<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/sssd-team/sssd">Debian SSSD packaging / sssd</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a706ea8e0677c00e282946bcf24b67210e3aacfa">a706ea8e</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2019-12-02T11:59:58+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update version in version.m4 to track the next release.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7578bdea9e343de0b9e1abe7a621e885d2533f54">7578bdea</a></strong>
<div>
<span>by Yuri Chornoivan</span>
<i>at 2019-12-04T11:55:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sssctl: fix typo in user message
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/bd201746f8cf0e95615b3e98868555451b5e66b8">bd201746</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-12-04T11:56:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sdap: Add randomness to ldap connection timeout
In case of mass deployment, mass registration of IPA clients roughly on
the same time leads to regular CPU load spikes on IPA servers, the load
spikes are caused by all/most clients refreshing their LDAP connections
(ldap_connection_expire_timeout) every 15 minutes.
This patch introduces new random value (from 0 up to
ldap_connection_expire_offset) that is added to the timeout.
Resolves:
https://pagure.io/SSSD/sssd/issue/3630
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1cdd43140e6069a10d59af0ba80d1c4e9427a0b4">1cdd4314</a></strong>
<div>
<span>by Andrew Gunnerson</span>
<i>at 2019-12-04T11:59:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: Add support for passing --add-samba-data to adcli
This adds a new option named `ad_update_samba_machine_account_password`,
which when enabled, will pass `--add-samba-data` to the adcli command
for updating the machine account password in Samba's secrets.tdb
database.
This option is necessary when Samba is configured to use AD for
authentication. For Kerberos auth, Samba can use the system keytab, but
for NTLM, Samba uses its own copy of the machine account password in its
secrets.tdb database.
See: https://pagure.io/SSSD/sssd/issue/3920
Signed-off-by: Andrew Gunnerson <andrewgunnerson@gmail.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/58a67cd38b8be9bef45ce70588763d851840dd65">58a67cd3</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2019-12-04T12:02:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb_sudo: Enable LDAP time format compatibility
LDAP specification allows to omit seconds and minutes
in time border definition. In that case they default to zeros.
Current sssd.sudo implementation requires precision up to
seconds in time definition. This commit allows to lower
the precision up to hours.
Resolves:
https://pagure.io/SSSD/sssd/issue/4118
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/03bc96247cbd567ad11a4c693c1d90580f903bb7">03bc9624</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-12-11T14:37:22+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: use real primary gid if the value is overridden
SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD
because any possible override may not be known at the time of storing
the user.
Now we try to lookup group by its originalADgidNumber and if it is found
we will replace the original id with real primary group id.
Steps to reproduce:
1. Enroll SSSD to IPA domain with AD trust
2. Add ID override to Domain Users `ipa idoverridegroup-add 'Default Trust View' "Domain Users@ad.vm" --gid=40000000`
3. On IPA server: Remove cache for the overrides to apply immediately and restart SSSD `sssctl cache-remove --stop --start`
4. On IPA server: Resolve user `id Administrator@ad.vm`
There will be visible both new and old gids without the patch.
Resolves:
https://pagure.io/SSSD/sssd/issue/4124
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/97c96fd0667fead15ce45e336a052e4ed6faa754">97c96fd0</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-12-11T15:16:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: add rhel7
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/63c38d6131ad1ef9253d98ca5cf6f2318a740e55">63c38d61</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-12-11T15:16:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: set sssd-ci notification to pending state when job is started
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c861a3909595566aedf14081e79597cafc8d172a">c861a390</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-12-11T15:16:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: archive ci-mock-result
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/3477f2c28c5707cd90bccc6ebe81135fd49a2cde">3477f2c2</a></strong>
<div>
<span>by Fabiano Fidêncio</span>
<i>at 2019-12-11T16:21:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">INTG: Increase the sleep() time so the changes are reflected on SSSD
Those tests have been failing a lot recently and it does happen because
the time to reflect the changes on SSSD is not enough for the machine
where the tests are running.
There's no reasonable explanation in the code why 4 seconds is used as
INTERACTIVE_TIMEOUT, neither a reasonable explanation why 2 seconds is
used as the time waited in order to have those changes reflected on
SSSD (neither in the code nor in the commit messages).
This patch uses the most simple empiric way to determine a better value
for this timeout, which was "run the tests a considerable amount of time
and check that there were no failures".
So, in order to avoid failures and our tests giving us more reliable
information, let's give more time so the changes are reflected on SSSD.
Resolves:
https://pagure.io/SSSD/sssd/issue/3463
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/116b144bc27d1eb8cd29813ed7eb7e674e8e189c">116b144b</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2019-12-11T16:21:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: fix race condition in enumeration tests
This change is relevant to Nyquist frequency. To ensure that enumeration has been
run we need to wait at least twice the enumeration timeout. In other words, we need
to make sure enumeration is run at least twice the frequency of our assertions to
ensure that it has been run at least once.
Patch was amended by Alexey Tikhonov <atikhono@redhat.com> to include nice
comment originally provided by Pavel Březina at
https://github.com/SSSD/sssd/pull/947#issuecomment-559440211
Relates: https://pagure.io/SSSD/sssd/issue/3463
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b626651847e188e89a332b8ac4bfaaa5047e1b3d">b6266518</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2019-12-11T17:27:41+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">INI: sssctl config-check command error messages
In case of parsing error sssctl config-check command does not give
proper error messages with line number. With this patch the error
message is printed again.
Resolves:
https://pagure.io/SSSD/sssd/issue/4129
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/580d61884b6c0a81357d8f9fa69fe69d1f017185">580d6188</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-12-14T01:51:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap_child: do not try PKINIT
if the PKINIT plugin is installed and pkinit_identities is set in
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
wants to authenticate with a keytab. As a result ldap_child might try to
access a Smartcard which is either not allowed at all or might cause
unexpected delays.
To avoid this the current patch sets pkinit_identities for LDAP child
explicitly to make the PKINIT plugin fail because if installed libkrb5
will always use it.
It turned out that setting pre-authentication options requires some
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
used to initialize the options struct.
Related to https://pagure.io/SSSD/sssd/issue/4126
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/21cb9fb28db1f2eb4ee770eb029bfe20233e4392">21cb9fb2</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-12-14T01:57:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">certmap: mention special regex characters in man page
Since some of the matching rules use regular expressions some characters
must be escaped so that they can be used as ordinary characters in the
rules.
Related to https://pagure.io/SSSD/sssd/issue/4127
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1d4a7ffdcf8b303a40058db49d5e1be4bfb8271a">1d4a7ffd</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-12-14T02:04:09+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">providers/krb5: got rid of unused code
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e41e9b37e4d3fcd8544fb6c591dafbaef0954438">e41e9b37</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-12-14T02:04:09+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">data_provider_be: got rid of duplicating SIGTERM handler
It was wrong to install two libtevent SIGTERM handlers both of which did
orderly_shutdown()->exit(). Naturally only one of the handlers was executed
(as process was terminated with exit()) and libtevent docs don't say
anything about order of execution. But chances are, be_process_finalize()
was executed first so default_quit() was not executed and main_ctx was not
freed.
Moreover there is just no reason to have separate be_process_finalize()
at all: default server handler default_quit() frees main_ctx. And be_ctx
is linked to main_ctx so will be freed by default handler as well.
Resolves: https://pagure.io/SSSD/sssd/issue/4088
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/3f52de891cba55230730602d41c3811cf1b17d96">3f52de89</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-12-14T02:04:09+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/server: improved debug at shutdown
Relates: https://pagure.io/SSSD/sssd/issue/4088
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2c13d8bd00f1e8ff30e9fc81f183f6450303ac30">2c13d8bd</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2019-12-14T02:30:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/watchdog: fixed watchdog implementation
In case watchdog detected locked process and this process was parent
process it just sent SIGTERM to the whole group of processes, including
itself.
This handling was wrong: generic `server_setup()` installs custom
libtevent handler for SIGTERM signal so this signal is only processed
in the context of tevent mainloop. But if tevent mainloop is stuck
(exactly the case that triggers WD) then event is not processed
and this made watchdog useless.
`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do
unconditional `_exit()` after optionally sending a signal to the group.
Resolves: https://pagure.io/SSSD/sssd/issue/4089
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/090cf77a0fd5f300a753667658af3ed763a88e83">090cf77a</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-01-13T12:01:32+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: allow booleans for ad_inherit_opts_if_needed()
Currently ad_inherit_opts_if_needed() can only handle strings. With this
patch it can handle boolean options as well.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/341ba49b0deb42e17d535744824786c2499656b7">341ba49b</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-01-13T12:01:32+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: add ad_use_ldaps
With this new boolean option the AD provider should only use the LDAPS
port 636 and the Global Catalog port 3629 which is TLS protected as
well.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/78649907b81b4bdaf8fc6a6e6ae55ed3cd5419f5">78649907</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-01-13T12:01:33+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap: add new option ldap_sasl_maxssf
There is already the ldap_sasl_minssf option. To be able to control the
maximal security strength factor (ssf) e.g. when using SASL together
with TLS the option ldap_sasl_maxssf is added as well.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/24387e19f065e6a585b1120d5568cb4df271d102">24387e19</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-01-13T12:01:33+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: set min and max ssf for ldaps
AD does not allow to use encryption in the TLS and SASL layer at the
same time. To be able to use ldaps this patch sets min and max ssf to 0
if ldaps should be used.
Related to https://pagure.io/SSSD/sssd/issue/4131
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/26e33b1984cce3549df170f58f8221201ad54cfd">26e33b19</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-01-14T11:05:51+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/sss_ptr_hash: fixed double free in sss_ptr_hash_delete_cb()
Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
to freeing of value->ptr and thus to destruction of value->spy that is
attached to value->ptr.
In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
execution hash entry was actually deleted and value was freed.
When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
to free value again => double free.
To prevent this bug value and hence spy are now freed before execution of
data->callback(value->ptr).
Resolves: https://pagure.io/SSSD/sssd/issue/4135
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d1f8ec8a974d20aa0476bf1701c70dfa179303f3">d1f8ec8a</a></strong>
<div>
<span>by David Mulder</span>
<i>at 2020-01-14T11:09:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD should accept host entries from GPO's security filter
Not accepting host entries in the security filter
creates the need for sub-OU's, each with its own
GPO, otherwise one OU with an assigned GPO would
be sufficient.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8aa2f9edc95ceeed28c4e4c45d27287246e5a175">8aa2f9ed</a></strong>
<div>
<span>by David Mulder</span>
<i>at 2020-01-14T11:09:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test the host sid checking
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8d333499a2acb1dfbe0bb00ce7fe6982a1a30e4d">8d333499</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-01-14T11:09:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Improve host SID retrieval
Set the entry expire time for cached computers and avoid querying twice
the cache by passing the host SID in the processing state if it is found
the first time.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d6f0b432af30243b83999d0fcb6ca55cabb970a3">d6f0b432</a></strong>
<div>
<span>by David Mulder</span>
<i>at 2020-01-14T11:09:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove sssd Security Filtering host comment from man
Remove the sssd-ad man page comment explaining
that host entries in GPO Security Filtering are
not supported.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a2e7f687533800753e3062aac83e17c3af2df82f">a2e7f687</a></strong>
<div>
<span>by David Mulder</span>
<i>at 2020-01-14T11:09:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Create a computer_timeout for caching GPO security filter
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5c8f7960f10686e62ef12799f4243e4eb2aad16e">5c8f7960</a></strong>
<div>
<span>by David Mulder</span>
<i>at 2020-01-14T11:09:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Resolve computer lookup failure when sam!=cn
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/007d5b79b7aef67dd843ed9a3b65095faaeb580f">007d5b79</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-01-22T11:47:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BE_REFRESH: Do not try to refresh domains from other backends
We cannot refresh domains from different sssd_be processes.
We can refresh just subdomains
Resolves:
https://pagure.io/SSSD/sssd/issue/4142
Merges: https://pagure.io/SSSD/sssd/pull-request/4139
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b47edd9fefc1b10fa642106f34b585536192664a">b47edd9f</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-01-22T11:48:14+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSS_INI: Fix syntax error in sss_ini_add_snippets
CC src/util/libsss_util_la-sss_ini.lo
src/util/sss_ini.c: In function ‘sss_ini_add_snippets’:
src/util/sss_ini.c:325: error: expected ‘;’ before ‘}’ token
Merges: https://pagure.io/SSSD/sssd/pull-request/4140
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/3bdce86b4ec1b50603545914c01eed0cefc6f2d8">3bdce86b</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-01-22T11:49:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Fix warning-format-overflow directive argument is null
CC src/providers/proxy/libsss_proxy_la-proxy_id.lo
In file included from src/util/util.h:47,
from src/providers/proxy/proxy.h:35,
from src/providers/proxy/proxy_id.c:30:
In function ‘delete_user’,
inlined from ‘get_pw_uid’ at src/providers/proxy/proxy_id.c:383:15,
inlined from ‘proxy_account_info’ at src/providers/proxy/proxy_id.c:1617:19,
inlined from ‘proxy_account_info_handler_send’ at src/providers/proxy/proxy_id.c:1760:20:
src/util/debug.h:126:9: error: ‘%s’ directive argument is null
[-Werror=format-overflow=]
126 | sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
127 | __debug_macro_level, \
| ~~~~~~~~~~~~~~~~~~~~~~
128 | format, ##__VA_ARGS__); \
| ~~~~~~~~~~~~~~~~~~~~~~
src/providers/proxy/proxy_id.c:215:5: note: in expansion of macro ‘DEBUG’
215 | DEBUG(SSSDBG_TRACE_FUNC,
| ^~~~~
src/providers/proxy/proxy_id.c: In function ‘proxy_account_info_handler_send’:
src/providers/proxy/proxy_id.c:216:17: note: format string is defined here
216 | "User %s does not exist (or is invalid) on remote server,"
| ^~
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d7ddcc56e61e170d4a68807b62ca545764ee8bcf">d7ddcc56</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-01-22T11:49:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_nss_srv: Suppress Conditional jump or move depends on uninitialised value
gcc10 reordered conditions in long "or" condition
```
if (size < 2 || _list == NULL || *_list == NULL) {
```
And _list(gr->gr_mem) could be uninitialized if size was lower than 2.
It is a simplified implementation of parsing packet in unit test due to
mocking. `gr->gr_mem` always points to some array in real code.
Therefore we could see following error
Splitting condition to two if blocks fixes warning as well but
initializing `gr->gr_mem` to `NULL` is simpler change
[ RUN ] test_nss_getgrnam_no_members
==12857== Conditional jump or move depends on uninitialised value(s)
==12857== at 0x41B6C5: order_string_array (test_nss_srv.c:599)
==12857== by 0x41B6C5: assert_groups_equal (test_nss_srv.c:617)
==12857== by 0x41B810: test_nss_getgrnam_no_members_check (test_nss_srv.c:1476)
==12857== by 0x41CB3F: __wrap_sss_cmd_done (test_nss_srv.c:138)
==12857== by 0x4270C4: nss_protocol_done (nss_protocol.c:69)
==12857== by 0x423949: nss_getby_done (nss_cmd.c:571)
==12857== by 0x4E08359: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.10.1)
==12857== by 0x4E0837D: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.10.1)
==12857== by 0x4E0E1BF: ??? (in /usr/lib64/libtevent.so.0.10.1)
==12857== by 0x4E0C54A: ??? (in /usr/lib64/libtevent.so.0.10.1)
==12857== by 0x4E075D7: _tevent_loop_once (in /usr/lib64/libtevent.so.0.10.1)
==12857== by 0x42D45B: test_ev_loop (common_tev.c:82)
==12857== by 0x41C442: test_nss_getgrnam_no_members (test_nss_srv.c:1503)
==12857==
[ OK ] test_nss_getgrnam_no_members
Merges: https://pagure.io/SSSD/sssd/pull-request/4141
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d3d72b907b12448c52004a1b3aabfee0b516bf2f">d3d72b90</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-01-28T15:51:16+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: add CentOS 7
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a18a6f008985d9af18200240469a5a20da53bc64">a18a6f00</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2020-02-03T12:17:09+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/server: Fix the timing to close() the PID file
The PID file is closed just before pidfile function returns.
However, if close() is called immediately after read()/write(),
there is no need to call close() at multiple places.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/192eadaaf8ac6a427533612362f012dcbd7ce776">192eadaa</a></strong>
<div>
<span>by Alex Rodin</span>
<i>at 2020-02-03T12:18:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update pam_sss.8.xml
pam_sss: Added return values on a man page
Resolves: https://pagure.io/SSSD/sssd/issue/3672
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c3b98b2b6703f72012f1ecfadede96eaaef52a48">c3b98b2b</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-02-04T13:18:41+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFIGURE: Fix detection of samba version for idmap plugin
The parameter -e is not standard parameter for echo builtin.
And therefore needn't be implemented in some shells.
e.g.
sh$ /bin/dash -c 'echo -e "#include <samba/version.h>\nSAMBA_VERSION_MAJOR"'
-e #include <samba/version.h>
SAMBA_VERSION_MAJOR
And it caused failures in configure
checking Samba's idmap plugin interface version... idmap test result is: 6
configure: Samba's idmap interface version: 6
configure: Samba version: -e #include <samba/version.h>
SAMBA_VERSION_MAJOR -e #include <samba/version.h>
SAMBA_VERSION_MINOR -e #include <samba/version.h>
SAMBA_VERSION_RELEASE
/home/build/sssd/configure: 21832: test: #include: unexpected operator
configure: Samba's struct idmap_domain does not have dom_sid member
Merges: https://pagure.io/SSSD/sssd/pull-request/4153
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a483bfa67aa9ec67b1a87848184567d8c7acd174">a483bfa6</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-02-04T13:18:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFIGURE: Fix detection of attribute fallthrough
configure:27218: checking whether compiler supports __attribute__((fallthrough))
configure:27228: gcc -c -Werror conftest.c >&5
conftest.c:185:2: error: 'fallthrough' attribute at top level [-Werror=attributes]
185 | __attribute__ ((fallthrough));
| ^~~~~~~~~~~~~
cc1: all warnings being treated as errors
Merges: https://pagure.io/SSSD/sssd/pull-request/4153
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/50cc1963f66dbfd388874775b99e604b1f7b35c5">50cc1963</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2020-02-06T11:15:01+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove redundant header file inclusion
There are some source code including the same header file redundantly.
We remove these redundant header file inclusions.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4dbfaae4379eda8b3b7debd37b338e8d384e2a77">4dbfaae4</a></strong>
<div>
<span>by Andreas Hasenack</span>
<i>at 2020-02-06T11:15:38+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix another build failure with python 3.8
The parsing of python3-config --ldflags would break if multiple -L
path components were present. This change loops over these paths
until it finds the correct one.
Fixes https://pagure.io/SSSD/sssd/issue/4147
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/bc56b10aea999284458dcc293b54cf65288e325d">bc56b10a</a></strong>
<div>
<span>by Stephen Gallagher</span>
<i>at 2020-02-06T11:16:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix build failure against samba 4.12.0rc1
The ndr_pull_get_switch() function was dropped, but it was just a wrapper
around the ndr_token_peek() function, so we can use this approach on both
old and new versions of libndr.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/399ee9d1af9cca4026ce50c58ce25c45a30c85c2">399ee9d1</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-02-10T11:12:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: Accept krb5 1.18 for building the PAC plugin
Merges: https://pagure.io/SSSD/sssd/pull-request/4152
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7aa96458f3bec4ef6ff7385107458e6b2b0b06ac">7aa96458</a></strong>
<div>
<span>by Simo Sorce</span>
<i>at 2020-02-10T11:14:43+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add TCP level timeout to LDAP services
In some cases the TCP connection may hang with data sent because
of network conditions, this may cause the socket to stall for much
longer than the timeout intended.
Set a TCP option to forcibly timeout a socket that sees its data not
ACKed within the ldap_network_timeout seconds.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ceea56be3f91e413212dc1959e66d7f19871f52e">ceea56be</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2020-02-10T11:19:12+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">monitor: Fix check process about multiple starts of sssd when pidfile remains
If PIDFile is invalid in sssd.service, pidfile remains if sssd terminates abnormally.
Also, if /var/run is not tmpfs, the pidfile will remain when the OS is forcibly stopped.
In check process about multiple starts of sssd, only the existence of pidfile is checked.
Fix not only to check if pidfile exists, but also to check if PID exists.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2014d8f52ea6a9d086b25f8f0c5b8e6b1e1c161d">2014d8f5</a></strong>
<div>
<span>by Alex Rodin</span>
<i>at 2020-02-10T11:25:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update __init__.py.in
We shouldn't modify the list of domain options in a loop. In some cases (for example issue #4149) that will cause problems, for example when deleting provider options after deleting the provider itself.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5b87af6f5b50c464ee7ea4558f73431e398e1423">5b87af6f</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-02-10T16:57:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_sockets: pass pointer instead of integer
```
/home/pbrezina/workspace/sssd/src/util/sss_sockets.c: In function ‘set_fd_common_opts’:
/home/pbrezina/workspace/sssd/src/util/sss_sockets.c:123:61: error: passing argument 4 of ‘setsockopt’ makes pointer from integer without a cast [-Werror=int-conversion]
123 | ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
| ^~~~~
| |
| unsigned int
In file included from /home/pbrezina/workspace/sssd/src/util/sss_sockets.c:28:
/usr/include/sys/socket.h:216:22: note: expected ‘const void *’ but argument is of type ‘unsigned int’
216 | const void *__optval, socklen_t __optlen) __THROW;
| ~~~~~~~~~~~~^~~~~~~~
CC src/util/sssd_kcm-sss_iobuf.o
cc1: all warnings being treated as errors
```
Introduced by 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9483bf410eeb5de2fee3a4a61a80d96682772d51">9483bf41</a></strong>
<div>
<span>by Alex Rodin</span>
<i>at 2020-02-12T10:54:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSDConfig: Update of config options
- Added missing config options with a description
- Removed not used or replaced options such as ldap_group_search_scope, ldap_group_search_filter, etc...
Resolves:
https://pagure.io/SSSD/sssd/issue/1362
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f9b3c0d1009da8d8dbe273c38d6725100789e57b">f9b3c0d1</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-02-17T11:35:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ssh: do not mix different certificate lists
There was a list of binary certificates and a list with base64 encoded
ones which might be different depending on the active matching rules.
Only the base64 one with the filtered results should be used.
Related to https://pagure.io/SSSD/sssd/issue/4121
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/849d495ea948e75ecb4ea469c9f8db4a740a2377">849d495e</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-02-17T11:35:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ssh: add 'no_rules' and 'all_rules' to ssh_use_certificate_matching_rules
To make ssh_use_certificate_matching_rules option more flexible and
predictable the keywords 'all_rules' and 'no_rules' are added.
'no_rules' can be used to allow all certificates.
If rules names are given but no matching rules can be found this is
considered an error and no ssh keys will be derived from the
certificates.
Related to https://pagure.io/SSSD/sssd/issue/4121
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/faa5dbf6f716bd4ac0a3020a28a1ee6fbf74654a">faa5dbf6</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-02-17T11:37:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sbus_server: stylistic rename
Renamed sbus_server_name_remove_from_table() to
sbus_server_name_remove_from_table_cb() to keep naming consistent
with other functions used as `hash_delete_callback` argument of
sss_ptr_hash_create()
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/adc7730a4e1b9721c93863a1b283457e9c02a3c5">adc7730a</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-02-17T11:37:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_ptr_hash: don't keep empty sss_ptr_hash_delete_data
There is no need to allocate memory for `sss_ptr_hash_delete_data`
if table user doesn't provide custom delete callback.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d0eb88089b059bfe2da3bd1a3797b89d69119c29">d0eb8808</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-02-17T11:37:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_ptr_hash: sss_ptr_hash_delete fix/optimization
- no reason to skip hash_delete() just because sss_ptr_hash_lookup_internal()
failed
- avoid excessive lookup if it is not required to free payload
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8cc2ce4e9060a71d441a377008fb2f567baa5d92">8cc2ce4e</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-02-17T11:37:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_ptr_hash: removed redundant check
`sss_ptr_hash_check_type()` call would take care of this case.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4bc0c2c7833dd643fc1137daf6519670c05c3736">4bc0c2c7</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-02-17T11:37:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_ptr_hash: fixed memory leak
In case the `override` check failed in _sss_ptr_hash_add(),
`value` was leaking.
Fixed to do `override` check before value allocation.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0bb1289252eec972ea26721a92adc7db47383f76">0bb12892</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-02-17T11:37:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_ptr_hash: internal refactoring
sss_ptr_hash code was refactored:
- got rid of a "spy" to make logic cleaner
- table got destructor to wipe its content
- described some usage limitation in the documentation
And resolves: https://pagure.io/SSSD/sssd/issue/4135
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/88b23bf50dd1c12413f3314639de2c3909bd9098">88b23bf5</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-02-17T11:37:30+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: added sss_ptr_hash unit test
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9188aa17d9c4dfec1d5744981ea8855465965808">9188aa17</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2020-02-20T10:51:23+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Duplicated error message for unreadable GPO
sss_log() had wrong type set as log level.
The result was error message with very high
priority displayed on all terminals.
Resolves:
https://pagure.io/SSSD/sssd/issue/4133
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7b647338a40d701c6a5bb51c48c10a31a6b72699">7b647338</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-02-24T12:44:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: check if card is present in wait_for_card()
Some implementations of C_WaitForSlotEvent() might return even if no
card was inserted. So it has to be checked if a card is really present.
Resolves: https://pagure.io/SSSD/sssd/issue/4159
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/37780b895199bab991edae6b1eeb91b7b3966bcf">37780b89</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-02-24T12:44:11+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PAM client: only require UID 0 for private socket
Some privileged services like e.g. gdm might only call with UID 0 but
with a different GID. This patch removes the GID 0 requirement to access
the private PAM socket so that e.g. gdm can use the wait-for-card option.
Resolves: https://pagure.io/SSSD/sssd/issue/4159
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a4219bbcc73f6843007c9f75e95f94d7d62b36d6">a4219bbc</a></strong>
<div>
<span>by Alex Rodin</span>
<i>at 2020-02-25T11:02:57+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSDConfig: New SSSDOptions class
- Moved option_strings dictionary to an external SSSDOptions class
- Removed duplicate keys from option_strings dictionary
- Updated Makefile.am to honor new sssdoptions.py file
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/746d4ff34acbb17f291b02a66311c27cfb44a005">746d4ff3</a></strong>
<div>
<span>by ikerexxe</span>
<i>at 2020-02-26T11:52:06+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">config: allowed auto_private_groups in child domains
sssctl config-check failed if auto_private_groups was enabled/disabled in child domains
Resolves:
https://pagure.io/SSSD/sssd/issue/4161
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b11907c657d324184716884667facc0b7ee83af1">b11907c6</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2020-02-27T00:16:10+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bump the version.
Recently added option ssh_use_certificate_matching_rules
changed behavior. This justifies version bump.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/fe9eeb51be06059721e873f77092b1e9ba08e6c1">fe9eeb51</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2020-02-28T10:11:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: Collision with external nss symbol
One of our internal static function names started
to collide with external nss symbol. Additional
sss_ suffix was added to avoid the collision.
This is needed to unblock Fedora Rawhide's
SSSD build.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/bfa02b0b0edc68564094fcd681e703e76fd411ee">bfa02b0b</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-02-28T10:14:03+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: keep system list outside repository
This way we do not need to push a new commit to the repository every time
we change the list of distributions we test on, and changes
will be immediately picked up by open pull requests without the
need to rebase them.
It will also help us to temporarily disable particular distribution
when there are errors that we can not fix (e.g. current rawhide issue)
so we can still have all green results.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/feaf88914e61f871489481afd1eef5d5b11111c9">feaf8891</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-02-28T10:14:03+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ci: remove old dependency repository
This repository is no longer needed and packages there have not been maintained
for many years. Recent update of mock-core-configs changes `yum.conf` to
`dnf.conf` on Fedora and this breaks things for us.
The original purpose was to add newer libraries (such as ding-libs) to
RHEL-6 and early RHEL-7 so we could test current master there. This is no
longer needed since it contains up to date packages. Therefore it is safe
to remove it instead of trying to determine whether there should be yum.conf
or dnf.conf.
Otherwise we end up during mock build with:
```
KeyError: 'yum.conf'
ERROR: Error in configuration
```
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7fbc7e3ffb7a5c0090bb2091011762dabf1f512f">7fbc7e3f</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2020-03-02T11:20:23+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sssd.spec: Add recommended packages
sssd-dbus is recommended for tools and SSSD's logrotate
support can only be useful with the logrotate package
in place. It makes sense to recommend them.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2143c7276c7603520e2575ef6c9d93a5fc031256">2143c727</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-02T11:21:06+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: use getaddrinfo with AI_CANONNAME to find the FQDN
In systems where gethostbyname() does not return the FQDN try calling
getaddrinfo().
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2dc82a242a3257c41b0ab152c6fb615a87c77db3">2dc82a24</a></strong>
<div>
<span>by Thorsten Scherf</span>
<i>at 2020-03-04T12:46:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix sssd-ldap man page
The option 'ldap_default_authtok_type' also accepts non clear text passwords
in the meantime.
Signed-off-by: Thorsten Scherf <tscherf@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b19b25e13e63ea0bc0844501e40b37790b9014dc">b19b25e1</a></strong>
<div>
<span>by Thorsten Scherf</span>
<i>at 2020-03-04T12:46:13+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">add reference to sss_obfuscate man page
Signed-off-by: Thorsten Scherf <tscherf@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9ccf78dbdc7d05b29dcfadff113c4e7064e84bc7">9ccf78db</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2020-03-04T12:46:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: fix typos - correct manpage reference - correct wrong word - capitalize the first letter
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e4c6ebf6754dca194487f02b616018a860e5dbdf">e4c6ebf6</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-03-05T10:30:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sdap: provide error message when password change fail in ldap_modify mode
Steps to reproduce:
1. Configure LDAP server to enable password constraints
2. Set ldap_pwmodify_mode = ldap_modify in [domain]
3. Run SSSD and authenticate as a user
4. Run passwd to change password, use password that does not meet requirements
It will print "password change successful" without this patch and server
error message with this patch applied.
Resolves:
https://pagure.io/SSSD/sssd/issue/4148
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/12bd3f96ca101192ddc6b0afb424c183e68989c9">12bd3f96</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">STAP: Add missing session data provider target
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d263fa9d643197bf0f3245e06149f7a3dd96f08d">d263fa9d</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">UTIL: Add a function to canonicalize IP addresses
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/860c457063fedf4c0020e705060b97cd5a80d1a7">860c4570</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add sysdb functions for hosts entries
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/622849279be17cc9b7b59f81753aa05a0594df47">62284927</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add index for hostAddress attribute
Adding the IP address to the indexed attributes will speed up the
host-by-address searches.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/99ce117106b9c0d0e0167f1c10f5840a7912fa7f">99ce1171</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SBUS: Add new resolver target interface
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d76d818cb2015c4d5a4b70fac055f99134c5c858">d76d818c</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DP: Add a new filter type, filter by address
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/469891df69faeceba2084efd8ce421b1ec11103e">469891df</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESPONDER: Add sss_dp_resolver_get_send
This function sends requests for IP hosts and networks to the resolver
target. Will be used by following cache req plugins:
* cache_req_ip_host_by_name
* cache_req_ip_host_by_addr
* cache_req_ip_network_by_name
* cache_req_ip_network_by_addr
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1cb209556adad75264802de543f03e08f7058d23">1cb20955</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Rename cache req host by name name plugin used by SSH
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dafdd066ef2358ee06796ce5bba8f0b0891c9d64">dafdd066</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Add a data field to store network addresses
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6e66e321797e52d7a9ed093683c45c678c9deec5">6e66e321</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Implement ip_host_by_addr and ip_host_by_name plugins
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e931f27dfd3800c3931c6aba7e75e7499b64a913">e931f27d</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Add client support for hosts (non-enumeration)
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/55cfacfe33e656840aed8bdb3ca7870a7bdad4dc">55cfacfe</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Add gethostbyname and gethostbyaddr support to the NSS responder
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/014cd3a542bbb27d72c160a5c596b6797c6ed46e">014cd3a5</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add gethostbyname and gethostbyaddr NSS responder tests
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2c317ce9fc5a66ef82969baaf1d949fbee5dcd75">2c317ce9</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DP: Implement resolver target handler
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6f6900374520b34b25199259731e410be7b7ebf3">6f690037</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFDB: Add new options for resolver provider
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d6d03aafc49615ae1e4e88a692aa893214c3926d">d6d03aaf</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CONFDB: Add a new resolver_timeout to timeout cached resolver entries
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b523fb6a03dbf6289159d4fb8b491fe35f1c2693">b523fb6a</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">UTIL: Allow to specify mandatory and optional symbols when loading nss libs
A more flexible way of loading NSS shared libraries is needed as not all
of them provide the same symbols.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0ec8bd578b55564182a21b05773c109393c16840">0ec8bd57</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Create a module context to store id and auth contexts
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/688e6a6b56966200e530c9e3a6de534e1f763b7e">688e6a6b</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Load resolver NSS library
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b1fe85eb0034f3aacb549322b4620976f09e39af">b1fe85eb</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Register resolver hosts handler method
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/be791978953d0cfec64a08d7da2aae6d44af8e53">be791978</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Handle resolver hosts by name requests
Call NSS library to get IPv4 and IPv6 addresses. If host not found,
cache entries are deleted.
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/bbb7a45dfd16a7eb8e1b56da508a536e520e3bcd">bbb7a45d</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Store results from NSS library call into the cache
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/00bc7897163a9fed2bc7ba613f36c6b076e6d8c0">00bc7897</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Extend sysdb_store_host() to accept extra attributes
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/29c583b6450af52fd0b93b526fda67b946d925ba">29c583b6</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Handle resolver hosts by address requests
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5672d2beb735d35bbf33efc25c48de4f31c33563">5672d2be</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Initialize resolver provider
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1402f10046eb830c9fcb591c8898f73dd13ddc95">1402f100</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Initialize resolver provider
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a61c6d61c39e566eeda38ceceb8fa11831822d51">a61c6d61</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Initialize ldap_iphost_* options
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6a7775263cec46b577d3d25be2e2086136c7a134">6a777526</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Document new ldap_iphost_* options
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0498591eaeea0ff92e12e26e818fbf660d45c5b2">0498591e</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Initialize ldap_iphost_* options
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b8fba016681aabf82eb7739259e323242aa4a8c4">b8fba016</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Prepare for iphost lookups
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/29b27395f39cb64834a054d1477467c045feaee3">29b27395</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Add support for iphost lookups (no enumeration)
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/bbcd849a4208bb54d83ebdb4b57e35f25b887dd7">bbcd849a</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Add client support for [set|get|end]hostent()
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/11cc32e48b5cb70aecbe040b6629482cb497108e">11cc32e4</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add support for enumerating hosts
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8b96109ffff823766ee5795f76bf17907392f6ee">8b96109f</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Add support for enumerating hosts
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8a51bc0df6d9f45d00b561dc3f03373d0527ce96">8a51bc0d</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Setup resolver enumeration tasks
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/82b808d93ea8ffaea7a89f9196ad87a6f67441a9">82b808d9</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Add support for iphost enumeration
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2be80a00cbd2227e828adb510c2d11cd3cfede48">2be80a00</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Setup resolver enumeration tasks
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/10d9346afd1a415cb6c624e9134c977bc6aec8f8">10d9346a</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Add support for iphost enumeration
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ae6d042cbb6b8a2bfecc37edeb3a1509796f6846">ae6d042c</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Implement iphost cleanup for expired cache entries
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/45dbaddde02ac0c5b1af612ece19933d50c132a4">45dbaddd</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Implement iphost cleanup for expired cache entries
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e980b0f6a0aa2ded35f7cc81d8049eac159319da">e980b0f6</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Add support for iphost enumeration
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8a66d6e5a8abc9a89e12a5ef386541193f965b19">8a66d6e5</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-03-05T10:31:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add LDAP resolver target integration tests
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e698d53e0ddd3c2778e04fd8e405f8c0cee0a766">e698d53e</a></strong>
<div>
<span>by Michal Židek</span>
<i>at 2020-03-06T12:08:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: Do not overwrite /etc/pam.d/sssd-shadowutils
We should not overwrite this file when sssd-common is
updated.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6ab9ac3ff93cdaba6cc95dbb48db8a37d8e31e36">6ab9ac3f</a></strong>
<div>
<span>by Petr Vaněk</span>
<i>at 2020-03-06T12:13:55+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">configure: prefer python3 if available
We should prefer python3 every time when it is available regardless of
whether python3 bindings are generated, otherwise sbus_generate.sh fails
in python3 only systems, where sssd is configured with
--without-python3-bindings parameter.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d4bf66261c7dfbcda9e3c7d107951fe0f198b426">d4bf6626</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-03-16T16:42:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sbus: commit complete generated code
99ce117106b9c0d0e0167f1c10f5840a7912fa7f incorrectly committed generated code.
Reviewed-by: Michal Židek <mzidek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6f7f15691b071cefd4e04a9fee44af580b6c502b">6f7f1569</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-03-16T17:12:29+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ssh: fix matching rules default
Before the ssh_use_certificate_matching_rules option was added the ssh
responder returned ssh keys derived from all valid certificates. Since
the default of the ssh_use_certificate_matching_rules option is
'all_rules' in a case where no matching rules are defined all
certificates will be filtered out and no ssh keys are returned.
The intention of the default was to allow the same certificates
which are allowed in the PAM responder for authentication. The missing
default matching rule which is currently used by the PAM responder if no
other rules are available is added by this patch.
There might still be a small regression in case certificates without the
extended key usage (EKU) clientAuth were used for ssh. In this case
'ssh_use_certificate_matching_rules = no_rules' or a suitable matching
rule must be added to the configuration.
Related to https://pagure.io/SSSD/sssd/issue/4121
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/653df698a7a04c40df13eb4217c7d598aba8f8f8">653df698</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-03-18T13:24:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Watchdog: fixes "off-by-one" error
'man sssd.conf': timeout: "Note that after three missed heartbeats
the process will terminate itself."
But implementation was:
```
#define WATCHDOG_MAX_TICKS 3
...
if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
...
_exit(1);
```
-- since after reset ticks start from 0 effectively this was 4 heartbeats.
Fixed to match man page.
Resolves: https://pagure.io/SSSD/sssd/issue/4169
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/863f71acbe0b64c2ad2103b600a63bb722906b87">863f71ac</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-03-26T12:41:44+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sssd.spec.in: added missing Requires
This partially resolves warnings of rpmdiff tool.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b432b2c4c8039db0130494a83294bee950ebaa6a">b432b2c4</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2020-04-01T11:15:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Netgroups refresh in background task
refresh_expired_interval config value spawns be_task
responsible for refreshing expired cache entries
in background.
Netgroup related entries are stored in persistent
cache rather than timestamp cache. After sdap_refresh_step()
has been replaced by generic be_refresh_step()
lookup routine was searching for entries only in
timestamp cache. This results in LDAP netgroup entries
not refreshing in background.
Resolves:
https://pagure.io/SSSD/sssd/issue/4177
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/704d9f1d3dbae078f7fdcc310324a08770f3feef">704d9f1d</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2020-04-01T11:15:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Cache selector as enum
Sysdb has two sources of cache: timestamp based and persistent.
This change changes implementation of that selector from
binary flag to enum.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0003eda98b1db04bb3410af5f65d62e2426e426a">0003eda9</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-04-03T11:26:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa: add missing new-line in debug message
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/27a3c0cf354bf2e85f50d7b4650d8a22120a5691">27a3c0cf</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-04-03T11:26:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb: sanitize certmap rule name before using it in DN
The name of a certificate mapping and matching rule might contain
characters which are not allowed in RDNs and must be escaped before it
can be used in the DN of the cached certmap object.
Resolves: https://pagure.io/SSSD/sssd/issue/3721
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/626c9c2f41e347c3df6f530fcdf7db96741c385f">626c9c2f</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2020-04-03T11:27:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: override_gid not working for subdomains
The override_gid is not propagated to subdomain. This patch
assigns subdomain's override_gid to the value coming from
parent domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/4061
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ae5a2cdccadae3de29680466c05637b51b113147">ae5a2cdc</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-04-06T12:04:36+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">proxy: set pwfield to x for files library
Resolves:
https://pagure.io/SSSD/sssd/issue/4174
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc">1fdd8fa2</a></strong>
<div>
<span>by Noel Power</span>
<i>at 2020-04-06T12:05:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use ndr_pull_steal_switch_value for modern samba versions
commit bc56b10aea999284458dcc293b54cf65288e325d attempted to
fix the build error resulting from removal of 'ndr_pull_get_switch'
This change uses the new replacement method
'ndr_pull_steal_switch_value' however depending on the samba version
the ndr_pull_steal_switch_value abi is different.
Note: ndr_pull_steal_switch_value is used since samba 4.10 for
the affected methods
Note: the following methods have been refreshed from samba-4.12 generated
code;
o ndr_pull_security_ace_object_type
o ndr_pull_security_ace_object_inherited_type
o ndr_pull_security_ace_object_ctr
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c031adde4f532f39845a0efd78693600f1f8b2f4">c031adde</a></strong>
<div>
<span>by Noel Power</span>
<i>at 2020-04-06T12:05:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5019d21666a5c6b3b8465de5ee92569b1c8b6f91">5019d216</a></strong>
<div>
<span>by Lars Francke</span>
<i>at 2020-04-06T12:14:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap: set ldap_group_name to sAMAccountName for ad schema
This is to make it consistent with the AD provider which was changed
in adb148603344a42d6edffdda0786a10af715dacb.
"name" is an optional field for the group class.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dab522c09887e50722b17afa1a700b08ca1b7732">dab522c0</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-04-09T13:08:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">confdb: use proper timestamp if sssd.conf is missing
If sssd.conf is missing the timestamp is uninitialized and as a result
the lastUpdate attribute in config.ldb will contain some random binary
value.
This patch initializes the timestamp to "1".
Resolves: https://pagure.io/SSSD/sssd/issue/4178
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c7d328ea95324060b3be9b67ae70be8e8c70fad8">c7d328ea</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-04-09T13:11:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">proxy: do not fail if proxy_resolver_lib_name is not set
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/23c2d376b83a101b904ae6be3129841a723c336d">23c2d376</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-04-09T13:11:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">be: add BE_REQ_HOST to be_req2str
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/41220021d21b7711a416b5aeb8446c14dd931140">41220021</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-04-09T13:11:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">dp: free methods if target is not configured
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/494b838db2353b47ac5b462730c25ab12f1ed096">494b838d</a></strong>
<div>
<span>by Joakim Tjernlund</span>
<i>at 2020-04-09T13:14:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update OpenRC init.d script
Modernize the script, add TERM delay, rotate, online and offline
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d028df036d375532955d8920f70c2c8f7ac56dc3">d028df03</a></strong>
<div>
<span>by Lukas Slebodnik</span>
<i>at 2020-04-09T13:19:22+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Drop usage of unnecessary copr repo for mock
Merges: https://pagure.io/SSSD/sssd/pull-request/4156
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/fa9ab958424227e352ec4a68dab557bc20c29332">fa9ab958</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-04-17T12:53:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PAM: fixed wrong debug message
Fixed wrong debug message in case of failure to read CONFDB_PAM_P11_URI
option from config.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/903fe0fa9b0c651e6d89263a80b29532e920315a">903fe0fa</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-04-21T13:22:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: fixed description of pam_cert_db_path
Part about "PKCS#11 modules" only applies to NSS version.
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/80b9285b39127cc4f27fb9c18d1c03a1c654cdf0">80b9285b</a></strong>
<div>
<span>by ikerexxe</span>
<i>at 2020-04-21T13:23:07+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: in sssd-ipa clarified trusted domains section
In sssd-ipa man page added a second option when configuring trusted domains
Resolves:
https://pagure.io/SSSD/sssd/issue/4041
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1b84c3a1f17f59e134bb882f0f15109d18599193">1b84c3a1</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-04-22T13:10:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb: check if the id override belongs to requested domain
Steps to reproduce:
1. Setup an id override (administrator@ad.vm: uid -> 10001)
2. Request user by name to fill cache
```
$ id Administrator@ad.vm
uid=10001(administrator@ad.vm) ...
```
3. Request user by id and see that domain part is missing
```
$ id 10001
uid=10001(administrator) ...
```
First, the uid is looked up in IPA domain and the override object is
found when we hit `sysdb_search_override_by_id` because id values are
not qualified. Therefore the origin object (administrator@ad.vm) is
returned as part of IPA domain.
We need to check if the original object belongs to the requested domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/4173
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/233d30a500e9efa8d76305674892da675cb00755">233d30a5</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add sysdb functions for ipnetwork entries
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b37a13db5b54bf472f4e53a49a3abc7d31edd82f">b37a13db</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add index for ipNetworkNumber attribute
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c01c1c34a835c9e942136d1103a7c66ff560ca12">c01c1c34</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Implement ip_network_by_name and ip_network_by_addr plugins
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9c96d570e1562fb6a79ffbe8f23f30c68efca9cc">9c96d570</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Add client support for networks (non-enumeration)
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e88aac3b143cf349f5687c14a40753a783b49538">e88aac3b</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Add getnetbyname and getnetbyaddr support to the NSS responder
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0ae366573b7dec2f7c2f1ee85bbc4031a48d9aac">0ae36657</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add getnetbyname and getnetbyaddr NSS responder tests
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5dfced3cf9051fa8bb6e89a6f9b02412deaeb57d">5dfced3c</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DP: Handle IP network requests in resolver target
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/be1e6c12d96af015b830a22287eecaa66a6eb80e">be1e6c12</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Load networks symbols
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5e92783f822d0626854f10fc16074bbfffcc7fc7">5e92783f</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Handle resolver IP network by name requests
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0b88ce5d5b72b7cfe49add30fae63d3ee652f577">0b88ce5d</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Handle resolver IP network by address requests
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/fe9f0ecf29144a41ef2f025939d7d199b9dfca2b">fe9f0ecf</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add functions to store IP networks from providers
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/92e8c1e88dcf65e4c50cf3175d224fff67d91528">92e8c1e8</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Store IP network results from NSS library in the cache
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/93de591c955d036f3882f4d18f9b4d33e5e3202e">93de591c</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Initialize ldap_ipnetwork_* options
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4ab99ef1be8162ecdae4b39f825616d8f5f08dd1">4ab99ef1</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Document new ldap_ipnetwork_* options
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/407d766d62bb7351b5df660f3d8e4bf62200275f">407d766d</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: Initialize new ldap_ipnetwork_* options
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/3533697f0e56fe72cd7c85a658624afe6fd9f756">3533697f</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Prepare for ipnetwork lookups (no enumeration)
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0e5303ba662019626b11aa7d1fc531fccad74b9b">0e5303ba</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Add support for ipnetwork lookups (no enumeration)
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/29adb1089d8cc7557525b795709a066ae9c533bf">29adb108</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">NSS: Add client support for [set|get|end]netent()
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/cad60f636f6253d8ec6f4d940e3c21b6f72e29d7">cad60f63</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add support for enumerating ipnetworks
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5e75d695a4ad386851e8a4ac527a1abbca14aaad">5e75d695</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Add support for enumerating ip networks
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ab2cd9ca57edd1ab69cc5a3019376ec71b5ea11d">ab2cd9ca</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Add support for ipnetworks enumeration
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f70695730b3b73e5e89f460a5ab133b7056fa7af">f7069573</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: Implement ipnetwork cleanup for expired cache entries
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/08b774e43956d1269c4a98626a899bbc9825e56f">08b774e4</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PROXY: Add support for ipnetwork enumeration
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ebe944ba9852b230bf352dcc94cbb9a7e5c3f9dc">ebe944ba</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-04-23T13:40:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add LDAP resolver IP networks tests
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f5cb0e160db572b9789307228ee76c655626bd5d">f5cb0e16</a></strong>
<div>
<span>by REIM THOMAS</span>
<i>at 2020-04-29T14:16:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Grant access if DACL is not present
We falsely stopped GPO processing when Group Policy Container
in AD did not contain a DACL or "DACL Present" bit was not set.
Such GPOs are considered to be applicable according to MS-ADTS:
https://msdn.microsoft.com/en-us/library/cc223518.aspx.
Resolves:
https://pagure.io/SSSD/sssd/issue/3324
Signed-off-by: REIM THOMAS <reimth@gmail.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8527ed113aba315061b3d54d8c5c803e290857b4">8527ed11</a></strong>
<div>
<span>by REIM THOMAS</span>
<i>at 2020-04-29T14:16:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Support group policy file main folders with upper case name
There are AD domain controller implementations that use upper case names
for the main folder on SYSVOL under which group policy files and templates
are stored. E.g. 'MACHINE' instead of 'Machine'.
gpo_child uses library libsmbclient to copy group policy files from the AD
domain controller into a local GPO cache directory. libsmbclient does not
allow to request the domain controller to perform case insensitive SMB URI
lookups, if SYSVOL is located on a case sensitive file system. If a group
policy template is stored under main folder 'MACHINE' gpo_child cannot
retrieve the policy data and exits with error code 2 (No such file or
directory). GPO based access control fails with error 22 (Invalid argument)
and users may not be able to login.
GP_EXT_GUID_SECURITY_SUFFIX constant defines a case sensitive main folder
name (/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf) for the policy
template to retrieve. If the group policy file cannot be retrieved, gpo_child
will now also try to retrieve the file using an upper case main folder name,
i.e. /MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf.
Resolves:
https://pagure.io/SSSD/sssd/issue/3324
Signed-off-by: REIM THOMAS <reimth@gmail.com>
Signed-off-by: Thomas Reim <reimth@gmail.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/866d588ae735d194fb69b1f9e8ced0e02aeb447b">866d588a</a></strong>
<div>
<span>by REIM THOMAS</span>
<i>at 2020-04-29T14:16:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Close group policy file after copying
The SMB protocol sequence for copying the content of group policy files
should be:
- smbc_getFunctionOpen()
- smbc_getFunctionRead()
- smbc_getFunctionClose().
Inform the AD server, that we do not need further access to a policy file
after we have copied its content.
Resolves:
https://pagure.io/SSSD/sssd/issue/3324
Signed-off-by: REIM THOMAS <reimth@gmail.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5435e0a6659a15682b287190ca83115c25fbc0a3">5435e0a6</a></strong>
<div>
<span>by REIM THOMAS</span>
<i>at 2020-04-29T14:16:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Group policy access evaluation not in line with [MS-ADTS]
The implemented security ACE evaluation algorithm is too strict and does not
meet Microsoft technical specifications:
Security access rights for a group policy object may be split into several
access control entries (ACE). The implemented algorithm does not consider
this and denies access to GPOs, where the "ApplyGroupPolicy" (AGP) ACE is
preceded by a standard access rights ACE. The algorithm also denies
access, if the AGP ACE is preceded by other extended object ACEs.
Update security access right evaluation algorithms to be in line with the
applicable Microsoft technical specifications:
- Add a simple evaluation algorithm to check standard access rights for the
complete GPO ([MS-ADTS] 5.1.3.3.2 and [MS-GOPD] 2.4):
The requester must have been granted read access (RIGHT_DS_READ_PROPERTY)
to the properties of the GPO
- Fix the "ApplyGroupPolicy" evaluation algorithm to be in line with
[MS-ADTS] 5.1.3.3.4
Further improve debug messages during security filtering for administrators
to figure out why access to a GPO was denied:
- Inform administrators when a GPO with applicable AGP access right has not
been evaluated due to missing or denied read access.
- Show the trustee's SID that specifies the particular user or group for
which GPO access has been denied
- Align message content to Microsoft tool like Gpresult
Resolves:
https://pagure.io/SSSD/sssd/issue/3324
Signed-off-by: REIM THOMAS <reimth@gmail.com>
Signed-off-by: Thomas Reim <reimth@gmail.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a32f94f5c74d2216a84334a2a786a86077fa6a99">a32f94f5</a></strong>
<div>
<span>by REIM THOMAS</span>
<i>at 2020-04-29T14:16:45+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">GPO: Improve logging of GPO security filtering
GPO security filtering is as critical as the actual logon policy rights
checking. Administrators should not only be able to figure out, why GPO
access check granted or denied a user login, but also why a GPO access
check was not performed due to security filtering.
GPO access check can be logged using debug level Function Data, whereas GPO
security filtering can only be logged with lowest level tracing.
- Debug the main security filtering activities on level Function Data
- Debug missing security descriptor as minor failure, because it terminates
GPO security filtering.
Resolves:
https://pagure.io/SSSD/sssd/issue/3324
Signed-off-by: REIM THOMAS <reimth@gmail.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4c93aa76d93fa786d52f78cd76d3afd94ee75ea2">4c93aa76</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2020-05-05T12:47:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DOMAIN: Downgrade log message type
Not all domains contain a flat name.
This is specific and in most cases needed for AD domain.
In case of AD domain flat name checking and failure log already exists:
src/providers/ad/ad_domain_info.c +104
src/util/usertools.c contains more generic domain related
functions. In those cases missing of flat_name should not be
considered as failure.
Resolves:
https://github.com/SSSD/sssd/issues/1032
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9b120fe09d6a0567494bc31e4bb637d65422e600">9b120fe0</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-06T09:41:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: added explicit `samba-client-libs` dependency
Resolves: https://github.com/SSSD/sssd/issues/5136
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a7099b72f5481a80a444f8bd545ee4872b19cd10">a7099b72</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-06T09:42:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo: fix ldap_sudo_include_regexp default
With https://github.com/SSSD/sssd/pull/627 the default value for
ldap_sudo_include_regexp should be set to 'false' but unfortunately the
patch was incomplete. With this patch the default should be changed
properly.
Resolves https://pagure.io/SSSD/sssd/issue/3515
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ac7248e83a6d020d609d9a8433d45a684b98645a">ac7248e8</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-06T09:44:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: use GSSAPI with LDAPS
There is an issue in some cyrus-sasl versions where a max SSF of 0 (zero)
is not handled correctly when using GSS-SPNEGO. To be on the safe side
we switch to GSSAPI in that case.
Related to https://pagure.io/SSSD/sssd/issue/4007
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dc21609f126b5e17d8a2b4857b8b655c7418e497">dc21609f</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-06T09:44:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: change SASL mech default to GSS-SPNEGO
Resolves: https://pagure.io/SSSD/sssd/issue/4007
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8b2c4ad070de51ff18273cff753d368bce8ab5a4">8b2c4ad0</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-07T11:23:07+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">config: switch to OpenSSL as default crypto backend
- switch default to OpenSSL
- warn about deprecation in the case NSS is selected
during configuration
Resolves: https://github.com/SSSD/sssd/issues/1041 parts I.1 and I.2
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5379fddb16b1a7f45bb56bbcbd818bf2a241e26b">5379fddb</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-07T11:24:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: 'sssd.api.*' should belong `python-sssdconfig`
`sssd.api.conf` and `sssd.api.d/*` are only used by python-sssdconfig,
not by sssd-common.
Resolves: https://github.com/SSSD/sssd/issues/1038
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b4354623285dbf15e14261bd3be0ac0beb44af37">b4354623</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-12T10:02:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: NSS db setup is only required in NSS based build
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/090d804c89dfb4816bab8d20aaf82330643f6644">090d804c</a></strong>
<div>
<span>by Samuel Cabrero</span>
<i>at 2020-05-12T10:03:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Drop obsolete SUSE spec file
Just for reference, SUSE spec files are available in openSUSE build
service: https://build.opensuse.org/package/show/network:ldap/sssd
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ee56fbca310238193fb1580433a9b4a33b5e07d3">ee56fbca</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-05-12T10:04:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: fix initializer error
Building with:
```
$ echo $CFLAGS
-m64 -mtune=generic -fstack-protector-all -Wall -Wextra -Wno-sign-compare -Wshadow -Wunused-variable -Wno-unused-parameter -Wno-error=cpp -O0 -ggdb3 -Werror -Wp,-U_FORTIFY_SOURCE
```
Produces:
```
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c: In function ‘get_preferred_rsa_mechanism’:
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c:1296:9: error: missing initializer for field ‘evp_md’ of ‘struct prefs’ [-Werror=missing-field-initializers]
1296 | { 0, NULL }
| ^
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c:1288:23: note: ‘evp_md’ declared here
1288 | const EVP_MD *evp_md;
| ^~~~~~
```
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f2ac087daa51137fc5a3951d4d9b8529d98a7828">f2ac087d</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-12T11:35:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SBUS: do not return invalid connection pointer
Resolves:
https://github.com/SSSD/sssd/issues/5126
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/db6f6b6ddab56f7876a34af41736caa189cff043">db6f6b6d</a></strong>
<div>
<span>by Alex Rodin</span>
<i>at 2020-05-15T10:39:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: use_fully_qualified_names description updated
Has updated the information about when the option defaults to TRUE
Resolves: https://github.com/SSSD/sssd/issues/1025
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/49b9ca15866f59d6e3c1b572545d1b9e76625892">49b9ca15</a></strong>
<div>
<span>by ikerexxe</span>
<i>at 2020-05-15T10:40:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa_auth and krb5_auth: when providing wrong password return PAM_AUTH_ERR
When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.
Resolves:
https://github.com/SSSD/sssd/issues/5139
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/035271b72479845f9ef3d2ffe39656cd21926a32">035271b7</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2020-05-15T10:41:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MAN: refresh_expired_interval description updated
In some situations background task triggered by setting
refresh_expired_interval looks to be broken.
MAN description for refresh_expired_interval has been updated
to inform user about this scenario.
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/95c8667a547368442c5c8ecd44602d4ec888ab16">95c8667a</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-19T11:05:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ad: make GSS-SPNEGO maxssf=0 workaround configurable
To allow to by-pass the workaround if the installed cyrus-sasl can
handle maxssf=0 with GSS-SPNEGO a new configure option
--enable-gss-spnego-for-zero-maxssf is added. By default this option is
set to 'no' and the workaround is enabled.
Resolves: https://github.com/SSSD/sssd/issues/4978
https://pagure.io/SSSD/sssd/issue/4007
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/11435b1060675339263ce0a2a546cc44ab9bd576">11435b10</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-19T11:06:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5: do not cache ccache or password during preauth
The PAM preauth step is mainly used to determine which authentication
methods (single factor, two factor, Smartcard) are available for the
user. It does not make sense to try to store the password hash or the
credential cache at this step because this information is not available
or not accurate at this step.
It might even cause issues if the credential cache name contains a random
component. This is typically used for file based credential caches
stored in the /tmp directory to avoid attacks to pre-create the file
since the name is known. Since the credential cache name still contains
the template for the random component 'XXXXXX' updating the credential
cache name in the cache during preauth destroys the information about
the currently used credential cache and upcoming authentications will
create a new one.
This causes issues with screen-savers or screen-lock where every
unlocking creates a new credential cache file and does not update the
existing one as it is expected. Another case is if a user logs in
multiple times to the same host, e.g. with ssh. Here it is expected as
well that the first session will create a new credential cache file
while all additional sessions will reuse it and only update the TGT in
the existing credential.
Resolves: https://github.com/SSSD/sssd/issues/5160
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/bf8536a0ba3fddf27cd8529b3d8725aaff5e361c">bf8536a0</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-19T11:12:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed unsafe usage of strncpy()
This patch fixes unsafe usage of strncpy() that renders warnings like:
```
In function ‘ad_try_to_get_fqdn’,
inlined from ‘ad_get_common_options’ at ../src/providers/ad/ad_common.c:540:19:
../src/providers/ad/ad_common.c:468:5: warning: ‘strncpy’ specified bound 65 equals destination size [-Wstringop-truncation]
468 | strncpy(buf, res->ai_canonname, buflen);
```
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b572871236a7f9059d375a5ab1bff8cbfd519956">b5728712</a></strong>
<div>
<span>by Simo Sorce</span>
<i>at 2020-05-19T11:16:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cache_req: introduce cache_behavior enumeration
Instead of using individual booleans for controlling the behavior
of the nss responder with regard to cache usage, use a single
enumeration that can be extended to add new behaviors as needed.
Related:
https://pagure.io/SSSD/sssd/issue/4098
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d2424bfb733c4de1582ad423394aa272e109b58a">d2424bfb</a></strong>
<div>
<span>by Simo Sorce</span>
<i>at 2020-05-19T11:16:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: Use cache for users with existing session
Users that have an existing session do the bulk of their authentication
to unlock services that do not make use of initgroups (used only to
create a new login session). Forcing online initgroups calls for these
users leads mostly to delays in providing those services and does not
provide any useful data.
Resolves:
https://pagure.io/SSSD/sssd/issue/4098
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b66f0e44816bf858b3085b5538e2f8f50d9e8ae7">b66f0e44</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-19T11:16:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: add option pam_initgroups_scheme
This new option should be used to tell the PAM responder to refresh the
user's group memberships either with every new PAM session or always
rely on cached data or refresh the data only if the user currently has
no active login session.
Resolves: https://pagure.io/SSSD/sssd/issue/4098
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/68aa68e8d7c3917d0a3acdf05d083fd8ada8cc60">68aa68e8</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-19T11:16:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: use pam_initgroups_scheme
The new pam_initgroups_scheme option is used to control how the PAM
responder is refreshing the group membership data of the user.
Resolves: https://pagure.io/SSSD/sssd/issue/4098
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/74f0a451bd5e3e2afc7260ba98fc4102ec08ea1d">74f0a451</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-19T11:16:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cache_req: no refresh with CACHE_REQ_BYPASS_PROVIDER
This patch fixes an unexpected behavior of the cache request code if the
CACHE_REQ_BYPASS_PROVIDER option is used. Currently even if this option
is used an expired entry in the cache is refreshed by calling the
provider. With this patch an error is returned if the entry is expired
and the provider is not called.
Resolves: https://pagure.io/SSSD/sssd/issue/4098
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/272efe495206cb52ef01e8f4ccdc3062988bdf22">272efe49</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2020-05-19T11:16:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: make sure initgr cache is not created twice
There are now two code paths which might call pam_initgr_cache_set() so
we should make sure the initgr cache is not created twice.
Resolves: https://pagure.io/SSSD/sssd/issue/4098
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7b25375155e7b7f640d30dcfdf5b55482a6102a7">7b253751</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-19T11:19:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: changed timestamp output format
Changed timestamp format from (example) "(Tue Apr 21 14:35:30 2020)" to
"(2020-04-21 14:35:30)" to have tidier and "sorting friendly" logs.
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b5604d072e93bca7fc0c408fcfbb88f41c4d50ca">b5604d07</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-19T11:19:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: introduce new SSSDBG_TRACE_LDB level
libldb LDB_DEBUG_TRACE messages usually don't bring any useful info
but create a lot of unneeded noise in the logs.
Nonetheless it feels too radical to drop them completely.
This patch introduces new debug_level=10 (0x10000) especially for those
messages.
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/00e7b1ada3d1c1071eac79b65c17cd2701c2ae6a">00e7b1ad</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-19T11:19:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: changed "debug_prg_name" format
Removed wrapping "[sssd[...]]" from "debug_prg_name" as this doesn't
carry any information but eats 8 characters of debug line.
For example instead of `[[sssd[ldap_child[12492]]]]` logs will have
`[ldap_child[12492]]`
I also was considering to remove "debug_prg_name" from the output
completely but gave up this idea. It makes sense to have program name
in the output to be able to combine few logs together (sorted by
timestamp).
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/65369f293b06ce0fe5622502bb32596bb50c523a">65369f29</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2020-05-19T11:19:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WATCHDOG: log process termination to the journal
This patch adds explicit system journal message in case process was
terminated by an internal watchdog.
Resolves: https://github.com/SSSD/sssd/issues/5146
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/69de78d828b28e1716ff7024a2fd518e4c68a42f">69de78d8</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-05-19T11:50:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move from Pagure to Github
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ed64f142f617b154235831d5cb68575604567bbc">ed64f142</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2020-05-19T12:21:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update the translations for the 2.3.0 release
</pre>
</li>
</ul>
<h4>11 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#fb74e0ab745627ca1d3a24827b12823666934e79">
.git-commit-template
</a>
</li>
<li class="file-stats">
<a href="#2c5c5ed7d77485b627b5ba2e90b2f87baf64be55">
BUILD.txt
</a>
</li>
<li class="file-stats">
<a href="#0c2c5c506cef0ed2d3ad2b7e45e97980b66f5520">
Jenkinsfile
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d">
README.md
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#3ead13c99a6fdcbcc0a23d3846e2a8837cc2f3e7">
contrib/ci/run
</a>
</li>
<li class="file-stats">
<a href="#b8d57aa4a09effcbac8deeffe8aea9131499424f">
contrib/sssd.spec.in
</a>
</li>
<li class="file-stats">
<a href="#c6530ce051d2e35856113d52e867a9581fa7b43d">
<span class="deleted-file">
−
contrib/suse/sssd.spec.in
</span>
</a>
</li>
<li class="file-stats">
<a href="#944f00a9afc281fcd148fc61fdc2cf888f624877">
contrib/test-suite/test-suite.yml
</a>
</li>
<li class="file-stats">
<a href="#4e573a66c66b45b45a1e180cad791738ed22cdd2">
po/bg.po
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/sssd-team/sssd/-/compare/8607b4822e4b6437d87dabf714882407f8959ef2...ed64f142f617b154235831d5cb68575604567bbc">View it on GitLab</a>.
</p>
</div>
</body>
</html>