<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/sssd-team/sssd">Debian SSSD packaging / sssd</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4c47f1daf23291b0dd76593834cb770f28215767">4c47f1da</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-05T13:34:37+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">scripts: change release tag from sssd-x_y_z to x.y.z
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/db51ce55f9afe61b464fbbe2a50097d6d66fbcdf">db51ce55</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-05T13:45:58+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update version in version.m4 to track the next release
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d547a2dc1803ec10cbeda2b27b92ecc97adfd24b">d547a2dc</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-02-05T19:02:05+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: fixes gpo_child linking issue
/usr/bin/ld: src/util/gpo_child-signal.o (symbol from plugin): undefined reference to symbol 'BlockSignals@@SAMBA_UTIL_0.0.1'
Resolves: https://github.com/SSSD/sssd/issues/5385
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5ce7ced269c7b3dd8f75122a50f539083b5697ae">5ce7ced2</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-02-11T12:01:23+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam_sss_gss: support authentication indicators
MIT Kerberos allows associating authentication indicators with the
issued ticket based on how the TGT was obtained. The indicators
present in the TGT are then copied to service tickets. There are two ways to
check the authentication indicators:
- when KDC issues a service ticket, a policy at KDC side can reject the
ticket issuance based on a lack of certain indicator
- when a server application is presented with a service ticket from a
client, it can verify that this ticket contains intended
authentication indicators before authorizing access from the client.
Add support to validate presence of a specific (set of) authentication
indicator(s) in pam_sss_gss when validating a user's TGT.
This concept can be used to only allow access to a PAM service when user
is in possession of a ticket obtained using some of the pre-authentication
mechanisms that require multiple factors: smart-cards (PKINIT), 2FA
tokens (otp/radius), etc.
Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b100efbfabd96dcfb2825777b75b9a9dfaacb937">b100efbf</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-11T12:01:43+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo: do not search by low usn value to improve performance
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Setup LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/75343ff575f05a69750a6482de9abc29d85100bf">75343ff5</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-16T11:18:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap: fix modifytimestamp debugging leftovers
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b1f4dc82a5f9d30121f641430c9cbbb804686974">b1f4dc82</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-02-16T11:26:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: don't hard require python3-sssdconfig in a meta package
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5c9143e9a8392148cde490be5831e0b4543cff2d">5c9143e9</a></strong>
<div>
<span>by Stanislav Levin</span>
<i>at 2021-02-16T11:32:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam_sss: Don't fail on deskprofiles phase for AD users
By default (if session_provider is not none) during session setup
pam_sss attempts to fetch desktop rules and profiles for user from
IPA domain. As part of this job, the data provider looks for the
user info(uid and gid) in IPA domain but fails to do that for AD
user from a trusted domain returning PAM_SESSION_ERR.
The requested target domain has been already found in `dp_req_new`
and may be referenced as `params->domain`. This change doesn't
introduce the possibility to fetch deskprofiles for AD users, but
at least, doesn't break PAM authentication for them.
Resolves: https://github.com/SSSD/sssd/issues/5499
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/135d843f61530ce4d4ad27555b4f6e6670a352d8">135d843f</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-19T10:11:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: remove setuid bit from child helpers if sssd user is root
The setuid bit is only needed if sssd runs as non-root user.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a53c214b77a305f9a0a1d038254567c7e7c07a53">a53c214b</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-02-19T10:11:38+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec file: don't enable implicit files domain on RHEL
Corresponding code is built and users can enable files domain
on an as-needed basis. But there is little value running it on
RHEL "as is" by default.
(As a reminder, as a comment in this file says, this is a
"SSSD SPEC file for Fedora 34+ and RHEL-9+")
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9aaa0e51ddf556265b799d551e29a6eaccfea13e">9aaa0e51</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-02-19T10:12:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">systemd configs: limit process capabilities
This is to upstream https://src.fedoraproject.org/rpms/sssd/blob/f34/f/0502-SYSTEMD-Use-capabilities.patch
Additionally even more limited CapabilityBoundingSet is applied to ifp and
kcm services (CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
CAP_BLOCK_SUSPEND are excluded as compared to main sssd service)
:relnote: Example systemd service configs now make use of CapabilityBoundingSet
option as a security hardening measure.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
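<div>Added example (not part of the commit and not SSSD's own unit files): a Python check that computes the effective CapabilityBoundingSet of a unit's [Service] section and reports any of the six capabilities the commit message says are excluded for ifp and kcm. The sample units, paths and function names are constructed for illustration, and the merge rules are a simplified model of those documented in systemd.exec(5).</div>
<pre>
```python
# Added example: audit CapabilityBoundingSet= in a systemd unit.
# Not SSSD code; the unit contents and names below are constructed.

# Capability names used to expand inverted ("~") lists.
ALL_CAPS = frozenset("""
CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW
CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE
CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ
CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE
""".split())

# The six capabilities the commit message lists as excluded for ifp and kcm.
EXCLUDED_FOR_IFP_KCM = frozenset(
    "CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_SYS_ADMIN "
    "CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND".split())


def effective_bounding_set(unit_text):
    """Return the bounding set of the [Service] section, or None if unset.

    Simplified model of systemd.exec(5): plain lists are merged by OR,
    "~" lists remove capabilities, an empty value resets to the empty set.
    """
    effective = None
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        invert = value.startswith("~")
        names = set(value.lstrip("~").split())
        unknown = names - ALL_CAPS
        if unknown:
            raise ValueError("unknown capability: " + ", ".join(sorted(unknown)))
        if not names:
            # "" resets to nothing, a bare "~" resets to everything.
            effective = set(ALL_CAPS) if invert else set()
        elif effective is None:
            effective = set(ALL_CAPS) - names if invert else names
        elif invert:
            effective = effective - names
        else:
            effective = effective | names
    return effective


def audit_unit(unit_text, forbidden=EXCLUDED_FOR_IFP_KCM):
    """Return the sorted forbidden capabilities the service can still hold."""
    effective = effective_bounding_set(unit_text)
    if effective is None:
        # No CapabilityBoundingSet= at all: nothing is dropped.
        return sorted(forbidden)
    return sorted(effective.intersection(forbidden))


# Constructed sample: allow-list, with a second line merged by OR.
HARDENED_UNIT = """
[Unit]
Description=constructed sample responder

[Service]
ExecStart=/usr/libexec/example/responder
CapabilityBoundingSet= CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
CapabilityBoundingSet= CAP_DAC_OVERRIDE
"""

# Constructed sample: deny-list that forgets most of the six capabilities.
INVERTED_UNIT = """
[Service]
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_MODULE
"""

# Constructed sample: the option only appears outside [Service], so it is unset.
UNSET_UNIT = """
[Unit]
CapabilityBoundingSet=CAP_CHOWN

[Service]
ExecStart=/usr/libexec/example/responder
"""

if __name__ == "__main__":
    for name in ("HARDENED_UNIT", "INVERTED_UNIT", "UNSET_UNIT"):
        print(name, audit_unit(globals()[name]))
```
</pre>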
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ee9dbea1e67365ef1a48fff6bbf7cb4844c4b9ad">ee9dbea1</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-02-19T10:12:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">monitor: fixed default value of 'user' config option
1) man page explicitly and unconditionally says that default value
for this option is 'root' so this patch just aligns code with a doc
2) since at the moment "sssd running as non-root" feature isn't really
tested and is proposed at "use at your own risk" basis it wouldn't hurt
to require user to configure this option explicitly even when sssd is
built with "--with-sssd-user=sssd"
This should be changed when feature is really supported.
:relnote: default value of 'user' config option was fixed into accordance
with man page, i.e. default is 'root'
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/fd7ce7b3de9647eb6de75c3dd3974b44d860078e">fd7ce7b3</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-02-19T10:12:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">systemd configs: add CAP_DAC_OVERRIDE in certain case
If sssd is configured with --with-sssd-user=<user> where <user>!='root'
but is actually run under the root we need CAP_DAC_OVERRIDE to access
files owned by <user>:<user>
If sssd is really run under non-root account that doesn't have this cap
originally then its addition to CapabilityBoundingSet doesn't matter.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f890fc4b592767f3f0b2bd5515cbd9516505ebe9">f890fc4b</a></strong>
<div>
<span>by ikerexxe</span>
<i>at 2021-02-19T14:28:37+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESPONDER: check that configured sockets match
Check if the sockets defined in systemd unit and sssd.conf match. If
they don't, then print a warning message.
Moreover, change man page regarding socket_path option to indicate that
it will be overwritten by systemd's unit file.
Resolves: https://github.com/SSSD/sssd/issues/5406
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/50e3221dac1f565fa0486c5d07b6f544fae0786a">50e3221d</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-19T16:43:14+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder: fix warning in activate_unix_sockets
The warning is with systemd disabled.
```
src/responder/common/responder_common.c: In function ‘activate_unix_sockets’:
src/responder/common/responder_common.c:1005:15: error: unused variable ‘sockaddr_len’ [-Werror=unused-variable]
1005 | socklen_t sockaddr_len = sizeof(sockaddr);
```
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/709bfc4a0b1a3038f7f2f2cf08b800f9149f7561">709bfc4a</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-19T16:57:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pot: update pot files
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9eeaf23baf48b64922ab979c796c6e760131ad41">9eeaf23b</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-02-19T17:06:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update version in version.m4 to track the next release
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b5c2389bc2978deeba62018115f351876c7b0749">b5c2389b</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-02-24T11:27:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: Add function to control services
We can use this function to start, stop or restart any service
Reviewed-by: Madhuri Upadhye <mupadhye@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0ff8d462bbf8a120f434220b63db6a0963b310ec">0ff8d462</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-02-24T11:28:07+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD Log: write_krb5info_file word replacement
Replace write_krb5info_file in SSSD log file with exact filename.
Resolves: https://github.com/SSSD/sssd/issues/5505
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/634b3c940981f7c122009d4e43827c4b6780dc06">634b3c94</a></strong>
<div>
<span>by aborah</span>
<i>at 2021-03-01T11:08:14+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0
Starting from sssd-1.16.5-10.el7_9, the first query performed
with smart refresh contains modifyTimestamp attribute even
if the modifyTimestamp is 0.
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/32d2aa55435ea461fc425e776c12b8c5cffd8e09">32d2aa55</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-05T12:26:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">prompt config: fix covscan errors
Covscan is confused by dangling pointers in arrays after freeing. Its
analyzer may decide to visit already visited list elements and since
they weren't NULL-ed, it may consider double-free to happen in the code.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d73f1282748201582006185312701b4b09460195">d73f1282</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-05T12:26:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">covscan: initialize ret variable before use
covscan does consider 'ret' uninitialized even though
GET_ATTR/GET_ATTR_ARRAY macros have explicit and unconditional
assignment to ret. This is confusing but causing actual failures in
covscan runs.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/42c9ca0cdbb0508812dc1c17382d277fa1f83e8a">42c9ca0c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2021-03-05T12:26:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">covscan: symlink() expects non-NULL second argument
Author: Alexander Bokovoy <abokovoy@redhat.com>
Amended by: Alexey Tikhonov <atikhono@redhat.com>
(used 'EINVAL' as error code instead of 'ENOMEM')
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1724482caeeb56e38a93190448a1f6e70a2dd3e3">1724482c</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-03-05T12:26:35+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: replace localtime() with localtime_r()
localtime_r() is much more performant (~x12 times faster on my machine)
as it sets `tzname` only once while localtime() does this every time
it is executed (and this includes string manipulations, getenv(),
stat("/etc/localtime"), etc)
As a result of this replacement, average time consumed by a trivial debug
message (one %d arg) is reduced by ~40..45% on my machine.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f553b57dd9d2d6088c58a9fe5b58b1d47a32d025">f553b57d</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-03-05T12:26:35+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: replace gettimeofday() with time() if usec isn't needed
gettimeofday() is much slower than time() and accounts for ~2% of total
time consumed by DEBUG.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5f840192eef2766db6642a3c9fd8b4f13be7222d">5f840192</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-03-05T12:26:35+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: cache string representation of last timestamp
Significant part (~15%) of time consumed by DEBUG is spent formatting string
representation of a timestamp. For a case of heavy logging it makes sense
to cache this string and re-format only in case timestamp changed.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/815197cb1d33ad0ac8538f5402a7b95e9f474e7f">815197cb</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-03-05T12:26:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: do not use systemd to restart services with RefuseManualStart=true
These service unit files have RefuseManualStart=true, therefore they can
be controlled only as a dependency via the main sssd.service or socket
activation.
Resolves: https://github.com/SSSD/sssd/issues/5521
:fixes: SSSD spec file `%postun` no longer tries to restart services that
can not be restarted directly to stop producing systemd warnings
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8e8ccca5d647b373ce633df18578376df0681473">8e8ccca5</a></strong>
<div>
<span>by ikerexxe</span>
<i>at 2021-03-05T12:27:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: test socket path when systemd activation
Test socket path when sssd-kcm is activated by systemd. If socket in
systemd unit and sssd.conf is defined in different locations then print a
warning.
Verifies: https://github.com/SSSD/sssd/issues/5406
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b8d8b377524463ab378d1f2c13eeeb6738fbff2b">b8d8b377</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-03-16T13:03:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: fixed mistype in a debug message
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b165acb6d269a54f0961c93cbadaf5e7c3385ee0">b165acb6</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-03-16T13:04:00+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: missing multihost in service_ctrl
This update will fix the method and make it usable
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c7733c44411aadc45dd3f209551a78c2609fa9a3">c7733c44</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-03-16T13:13:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: Update test docstrings enable polarion updates
These docstring updates are a requirement to enable automatic updates
into polarion using betelgeuse tool. It will help to add/update test
cases and import test results from CI. Each test case must have 'id' to
make it unique. The tool will use it to update the respective case and
will avoid adding duplicate test case in polarion.
Reviewed-by: Anuj Borah <aborah@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/341c5e358180d8297276a38f3cf6eb9dbbbc6c62">341c5e35</a></strong>
<div>
<span>by Weblate</span>
<i>at 2021-03-18T11:44:48+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po: update translations
Currently translated at 2.8% (21 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
Translated using Weblate (Finnish)
Currently translated at 2.5% (68 of 2643 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
Translated using Weblate (Chinese (Simplified) (zh_CN))
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/
Translated using Weblate (Japanese)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/
Translated using Weblate (French)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
Translated using Weblate (Polish)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9da41eb910ed292a9ed27aa8b66c4d4c8c842122">9da41eb9</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-03-22T10:44:52+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SPEC: added 'BuildRequires: po4a'
'po4a' is needed when building from srpm made from upstream sources, i.e.
without prepared translations.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c796088ea9cade211f65ac202416691ad2be6349">c796088e</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-03-22T10:45:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: fix warning ‘security_context_t’ is deprecated
The type is now deprecated, char * should be used instead
https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/3fba29f98069960ab9c2684a925e258b1003a9ae">3fba29f9</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-03-22T10:45:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: fix warning ‘matchpathcon’ is deprecated
```
src/util/selinux.c: In function ‘selinux_file_context’:
src/util/selinux.c:50:9: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
50 | if (matchpathcon(dst_name, 0, &scontext) < 0) {
```
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ecf26727c30a9a5b9adfba0ce6f23572b6f4957a">ecf26727</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-03-22T10:45:59+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">selinux: make SEC_CTX and SELINUX_CTX typedef instead of macro
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2a512fdf57055a2ce4ae02256dfabb5b74d2abd6">2a512fdf</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-03-25T11:39:14+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">systemd configs: add CAP_DAC_OVERRIDE for ifp in certain case
Commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e missed ifp.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0e0951478d4d4b2b2a65b390bd9f749bbb9c9b2e">0e095147</a></strong>
<div>
<span>by Heiko Schlittermann (HS12-RIPE)</span>
<i>at 2021-03-25T11:41:07+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix setXYent(): rewind always
This compensates for "forgotten" endXYent() calls during the same session,
as observed with Dovecot authd.
Affected functions:
- setgrent()
- sethostent()
- setnetent()
- setnetgrent()
- setpwent()
- setservent()
TLDR;
SSSD assumes the following sequence in the consumer for enumeration:
setXYent(); while (getXYent()) { ... }; endXYent();
setXYent(); while (getXYent()) { ... }; endXYent();
But the 2nd setXYent() fails to rewind if in the above sequence the
call to first endXYent() is omitted.
Dovecot's authd is an example for omitting the endpwent(). They confirmed
an associated bug report already. But, formally speaking, the
documentation for setXYent() indicates that it should rewind. Period. :)
The endXYent() probably is for pure comfort, resource management, etc.
I built this into a private copy of the sssd packages Debian ships
(Buster/Debian10, 1.16.3) and used them in production (tested with AD
provided users and groups), using a simple Perl script.
#! /usr/bin/perl
use strict;
use warnings;
sub users {
    my $n;
    setpwent() or die "setpwent: $!\n";
    $n++ while $_ = getpwent();
    # endpwent(); # missing!
    return $n;
}
print users(), "\n"; # reports number of all users
print users(), "\n"; # users backed by sssd are missing
Resolves: https://github.com/SSSD/sssd/issues/5523
Patch co-authored by Sumit Bose.
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/986964149e5736207156e3368415ec5cb0357bbb">98696414</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-03-31T11:41:51+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CI: Use builtin command for pycodestyle check
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f1661c04a0d45dfb220d74bd90901444f58bd883">f1661c04</a></strong>
<div>
<span>by Tomas Halman</span>
<i>at 2021-04-01T11:17:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: Error is printed when everything is ok
Due to an invalid condition, an error message that the config file does not exist
is printed when there is actually no problem. This update fixes
the condition.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0fd0681d3a1476676064e752733b01f33d815659">0fd0681d</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Moved ldb_debug_messages() out of UTILS to SYSDB
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0dfb188ee2ae718d024ca939c816a8dec9527444">0dfb188e</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Moved declaration of debug related helpers defined in debug.c from util.h to debug.h
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/fee3883bb4cbf0a6e296de3bbf6ecf753932a48b">fee3883b</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: use '--logger' as the only option to configure logger type.
This patch gets rid of:
- 'debug-to-files', 'debug-to-stderr' command line options
- undocumented 'debug_to_files' sssd.conf option
and makes '--logger' command line option the only "source of truth" for
logger type configuration.
Those options were not used much anyway but made precedence logic obscure
in case contradictory settings were used.
:config: Long time deprecated and undocumented 'debug_to_files' option was
removed.
:relnote: 'debug-to-files', 'debug-to-stderr' command line and undocumented
'debug_to_files' config options were removed.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/fc5b64e8bfa9ce58bdb0adc68592954a3865e00e">fc5b64e8</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: make use of existing SSSD_DEBUG_OPTS macro
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c14e439cf300db3f6a78bb97d7622550e1d61676">c14e439c</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: incorporate sss_set_logger() into DEBUG_INIT
This makes code less error-prone reducing amount of function calls required
for debug initialization.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4d133e154845f225a8459636e06b18c0dfbb286f">4d133e15</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: remove sss_set_logger() from public API
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/cf699170443387955df32cb1ea5e20e477abc2ff">cf699170</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: added several comments to debug.h API and moved rarely used / "private" functions to the bottom.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/374d644f00a16c49deaba520cb05ba08ed5a34cb">374d644f</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Moved SSSDBG_MASK_ALL out of debug.h since it is only used in tests.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dde57f76854d40a01f53655e633c17c5aea187a4">dde57f76</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: incorporate open_debug_file() into DEBUG_INIT
This makes code less error-prone reducing amount of function calls required
for debug initialization.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/21334de236390e0e946d6a4fcde306f41a932214">21334de2</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MONITOR: added logging of cmd used to start services
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0cddb67128edc86be4163489e29eaa3c4e123b7b">0cddb671</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: introduce SSSDBG_TOOLS_DEFAULT
Resolves: https://github.com/SSSD/sssd/issues/5488
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/66960c76952baf6b636d4f1949822710a3dc7da8">66960c76</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-01T11:18:13+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">MONITOR: in case '-i' is given don't force logger to 'stderr' if its value is specified explicitly
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9a39ceba2d4d503bd1c37166322e88aae0187520">9a39ceba</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-04-06T10:45:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kcm: remove unneeded kcm.h
This file was copied from MIT Kerberos code, but we do not really
need it.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/81130b23206aff7a4076f13b04b310352be8a23f">81130b23</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-04-06T10:45:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kcm: add support for MIT extensions
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/560e247904ca4b9b1da9895548263c4b9772f92b">560e2479</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-04-06T10:45:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kcm: add GET_CRED_LIST for faster iteration
For large caches, one IPC operation per credential dominates the cost
of iteration. Instead transfer the whole list of credentials to the
client in one IPC operation.
Resolves: https://github.com/SSSD/sssd/issues/5545
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/49010b16ed90eb743dc7c47d2ba7b6ae84c049cd">49010b16</a></strong>
<div>
<span>by Iker Pedrosa</span>
<i>at 2021-04-08T11:16:54+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">configure: set CPP macro with AC_PROG_CPP
sssd build with an autoconf version greater than 2.70 fails because CPP
macro is empty. This change fixes this problem by setting the macro with
AC_PROG_CPP at the beginning of the configuration.
Resolves: https://github.com/SSSD/sssd/issues/5563
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/cd843dafe63589d0a77145445c454f6fc19dabae">cd843daf</a></strong>
<div>
<span>by Massimiliano Torromeo</span>
<i>at 2021-04-08T11:17:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">configure: Fix python headers detection with recent autoconf
Resolves: https://github.com/SSSD/sssd/issues/5336
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b6efe6b119b0c11314a324e8a2cf96fb74a9c983">b6efe6b1</a></strong>
<div>
<span>by Sam Morris</span>
<i>at 2021-04-12T13:28:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder/common/responder_packet: handle large service tickets
Resolves: https://github.com/SSSD/sssd/issues/5568
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c6a76283580c25ff78b36b8b23efdabbdb3a2cc1">c6a76283</a></strong>
<div>
<span>by Sam Morris</span>
<i>at 2021-04-12T13:28:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder/common/responder_packet: reduce duplication of code that handles larger-than-normal packets
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/63f318f73c933dc2cb08cad2f911a52d2281c45b">63f318f7</a></strong>
<div>
<span>by Sam Morris</span>
<i>at 2021-04-12T13:28:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder/common/responder_packet: add debug logging to assist with errors caused by overlarge packets
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/37d331774385b2b871ba76fcdef6ceafd776efce">37d33177</a></strong>
<div>
<span>by Sam Morris</span>
<i>at 2021-04-12T13:28:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder/common/responder_packet: further increase packet size for SSS_GSSAPI_SEC_CTX
Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
provides extra overhead should that increase in the future.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5c9fa75bd0ffa02e31cbbf19ee68134ed384229a">5c9fa75b</a></strong>
<div>
<span>by Sam Morris</span>
<i>at 2021-04-12T13:28:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder/common/responder_packet: remove some unnecessary checks before growing packet
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b87619f9a917d6ed9ecdb5360c4bf242dce8e372">b87619f9</a></strong>
<div>
<span>by Sam Morris</span>
<i>at 2021-04-12T13:28:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder/common/responder_packet: allow packets of max size
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2319788126e219c0f0c86baa3b7d53ea051570c5">23197881</a></strong>
<div>
<span>by aborah</span>
<i>at 2021-04-12T13:28:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: Tests if shadow-utils are immune against bugs in 2006:0032
Tests if shadow-utils are immune against bugs in 2006:0032
Reviewed-by: Anuj Borah <aborah@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/05e75dba38249827e7c506e83924916bd25863da">05e75dba</a></strong>
<div>
<span>by Marco Trevisan (Treviño)</span>
<i>at 2021-04-12T13:28:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test_pam_srv: Add test for CA certificate check using intermediate CA
Since the switch to libcrypto as security backend SSSD enforces that all
the CAs in the key chain must be trusted, so add a test that ensures
that this is true and that an intermediate certificate doesn't verify a
leaf one if we're missing the whole chain.
To build the certificates we use the test_CA main certificate
(SSSD_test_CA.pem) as the root CA authority while we create a new CA
intermediate certificate used to create new leaf certificates.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5ed48d2f8aef444e08a33044ba5bf5f9b1887948">5ed48d2f</a></strong>
<div>
<span>by Marco Trevisan (Treviño)</span>
<i>at 2021-04-12T13:28:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child_openssl: Free X509_VERIFY_PARAM if initialized
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/018043bbd58df3b7e9f76a6a4e0bf2356f003b74">018043bb</a></strong>
<div>
<span>by Marco Trevisan (Treviño)</span>
<i>at 2021-04-12T13:28:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">p11_child: Add support for 'partial_chain' certificate_verification option
As per the switch to libcrypto by default, the CA certificates DB needs
to contain the whole certificates key-chain in order to verify a leaf
certificate. This means that if an intermediate CA authority signed a
leaf certificate the CA DB we provide to SSSD needs to contain the whole
key-chain, up to the root CA cert in order to verify the leaf one.
Now, while this is indeed more secure, it may break previous
configurations that were based on an NSS database that contained only
trusted intermediate CA certificates.
To allow such setups to continue working (once the NSS db is migrated)
we need to permit a "weaker" setup where an x509 certificate is verified
when the CA database we test against contains only the intermediate CA
certificate that was used to sign it.
As per this, support `partial_chain` value to be used as
`certificate_verification` parameter that will add the
`X509_V_FLAG_PARTIAL_CHAIN` verify param flag to the store, as the
openssl's verify `-partial-chain` parameter works.
This setup can still be considered secure as it's still needed to have
configured the SSSD ca db to contain the trusted certs.
Add tests to check that we can verify a leaf certificate against its
parent (only) when using such option.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7e3edb0622b57ab31dd7fe7f634fe4ebb0fcc45c">7e3edb06</a></strong>
<div>
<span>by Marco Trevisan (Treviño)</span>
<i>at 2021-04-12T13:28:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: Add custom pam_cert_verification setting to override default
PAM uses by default the certificate_verification parameter, however we
may want to set specific settings to be used for PAM auth only.
So add pam_cert_verification setting option that will be used to define
the verification options.
If this value is unset, we'll fallback to default.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/65c90d8f98b3ed17574972f1e1bd77d2f2fcf64f">65c90d8f</a></strong>
<div>
<span>by Marco Trevisan (Treviño)</span>
<i>at 2021-04-12T13:28:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sssd.spec: BuildRequires on openssl tool
It's needed for creating the certificates we use for testing
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/509c2ac9317b7fbcf5fe8a140f9ba3c7d9a05401">509c2ac9</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-13T13:45:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa: skip id-range of unknown type
If a new range type is added in the IPA server SSSD currently considers
this as an error and stops processing and further server side options.
With this patch unknown range types are just skipped and no error is
returned.
Resolves: https://github.com/SSSD/sssd/issues/5571
:fixes: unknown IPA id-range types are not considered as an error
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/27172c9552e698e29e5779e3a754c4d6edf1a868">27172c95</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-13T13:45:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa: add unit test for ipa_ranges_parse_results
A unit test is added to check if unknown range types are properly
skipped. For this ipa_ranges_parse_results() is made public and moved to
a source file which is already used in a unit test to avoid the
inclusion of additional dependencies.
Resolves: https://github.com/SSSD/sssd/issues/5571
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/02d9625ef8b3c8e3254ef69cea77fce058d6337d">02d9625e</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-13T13:45:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa subdomains: do not fail completely if one step fails
Currently while updating server side data stored on an IPA server
during a subdomains request the whole request will fail if a single step
fails. As a result the remaining server side data which would have been
looked up after the failed attempt are missing.
With this patch a failure in a single lookup is not considered fatal and
SSSD will try to read the remaining data after an error occurred.
Resolves: https://github.com/SSSD/sssd/issues/5571
:fixes: During the IPA subdomains request a failure in reading a single
specific configuration option is not considered fatal and the
request will continue
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dab0ead2006d452c02254b75f43f51ddda3bcd91">dab0ead2</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-13T13:46:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSV: removed unused SUSE/sssd.id
see https://github.com/SSSD/sssd/pull/5535#issuecomment-814135680
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/37d255b285dbef7d4cf3e8093a32fc2bc0840fbf">37d255b2</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-13T13:46:11+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSV: replaced '-f' option in gentoo/sssd.in
This is follow up for PR#5535
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0e1452421fc99c094e1c23ced4efc44993e9702b">0e145242</a></strong>
<div>
<span>by peptekmail</span>
<i>at 2021-04-13T13:46:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: FIX: When generating a ssh pubkey from a cert extra padding is needed if a nonstandard exponent is chosen.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e865b008aa8947efca0116deb95e29cc2309256f">e865b008</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-13T13:46:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD GPO: respect ad_gpo_implicit_deny if no GPO is present
Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
all for the given client. With this patch this case is handled as
expected as well.
Resolves: https://github.com/SSSD/sssd/issues/5561
:fixes: `ad_gpo_implicit_deny` is now respected even if there are no
applicable GPOs present
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/53ae9b1e3ef5a3b9fcbcd324796b690caf695a9f">53ae9b1e</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-13T13:47:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam_sss: fixed potential mem leak
Fixes following covscan issue:
```
Error: RESOURCE_LEAK (CWE-772): [#def1]
src/sss_client/pam_sss.c:1714: alloc_arg: "asprintf" allocates memory that is stored into "prompt".
src/sss_client/pam_sss.c:1765: leaked_storage: Variable "prompt" going out of scope leaks the storage it points to.
# 1763| free(response);
# 1764|
# 1765|-> return ret;
# 1766| #else
# 1767| return ENOTSUP;
```
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/231d1118727b989a4af9911a45a465912fe659d6">231d1118</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-13T13:48:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">negcache: use right domain in nss_protocol_fill_initgr()
When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliably if the user can be a member of groups from multiple
domains.
With this patch the domain the group belongs to is determined and used
while checking the negative cache.
Resolves: https://github.com/SSSD/sssd/issues/5534
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4f3734274ce7c5ec84c4c244139cb35d2da40e78">4f373427</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-04-13T14:44:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ncache: Fix misleading function comment
sss_ncache_reset_repopulate_permanent() function is responsible
only for flushing and repopulating permanent entries in negative
cache. Old inline description suggests that full negative cache
wipe will be performed.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e69943594994e458508fcd443e3ba3865a643b1e">e6994359</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-04-13T14:44:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: Add description for CLEAR_MC_FLAG define
CLEAR_MC_FLAG is definition of flag file which is used
to sync memory cache clearing process in between sss_cache util
and NSS responder.
When sss_cache sends SIGHUP to NSS, existence of flag file
notifies responder that memory cache clearing should be
performed. Deletion of this file by responder notifies
sss_cache back that cache clearing operation has been finished.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6195ac70bd4aa18fee30477af8918b7848ca939a">6195ac70</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-04-13T14:44:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: Add negcache clearing sbus callback
NSS responder already has SBUS callback for memory cache clearing.
It is called by MONITOR when SIGHUP is handled.
This commit extends SBUS sssd.service interface with negcache
clearing ability executed under "clearNegcache" request.
<interface name="sssd.service">
<annotation name="codegen.Name" value="service" />
<annotation name="codegen.SyncCaller" value="false" />
<method name="resInit" />
<method name="goOffline" />
<method name="resetOffline" />
<method name="rotateLogs" />
<method name="clearMemcache" />
<method name="clearNegcache" />
<method name="clearEnumCache" />
<method name="sysbusReconnect" />
</interface>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7a4974c876ad5a8558dbd8897c7111a18aad47b1">7a4974c8</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-04-13T14:44:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: Clear negative cache when SIGHUP received
When MONITOR receives SIGHUP signal it sends cache clearing
request to NSS responder using SBUS "clearMemcache" command.
This commit adds calling for negcache clearing at the same time.
It is executed by calling "clearNegcache" from NSS SBUS API.
Resolves: https://github.com/SSSD/sssd/issues/4973
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/191b53529700f5d92f3db37b270ed624c53cbaa7">191b5352</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-04-15T10:28:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">data_provider: Configure backend probing interval
When be_ptask is created to monitor backend when SSSD
is in offline mode checks are happening in specified intervals:
delay = delay + (sss_rand() % task->random_offset);
New configuration option is introduced in this commit:
* offline_timeout_random_offset
Using this option allows end client to decide what
should be the size of random offset when new interval
for probing backend is calculated.
:feature: New configuration option `offline_timeout_random_offset`
to control random factor in backend probing interval
when SSSD is in offline mode.
:config: Added `offline_timeout_random_offset` configuration option
to control maximum size of random offset added to offline timeout
SSSD backend probing interval.
Resolves: https://github.com/SSSD/sssd/issues/5556
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5d65411f1aa16af929ae2271ee4d3d9101728a67">5d65411f</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-16T13:24:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_domain_info: add not_found_counter
This new counter should be used to track how often a domain could not be
found while discovering the environment so that it can be deleted after
a number of failed attempts.
Resolves: https://github.com/SSSD/sssd/issues/5528
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/95adf488f94f5968f6cfba9e3bef74c07c02ccff">95adf488</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-16T13:24:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">AD: read trusted domains from local domain as well
Currently SSSD only uses information stored in a domain controller of
the forest root domain to get the names of other trusted domains in the
forest. Depending on how the forest was created the forest root might
not have LDAP objects for all domains in the forest. It looks like a
typical case are child domains of other domains in the forest.
As a start SSSD can now include trusted domains stored in the LDAP tree
of a local domain controller as well. In a long run it would make sense
to allow SSSD to explicitly search for domain by looking up DNS entries
and checking a potential domain controller with a CLDAP ping.
Resolves: https://github.com/SSSD/sssd/issues/5528
:feature: Besides trusted domains known by the forest root, trusted
domains known by the local domain are used as well.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e0fcec928ec3bb5ae0e7fa753783a8820b01223a">e0fcec92</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-20T11:14:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: clarify single_prompt option
Make it more clear that the single_prompt prompting configuration option
can only be used with both factors even if the second is optional.
Resolves: https://github.com/SSSD/sssd/issues/5586
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/da55e3e69707de416b7949d08c165c950090bbb6">da55e3e6</a></strong>
<div>
<span>by Iker Pedrosa</span>
<i>at 2021-04-20T11:15:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ldap: retry ldap_install_tls() when watchdog interruption
When the call to ldap_install_tls() fails because the watchdog
interrupted it, retry it. The watchdog interruption is detected by
checking the value of the ticks before and after the call to
ldap_install_tls().
Resolves: https://github.com/SSSD/sssd/issues/5531
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/64340cacd2752f46aff58200048ec77482ab9997">64340cac</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-21T12:01:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">whitespace_test: remove 'debian' from exclude pattern as this is downstream specific.
See discussion in https://github.com/SSSD/sssd/pull/5435 for details
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/691fe4944a606e1d56d2f6bb77f5a6045317d4e9">691fe494</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-21T12:01:30+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: prefer homedir overrides over override_homedir option
Currently the override_homedir option will overwrite every home
directory even if a dedicated user override exists. With this patch a
home directory from a dedicated override will be preferred.
Resolves: https://github.com/SSSD/sssd/issues/5589
:relnote: A home directory from a dedicated user override, either local
or centrally managed by IPA, will have a higher precedence than the
override_homedir option.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/88eec1c22f188adc49f41b81fe5af03c995c690d">88eec1c2</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-21T12:02:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss client: make innetgr() thread safe
The innetgr() call is expected to be thread safe but SSSD's current
implementation isn't. In glibc innetgr() is implemented by calling the
setnetgrent(), getnetgrent(), endgrent() sequence with a private context
(struct __netgrent) which provides a member where NSS modules can store
data between the calls.
With this patch setnetgrent() will read all required data from the NSS
responder and store it in the data member of the __netgrent struct.
Upcoming getnetgrent() calls will only operate on the stored data and
not connect to the NSS responder anymore. endgrent() will free the data.
Since the netgroup data is read in a single request to the NSS responder
protected by a mutex and stored in private context of innetgr() this
call is now thread-safe.
Resolves: https://github.com/SSSD/sssd/issues/5540
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/29abf94e3aec2c54c76adf61318099097c41ea77">29abf94e</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-21T12:02:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">intg test: test if innetgr() is thread-safe
This integration test adds 2 large netgroups in LDAP and runs a program
with 2 threads looking up those netgroups in parallel.
Resolves: https://github.com/SSSD/sssd/issues/5540
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/38905cac4b67f0e4c4b0f59af9ea7474482f088e">38905cac</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-26T11:32:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">monitor: avoid NULL deref in monitor_service_shutdown()
Resolves: https://github.com/SSSD/sssd/issues/5598
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/cbfccb173d1cfa631350778abbee82bca1fbc296">cbfccb17</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-26T11:34:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: prefer PCRE2 over PCRE
:relnote:This release deprecates pcre1 support. This support will be
removed completely in following releases.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/519d943424ee744ecf7418df6bf6f0688a7d9099">519d9434</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-26T11:34:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/regexp: local functions shall be static
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/31bcb6f032c326d62fb7ac5efcf2ff55c9acbe04">31bcb6f0</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-26T11:34:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests/test_dp_opts: mem leak fixed
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9aa6fb34bea891e0385a9fc77f0181d01984c212">9aa6fb34</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-26T11:34:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests/test_nested_groups: mem leak fixed
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0fbe5af1f1e0b82cd36a8178e58d79b7dc357ab6">0fbe5af1</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-26T11:34:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">util/regexp: regular talloc d-tor shouldn't fail
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f2bcf74c43a682897e586eeb775c4bfedd95bafa">f2bcf74c</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-26T11:34:01+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sssd.supp: suppress false positive valgrind warning about 'pcre2_code' ptr
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6a60406b1d204c95701390ca6a757643620a5871">6a60406b</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-04-26T11:34:27+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: Modify subsystem to sst_idm_sssd
idm sst were sub divided in team specific sst and is now implemented in
polarion
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2276fc4262ee52c73fbe820440c304db62cb4b23">2276fc42</a></strong>
<div>
<span>by Shridhar Gadekar</span>
<i>at 2021-04-27T13:58:30+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: alltests: fetch autofs maps after coming online
SSSD should fetch autofs maps from server when coming online
from offline state, without existing cache.
Reviewed-by: Anuj Borah <aborah@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/eb61f1b2fd000ecc5f647e82a2a89936c813b89c">eb61f1b2</a></strong>
<div>
<span>by Shridhar Gadekar</span>
<i>at 2021-04-29T12:04:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">test: minor change in test doc string
adding test id in the doc string
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/846296d17de07c9ad99484b32e21d82a619926b7">846296d1</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-29T12:05:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">libwbclient-sssd: removed
:relnote: SSSD's implementation of 'libwbclient' was removed
as incompatible with modern version of Samba.
Resolves: https://github.com/SSSD/sssd/issues/5459
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9854ade1642f12e1715f156919d43746664c7800">9854ade1</a></strong>
<div>
<span>by Iker Pedrosa</span>
<i>at 2021-04-29T12:05:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">spec: Remove ldconfig scripts
According to
https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets#Upgrade.2Fcompatibility_impact
spec files that target Fedora 28+ don't require the use of ldconfig
scriptlets. So, I'm removing them from the spec file.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/99beee3c320f2d81ffad6290c58ef303623b2f89">99beee3c</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-04-29T12:05:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">LDAP: make connection log levels consistent
Connection related events (established, expired, released) now use same
debug level.
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7313efba2cd668ce622c4bf54b94a725e7209617">7313efba</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-04-30T12:57:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: clarify priority in sss-certmap man page
Explain in the man page what is expected when two or more mapping and
matching rules have the same priority.
Resolves: https://github.com/SSSD/sssd/issues/4415
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a0179e31cf3a72b2044b57c1f9b90f360d0d73e0">a0179e31</a></strong>
<div>
<span>by Hugh Cole-Baker</span>
<i>at 2021-05-05T17:12:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: fix p11_uri example URIs
The p11_uri requires a pkcs11: scheme, using p11_uri = slot-description=My..
without pkcs11: as a prefix will cause p11_child to log an error:
p11_kit_uri_parse failed [-2][URI scheme must be 'pkcs11:'].
Fix the examples to include the pkcs11: scheme.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f66b5aedab31f22642a50df8f7f458af8d3d7391">f66b5aed</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: got rid of most explicit DEBUG_IS_SET checks as a preliminary step for "logs backtrace" feature
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/59ba14e5a70ed0b9253c7a881d664fcd28c337e7">59ba14e5</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: poor man's backtrace
In case SSSD is run with debug_level < 9, log everything to
a ring buffer in memory and flush the buffer to a log file on any
error (up to and including `min(0x0040, debug_level)`)
(i.e. if `debug_level` is explicitly set to 0 or 1 then only those
error levels will trigger backtrace, otherwise up to 2).
Feature is only supported for `logger == files`:
- for stderr it doesn't make much sense: as buffer is quite large,
it would be very inconvenient to get it in console.
- for journal: support might be considered later, after getting
some feedback
:feature:If 'debug_backtrace_enabled' is set to 'true' then
on any error all prior debug messages (to some limit) are printed
even if 'debug_level' is set to low value (for details see
`man sssd.conf`: `debug_backtrace_enabled` description).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e3426ebeb52a821495ea5d34fdc408fe23df7416">e3426ebe</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:49+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">PAM: fixes a couple of covscan issues
Fixes:
```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%.*s' directive argument is null
# 127 | sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 128 | level, \
# | ~~~~~~~~
# 129 | format, ##__VA_ARGS__); \
# | ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'filter_responses'
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:569:51: note: format string is defined here
# 569 | "Found PAM ENV filter for variable [%.*s] and service [%s].\n",
# | ^~~~
```
and
```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/util.h:47: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:24: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'pam_check_user_search_next'
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%s' directive argument is null
# 127 | sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 128 | level, \
# | ~~~~~~~~
# 129 | format, ##__VA_ARGS__); \
# | ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:1947:53: note: format string is defined here
# 1947 | DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
# | ^~
```
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6b78b7aa802529fc885877f326650fb7e6527607">6b78b7aa</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: fixed REVERSE_INULL warning
Fixes following warning:
```
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:807: check_after_deref: Null-checking "domain" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:784: deref_ptr: Directly dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:790: deref_ptr_in_call: Dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:805: alias: Assigning: "state->selected_domain" = "domain".
# 805| state->selected_domain = domain;
# 806|
# 807|-> if (domain == NULL) {
# 808| break;
# 809| }
```
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0aaf61c66b6f2758f89152f946360e00755a9846">0aaf61c6</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: makes debug backtrace switchable
:config: Introduced new option 'debug_backtrace_enabled' to control
debug backtrace.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/97f046e72bdec06356a5ed5295f283d0529eb440">97f046e7</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: log IMPORTANT_INFO if any bit >= OP_FAILURE is on
This makes sense in general and ensures IMPORTANT_INFO doesn't trigger
backtrace dump.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f693078fe44ff0ae2f2c53180afaf532cfb92a1f">f693078f</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CERTMAP: removed "sss_certmap initialized" debug
Most lib users expect only errors to be logged and provide logger function
with SSSDBG_OP_FAILURE debug level.
Thus "sss_certmap initialized" was triggering backtrace dump for no reason.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6fb987b5cf64675a42dfaaccc877ed867867bd73">6fb987b5</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SERVER: decrease log level in `orderly_shutdown()` to avoid backtrace in this case.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/80963d683a0c7fd146fcfd21770990043b9d8449">80963d68</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-05T17:12:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SBUS: changed debug level in sbus_issue_request_done() to avoid backtrace dump in case of 'ERR_MISSING_DP_TARGET'
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f55c41b7a0d7a58526cbc87be1849f5f7c29cc82">f55c41b7</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-05-05T17:13:07+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD Log: log_timeout_parameter_display
Display timeout parameter in SSSD logs.
Resolves: https://github.com/SSSD/sssd/issues/5514
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c79ee66fa9b3ae58aa099598608452cd8dc509c0">c79ee66f</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-07T11:34:27+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pot: update pot files
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c8274b2489eea86c377a810b9a4347999c2613a3">c8274b24</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-07T13:01:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: deprecate 'local-provider'
:relnote:'local-provider' is deprecated and will be removed in one
of the next versions of SSSD.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8736776a7b8d316e332fa0acc7888a045fbc9cf4">8736776a</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-07T13:01:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">BUILD: deprecate 'secrets' support
:relnote:'secrets' support is deprecated and will be removed in one
of the next versions of SSSD.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ba99c1fb6cce95a482e712e349a63abbef77c647">ba99c1fb</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-05-07T13:01:30+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">modify check for rhel version before package install
Include check for rhel9 and remove nss-pam-ldapd install for rhel9 as it
won't be available. Test with nss-pam-ldap only for rhel8.
Reviewed-by: Anuj Borah <aborah@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d264a2b655b92eb15a6ead74349d1fe0465611c3">d264a2b6</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-05-07T13:01:30+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: remove pytest warning for yield_fixture
this change would remove this warning message
"PytestDeprecationWarning: @pytest.yield_fixture is deprecated"
Reviewed-by: Anuj Borah <aborah@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/61a03b2ccebce2116b36f3e4b424d7dfe6436ce4">61a03b2c</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-07T13:01:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: document how to disable sudo smart and full refresh
Resolves: https://github.com/SSSD/sssd/issues/5601
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b3247eeb562bf92ea7f0938eda6d0203e7cb63c4">b3247eeb</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-07T13:01:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: document how to tune sudo performance
Resolves: https://github.com/SSSD/sssd/issues/5603
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c0204c063cef32999db996b21dd7bda401643c57">c0204c06</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-07T13:01:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">be: add be_ptask_postpone
This will cancel the next event and schedule it to now + period.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d9d5c291fe68003c31061cfb7d32676c98726560">d9d5c291</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-07T13:01:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo: reschedule periodic tasks when full refresh is finished
We postpone periodic full and smart refresh tasks when full refresh
(either per-request or periodic) is finished.
Resolves: https://github.com/SSSD/sssd/issues/5604
:feature: Completing a sudo full refresh now postpones the smart refresh
by `ldap_sudo_smart_refresh_interval` value. This ensures that the smart
refresh is not run too soon after a successful full refresh.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ca47accad0b8e1dccf0618df7ce8352ccdbd4dea">ca47acca</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-07T13:01:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo: add ldap_sudo_random_offset
Resolves: https://github.com/SSSD/sssd/issues/5609
:feature: Background sudo periodic tasks (smart and full refresh) periods
are now extended by a random offset to spread the load on the server in
environments with many clients. The random offset can be changed with
`ldap_sudo_random_offset`.
:config: Added `ldap_sudo_random_offset` (default to `30`) to add a
random offset to background sudo periodic tasks (smart and full
refresh).
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/421c0a774a4409b8b6103da0dab9b4d6fd7c3ddb">421c0a77</a></strong>
<div>
<span>by aborah</span>
<i>at 2021-05-07T13:03:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: getent group ldapgroupname doesn't show any LDAP users
'getent group ldapgroupname' doesn't show
any LDAP users or some LDAP users when
'rfc2307bis' schema is used with SSSD
Verifies: https://github.com/SSSD/sssd/issues/5311
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1817122
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/47b40cca06a37f110a990da9c377d12d2e0a7c7f">47b40cca</a></strong>
<div>
<span>by aborah</span>
<i>at 2021-05-10T11:13:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase)
With 2 automount entries in LDAP with same key ( cn: MIT and cn: mit),
autofs only works for one of them ( the one in uppercase )
Verifies: https://github.com/SSSD/sssd/issues/5330
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1873715
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/de1709041daa2898a859e85b71be92c3b1931da4">de170904</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-05-10T11:13:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sss_cache: reset original timestamp and USN
Currently the sss_cache utility only resets the internal/operational
timestamp attributes to indicate that the object should be refreshed.
But the timestamp cache also stored the last modification time and the
update sequence number (USN) of the original LDAP attribute to detect
changes of the original object. During some types of refreshes those
options might be checked, currently the modification timestamp during
group updates, and might prevent that the data object is refreshed because
it was assumed that the original object did not change.
Since it is expected that after calling e.g. sss_cache -E the cached
objects are refreshed unconditionally it makes sense to reset those
attributes in the timestamp cache as well.
Resolves: https://github.com/SSSD/sssd/issues/5596
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c227ea4ecdc3d0528be2cb31bba4fd41d7c4df1b">c227ea4e</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-05-10T11:13:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sysdb: add SYSDB_INITGR_EXPIRE to new user objects
SYSDB_INITGR_EXPIRE belongs to the timestamp cache attributes and if
only those attributes are modified it is expected that the data object
is not modified only the related object in the timestamp cache. Until
now SYSDB_INITGR_EXPIRE was missing from the user objects if the group
membership of the user was not looked up (initgroups request). As a
result the user object might change if only timestamp cache attributes
are changed since the SYSDB_INITGR_EXPIRE was missing. With this patch
the SYSDB_INITGR_EXPIRE is added with value '0' if a new user object is
created.
Resolves: https://github.com/SSSD/sssd/issues/5596
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/993b66d48d555c59e619d7ef3b494248a82587ac">993b66d4</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-10T14:53:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Read and set KCM renewal and krb5 options
Add new renewal options to enable KCM renewal functionality
tgt_renewal
tgt_renewal_inherit
Krb5 options below will be read from the [kcm] configuration
section, or a domain section when a tgt_renewal_inherit domain
is provided.
krb5_renew_interval
krb5_renewable_lifetime
krb5_lifetime
krb5_validate
krb5_canonicalize
krb5_auth_timeout
Resolves: https://github.com/SSSD/sssd/issues/2765
:config: Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*`
KCM options to enable, and tune behavior of new KCM renewal feature.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/599f0ad056dc8fc052395d5abe0e110e4e68a886">599f0ad0</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-10T14:53:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Prepare and execute renewals
Find and unmarshal renewable tickets in the list of KCM ccaches, process
and trigger renewals for tgts after half of their lifetime is exceeded.
Resolves: https://github.com/SSSD/sssd/issues/2765
:feature: Added support for automatic renewal of renewable TGTs that are
stored in KCM ccache. This can be enabled by setting `tgt_renewal =
true`. See the sssd-kcm man page for more details. This feature requires
MIT Kerberos krb5-1.19-0.beta2.3 or higher.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1dc3c33c8d2f4ca4a41b186746c44f74510c2f38">1dc3c33c</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-10T14:53:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SECRETS: Don't hardcode SECRETS_DB_PATH
Allow for overriding in cmocka tests
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a55405b3edd6312a5e39567e4bdde5522ffc6a0a">a55405b3</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-10T14:53:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TESTS: Add kcm_renewals unit test
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0202eb53ab18b5eeac53fc96bf5e0569276e3767">0202eb53</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-10T14:53:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">INTG: Add KCM Renewal integration test
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ddcedbf3bc6b267d40d8a7edcb65f8d61ec13dd1">ddcedbf3</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-10T14:53:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Conditionally build KCM renewals support
Use --enable-kcm-renewal, --disable-kcm-renewal or allow
autodetection of MIT kerberos marshalling functions
required to enable KCM renewal support.
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ec932d35172819ac68343355faaad4dc6ffae688">ec932d35</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-10T14:53:57+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Disable responder idle timeout with renewals
When KCM renewals are configured and enabled, disable the
responder idle timeout to prevent KCM from being in a shut-down
state when it should be executing TGT renewals.
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ce54789e77a282c4d02e0139eccd1c5163576de6">ce54789e</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-10T14:56:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: fix _all_levels_enabled()
Expression was wrong in case `debug_level` had any bit without
associated level turned on (for example, 0xfff0).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c07a7beb8e7300c5d4ba0fc37e19ad3ce17e75aa">c07a7beb</a></strong>
<div>
<span>by Weblate</span>
<i>at 2021-05-10T14:57:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po: update translations
(Ukrainian) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
po: update translations
(Polish) currently translated at 99.8% (728 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/
po: update translations
(Finnish) currently translated at 5.5% (40 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
po: update translations
(Finnish) currently translated at 2.6% (70 of 2643 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Swedish) currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e30129410023ec71790625e6f799b8c7d69b5f6b">e3012941</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-10T15:06:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: add krb5_options to po4a.cfg
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b3336ab972d7589eefbced60272d1962e4a0c2e4">b3336ab9</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-10T15:11:58+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pot: update pot files
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/3f29bc26c36493fbb0d51153ff9e1b0ae341b612">3f29bc26</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-10T15:14:31+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Release sssd-2.5.0
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a95db4e1ba394fd43d2e24e174a2a39cf7de67ef">a95db4e1</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-10T17:13:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update version in version.m4 to track the next release
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/6eb845d09f605157bb181cb1a41cc6f116fd30bb">6eb845d0</a></strong>
<div>
<span>by Madhuri Upadhye</span>
<i>at 2021-05-13T12:37:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test: IPA: filter_groups option partially filters the group from 'id' output
It consists of following test case:
filter_groups option partially filters the group from 'id'
output of the user because gidNumber still appears in 'id' output
Verifies:
Issue: #5403
Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1876658
Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com>
Reviewed-by: Jakub Vávra <jvavra@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9b017dbc80cf09b3a2d7e09f771faf70d4538b4f">9b017dbc</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-14T11:34:24+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: return KRB5_FCC_INTERNAL for unknown or not implemented operation
sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL`
for cases where operation code is not known or not implemented. See:
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792
We returned different codes before this patch which makes Kerberos differentiate
between Heimdal and sssd implementation. This leads to errors like:
* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703
Resolves: https://github.com/SSSD/sssd/issues/5628
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dbde4e692e34d3ff8233ac17a5eae5a062637e48">dbde4e69</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-05-19T19:24:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SECRETS: Resolve mkey path correctly
Use the correct master key path for the secrets database,
fixing an issue on upgrade.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9777427facccbbe45c855b0319258335dffb986a">9777427f</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-19T19:24:31+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">UTIL/SECRETS: mistype fix
Wrong variable was tested after mem allocation.
Also fixes following covscan issues:
```
Error: DEADCODE (CWE-561):
sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
# 1009| uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
# 1010| if (uuid_list == NULL) {
# 1011|-> ret = ENOMEM;
# 1012| goto done;
# 1013| }
```
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b099498f5ce26660badef52b822cf07ce1d9f29a">b099498f</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-19T19:24:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa: read auto_private_groups from id range if available
Resolves: https://github.com/SSSD/sssd/issues/4216
:feature: `auto_private_groups` option can be set centrally through
ID range setting in IPA (see `ipa idrange` commands family). This
feature requires SSSD update on both client and server.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/706627cf72d611155b2bc6d26a631252325c6095">706627cf</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-05-19T19:24:48+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cache_req: consider mpg_mode of each domain
Before this patch the mpg_mode == hybrid was used only if the main domain
had this mode set. This fails in multi domain environments as well as with
subdomains.
Now we lookup the hybrid object in each domain that has the hybrid mode
enabled.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ac1a07a3019bf70bb51949d71e1b079357993821">ac1a07a3</a></strong>
<div>
<span>by Iker Pedrosa</span>
<i>at 2021-05-24T18:04:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">responder: fix covscan issues
Fix two covscan issues that I accidentally included in commit
f890fc4b592767f3f0b2bd5515cbd9516505ebe9.
Error: FORWARD_NULL (CWE-476): [#def60]
sssd-2.4.0/src/responder/common/responder_common.c:1009: var_compare_op: Comparing "rctx->sock_name" to null implies that "rctx->sock_name" might be null.
sssd-2.4.0/src/responder/common/responder_common.c:1039: var_deref_model: Passing null pointer "rctx->sock_name" to "strlen", which dereferences it.
Error: CLANG_WARNING: [#def61]
sssd-2.4.0/src/responder/common/responder_common.c:1039:64: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'
Resolves: https://github.com/SSSD/sssd/issues/5638
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/43b9b0922aa24a03ea466c673646d5e3079403fe">43b9b092</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-05-24T18:05:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD man: man_dns_resolver_parameter_modification
Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf
Resolves: https://github.com/SSSD/sssd/issues/5616
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7190f6b5d5b523e18e8c320df73c44b082c4d99b">7190f6b5</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-05-24T18:05:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD man: man_dns_resolver_parameter_modification
Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf
Resolves: https://github.com/SSSD/sssd/issues/5616
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/fbf33babe3fb52323f098aa300b51bf8fc5ee363">fbf33bab</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-05-24T18:06:10+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TOOLS: removed unneeded debug message
This message was logged before `sss_tool_init()` that sets debug level,
thus ignoring configured debug level.
Since the same message is printed via `ERROR` on a next line, this log
message doesn't add any information and can be simply removed.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/348512b099568bf67deb45cca3efcbaaf24141bd">348512b0</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-05-24T18:07:52+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: Fixes after running new tests downstream
Tests have been synced downstream. Some tests were failing or needed
docstring updates for new polarion format
Reviewed-by: Shridhar Gadekar <sgadekar@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9cb89666eae3ab2d4a93fb531fc29e433356391f">9cb89666</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-05-25T12:24:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">nss: fix getsidbyname for IPA user-private-groups
Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases are handled.
The first is about the default automatic user-private-groups
where the group is a managed object. In this case there will be a user
and a group object with the same name in the cache which will both be
found by the lookup by name. Since only the user object will have a SID
we can return this SID for the request.
The second case is the manual creation of a user and a group with UID
and GIDs so that the group is a user-private group. Here the user and
the group object will both get a different SID assigned since they are
independent objects. In this case, both objects have a SID and the UID
and GID of the user and the GID of the group all have the same numerical
value, the SID of the user is returned.
Resolves: https://github.com/SSSD/sssd/issues/5607
:fixes: Fix getsidbyname issues with IPA users with a user-private-group
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e147d27229f7c4cf18a53ad3b5c392f4a761c586">e147d272</a></strong>
<div>
<span>by Steeve Goveas</span>
<i>at 2021-05-31T14:18:53+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">TEST: add ldap_sudo_random_offset 0 to offline test
New option was added in #5609
As there are no other requests in the test after a restart, sssd
would attempt a connection only after 10 to 30 seconds by default. To
enable immediate look up, we can set this option and continue with the
test
Reviewed-by: Anuj Borah <aborah@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/98400ef6414964943499a15312b9c8f0cce05c2d">98400ef6</a></strong>
<div>
<span>by Madhuri Upadhye</span>
<i>at 2021-05-31T14:19:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: common: Update the remove_sss_cache function
Remove the sssd exception as we don't find the path,
test fails with exception file does not exist.
so added print statement to print the error message.
Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com>
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/33f136f8f984e6cbaaf298f60c81c2cd3e821218">33f136f8</a></strong>
<div>
<span>by Madhuri Upadhye</span>
<i>at 2021-05-31T14:19:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: alltests: Code update for test_kcm_check_socket_path
Remove unwanted import.
Minor changes in test code.
Change the marker to tier1_2.
Verifies:
Issues: #5406
Bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1632159
Signed-off-by: Madhuri Upadhye <mupadhye@redhat.com>
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/3674652492c6349d6502ce011908e6defde3931c">36746524</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-05-31T14:19:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kcm: use %zu as format for size_t
size_t might be a different integer type on different platforms. The %z
length modifier was added to handle this.
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5b5e3827aba317b717249525dcce655baca895b5">5b5e3827</a></strong>
<div>
<span>by Jakub Vavra</span>
<i>at 2021-05-31T14:20:21+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: Add test_ipa_missing_secondary_ipa_posix_groups
Verifies
Issue: #5534
Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1945552
https://bugzilla.redhat.com/show_bug.cgi?id=1937919
https://bugzilla.redhat.com/show_bug.cgi?id=1945654
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d35f36f0fbd512bdf83c23153c968f44634553ea">d35f36f0</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-05-31T14:20:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD Log: log_error_reading_file_msg_modification
Replacing error reading file error code with proper message
Resolves: https://github.com/SSSD/sssd/issues/5615
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9c06088de65630f7407d505e015643fa656803d9">9c06088d</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-05-31T14:21:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD Log: no_such_file_or_directory_modification
Replacing no such file or directory error code with alternate message
Resolves: https://github.com/SSSD/sssd/issues/5614
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b75ef442dd23f30d879e2876bbc19d13da1a62b8">b75ef442</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-05-31T14:22:06+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pac: allow larger PACs
Currently the PAC responder only accepts requests which are about 1k in
size. Since a PAC can be larger there are cases where the PAC is not
accepted by the PAC responder. Recently SSS_GSSAPI_PACKET_MAX_RECV_SIZE
was added to be able to handle Kerberos tickets which can be also larger
than 1k. Since typically if present the PAC is the largest part of a
Kerberos ticket it makes sense to use the same limit for the PAC
responder.
Resolves: https://github.com/SSSD/sssd/issues/5650
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1f6377d5910bcd66d5c4afc686aa73795511c2ca">1f6377d5</a></strong>
<div>
<span>by Weblate</span>
<i>at 2021-06-04T09:08:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po: update translations
(Finnish) currently translated at 5.4% (40 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
po: update translations
(Polish) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/
po: update translations
(Russian) currently translated at 25.7% (188 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/597a6c2a7f1135fbe3127514de4de2b2a31291a6">597a6c2a</a></strong>
<div>
<span>by Joakim Tjernlund</span>
<i>at 2021-06-04T09:10:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Gentoo/openrc: Add sssd-kcm service script
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/850af600d30fae13f3ab90f62d147cb1b95eb4a3">850af600</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-04T09:40:38+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pot: update pot files
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a3cb981204b22a117cf3edbcdf1205218200da58">a3cb9812</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-04T14:29:44+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">sudo: disable ldap_sudo_random_offset by default
Resolves: https://github.com/SSSD/sssd/issues/5609
:config: Default value of `ldap_sudo_random_offset` changed to 0 (disabled). This
makes sure that sudo rules are available as soon as possible after SSSD start
in default configuration.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/1c6556104aaf0c8d29932ae2b3312407d3091433">1c655610</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-06-04T14:40:28+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">README: Update documentation links
Documentation links in README are broken due to sssd.io website
content recent update. This PR fixes this and remaps links to point to
correct content in new upstream documentation.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/669ee920d5ebb55b47e114977337fe402c48b835">669ee920</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-04T14:46:26+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">readme: update documentation repository
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c415dde65ef6b4e2404a97c379fa38bd4913b924">c415dde6</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-04T14:47:41+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pot: update pot files
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/73cbe0b1a19fe0b18958abf5dc1d9762a6d101d5">73cbe0b1</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-06-07T11:34:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">utils: add mod_defaults_list
This patch adds a new utility function to handle options with values
prefixed by '+' or '-' to modify default lists. Unit tests are included.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/70a808d5a1a64c4782a85eab7fb510e61c4edaca">70a808d5</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-06-07T11:34:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: replace first argument of filter_responses()
The first argument of filter_responses() is replaced with a more generic
context to allow more flexible use in future.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f491979d4054c5c2df09868bfdfda72be5751cd1">f491979d</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-06-07T11:34:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: parse pam_response_filter values only once
To avoid parsing the configuration options for each PAM request the code
is modified to parse them only once. If the configuration is changed it
is already expected that SSSD is restarted which means that with this
change no functionality is lost.
Tests had to be updated to make sure new values are read.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2a4c383340470336a2baa7138f39c912b64da459">2a4c3833</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-06-07T11:34:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pam: change default for pam_response_filter
So far pam_response_filter didn't have any default. It turned out that it
would be useful to filter the environment variable KRB5CCNAME by default
for sudo. The reason is that e.g. in contrast to su the calling user is
authenticated and hence only the Kerberos credentials of the calling
user are available. But this causes a couple of inconsistencies. E.g.
depending on the credential cache type the target user might not have
access to the credential cache and even if the credential cache can be
accessed it will contain credentials with different privileges than the
target user. As a result it seems better to not make KRB5CCNAME in the
environment of the target user and let him pick the matching default
credential cache.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ecb2ae7a8f78a2b561c67fca5bb97766c0d3ae9c">ecb2ae7a</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-06-08T11:02:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5_child: Honor Kerberos keytab location
Kerberos keytab location can be specified per domain in sssd.conf.
If it is not specified - default path is used: /etc/krb5.keytab
The problem is that default path itself can be redefined for kerberos
by adding entry in krb5.conf:
[libdefaults]
default_keytab_name = /<PATH>/krb5.keytab
krb5_child will still use /etc/krb5.keytab as default value which
will cause an error.
This patch adds config checking to krb5_child.
If keytab parameter will be set to /etc/krb5.keytab,
krb5_child will validate it against krb5.conf and eventually
overwrite with value presented there.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c917f9774d9a558ed03a0ebfe88a906b4fc45cb0">c917f977</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-06-08T11:04:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESPONDER: Generate incrementing client ID
This client ID will be passed through SSSD components to allow
tracking requests across SSSD.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/bee426c8ddf2cf3637e98034250a6e535ae3a059">bee426c8</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-06-08T11:04:15+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SBUS: Send Client ID across to DP interfaces
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7ed878723c7208d04a0ccbdc3c1c5ddef539d192">7ed87872</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-06-08T11:04:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">RESPONDER LOGS: Log the Client ID where accessible
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/d0e35894571a424acbbb8ec1a234739c637a57e9">d0e35894</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-06-08T11:04:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: Log the Client ID of the cache request
Log the Client ID at the initial cache request submission.
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4f1a06d1521a1b48419e8d29b67a452c546aa440">4f1a06d1</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-06-08T11:04:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DP: Propagate down the client id and sender name
Make the client ID and responder name available to log where
the DP request is attached. This will ensure we log the CID,
originating responder name, and DP-internal request ID for
all DP requests.
[dp_attach_req] (0x0400): DP Request [Initgroups #14]: REQ_TRACE: New
request. [sssd.pam CID #1] Flags [0x0001].
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5674aaedfad2f6d5d621534c412b98f7872ddf28">5674aaed</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-08T11:45:35+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pot: update pot files
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dbd50453bd4c73edfcee9c1712759a4c0102e7be">dbd50453</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-08T13:37:23+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update version in version.m4 to track the next release
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/c6cd2fe3f75638e8920b049ea05282f4072e9f05">c6cd2fe3</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-06-17T12:25:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">krb5_child: reduce log severity in sss_send_pac() in case PAC responder isn't running.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0eccee18822e60393c8a4a9b99a3c80d2b1275d9">0eccee18</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-06-17T12:25:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">secrets: reduce log severity in local_db_create() in case entry already exists since this is expected during normal operations.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/624e3fe75116e15c48e9b9455ef0abd2f1256140">624e3fe7</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-06-17T12:25:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: use SSSDBG_MINOR_FAILURE for ERR_KCM_OP_NOT_IMPLEMENTED
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0646917cd826e14663691a2252be9853563331d2">0646917c</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-06-17T12:25:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: reduce log severity in sec_get() in case entry not found
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b04742485dfb18d23b08f040710944d9d6e29c56">b0474248</a></strong>
<div>
<span>by Yuri Chornoivan</span>
<i>at 2021-06-17T12:25:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix minor typos in docs
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2a3fb3bdbac5dd7294a2ec6f27346ae18355241a">2a3fb3bd</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-06-17T12:25:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Unset _SSS_LOOPS
Since sssd_kcm is working independently of other SSSD components,
especially the nss responder, and the kcm client side in libkrb5 of
course does not check for _SSS_LOOPS to protect sssd_kcm from calling
into itself the variable is not needed.
This allows repeated getpwuid() calls in KCM renewals code to succeed.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/daad83876ef1faf8c3bbf8efb33faabe0d8f8d79">daad8387</a></strong>
<div>
<span>by Jakub Vavra</span>
<i>at 2021-06-17T12:25:50+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Tests: Add test_innetgr_threads
Verifies
Issue: #5540
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1703436
Reviewed-by: Steeve Goveas <sgoveas@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/9d576e47ef773fad3389e5481b77a5893cf89f78">9d576e47</a></strong>
<div>
<span>by Dan Lavu</span>
<i>at 2021-06-17T12:28:39+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: Adding multihost test for supporting asymmetric nsupdate auth
* https://bugzilla.redhat.com/show_bug.cgi?id=1884301
Reviewed-by: Scott Poore <spoore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ff3f857055e52b29fa00c323f5d266939e94fcbc">ff3f8570</a></strong>
<div>
<span>by Dan Lavu</span>
<i>at 2021-06-17T12:29:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: Adding tests to cover ad discovery improvements using cldap
* This test requires a primary and secondary domain controller so AD can be moved between sites
* Currently contains four test cases
** Two DCs in one site no restrictions.
** Two DCs in one site, traffic blocked to the other DC
** DCs in separate sites no restrictions
** DCs in separate sites, traffic blocked to the other DC
Signed-off-by: Dan Lavu <dlavu@redhat.com>
SSSD-2497
Reviewed-by: Scott Poore <spoore@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/68ed4d4a274e14f2c93932640caf58382456bf9e">68ed4d4a</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-06-17T12:31:31+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">README: Dead social media link remove
Back in 2011 SSSD started using twitter account to broadcast releases.
Last time it happened 13.06.2019 so this account can be considered as
dead. This PR removes link to it from main README.
Resolves: https://github.com/SSSD/sssd/issues/5649
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/4e3e87270be47911782bbbe34eea289ba0c5b3fc">4e3e8727</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-17T15:36:27+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">tests: fix pep8 issues
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/a6e5d53a358f3871d8ae646b252250d215d09883">a6e5d53a</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-06-18T12:33:05+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">kcm: terminate client on bad message
The debug message clearly says that the original intention was to
abort the client, not send an error message.
We may end up in a state where we get into an infinite loop, for example
when the client sends a message that indicates 0 length, but there is
actually more data written. In this case, we never read the rest of the
message but the file descriptor is still readable so the fd handler gets
fired again and again.
More information can be seen in relevant FreeIPA ticket:
https://pagure.io/freeipa/issue/8877
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/8dba7476922856e3a0f6cb935570df47b51917f1">8dba7476</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-06-21T13:36:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DEBUG: don't reset debug_timestamps/microseconds to DEFAULT in `_sss_debug_init()`.
Otherwise `server_setup()` skips reading config settings.
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/89a40e77a1477a3957f4ddc47890eaecbc4d5c7c">89a40e77</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-06-21T16:21:34+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD Log: invalid_argument msg mod
Improve invalid argument msg with additional information
Resolves: https://github.com/SSSD/sssd/issues/5578
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/71301ccf8aa54f7272e7ef8009402db622fe8cd9">71301ccf</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-06-24T10:27:32+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: removed unneeded assignment
Fixes following warning:
```
Error: CLANG_WARNING:
sssd-2.5.1/src/responder/kcm/kcm_renew.c:481:9: warning[deadcode.DeadStores]: Value stored to 'ret' is never read
# 479| ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx);
# 480| if (ctx == NULL) {
# 481|-> ret = ENOMEM;
# 482| DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n");
# 483| return;
```
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/ac0c0b0005c11b47857fc805c22ee31bb2c84188">ac0c0b00</a></strong>
<div>
<span>by Justin Stephenson</span>
<i>at 2021-07-08T11:28:14+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">KCM: Drop unnecessary c-ares linking
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b9e60ae067696782e3a52f58172f13077b5ea0f2">b9e60ae0</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-07-08T11:28:27+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">man: clarify effects of sss_cache on the memory cache
Resolves: https://github.com/SSSD/sssd/issues/5697
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/e373408a2e5cfca0bb8acacd676f933c60c4a745">e373408a</a></strong>
<div>
<span>by Sofia Nieves</span>
<i>at 2021-07-08T11:28:42+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replacing freenode with libera
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5feeb8ac93805abc52195259707807ad4c3446a5">5feeb8ac</a></strong>
<div>
<span>by Shridhar Gadekar</span>
<i>at 2021-07-08T11:30:12+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test: sudo rule with runAS set to short-username value
sudo rule containing sudoRunAs attribute to a short-username
should not generate error in the sssd log.
Reviewed-by: Dan Lavu <dlavu@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/7646ac958da5d0f3997c7655e39f7a2f43d6ec1f">7646ac95</a></strong>
<div>
<span>by Deepak Das</span>
<i>at 2021-07-08T11:30:25+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSSD Log: log_bad_address_msg_mod
Improve Log Containing Bad Address string
Resolves: https://github.com/SSSD/sssd/issues/5577
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/865330c651064977477121961bcd084af02bb0d9">865330c6</a></strong>
<div>
<span>by Iker Pedrosa</span>
<i>at 2021-07-08T12:28:04+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cache_req: parse name to get shortname
Unless parse_name is set to false parse the name to get the shortname in
cache_req_process_input(). Moreover, check that the input domain name
and the parsed domain name are equal and fail otherwise.
Updated unit tests to mock call to parse function.
Also include an integration test to check that UpdateMemberList()
and GetAll() return the correct users that are members of a group. This
is done by first adding a member to a group and checking that it is
returned correctly. Then, the member is deleted and the interface returns
no members.
Resolves: https://github.com/SSSD/sssd/issues/4255
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/5288ddaa283bb5e710a2864ff3866bf87f56d03f">5288ddaa</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-07-09T11:36:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">files: split update into batches
If the files managed by the files provider contain many users or groups
processing them might take a considerable amount of time. To keep the
backend responsive this patch splits the update into multiple steps
running one after the other but returning to the main loop in between.
This avoids issues during startup because the watchdog timer state is
reset properly. Additionally SBUS messages are processed and as a result
the domain can be marked inconsistent in the frontends properly.
Resolves: https://github.com/SSSD/sssd/issues/5557
:fixes: Update large files in the files provider in batches to avoid
timeouts
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/0fbd67404a4b48b76e8750f0cdc727ed0f8de424">0fbd6740</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-07-09T11:36:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">files: add new option fallback_to_nss
To not block callers when SSSD's files is doing a refresh of
/etc/passwd or /etc/group allow to fall back to the next nss module
which is typically libnss_files.
Resolves: https://github.com/SSSD/sssd/issues/5557
:config: Add new config option 'fallback_to_nss'
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/dd1aa57950294e0b821a0be2893a159c5e5488a6">dd1aa579</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-07-09T11:36:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">files: delay refresh and not run in parallel
To avoid constant refreshes if /etc/passwd or /etc/group are modified
multiple times in a short interval the refresh is only started after 1s
of inactivity.
Additionally the request makes sure that only one instance is run.
Resolves: https://github.com/SSSD/sssd/issues/5557
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/19b850636399fdf5f1018671ba5e2ff7c9deaa2f">19b85063</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-07-09T11:36:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">files: queue certmap requests if a refresh is running
To make sure current and valid data is used when a certificate should be
matched to a user from the files provider the request has to wait until
a running refresh is finished.
Resolves: https://github.com/SSSD/sssd/issues/5557
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b4ee698ac078e74df51197b5f92432b4ed712d99">b4ee698a</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2021-07-09T11:36:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">cache_req: do not return cached data if domain is inconsistent
If a domain is inconsistent the cached data might be inconsistent as
well, so better not return it.
Resolves: https://github.com/SSSD/sssd/issues/5557
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/b85984a36b54bfdf75f92a80b22381c9323c8dee">b85984a3</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-07-09T12:06:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">multihost: fix whitespace issues
whitespace test fails with:
```
Missing new line at the eof: src/tests/multihost/ipa/add-groups.ps1
Missing new line at the eof: src/tests/multihost/ipa/nestedgroups.csv
```
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/75c204ff1419c19212ef41ca9e1b9b45393e93d3">75c204ff</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-07-09T12:06:59+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">multihost: fix pep8 issues
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/17e339d58c57861c093fc53b241873dce00ae958">17e339d5</a></strong>
<div>
<span>by Paweł Poławski</span>
<i>at 2021-07-12T20:44:33+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SYSDB: Add search index "originalADgidNumber"
Commit 03bc962 introduced a change which can result in
unindexed search in some scenarios. The result is performance
drop compared to older SSSD versions.
This PR adds missing search index: originalADgidNumber
:relnote: Add search index "originalADgidNumber" to SYSDB
Resolves: https://github.com/SSSD/sssd/issues/5430
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/2ebf463fc7c029d94ac27d4878b48fa7f3e90ba9">2ebf463f</a></strong>
<div>
<span>by Alexey Tikhonov</span>
<i>at 2021-07-12T20:44:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CACHE_REQ: fixed covscan issues
Fixed following warning:
```
Error: GCC_ANALYZER_WARNING (CWE-476):
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c: scope_hint: In function 'cache_req_data_create'
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c:160:28: warning[-Wanalyzer-null-dereference]: dereference of NULL '0'
# 158| break;
# 159| case CACHE_REQ_SVC_BY_NAME:
# 160|-> if (input->svc.name->input == NULL) {
# 161| DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
# 162| ret = ERR_INTERNAL;
```
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/f02ac230be3cef8fa83ee8cafea519a22268b23a">f02ac230</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-07-12T20:45:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">debug: add support for tevent chain id
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/881a1a412eb036b8df22bc637a4bb38f10cdb9cf">881a1a41</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-07-12T20:45:17+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">debug: enable chain id in backend
:feature: Debug messages in data provider include a unique request ID that can be used
to track the request from its start to its end.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/161ff0e88a7da13d8cc552375f6585b8ce9d016e">161ff0e8</a></strong>
<div>
<span>by Weblate</span>
<i>at 2021-07-12T20:46:47+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">po: update translations
(Russian) currently translated at 20.7% (583 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/
po: update translations
(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/
po: update translations
(Spanish) currently translated at 67.0% (1888 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/
po: update translations
(Finnish) currently translated at 3.2% (91 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Ukrainian) currently translated at 100.0% (2814 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/
po: update translations
(Ukrainian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
po: update translations
(Polish) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
po: update translations
(Ukrainian) currently translated at 97.7% (2750 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/sssd-team/sssd/-/commit/57ac580928664a356f07c38e2aca4cf33d145524">57ac5809</a></strong>
<div>
<span>by Pavel Březina</span>
<i>at 2021-07-12T20:53:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">pot: update pot files
</pre>
</li>
</ul>
<h4>7 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d">
README.md
</a>
</li>
<li class="file-stats">
<a href="#87db583be5c13c1f7b3c958b10e03d67b6a2ca06">
configure.ac
</a>
</li>
<li class="file-stats">
<a href="#3ead13c99a6fdcbcc0a23d3846e2a8837cc2f3e7">
contrib/ci/run
</a>
</li>
<li class="file-stats">
<a href="#d348d65f630a357f2aeaa78fc64043f57caa4cb0">
contrib/ci/sssd.supp
</a>
</li>
<li class="file-stats">
<a href="#b8d57aa4a09effcbac8deeffe8aea9131499424f">
contrib/sssd.spec.in
</a>
</li>
<li class="file-stats">
<a href="#4e573a66c66b45b45a1e180cad791738ed22cdd2">
po/bg.po
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #666;">
<a href="https://salsa.debian.org/sssd-team/sssd/-/compare/b38701b9ebdfe1291e0d9f7aa6ff814f9b42b51a...57ac580928664a356f07c38e2aca4cf33d145524">View it on GitLab</a>.
</p>
</div>
</body>
</html>