[Pkg-sssd-devel] sssd: Changes to 'ubuntu-trusty'

Timo Aaltonen tjaalton at moszumanska.debian.org
Thu Jun 30 21:11:28 UTC 2016


New branch 'ubuntu-trusty' available with the following commits:
commit 82df94f4f9a95916871073f1e01583d859c8fd1c
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Fri Jul 1 00:11:08 2016 +0300

    control: Drop check from build-depends (ftbfs).

commit e9377292a43c166adbe4b7e2c207cd7ac37a328a
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Thu Jun 9 10:47:19 2016 +0300

    debian/patches/AD-*.diff: Prefer site-local-DCs in LDAP ping, thanks Jorge Niedbalski! (LP: #1587988)

commit a4894945e017a633929b60c992eb996841d1e5d8
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Jun 1 22:27:54 2016 +0300

    release to trusty

commit e1dc6384fb992de96d8e1e3061dc4ba04b3b5c09
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Jun 1 22:27:20 2016 +0300

    drop fix-upstream-2765.diff, doesn't build

commit 9ea20bc4b70cf471021993dfe5f7400e26d5c0f7
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Jun 1 22:11:22 2016 +0300

    fix-upstream-2620.diff: Set sdap handle as explicitly connected in LDAP auth. (LP: #1519086)

commit 64796800d073d682c4d191539105a580a059e114
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Jun 1 22:07:11 2016 +0300

    fix-upstream-2765.diff: Prefer site-local DCs in LDAP ping. (LP: #1587988)

commit 9c00138a9bc45da192747e12361b26392698bfb0
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Jun 1 22:04:54 2016 +0300

    close a few bugs

commit 76e63ad9deadc8d6c19110ad95b543d737f17083
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Jun 1 21:25:13 2016 +0300

    sssd-common.install, sssd-dbus.install: Add new sss_signal helper and the dbus service using it.

commit 808fb383d76ac69999b105777e2155ac4dc80456
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Tue Aug 19 06:56:49 2014 +0300

    sssd-dbus: Add a new subpackage for the D-Bus responder.
    
    (cherry picked from commit 9576394586198a26e9e84de52141e957aefb5962)

commit 5cd48759905855c34aaf871fddc3e6119b5c80c9
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Wed Jun 1 07:53:26 2016 +0300

    fix-samba4-crash.patch: Dropped, upstream.

commit f3c19ab7e2e64aa124225a4f22d67708ab4bbb7e
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Thu May 26 14:57:03 2016 +0300

    update changelog

commit feb9c581fb7ae7705841da714018d7eb063988ed
Merge: eaaa224 caa1686
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Thu May 26 14:54:25 2016 +0300

    Merge tag 'sssd-1_11_8' into ubuntu-trusty
    
    Tagging the 1.11.8 release

commit caa1686123b158c79349edd6916ca927f4522a88
Author: Pavel Březina <pbrezina at redhat.com>
Date:   Wed Jul 29 14:51:30 2015 +0200

    sudo: use "higher value wins" when ordering rules
    
    This commit changes the default ordering logic (lower value wins) to
    a correct one that is used by native ldap support. It also adds a new
    option sudo_inverse_order to switch to the original SSSD (incorrect)
    behaviour if needed.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2682
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 52e3ee5c5ff2c5a4341041826a803ad42d2b2de7)

commit 5232e1e7e3267be04f9bdee614b5f81367050fbd
Author: Pavel Reichl <preichl at redhat.com>
Date:   Fri Nov 27 07:53:00 2015 -0500

    NSS: Fix memory leak netgroup
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2865
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 4231a17e66e0809a9c3d42207b45f95429cbb46c)
    (cherry picked from commit 4a6cae7d917a4c8e1a02cfaf5d27a021dd6545c1)

commit af0834223167694bdec7964c451d174213fba1e1
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Apr 17 16:52:43 2014 +0000

    NSS: fix memory leak in sysdb_getnetgr
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit ea67da003731c3ac6c37b22568683f29853c8f5c)

commit e25867df505ef5cb2b3843c1a859337782f13383
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Apr 17 16:14:11 2014 +0000

    NSS: sysdb_getnetgr refactor
    
    Move functionality for creating cache dummies into separate function.
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 96d5ff54565f6aaccd09ed4c84b45a712345fcc9)

commit e78fc9b264e14058607ee2af6d3830c694a39ff5
Author: Pavel Reichl <preichl at redhat.com>
Date:   Wed Feb 26 16:58:24 2014 +0000

    NSS: sysdb_getnetgr check return value first
    
    Output parameter was accessed before return value was checked.
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 09be002e58babda513b4b75d2b9eb9b2c351fa26)

commit 2465c60ed8a9b303fe479d4e10b17e3f5e46f70f
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Mon Feb 15 15:51:24 2016 +0100

    BUILD: Fix linking issues on debian
    
    /usr/bin/ld: src/providers/test_search_bases-data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
    //lib/x86_64-linux-gnu/libdl.so.2: error adding symbols: DSO missing from command line
    collect2: error: ld returned 1 exit status
    Makefile:7689: recipe for target 'test_search_bases' failed
    make[3]: *** [test_search_bases] Error 1
    
    /usr/bin/ld: src/providers/ad_access_filter_tests-data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
    //lib/x86_64-linux-gnu/libdl.so.2: error adding symbols: DSO missing from command line
    collect2: error: ld returned 1 exit status
    Makefile:6457: recipe for target 'ad_access_filter_tests' failed
    make[3]: *** [ad_access_filter_tests] Error 1
    
    /usr/bin/ld: src/providers/ad_common_tests-data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
    //lib/x86_64-linux-gnu/libdl.so.2: error adding symbols: DSO missing from command line
    collect2: error: ld returned 1 exit status
    Makefile:6517: recipe for target 'ad_common_tests' failed
    make[3]: *** [ad_common_tests] Error 1
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit f4b0442bef99138a101e7b0a122117dacbfdbc87
Author: Petr Cech <pcech at redhat.com>
Date:   Mon Jan 11 06:18:33 2016 -0500

    KRB5: Adding DNS SRV lookup for krb5 provider
    
    This patch adds DNS SRV lookup for the krb5 provider.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2888
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 684191e61d891b1c34f3742a40d5a2ed6a1192dd)
    (cherry picked from commit dd5a52db9653d83bef26da468157c216df45f715)

commit e46ee9a77a03cb9a0c3d17c62cf37e354fb25a1d
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Mon Oct 26 07:00:50 2015 +0100

    BUILD: Accept krb5 1.14 for building the PAC plugin
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 8fe87c3d35bf301cbb6ed7d441b588327d831924)
    (cherry picked from commit 3dd118ee870d4370e8bfff8bd71d7e9954ccac06)
    (cherry picked from commit 836bc574810076a0437baef6c17f52ba41517abd)

commit 1916410739d8096a52c1ff990bb977322ead6ef6
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Thu Oct 22 10:30:12 2015 +0200

    LDAP: Fix leak of file descriptors
    
    The state "struct sss_ldap_init_state" contains socket
    created in function sss_ldap_init_send. We register callback
    sdap_async_sys_connect_timeout for handling issue with connection
    
    The tevent request "sss_ldap_init_send" is usually a (nested) subrequest
    of the "struct resolve_service_state" related request created in function
    fo_resolve_service_send. Function fo_resolve_service_send also registers
    the timeout callback fo_resolve_service_timeout on state "struct
    resolve_service_state".
    
    It might happen that fo_resolve_service_timeout is called before the
    sss_ldap_init_send timeout, so we could not handle the timeout error
    for state "struct sss_ldap_init_state" and therefore the created socket
    was not closed.
    
    We tried to release resources in function sdap_handle_release.
    But the structure "struct sdap_handle" had not been initialized yet
    with LDAP handle and therefore associated file descriptor could not be closed.
    
    [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
    [fo_resolve_service_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[110]
    [sdap_handle_release] (0x2000): Trace: sh[0x7f6713410270], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory
    [be_resolve_server_done] (0x1000): Server resolution failed: 14
    [be_resolve_server_recv] (0x0020): TEVENT_REQ_RETURN_ON_ERROR ret[14]
    [check_online_callback] (0x0100): Backend returned: (1, 0, <NULL>) [Provider is Offline (Success)]
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2792
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit a10f67d4c64f3b1243de5d86a996475361adf0ac)
    (cherry picked from commit db2fdba6f3cecd0612439988e61be60d5d8576bf)
    (cherry picked from commit 2136f71c94660bcdde83f80feb83734389d57674)

commit 96ad95f0f400ae555909328f179a9d1036d1e0db
Author: Thomas Oulevey <thomas.oulevey at cern.ch>
Date:   Wed Sep 23 10:55:59 2015 +0200

    Fix memory leak in sssdpac_verify()
    
    Resolves https://fedorahosted.org/sssd/ticket/2803
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit b4c44ebb8997d3debb33607c123ccfd9926e0cba)
    (cherry picked from commit c542366e4ddb2984107de1af2363adb184653290)

commit 91a6cdabd25f2e2e27a591ea02885fb8b1996216
Author: Pavel Reichl <preichl at redhat.com>
Date:   Tue Sep 22 04:41:18 2015 -0400

    SDAP: Relax POSIX check
    
    Relax the check on UID or GID just to check if at least one of them is
    present but do not require them to be positive numbers.
    
    Add requirement on objectclass attributes to be user or group to make
    check more reliable.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2800
    (cherry picked from commit 6735c0451d4e80d7cd4b480a8c1f7dafb2b536ea)
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit cc04876ec64b338f61ca275386f70baf91ce700f)
    (cherry picked from commit a73c89f8672a12878a8668bc321e6742bc45b924)

commit 17191a02c79959db7819b5293c32533c28081b4a
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Tue Sep 1 06:58:50 2015 +0200

    LDAP: Sanitize group dn before using in filter
    
    Each string should be sanitized (RFC 4515) before being used in an ldb search.
    A group dn was not sanitized in the function cleanup_groups.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2744
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit 6cb5bad3c8e2f35ca9dce1800a506d626f90c079)
    (cherry picked from commit 28dff998717b8bc70e28f39a8c7e3720c04305b7)
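The escaping the commit above refers to, as an added example (not SSSD's own sss_filter_sanitize() or cleanup_groups code): values such as a group DN are escaped per RFC 4515 before they are spliced into a search filter, so a DN containing `*`, `(`, `)` or `\` cannot change the filter's structure. The filter template and the sample DN are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
 * '*', '(', ')' and '\' become \2a, \28, \29 and \5c; everything else is
 * copied through.  NUL cannot occur in a C string, so \00 is never needed.
 * Returns the number of bytes written (excluding the terminating NUL),
 * or -1 if the output buffer is too small. */
static int filter_escape_rfc4515(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (const char *p = in; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen) return -1;   /* room for 3 bytes + NUL */
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Sanity check for a value that is about to be placed in a filter: returns 1
 * if no raw '*', '(' or ')' remains and every '\' introduces a two-hex-digit
 * escape, 0 otherwise.  This is the check that would have caught the
 * unsanitized group dn. */
static int filter_value_is_safe(const char *v)
{
    for (const char *p = v; *p != '\0'; p++) {
        if (*p == '*' || *p == '(' || *p == ')') return 0;
        if (*p == '\\') {
            if (!isxdigit((unsigned char)p[1]) ||
                !isxdigit((unsigned char)p[2])) return 0;
            p += 2;
        }
    }
    return 1;
}

/* Build a (constructed, hypothetical) cache lookup filter that embeds the
 * escaped group dn as an attribute value.  Returns 0 on success, -1 on
 * overflow. */
static int build_member_filter(const char *group_dn, char *out, size_t outlen)
{
    char esc[512];
    int n;

    if (filter_escape_rfc4515(group_dn, esc, sizeof(esc)) < 0) return -1;
    n = snprintf(out, outlen, "(&(objectClass=posixGroup)(member=%s))", esc);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample DN containing filter metacharacters. */
    const char *dn = "cn=admins*(test),cn=groups,dc=example,dc=com";
    char filter[1024];

    printf("raw dn safe: %d\n", filter_value_is_safe(dn));
    if (build_member_filter(dn, filter, sizeof(filter)) == 0) {
        printf("filter: %s\n", filter);
    }
    return 0;
}
```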

commit 7f736351092a153f8f877a6973b1fd8107cb8341
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Wed Jun 17 21:35:22 2015 +0200

    SDAP: Remove user from cache for missing user in LDAP
    
    Function sysdb_get_real_name overrode the return code from LDAP
    and thus the user was not removed from the cache after being removed from LDAP.
    This patch also does not try to set the initgroups flag if the user
    does not exist. It reduces some error messages.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2681
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 9fc96a4a2b07b92585b02dba161ab1eb2dbdad98)
    (cherry picked from commit d0d6956c3748ba670448edd548b8edd37c5f5c1a)

commit 1c8b34b035daf1f0ca321e58d440939a351b8568
Author: Sumit Bose <sbose at redhat.com>
Date:   Fri May 29 16:37:54 2015 +0200

    ldap: use proper sysdb name in groups_by_user_done()
    
    In a recent change set_initgroups_expire_attribute() was added to
    groups_by_user_done() to make sure that the initgroups timeout is only
    added to the user object until all groups added to the cache.
    
    This change (and the original code in groups_by_user_done() as well)
    didn't take sub-domain users into account, where the name in sysdb might
    differ from the original request and the domain is not the configured
    domain. This patch tries to ensure that the right name and domain are
    used.
    
    https://fedorahosted.org/sssd/ticket/2663
    
    Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
    (cherry picked from commit d0b7e5fcfca7d0db9e3d19be7b51f34d03d3d720)
    (cherry picked from commit edc1538566e7034eea9b8d592206fbc236233dff)

commit 1525b4d99aa300b180059f055fa6feb854950970
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Mon May 25 10:20:39 2015 +0200

    DP: Set extra_value to NULL for enum requests
    
    Some providers, notably IPA, rely on extra_value to be either a useful
    value or NULL. In enumeration, however, extra_value was random. Set
    the extra_value pointer explicitly to NULL to make it clear that it's
    not used for enumeration and also use talloc_zero as future-proof.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2659
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit d9296ba018228ac6a19f710b8bb9044c4ea9ab5b)
    (cherry picked from commit 2dfb4ed5a36a7be6bcde60e042811b81e83c4850)

commit 2dad4fa96b449df7ae1b0bf4a04496dc64e23a4c
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Fri May 22 15:19:31 2015 +0200

    Download complete groups if ignore_group_members is set with tokengroups
    
    Resolves:
        https://fedorahosted.org/sssd/ticket/2644
    
    When tokenGroups are enabled, we save groups using their SID as the RDN
    attribute during initgroups() and later, if the groups is requested and saved
    again with the full name, remove the original and save the new group entry.
    
    Saving the new group entry would break if ignore_group_members is also
    set, because the new group entry would lack the "member" attribute, so the
    member/memberof links between the new group and the user entry wouldn't
    be established again.
    
    This patch changes the initgroups processing so that the full group
    object is fetched when initgroups is enabled but together with
    ignore_group_members. This solution imposes some performance impact,
    because instead of one search for tokenGroups we also need to resolve the
    groups. The more systematic solution would be to get rid of removing the
    group entry as described in https://fedorahosted.org/sssd/ticket/2656
    
    To reproduce the bug, set: ignore_group_members = True with a
    backend that uses:
        id_provider = ad
    Then run:
        $ id aduser at ad_domain.com
        $ id aduser at ad_domain.com
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit ee44aac95e42c3cb634876286a2aa4960ac69a2b)
    (cherry picked from commit 44f35a0f32785bf460b5d05424f5e9a15f4f4028)

commit cf81e43c0d6cf06a1875af9f5fc843a063b87722
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri May 15 15:05:28 2015 +0200

    SDAP: Set initgroups expire attribute at the end
    
    Initgroups consisted of two main steps:
    1. store user to cache
    2. store all user groups to cache.
    
    Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
    So in case of an empty cache and parallel initgroups requests in responders
    there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
    not cached. Therefore the responder could sometimes return zero supplementary
    groups.
    
    This patch moves the setting of initgroups expire attribute from 1st step
    to the end of 2nd step.
    
    In case of parallel initgroups requests in a responder there are two
    other ways we could get correct results even though there was a bug.
     a) Time between two request was too small. User was not stored in cache
        yet and 2nd request waited for response from DP.
     b) Time between two request was big enough. All users groups were
        successfully stored in cache and 2nd request returned correct results.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2634
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit d0cc678d20d8bde829450eb50bec1b7397cea3e1)
    (cherry picked from commit 9ae6567a573c05ba59d1138cfda94b44732019e8)

commit 79c0159e7173bf738f296d66e3d493cf5a64ee3c
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri May 15 14:11:56 2015 +0200

    nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
    
    When SYSDB_INITGR_EXPIRE had the default value (0) then the value of
    SYSDB_CACHE_EXPIRE was used as the initgroups expire attribute.
    The right approach is already used in responder_cache_req.c
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit fd60528321fd52720222ec35b895ade54cccb48d)
    (cherry picked from commit 521eb7ca65040c009bc4885ba8d6c8ad257bc0f1)

commit e4bba978499e17bd776cc7d5104aa60c6f8a003d
Author: Aron Parsons <parsonsa at bit-sys.com>
Date:   Wed Apr 29 02:44:18 2015 +0000

    autofs: fix 'Cannot allocate memory' with FQDNs
    
    https://fedorahosted.org/sssd/ticket/2643
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 4df706219e64527209f12ad0c7814ee1be979c07)
    (cherry picked from commit 8f57c6765b10de36582ef1dbee32d75452451a94)

commit 947ade0814e10db7c1a4379332b081fbf029784e
Author: Adam Tkac <vonsch at gmail.com>
Date:   Mon Apr 13 15:00:18 2015 +0200

    Option filter_users had no effect for retrieving sudo rules
    
    Previously sssd_sudo always obtained sudo rules for user from LDAP even
    when user was enlisted in filter_users.
    
    Resolves https://fedorahosted.org/sssd/ticket/2625
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>

commit f2bb2c60d23548982b230f8ddb12dd71ba124dd6
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri Apr 10 14:33:35 2015 +0200

    SDAP: Do not set gid 0 twice
    
    The gid 0 was added to sysdb attrs directly in sdap_save_group for the 1st time
    and for the second time in the function sdap_store_group_with_gid,
    which was called every time from function sdap_save_group
    
    [sysdb_set_entry_attr] (0x0080): ldb_modify failed:
        [Attribute or value exists](20)[attribute 'gidNumber': value #1
        on 'name=domainlocalgroup1_dom2-493341 at sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
    [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
    [sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
    [sysdb_store_group] (0x0400): Error: 17 (File exists)
    [sdap_store_group_with_gid] (0x0040):
        Could not store group domainlocalgroup1_dom2-493341 at sssdad_tree.com
    [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
    [sdap_save_group] (0x0080):
        Failed to save group [domainlocalgroup1_dom2-493341 at sssdad_tree.com]: [File exists]
    [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908)
    (cherry picked from commit cf7047634308c431f4cfbff1d88564668d2a33c7)

commit 73b68bb828c09fc8ac15584a7e48dfac0ebd3a92
Author: Pavel Březina <pbrezina at redhat.com>
Date:   Thu Apr 9 13:03:08 2015 +0200

    sudo: sanitize filter values
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2613
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit c526cd124515cc2d44a413dcbfd4a74ddb490150)
    (cherry picked from commit 2fb2a267d0d15cce84b0ccea7e088a4b580e42fb)

commit c4dfffcb6b5d7611400d73a8917f27a6cee21b6e
Author: Daniel Hjorth <dh at dhjorth.com>
Date:   Wed Feb 25 13:07:35 2015 -0700

    LDAP: unlink ccname_file_dummy if there is an error
    
    https://fedorahosted.org/sssd/ticket/2592
    
    If there is an error after ccname_file_dummy is created but before it is
    renamed then the file isn't removed.  This can cause a lot of files to be
    created and take up inodes in a filesystem.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 2b20ff2e33ad3993a9cad910c4b4b828513613df)
    (cherry picked from commit 0b5036e4c652e6983a3352c045c8701d6573587b)

commit fcb0280cd53d6352cb375219108c8ebe14535dfa
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Thu Nov 28 16:00:59 2013 +0100

    KRB5: Go offline in case of clock skew
    
    https://fedorahosted.org/sssd/ticket/1096
    
    In case the KDC has skewed time, we can retry with the next one and
    eventually go offline if no KDC has time in sync with the client.
    Previously, authentication with wrong time resulted in System Error.
    
    (cherry picked from commit 83011d97d17bd00e99ccf1e0302167a6bc0db84e)

commit 7d63f9c764a2e608a2ea78651356246c7504015e
Author: Sumit Bose <sbose at redhat.com>
Date:   Wed Oct 29 15:20:12 2014 +0100

    memberof: check for empty arrays to avoid segfaults
    
    The arrays with members to add or delete may be empty, i.e. have 0
    entries. In this case further processing should be skipped to avoid
    segfaults later on.
    
    Fixes (hopefully) https://fedorahosted.org/sssd/ticket/2430
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit a1bd8bc666df7fa696523ec8ec1dfe3d79780588)

commit 8c2cbe4cbe71d78f048dc1a4a83c160471494388
Author: Stephen Gallagher <sgallagh at redhat.com>
Date:   Wed Sep 24 11:00:44 2014 -0400

    UTIL: Do not change SSSD domains in get_domains_head
    
    When there was more than one SSSD domain configured, actions performed
    against domains later in the list would be incorrectly told to use the
    first domain as the base for locating subdomains. This was because we
    were rewinding the ->prev list on the sss_domain_info object, which is
    only intended to be used by confdb code. The correct approach was to
    use only the parent linkage, which would take us up to the top-level
    domain in this SSSD domain.
    
    (cherry picked from commit a2147c6c13c36c0ec056581b08a7ed7352ff9861)

commit 58190a0d9e47220e8c32b610f650b174c58ca181
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Thu Aug 28 09:27:01 2014 -0400

    Accept krb5 1.13 for building the PAC plugin
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 9e1f638683cc5c229e8c0ea040c46d2cec58bd7c)

commit 2ba6c837d2e4932becbf64aa8a58046fe63ae9cb
Author: Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>
Date:   Wed Jul 30 21:18:35 2014 +0300

    build: Don't install ad and ipa man pages unnecessarily
    
    Don't install sssd-ipa and sssd-ad man pages if corresponding providers
    weren't built (i.e. --without-samba was specified to configure).
    
    Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
    (cherry picked from commit 4b9c236008b35d2155b94635a236ce7770db4728)

commit be7685e6b20550495d24c3d48159042242626b6b
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Jun 19 12:27:41 2014 +0100

    TESTS: sysdb_search_return_ENOENT - check mem leaks
    
    Reviewed-by: Stephen Gallagher <sgallagh at redhat.com>
    (cherry picked from commit af63cdbfe0c917e0dc921232f67295fdc48d1e32)

commit 8488fbadeba254a989a3ed703c12abc8cc83f6d1
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Jun 19 12:23:26 2014 +0100

    SYSDB: sysdb_search_custom fix memory leak
    
    Add temporary talloc context to allocate basedn on.
    
    Reviewed-by: Stephen Gallagher <sgallagh at redhat.com>
    (cherry picked from commit a4caef931a245fb3c44b70ea65a58bd0c1ff8dc4)

commit fd2ff8fc8c87bc604768084de382420bbd6cca9a
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Jun 19 12:09:06 2014 +0100

    SYSDB: sysdb_search_entry fix memory leak
    
    Allocate res on tmp_ctx instead of on mem_ctx.
    Also use '_' prefix convention for output parameters.
    
    Reviewed-by: Stephen Gallagher <sgallagh at redhat.com>
    (cherry picked from commit 09579ae252c181c7884defc0612c36108f6cf509)

commit e19c67ab46481870291a7d1a883b01707a95839a
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Sat May 17 16:18:32 2014 +0200

    TEST: Test empty results from functions sysdb_search_*
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 4b0c83e022c396e984d862ced5b6219e4ef04429)

commit 31e351ca0dab4bde31e935c37a24c33a32946dc7
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Thu Feb 12 19:10:34 2015 +0100

    MONITOR: Fix double free
    
    If the kill timer was successfully executed then it will be released by libtevent.
    So we should not release it in mt_svc_exit_handler for the second time.
    
    [sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] terminated with signal [9]
    [sssd] [talloc_log_fn] (0x0010): talloc: access after free error - first free
                                             may be at ../tevent_timed.c:351
    [sssd] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free
    
    ==19129== Invalid read of size 4
    ==19129==    at 0x50470CD: talloc_chunk_from_ptr (talloc.c:372)
    ==19129==    by 0x50470CD: _talloc_free (talloc.c:1559)
    ==19129==    by 0x11086C: mt_svc_exit_handler (monitor.c:2754)
    ==19129==    by 0x8AF9B2F: sss_child_invoke_cb (child_common.c:181)
    ==19129==    by 0x4E39823: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==19129==    by 0x4E3AF4D: poll_event_loop_once (tevent_poll.c:649)
    ==19129==    by 0x4E38FEC: _tevent_loop_once (tevent.c:530)
    ==19129==    by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677)
    ==19129==    by 0x84C4B02: server_loop (server.c:668)
    ==19129==    by 0x10D9A6: main (monitor.c:3028)
    ==19129==  Address 0xb8a06c0 is 64 bytes inside a block of size 176 free'd
    ==19129==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==19129==    by 0x50472F2: _talloc_free_internal (talloc.c:1057)
    ==19129==    by 0x50472F2: _talloc_free (talloc.c:1581)
    ==19129==    by 0x4E3D0A3: tevent_common_loop_timer_delay (tevent_timed.c:351)
    ==19129==    by 0x4E3AF59: poll_event_loop_once (tevent_poll.c:653)
    ==19129==    by 0x4E38FEC: _tevent_loop_once (tevent.c:530)
    ==19129==    by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677)
    ==19129==    by 0x84C4B02: server_loop (server.c:668)
    ==19129==    by 0x10D9A6: main (monitor.c:3028)
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2572
    
    Reviewed-by: Stephen Gallagher <sgallagh at redhat.com>
    (cherry picked from commit 373946b540eaa5d97c6efb39629195dbe2a1f015)
    (cherry picked from commit a5d81569531c1c5bbdd26e1f3cb631b16d13f199)

commit 95fd266d0af8d5229af88966e523d2adb52c014c
Author: Stephen Gallagher <sgallagh at redhat.com>
Date:   Wed Dec 10 14:16:49 2014 -0500

    monitor: Service restart fixes
    
    There are actually two bugs here:
    
    1) When either the kill(SIGTERM) or kill(SIGKILL) commands returned
    failure (for any reason), we would talloc_free(svc) which removed it
    from being eligible for restart, resulting in the service never
    starting again without an SSSD service restart.
    
    2) There is a fairly wide race condition where it's possible for a
    SIGKILL timer to "catch up" to the child exit handler between us
    noticing the termination and actually restarting it. The race
    happens because we re-enter the mainloop and add a restart
    timeout to avoid a quick failure if we keep restarting due to a
    transitory issue (the mt_svc object, and therefore the SIGKILL
    timer, were never freed until we got to the actual service
    restart).
    
    We can minimize this race by recording the timer_event for the
    SIGKILL timeout in the mt_svc object. This way, if the process
    exits via SIGTERM, we will immediately remove the timer for the
    SIGKILL. Additionally, we'll catch the special-case of an ESRCH
    response from the kill(SIGKILL) and assume that it means that the
    process has exited. The only other two possible errors are
     * EINVAL: (an invalid signal was specified) - This should be
               impossible, obviously.
     * EPERM: This process doesn't have permission to send signals to
              this PID. If this happens, it's either an SELinux bug or
              else the process has terminated and a new process that
              SSSD doesn't control has taken the ID over.
    
    So in the incredibly unlikely case that one of those occurs, we'll
    just go ahead and try to start a new process.
    
    This patch also removes the incorrect talloc_free(svc) calls on the
    kill() failures and replaces them with an attempt to just start up
    the service again and hope for the best.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2525
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit 152251b13a99c88054055d46600e0478c4f7bd05)

commit 392371cc9ee27d274ced6fae357a9416d6cd3afe
Author: Pavel Reichl <pavel.reichl at redhat.com>
Date:   Mon Dec 2 15:49:04 2013 +0000

    monitor: memory-leak bug
    
    In case *mt_svc_restart* event can't be created free *svc* directly.
    
    (cherry picked from commit 75275a04a36dba53a261e208d1ad44780c2a5702)

commit 985e95db4bf045e0d7ea96844b57ed62dfec7e3a
Author: Pavel Reichl <pavel.reichl at redhat.com>
Date:   Mon Dec 2 15:20:01 2013 +0000

    monitor: monitor_kill_service - refactor
    
    After freeing *svc* return immediately instead of creating event operating on
    *svc* (use-after-free). Also check tevent_add_timer failure and remove unused
    sigkill_ev variable.
    
    (cherry picked from commit e5502b7652b5c974bc44227f46693d3a43f69b8b)

commit 50ecac0266bba0cfd40dc4d967465389a2f8af11
Author: Pavel Reichl <pavel.reichl at redhat.com>
Date:   Mon Dec 2 14:51:59 2013 +0000

    monitor: use-after-free bugfix
    
    *monitor_kill_service* may create a timed event which operates on *svc* and
    therefore *svc* should not be freed right after the call of *monitor_kill_service*.
    *svc* is supposed to be freed by *mt_svc_restart*.
    
    (cherry picked from commit f89cf190f58f3f5c73758abd0a24974a78cb160b)

commit 0ffc58e2407f1756b0c09fe31ecd21a75e88e833
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Sat May 23 21:46:45 2015 +0200

    pysss_nss_idmap: Use wrapper for older python
    
    PyUnicode_FromString -> sss_python_unicode_from_string
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit 1ec5ef62d63937727187419b36549edacd98a271
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Apr 21 09:34:24 2015 +0200

    LDAP: return after tevent_req_error
    
    Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
    (cherry picked from commit f1f5854566c1ee44320a1111a33c12bcc409f00a)
    (cherry picked from commit fec528a3929792d4ec2981d6f3db30d6286197e7)

commit c34ac0da2396205200095a1223c3aec02c882d07
Author: Pavel Březina <pbrezina at redhat.com>
Date:   Wed Mar 25 12:08:04 2015 +0100

    enumeration: fix talloc context
    
    If for some reason ptask fails (e.g. timeout), req is talloc freed,
    but because subreq is attached to ectx, which is permanent, it is
    finished anyway. Then a crash occurs when we are trying to access
    callback data.
    
    The same happens in sdap_dom_enum_ex_send.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2611
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit 725bb2a9901c4f673b107ed179f5d68ec443ca63)
    (cherry picked from commit 81bb9be1ae0b2a4ebe960f136a52576abcdfbbac)

commit 2dd4676825aa42a7fc38907dd0f879c17d508960
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Jun 26 16:21:16 2014 +0100

    sudo: return after tevent_req_error
    
    Don't call tevent_req_done after tevent_req_error (for the same request).
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 979f969abe7a75a2f41f6fddabec94674ca3c722)

commit f160d64b08e574d58d046be297553efe73878bcb
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Jun 26 16:42:53 2014 +0100

    SDAP: return after tevent_req_error
    
    Don't call tevent_req_done after tevent_req_error (for the same request).
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 0d47aef7577f8cf651255cf59df87b3847dbe1ad)

commit 697d13aea5f6b020813111f1a50511cfc440f91c
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Sat Jan 24 09:17:35 2015 -0500

    PROXY: Fix use after free
    
    The dbus_req and associated talloc context are no longer valid after
    execution of the function sbus_request_return_and_finish, even if an error
    code was returned.
    
    ==32479== Invalid read of size 8
    ==32479==    at 0x131F275F: client_registration (proxy_init.c:474)
    ==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
    ==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
    ==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
    ==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
    ==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
    ==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
    ==32479==    by 0x89B5776: std_event_loop_wait (tevent_standard.c:140)
    ==32479==    by 0x529E255: server_loop (server.c:668)
    ==32479==    by 0x40DBC5: main (data_provider_be.c:2915)
    ==32479==  Address 0xb700858 is 104 bytes inside a block of size 136 free'd
    ==32479==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==32479==    by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1)
    ==32479==    by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95)
    ==32479==    by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119)
    ==32479==    by 0x131F264D: client_registration (proxy_init.c:443)
    ==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
    ==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
    ==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
    ==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
    ==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
    ==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2573
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit 33889b2ad764beb6b129f5211b1fab9790da8884)
    (cherry picked from commit 31dd2a8c5042493b24ef4f9360139525c018bcb4)

commit dcb16038ac779186aebbd7d37caab3736cb01466
Author: Pavel Reichl <preichl at redhat.com>
Date:   Thu Nov 20 18:27:04 2014 +0000

    LDAP: retain external members
    
    When processing group membership, check sysdb for group members from an
    external domain and include them in the newly processed group membership, as
    external members are currently found only when initgroups() is called.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2492
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>

commit fea2d8c6aef70f1ba6f7528c261606eac4fcea1c
Author: Simo Sorce <simo at redhat.com>
Date:   Sat Nov 9 15:44:45 2013 -0500

    Signals: Remove unused functions
    
    Cleanup unused signal functions
    
    (cherry picked from commit d054a96e102b53a3aab6602f531a0e8d254080ab)
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit df62ac0be0ab00bb1661098590c2aec6773f321e
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Mon Aug 4 13:36:42 2014 +0200

    PAC: krb5_pac_verify failures should not be fatal
    
    As noted in the MIT KRB5 documentation, some servers send a PAC with no
    checksum, therefore the PAC validation should not be fatal; instead, we
    should treat a failure from krb5_pac_verify as if there was no PAC at
    all.
    
    Reported on sssd-devel by Thomas Sondergaard
    
    (cherry picked from commit 6e51d44a65b15c2f0491b0a8b452caac0bc00584)

commit d164404a2c5d6d5254b96567c7cda5e78a47f8bb
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Mon Sep 15 14:18:17 2014 +0200

    LDAP: Do not clobber return value when multiple controls are returned
    
    We loop over the array of returned controls and set 'ret' based on the
    control value. In case multiple controls were returned, the 'ret'
    variable might be clobbered with result of a string-to-int conversion.
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit 6a3ec7ba6f99b027c4c15a360ef0116fe60a0705)

commit efe95361859b688e154165af3d7759aeb9609cb6
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri Nov 21 11:28:36 2014 +0100

    sss_client: Fix race condition in memory cache
    
    Thread-safe initialisation was fixed in ticket #2380, but there is
    still a race condition in reinitialisation.
    
    If the cache is invalidated with the command sss_cache -U (-G or -E), then
    client code will need to reinitialize the fast memory cache.
    Let's say we have two threads. The 1st thread finds out that the memory cache
    should be reinitialized; therefore the fast memory cache is unmapped
    and the context destroyed. At the same time, the 2nd thread tries to check the
    header of the memory cache to see whether it is initialized and valid. As a result
    of the previously unmapped memory, the 2nd thread accesses
    out-of-bounds memory (SEGFAULT).
    
    The destroying of the fast memory cache cannot be done at any time. We need
    to be sure that there isn't any other thread which uses the mmapped memory.
    A new counter of active threads was added for this purpose. The state
    of the fast memory cache was converted from a boolean to a three-value state
    (UNINITIALIZED, INITIALIZED, RECYCLED):
    UNINITIALIZED
        - the fast memory cache needs to be initialized.
        - if there is a problem with initialisation, the state will not change
        - after successful initialisation, the state will change to INITIALIZED
    INITIALIZED
        - if the cache was invalidated or any other problem is
          detected in the memory cache header, the state will change to RECYCLED
          and the memory cache IS NOT destroyed.
    RECYCLED
        - nothing will be done if there are any active threads which may use
          the data from the mmapped memory
        - if there aren't any active threads, the fast memory cache is destroyed and
          the state is changed to UNINITIALIZED.
    
    https://fedorahosted.org/sssd/ticket/2445
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 6a60e29468fc6b4043a4dc52d3aab73e8465db70)
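The three-state lifecycle from the commit message above, modelled as an added example that is not sssd's own code: all names (mc_ctx, mc_enter, mc_try_recycle, ...) are hypothetical, and a plain counter plus two flags stand in for the real mmap()ed region and its header check; the replay runs single-threaded and only interleaves the two threads' steps in the order the commit describes.

```c
#include <stdbool.h>
enum mc_state { UNINITIALIZED, INITIALIZED, RECYCLED };

struct mc_ctx {
    enum mc_state state;
    int active_threads;   /* threads currently reading the mapped region */
    bool mapped;          /* stands in for the mmap()ed cache region */
    bool header_valid;    /* stands in for the memory cache header check */
};

/* Bracket every access to the mapped data with these two calls. */
static void mc_enter(struct mc_ctx *c) { c->active_threads++; }
static void mc_leave(struct mc_ctx *c) { c->active_threads--; }

/* UNINITIALIZED: try to map; on failure the state does not change. */
static bool mc_init(struct mc_ctx *c, bool init_ok)
{
    if (c->state != UNINITIALIZED) return c->state == INITIALIZED;
    if (!init_ok) return false;
    c->mapped = true; c->header_valid = true; c->state = INITIALIZED;
    return true;
}

/* INITIALIZED: a bad header (e.g. after sss_cache -U) only marks the cache
 * RECYCLED; the mapping is NOT torn down here. */
static void mc_invalidate(struct mc_ctx *c)
{
    if (c->state == INITIALIZED) { c->header_valid = false; c->state = RECYCLED; }
}

/* RECYCLED: destroy the mapping only once no thread can still use it. */
static bool mc_try_recycle(struct mc_ctx *c)
{
    if (c->state != RECYCLED || c->active_threads > 0) return false;
    c->mapped = false; c->state = UNINITIALIZED;
    return true;
}

/* Replay the race from the commit message: thread 1 finds a stale header while
 * thread 2 is still reading. True if unmapping waited until thread 2 left. */
static bool mc_replay_race(void)
{
    struct mc_ctx c = { UNINITIALIZED, 0, false, false };
    if (!mc_init(&c, true)) return false;
    mc_enter(&c);                                    /* thread 2 starts reading */
    mc_invalidate(&c);                               /* thread 1 sees stale header */
    bool deferred = !mc_try_recycle(&c) && c.mapped; /* thread 1 must not unmap */
    mc_leave(&c);                                    /* thread 2 done */
    return deferred && mc_try_recycle(&c) && !c.mapped && c.state == UNINITIALIZED;
}
```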

commit bbaa6a48b46f02edfeacc7c32b442ecad24c9430
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri Nov 21 14:00:23 2014 +0100

    sss_client: Extract destroying of mmap cache to function
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 19f6a6733b5c6cf7dd2f6f746cfa5c787706331c)

commit 3cc9377bfce8bfda69244f7d79ce0062c60faa65
Author: Dan Lavu <dlavu at redhat.com>
Date:   Tue Nov 11 15:46:51 2014 -0500

    MAN: page edit for ldap_use_tokengroups
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2448
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit 6037341d6d77dc61b11d3d23944c615a96713353
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri Nov 7 13:58:17 2014 +0100

    LDAP: Disable token groups by default
    
    We tried to speed up processing of initgroup lookups with tokenGroups even for
    the LDAP provider (if remote server is Active Directory), but it turns out that
    there are too many corner cases that we didn't catch during development that
    break. For instance, groups from other trusted domains might appear in TG and
    the LDAP provider isn't equipped to handle them.
    
    Overall, users who wish to use the added speed benefits of tokenGroups are
    advised to use the AD provider.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2483
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 5febf5ed0cfb4ba7665d8c3e36ee6941988da773)

commit c6a7cf7be85539ea0460d9f07182b8b666efe412
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri Nov 7 13:34:50 2014 +0100

    Revert "LDAP: Change defaults for ldap_user/group_objectsid"
    
    This reverts commit 29e5b5d17d9700022958bf1f59bb861cdf68bb57.
    
    An OpenLDAP server cannot dereference unknown attributes. The attribute objectSID
    isn't in any standard objectclass on an OpenLDAP server. This is the reason why
    objectSID cannot be set by default in the rfc2307 map and rfc2307bis map.
    It is the same problem as using the non-standard attribute "nsUniqueId"
    in ticket https://fedorahosted.org/sssd/ticket/2383
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>

commit f070a93e7dd6b594d8652718e513a18ec389fc2c
Author: Pavel Březina <pbrezina at redhat.com>
Date:   Fri Oct 31 14:26:30 2014 +0100

    IPA: use ipaUserGroup object class for groups
    
    dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class
