[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 94 commits: Bumping the version to track the 1.16.3 development

Timo Aaltonen gitlab at salsa.debian.org
Wed Aug 22 14:35:47 BST 2018


Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
b5b073c2 by Jakub Hrozek at 2018-06-08T19:42:18Z
Bumping the version to track the 1.16.3 development

- - - - -
efae9509 by Sumit Bose at 2018-06-14T18:01:33Z
krb5 locator: add support for multiple addresses

Read multiple addresses from the kdcinfo files and call the provided
callback with each of them.

Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
9f683246 by Sumit Bose at 2018-06-14T18:01:50Z
krb5 locator: fix IPv6 support

IPv6 addresses are added with surrounding '[' and ']' to the kdcinfo
file to be able to specify a port number properly. The Kerberos location
plugin didn't handle those entries properly.

Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
c1fbc6b6 by Sumit Bose at 2018-06-14T18:01:54Z
krb5 locator: make plugin more robust

Although currently libkrb5 sets all parameters of the locator plugin
calls to suitable values we should make sure that provided pointers are
not NULL before trying to dereference them.

Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2124275f by Sumit Bose at 2018-06-14T18:01:57Z
krb5 locator: add unit tests

Unit test for existing and new functionality of the Kerberos locator
plugin.

Related to https://pagure.io/SSSD/sssd/issue/941
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
cc792275 by Sumit Bose at 2018-06-14T18:02:01Z
AD/IPA: Create kdcinfo file for sub-domains

With this patch kdcinfo files are created for sub-domains by the AD
provider and by the IPA provider on the IPA servers
(ipa_server_mode=True).

Related to https://pagure.io/SSSD/sssd/issue/3652
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
d91661e2 by Sumit Bose at 2018-06-14T18:02:04Z
krb5: refactor removal of krb5info files

Currently a persistent offline callback removes the krb5info files for
the configured main domain and those files were removed by a SIGTERM
signal handlers as well.

This does not scale if krb5info files are created for sub-domains as
well. To remove the files automatically the removal is moved into a
talloc destructor of an offline callback which is added if the file is
created and frees itself when the system goes offline. Due to the
talloc memory hierarchy we get removal on shutdown for free.

Related to https://pagure.io/SSSD/sssd/issue/3652
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
4759a482 by Sumit Bose at 2018-06-14T18:02:09Z
krb5_common: add callback only once

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f28d9957 by Sumit Bose at 2018-06-14T18:02:19Z
data provider: run offline callbacks only once

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
1038473e by Amit Kumar at 2018-06-14T18:02:51Z
Responder: simplify if-else structure in sss_dp_get_account_msg()

The structure of if-else statements in sss_dp_get_account_msg
became too complex. Replacing if-else with switch initially,
will investigate more on refactoring further.

Resolves: https://pagure.io/SSSD/sssd/issue/1903
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
b34fcff0 by Fabiano Fidêncio at 2018-06-16T08:16:53Z
intg: Do not hardcode nsslibdir

This change is needed in order to have make intgcheck-run properly
running on opensuse systems.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Chris Kowalczyk <ckowalczyk at suse.com>
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
1575ec97 by Jakub Hrozek at 2018-06-22T09:29:42Z
TESTS: Extend the schema with sshPublicKey attribute

This will allow to store the users with a sshPublicKey attribute
provided that they have the right objectclass as well.

Related to:
https://pagure.io/SSSD/sssd/issue/3747

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
56cda832 by Jakub Hrozek at 2018-06-22T09:29:56Z
TESTS: Allow adding sshPublicKey for users

Adds the objectclass and allows storing a list of sshPublicKey
attributes for users. Since there is no harm in adding the extra
objectclass, we can do it unconditionally.

Related to:
https://pagure.io/SSSD/sssd/issue/3747

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
804c5b53 by Jakub Hrozek at 2018-06-22T09:30:02Z
TESTS: Add a basic SSH responder test

Adds a basic test that makes sure that a list of SSH public keys can be
retrieved. This is to make sure we don't break the SSH integration later
on.

Related:
https://pagure.io/SSSD/sssd/issue/3747

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
cb138d7d by Jakub Hrozek at 2018-06-22T09:30:06Z
SSH: Do not exit abruptly if SSHD closes its end of the pipe before reading all the SSH keys

Resolves:
https://pagure.io/SSSD/sssd/issue/3747

Before writing the keys to sshd, ignore SIGPIPE so that if the pipe
towards the authorizedkeys helper is closed, the sss_ssh_authorizedkeys
helper is not terminated with SIGPIPE, but instead proceeds and then the
write(2) calls would non-terminally fail with EPIPE.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
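
The behaviour described in this commit message, as an added example that is not part of the commit or of SSSD's code: with SIGPIPE ignored, a writer whose reader closes the pipe early gets EPIPE from write(2) instead of being killed. The function names and the sample keys are constructed for illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample lines, not real key material. */
static const char *sample_keys[] = {
    "ssh-rsa AAAA-constructed-key-1 user@example\n",
    "ssh-rsa AAAA-constructed-key-2 user@example\n",
    "ssh-rsa AAAA-constructed-key-3 user@example\n",
};

/* Write the whole buffer, retrying on EINTR and short writes.
 * Returns 0 on success or the errno of the failing write(2). */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return errno;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Write nkeys lines to fd; *written counts the lines fully written. */
int write_keys(int fd, const char **keys, size_t nkeys, size_t *written)
{
    *written = 0;
    for (size_t i = 0; i < nkeys; i++) {
        int ret = write_all(fd, keys[i], strlen(keys[i]));
        if (ret != 0) {
            return ret;
        }
        (*written)++;
    }
    return 0;
}

/* Simulate a reader that consumes part of the output and then closes its
 * end of the pipe. Returns 0 or the errno the writer ended with. */
int simulate_early_close(size_t *written)
{
    void (*old)(int);
    int fds[2];
    char buf[16];
    size_t more = 0;
    int ret;

    *written = 0;

    /* Without this, the second write_keys() call below would terminate
     * the process with SIGPIPE instead of returning an error. */
    old = signal(SIGPIPE, SIG_IGN);
    if (old == SIG_ERR) {
        return errno;
    }

    if (pipe(fds) != 0) {
        ret = errno;
        goto done;
    }

    /* The first line fits in the pipe buffer and is written in full. */
    ret = write_keys(fds[1], sample_keys, 1, written);
    if (ret == 0 && read(fds[0], buf, sizeof(buf)) < 0) {
        ret = errno;
    }
    close(fds[0]);              /* reader goes away early */

    if (ret == 0) {
        /* No reader is left: write(2) fails non-fatally with EPIPE. */
        ret = write_keys(fds[1], sample_keys + 1, 2, &more);
        *written += more;
    }
    close(fds[1]);

done:
    signal(SIGPIPE, old);       /* restore the previous disposition */
    return ret;
}

int main(void)
{
    size_t written = 0;
    int ret = simulate_early_close(&written);

    printf("lines written: %zu, result: %s\n", written,
           ret == 0 ? "ok" : strerror(ret));
    return 0;
}
```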

- - - - -
909c16ed by Jakub Hrozek at 2018-06-22T09:30:10Z
TESTS: Add a helper binary that can trigger the SIGPIPE to authorizedkeys

Adds a test tool that simulates the behaviour of OpenSSH in the sense
that it starts to read the output from the sss_ssh_authorizedkeys tool,
but then closes the pipe before reading the whole output.

Related:
https://pagure.io/SSSD/sssd/issue/3747

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
4cc3c1a1 by Jakub Hrozek at 2018-06-22T09:30:14Z
TESTS: Add a regression test for SIGHUP handling in sss_ssh_authorizedkeys

A regression test for:
https://pagure.io/SSSD/sssd/issue/3747

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
b0ec3875 by Jakub Hrozek at 2018-06-22T09:36:22Z
Revert "LDAP/IPA: add local email address to aliases"

This reverts commit 9a310913d696d190db14c625080678db853a33fd.

Storing the e-mail address as a nameAlias was a performance optimization
to avoid having to fall back to the UPN lookup, but had the disadvantage
of returning multiple results for cases where an e-mail address is the
same as a user's fully qualified name.

Since the e-mail lookups would still work without this optimization,
just after one more lookup, let's revert the patch.

Resolves:
https://pagure.io/SSSD/sssd/issue/3607

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
58f60a09 by Jakub Hrozek at 2018-06-22T09:36:41Z
util: Remove the unused function is_email_from_domain

This commit pretty much reverts commit
04d4c4d45f3942a813b7f772737f801f877f4e64, it's just coded manually,
because "git revert 04d4c4d45f3942a813b7f772737f801f877f4e64"
resulted in conflicts. It's easier to just remove the single
function.

Related:
https://pagure.io/SSSD/sssd/issue/3607

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
d057eb2e by Jakub Hrozek at 2018-06-22T09:36:45Z
TESTS: Allow storing e-mail address for users

This would allow adding tests for by-e-mail lookups later

Related:
https://pagure.io/SSSD/sssd/issue/3607

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
76ce965f by Jakub Hrozek at 2018-06-22T09:36:49Z
TESTS: Add regression test for looking up users with conflicting e-mail addresses

Related:
https://pagure.io/SSSD/sssd/issue/3607

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
5e1641b1 by Jakub Hrozek at 2018-06-22T09:37:29Z
AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence

The logic behind deciding whether to check if a server contains any
POSIX attributes used the ignore_mark_offline flag. This was OK for some
time, because this flag was only set to true for Global Catalog
connections, which are those that we need to check.

However, in recent releases, the flag was also set for any connection
towards a trusted domain. This had the unintended effect that any
lookup, LDAP or GC against a trusted domain ran the wide POSIX presence
check.

Resolves:
https://pagure.io/SSSD/sssd/issue/3754

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
4c79db69 by Jakub Hrozek at 2018-06-22T09:38:34Z
MAN: Remove outdated notes from the re_expression description

These notes are only valid for very old pcre releases which hopefully
nobody is using anymore.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8071976a by Jakub Hrozek at 2018-06-22T09:39:00Z
MAN: Document the re_expression needed to support @-signs in the groupnames

In the 2.0 release we will be able to change the default regular
expression that will allow to consume @-signs in the name, but
since the 1.x branches need to stay backwards compatible, let's
only document the regex for now.

Related:
https://pagure.io/SSSD/sssd/issue/3219

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a2cc554f by Sumit Bose at 2018-06-22T10:17:55Z
utils: add libsss_child dependency to libsss_cert

Since the refactoring of the ssh responder to call p11_child to
validate certificates there is a dependency between libsss_cert and
libsss_child. In some environments, e.g. gentoo or the OpenSUSE build
service, this dependency must be declared explicitly even if it is
resolved otherwise while linking the binaries.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
ed90a20a by Jakub Hrozek at 2018-06-25T07:18:24Z
SUDO: Create the socket with stricter permissions

This patch switches the sudo responder from being created as a public
responder where the permissions are open and not checked by the sssd
daemon to a private socket. In this case, sssd creates the pipes with
strict permissions (see the umask in the call to create_pipe_fd() in
set_unix_socket()) and additionally checks the permissions with every read
via the tevent integrations (see accept_fd_handler()).

Resolves:
https://pagure.io/SSSD/sssd/issue/3766 (CVE-2018-10852)

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c5ef56b4 by amitkumar50 at 2018-06-25T11:11:10Z
MAN: Give information regarding priority of ldap lookup

This PR provides information about priority of lookup
similar to as provided by function select_principal_from_keytab().

Resolves: https://pagure.io/SSSD/sssd/issue/3475

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29bbc8e0 by Jakub Hrozek at 2018-06-29T20:16:46Z
AD: expose the helper function to format the site DNS query

This function will be used later in the patchset. Instead of exposing
the format constant, expose the function that builds the DNS query for
site discovery.

Related:
https://pagure.io/SSSD/sssd/issue/3291

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6f80bccc by Jakub Hrozek at 2018-06-29T20:17:44Z
RESOLV: Add a resolv_hostport_list request

Adds a request that resolves a list of (host,port) tuples and returns a
list of structures that contain the resolv_hostent structure as other
resolver requests do, but also a pointer to the original request tuple.

This is done because the request skips any unresolvable inputs, so it
might be handy to know which input an output maps to.

It is expected that the request will be used in the future also for cases
where we want to e.g. try the connectivity to a server using a mechanism
such as an LDAP ping.

Related:
https://pagure.io/SSSD/sssd/issue/3291

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a9a9f393 by Jakub Hrozek at 2018-06-29T20:17:49Z
KRB5/IPA/AD: Add a utility function to create a krb5_service instance

Each Kerberized provider used hand-crafted copy-paste code to set up its
copy of the krb5_service structure. Instead of adding yet another copy in
this patchset in the IPA subdomains code, create a utility function instead.

Due to IPA provider first creating the krb5_service in the common setup
function, but only later reading the auth options in the auth provider
constructor, the code first uses the default true value for the use_kdcinfo
flag and then overrides it with the configured value in the auth constructor
-- it would be preferable to create the structure with the right value at
creation time, but this would require bigger refactoring. Also, the code
before this change was even less correct as the flag was initially set the
"false" due to the structure being allocated with talloc_zero(). At least
now it uses the default value.

Related:
https://pagure.io/SSSD/sssd/issue/3291

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8971399c by Jakub Hrozek at 2018-06-29T20:17:52Z
KRB5: Allow writing multiple addresses to the kdcinfo plugin

Turns the previous write_krb5info_file() function into a static function
that writes whatever input it receives. Adds a wrapper around it that
accepts a list of strings, turns that into a newline-separated string
which is then passed to the original function.

Related:
https://pagure.io/SSSD/sssd/issue/3291

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1cce549e by Jakub Hrozek at 2018-06-29T20:17:57Z
IPA: Add the options that the IPA subdomains code will read for trusted domains on the client

With this patchset, IPA clients will read and evaluate the ad_server and
ad_site options. This patch just adds the required structures for later
usage.

Related:
https://pagure.io/SSSD/sssd/issue/3291

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
18b7f0a3 by Jakub Hrozek at 2018-06-29T20:18:02Z
IPA: Populate kdcinfo files on trust clients with configured AD servers

Resolves:
https://pagure.io/SSSD/sssd/issue/3291

Adds a new request into the IPA subdomains provider. This request runs on
IPA clients only.

The request looks into the configuration for either the ad_site or ad_server
options for each subdomain. If none are found, the subdomain is skipped.

If either is found, the request resolves the server names, or first the
site and then the server names from the site and writes their addresses
to the kdcinfo files for each subdomain. This allows programs such as
kinit but also SSSD's krb5_child to use the configured servers.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
014e7d8a by Jakub Hrozek at 2018-06-29T20:18:06Z
MAN: Document the options available for AD trusted domains

Related:
https://pagure.io/SSSD/sssd/issue/3291

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
13c84507 by Sumit Bose at 2018-06-29T20:18:12Z
AD: consider resource_groups in PAC as well

With recent versions of Active Directory the SIDs of Domain Local groups
might be only available in the resource_groups section of the PAC, this
feature is also called SID compression. To get a complete list of groups
the user is a member of the SIDs from this section must be extracted as
well.

Resolves https://pagure.io/SSSD/sssd/issue/3767

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
72099c32 by Sumit Bose at 2018-07-09T20:12:11Z
utils: make create_ipa_preauth_indicator() public as create_preauth_indicator()

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
d724ea3c by Sumit Bose at 2018-07-09T20:12:15Z
PAM: create pre-auth indicator file

If pam_cert_auth is enabled the PAM responder will automatically create
the pre-authentication indicator file to tell pam_sss to do the pre-auth
step to find out about the available authentication methods.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
c8d1c1b7 by Jakub Hrozek at 2018-07-10T11:23:28Z
SDAP: Detect schemaNamingContext from the rootDSE

Whether an attribute is replicated to the Global Catalog or not can be
detected by checking the value of the isMemberOfPartialAttributeSet
attribute:
https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-ismemberofpartialattributeset

This attribute is present in all objects with the objectClass
attributeSchema in AD:
https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes

And finally, the attributeSchema objects in AD are present in a schema
naming context. The schema naming context is replicated to all DCs in the
forest even though their own naming context might be different:
https://docs.microsoft.com/en-us/windows/desktop/ad/naming-contexts-and-partitions

Where the schema naming context is located is given by the
schemaNamingContext attribute of the rootDSE.

This patch is trivial on its own and just reads schemaNamingContext from
the rootDSE and stores it in the sdap_options structure for later use.

Related:
https://pagure.io/SSSD/sssd/issue/3755

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ba96e7b8 by Jakub Hrozek at 2018-07-10T11:24:07Z
AD: Add Global Catalog usability check in subdomain code by looking at the schema

Adds a new tevent request which checks for the presence of uidNumber
and gidNumber under the schema naming context, which is typically
cn=schema,cn=configuration,$BASEDN. For both objects representing each of
the attributes, the isMemberOfPartialAttributeSet attribute is requested. If
this attribute is set to TRUE, then the attribute corresponding to this
schema object had been replicated to the Global Catalog.

Because the isMemberOfPartialAttributeSet is not replicated to the GC
itself, we use the LDAP connection for the search.

Related:
https://pagure.io/SSSD/sssd/issue/3755

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4273ac04 by Jakub Hrozek at 2018-07-10T11:24:14Z
AD: Remove the legacy check from ad_get_account_domain_posix_check request

Previously, the POSIX attribute presence check was run as part of the ID
request, so it was necessary to also run the check as part of the
get-domain-for-ID request.

Since moving the POSIX check to being a part of the subdomain provider,
this is no longer needed as the subdomain provider disables the GC
support on its own if required. Therefore we can just remove the POSIX
check from the get-domain-for-ID request.

Related:
https://pagure.io/SSSD/sssd/issue/3755

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8d781198 by Jakub Hrozek at 2018-07-10T11:24:20Z
LDAP/AD: Remove the legacy POSIX check from user, group and enumeration searches

This code is superseded by the POSIX check in the subdomains provider.

Related:
https://pagure.io/SSSD/sssd/issue/3755

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5b2b6493 by Jakub Hrozek at 2018-07-10T11:24:25Z
LDAP: Remove the legacy POSIX check itself

This code is no longer needed now.

Related:
https://pagure.io/SSSD/sssd/issue/3755

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4991e467 by Jakub Hrozek at 2018-07-10T11:33:01Z
sudo testcli: Use hand-crafted JSON for output so that the test CLI is usable in tests

The sudo testcli tool can be handy in tests, but currently its output is
hard to process from a program. This patch makes the tool print a JSON
output instead, which will make it more usable.

Related:
https://pagure.io/SSSD/sssd/issue/3596

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
074a9ea7 by Jakub Hrozek at 2018-07-10T11:33:08Z
TESTS: Load the sudo schema in the default OpenLDAP test instance and create ou=sudoers

This will allow us to store sudo entries in our OpenLDAP test instances.

Related:
https://pagure.io/SSSD/sssd/issue/3596

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b14cb238 by Jakub Hrozek at 2018-07-10T11:33:12Z
TESTS: Add API to add sudo rules in tests

Actually adds an API that allows the programmer to store sudoRole
objects in LDAP.

Related:
https://pagure.io/SSSD/sssd/issue/3596

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5d838e13 by Jakub Hrozek at 2018-07-10T11:33:17Z
TESTS: Add a simple sudo LDAP test

Adds the most basic SUDO LDAP tests that makes sure a user specified in
a sudo rule can execute sudo and a user not specified cannot.

Related:
https://pagure.io/SSSD/sssd/issue/3596

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e75601bf by Jakub Hrozek at 2018-07-10T11:33:23Z
SUDO: Don't save duplicates when saving qualified names

The sudoUser attribute which is part of the sudo rule can contain any
name that sudo can parse on the LDAP side. Internally, however, the
attribute is always qualified with the name of the SSSD domain.

This patch makes sure that if two or more sudoUser attributes contain
the same name in both qualified and an unqualified form, the rule is
actually saved. Previously, the rule would have failed to be saved and
the sysdb sudo code would have errored out with EEXIST.

Resolves:
https://pagure.io/SSSD/sssd/issue/3596

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ded46b7b by Fabiano Fidêncio at 2018-07-10T11:41:53Z
files: do not apply override_homedir to files provider

override_homedir should not be applied to files provider as the provider
should always return *only* what's in the files and nothing else.

Resolves:
https://pagure.io/SSSD/sssd/issue/3758

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
3b19518f by Fabiano Fidêncio at 2018-07-10T11:41:58Z
tests: add override_homedir tests for files provider

Resolves:
http://pagure.io/SSSD/sssd/issue/3758

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
24159461 by Fabiano Fidêncio at 2018-07-10T11:42:01Z
files: do not apply override_shell to files provider

override_shell should not be applied to files provider as the provider
should always return *only* what's in the files and nothing else.

Resolves:
https://pagure.io/SSSD/sssd/issue/3758

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
fe48bc32 by Fabiano Fidêncio at 2018-07-10T11:42:04Z
tests: add override_shell tests for files provider

Resolves:
https://pagure.io/SSSD/sssd/issue/3758

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
024c1b3a by Fabiano Fidêncio at 2018-07-10T11:42:06Z
util: add is_files_provider() helper

In a bunch of different places we end up checking whether the domain's
provider is the "files" provider or not.

Let's just add some helper function to standardize the checks.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2373df99 by Fabiano Fidêncio at 2018-07-10T11:42:10Z
files: make use of is_files_provider() helper

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f0b4d482 by Fabiano Fidêncio at 2018-07-12T07:18:11Z
cache_req: keep the files provider as the first domain to be searched

Currently we can't guarantee any order on which domain will be the first to
be searched. More than that, in case domain_resolution_order is set, we
actually enforce that the first domain searched will respect the option
set.

This behaviour is not exactly what is expected, as the implicit files domain
has to be searched first in order to avoid querying for local users in
remote domains. In order to enforce this, let's just keep the files
domain as the first to be searched, always!

Resolves:
https://pagure.io/SSSD/sssd/issue/3768

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c07469f7 by Fabiano Fidêncio at 2018-07-12T07:19:20Z
tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order()

Related:
https://pagure.io/SSSD/sssd/issue/3768

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0052abe2 by Fabiano Fidêncio at 2018-07-12T07:19:24Z
tests: add a test to ensure the output_fqnames is false for files provider

Related:
https://pagure.io/SSSD/sssd/issue/3743

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
90378d31 by Jakub Hrozek at 2018-07-12T07:20:29Z
crypto: Silence a Coverity warning in OpenSSL version of sss_hmac_sha1()

It looks like the case where the key_len was exactly 64 was confusing
Coverity. The trace looks like this:

  2. Condition key_len > 64, taking false branch.
  3. cond_at_most: Checking key_len > 64UL implies that key_len may be up to 64 on the false branch.
49    if (key_len > HMAC_SHA1_BLOCKSIZE) {
50        /* keys longer than blocksize are shortened */
51        if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) {
52            ret = EIO;
53            goto done;
54        }
55
56        EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len);
57        EVP_DigestFinal_ex(ctx, ikey, &res_len);
58        memset(ikey + SSS_SHA1_LENGTH, 0, HMAC_SHA1_BLOCKSIZE - SSS_SHA1_LENGTH);
59    } else {
60        /* keys shorter than blocksize are zero-padded */
61        memcpy(ikey, key, key_len);
  CID 18054 (#1 of 1): Out-of-bounds read (OVERRUN)4. overrun-local: Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer ikey + key_len. [Note: The source code implementation of the function has been overridden by a builtin model.]
62        memset(ikey + key_len, 0, HMAC_SHA1_BLOCKSIZE - key_len);
63    }

I think this is a false positive because then HMAC_SHA1_BLOCKSIZE-key_len
will be 0, so ikey+key_len will not be dereferenced at all, but let's be
helpful to Coverity and make sure the branch is not evaluated at all if
key_len == HMAC_SHA1_BLOCKSIZE.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ad10153f by Jakub Hrozek at 2018-07-12T07:20:46Z
crypto: Make one condition more defensive in NSS version of sss_hmac_sha1()

This makes the code more robust in case the if-block is moved to some
other place without the 'if (key_len > HMAC_SHA1_BLOCKSIZE)' check
before.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6ced8784 by Jakub Hrozek at 2018-07-13T06:53:01Z
SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries

If SSSD is searching for a user using a name-based filter in an
environment that uses nested OUs or sub domains, it is expected the
search can return two or more entries. The correct entry is then matched
using the domain name.

But the error message was confusing admins, because it simply said
"Expected one entry, found %d". This patch softens this error message
and rewords the message in case the matching fails.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
efd6702e by Fabiano Fidêncio at 2018-07-13T06:53:56Z
deskprofile: don't bail if we fail to save one profile

Due to different reasons (a bug on fleet-commander, for instance?) we
may face the situation where one profile ends up stored in freeipa on a
half-broken state (with no data, for instance).

In case it happens, we should try our best to save the not broken
profiles and just skip the broken ones instead of bailing the whole
operation.

Resolves:
https://pagure.io/SSSD/sssd/issue/3773

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0648053a by Alexander Bokovoy at 2018-07-19T14:08:45Z
ipa provider: always use a special keytab to talk to a trusted DC

When FreeIPA is set up to trust an Active Directory forest, we should be
using trusted domain object credentials regardless of the trust
direction. Previously, SSSD relied on FreeIPA KDC issuing a cross-realm
referral towards a trusted domain. However, this does not work
currently with Samba AD and in general we want to move away to use
TDO in all cases as it is guaranteed to have correct permissions on AD
side.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
14faec9c by Alexander Bokovoy at 2018-07-19T14:08:50Z
ipa provider: expand search base to cover trusted domain objects

In case of a trust between FreeIPA and an Active Directory, domain
controller would use a TDO object in the trusting domain to
authenticate. Due to how trusted domain objects are used in Active
Directory, a domain controller from the trusted domain either synthesize
a Kerberos ticket without MS-PAC or would use NTLMSSP to authenticate.
On IPA master smbd process will attempt to validate successfully
authenticated TDO principal by looking at its MS-PAC structure, only to
find it is missing. As result, smbd will revert to a direct getpwnam()
to see if this user exists on the system.

Because TDO objects are stored under cn=trusts,$SUFFIX in FreeIPA, they
couldn't be found by SSSD which uses cn=accounts,$SUFFIX by default. Add
a search base to look up cn=trusts,$SUFFIX to allow TDO objects to be
queried.

On FreeIPA side access controls are put in place so that only AD trust
agents are able to see a content of the cn=trusts,$SUFFIX subtree.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ececbf9c by Lukas Slebodnik at 2018-07-25T20:00:09Z
sss_seed: Remove unused parameter from seed_domain_user_info

The last usage was removed in the commit
6181113ea79806a414aadc580e6e241a6b317763

Merges: https://pagure.io/SSSD/sssd/pull-request/3784

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
4900b8e5 by Lukas Slebodnik at 2018-07-25T20:22:01Z
SUDO: Fix running in unprivileged responder

There are strict checks for private sockets which do not work with
unprivileged responder

Resolves:
https://pagure.io/SSSD/sssd/issue/3778

Merges: https://pagure.io/SSSD/sssd/pull-request/3784

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
21ea8204 by Lukas Slebodnik at 2018-07-25T20:22:06Z
SUDO: Root should be able to read/write sssd-sudo socket

There is not any reason to require additional capabilities from root
when sssd is running as unprivileged user.

Sudo UNIX socket is not a real private socket. It just cannot
be used by others. Just owner(sssd) and root should be able to use it.

Resolves:
https://pagure.io/SSSD/sssd/issue/3778

Merges: https://pagure.io/SSSD/sssd/pull-request/3784

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7fbee790 by Lukas Slebodnik at 2018-07-25T20:25:31Z
SPEC: Drop unnecessary check for minor version of el7

CentOS 7.5.1804 was released more than 2 months ago
https://blog.centos.org/2018/05/centos-7-5-1804-released/

So we can drop checks for minor versions of el7. They were used
to distinguish between released and development versions and to use
new optional features.

Merges: https://pagure.io/SSSD/sssd/pull-request/3783

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
08ae90af by Lukas Slebodnik at 2018-07-25T20:27:31Z
test_ssh_client: Do not ignore failure from read

Merges: https://pagure.io/SSSD/sssd/pull-request/3782

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7326b52d by Lukas Slebodnik at 2018-07-25T20:29:13Z
SPEC: Move openssl deps away from unit tests deps

We should install openssl build dependencies even though we do not want
to run/install dependencies for unit tests

Merges: https://pagure.io/SSSD/sssd/pull-request/3781

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2a3f2495 by Lukas Slebodnik at 2018-07-25T20:32:44Z
PYTHON: Avoid warnings with python3.7

src/python/pysss.c: In function 'PyList_AsStringList':
src/python/pysss.c:60:17: warning: assignment discards 'const'
    qualifier from pointer target type [-Wdiscarded-qualifiers]
         itemstr = PyUnicode_AsUTF8AndSize(item, &itemlen);
                 ^

src/python/pyhbac.c: In function 'str_concat_sequence':
src/python/pyhbac.c:252:14: warning: assignment discards 'const'
    qualifier from pointer target type [-Wdiscarded-qualifiers]
         part = PyUnicode_AsUTF8(item);
              ^

The result of PyUnicode_AsUTF8AndSize() and PyUnicode_AsUTF8() is now
of type const char * rather than char *. (Contributed by Serhiy
Storchaka in bpo-28769.)

https://docs.python.org/3.7/whatsnew/3.7.html
https://bugs.python.org/issue28769

Merges: https://pagure.io/SSSD/sssd/pull-request/3780

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7b25811b by Lukas Slebodnik at 2018-07-25T20:53:09Z
SPEC: Move secrets responder to the package sssd-kcm

The sssd secrets responder is used mainly by sssd-kcm and it is not
used by any service which is in the sub-package sssd-common.
Therefore it makes more sense to have secrets responder in the package
sssd-kcm and reduce dependencies of sssd-common package
(http-parser, jansson)
Note: libcurl is installed anyway on fedora due to other dependencies

Merges: https://pagure.io/SSSD/sssd/pull-request/3714

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
95055862 by Lukas Slebodnik at 2018-07-25T20:55:39Z
SPEC: Do not build python2 bindings on latest distros

Merges: https://pagure.io/SSSD/sssd/pull-request/3708

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7ddbcd8f by Lukas Slebodnik at 2018-07-25T21:01:42Z
BUILD: Replace also runstatedir in templates

It will be used in systemd socket files

Merges: https://pagure.io/SSSD/sssd/pull-request/3691

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f64e9587 by Lukas Slebodnik at 2018-07-25T21:01:44Z
SYSTEMD: Allow to use "/run" in ListenStream

/var/run is only symbolic link to /run on some distributions
and /run is mounted on tmpfs

sh-4.4$ ls -l /var/run
lrwxrwxrwx. 1 root root 6 Dec 12  2015 /var/run -> ../run

Previously, we used $(localstatedir)/run in ListenStream
which does not allow to use "/run" because we still need to
store some files under $(localstatedir) (/var).

Autoconf 2.70 will add new configure time option --runstatedir
for configuring runstatedir. ATM, we use just fallback implementation
where $(runstatedir) is set to $(localstatedir)/run

Merges: https://pagure.io/SSSD/sssd/pull-request/3691

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
26db9658 by Jakub Hrozek at 2018-07-26T09:26:26Z
RESP: Terminate client connection if the permissions check on the priv pipe fails

Resolves:
https://pagure.io/SSSD/sssd/issue/3777

The responder code just returned in case the permissions check failed.
But at least with the sudo responder, this just caused an endless loop.
If the permission check fails, it's best to just abort the client.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
954bf82b by Fabiano Fidêncio at 2018-07-26T09:27:03Z
sdap: respect passwordGracelimit

Since recent changes in 389-ds two response controls are sent when
passwordGracelimit is set and about to expire:
- [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself
- [2.16.840.1.113730.3.4.4] for the PasswordExpired

Whenever the former is returned and the GraceLimit is still valid, we
shouldn't report the latter to the users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3597

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
6d154a07 by Fabiano Fidêncio at 2018-07-26T09:27:43Z
deskprofile: fix a typo in _get_filename_path()

There's a typo in the matrix of profiles (based in the priority set)
which ended up saving the 10th priority with a wrong name.

Resolves:
https://pagure.io/SSSD/sssd/issue/3774

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
965e1f4f by Fabiano Fidêncio at 2018-07-26T09:27:48Z
tests: add tests for ipa_deskprofile_get_filename_path()

Related:
https://pagure.io/SSSD/sssd/issue/3774

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
dbb1abae by Josef Cejka at 2018-07-30T19:55:25Z
Strip whitespaces in netgroup triple.

Strip leading and trailing whitespaces from netgroup three-tuple
strings to be compatible with nss_ldap.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
49bb4520 by Fabiano Fidêncio at 2018-07-30T20:01:39Z
util: introduce sss_ssh_print_pubkey()

This function will be used to print the public keys, as already done in
sss_ssh_authorizedkeys.c.

Related:
https://pagure.io/SSSD/sssd/issue/3542

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b1141e41 by Fabiano Fidêncio at 2018-07-30T20:01:43Z
ssh: make use of sss_ssh_print_pubkey()

Related:
https://pagure.io/SSSD/sssd/issue/3542

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
36f2fe8f by Fabiano Fidêncio at 2018-07-30T20:01:49Z
sss_ssh_knownhostsproxy: add option to only print the pubkey

Related:
https://pagure.io/SSSD/sssd/issue/3542

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f1c2d413 by Sumit Bose at 2018-07-30T20:07:10Z
MC: Remove check if record is in the mapped address space

There is a check in the memory cache code that checks if a record pointer
points to the mmapped region. But since some time ago, we return not
a pointer to the mmapped region itself, but a copy to avoid issues with
invalidating an entry while the same entry is being returned.

In most cases, the check is correct, simply because of how memory is laid
out on Linux, but in some cases the check was failing and causing a high
load of SSSD.

Signed-off-by: Jakub Hrozek <jhrozek at redhat.com>

Resolves:
https://pagure.io/SSSD/sssd/issue/3776

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
bb20d516 by Michal Židek at 2018-07-30T20:22:25Z
Revert "CRYPTO: Suppress warning Wstringop-truncation"

This reverts commit 2951a9a84bd85f384213a3e071ffc167907df2d7.

The original use of stpncpy was correct. Changing it to memcpy
changed the resulting hash. This resulted in users from
local domain to not be able to authenticate (offline
authentication was also probably broken) if their hash was
created before this change.

https://pagure.io/SSSD/sssd/issue/3791

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
cd28ef7c by Lukas Slebodnik at 2018-08-02T10:21:51Z
Revert "Revert "CRYPTO: Suppress warning Wstringop-truncation""

This reverts commit bb20d5160faed5e0076887ac4a83e550be15a8b2.

The patch introduced compile time warning
src/util/crypto/libcrypto/crypto_sha512crypt.c:280:10: error: 'stpncpy'
    output truncated before terminating nul copying 3 bytes from a string
    of the same length [-Werror=stringop-truncation]
     cp = stpncpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE);
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Merges: https://pagure.io/SSSD/sssd/pull-request/3792

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f62d2af0 by Lukas Slebodnik at 2018-08-02T10:22:01Z
CRYPTO: Save prefix in s3crypt_sha512

Since commit 2951a9a84bd85f384213a3e071ffc167907df2d7 where we switched from
stpncpy to memcpy the salt prefix "$6$" is not stored at all.
This broke offline authentication if someone upgraded from old version
that stored the prefix to one that doesn't store it.

Resolves:
https://pagure.io/SSSD/sssd/issue/3791

Merges: https://pagure.io/SSSD/sssd/pull-request/3792

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
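
An added illustration, not code from SSSD or from this commit: one way a stpncpy-to-memcpy swap can drop the "$6$" prefix, assuming the write cursor was taken from the copy call's return value (the page does not show the code). `build_header`, the enum and the output layout are hypothetical; `SALT_PREF_SIZE` and "$6$" come from the messages above, and the salt is a constructed sample.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* declares stpncpy() */
#endif
#include <stdio.h>
#include <string.h>

#define SALT_PREF_SIZE 3          /* length of "$6$" */

enum copy_variant { USE_STPNCPY, USE_MEMCPY_RETVAL, USE_MEMCPY_ADVANCE };

/* Writes "<prefix><salt>$" into out (hypothetical layout, not SSSD's code).
 * Returns the number of characters written, or 0 if out is too small. */
static size_t build_header(enum copy_variant v, const char *prefix,
                           const char *salt, char *out, size_t outlen)
{
    size_t salt_len = strlen(salt);
    char *cp;

    if (strlen(prefix) != SALT_PREF_SIZE || outlen < SALT_PREF_SIZE + salt_len + 2) {
        return 0;
    }
    switch (v) {
    case USE_STPNCPY:        /* returns a pointer just past the copied prefix */
        cp = stpncpy(out, prefix, SALT_PREF_SIZE);
        break;
    case USE_MEMCPY_RETVAL:  /* returns out itself: the cursor never moves */
        cp = memcpy(out, prefix, SALT_PREF_SIZE);
        break;
    default:                 /* memcpy with the cursor advanced by hand */
        memcpy(out, prefix, SALT_PREF_SIZE);
        cp = out + SALT_PREF_SIZE;
        break;
    }
    memcpy(cp, salt, salt_len);   /* overwrites the prefix if cp == out */
    cp += salt_len;
    *cp++ = '$';
    *cp = '\0';
    return (size_t)(cp - out);
}

int main(void)
{
    char a[32], b[32], c[32];
    build_header(USE_STPNCPY, "$6$", "saltstring", a, sizeof(a));
    build_header(USE_MEMCPY_RETVAL, "$6$", "saltstring", b, sizeof(b));
    build_header(USE_MEMCPY_ADVANCE, "$6$", "saltstring", c, sizeof(c));
    printf("%s\n%s\n%s\n", a, b, c);
    return 0;
}
```

A stored hash string that begins with the prefix no longer compares equal to one rebuilt without it, which is the kind of mismatch that makes a cached credential check fail after an upgrade.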

- - - - -
8e1576b1 by Lukas Slebodnik at 2018-08-02T10:22:06Z
crypto-tests: Add unit test for s3crypt_sha512

Resolves:
https://pagure.io/SSSD/sssd/issue/3791

Merges: https://pagure.io/SSSD/sssd/pull-request/3792

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a76f96ac by Lukas Slebodnik at 2018-08-02T10:22:10Z
SSS_CERT: Close file descriptors after executing p11_child

We can call cert_to_ssh_key_step from cert_to_ssh_key_done and thus
p11_child can be executed more than once. We created pipes for each call
but the destructor for state->io can close just the last one.

It's better to manually close pipes with the macro PIPE_FD_CLOSE.
That macro sets the file descriptor to -1 and the destructor will not try
to close them a 2nd time. The destructor will cover just edge cases.

Merges: https://pagure.io/SSSD/sssd/pull-request/3793

Resolves:
https://pagure.io/SSSD/sssd/issue/3794

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a41367f7 by Stanislav Levin at 2018-08-09T07:06:07Z
Fix "test-find-uid" and "find_uid-tests" tests

Handle a "hidepid=1" mount option for procfs. One of the effects: this
option makes non-own pid subdirectories on /proc inaccessible.

Resolves:
https://pagure.io/SSSD/sssd/issue/3789

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
1e81d040 by Jakub Hrozek at 2018-08-09T07:07:13Z
SELINUX: Also call is_selinux_enabled as a check for selinux child

Resolves:
https://pagure.io/SSSD/sssd/issue/3796

The SSSD selinux management routines were only checking if SELinux is
managed on the system. If it is managed, the code tries to proceed and
set the login context, otherwise an error is returned which SSSD handles
gracefully.

But this is not enough, in some cases SELinux might be disabled, but
managed and in these cases SSSD was returning strange errors, which
might have prevented login with selinux provider in effect.

We got this hint from the RH SELinux maintainer:
"""
libsemanage is for managing SELinux infrastructure. generally if there's
/etc/selinux/config where libsemanage can read SELINUXTYPE and SELinux
module store - /etc/selinux/<SELINUXTYPE>/active (or
/var/lib/selinux/<SELINUXTYPE>/active) - is available, libsemanage can
manage it even when SELinux is disabled.

I'm not sure if selinux_child does any is_selinux_enabled() checks but
it could help to avoid such situations.
"""

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
4937f2c6 by Alexey Sheplyakov at 2018-08-09T15:20:25Z
nss: skip incomplete groups instead of bailing out

Suppose the user U is a member of (AD) groups D1\A, D1\B, D2\X, and no
domain controllers in the domain D2 can be reached at the moment (and
there is no cached info). As of now initgroups won't assign any groups
at all. To improve the behavior skip the incomplete groups so initgroup
assigns at least some groups (D1\A, D1\B in the above example).

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e8b417e8 by Fabiano Fidêncio at 2018-08-10T15:26:37Z
nss: remove unused label

After 4937f2c6, Sumit noticed the following warning/breakage:

    make[2]: Leaving directory '/home/sbose/sssd/master_build/src/man'
    Making check in .
    make[2]: Entering directory '/home/sbose/sssd/master_build'
      CC       src/responder/nss/nss_protocol_grent.o
    ../src/responder/nss/nss_protocol_grent.c: In function 'nss_protocol_fill_initgr':
    ../src/responder/nss/nss_protocol_grent.c:409:1: error: label 'done' defined but not used [-Werror=unused-label]
     done:
     ^~~~
    cc1: all warnings being treated as errors
    Makefile:17808: recipe for target 'src/responder/nss/nss_protocol_grent.o' failed
    make[2]: *** [src/responder/nss/nss_protocol_grent.o] Error 1
    make[2]: Leaving directory '/home/sbose/sssd/master_build'

Also, while removing the label, moving the error treatment to the if
block just before the existing one makes the code cleaner.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7225bab5 by Jakub Hrozek at 2018-08-10T15:27:11Z
P11: Don't return int failure from a bool function

The functions return bool as per their prototype, but returning EINVAL
on failure meant that EINVAL (typically 22) was converted to 'true', so
a certificate that was not processable was considered valid.

Luckily this code only converts certificates into SSH public keys, so
there are no security implications.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
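
An added illustration of the bug class this commit message describes, not code from SSSD: a function declared `bool` that returns `EINVAL` on its failure path, next to the corrected form. `struct cert`, the function names, the tag check and the sample inputs are hypothetical and constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for certificate input; not an SSSD type. */
struct cert { const unsigned char *der; size_t len; };

/* Flawed pattern: the prototype says bool, the failure path returns an
 * errno code. EINVAL is nonzero, so it converts to true. */
static bool cert_usable_flawed(const struct cert *c)
{
    if (c == NULL || c->der == NULL || c->len == 0) {
        return EINVAL;            /* caller sees "usable" */
    }
    return c->der[0] == 0x30;     /* DER SEQUENCE tag */
}

/* Corrected pattern: a bool function returns only true or false. */
static bool cert_usable_fixed(const struct cert *c)
{
    if (c == NULL || c->der == NULL || c->len == 0) {
        return false;
    }
    return c->der[0] == 0x30;
}

/* Counts how many of the constructed samples a checker accepts. */
static int count_accepted(bool (*check)(const struct cert *))
{
    static const unsigned char good[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
    const struct cert samples[] = {
        { good, sizeof(good) },   /* starts with a SEQUENCE tag */
        { NULL, 0 },              /* no data: not processable */
        { good, 0 },              /* zero length: not processable */
    };
    int accepted = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (check(&samples[i])) accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("flawed accepts %d of 3, fixed accepts %d of 3\n",
           count_accepted(cert_usable_flawed), count_accepted(cert_usable_fixed));
    return 0;
}
```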

- - - - -
da9e34e3 by Sumit Bose at 2018-08-10T15:28:08Z
tests: fix sss_nss_idmap-tests

If sss_nss_idmap-tests is compiled with -Wl,-Bsymbolic-functions it
fails because sss_nss_make_request_timeout() is not properly wrapped but
the test expects that the replacement call it provides is picked by the
linker and not the original function.

This patch wraps the call in the corresponding test library. As a
consequence a small helper function had to be added to make dlopen-tests
pass for the test library as well.

Resolves:
https://pagure.io/SSSD/sssd/issue/3801

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Tested-by: Andreas Hasenack <andreas.hasenack at canonical.com>

- - - - -
61c515aa by Jakub Hrozek at 2018-08-12T13:21:41Z
Updating translations for the 1.16.3 release

- - - - -


29 changed files:

- Makefile.am
- contrib/sssd.spec.in
- po/bg.po
- po/ca.po
- po/de.po
- po/es.po
- po/eu.po
- po/fr.po
- po/hu.po
- po/id.po
- po/it.po
- po/ja.po
- po/nb.po
- po/nl.po
- po/pl.po
- po/pt.po
- po/pt_BR.po
- po/ru.po
- po/sssd.pot
- po/sv.po
- po/tg.po
- po/tr.po
- po/uk.po
- po/zh_CN.po
- po/zh_TW.po
- src/confdb/confdb.c
- src/db/sysdb_search.c
- src/external/samba.m4
- src/krb5_plugin/sssd_krb5_locator_plugin.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/23c65bd29319abe90d1ba0bfa21ef2bb5d4e6844...61c515aa8484bdbcf2f4bc63c7032ade1c6ec06f
