[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 187 commits: Bumping the version to track 1.16.2 development

Timo Aaltonen gitlab at salsa.debian.org
Tue Jun 26 09:16:20 BST 2018


Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
888d37d0 by Jakub Hrozek at 2018-03-09T12:49:13+01:00
Bumping the version to track 1.16.2 development

- - - - -
67645557 by Jakub Hrozek at 2018-03-09T13:39:36+01:00
IPA: Handle empty nisDomainName

Resolves:
https://pagure.io/SSSD/sssd/issue/3573

If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
netgroup at all. This is not in agreement with man innetgr which says "Any of
the elements in a triple can be empty, which means that anything matches. The
functions described here allow access to the netgroup databases".

This patch instead returns an empty domain as well, which eventually
produces the same output as if the netgroup was requested from the
compat tree.

To reproduce the bug:
$ ipa netgroup-add
Netgroup name: emptydom
-------------------------
Added netgroup "emptydom"
-------------------------
  Netgroup name: emptydom
  NIS domain name: ipa.test
  IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
$ ipa netgroup-add-member
Netgroup name: emptydom
[member user]: admin
[member group]:
[member host]:
[member host group]:
[member netgroup]:
  Netgroup name: emptydom
  NIS domain name: ipa.test
  Member User: admin
-------------------------
Number of members added 1
-------------------------
$ ipa netgroup-mod --nisdomain="" emptydom
----------------------------
Modified netgroup "emptydom"
----------------------------
  Netgroup name: emptydom
  Member User: admin

Then run:
    getent netgroup emptydom
without the patch, the netgroup won't be resolvable. It will resolve to
a netgroup triple that looks like this after the patch:
    emptydom              (-,admin,)

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
0f8add07 by Sumit Bose at 2018-03-09T13:39:46+01:00
intg: enhance netgroups test

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
15989964 by Lukas Slebodnik at 2018-03-09T13:57:16+01:00
CI: Add dbus into debian dependencies

There is just a weak dependency (Recommends) between the dbus
libraries and the dbus daemon. It is installed by default, but we should
not rely on a weak dependency in integration tests if we directly need
the dbus-daemon binary.

sh# apt-cache depends libdbus-1-dev libdbus-1-3
libdbus-1-dev
  Depends: libdbus-1-3
  Depends: pkg-config
    pkgconf
libdbus-1-3
  Depends: libc6
  Depends: libsystemd0
  Breaks: dbus
  Recommends: dbus

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
19f5dd0b by Sumit Bose at 2018-03-09T13:57:47+01:00
TESTS: simple CA to generate certificates for test

To avoid issues with certificate lifetimes, a simple OpenSSL-based CA is
used to generate certificates for tests.

To make management easy all related data is kept in
src/tests/test_CA. Since some header files will be generated the
generation of the needed files is added to BUILT_SOURCES as other
generated code.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

- - - - -
0dc7f906 by Sumit Bose at 2018-03-09T13:57:53+01:00
TESTS: replace hardcoded certificates

Since the hardcoded certificates have a limited lifetime, they are
replaced by certificates from the test CA.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

- - - - -
cbcb2dab by Sumit Bose at 2018-03-09T13:57:58+01:00
TESTS: remove NSS test databases

NSS databases with the certificates from the test CA will be
automatically generated. The static databases are not needed anymore.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

- - - - -
da694601 by Jakub Hrozek at 2018-03-10T20:08:48+01:00
TESTS: Fix E266 pep8 issues on test_ldap.py

E266: too many leading '#' for block comment

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
16fe3a34 by Fabiano Fidêncio at 2018-03-10T20:08:58+01:00
TESTS: Fix E501 pep8 issues on test_ldap.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
b4c08cb3 by Jakub Hrozek at 2018-03-10T20:09:04+01:00
TESTS: Fix E231 pep8 issues on test_session_recording.py

E231: missing whitespace after ':'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

- - - - -
f02b0bdd by Jakub Hrozek at 2018-03-10T20:09:09+01:00
TESTS: Fix E501 pep8 issues on test_session_recording.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

- - - - -
b4d72adc by Fabiano Fidêncio at 2018-03-10T20:09:11+01:00
TESTS: Fix E20[12] pep8 issues on python-test.py

E201: whitespace after '['
E202: whitespace before ']'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
018fe983 by Fabiano Fidêncio at 2018-03-10T20:09:13+01:00
TESTS: Fix E501 pep8 issues on python-test.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
3fac321c by Fabiano Fidêncio at 2018-03-10T20:09:15+01:00
TESTS: Fix E251 pep8 issues on python-test.py

E251: unexpected spaces around keyword / parameter equals

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
71dc7aa5 by Fabiano Fidêncio at 2018-03-10T20:09:16+01:00
TESTS: Fix E231 pep8 issues on python-test.py

E231: missing whitespace after ','

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
01e7730d by Fabiano Fidêncio at 2018-03-10T20:09:18+01:00
TESTS: Fix E265 pep8 issues on python-test.py

E265: block comment should start with '# '

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
e3f0de23 by Fabiano Fidêncio at 2018-03-10T20:09:19+01:00
TESTS: Fix E128 pep8 issues on python-test.py

E128: continuation line under-indented for visual indent

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
5e86d31f by Fabiano Fidêncio at 2018-03-10T20:09:21+01:00
TESTS: Fix E302 pep8 issues on python-test.py

E302: expected 2 blank lines, found 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
0e16e020 by Fabiano Fidêncio at 2018-03-10T20:09:22+01:00
TESTS: Fix W391 pep8 issues on python-test.py

W391: blank line at end of file

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
4593a2f1 by Fabiano Fidêncio at 2018-03-10T20:09:23+01:00
TESTS: Fix E228 pep8 issues on python-test.py

E228: missing whitespace around modulo operator

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
8b53952c by Fabiano Fidêncio at 2018-03-10T20:09:24+01:00
TESTS: Fix E261 pep8 issues on python-test.py

E261: at least two spaces before inline comment

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
629563ed by Fabiano Fidêncio at 2018-03-10T20:09:26+01:00
TESTS: Fix E701 pep8 issues on python-test.py

E701: multiple statements on one line (colon)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
f64f99dd by Fabiano Fidêncio at 2018-03-10T20:09:27+01:00
TESTS: Fix E305 pep8 issues on python-test.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
7b9c3e69 by Fabiano Fidêncio at 2018-03-10T20:09:29+01:00
TESTS: Fix E20[12] pep8 issues on pysss_murmur-test.py

E201: whitespace after '['
E202: whitespace before ']'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
9dc4c155 by Fabiano Fidêncio at 2018-03-10T20:09:30+01:00
TESTS: Fix E211 pep8 issues on pysss_murmur-test.py

E211: whitespace before '('

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
8e00bbca by Fabiano Fidêncio at 2018-03-10T20:09:31+01:00
TESTS: Fix E20[12] pep8 issues on pyhbac-test.py

E201: whitespace after '['
E202: whitespace before ']'

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
235917c1 by Fabiano Fidêncio at 2018-03-10T20:09:32+01:00
TESTS: Fix E261 pep8 issues on pyhbac-test.py

E261: at least two spaces before inline comment

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
87fe92e9 by Fabiano Fidêncio at 2018-03-10T20:09:34+01:00
TESTS: Fix W391 pep8 issues on pyhbac-test.py

W391: blank line at end of file

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
25e0e4b0 by Fabiano Fidêncio at 2018-03-10T20:09:35+01:00
TESTS: Fix E501 pep8 issues on pyhbac-test.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
01012f0d by Fabiano Fidêncio at 2018-03-10T20:09:37+01:00
TESTS: Fix E302 pep8 issues on pyhbac-test.py

E302: expected 2 blank lines, found 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
00f267a3 by Fabiano Fidêncio at 2018-03-10T20:09:38+01:00
TESTS: Fix E305 pep8 issues on pyhbac-test.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
4c3ddbb1 by Fabiano Fidêncio at 2018-03-10T20:09:39+01:00
TESTS: Fix E711 pep8 issues on sssd_group.py

E711: comparison to None should be 'if cond is not None:'

The issue was found on: debian_testing, fedora22, fedora23, rhel6 and
rhel7 machines.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
a7acb83a by Fabiano Fidêncio at 2018-03-10T20:09:41+01:00
TESTS: Fix E305 pep8 issues on sssd_netgroup.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
c13c7dd5 by Fabiano Fidêncio at 2018-03-10T20:09:42+01:00
TESTS: Fix E501 pep8 issues on utils.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
e27a07b9 by Fabiano Fidêncio at 2018-03-10T20:09:43+01:00
TESTS: Fix E305 pep8 issues on conf.py

E305: expected 2 blank lines after class or function definition

This issue was found on a debian_testing machine

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
6df88959 by Fabiano Fidêncio at 2018-03-10T20:09:45+01:00
CONTRIB: Fix E501 pep8 issues on sssd_gdb_plugin.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
942edc40 by Fabiano Fidêncio at 2018-03-10T20:09:46+01:00
CONTRIB: Fix E305 pep8 issues on sssd_gdb_plugin.py

E305: expected 2 blank lines after class or function definition, found 1

This issue was found on a debian_testing machine.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
40fab0e8 by Fabiano Fidêncio at 2018-03-10T20:09:47+01:00
TESTS: Fix E302 pep8 issues on test_enumeration.py

E302: expected 2 blank lines, found 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
1129979b by Jakub Hrozek at 2018-03-10T20:09:49+01:00
TESTS: Fix E303 pep8 issues on test_ldap.py

E303: too many blank lines (3)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
38cec211 by Fabiano Fidêncio at 2018-03-10T20:09:51+01:00
TESTS: FIX E501 pep8 issues on pysss_murmur-test.py

E501: line too long (longer than 79 characters)

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
a907aa07 by Fabiano Fidêncio at 2018-03-10T20:09:53+01:00
CI: Enable pep8 check

CI can now check pep8 issues for all .py files but the ones under
src/config (for those, there's an issue already filed[0]).

[0]: https://pagure.io/SSSD/sssd/issue/3514

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
89f5332c by Fabiano Fidêncio at 2018-03-10T20:09:54+01:00
CI: Ignore E722 pep8 issues on debian machines

For now, let's ignore E722 (do not use bare except) in the
debian_testing machines that are part of our CI.

Resolves:
https://pagure.io/SSSD/sssd/issue/3605

Reviewed-by: Michal Židek <mzidek at redhat.com>

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
cce64caa by Fabiano Fidêncio at 2018-03-13T10:43:20+01:00
TESTS: Fix E501 pep8 issues on test_netgroup.py

E501: line too long (longer than 79 characters)

The issue was inserted in commit 0f8add07b8, which has been pushed just
before the pep8 patches got merged.

The whole file was changed in order to adapt to the changes proposed to
this patch.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
e32e17d0 by Justin Stephenson at 2018-03-13T11:23:00+01:00
DEBUG: Print simple allow and deny lists

For debug purposes, print the simple allow and deny users/groups lists
when a sufficient log debug level is set.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
86c06c3b by Sumit Bose at 2018-03-15T12:41:48+01:00
test_ca: add empty index.txt.attr file

Although it does no harm, because 'openssl ca' creates the
index.txt.attr file with suitable content automatically, this patch
adds the file to the test_CA directory to silence a message like:

Can't open ./index.txt.attr for reading, No such file or directory
139867607979840:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:74:fopen('./index.txt.attr','r')
139867607979840:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:81:

which is shown by recent versions of OpenSSL.

Related to https://pagure.io/SSSD/sssd/issue/3436

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
a0173060 by Yuri Chornoivan at 2018-03-16T08:42:13+01:00
MAN: Fix minor typos

Reviewed-by: Lukáš Slebodník <lslebodn at fedoraproject.org>

- - - - -
718bce1f by Fabiano Fidêncio at 2018-03-16T16:03:52+01:00
NSS: Remove dead code

This piece of code was introduced as part of 4049b63f8c, most likely by
mistake, and can be removed without causing any harm.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e5c74ab0 by Fabiano Fidêncio at 2018-03-26T20:55:04+02:00
CONFDB: Start a ldb transaction from sss_ldb_modify_permissive()

The reason why confdb_expand_app_domains() always fails is that we
try to do an ldb_request() without starting an ldb transaction.

When we're dealing with ldb_modify(), ldb_add(), ldb_delete() kinds of
messages, those call ldb_autotransaction_request(), which will start a
new transaction and treat it properly when doing the ldb_request(). In
our case, where we're calling ldb_request() on our own, we must ensure
that the transaction is started and properly dealt with.

It's never been noticed because in the only place the function is used
its errors are ignored.

Resolves:
https://pagure.io/SSSD/sssd/issue/3660

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f405a4a3 by Fabiano Fidêncio at 2018-03-26T20:55:30+02:00
TOOLS: Take into consideration app domains

In order to properly show an app domain when listing domains using
sssctl domain-list we have to expand the confdb, as already done in the
monitor code.

Resolves:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a73d70f7 by Fabiano Fidêncio at 2018-03-26T20:55:36+02:00
TESTS: Move get_call_output() to util.py

This function will be reused outside of test_sssctl.py.

Related:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
885da2c8 by Fabiano Fidêncio at 2018-03-26T20:55:41+02:00
TESTS: Make get_call_output() more flexible about the stderr log

Future tests that will be added will need the stderr redirected to the
STDOUT.

Related:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
14b485b1 by Fabiano Fidêncio at 2018-03-26T20:55:47+02:00
TESTS: Add a basic test of `sssctl domain-list`

Let's just add a test for `sssctl domain-list` in order to avoid
regressing https://pagure.io/SSSD/sssd/issue/3658.

The test has been added as part of test_infopipe.py in order to take
advantage of the machinery already provided there.

Resolves:
https://pagure.io/SSSD/sssd/issue/3658

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a40c6b42 by Fabiano Fidêncio at 2018-03-29T20:06:20+02:00
KCM: Use json_loadb() when dealing with sss_iobuf data

As sss_iobuf data is *not* NULL-terminated, we have to use json_loadb()
passing the data's length instead of just using json_loads().

Due to this issue, when running sssd-kcm under valgrind and performing a
`kinit foo`, a bunch of errors like the following one could be seen:
==2638== Conditional jump or move depends on uninitialised value(s)
==2638==    at 0x57DB678: stream_get.part.3 (load.c:172)
==2638==    by 0x57DB9CA: stream_get (load.c:643)
==2638==    by 0x57DB9CA: lex_get (load.c:246)
==2638==    by 0x57DB9CA: lex_scan (load.c:601)
==2638==    by 0x57DC56A: parse_json.constprop.7 (load.c:904)
==2638==    by 0x57DC6AB: json_loads (load.c:959)
==2638==    by 0x11ABEA: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x11AEF0: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x125D4A: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x12623B: ??? (in /usr/libexec/sssd/sssd_kcm)
==2638==    by 0x9BCD71F: epoll_event_loop (tevent_epoll.c:728)
==2638==    by 0x9BCD71F: epoll_event_loop_once (tevent_epoll.c:930)
==2638==    by 0x9BCBBA6: std_event_loop_once (tevent_standard.c:114)
==2638==    by 0x9BC7FEC: _tevent_loop_once (tevent.c:725)
==2638==    by 0x9BC820A: tevent_common_loop_wait (tevent.c:848)

Related to:
https://pagure.io/SSSD/sssd/issue/3687

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
bfc6d9d6 by Fabiano Fidêncio at 2018-03-29T20:15:08+02:00
KCM: Remove mem_ctx from kcm_new_req()

Let's remove the mem_ctx argument as we really want cctx to be the
memory context here, so that if the client disconnects the request goes
away.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2f11cf25 by Fabiano Fidêncio at 2018-03-29T20:15:17+02:00
KCM: Introduce kcm_input_get_payload_len()

As this piece of code will be useful for us in the future patches of
this series, let's move it to a new function.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
786c4002 by Fabiano Fidêncio at 2018-03-29T20:15:21+02:00
KCM: Do not use 2048 as fixed size for the payload

The KCM code has the limit set as 2048 only inside #ifdef __APPLE__,
while it should be normally set as 10 * 1024 * 1024, as seen in:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53

Last but not least, it doesn't make much sense to use a fixed value, as
the first 4 bytes received are the payload size ... so let's just
allocate the needed size instead of having a fixed value.

Resolves:
https://pagure.io/SSSD/sssd/issue/3671

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b09cd307 by Fabiano Fidêncio at 2018-03-29T20:15:25+02:00
KCM: Adjust REPLY_MAX to the one used in krb5

krb5 has its MAX_REPLY_SIZE set as 10*1024*1024, as seen in:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53

Related:
https://pagure.io/SSSD/sssd/issue/3386

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
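The two KCM commits above (786c4002 and b09cd307) describe the pattern in
words: the first 4 bytes of a request carry the payload size, the
allocation should match that size rather than a fixed 2048-byte buffer,
and the size must be capped at the 10*1024*1024 limit krb5 uses. The
following block is an added example written for this page, not SSSD's
or krb5's code; every name ending in _example is hypothetical, and the
byte-order of the length prefix and the cap value are assumptions taken
from the commit messages. It also keeps the payload un-terminated, which
is the situation commit a40c6b42 addresses with json_loadb().

```c
/* Added example, not SSSD code: bounded parsing of a length-prefixed
 * KCM-style request. All names ending in _example are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on one payload; the commit messages cite 10*1024*1024 from
 * krb5's cc_kcm.c, so the same value is assumed here. */
#define KCM_PAYLOAD_MAX_EXAMPLE (10u * 1024u * 1024u)

/* One parsed request. The payload is kept exactly as received: it is NOT
 * NUL-terminated, so any consumer (e.g. a JSON parser) must be given len
 * explicitly; that is why json_loadb(data, len, ...) is required instead
 * of json_loads(data). */
struct kcm_payload_example {
    uint8_t *data;
    size_t len;
};

/* Read the 4-byte big-endian length that precedes the payload.
 * Returns 0 on success, EINVAL if fewer than 4 bytes are available. */
int kcm_input_get_payload_len_example(const uint8_t *buf, size_t buflen,
                                      uint32_t *len_out)
{
    if (buf == NULL || buflen < 4) {
        return EINVAL;
    }
    *len_out = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
             | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    return 0;
}

/* Parse "length || payload" from buf. Allocates exactly the advertised
 * size instead of a fixed buffer, but refuses sizes above the cap (E2BIG)
 * and messages that have not been fully received yet (EAGAIN).
 * On success the caller owns out->data. */
int kcm_parse_message_example(const uint8_t *buf, size_t buflen,
                              struct kcm_payload_example *out)
{
    uint32_t len;
    int ret;

    ret = kcm_input_get_payload_len_example(buf, buflen, &len);
    if (ret != 0) {
        return ret;
    }
    /* The length is client-controlled: validate it before allocating. */
    if (len > KCM_PAYLOAD_MAX_EXAMPLE) {
        return E2BIG;
    }
    if ((size_t)len > buflen - 4) {
        return EAGAIN;
    }
    out->data = malloc(len > 0 ? len : 1);
    if (out->data == NULL) {
        return ENOMEM;
    }
    memcpy(out->data, buf + 4, len);
    out->len = len;
    return 0;
}

/* Convenience wrapper: parse, release the payload, return only the status. */
int kcm_parse_status_example(const uint8_t *buf, size_t buflen)
{
    struct kcm_payload_example p = { NULL, 0 };
    int ret = kcm_parse_message_example(buf, buflen, &p);
    free(p.data);
    return ret;
}

int main(void)
{
    /* Constructed sample message: length 5 followed by "hello". */
    const uint8_t msg[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    struct kcm_payload_example p = { NULL, 0 };

    if (kcm_parse_message_example(msg, sizeof(msg), &p) == 0) {
        /* %.*s prints exactly p.len bytes; no NUL terminator is needed. */
        printf("payload of %zu bytes: %.*s\n", p.len, (int)p.len,
               (const char *)p.data);
        free(p.data);
    }
    return 0;
}
```

The cap check comes before malloc() on purpose: with a fixed 2048-byte
buffer an oversized length would have overflowed it, and with an unbounded
malloc() a hostile client could make the responder allocate up to 4 GiB per
request. The EAGAIN path is what a non-blocking reader needs in order to
wait for the rest of the message rather than parse a truncated one.

- - - - -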
a2633093 by Lukas Slebodnik at 2018-03-29T20:23:07+02:00
intg: convert results returned as bytes to strings

With python3 comparisons between byte literals and strings will fail. To
make sure assertions will pass the search results must be converted to
(utf-8) strings first.

Resolves https://pagure.io/SSSD/sssd/issue/3666

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
96fdbb2c by Fabiano Fidêncio at 2018-03-29T21:47:35+02:00
KCM: Fix typo in ccdb_sec_delete_list_done()

When deleting the ccache we want to check if sec_key_list_len is equal to
0 and not if sec_key_list is 0.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e588e24c by Fabiano Fidêncio at 2018-03-29T21:47:39+02:00
KCM: Only print the number of found items after we have it

With the current code we've been always printing "Found 0 items" as
state->sec_key_list_len is only set by sec_list_parse().

In order to solve this, let's just print it *after* we have
state->sec_key_list_len set.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
250751bf by Jakub Hrozek at 2018-04-04T10:36:22+02:00
SYSDB: When marking an entry as expired, also set the originalModifyTimestamp to 1

Resolves:
https://pagure.io/SSSD/sssd/issue/3684

If the cleanup task removes a user who was a fully resolved member (not a
ghost), but then the group the user was a member of is requested, unless
the group had changed, the user doesn't appear as a member of the group
again. This is because the modify timestamp would prevent the group from
updating and therefore the ghost attribute is not readded.

To mitigate this, let's also set the originalModifyTimestamp attribute
to 1, so that we never take the optimized path while updating the group.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
47ad0778 by Pavel Březina at 2018-04-04T10:38:57+02:00
sudo ldap: do not store rules without sudoHost attribute

Unless it is cn=defaults.

Resolves:
https://pagure.io/SSSD/sssd/issue/3558

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
cd4590de by Pavel Březina at 2018-04-04T10:39:06+02:00
sysdb custom: completely replace old object instead of merging it

This patch is written primarily for the sudo use case, but it makes sure that
we do not merge two records in other parts of the code that use sysdb_store_custom.

1) If there are two rules with the same cn (possible with multiple search bases
or organizational units) we would end up merging those two rules instead of
choosing one of them.

2) Also, smart refresh would merge the diff instead of removing the attributes
that are no longer present in LDAP.

Since 1) is a rare use case and it is a misconfiguration, we completely replace
the old rule with the new one. It is simpler to implement and it solves both issues.

Resolves:
https://pagure.io/SSSD/sssd/issue/3558

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
519354d0 by Fabiano Fidêncio at 2018-04-04T10:44:37+02:00
SERVER: Tone down shutdown messages for socket-activated responders

When dealing with socket-activated responders, those may shut
themselves down after some inactivity period. That's completely normal
and expected, thus it should not be logged as a fatal error.

For the case when the responder is started by the monitor, however, it
still makes sense to keep the code as it is as the responders won't shut
themselves down in any normal scenario.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0f6b5b02 by Jakub Hrozek at 2018-04-04T14:45:03+02:00
IPA: Qualify the externalUser sudo attribute

We broke the externalUser support with the introduction of the fully
qualified attributes, because the provider was saving the data verbatim,
but the sudo responder expects a fully qualified name.

Reproducer:
    on the server:
        ipa sudocmd-add --desc='For reading log files' /usr/bin/less
        ipa sudorule-add readfiles
        ipa sudorule-add-user --users=lcluser
        ipa sudorule-mod --hostcat=all readfiles

    then on the client:
        configure sssd with:
            id_provider = files
            sudo_provider = ipa
            ipa_domain = ipa.test

        run:
            sudo useradd lcluser
            sudo passwd lcluser
            su - lcluser
            sudo -l

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f2252892 by Jakub Hrozek at 2018-04-04T14:58:38+02:00
NSS: Adjust netgroup setnetgrent cache lifetime if midpoint refresh is used

This is a minor regression compared to the state of the code before we
converted the responders to cache_req. The NSS responder keeps a hash
table of netgroup objects in memory for either the lifetime of the
netgroup, or, in case midpoint refresh is used, up to the midpoint
refresh time. The case with the midpoint refresh was removed in the
cache_req enabled code, which means that even if the netgroup was
updated in the cache with the background refresh task, the object was
never read from cache, but always still returned from the in-memory
enumeration hash.

Resolves:
https://pagure.io/SSSD/sssd/issue/3550

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
c1208b48 by Justin Stephenson at 2018-04-05T14:00:17+02:00
CONFDB: Add passwd_files and group_files options

Add new options to the files provider allowing an administrator to
configure the files provider to read and monitor multiple or
non-standard passwd and group file sources. These options default to
/etc/passwd and /etc/group when unset.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0d6d493f by Justin Stephenson at 2018-04-05T14:00:21+02:00
FILES: Handle files provider sources

Set up watches on the passwd and group files provided with the files
provider options passwd_files and group_files lists.

Resolves:
https://pagure.io/SSSD/sssd/issue/3402

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
4a9100a5 by Jakub Hrozek at 2018-04-05T14:00:23+02:00
TESTS: Add a test for the multiple files feature

Adds an integration test for the new feature.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
abf37767 by Michal Židek at 2018-04-09T10:02:41+02:00
AD: Missing header in ad_access.h

ad_access.h depends on data_provider.h header but
does not include it.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7a42831b by Michal Židek at 2018-04-09T10:02:43+02:00
GPO: Add ad_options to ad_gpo_process_som_state

We will need at least ad_site option from this
context available to get the AD site override
value.

Resolves:
https://pagure.io/SSSD/sssd/issue/3646

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
744e2b4d by Michal Židek at 2018-04-09T10:02:46+02:00
GPO: Use AD site override if set

Use AD site override if it was set in SSSD configuration.

Resolves:
https://pagure.io/SSSD/sssd/issue/3646

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
37a84285 by Sumit Bose at 2018-04-10T14:43:42+02:00
nss: initialize nss_enum_index in nss_setnetgrent()

setnetgrent() is the first call when looking up a netgroup and sets the
netgroup name for upcoming getnetgrent() and endnetgrent() calls.
Currently the state is reset by calling endnetgrent() but it would be
more robust to unconditionally reset the state in setnetgrent() as well
in case calling endnetgrent() was forgotten.

Related to https://pagure.io/SSSD/sssd/issue/3679

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
08db22b1 by Sumit Bose at 2018-04-10T14:43:47+02:00
nss: add a netgroup counter to struct nss_enum_index

Netgroups are not looked up with the help of a single request but by
calling setnetgrent(), getnetgrent() and endnetgrent() where
getnetgrent() might be called multiple times depending on the number of
netgroup elements. Since the caller does not provide a state the state
has to be maintained by the SSSD nss responder. Besides the netgroup
name this is mainly the number of elements already returned.

This number is used to select the next element to return and currently
it is assumed that there are no changes to the netgroup while the
client is requesting the individual elements. But if, e.g., the 3 nss
calls are not used correctly or the netgroup is modified while the
client is sending getnetgrent() calls, the stored number might be out of
range. To be on the safe side, the stored number should always be
compared with the current number of netgroup elements.

Related to https://pagure.io/SSSD/sssd/issue/3679

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
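The two nss commits above describe a responder-side enumeration state that is reset in setnetgrent() and bounds-checked against the netgroup's current size in getnetgrent(). The following is an added example, not SSSD's own code: a small C model of that state machine with constructed names (`enum_state`, `netgroup_data`, `enum_walk`) and constructed sample triples, showing why both the unconditional reset and the range check matter.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not SSSD code. All identifiers below are constructed
 * for this example; they only mirror the roles of nss_enum_index and the
 * netgroup element counter described in the commit messages. */

#define MAX_NETGROUP_NAME 64

/* One netgroup triple (host,user,domain); NULL means "matches anything". */
struct netgroup_triple {
    const char *host;
    const char *user;
    const char *domain;
};

/* The responder's current view of a netgroup; it can change between calls. */
struct netgroup_data {
    const struct netgroup_triple *elements;
    size_t num_elements;
};

/* Per-client enumeration state kept by the responder, because the NSS
 * caller itself keeps none. */
struct enum_state {
    char name[MAX_NETGROUP_NAME];
    size_t returned;            /* elements already handed out */
};

/* setnetgrent(): always reset the state, even if endnetgrent() was skipped. */
int enum_setnetgrent(struct enum_state *st, const char *name)
{
    if (name == NULL || strlen(name) >= sizeof(st->name)) {
        return -1;
    }
    memset(st, 0, sizeof(*st));
    strcpy(st->name, name);
    return 0;
}

/* getnetgrent(): hand out the next element. The stored counter is compared
 * with the netgroup's *current* size, so a netgroup that shrank underneath
 * the client ends the enumeration instead of indexing out of range.
 * Returns 1 if an element was written to *out, 0 when done. */
int enum_getnetgrent(struct enum_state *st, const struct netgroup_data *ng,
                     struct netgroup_triple *out)
{
    if (ng == NULL || st->name[0] == '\0') {
        return 0;               /* no setnetgrent() preceded this call */
    }
    if (st->returned >= ng->num_elements) {
        return 0;               /* exhausted, or netgroup modified */
    }
    *out = ng->elements[st->returned];
    st->returned++;
    return 1;
}

/* endnetgrent(): forget the current enumeration. */
void enum_endnetgrent(struct enum_state *st)
{
    memset(st, 0, sizeof(*st));
}

/* Constructed sample data: a three-element netgroup and a two-element
 * snapshot of the same netgroup after one element was removed. */
static const struct netgroup_triple sample_triples[3] = {
    { "host1", "alice", NULL },
    { "host2", "bob",   NULL },
    { NULL,    "carol", "example.test" },
};
const struct netgroup_data sample_full   = { sample_triples, 3 };
const struct netgroup_data sample_shrunk = { sample_triples, 2 };

/* Walk a netgroup to completion, switching from `before` to `after` once
 * `swap_after` elements were returned, and report how many came back. */
size_t enum_walk(const struct netgroup_data *before,
                 const struct netgroup_data *after, size_t swap_after)
{
    struct enum_state st;
    struct netgroup_triple t;
    size_t n = 0;

    if (enum_setnetgrent(&st, "demo") != 0) {
        return 0;
    }
    while (enum_getnetgrent(&st, n < swap_after ? before : after, &t)) {
        n++;
    }
    enum_endnetgrent(&st);
    return n;
}

/* A getnetgrent() without a prior setnetgrent() must return nothing. */
int enum_get_without_set(void)
{
    struct enum_state st;
    struct netgroup_triple t;
    memset(&st, 0, sizeof(st));
    return enum_getnetgrent(&st, &sample_full, &t);
}

/* A client that forgets endnetgrent() and calls setnetgrent() again must
 * still start from the first element; returns the number of elements seen
 * in the second walk. */
size_t enum_restart_without_end(void)
{
    struct enum_state st;
    struct netgroup_triple t;
    size_t n = 0;

    enum_setnetgrent(&st, "demo");
    enum_getnetgrent(&st, &sample_full, &t);    /* consume one element */
    enum_setnetgrent(&st, "demo");              /* no endnetgrent() in between */
    while (enum_getnetgrent(&st, &sample_full, &t)) {
        n++;
    }
    enum_endnetgrent(&st);
    return n;
}
```

With the full netgroup a walk returns all three triples; when the netgroup loses an element after the first call, the range check ends the walk at two instead of reading past the array.
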
b8db8c2d by amitkuma at 2018-04-10T14:46:49+02:00
sssctl: Showing help even when sssd not configured

On a clean and unconfigured system, it's not possible
to use --help.
1) dnf install sssd-tools
2) sssctl cache-remove --help
Shows:
[confdb_get_domains] (0x0010): No domains configured, fatal error!

Solution: Do not check for confdb initialization when the sssctl 3rd
command line argument passed is '--help'.

Please note when we run 'sssctl --help' on an unconfigured system
the confdb check is not done and proper o/p is seen.

Resolves: https://pagure.io/SSSD/sssd/issue/3634

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fe58f0fb by Pavel Březina at 2018-04-10T14:47:33+02:00
sssctl: move check for version error to correct place

This check was added here:

284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 490) int sss_tool_main(int argc, const char **argv,
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 491)                   struct sss_route_cmd *commands,
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 492)                   void *pvt)
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 493) {
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 494)     struct sss_tool_ctx *tool_ctx;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 495)     uid_t uid;
e98ccef2 (Pavel Březina   2016-06-09 16:13:34 +0200 496)     errno_t ret;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 497)
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 498)     uid = getuid();
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 499)     if (uid != 0) {
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 500)         DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 501)         ERROR("%1$s must be run as root\n", argv[0]);
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 502)         return EXIT_FAILURE;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 503)     }
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 504)
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 505)     ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 506)     if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 507)         tool_ctx->init_err = ret;
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 508)     } else if (ret != EOK) {
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 509)         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 510)         return EXIT_FAILURE;
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 511)     }

But then the initialization code was moved from sss_tool_init to tool_cmd_init which is called from sss_tool_route.

a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 328)             if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 329)                 DEBUG(SSSDBG_FATAL_FAILURE,
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 330)                       "Command %s does not handle initialization error [%d] %s\n",
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 331)                       cmdline.command, tool_ctx->init_err,
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 332)                       sss_strerror(tool_ctx->init_err));
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 333)                 return tool_ctx->init_err;
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 334)             }
a0b824ac (Jakub Hrozek    2016-07-01 13:26:38 +0200 335)
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 336)             ret = tool_cmd_init(tool_ctx, &commands[i]);
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 337)             if (ret != EOK) {
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 338)                 DEBUG(SSSDBG_FATAL_FAILURE,
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 339)                       "Command initialization failed [%d] %s\n",
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 340)                       ret, sss_strerror(ret));
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 341)                 return ret;
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 342)             }
cbee11e9 (Michal Židek    2016-10-12 13:09:37 +0200 343)
284937e6 (Pavel Březina   2015-07-22 10:02:02 +0200 344)             return commands[i].fn(&cmdline, tool_ctx, pvt);

This rendered the original change dead code, because sss_tool_init only returns ENOMEM or EOK.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
56839605 by amitkumar50 at 2018-04-11T16:44:42+02:00
MAN: Add sss-certmap man page regarding priority processing

PR adds the following text in the PRIORITY section of man sss-certmap:
The processing is stopped when a matched rule is found and no
further rules are checked.

Resolves: https://pagure.io/SSSD/sssd/issue/3469

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
adb9823d by Lukas Slebodnik at 2018-04-18T14:30:46+02:00
SYSDB: Remove unused parameter from sysdb_cache_connect_helper

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0b784c62 by Lukas Slebodnik at 2018-04-18T14:31:24+02:00
SPEC: Add gcc to build dependencies

gcc will be removed from buildroot in fedora 29
http://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
810935f6 by Lukas Slebodnik at 2018-04-18T21:07:55+02:00
UTIL: Use alternative way for detecting PyErr_NewExceptionWithDoc

Function PyErr_NewExceptionWithDoc was added in python 2.7.0
and we use a fallback implementation for older versions of python.

Previously, we used detection of PyErr_NewExceptionWithDoc at configure
time; but it does not work well in case of python2.6 and python3.x

Resolves:
https://pagure.io/SSSD/sssd/issue/3656

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f0bcadfb by Lukas Slebodnik at 2018-04-18T21:08:09+02:00
CONFIGURE: drop unused check

Related to: https://pagure.io/SSSD/sssd/issue/3656

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2d43eaf4 by Jakub Hrozek at 2018-04-18T21:11:19+02:00
SDAP: Improve a DEBUG message about GC detection

It was not entirely clear what the message means. We should improve the
debug message to make it clear that either all or no attributes should be
replicated to the Global Catalog.

This patch can be reverted once we fix
https://pagure.io/SSSD/sssd/issue/3538 and only use the GC to look up
the entry DN, not the entry itself.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
4ab8734c by Fabiano Fidêncio at 2018-04-18T21:11:25+02:00
MAN: Improve docs about GC detection

Add the same note we have as part of our debug to the sssd-ad manual.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
46a4c265 by Sumit Bose at 2018-04-20T14:39:08+02:00
nss-idmap: do not set a limit

If the limit is set the needed size to return all groups cannot be
returned.

Related to https://pagure.io/SSSD/sssd/issue/3715

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2c4dc7a4 by Sumit Bose at 2018-04-20T14:39:12+02:00
nss-idmap: use right group list pointer after sss_get_ex()

If the initial array is too small it will be reallocated during
sss_get_ex() and the pointer might change and the initial memory area
should not be used anymore.

Related to https://pagure.io/SSSD/sssd/issue/3715

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
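The commit above is about a caller that kept using its original array pointer after the callee had grown the array with realloc(). As an added example (not SSSD code, and `fetch_groups` is only a constructed stand-in for a call such as sss_get_ex()), here is the out-parameter pattern in C with a caller that reads only through the pointer handed back:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added illustration, not SSSD code. `fetch_groups` and the sample GIDs are
 * constructed for this example. */

/* Constructed sample: the backend knows five GIDs for the user. */
static const gid_t sample_gids[5] = { 1000, 1001, 1002, 2000, 3000 };

/* Fill *groups with the user's GIDs. `*ngroups` is the array capacity on
 * entry and the number of entries written on return. If the array is too
 * small it is grown with realloc(), so on return *groups may point to a
 * different memory area: the pointer the caller started with is then
 * invalid and must not be used again. Returns 0 or ENOMEM. */
int fetch_groups(gid_t **groups, size_t *ngroups)
{
    size_t needed = sizeof(sample_gids) / sizeof(sample_gids[0]);

    if (*ngroups < needed) {
        gid_t *tmp = realloc(*groups, needed * sizeof(gid_t));
        if (tmp == NULL) {
            return ENOMEM;      /* the original array is still owned by the caller */
        }
        *groups = tmp;          /* publish the new location */
    }
    memcpy(*groups, sample_gids, needed * sizeof(gid_t));
    *ngroups = needed;
    return 0;
}

/* Correct caller: start with an initial array of `initial_capacity`
 * entries, then use only the `groups` variable that fetch_groups() may have
 * updated. A copy of the initial pointer taken before the call would be
 * the bug the commit fixes. Returns the sum of the GIDs read, or 0 on error. */
unsigned long sum_groups_after_fetch(size_t initial_capacity)
{
    gid_t *groups;
    size_t ngroups = initial_capacity;
    unsigned long sum = 0;

    if (initial_capacity == 0) {
        return 0;
    }
    groups = malloc(initial_capacity * sizeof(gid_t));
    if (groups == NULL) {
        return 0;
    }

    if (fetch_groups(&groups, &ngroups) != 0) {
        free(groups);
        return 0;
    }
    for (size_t i = 0; i < ngroups; i++) {
        sum += groups[i];       /* read through the possibly moved pointer */
    }
    free(groups);               /* free the current pointer, never the old one */
    return sum;
}
```

Whether the initial array is one entry or already large enough, the caller gets the same result because it never touches the pre-call pointer.
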
851d3126 by Fabiano Fidêncio at 2018-04-25T07:29:17+02:00
NSS: Add InvalidateGroupById handler

There are some situations where, from the backend, the NSS responder
will have to be notified to invalidate a group.

In order to achieve this in a clean way, let's add the
InvalidateGroupById handler and make use of it later in this very same
series.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
709c42f0 by Fabiano Fidêncio at 2018-04-25T07:30:08+02:00
DP: Add dp_sbus_invalidate_group_memcache()

This function will be called from the data provider to the NSS
responder, which will invalidate a group in the memcache.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ccd349f0 by Fabiano Fidêncio at 2018-04-25T07:30:12+02:00
ERRORS: Add ERR_GID_DUPLICATED

This new error will be returned from sysdb_add_incomplete_group()
when renaming a group which will cause a gid collision.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
d2633d92 by Jakub Hrozek at 2018-04-25T07:30:18+02:00
LDAP: Augment the sdap_opts structure with a data provider pointer

In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.

Fill the pointer value for all LDAP-based providers.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
a537df2e by Fabiano Fidêncio at 2018-04-25T07:31:05+02:00
SDAP: Add sdap_handle_id_collision_for_incomplete_groups()

This newly added function is a helper to properly handle group
id-collisions when renaming incomplete groups and it does:
- Deletes the group from sysdb
- Adds the new incomplete group
- Notifies the NSS responder that the entry also has to be deleted from
  the memory cache

This function will be called from
sdap_ad_save_group_membership_with_idmapping() and from
sdap_add_incomplete_groups().

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a2e743cd by Fabiano Fidêncio at 2018-04-25T07:31:23+02:00
SDAP: Properly handle group id-collision when renaming incomplete groups

Resolves:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
514b2be0 by Fabiano Fidêncio at 2018-04-25T07:31:28+02:00
SYSDB_OPS: Error out on id-collision when adding an incomplete group

This situation can be hit when renaming a group. For now, let's just
error this out so the caller can handle it properly on its own layer.

Related:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
35d6fb7c by Jakub Hrozek at 2018-04-25T07:31:33+02:00
TESTS: Add an integration test for renaming incomplete groups during initgroups

As we implemented the group renaming heuristics to rename only if we can
use another "hint" like the original DN or the SID to know the group is
the same, this patch adds two tests (positive and negative) to make sure
a group with a totally different RDN and hence different originalDN
cannot be renamed but a group whose name changed but the RDN stays the
same can be renamed.

Related:
https://pagure.io/SSSD/sssd/issue/3282

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
ba2d5f7a by Jakub Hrozek at 2018-04-25T07:31:37+02:00
SYSDB: sysdb_add_incomplete_group now returns EEXIST with a duplicate GID

Related:
https://pagure.io/SSSD/sssd/issue/2653

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
91d1e4c1 by Jakub Hrozek at 2018-04-25T07:33:28+02:00
MAN: Document which principal does the AD provider use

Administrators are often confused by the difference between what
principal is used to authenticate to AD. Let's document that.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e6e5fe34 by Michal Židek at 2018-04-27T13:42:10+02:00
GPO: Fix bug with empty GPO rules

When two or more GPO rules were defined on the server
and one of them contained no SIDs (no users or groups
were specified), then SSSD failed to store such rule
and users were denied access (system error).

This patch changes the behavior so that in case
there are no SIDs in the rule a special value is
stored with the rule to indicate that the rule
was actually specified, but this value will not
match any real SID (because the rule should be
empty).

Resolves:
https://pagure.io/SSSD/sssd/issue/3680

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8655dd07 by Fabiano Fidêncio at 2018-04-27T13:42:28+02:00
SECRETS: reset last_request_time on any activity

As all the activities are being handled by the secrets responder itself
and not by responder's common code, we have to take care of re-setting
the last_request_time by ourselves here.

Without this patch, the responder would be shot down after reaching the
idle_timeout with activities happening or not.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
cefadc6e by Fabiano Fidêncio at 2018-04-27T13:42:40+02:00
KCM: reset last_request_time on any activity

As all the activities are being handled by the kcm responder itself and
not by responder's common code, we have to take care of re-setting the
last_request_time by ourselves here.

Without this patch, the responder would be shot down after reaching the
idle_timeout with activities happening or not.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
26592d1a by Fabiano Fidêncio at 2018-04-27T13:42:45+02:00
RESPONDER: Add sss_client_fd_handler()

Currently we have 3 functions to handle client fds:
- sec_fd_handler(): for secrets responder
- kcm_fd_handler(): for kcm responder
- client_fd_handler(): for all the other responders

As those functions only differ by the functions used to handle sending
and receiving data to the fds, let's create a generic function that
receives the specific send_fn() and recv_fn() functions.

With this newly introduced function we'll be able to simply remove
duplicated code from those 3 handlers and just call
sss_client_fd_handler() from all of those.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
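The SECRETS, KCM and RESPONDER commits above share one idea: a single fd handler parametrised by send/recv callbacks that refreshes last_request_time on every event, so the idle timeout only fires on real inactivity. The following is an added example, not SSSD code; `client_ctx`, `client_fd_handler_generic`, `client_is_idle` and the demo callbacks are constructed names for this illustration.

```c
#include <stddef.h>
#include <time.h>

/* Added illustration, not SSSD code. All identifiers are constructed. */

#define EV_READ  0x1u
#define EV_WRITE 0x2u

struct client_ctx;
typedef void (*io_fn)(struct client_ctx *cctx);

/* Minimal per-client state: the fd and the activity timestamp an idle
 * timer inspects. The call counters only exist so the dispatch can be
 * checked. */
struct client_ctx {
    int fd;
    time_t last_request_time;
    int recv_calls;
    int send_calls;
};

/* The generic handler: record activity first, then dispatch to the
 * responder-specific receive/send routines. Because the timestamp is
 * reset here, every responder that routes its events through this
 * function gets correct idle-timeout behaviour for free. */
void client_fd_handler_generic(struct client_ctx *cctx, unsigned flags,
                               time_t now, io_fn recv_fn, io_fn send_fn)
{
    cctx->last_request_time = now;
    if (flags & EV_READ) {
        recv_fn(cctx);
    }
    if (flags & EV_WRITE) {
        send_fn(cctx);
    }
}

/* Idle check as a periodic timer would run it: 1 if the client has been
 * silent for at least idle_timeout seconds, else 0. */
int client_is_idle(const struct client_ctx *cctx, time_t now,
                   time_t idle_timeout)
{
    return (now - cctx->last_request_time) >= idle_timeout;
}

/* Stand-ins for responder-specific recv/send routines. */
static void demo_recv(struct client_ctx *c) { c->recv_calls++; }
static void demo_send(struct client_ctx *c) { c->send_calls++; }

/* Scenario: client connects at t=0 with a 60 s idle timeout; the timer
 * runs at t=100. `activity_at` < 0 means no traffic at all. Returns the
 * idle flag the timer would see. */
int demo_idle_after_activity(long activity_at)
{
    struct client_ctx c = { .fd = 7, .last_request_time = 0 };

    if (activity_at >= 0) {
        client_fd_handler_generic(&c, EV_READ, (time_t)activity_at,
                                  demo_recv, demo_send);
    }
    return client_is_idle(&c, 100, 60);
}

/* Returns recv_calls * 10 + send_calls after one dispatch with `flags`,
 * to show that the callbacks are selected by event type. */
int demo_dispatch(unsigned flags)
{
    struct client_ctx c = { .fd = 7, .last_request_time = 0 };

    client_fd_handler_generic(&c, flags, 1, demo_recv, demo_send);
    return c.recv_calls * 10 + c.send_calls;
}
```

Without any traffic the client is idle at t=100; traffic at t=50 keeps it alive, traffic at t=30 does not, since 70 s have passed.
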
2f700656 by Fabiano Fidêncio at 2018-04-27T13:42:50+02:00
RESPONDER: Make use of sss_client_fd_handler()

Let's make use of the sss_client_fd_handler() on client_fd_handler().

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
04c236ca by Fabiano Fidêncio at 2018-04-27T13:42:57+02:00
SECRETS: Make use of sss_client_fd_handler()

Let's make use of the sss_client_fd_handler() on sec_fd_handler().

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
01ef93a4 by Fabiano Fidêncio at 2018-04-27T13:43:00+02:00
KCM: Make use of sss_client_fd_handler()

Let's make use of the sss_client_fd_handler() on kcm_fd_handler()

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
1ab24b39 by Fabiano Fidêncio at 2018-04-27T13:43:03+02:00
TESTS: Rename test_idle_timeout()

As this test is related to the client_idle_timeout, let's rename it
accordingly.

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ac9c3ad8 by Fabiano Fidêncio at 2018-04-27T13:43:21+02:00
TESTS: Add test for responder_idle_timeout

Two new tests have been added in order to test the following scenarios
of responder_idle_timeout:
- responder is shutdown after n seconds;
- responder has its shutdown delayed due to some activity and then is
  shutdown after n seconds;

In order to have the tests added, a new dep has been introduced:
python-psutil

Keep in mind those newly added tests make our test suite take a few
minutes more to finish. As it may be an inconvenience for some
developers, the tests have been explicitly marked as slow (both by the
pytest markdown and by having _slow in their names) and can be skipped
by doing:
`make intgcheck-run \
 INTGCHECK_PYTEST_ARGS="-k test_secrets.py -m 'not slow'"`

Resolves:
https://pagure.io/SSSD/sssd/issue/3633

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a30d0c95 by Fabiano Fidêncio at 2018-04-27T13:44:16+02:00
TESTS: Fix typo in test_sysdb_domain_resolution_order_ops()

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
d69e1da3 by Jakub Hrozek at 2018-04-27T13:45:21+02:00
FILES: Do not overwrite and actually remove files_ctx.{pwd,grp}_watch

The snotify_ctx structures were unused and are completely opaque (their
only value is that if they are freed, the watches disappear, which
the files provider never does).

And moreover, since the patches to support multiple files, the watches
were overwritten with subsequent assignments.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1f8bfb69 by Jakub Hrozek at 2018-04-27T13:45:34+02:00
FILES: Reduce code duplication

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
81f16996 by Jakub Hrozek at 2018-04-27T13:45:39+02:00
FILES: Reset the domain status back even on errors

The block that resets the domain status was only called on success, so
on error, the domain would have been permanently stuck in an
inconsistent state.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c1bce7da by Jakub Hrozek at 2018-04-27T13:45:43+02:00
FILES: Skip files that are not created yet

In order to avoid complex ordering logic, even if one file is updated,
we flush all the entries. In theory, we could only flush the individual
file and all the files preceding it, but it's safer to just create a
complete mirror every time.

And this can be problematic if one of the files we try to update is not
created yet during the update. This can happen e.g. when a file is not
created during early boot.

To solve this, try to be very defensive and always flush the whole
database, ignore ENOENT errors, but abort on all other errors.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
77d63f56 by Jakub Hrozek at 2018-04-27T13:45:48+02:00
FILES: Only send the request for update if the files domain is inconsistent

Resolves:
https://pagure.io/SSSD/sssd/issue/3520

The code was probably commented out by mistake.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
65034a71 by Jakub Hrozek at 2018-05-03T21:51:36+02:00
DYNDNS: Move the retry logic into a separate function

Let's not repeat ourselves

Related to:
https://pagure.io/SSSD/sssd/issue/3725

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
b57dfac8 by Jakub Hrozek at 2018-05-03T21:52:15+02:00
DYNDNS: Retry also on timeouts

There is the dyndns_server option that is supposed to make it possible
for the admin to select a server to update DNS with if the server
detected by nsupdate does not work. The fallback works OK for the case
where nsupdate fails with a non-zero return code, but doesn't work
for the case where nsupdate times out.

This patch extends the retry condition to also fallback to the
dyndns_server directive if nsupdate returns ERR_DYNDNS_TIMEOUT.

Resolves:
https://pagure.io/SSSD/sssd/issue/3725

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
3cff2c5e by Jakub Hrozek at 2018-05-03T21:53:22+02:00
AD: Warn if the LDAP schema is overridden with the AD provider

Resolves:
https://pagure.io/SSSD/sssd/issue/3726

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
8a8285cf by Jakub Hrozek at 2018-05-03T21:54:46+02:00
SYSDB: Only check non-POSIX groups for GID conflicts

When checking for a GID conflict, it doesn't make sense to check for one
when the group being added is a non-POSIX one, because then the GID will
always be 0.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
10213efa by Jakub Hrozek at 2018-05-03T21:56:15+02:00
Do not keep allocating external groups on a long-lived context

The hash table with the external groups was never freed, so the
server_mode->ext_groups context was growing over time.

This patch keeps the new hash on the state if something failed, then
frees the previous hash and finally steals the new hash onto the server
mode.

Resolves:
https://pagure.io/SSSD/sssd/issue/3719

Signed-off-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
2952de74 by Jakub Hrozek at 2018-05-03T22:02:44+02:00
CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up

A fix for upstream bug #3569 and the domain-locator feature were both
developed in the context of the same upstream version and therefore
touched the same code, but the domain locator did not account for the
ERR_ID_OUTSIDE_RANGE error code.

Therefore lookups for IDs that are outside the range for the domain
caused the whole lookup to fail instead of carrying on to the next
domain.

This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID
was not found at all. Also some whitespace errors are fixed.

Resolves:
https://pagure.io/SSSD/sssd/issue/3728

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
b13cc2d1 by Sumit Bose at 2018-05-08T09:43:44+02:00
NSS: nss_clear_netgroup_hash_table() do not free data

nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS
request, which is e.g. used during 'sss_cache -E', to remove netgroup
data cached in the memory of the NSS responder.

Currently nss_clear_netgroup_hash_table() calls
'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only
removes all entries in the 'netgrent' hash table but frees them as
well.

The second step is not needed because nss_setnetgrent_set_timeout()
takes care that the data is freed after a timeout. Additionally freeing
the data in nss_clear_netgroup_hash_table() can even do harm when the
request is received by the NSS responder while waiting for the backend
to acquire the netgroup data. Because if the backend is done the NSS
responder tries to use enum_ctx which might have been freed in the
meantime.

Because of this nss_clear_netgroup_hash_table() should only remove the
data from the hash table but not free it.

Related to https://pagure.io/SSSD/sssd/issue/3731

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cf4f5e03 by Fabiano Fidêncio at 2018-05-11T17:42:02+02:00
SYSDB: Properly handle name/gid override when using domain resolution order

When using name/gid override together with domain resolution order the
mpg name/gid may be returned instead of the overridden one.

In order to avoid that, let's add a check in case the domain supports
mpg so we can ensure that the originalADname and originalADgidNumber
attributes are the very same as the ones searched and then normally
proceed with the current flow in the code. In case those are not the
same, we *must* follow the code path for the non-mpg domains and then
return the proper values.

Resolves: https://pagure.io/SSSD/sssd/issue/3595

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
10a0bda9 by Fabiano Fidêncio at 2018-05-16T04:55:19+02:00
TESTS: Increase test_resp_idle_timeout* timeout

As suggested by Sumit, let's increase the timeout in the
test_resp_idle_timeout* as those are a little bit on the edge.

Related:
https://pagure.io/SSSD/sssd/issue/3633

Resolves:
https://pagure.io/SSSD/sssd/issue/3730

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
28436b57 by Fabiano Fidêncio at 2018-05-16T04:55:46+02:00
COVERITY: Add coverity support

Using travis-ci we can start doing coverity scans on every pushed code.
This is not something new as so far we have been relying on sgallagh's
internal infra to do so; unfortunately the infra is about to be
retired ... thus, starting to use the public coverity instance is a hard
requirement for us.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Signed-off-by: Edjunior Machado <emachado at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e5514134 by Fabiano Fidêncio at 2018-05-16T04:56:15+02:00
MAKE_SRPM: Add --output parameter

This parameter is being added as it makes our life easier when dealing
with automated copr builds for this project.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
4568d68d by Fabiano Fidêncio at 2018-05-16T04:56:30+02:00
Add .copr/Makefile

This will be used in order to provide automated builds to the project on
copr.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
c6b99b07 by Sumit Bose at 2018-05-18T17:23:16+02:00
winbind idmap plugin: support interface version 6

With Samba 4.7 the interface version of the idmap plugin was updated to
6. The patch adds support for this new version but can be compiled with
the older version as well.

A configure option is added to select the version, if no version is
given configure tries to detect the version with the help of an internal
Samba library libidmap-samba4.so.

To make sure that the right version is always used, configure will fail
if Samba is used (--with-samba, default) and no version can be
determined.

Resolves https://pagure.io/SSSD/sssd/issue/3741

Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
4ab4a26e by amitkumar50 at 2018-05-18T17:24:12+02:00
MAN: Clarify how comments work in sssd.conf

PR changes comment description in sssd.conf from:
'A line comment starts with a hash sign...'
to
'A comment line starts with a hash sign...'

Resolves: https://pagure.io/SSSD/sssd/issue/1117

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
095bbe17 by Sumit Bose at 2018-05-18T22:13:33+02:00
winbind idmap plugin: fix detection

Currently when compiling the detection code for the idmap interface
version only SMBCLIENT_CFLAGS are used. Since libsmbclient does not use
NTSTATUS the cflags do not contain '-DHAVE_IMMEDIATE_STRUCTURES=1' which
makes NTSTATUS a struct instead of an integer. Since Samba itself
might be compiled with this define (it typically is) we have to make
sure we use it as well. Otherwise the test program might crash on
platforms where this change changes the calling convention as well.

Related to https://pagure.io/SSSD/sssd/issue/3741

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
afe7060f by Lukas Slebodnik at 2018-05-23T17:47:53+02:00
SYSDB: Return ENOENT for mpg with local provider

We need to return ENOENT for the local provider if the user has
just a magic private group. Otherwise we would not be able
to detect such a situation in sss_groupshow

    /* The search itself */
    ret = group_show(tctx, tctx->sysdb,
                     tctx->local, pc_recursive,
                     tctx->octx->name, &root);
    /* Also show MPGs */
    if (ret == ENOENT) {
        ret = group_show_mpg(tctx, tctx->local,
                             tctx->octx->name, &root);
    }

Resolves:
https://pagure.io/SSSD/sssd/issue/3644

Merges: https://pagure.io/SSSD/sssd/pull-request/3720

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b0aa567b by Lukas Slebodnik at 2018-05-23T17:47:58+02:00
sysdb-tests: sysdb_search_group_by_name with local provider

The ldap and local providers are handled differently
in sysdb_search_group_by_name, and we need to cover both cases to avoid
regressions.

Resolves:
https://pagure.io/SSSD/sssd/issue/3644

Merges: https://pagure.io/SSSD/sssd/pull-request/3720

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
320cc463 by Jakub Hrozek at 2018-05-23T17:48:44+02:00
MAN: Fix the title of the session recording man page

Reviewed-by: amitkumar50 <amitkuma at redhat.com>

- - - - -
92addd7b by Lukas Slebodnik at 2018-05-24T22:19:21+02:00
selinux_child: Allow to query sssd

The function getpwnam_r is indirectly used in selinux_child
in a few places (in libselinux and libsemanage).

There is no reason why we should block nss calls with sssd.
It is a child process and a loop cannot be created.
(BTW it is also allowed in krb_child and proxy_child)

  #0  _nss_sss_getpwnam_r (name=0x55c0e6471a50 "user4_2", result=0x7ffe9ab0d05,
          buffer=0x55c0e64741a0 "\200é\256\177\177", buflen=1024,
          errnop=0x7f7fafbcdb08)
          at src/sss_client/nss_passwd.c:132
  #1  0x00007f7fae7ad48f in __getpwnam_r (name=name at entry=0x55c0e6471a50 "user4_2",
          resbuf=resbuf at entry=0x7ffe9ab0d050, buffer=buffer at entry=0x55c0e64741a0 "\200é\256\177\177",
          buflen=buflen at entry=1024, result=result at entry=0x7ffe9ab0d048)
          at ../nss/getXXbyYY_r.c:316
  #2  0x00007f7faeabc9e2 in get_default_gid (name=0x55c0e6471a50 "user4_2")
          at seusers.c:105
  #3  getseuserbyname (name=0x55c0e6471a50 "user4_2", r_seuser=0x7ffe9ab0d0f0,
          r_level=0x7ffe9ab0d0f8) at seusers.c:186
  #4  0x000055c0e5126d02 in seuser_needs_update (ibuf=0x55c0e64718e0)
          at src/providers/ipa/selinux_child.c:175
  #5  main (argc=<optimized out>, argv=<optimized out>)
          at src/providers/ipa/selinux_child.c:332

  #0  _nss_sss_getpwnam_r (name=0x55c0e647dda0 "user3_1", result=0x7ffe9ab0cce0,
          buffer=0x55c0e6482180 "\240AG\346\300U", buflen=1024,
          errnop=0x7f7fafbcdb08) at src/sss_client/nss_passwd.c:132
  #1  0x00007f7fae7ad48f in __getpwnam_r (name=name at entry=0x55c0e647dda0 "user3_1",
          resbuf=resbuf at entry=0x7ffe9ab0cce0, buffer=buffer at entry=0x55c0e6482180 "\240AG\346\300U",
          buflen=buflen at entry=1024, result=result at entry=0x7ffe9ab0ccd8)
          at ../nss/getXXbyYY_r.c:316
  #2  0x00007f7faece29b3 in add_user (head=head at entry=0x7ffe9ab0ce28,
          user=user at entry=0x55c0e64b5930, name=name at entry=0x55c0e647dda0 "user3_1",
          sename=sename at entry=0x55c0e647bdc0 "staff_u",
          selogin=selogin at entry=0x55c0e647dda0 "user3_1",
          s=<optimized out>) at genhomedircon.c:999
  #3  0x00007f7faece334c in get_users (errors=<synthetic pointer>,
          s=0x7ffe9ab0ce70) at genhomedircon.c:1167
  #4  write_gen_home_dir_context (homedir_context_tpl=0x55c0e647d3d0,
          user_context_tpl=0x55c0e647a870, username_context_tpl=0x0,
          out=0x55c0e646fa80, s=0x7ffe9ab0ce70) at genhomedircon.c:1205
  #5  write_context_file (out=<optimized out>, s=0x7ffe9ab0ce70)
          at genhomedircon.c:1317
  #6  semanage_genhomedircon (sh=sh at entry=0x55c0e6476380, policydb=<optimized out>,
          usepasswd=<optimized out>, ignoredirs=<optimized out>)
          at genhomedircon.c:1382
  #7  0x00007f7faecdfb95 in semanage_direct_commit (sh=0x55c0e6476380)
          at direct_api.c:1575
  #8  0x00007f7faece4d6d in semanage_commit (sh=0x55c0e6476380) at handle.c:426
  #9  0x000055c0e5127cf8 in sss_set_seuser (login_name=0x55c0e6471a5 "user4_2",
          seuser_name=0x55c0e6471960 "staff_u", mls=<optimized out>)
          at src/util/sss_semanage.c:335
  #10 0x000055c0e5126eea in sc_set_seuser (mls=0x55c0e64719d0 "s0-s0:c0.c1023",
          seuser_name=0x55c0e6471960 "staff_u",
          login_name=0x55c0e6471a50 "user4_2")
          at src/providers/ipa/selinux_child.c:162
  #11 main (argc=<optimized out>, argv=<optimized out>)
          at src/providers/ipa/selinux_child.c:334

Merges: https://pagure.io/SSSD/sssd/pull-request/3732

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
51c6c483 by Lukas Slebodnik at 2018-05-24T22:19:32+02:00
selinux_child: Fix crash with initialized key

The semanage_seuser_key_t can be NULL in done section
in case of issues with initializing semanage handle or failure
with creating transaction.

The semanage_seuser_key_free is not NULL tolerant, therefore it's better
to prevent dereferencing a NULL pointer.

  #0  semanage_seuser_key_free_internal (key=0x0) at seuser_record.c:83
  #1  0x000055c1f8a687ed in sss_set_seuser (login_name=0x55c1f9ff8a50 "user4_1",
          seuser_name=0x55c1f9ff8960 "staff_u", mls=<optimized out>)
          at src/util/sss_semanage.c:344
  #2  0x000055c1f8a67eea in sc_set_seuser (mls=0x55c1f9ff89d0 "s0-s0:c0.c1023",
          seuser_name=0x55c1f9ff8960 "staff_u",
          login_name=0x55c1f9ff8a50 "user4_1")
          at src/providers/ipa/selinux_child.c:162
  #3  main (argc=<optimized out>, argv=<optimized out>)
          at src/providers/ipa/selinux_child.c:334

Merges: https://pagure.io/SSSD/sssd/pull-request/3732

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
d5c3070c by Fabiano Fidêncio at 2018-05-28T09:44:50+02:00
CACHE_REQ: Don't force a fqname for files provider' output

Although this does not cause any issue per se, it doesn't make sense to have
the output of the files provider changing its behaviour depending on
whether we do or do not use a domain_resolution_order.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
7f6ff80c by Fabiano Fidêncio at 2018-05-28T09:44:50+02:00
cache_req: Don't force a fqname for files provider output

As we're enforcing the output of files provider to be fully-qualified we
can face some weirdness when using domain_resolution_order as:
[user at implicit_files@machine]$

This is not only not coherent but also causes issues when the local
user, which is managed by the files provider, tries to do a `sudo su`.

As the most common scenario for *local* users is to have the user
(non-fully-qualified) in sudoers and, as sudo simply compares usernames,
changing the output from non fully-qualified to fully-qualified would
break this scenario, not allowing the user which has sudo access to use
sudo.

In order to avoid the issues described above, let's just not force the
output of the files provider to be fully-qualified.

Resolves:
https://pagure.io/SSSD/sssd/issue/3743

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a16d9743 by Fabiano Fidêncio at 2018-05-28T09:44:50+02:00
tests: Add a test for files provider + domain resolution order

Resolves:
https://pagure.io/SSSD/sssd/issue/3743

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
74a51472 by Fabiano Fidêncio at 2018-05-28T09:44:50+02:00
man: Users managed by the files provider don't have their output fully-qualified

As the users managed by the files provider won't have their output using
fully-qualified domain names, let's make it explicit in our man pages.

Resolves:
https://pagure.io/SSSD/sssd/issue/3743

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e354ec74 by Jakub Hrozek at 2018-05-28T09:44:50+02:00
DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes

An initgroups request for an AD user consists of two parts - resolving
the AD user, which internally calls an LDAP request and adding the IPA
external group memberships. For (probably?) historical reasons from the
time before we had any notion of subdomains, the initgrTimestamp
attribute is written down at the LDAP request level when it finishes --
which means the initgrTimestamp is written before the IPA external group
membership is evaluated.

When two requests for initgroups arrive semi-concurrently, it can happen
that the first request will trigger the whole machinery while the other
one would evaluate the initgrTimestamp attribute that was just bumped,
but the IPA group memberships were not yet written to the cache.

The result is that the second racing request only returns AD groups.

This fix removes writing the timestamp from the generic LDAP code and
instead writes the timestamp only when the Data Provider request fully
returns.

Resolves:
https://pagure.io/SSSD/sssd/issue/3744

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8f4b18db by Fabiano Fidêncio at 2018-05-31T22:44:43+02:00
Revert "CACHE_REQ: Don't force a fqname for files provider' output"

This reverts commit d5c3070c3dd8664b23999f003adc7fd170d19f20.

The patch was pushed by mistake and should not be kept nor be part of
our tree.

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f9b42e39 by Fabiano Fidêncio at 2018-05-31T22:45:25+02:00
selinux_child: workaround fqnames when using DRO

When using domain_resolution_order the username will always be
fully-qualified, which has been causing some SELinux issues as mappings
for user 'admin' are not applied for 'admin at ipa.example'.

In order to work this around we can take advantage that selinux_child
queries SSSD since commit 92addd7ba and call getpwnam() in order to get
the username in the correct format.

seuser_needs_update() signature has been updated due to this change.

Resolves:
https://pagure.io/SSSD/sssd/issue/3740

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
50a90eb2 by Jakub Hrozek at 2018-05-31T22:46:09+02:00
LDAP: Do not use signal-unsafe calls in ldap_child SIGTERM handler

The DEBUG macros internally use several signal-unsafe calls so it's
better to not use any DEBUG macros at all.

man 7 signal-safety lists functions that can be used in a signal
handler.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
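An added illustration (not code from SSSD or from this commit) of the pattern the commit above describes: a SIGTERM handler restricted to the async-signal-safe calls listed in man 7 signal-safety (a sig_atomic_t flag and write(2)), with any DEBUG-style logging deferred to normal context. The function names install_sigterm_handler, sigterm_received and drain_sigterm are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

/* Set by the handler and polled by the main loop. Reads and writes of a
 * volatile sig_atomic_t are atomic with respect to signal delivery. */
static volatile sig_atomic_t got_sigterm = 0;

/* Async-signal-safe handler. Only a sig_atomic_t store and write(2) are
 * used here; fprintf, malloc, syslog, localtime and the like (what a
 * DEBUG macro typically expands to) are not on the signal-safety list:
 * if SIGTERM interrupts the main program inside one of them, re-entering
 * it from the handler can deadlock or corrupt its internal state. */
static void sigterm_handler(int sig)
{
    int saved_errno = errno;   /* write(2) may clobber errno; restore it */
    static const char msg[] = "ldap_child: SIGTERM received\n";

    (void)sig;
    got_sigterm = 1;
    /* Best effort: a handler cannot sensibly act on a failed write. */
    (void)!write(STDERR_FILENO, msg, sizeof(msg) - 1);
    errno = saved_errno;
}

/* Installs the handler with sigaction(2); returns 0 on success, -1 on error. */
int install_sigterm_handler(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = sigterm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGTERM, &sa, NULL);
}

/* Non-zero once SIGTERM has been delivered and not yet drained. */
int sigterm_received(void)
{
    return got_sigterm != 0;
}

/* Called from the main loop, i.e. in normal (non-signal) context. This is
 * where logging, cleanup and exit handling belong. Returns 1 if a pending
 * SIGTERM was consumed, 0 otherwise. */
int drain_sigterm(void)
{
    if (!got_sigterm) {
        return 0;
    }
    got_sigterm = 0;
    /* DEBUG(...) / fprintf / resource teardown would go here, not in the handler. */
    return 1;
}
```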
179c7fb3 by Fabiano Fidêncio at 2018-05-31T22:47:11+02:00
sudo_ldap: fix sudoHost=defaults -> cn=defaults in the filter

This is a typo introduced as part of 47ad0778.

Resolves:
https://pagure.io/SSSD/sssd/issue/3742

Related:
https://pagure.io/SSSD/sssd/issue/3558

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0f897b18 by Fabiano Fidêncio at 2018-05-31T22:47:42+02:00
Revert "sysdb custom: completely replace old object instead of merging it"

This reverts commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63, as the
commit introduced a regression on known_hosts.

Resolves:
https://pagure.io/SSSD/sssd/issue/3733

Related:
https://pagure.io/SSSD/sssd/issue/3558

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f9e4c934 by Fabiano Fidêncio at 2018-05-31T22:48:18+02:00
sysdb_sudo: completely replace old object instead of merging it

Let's make sure that we do not merge two records in sysdb_sudo.

1) If there are two rules with the same cn (possible with multiple search bases
or organizational units) we would end up merging those two rules instead of
choosing one of them.

2) Also smart refresh would merge the diff instead of removing the attributes
that are no longer present in ldap.

Since 1) is a rare use case and it is a misconfiguration we completely replace
the old rule with new one. It is simpler to implement and it solves both issues.

Resolves:
https://pagure.io/SSSD/sssd/issue/3558

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6d363229 by Thorsten Scherf at 2018-05-31T22:48:57+02:00
man: Add FILES as a valid config option for 'id_provider'

The 'id_provider' config option can now also take 'files' as a valid value.
This should be mentioned in man 5 sssd.conf. With this change we are also
going to deprecate the 'id_provider = local' setting.

Resolves:
https://pagure.io/SSSD/sssd/issue/3749

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7567215c by Jakub Hrozek at 2018-05-31T22:49:43+02:00
AUTOFS: remove timed event if related object is removed

autofs_map_result_timeout() is called as a timed event to free the
autofs map data if the cache lifetime is exceeded. If the data is freed
earlier the timed event should be removed as well to avoid a double
free issue.

Since talloc is used here the easiest way to achieve this is to allocate
the timed event on the map object itself.

Resolves:
https://pagure.io/SSSD/sssd/issue/3752

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
1e6381c8 by Lukas Slebodnik at 2018-05-31T22:54:09+02:00
BUILD: Remove unnecessary *flags from test_ipa_dn

sh-4.4$ grep wrap src/providers/ipa/ipa_dn.c src/tests/cmocka/test_ipa_dn.c
sh-4.4$ grep UNIT_TESTING src/providers/ipa/ipa_dn.c src/tests/cmocka/test_ipa_dn.c

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
59767799 by Lukas Slebodnik at 2018-05-31T22:54:13+02:00
BUILD: Remove ldap libraries from SSSD_LIBS

They are not used in any responder.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
38158852 by Lukas Slebodnik at 2018-05-31T22:54:16+02:00
BUILD: Remove ldap libraries from TOOL_LIBS

Only the backend needs to be linked with the OpenLDAP libraries.
None of the tools need them.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
11ff270f by Lukas Slebodnik at 2018-05-31T22:54:18+02:00
BUILD: Remove pcre libs from common *_LIBS

PCRE is used just in libsss_util and krb5 provider
(+ few unit tests)

sh$ git grep pcre_free
src/providers/krb5/krb5_init.c:        pcre_free(ctx->illegal_path_re);
src/tests/krb5_child-test.c:        pcre_free(ctx->illegal_path_re);
src/tests/krb5_utils-tests.c:    pcre_free(illegal_re);
src/util/usertools.c:        pcre_free(snctx->re);
src/util/usertools.c:        pcre_free_substring(result);
src/util/usertools.c:                pcre_free_substring(result);
src/util/usertools.c:                pcre_free_substring(result);

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
a63c2869 by Lukas Slebodnik at 2018-05-31T22:54:24+02:00
BUILD: Remove pcre from krb5_child

sh# objdump -T /usr/libexec/sssd/krb5_child | grep pcre
sh# echo $?
1

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
a10cd9ec by Lukas Slebodnik at 2018-05-31T22:54:28+02:00
BUILD: Remove libcollection from common *libs

libcollection is not used directly by sssd.

sh$ git grep " col_"
sh$ echo $?
1

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
17f5b50d by Lukas Slebodnik at 2018-05-31T22:54:43+02:00
BUILD: Reduce dependencies of sss_signal

sss_signal is a tiny binary which can only call the
function "sss_signal" or debug related functions.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
af9c031a by Lukas Slebodnik at 2018-05-31T22:54:48+02:00
BUILD: Remove cares from sssd_secrets

The secrets responder does not use any name resolution functions.

sh$ objdump -T /usr/libexec/sssd/sssd_secrets | grep ares
sh$ echo $?
1

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
acc79968 by Lukas Slebodnik at 2018-05-31T22:54:52+02:00
BUILD: Remove libini_config from common libs

The libini_config is not directly used by responders nor tools.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
a887e33f by Lukas Slebodnik at 2018-06-02T09:48:12+02:00
MONITOR: Do not use two configuration databases

confdb was initialized twice in monitor. The 1st time in
load_configuration and the 2nd time in server_setup.

libldb-1.4.0 contains stricter checking of PID which created db.
    ldb_tdb: Prevent ldb_tdb reuse after a fork()

    We may relax this restriction in the future, but for now do not assume
    that the caller has done a tdb_reopen_all() at the right time.

    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

It did not cause any problem when sssd was started in interactive mode
(used by systemd), but it causes failures in daemon mode, which is used
in cwrap integration:

[sssd] [ldb] (0x4000): Destroying timer event 0x5555557b1d30 "ltdb_timeout"
[sssd] [ldb] (0x4000): Ending timer event 0x5555557cbdd0 "ltdb_callback"
[sssd] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
[sssd] [ldb] (0x0010): Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: Reusing ldb opend by pid 28889 in process 28893
 / Protocol error
[sssd] [confdb_get_param] (0x0020): Failed to get [krb5_rcache_dir] from [config/sssd], error [5] (Input/output error)
[sssd] [confdb_get_string] (0x0020): Failed to get [krb5_rcache_dir] from [config/sssd], error [5] (Input/output error)

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
bc7b4a3b by Lukas Slebodnik at 2018-06-02T09:48:12+02:00
CI: Prepare for python3 -> python

rpm-spec-builddeps is used for extracting build dependencies from spec
file to avoid duplication. But it was mostly used by python2 and
therefore we did not notice issues with python3 which has "print"
as a function and not as a statement.

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
5b394161 by Sumit Bose at 2018-06-05T21:10:40+02:00
p11_child: move verification into separate functions

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
6514c4bd by Sumit Bose at 2018-06-05T21:10:59+02:00
p11_child: add verification option

With the new option p11_child can be used to verify a certificate given
on the command line. This will allow the ssh responder to call p11_child
to verify a certificate instead of doing it on its own. This does not
only reduce code-duplication but makes sure that the ssh responder is
not blocked while running OCSP checks.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
9971ee45 by Sumit Bose at 2018-06-05T21:11:04+02:00
utils: add get_ssh_key_from_cert()

This new call only extracts the ssh key out of a certificate with the
help of NSS or OpenSSL without verifying the certificate.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f5e1aaf8 by Sumit Bose at 2018-06-05T21:11:08+02:00
utils: move p11 child paths to util.h

To allow other responders to call p11_child too, some general defines
are moved to a common place.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2f897afd by Sumit Bose at 2018-06-05T21:11:12+02:00
utils: add cert_to_ssh_key request

With this new request p11_child is used to verify the certificate before
the ssh key is extracted.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
176e4d24 by Sumit Bose at 2018-06-05T21:11:15+02:00
tests: add test for cert_to_ssh_key request

This patch adds cmocka based unit tests for the new cert_to_ssh_key
request.

There seems to be a memory leak in bash if a called binary returns an
error code. Since p11_child is called via a libtool wrapper in the unit
tests and returns an error code if a certificate is invalid this will be
reported during the CI valgrind run. To make the CI pass here a
suppression is added.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
842daeb7 by Sumit Bose at 2018-06-05T21:11:20+02:00
ssh: use cert_to_ssh_key request to verify certificate and get keys

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
4f63a1a9 by Sumit Bose at 2018-06-05T21:11:24+02:00
ssh: add option ssh_use_certificate_keys and enhance man page

This patch adds an option to switch the extraction of ssh keys from
X.509 certificates on and off and improves the general documentation
about this feature in the sss_ssh_authorizedkeys man page.

Related to https://pagure.io/SSSD/sssd/issue/3688

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7190e0ef by Sumit Bose at 2018-06-05T21:11:28+02:00
utils: remove unused code from cert utils

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
165f58ab by Sumit Bose at 2018-06-05T21:11:33+02:00
tests: add SSH responder tests

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b5136cd9 by Sumit Bose at 2018-06-05T21:11:37+02:00
p11_child: split common and NSS code into separate files

To avoid code duplication when adding support for OpenSSL the common
code is moved into a separate file.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
6d6e4a5d by Sumit Bose at 2018-06-05T21:11:40+02:00
p11_child: add OpenSSL support

The patch adds an alternative implementation of p11_child which uses
p11-kit and OpenSSL instead of NSS.

Some certificate validation options are still missing and will be added
in upcoming patches.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
4eed225b by Sumit Bose at 2018-06-05T21:11:44+02:00
TESTS: make some cert auth checks order independent

Since it is not clear in which order multiple certificates are returned
by the Smartcard/PKCS#11 module/p11_child tests should not rely on the
order.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
075f2f3a by Sumit Bose at 2018-06-05T21:11:48+02:00
p11_child: allow tests to use OpenSSL version of p11_child

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ee76c686 by Sumit Bose at 2018-06-05T21:11:52+02:00
certmap: fix issue found by Coverity in OpenSSL version

So far Coverity was only run with the NSS build enabled, with OpenSSL
enabled an issue was found in an OpenSSL specific file.

Related to https://pagure.io/SSSD/sssd/issue/3495

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8adf6ead by Sumit Bose at 2018-06-05T21:11:56+02:00
SPEC/CI: enable openssl build for Debian and upcoming versions

Related to https://pagure.io/SSSD/sssd/issue/3495

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8127b585 by Sumit Bose at 2018-06-05T21:12:00+02:00
certmap: allow missing empty EKU in OpenSSL version

In the OpenSSL version of the certificate mapping and matching code a
missing Extended Key Usage (EKU) extension was not detected properly and
caused an error while processing the certificate.

Related to https://pagure.io/SSSD/sssd/issue/3489

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
9adc750a by Jakub Hrozek at 2018-06-05T21:10:40+02:00
RESPONDERS: Enable the local negative timeout by default

Instead of letting admins opt-in to caching the local users negatively
for a long time, let's enable the negative cache by default.

Resolves:
https://pagure.io/SSSD/sssd/issue/3619

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
df8e1055 by Jakub Hrozek at 2018-06-05T21:10:40+02:00
LDAP: Suppress a loud debug message in case a built-in SID can't be resolved

Resolves:
https://pagure.io/SSSD/sssd/issue/3706

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
6191cf81 by Sumit Bose at 2018-06-08T13:16:14+02:00
KCM: be aware that size_t might have different size than other integers

The memory assignment for the size_t type might be larger on some
platforms than for 32bit integer values and even for value of unsigned
int type. When converting/casting size_t to those values special care
has to be taken especially when pointers to those values are used.

The patch also contains a fix for a unit test which now should detect
the issue properly.

Related to https://pagure.io/SSSD/sssd/issue/3757

Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>

- - - - -
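An added illustration (not code from SSSD or from the KCM commit above) of the hazard that commit describes: handing the address of a size_t to an API that writes through a 32-bit pointer only fills part of the object on a 64-bit platform, whereas receiving into a real uint32_t and widening, or narrowing with a range check, is safe. The helper get_len_u32 stands in for such an API and is constructed for this example; unsafe_cast_mismatch, read_len and size_to_u32 are this example's own names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a low-level API that returns a length through a
 * uint32_t out-pointer. It writes exactly sizeof(uint32_t) bytes. */
static void get_len_u32(uint32_t *out)
{
    *out = 42;
}

/* The hazard: passing (uint32_t *)&len where len is a size_t. Only four
 * bytes are written, so on a 64-bit platform the remaining bytes of len keep
 * their stale contents. The memcpy models the partial write the cast causes
 * without relying on aliasing behaviour. Returns 1 if len != 42 afterwards,
 * i.e. if the caller would have read a corrupted length. */
int unsafe_cast_mismatch(void)
{
    size_t len = SIZE_MAX;      /* stale contents before the call */
    uint32_t tmp;

    get_len_u32(&tmp);
    memcpy(&len, &tmp, sizeof(tmp));
    return len != 42;
}

/* Correct: receive into a variable of the type the API actually writes,
 * then widen. Widening an unsigned 32-bit value into size_t is always safe. */
int read_len(size_t *out)
{
    uint32_t tmp;

    get_len_u32(&tmp);
    *out = tmp;
    return 0;
}

/* The opposite direction (size_t to a 32-bit wire or API field) needs an
 * explicit range check; silently truncating would produce a wrong length.
 * Returns 0 on success, ERANGE if the value does not fit. */
int size_to_u32(size_t in, uint32_t *out)
{
    if (in > UINT32_MAX) {
        return ERANGE;
    }
    *out = (uint32_t)in;
    return 0;
}
```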
39d37f6d by Michal Židek at 2018-06-08T13:16:50+02:00
GPO: DEBUG msg when GP to PAM mappings overlap

Improve debugging by giving hints on how to fix the issue
with overlapping PAM mappings.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f3f1bd4a by Michal Židek at 2018-06-08T13:16:54+02:00
GPO: Debugging default PAM service mapping

It was not simple to figure out what is going on when
the users were denied in case the PAM service was
not mapped to any Group Policy rule.

Resolves:
https://pagure.io/SSSD/sssd/issue/3664

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f8025ae0 by Fabiano Fidêncio at 2018-06-08T13:17:07+02:00
tlog: only log in tcurl_write_data when SSS_KCM_LOG_PRIVATE_DATA is set to YES

As a stopgap fix for this release, let's not log the content received in
tcurl_write_data().

A proper fix has to be done on Secrets's side.

Related:
https://pagure.io/SSSD/sssd/issue/3674

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8aa56a9e by Sumit Bose at 2018-06-08T13:17:25+02:00
sysdb: add sysdb_getgrgid_attrs()

sysdb_getgrgid() is the only MPG aware by-GID request but only supports
a fixed set of attributes. The new call allows to add additional
attributes.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
03222156 by Sumit Bose at 2018-06-08T13:17:28+02:00
ipa: use mpg aware group lookup in get_object_from_cache()

Since with algorithmic id-mapping SSSD automatically creates user
private groups for AD user with the help of magic private groups (mpg)
get_object_from_cache() should use mpg aware calls to make sure the
right user object is found when handling a request to look up a user
private group.

Only the lookup by gid had to be modified because
sysdb_search_group_by_name() used for lookups by name is aware of MPGs.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e66517dc by Sumit Bose at 2018-06-08T13:17:33+02:00
ipa: allow mpg group objects in apply_subdomain_homedir()

Since with algorithmic id-mapping SSSD automatically creates user
private groups for AD user with the help of magic private groups (mpg)
apply_subdomain_homedir() should be aware that in mpg domains a group
lookup might actually return a user object. Since the related sysdb
calls are clever and replace the objectcategory so that it matches the
original request type we have to check for the group category in the mpg
case as well. apply_subdomain_homedir() checks the uidNumber later as
well to make sure the object has the needed attributes for a user.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ad6ab352 by Sumit Bose at 2018-06-08T13:17:36+02:00
AD/LDAP: do not fall back to mpg user lookup on GC connection

For MPG domains a group lookup might fall back to a user lookup to check
if the request is for a user private group. Since we cannot be sure that
all needed attributes for a user are replicated to the Global Catalog we
do not want to lookup the user during the fall back from the Global
Catalog.

Since we cannot skip Global Catalog lookups for groups completely due to
membership to groups with universal scope this patch adds a flag to tell
the lower level lookup calls to not fall back on connections to a Global
Catalog.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8550c06f by Richard Sharpe at 2018-06-08T13:25:03+02:00
nss-imap: add sss_nss_getsidbyuid() and sss_nss_getsidbygid()

Two new calls are added to allow the caller to specify if the given
POSIX ID is a UID or a GID and the expected result is a user or a group
respectively. This is needed because on POSIX a user and a group may
share numerically the same ID value but might have different SIDs
assigned.

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2571accd by Sumit Bose at 2018-06-08T13:25:06+02:00
cifs idmap plugin: use new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8ae68aa2 by Sumit Bose at 2018-06-08T13:25:08+02:00
winbind idmap plugin: use new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
54c040cb by Sumit Bose at 2018-06-08T13:25:11+02:00
libwbclient-sssd: use new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b8da03b4 by Sumit Bose at 2018-06-08T13:25:13+02:00
pysss_nss_idmap: add python bindings for new sss_nss_idmap calls

Related to https://pagure.io/SSSD/sssd/issue/3629

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
23c65bd2 by Jakub Hrozek at 2018-06-08T21:20:11+02:00
Updating the translations for the 1.16.2 release

- - - - -


28 changed files:

- + .copr/Makefile
- + .travis.yml
- + .travis/travis-docker-build.sh
- + .travis/travis-tasks.sh
- + Dockerfile
- + Dockerfile.deps
- Makefile.am
- configure.ac
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/rpm-spec-builddeps
- contrib/ci/run
- contrib/ci/sssd.supp
- contrib/fedora/make_srpm.sh
- contrib/gdb/sssd_gdb_plugin.py
- contrib/sssd.spec.in
- po/bg.po
- po/ca.po
- po/cs.po
- po/de.po
- po/es.po
- po/eu.po
- po/fr.po
- po/hu.po
- po/id.po
- po/it.po
- po/ja.po
- po/nb.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/7465d6a1ef6e83825dba3a4dc4dda7271671aba0...23c65bd29319abe90d1ba0bfa21ef2bb5d4e6844
