From gitlab at salsa.debian.org Wed Apr 3 08:05:35 2019
From: gitlab at salsa.debian.org (Timo Aaltonen)
Date: Wed, 03 Apr 2019 07:05:35 +0000
Subject: [Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 125 commits: Updating the version to track 1.16.4 development
Message-ID: <5ca45b3fc0ce4_20d73f86b27c6a508442e8@godard.mail>

Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd

Commits:
6bb137cd by Jakub Hrozek at 2018-08-12T13:36:54Z
Updating the version to track 1.16.4 development

- - - - -
a57d9ec0 by Jakub Hrozek at 2018-08-13T12:50:43Z
src/tests/python-test.py is GPLv3+

The following people touched the file:
    $ git log --format='%an <%ae>' src/tests/python-test.py | sort | uniq
    Bohuslav Kabrda <bkabrda at redhat.com>
    Fabiano Fidêncio <fidencio at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    René Genz <liebundartig at freenet.de>
    Stephen Gallagher <sgallagh at redhat.com>

All except René Genz are Red Hat employees and Rene agreed to use GPLv3+ for his contribution.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3badebcc by Jakub Hrozek at 2018-08-13T12:51:02Z
src/tests/intg/util.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/util.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>
    Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
e4864db4 by Jakub Hrozek at 2018-08-13T12:51:09Z
src/tests/intg/test_ts_cache.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_ts_cache.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Petr Čech <pcech at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
444b463f by Jakub Hrozek at 2018-08-13T12:51:13Z
src/tests/intg/test_sudo.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_sudo.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
a5422175 by Jakub Hrozek at 2018-08-13T12:51:18Z
src/tests/intg/test_sssctl.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_sssctl.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
25275890 by Jakub Hrozek at 2018-08-13T12:51:25Z
src/tests/intg/test_ssh_pubkey.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_ssh_pubkey.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
e92040a6 by Jakub Hrozek at 2018-08-13T12:51:30Z
src/tests/intg/test_session_recording.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_session_recording.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
33c668e3 by Jakub Hrozek at 2018-08-13T12:51:34Z
src/tests/intg/test_secrets.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_secrets.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Pavel Březina <pbrezina at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
7dc03ff9 by Jakub Hrozek at 2018-08-13T12:51:38Z
src/tests/intg/test_pysss_nss_idmap.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_pysss_nss_idmap.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Sumit Bose <sbose at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3ae7458a by Jakub Hrozek at 2018-08-13T12:51:43Z
src/tests/intg/test_pam_responder.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_pam_responder.py | sort | uniq
    Sumit Bose <sbose at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
62a1eb3b by Jakub Hrozek at 2018-08-13T12:51:47Z
src/tests/intg/test_pac_responder.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_pac_responder.py | sort | uniq
    Sumit Bose <sbose at redhat.com>

All people who touched the file are Red Hat employees and the file is original work

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
02008a01 by Jakub Hrozek at 2018-08-13T12:51:51Z
src/tests/intg/test_netgroup.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_netgroup.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Petr Cech <pcech at redhat.com>
    Sumit Bose <sbose at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
7283ee1d by Jakub Hrozek at 2018-08-13T12:51:59Z
src/tests/intg/test_memory_cache.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_memory_cache.py | sort | uniq
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>
    Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>
    Pavel Reichl <preichl at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
23df5989 by Jakub Hrozek at 2018-08-13T12:52:04Z
src/tests/intg/test_local_domain.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_local_domain.py | sort | uniq
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
5eee13a0 by Jakub Hrozek at 2018-08-13T12:52:09Z
src/tests/intg/test_ldap.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_ldap.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Justin Stephenson <jstephen at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Petr Čech <pcech at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
85486d23 by Jakub Hrozek at 2018-08-13T12:52:13Z
src/tests/intg/test_kcm.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_kcm.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    René Genz <liebundartig at freenet.de>

All except René Genz are Red Hat employees and Rene agreed to use GPLv3+ for his contribution.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
895524e6 by Jakub Hrozek at 2018-08-13T12:52:17Z
src/tests/intg/test_infopipe.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_infopipe.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
e7afe9f0 by Jakub Hrozek at 2018-08-13T12:52:23Z
src/tests/intg/test_files_provider.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_files_provider.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    René Genz <liebundartig at freenet.de>

All except René Genz are Red Hat employees and Rene agreed to use GPLv3+ for his contribution.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
c2296d02 by Jakub Hrozek at 2018-08-13T12:52:27Z
src/tests/intg/test_files_ops.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_files_ops.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
8cc67107 by Jakub Hrozek at 2018-08-13T12:52:34Z
src/tests/intg/test_enumeration.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/test_enumeration.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
85d939d6 by Jakub Hrozek at 2018-08-13T12:52:38Z
src/tests/intg/sssd_passwd.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/sssd_passwd.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
aa5f8174 by Jakub Hrozek at 2018-08-13T12:52:41Z
src/tests/intg/sssd_nss.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/sssd_nss.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
1f244c03 by Jakub Hrozek at 2018-08-13T12:52:46Z
src/tests/intg/sssd_netgroup.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/sssd_netgroup.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    René Genz <liebundartig at freenet.de>
    Sumit Bose <sbose at redhat.com>

All except René Genz are Red Hat employees and Rene agreed to use GPLv3+ for his contribution.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
44d637d0 by Jakub Hrozek at 2018-08-13T12:52:50Z
src/tests/intg/sssd_ldb.py is licensed under GPLv3+

    git log --format='%an <%ae>' src/tests/intg/sssd_ldb.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Petr Čech <pcech at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
8a1092b6 by Jakub Hrozek at 2018-08-13T12:52:54Z
src/tests/intg/sssd_id.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/sssd_id.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Pavel Březina <pbrezina at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
31f3f798 by Jakub Hrozek at 2018-08-13T12:52:57Z
src/tests/intg/sssd_group.py is licensed under GPLv3+

    git log --format='%an <%ae>' src/tests/intg/sssd_group.py | sort | uniq
    Fabiano Fidêncio <fidencio at redhat.com>
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
744ae1a0 by Jakub Hrozek at 2018-08-13T12:53:02Z
src/tests/intg/secrets.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/secrets.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b5c42f4c by Jakub Hrozek at 2018-08-13T12:53:07Z
src/tests/intg/ldap_local_override_test.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/ldap_local_override_test.py | sort | uniq
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>
    Pavel Reichl <preichl at redhat.com>
    René Genz <liebundartig at freenet.de>
    Sumit Bose <sbose at redhat.com>

All except René Genz are Red Hat employees and Rene agreed to use GPLv3+ for his contribution.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b94cf691 by Jakub Hrozek at 2018-08-13T12:53:11Z
src/tests/intg/ldap_ent.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/ldap_ent.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>
    Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>
    Petr Cech <pcech at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
fa125f1b by Jakub Hrozek at 2018-08-13T12:53:15Z
src/tests/intg/krb5utils.py is licensed under GPLv3+

    git log --format='%an <%ae>' src/tests/intg/krb5utils.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
89248d04 by Jakub Hrozek at 2018-08-13T12:53:19Z
src/tests/intg/kdc.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/kdc.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
bcbc2f26 by Jakub Hrozek at 2018-08-13T12:53:23Z
src/tests/intg/files_ops.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/tests/intg/files_ops.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
df5297fd by Jakub Hrozek at 2018-08-13T12:53:27Z
src/tests/intg/ent_test.py is licensed under GPLv3+

    git log --format='%an <%ae>' src/tests/intg/ent_test.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>
    Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
ce5a90b3 by Jakub Hrozek at 2018-08-13T12:53:30Z
src/tests/intg/ent.py is licensed under GPLv3+

    git log --format='%an <%ae>' src/tests/intg/ent.py | sort | uniq
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>
    Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
79f70d67 by Jakub Hrozek at 2018-08-13T12:53:34Z
src/tests/intg/ds_openldap.py is licensed under GPLv3+

    git log --format='%an <%ae>' src/tests/intg/ds_openldap.py | sort | uniq
    Jakub Hrozek <jhrozek at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    Michal Židek <mzidek at redhat.com>
    Nikolai Kondrashov <Nikolai.Kondrashov at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3ee03cfc by Jakub Hrozek at 2018-08-13T12:53:41Z
src/tests/intg/ds.py is licensed under GPLv3+

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
de47b660 by Jakub Hrozek at 2018-08-13T12:53:46Z
src/config/setup.py.in is licensed under GPLv3+

    git log --format='%an <%ae>' src/config/setup.py.in | sort | uniq
    Lukas Slebodnik <lslebodn at redhat.com>
    Stephen Gallagher <sgallagh at redhat.com>

All people who touched the file are Red Hat employees and the file is original work.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
02d23400 by Jakub Hrozek at 2018-08-13T12:53:53Z
src/config/SSSDConfig/ipachangeconf.py is licensed under GPLv3+

    $ git log --format='%an <%ae>' src/config/SSSDConfig/ipachangeconf.py | sort | uniq
    amitkuma <amitkuma at redhat.com>
    Bohuslav Kabrda <bkabrda at redhat.com>
    Jan Cholasta <jcholast at redhat.com>
    Lukas Slebodnik <lslebodn at redhat.com>
    René Genz <liebundartig at freenet.de>
    Stephen Gallagher <sgallagh at redhat.com>

All except René Genz are Red Hat employees and Rene agreed to use GPLv3+ for his contribution.

This file is not original work, but it is based on authconfig which is GPLv2+, so we can relicense to v3 just fine.
Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
9ba105f8 by Jakub Hrozek at 2018-08-13T12:54:39Z
Explicitly add GPLv3+ license blob to several files

In the absence of an explicit license blob in a file, the default GPLv3+ license applies, but it's better to be explicit.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
2b3b41da by Fabiano Fidêncio at 2018-08-13T12:55:41Z
man/sss_ssh_knownhostsproxy: fix typo pubkeys -> pubkey

In commit 36f2fe8f63 a discrepancy between the command line option and the manpage has been introduced.

Related: https://pagure.io/SSSD/sssd/issue/3542

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
86de91f9 by Lukas Slebodnik at 2018-08-13T13:26:57Z
krb5_locator: Make debug function internal

Merges: https://pagure.io/SSSD/sssd/pull-request/3786

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
276f2e34 by Lukas Slebodnik at 2018-08-13T13:27:12Z
krb5_locator: Simplify usage of macro PLUGIN_DEBUG

It should look like real function call

Merges: https://pagure.io/SSSD/sssd/pull-request/3786

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
09dc1d9d by Lukas Slebodnik at 2018-08-13T13:27:17Z
krb5_locator: Fix typo in debug message

Merges: https://pagure.io/SSSD/sssd/pull-request/3786

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
aefdf703 by Lukas Slebodnik at 2018-08-13T13:27:20Z
krb5_locator: Fix formatting of the variable port

Merges: https://pagure.io/SSSD/sssd/pull-request/3786

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
9680ac9c by Lukas Slebodnik at 2018-08-13T13:27:24Z
krb5_locator: Use format string checking for debug function

Merges: https://pagure.io/SSSD/sssd/pull-request/3786

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
93caaf29 by Lukas Slebodnik at 2018-08-13T14:15:55Z
PAM: Allow to configure pam services for Smartcards

Resolves: https://pagure.io/SSSD/sssd/issue/2926

Merges: https://pagure.io/SSSD/sssd/pull-request/3799

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e7e942ce by Jakub Hrozek at 2018-09-11T19:54:26Z
SELINUX: Always add SELinux user to the semanage database if it doesn't exist

Previously, we tried to optimize too much and only set the SELinux user to Linux user mapping in case the SELinux user was different from the system default. But this doesn't work for the case where the Linux user has a non-standard home directory, because then SELinux would not have any idea that this user's home directory should be labeled as a home directory.

This patch relaxes the optimization in the sense that on the first login, the SELinux context is saved regardless of whether it is the same as the default or different.

Resolves: https://pagure.io/SSSD/sssd/issue/3819

Reviewed-by: Michal Židek <mzidek at redhat.com>
(cherry picked from commit 945865ae16120ffade267227ca48cefd58822fd2)

- - - - -
3dc88534 by Sumit Bose at 2018-09-19T09:59:28Z
intg: flush the SSSD caches to sync with files

To make sure that SSSD has synced with the latest data added to the passwd file sss_cache is called in two places where the current sync scheme was not reliable. This was mainly observed when running the integration tests on Debian.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 1e2398870e8aa512ead3012d46cbe6252429467a)

- - - - -
2d928610 by Pavel Březina at 2018-09-19T09:59:34Z
sudo: respect case sensitivity in sudo responder

If the domain is not case sensitive and the case of the original user or group name differs from the name in the rule we failed to find the rule.

Now we filter the rule only with lower cased values in such domain.

Steps to reproduce:
1. Add user/group with upper case, e.g. USER-1
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
3. Login to system with lower case, e.g. user-1
4. Run sudo -l

Without the patch, rule is not found.
Resolves: https://pagure.io/SSSD/sssd/issue/3820

Reviewed-by: Michal Židek <mzidek at redhat.com>
(cherry picked from commit d7f0b58e2896ed2ef9ed5a390815c1e4df6caaee)

- - - - -
bca19357 by Jakub Hrozek at 2018-10-03T09:28:28Z
pep8: Ignore W504 and W605 to silence warnings on Debian

This code:
    pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
                     "parameters=configdir='sql:" + config.ABS_BUILDDIR +
                     "/../test_CA/p11_nssdb' " +
                     "dbSlotDescription='SSSD Test Slot' " +
                     "dbTokenDescription='SSSD Test Token' " +
                     "secmod='secmod.db' flags=readOnly)\n\n")
    pkcs11_txt.close()

Was producing warnings such as:
    ./src/tests/intg/test_pam_responder.py:143:22: W504 line break after binary operator

Even though it looks OK visually and conforms to pep8's written form.

Additionally, this regular expression compilation:
    Template = re.compile(
        ' *<template name="(\S+)">(.*?)</template>\r?\n?',
        re.MULTILINE | re.DOTALL
    )

Was producing a warning such as:
    ./src/sbus/codegen/sbus_Template.py:156:29: W605 invalid escape sequence '\S'

Since the \S literal is part of a regular expression, let's suppress this warning as well.

Reviewed-by: Michal Židek <mzidek at redhat.com>
(cherry picked from commit ec7665973936897ab6be58308e655f08d91bec5c)

- - - - -
720a423a by Pavel Březina at 2018-11-22T21:52:38Z
nss: use enumeration context as talloc parent for cache req result

Otherwise we end up with memory leak since the result is never freed.

We need to convert nctx->*ent structures into talloc pointer so we can use enum_ctx as parent.
Resolves: https://pagure.io/SSSD/sssd/issue/3870

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 406b731ddfbeb62623640cc37a7adc76af0a4b22)

- - - - -
876f1cb8 by Jakub Hrozek at 2018-11-26T20:43:09Z
LDAP: minor refactoring in auth_send() to conform to our coding style

Related: https://pagure.io/SSSD/sssd/issue/3451

A tevent _send() function should only return NULL on ENOMEM, otherwise it should mark the request as failed but return the req pointer. This was not much of an issue, before, but the next patch will add another function call to the auth_send call which would make error handling awkward.

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 09091b4b60456a989ecc8c3b6f76661a14c108ba)

- - - - -
7eb18ab6 by Jakub Hrozek at 2018-11-26T20:43:09Z
LDAP: Only authenticate the auth connection if we need to look up user information

Related: https://pagure.io/SSSD/sssd/issue/3451

Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451 by using the full sdap_cli_connect() request during LDAP authentication. This was a good idea as it addressed the case where the authentication connection must also look up some user information (typically with id_provider=proxy where you don't know the DN to bind as during authentication), but this approach also broke the use-case of id_provider=ldap and auth_provider=ldap with ldap_sasl_auth=gssapi.

This is because (for reason I don't know) AD doesn't like if you use both GSSAPI and startTLS on the same connection. But the code would force TLS during the authentication as a general measure to not transmit passwords in the clear, but then, the connection would also see that ldap_sasl_auth=gssapi is set and also bind with GSSAPI.

This patch checks if the user DN is already known and if yes, then doesn't authenticate the connection as the connection will then only be used for the user simple bind.
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 57fc60c9dc77698cf824813c36eb0f90d767b315)

- - - - -
1a7c6ab6 by Sumit Bose at 2018-11-26T20:43:09Z
LDAP: Log the encryption used during LDAP authentication

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 6f113c7ddeaa5c82558e10118b499d22bf7a2b14)

- - - - -
4d3841ca by Lukas Slebodnik at 2018-11-26T21:04:19Z
UTIL: Fix compilation with curl 7.62.0

The macro CURLE_SSL_CACERT is deprecated in upstream curl since commit 3f3b26d6feb0667714902e836af608094235fca2.

    commit 3f3b26d6feb0667714902e836af608094235fca2
    Author: Han Han <hhan at thousandeyes.com>
    Date: Wed Aug 22 11:13:32 2018 -0700

        ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code

        Long live CURLE_PEER_FAILED_VERIFICATION

    sh$ git tag --contains 3f3b26d6feb0667714902e836af608094235fca2
    curl-7_62_0

It was not removed. It is just an alias to CURLE_PEER_FAILED_VERIFICATION which causes compile time failures in switch/case.

    ./src/util/tev_curl.c: In function 'curl_code2errno':
    ./src/util/tev_curl.c:113:5: error: duplicate case value
         case CURLE_PEER_FAILED_VERIFICATION:
         ^~~~
    ./src/util/tev_curl.c: 100:5: note: previously used here
         case CURLE_SSL_CACERT:
         ^~~~

Merges: https://pagure.io/SSSD/sssd/pull-request/3878

Resolves: https://pagure.io/SSSD/sssd/issue/3875

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1ee12b05570fcfb8e4190c9ec704c5563138344d)

- - - - -
e80e869a by Lukas Slebodnik at 2018-11-26T21:04:26Z
test_pac_responder: Skip test if pac responder is not installed

Merges: https://pagure.io/SSSD/sssd/pull-request/3881

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4f824eca24e185e6463167b7bcc20d1398c60414)

- - - - -
de7f8773 by Lukas Slebodnik at 2018-11-26T21:04:33Z
INTG: Show extra test summary info with pytest

It will show reasons why tests were skipped.

e.g.
    ====================== test session starts ========================
    platform linux -- Python 3.7.1, pytest-3.9.3, py-1.5.4, pluggy-0.7.1 -- /usr/bin/python3
    cachedir: .pytest_cache
    rootdir: /dev/shm/sssd/src/tests/intg, inifile:
    collected 286 items / 285 deselected

    test_pac_responder.py::test_multithreaded_pac_client SKIPPED [100%]
    ==================== short test summary info ======================
    SKIP [1] test_pac_responder.py:108: No PAC responder, skipping

Merges: https://pagure.io/SSSD/sssd/pull-request/3881

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit fdbe67a88d1894471031b0aabc74bd1b29eef294)

- - - - -
517fe071 by Lukas Slebodnik at 2018-11-26T21:04:55Z
CI: Modify suppression file for c-ares-1.15.0

Valgrind does not generate full stack trace for errors. It is just limited amount of frames. Therefore we cannot see main function with the new c-ares.

The suppression file generated with c-ares-1.14.0
    {
       <insert_a_suppression_name_here>
       Memcheck:Leak
       match-leak-kinds: possible
       fun:malloc
       fun:strdup
       fun:ares_init_options
       fun:recreate_ares_channel
       fun:resolv_init
       fun:be_res_init
       fun:be_res_init
       fun:be_init_failover
       fun:test_ipa_server_create_trusts_setup
       obj:/usr/lib64/libcmocka.so.0.5.1
       fun:_cmocka_run_group_tests
       fun:main
    }

The suppression file generated with c-ares-1.15.0
    {
       <insert_a_suppression_name_here>
       Memcheck:Leak
       match-leak-kinds: possible
       fun:malloc
       fun:strdup
       obj:/usr/lib64/libcares.so.2.3.0
       obj:/usr/lib64/libcares.so.2.3.0
       fun:ares_init_options
       fun:recreate_ares_channel
       fun:resolv_init
       fun:be_res_init
       fun:be_res_init
       fun:be_init_failover
       fun:test_ipa_server_create_trusts_setup
       obj:/usr/lib64/libcmocka.so.0.5.1
       fun:_cmocka_run_group_tests
    }

Merges: https://pagure.io/SSSD/sssd/pull-request/3884

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit f02714d6f0f5d9cdd504d5f0527849a6d6b88fab)

- - - - -
9e858795 by Sumit Bose at 2018-11-26T21:05:15Z
BUILD: Accept krb5 1.17 for building the PAC plugin

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 53e6fdfd881f051898e85448832eafdd2ea09454)

- - - - -
d1c93080 by Sumit Bose at 2018-11-26T21:05:21Z
tests: fix mocking krb5_creds in test_copy_ccache

To just test some ccache related functionality without talking to an actual KDC to get the tickets some needed libkrb5 structs were mocked based on tests from the MIT Kerberos source code.

One struct member (is_skey) was so far not regarded by libkrb5 for our test case. But a recent fix for http://krbdev.mit.edu/rt/Ticket/Display.html?id=8718 changed this and we have to change the mocking.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 08bba3a6e3e4e21f2e20b71cca463d50420aa9ee)

- - - - -
19e6c50d by Sumit Bose at 2018-11-26T21:05:31Z
tests: increase p11_child_timeout

With recent version of valgrind some tests failed during a CI run with a timeout. To avoid this the related p11_child_timeout is increased for the affected tests.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 1617f3e3dc90788ef50bbc7948c3870d08cc9c2d)

- - - - -
d33ec644 by Sumit Bose at 2018-12-11T21:35:11Z
Revert "IPA: use forest name when looking up the Global Catalog"

This reverts commit 149174acae677d1e72a0da431bf0850d55f2ccb4.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 9096fc01cca8fcaeb19c36a27f3a9fa09d60772a)

- - - - -
74568bdd by Sumit Bose at 2018-12-11T21:35:11Z
ipa: use only the global catalog service of the forest root

While creating the domains and sub-domains each domain gets a global catalog services assigned but only one should be used because the global catalog is by definition responsible for the whole forest so it does not make sense to use a global catalog service for each domain and in the worst case connect to the same GC multiple times.

In the AD provider this is simple because the GC service of the configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used.
In the IPA case all domains from the trusted forest are on the level of sub-domains so we have to pick one. Since the forest root is linked from all domain of the same forest it will be the most straight forward choice.

Related to https://pagure.io/SSSD/sssd/issue/3902

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 62d671b874a66101c0f4bff39fc6d7f49cb8fca6)

- - - - -
28792523 by Tomas Halman at 2018-12-11T21:58:26Z
nss: sssd returns '/' for empty home directories

For empty home directory in passwd file sssd returns "/". Sssd should respect system behaviour and return the same as nsswitch "files" module - return empty string.

Resolves: https://pagure.io/SSSD/sssd/issue/3901

Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49)

- - - - -
8e6c52f6 by Lukas Slebodnik at 2019-01-29T19:59:18Z
sss_cache: Do not fail for missing domains

The conf.db needn't exist (sssd has never been started) and in such situation sss_cache failed when trying to invalidate all entries. There is nothing to invalidate and therefore we are already in state which we want to achieve with calling sss_cache. No reason to fail.

Resolves: https://pagure.io/SSSD/sssd/issue/3919

Merges: https://pagure.io/SSSD/sssd/pull-request/3926

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 88c0c3fcd1d97bd499bb28c2065ba19d629fa4f7)

- - - - -
0a27a471 by Lukas Slebodnik at 2019-01-29T19:59:19Z
intg: Add test for sss_cache & shadow-utils use-case

Related to: https://pagure.io/SSSD/sssd/issue/3919

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
(cherry picked from commit 325df4acae303efeabd96d2247fb5799c728536a)

- - - - -
498aaac2 by Lukas Slebodnik at 2019-01-29T19:59:19Z
sss_cache: Do not fail if nothing was cached

It might happen that we have some domains in conf.db but nothing has been cached yet.
sss_cache failed in such situation, bash-4.4# sss_cache -E No cache object matched the specified search bash-4.4# echo $? 2 Because there is nothing to invalidate and so we are already in state which we want to achieve with calling sss_cache. There is no reason to fail. We will still fail for invalidating particular entry. User might have a typo in the name and should be informed about possible mistake. bash-4.4# sss_cache -u test_user No cache object matched the specified search bash-4.4# echo $? 2 Resolves: https://pagure.io/SSSD/sssd/issue/3919 Merges: https://pagure.io/SSSD/sssd/pull-request/3926 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 71475f1ed78a65d78f75e5ca0fdc6e20cfdf2f39) - - - - - 7983826c by Lukas Slebodnik at 2019-01-29T19:59:19Z test_sss_cache: Add test case for invalidating missing entries Related to: https://pagure.io/SSSD/sssd/issue/3919 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 415094687e92789060626176c5ced31d4122692d) - - - - - 088eb545 by Lukas Slebodnik at 2019-01-29T20:12:27Z pyhbac-test: Do not use assertEquals src/tests/pyhbac-test.py:163: DeprecationWarning: Please use assertEqual instead. self.assertEquals(el.__repr__(), u'<category 0 names [] groups []>') src/tests/pyhbac-test.py:169: DeprecationWarning: Please use assertEqual instead. u'<category 1 names [foo] groups [bar, baz]>') Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 9b06c750b66ac675d3be19b15a60888153f11758) - - - - - b27ab9e7 by Lukas Slebodnik at 2019-01-29T20:12:27Z SSSDConfigTest: Do not use assertEquals src/config/SSSDConfigTest.py:88: DeprecationWarning: Please use assertEqual instead. self.assertEquals(new_options['debug_level'][0], int) src/config/SSSDConfigTest.py:91: DeprecationWarning: Please use assertEqual instead. 
self.assertEquals(new_options['command'][0], str) src/config/SSSDConfigTest.py:94: DeprecationWarning: Please use assertEqual instead. self.assertEquals(new_options['reconnection_retries'][0], int) + many more Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit c4db34c17a415abff585632d3f7547392e564cc2) - - - - - 07d7eeae by Lukas Slebodnik at 2019-01-29T20:12:27Z SSSDConfig: Fix ResourceWarning unclosed file /usr/lib64/python3.7/unittest/case.py:763: ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/sssd-invalid.conf' mode='r' encoding='UTF-8'> context = None ResourceWarning: Enable tracemalloc to get the object allocation traceback /usr/lib64/python3.7/unittest/case.py:763: ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/noparse.api.conf' mode='r' encoding='UTF-8'> context = None ResourceWarning: Enable tracemalloc to get the object allocation traceback Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 769dc244771db5aebeada2f45fbb284b8076cc42) - - - - - 3c0213fe by Lukas Slebodnik at 2019-01-29T20:12:27Z SSSDConfigTest: Remove usage of failUnless src/config/SSSDConfigTest.py:1855: DeprecationWarning: Please use assertTrue instead. self.failUnless(domain.get_name() in sssdconfig.list_domains()) src/config/SSSDConfigTest.py:1856: DeprecationWarning: Please use assertTrue instead. self.failUnless(domain.get_name() in sssdconfig.list_inactive_domains()) src/config/SSSDConfigTest.py:1585: DeprecationWarning: Please use assertTrue instead. 
self.failUnless(service.get_name() in sssdconfig.list_services()) Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 21bba050994aa59ab275a99dfa711b36d2900ebb) - - - - - 8f0a2acd by Lukas Slebodnik at 2019-01-29T20:18:35Z BUILD: Fix condition for building sssd-kcm man page Merges: https://pagure.io/SSSD/sssd/pull-request/3928 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 39b3b0e4a90d0624040319a177ebcb81568fc1b9) - - - - - 9e6a2248 by Lukas Slebodnik at 2019-01-29T20:27:33Z NSS: Do not use deprecated header files In file included from src/util/cert/nss/cert.c:26: /usr/include/nss3/key.h:9:9: note: #pragma message: key.h is deprecated. Please include keyhi.h instead. #pragma message("key.h is deprecated. Please include keyhi.h instead.") ^~~~~~~ Merges: https://pagure.io/SSSD/sssd/pull-request/3930 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit afd23bd7fbb3dad0e80d9e77e94ca2abf67d19b0) - - - - - 6c808477 by Lukas Slebodnik at 2019-02-05T21:40:12Z sss_cache: Fail if unknown domain is passed in parameter If sss_cache is called with --domain parameter we should fail in case of unknown domain. It might be a typo and user should know about such case. 
Resolves: https://pagure.io/SSSD/sssd/issue/3919 Merges: https://pagure.io/SSSD/sssd/pull-request/3940 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 2de3c5fb2490da0dabed0de498a8296db85a1e61) - - - - - 3ec716bb by Lukas Slebodnik at 2019-02-05T21:40:12Z test_sss_cache: Add test case for wrong domain in parameter Related to: https://pagure.io/SSSD/sssd/issue/3919 Merges: https://pagure.io/SSSD/sssd/pull-request/3940 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 159a2316b8d5560da5264022c598f1072f21bdba) - - - - - d6ed04f0 by Alexey Tikhonov at 2019-02-06T14:47:39Z Fix error in hostname retrieval Fix off-by-one error in gethostname() param Resolves: https://pagure.io/SSSD/sssd/issue/3865 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 170625872a7d53c182ef095b4e5cba29f632c0c4) - - - - - acce0326 by Alexey Tikhonov at 2019-02-10T20:24:10Z lib/cifs_idmap_sss: fixed unaligned mem access Fixed following warning: ``` lib/cifs_idmap_sss/cifs_idmap_sss.c: In function ‘sss_sid_to_id’: lib/cifs_idmap_sss/cifs_idmap_sss.c:221:47: warning: taking address of packed member of ‘struct cifs_uxid’ may result in an unaligned pointer value [-Waddress-of-packed-member] err = sss_nss_getidbysid(sid, (uint32_t *)&cuxid->id.uid, &id_type); ``` Actually there are two issues: 1) Packed `cifs_uxid::id.uid` may be unaligned thus generating run time error on some architectures (as compiler complains); 2) In theory size of `uid_t` may be different than size of `uint32_t` thus resulting in corruption of `cifs_uxid` content. Proposed patch is not ideal due to `(uid_t)uid` cast but solves most of issues with minimal effort. Proper solution would require patching of `sss_nss_getidbysid()` and all underlying functions for no good reason. 
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 12f74f8c98fac6a7eeb3937f623949bcb3adb547) - - - - - 0a27fba0 by Sumit Bose at 2019-02-16T21:59:45Z utils: make N_ELEMENTS public The calculation of the size of an array is used in the main code as well, so it makes sense to move N_ELEMENTS to a common header to use it more often. Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit e32920a9c7998476b596507762b28fcf81f6a456) - - - - - 911d7bb5 by Sumit Bose at 2019-02-16T21:59:45Z ad: replace ARRAY_SIZE with N_ELEMENTS ARRAY_SIZE is taken from the Samba header file memory.h which is not available as a public header in newer Samba versions anymore. This patch replaces it with an internal macro. Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit e1ff063ffa4ad459bd0c8a9da56abf8379401dbe) - - - - - 31637fdf by Tomas Halman at 2019-02-16T22:26:37Z ssh: sssd_ssh fails completely on p11_child timeout When p11_child fails or timeout is reached, ssh login fails. With this patch sssd_ssh proceeds to ssh key and password login. Resolves: https://pagure.io/SSSD/sssd/issue/3937 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit e1755a00faf993e50db5dafa7671d88456a2a0ad) - - - - - 340de230 by Tomas Halman at 2019-02-16T22:26:37Z ssh: p11_child error message is too generic We have only one error code for p11_child error. With this patch new error ERR_P11_CHILD_TIMEOUT is introduced. It is then used for better log message. 
Resolves: https://pagure.io/SSSD/sssd/issue/3937 Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 52c8336137a97af4843ff8074e7b3478f766f6d8) - - - - - db06ec55 by mateusz at 2019-02-16T22:30:21Z Added note about default value of ad_gpo_map_batch parameter Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 938dd6c1a7ba3bc89e2f298365fbf378b82d6649) - - - - - 5e70cf56 by Thorsten Scherf at 2019-02-20T20:49:55Z CONFIG: add missing ldap attributes for validation https://pagure.io/SSSD/sssd/issue/3961 This patch adds missing 'ldap_host_*' attributes for config validation. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> (cherry picked from commit 85e363086fb7fd859c9b2eda408ec83addd79008) - - - - - c96a3829 by Michal Židek at 2019-02-22T15:08:21Z GPO: Add gpo_implicit_deny option This option (when set to True) can be used to deny access to users even if there is not applicable GPO. Normally users are allowed access in this situation. Resolves: https://pagure.io/SSSD/sssd/issue/3701 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 3bd67c772c951f33422261ef658a104ccecc9561) - - - - - 8ba47275 by Victor Tapia at 2019-02-26T21:46:44Z GPO: Allow customization of GPO_CROND per OS For both Debian and Ubuntu, the cron PAM service is named "cron" instead of "crond", denying the use of the service by default. This patch enables the HAVE_$OS (HAVE_DEBIAN/HAVE_FEDORA...) macros to select the service name during build, allowing further customization if required. 
Resolves: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit bc65ba9a07a924a58b13a0d5a935114ab72b7524) - - - - - 38240086 by Sumit Bose at 2019-02-26T21:48:43Z responder: fix domain lookup refresh timeout Currently the timeout to check for new domains is reset whenever there is a request with an unknown domain name. If those requests happen more than once a minute (the default timeout) the timeout is always reset before it can expire and as a result the domain list is never refreshed. If SSSD starts offline with an empty domain list the NSS responder might never be able to resolve sub-domain users or groups even if the backend has switched to the online state and already refreshed the domain list. Related to https://pagure.io/SSSD/sssd/issue/3967 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit c01364341f22262ebc2012b102be872ec3f8bdf4) - - - - - 8ffc64c1 by Sumit Bose at 2019-02-26T21:53:45Z ldap: add get_ldap_conn_from_sdom_pvt Related: https://pagure.io/SSSD/sssd/issue/2474 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit eaece8b2e360a9433573e9cdd09f2ab73995c55a) - - - - - 0b5a3596 by Sumit Bose at 2019-02-26T21:53:45Z ldap: prefer LDAP port during initgroups user lookup The first step of an initgroups request is to lookup the user. When using the AD provider the Global Catalog will be the preferred source. But not all LDAP attributes of the user might be replicated to the Global Catalog and as a result some of the missing attributes might be removed from the cached user object. 
Related to https://pagure.io/SSSD/sssd/issue/2474 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit b2352a01f86f7c3d6fa4e405069383df9b1b84cb) - - - - - f80dad68 by Sumit Bose at 2019-02-26T21:53:45Z ldap: use get_ldap_conn_from_sdom_pvt() where possible Currently when trying to prefer LDAP port lookups over Global Catalog searches some AD specific structs are needed in the common LDAP provider code. By using get_ldap_conn_from_sdom_pvt() this can be avoided and all AD specific details are handled inside sdap_async_initgroups_ad.c now. Related to https://pagure.io/SSSD/sssd/issue/2474 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 3cb9a3db92247e02087f1dcd2af54fd083738646) - - - - - 1791eed5 by Sumit Bose at 2019-02-26T22:03:19Z krb5_locator: always use port 88 for master KDC If the kpasswdinfo file exists and the found IP address includes a port number as well the master KDC lookup will use this port number which is most probably wrong. Better use the default port 88 always for master KDC lookups. This patch also updates the man page for the locator plugin which was quite outdated. Related to https://pagure.io/SSSD/sssd/issue/3958 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 05350abdf2ab98770ca296b9485578218644a2a7) - - - - - 118c44f9 by Jakub Hrozek at 2019-02-26T22:10:19Z NSS: Avoid changing the memory cache ownership away from the sssd user Resolves: https://pagure.io/SSSD/sssd/issue/3890 In case SSSD is compiled --with-sssd-user but run as root (which is the default on RHEL and derivatives), then the memory cache will be owned by the user that sssd_nss runs as, so root. This conflicts with the packaging which specifies sssd.sssd as the owner. And in turn, this means that users can't reliably assess the package integrity using rpm -V. This patch makes sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root. 
Also, this patch changes the sssd_nss responder so that it becomes a member of the supplementary sssd group. Even though in traditional UNIX sense, a process running as root could write to a file owned by sssd:sssd, with SELinux enforcing mode this becomes problematic as SELinux emits an error such as: type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability To make it possible for the sssd_nss process to write to the files, the files are also made group-writable. The 'others' permission is still set to read only. Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit 61e4ba58934b20a950255e05797aca25aadc1242) - - - - - 28051216 by Lukas Slebodnik at 2019-02-26T22:18:18Z test_files_provider: Do not use pytest fixtures as functions test_files_provider.py::test_getpwnam_after_start src/tests/intg/test_files_provider.py:344: RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. src/tests/intg/test_files_provider.py:362: RemovedInPytest4Warning: Fixture "group_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. 
return setup_gr_with_list(request, [GROUP1, CANARY_GR]) Resolves: https://pagure.io/SSSD/sssd/issue/3942 Merges: https://pagure.io/SSSD/sssd/pull-request/3953 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 686a8f5f1de8447aedd3c65715ff40118bb9908f) - - - - - 0fb6543e by Lukas Slebodnik at 2019-02-26T22:18:18Z test_ldap: Do not use pytest fixtures as functions test_ldap.py::test_local_negative_timeout_enabled_by_default /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827: RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. res = fixturefunc(**kwargs) /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827: RemovedInPytest4Warning: Fixture "group_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. res = fixturefunc(**kwargs) /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827: RemovedInPytest4Warning: Fixture "user_and_group_rfc2307" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. Resolves: https://pagure.io/SSSD/sssd/issue/3942 Merges: https://pagure.io/SSSD/sssd/pull-request/3953 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 948cd08cd91cda79f6afa96f99241f26d84bf1bc) - - - - - 688134ee by Lukas Slebodnik at 2019-02-26T22:23:11Z Revert "intg: Generate tmp dir with lowercase" This reverts commit 929bb1170931d7aafac4dc0572ce18747c919a56. It is already fixed in upstream. Combination of python-urllib3-1.24 and python-requests-2.19 works well. 
Resolves: https://pagure.io/SSSD/sssd/issue/3276 Merges: https://pagure.io/SSSD/sssd/pull-request/3952 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 5773463361bacd69c816ddc46a4fc069db7bd0f7) - - - - - f4416173 by Lukas Slebodnik at 2019-02-26T22:26:02Z ent_test: Update assertions for python 3.7.2 pwd and grp modules return different string in KeyError since python 3.7.2 sh-4.4$ python3 --version Python 3.7.1 sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");' Traceback (most recent call last): File "<string>", line 1, in <module> KeyError: 'getgrnam(): name not found: non-exist' sh-4.4$ python3 --version Python 3.7.2 sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");' Traceback (most recent call last): File "<string>", line 1, in <module> KeyError: "getgrnam(): name not found: 'non-exist'" Merges: https://pagure.io/SSSD/sssd/pull-request/3951 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 54d7175d018792fc676201bd1b9772b268f14922) - - - - - 6bb46a67 by Sumit Bose at 2019-03-14T21:12:00Z NEGCACHE: initialize UPN negative cache as well UPNs are handled separately in the negative cache. To properly filter user names even in the case of the fallback to a UPN lookup the negative cache for UPNs has to be initialized with the names from the filter_user option as well. If the name from the option is a short name it will be added to the negative UPN cache for each domain with the respective domain name. If the name from the option is fully-qualified it will be added as is to the negative UPN cache for each domain. 
Related to https://pagure.io/SSSD/sssd/issue/3978 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 2f5aca39b5b473259cd43e6b93246ff218a2b177) - - - - - 720907dd by Sumit Bose at 2019-03-14T21:12:00Z NEGCACHE: fix typo in debug message Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 6b93ee699cef2f24a5d96a187fcd9ece5f2e29f4) - - - - - faede6d2 by Sumit Bose at 2019-03-14T21:12:00Z NEGCACHE: repopulate negative cache after get_domains If SSSD starts offline the responders might only know about the configured domain because the sub-domains have not been discovered yet. As a result the permanent negative cache is only populated for the configured domain. If later the system goes online and the sub-domains are discovered or a new sub-domain was discovered at runtime the permanent negative cache is currently not created for those domains. This patch repopulates the negative cache for all known domains to the end of the get_domains request. Related to https://pagure.io/SSSD/sssd/issue/3983 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 640edac4287ccbd373fb0b5711b49cfb076bf6e0) - - - - - 2fb5be47 by Alexey Tikhonov at 2019-03-14T21:19:58Z ci/sssd.supp: fixed c-ares-suppress-leak-from-init Valgrind suppression pattern was adjusted to prevent fails on some target OS. Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> - - - - - 486b5523 by Pavel Březina at 2019-03-14T21:23:13Z netgroups: honor cache_refresh_percent The value of cache refresh percent was not passed to cache_req. Steps to reproduce: 1. Configure SSSD like so: ```ini [nss] entry_cache_nowait_percentage=10 memcache_timeout=0 [domain/mydomain] entry_cache_timeout = 30 ``` 2. Run SSSD 3. Fetch netgroup for the first time 4. Wait 15 seconds (midpoint refresh will be triggered from 10-29 seconds interval) 5. 
Fetch netgroup again, see in logs that midpoint refresh was triggered Resolves: https://pagure.io/SSSD/sssd/issue/3947 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit ce8a607c1e6bd418e651e3d90a7e1196477c0b39) - - - - - 4c1b2d4d by Jakub Hrozek at 2019-03-19T22:02:32Z TESTS: Only use __wrap_sss_ncache_reset_repopulate_permanent to finish test if needed Resolves: https://pagure.io/SSSD/sssd/issue/3986 Reviewed-by: Pavel Březina <pbrezina at redhat.com> - - - - - 6ff01196 by Alexey Tikhonov at 2019-03-19T22:07:24Z negcache: avoid "is_*_local" calls in some cases "use_local_negative" argument of `sss_ncache_set_str()` function only makes sense in case of non permanent record. So it is possible to avoid blocking (and thus dangerous) "is_local*()" calls in case "permanent == true" Resolves: https://pagure.io/SSSD/sssd/issue/3963 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit ddc49401bed931f48c8658b8e3a53555206466b1) - - - - - cca33946 by Sumit Bose at 2019-03-19T22:21:05Z ldap: add users_get_handle_no_user() If a user is not found on the server anymore but still has a cache entry this entry should be removed. The code to remove a group is already moved into a separate function groups_get_handle_no_group(). With this patch the code to remove a user is moved into a similar function so that it can be reused at other places. Related to https://pagure.io/SSSD/sssd/issue/3984 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit b1d288bf44c41a3f37c2c23630cf007ea47bb163) - - - - - 19fbcd1d by Sumit Bose at 2019-03-19T22:21:05Z ldap: make groups_get_handle_no_group() public To make groups_get_handle_no_group() reusable it has to be made public and has to get a proper interface. 
Related to https://pagure.io/SSSD/sssd/issue/3984 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit e8b2f0daebdac852e32317a1b219f3c754c67573) - - - - - c3821674 by Sumit Bose at 2019-03-19T22:21:05Z ipa s2n: fix typo Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 89d896208885694e7b951e47158d8c0dbba0e300) - - - - - b424c8a1 by Sumit Bose at 2019-03-19T22:21:05Z ipa s2n: do not add UPG member Currently the IPA provider uses user private groups for users from trusted AD domains with automatic ID-mapping. Here a single cached user object is used for both user and group. Since the user private group is the primary group of the user it is expected that there is no explicit member attribute. While processing the group membership on an IPA client the user private group is treated as ordinary group and a member attribute is added. As a result the user cannot be deleted anymore due to an error caused by the memberOf plugin because there is a member attribute without a matching memberOf. This patch makes sure user private groups are skipped. Related to https://pagure.io/SSSD/sssd/issue/3984 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 5d50621c7a38ad80561777fe7ac7208190fde8f1) - - - - - 3bed774e by Sumit Bose at 2019-03-19T22:21:05Z ipa s2n: try to remove objects not found on the server If the server returns that the search object does not exist we should try to remove it from the cache if it still has an entry. Related to https://pagure.io/SSSD/sssd/issue/3984 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 50641d4e385eee09d93df659dca9c914e4874c97) - - - - - 5b0bb56a by Alexey Tikhonov at 2019-03-19T22:28:14Z Monitor: changed provider startup timeout `monitor_service_init()` allows 10 secs for any connected sbus client to proceed with registration. It makes sense to allow overall provider startup timeout to be slightly greater. 
Resolves: https://pagure.io/SSSD/sssd/issue/3969 Reviewed-by: Pavel Březina <pbrezina at redhat.com> - - - - - 96e4d713 by Tomas Halman at 2019-03-19T22:37:59Z krb5_locator: Allow hostname in kdcinfo files Currently we support only IP addresses in kdcinfo files. We need to resolve eventual dns name and then we have to iterate through list of addresses because hostname can be resolved that way, including IPv4 and IPv6 addresses. Resolves: https://pagure.io/SSSD/sssd/issue/3973 Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit 63ccbfe00f7519081a8d25bda4cd8f5bd9f46f35) - - - - - 93a3a20b by Pavel Březina at 2019-03-19T22:54:00Z sdap: add sdap_modify_passwd_send to modify userPassword with ldap_modify instead of exop. Resolves: https://fedorahosted.org/sssd/ticket/1314 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit cdd0fd0b9b4c9e0347266fd1d607f76608df59b1) - - - - - be591f08 by Pavel Březina at 2019-03-19T22:54:14Z sdap: add ldap_pwmodify_mode option Resolves: https://pagure.io/SSSD/sssd/issue/1314 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit f81379c62a8f43659e24fcf2458137499c31d255) - - - - - 8d6fa496 by Pavel Březina at 2019-03-19T22:54:21Z sdap: split password change to separate request so it can be later extended to another method. Resolves: https://fedorahosted.org/sssd/ticket/1314 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit cf1d7ff79696d1150bc2690be2c4d9f7a9dd04fc) - - - - - 0a52934c by Pavel Březina at 2019-03-19T22:54:21Z sdap: use ldap_pwmodify_mode to change password Resolves: https://pagure.io/SSSD/sssd/issue/1314 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 7234e68d1c9e447b0752a17c6cd94003233b45c5) - - - - - e2f00aea by Pavel Březina at 2019-03-19T23:02:56Z sudo ipa: do not store rules without sudoHost attribute Unless it is cn=defaults. 
This was already fixed in LDAP provider with: 47ad0778be72994a2294b2e73cc5c670be6811a7 Resolves: https://pagure.io/SSSD/sssd/issue/3980 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> (cherry picked from commit 3b0ff2972bb18cb82259051abba9d47d0ffe3e90) - - - - - 15f01777 by Jakub Hrozek at 2019-03-20T15:08:32Z UTIL: Add a is_domain_mpg shorthand Instead of looking into the domain structure directly, add a sss_domain_is_mpg() function. This will make sense when we add a third state instead of the boolean that will also be mpg-like. Related: https://pagure.io/SSSD/sssd/issue/3822 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit 37547802007322bbe4c0a522d4bc6d9f7d5fe5ae) - - - - - e01473aa by Jakub Hrozek at 2019-03-20T15:13:36Z UTIL: Convert bool mpg to an enum mpg_mode Instead of bool mpg inside struct sss_domain_info, let's introduce enum mpg_mode that currently maps pretty much 1:1 to the boolean. In future patches, a third value will be added. Also adds a getter for the mpg_mode value because we want to discourage getting or setting the value directly. Instead, the sss_domain_info structure should be opaque in the future. Related: https://pagure.io/SSSD/sssd/issue/3822 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit 7c83450aba0a89890d1f15079978ae8b2a788a68) - - - - - e0c34a68 by Jakub Hrozek at 2019-03-20T15:16:46Z CONFDB: Read auto_private_groups as string, not bool In preparation to adding the third value of auto_private_groups, this patch reads the confdb value as string and checks for the option values on its own. Related: https://pagure.io/SSSD/sssd/issue/3822 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit fae57dba3c3a9de539676712faaeeb2280112cab) - - - - - e09dffed by Jakub Hrozek at 2019-03-20T15:25:33Z CONFDB/SYSDB: Add the hybrid MPG mode Permits a new option value 'hybrid' for the auto_private_groups option. 
The option was even previously marked as a string option in both the configAPI and the man pages, so we don't have to change the type now. If the hybrid mode is selected and the user's original GID number is available, then during initgroups and getpwnam, it is used as their primary GID instead of the MPG group. The original group is also not added as a secondary group during initgroups in this case. Related: https://pagure.io/SSSD/sssd/issue/3822 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit db03a19c4fbabd476dac0f3400ebcbb9ede24579) - - - - - 271544b6 by Jakub Hrozek at 2019-03-20T15:25:52Z CACHE_REQ: Add cache_req_data_get_type() Adds a utility function which returns the lookup type stored in struct cache_req_data. This will be used later to switch between different lookups as appropriate. Related: https://pagure.io/SSSD/sssd/issue/3822 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit 2efc41cdd611d1e615dadae6324b096a23ae6659) - - - - - c083df05 by Jakub Hrozek at 2019-03-20T15:26:01Z NSS: Add the hybrid-MPG mode Implements the functionality of the hybrid private group mapping. Uncharacteristically, all the functionality is implemented in the responder only. This is because this hybrid mode must not shadow real groups with autogenerated ones, not even if the real group comes from another domain. Therefore, the user or group resolution must really call the full cache_req requests. 
Related: https://pagure.io/SSSD/sssd/issue/3822 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit 2ea38097dc62963403f77c96946a93f8aae11a44) - - - - - 64b855db by Jakub Hrozek at 2019-03-20T15:26:07Z TESTS: Add integration tests for auto_private_groups=hybrid Related: https://pagure.io/SSSD/sssd/issue/3822 Reviewed-by: Michal Židek <mzidek at redhat.com> (cherry picked from commit 93007c40def0d622536b9c2317e2de2eda4d5145) - - - - - 705fd73e by Pavel Březina at 2019-03-20T20:55:21Z be: remember last good server's name instead of fo_server structure This fo_server may be freed when collapsing servers from SRV lookup in `collapse_srv_lookup`. This would cause crash when we try to dereference the pointer. Resolves: https://pagure.io/SSSD/sssd/issue/3976 Reviewed-by: Jakub Hrozek <jhrozek at redhat.com> - - - - - 4f47ff66 by Jakub Hrozek at 2019-03-20T21:14:23Z Updating the translations for the 1.16.4 release - - - - - 6 changed files: - Makefile.am - contrib/ci/run - contrib/ci/sssd.supp - contrib/sssd.spec.in - po/bg.po - po/ca.po The diff was not included because it is too large. View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/61c515aa8484bdbcf2f4bc63c7032ade1c6ec06f...4f47ff665b4e24297b07e4206cdd3f3d4f77d204 -- View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/61c515aa8484bdbcf2f4bc63c7032ade1c6ec06f...4f47ff665b4e24297b07e4206cdd3f3d4f77d204 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gitlab at salsa.debian.org Wed Apr 3 08:05:37 2019 From: gitlab at salsa.debian.org (Timo Aaltonen) Date: Wed, 03 Apr 2019 07:05:37 +0000 Subject: [Pkg-sssd-devel] [Git][sssd-team/sssd] Pushed new branch experimental Message-ID: <5ca45b41d10c_20d73f86b27c6a50844436@godard.mail> Timo Aaltonen pushed new branch experimental at Debian SSSD packaging / sssd -- View it on GitLab: https://salsa.debian.org/sssd-team/sssd/tree/experimental You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Apr 3 08:05:37 2019 From: gitlab at salsa.debian.org (Timo Aaltonen) Date: Wed, 03 Apr 2019 07:05:37 +0000 Subject: [Pkg-sssd-devel] [Git][sssd-team/sssd] Pushed new tag debian/1.16.4-1_exp1 Message-ID: <5ca45b411a296_20d73f86b3c6df6c8446bb@godard.mail> Timo Aaltonen pushed new tag debian/1.16.4-1_exp1 at Debian SSSD packaging / sssd -- View it on GitLab: https://salsa.debian.org/sssd-team/sssd/tree/debian/1.16.4-1_exp1 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... 

From ftpmaster at ftp-master.debian.org Wed Apr 3 08:19:29 2019
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 03 Apr 2019 07:19:29 +0000
Subject: [Pkg-sssd-devel] Processing of sssd_1.16.4-1~exp1_source.changes
Message-ID:

sssd_1.16.4-1~exp1_source.changes uploaded successfully to localhost
along with the files:
  sssd_1.16.4-1~exp1.dsc
  sssd_1.16.4.orig.tar.gz
  sssd_1.16.4.orig.tar.gz.asc
  sssd_1.16.4-1~exp1.diff.gz
  sssd_1.16.4-1~exp1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)

From ftpmaster at ftp-master.debian.org Wed Apr 3 08:34:03 2019
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Wed, 03 Apr 2019 07:34:03 +0000
Subject: [Pkg-sssd-devel] sssd_1.16.4-1~exp1_source.changes ACCEPTED into experimental
Message-ID:

Accepted:

Format: 1.8
Date: Wed, 03 Apr 2019 09:56:33 +0300
Source: sssd
Architecture: source
Version: 1.16.4-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian SSSD Team
Changed-By: Timo Aaltonen
Closes: 923882 925026
Launchpad-Bugs-Fixed: 1572908
Changes:
 sssd (1.16.4-1~exp1) experimental; urgency=medium
 .
   [ Timo Aaltonen ]
   * New upstream release. (LP: #1572908)
   * Drop patches, all upstream.
   * Enable systemd responders. (Closes: #925026, #923882)
 .
   [ Dominik George ]
   * Acknowledge NMU.
   * Add myself to Uploaders.

Thank you for your contribution to Debian.

From owner at bugs.debian.org Wed Apr 3 08:37:04 2019
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 03 Apr 2019 07:37:04 +0000
Subject: [Pkg-sssd-devel] Bug#923882: marked as done (sssd-tools: sssctl list-domains is broken)
References: <155189297662.3694.14215099863807198846.reportbug@zelda.physik.fu-berlin.de>
Message-ID:

Your message dated Wed, 03 Apr 2019 07:34:03 +0000
with message-id
and subject line Bug#923882: fixed in sssd 1.16.4-1~exp1
has caused the Debian Bug report #923882,
regarding sssd-tools: sssctl list-domains is broken
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
923882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923882
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Jan Luca Naumann
Subject: sssd-tools: sssctl list-domains is broken
Date: Wed, 06 Mar 2019 18:22:56 +0100
Size: 4335
URL:

-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#923882: fixed in sssd 1.16.4-1~exp1
Date: Wed, 03 Apr 2019 07:34:03 +0000
Size: 5805
URL:

From owner at bugs.debian.org Wed Apr 3 08:37:07 2019
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 03 Apr 2019 07:37:07 +0000
Subject: [Pkg-sssd-devel] Bug#925026: marked as done (Please enable D-Bus activation for sssd-ifp (and possibly others))
References: <20190319133637.GD1159@piware.de>
Message-ID:

Your message dated Wed, 03 Apr 2019 07:34:03 +0000
with message-id
and subject line Bug#925026: fixed in sssd 1.16.4-1~exp1
has caused the Debian Bug report #925026,
regarding Please enable D-Bus activation for sssd-ifp (and possibly others)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
925026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925026
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Martin Pitt
Subject: Please enable D-Bus activation for sssd-ifp (and possibly others)
Date: Tue, 19 Mar 2019 14:36:37 +0100
Size: 2433
URL:

-------------- next part --------------
An embedded message was scrubbed...
From: Timo Aaltonen
Subject: Bug#925026: fixed in sssd 1.16.4-1~exp1
Date: Wed, 03 Apr 2019 07:34:03 +0000
Size: 5780
URL:

From tjaalton at debian.org Wed Apr 3 08:45:08 2019
From: tjaalton at debian.org (Timo Aaltonen)
Date: Wed, 3 Apr 2019 10:45:08 +0300
Subject: [Pkg-sssd-devel] Bug#923882: Bug#923882: Bug#923882: Bug#923882: sssd-tools: sssctl list-domains is broken
In-Reply-To:
References: <155189297662.3694.14215099863807198846.reportbug@zelda.physik.fu-berlin.de>
 <4b60beac-602f-a237-4358-a64b689d17af@debian.org>
 <155189297662.3694.14215099863807198846.reportbug@zelda.physik.fu-berlin.de>
 <3c9c884a-4e07-882e-eb76-9eb7e71e0597@fu-berlin.de>
 <155189297662.3694.14215099863807198846.reportbug@zelda.physik.fu-berlin.de>
 <155189297662.3694.14215099863807198846.reportbug@zelda.physik.fu-berlin.de>
Message-ID:

On 21.3.2019 16.23, Timo Aaltonen wrote:
> On 21.3.2019 16.02, Jan Luca Naumann wrote:
>> Another way could be to check in the postinst files if there is already
>> an existing sssd.conf file and, if yes, do not enable the systemd units.
>>
>> This should prevent breaking existing installations but would allow to
>> use the services after adjusting sssd.conf and new users would use the
>> sockets directly. Admins of existing installations could be informed
>> about this change via the NEWS file.
>>
>> Would that be a useful solution?
>
> No I think that would be very confusing :)
>
> I've pushed a new upstream plus added socket activation back (though the
> changelog doesn't mention it) here:
>
> https://aaltoset.kapsi.fi/sssd
>
> if you can test that it'd be great

I tested it myself and works fine, this is now pushed to experimental so
it should be easier to test. I'm hoping this would be fine for buster too.

--
t

From jmm at inutil.org Mon Apr 29 22:38:40 2019
From: jmm at inutil.org (Moritz Mühlenhoff)
Date: Mon, 29 Apr 2019 23:38:40 +0200
Subject: [Pkg-sssd-devel] Bug#902860: sssd: CVE-2018-10852: information leak from the sssd-sudo responder
In-Reply-To: <153053494543.29318.15316493377936254938.reportbug@lorien.valinor.li>
References: <153053494543.29318.15316493377936254938.reportbug@lorien.valinor.li>
 <153053494543.29318.15316493377936254938.reportbug@lorien.valinor.li>
Message-ID: <20190429213840.GA20516@pisco.westfalen.local>

On Mon, Jul 02, 2018 at 02:35:45PM +0200, Salvatore Bonaccorso wrote:
> Source: sssd
> Version: 1.16.2-1
> Severity: important
> Tags: security upstream
> Forwarded: https://pagure.io/SSSD/sssd/issue/3766
>
> Hi,
>
> The following vulnerability was published for sssd.
>
> CVE-2018-10852[0]:
> | The UNIX pipe which sudo uses to contact SSSD and read the available
> | sudo rules from SSSD has too wide permissions, which means that anyone
> | who can send a message using the same raw protocol that sudo and SSSD
> | use can read the sudo rules available for any user. This affects
> | versions of SSSD before 1.16.3.

This is fixed in https://pagure.io/SSSD/sssd/c/ed90a20a0f0e936eb00d268080716c0384ffb01d
and this bug is almost a year old. Can we please get that fixed in time for the buster
release (along with https://security-tracker.debian.org/tracker/CVE-2019-3811 and
https://security-tracker.debian.org/tracker/CVE-2018-16883)

Cheers,
Moritz
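
Added example (not part of this thread and not SSSD code): the CVE-2018-10852 description quoted above comes down to a responder's UNIX socket being reachable by local users who should not reach it, so this audit walks a directory of pathname sockets and reports group/other write bits, which is the permission Linux checks on connect. The socket names and the temporary directory are constructed for the demo; the thread does not give the real pipe location, so pass the directory your SSSD installation uses.

```python
import os
import socket
import stat
import tempfile


def audit_unix_sockets(directory, allowed_uid=0):
    """Map socket name -> findings for sockets other local users could open."""
    findings = {}
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISSOCK(st.st_mode):
            continue  # regular files, directories, etc. are out of scope
        problems = []
        # On Linux, connect(2) to a pathname socket needs write permission
        # on the socket file, so the write bits decide who can talk to it.
        if st.st_mode & stat.S_IWOTH:
            problems.append("world-connectable")
        if st.st_mode & stat.S_IWGRP:
            problems.append("group-connectable")
        if st.st_uid != allowed_uid:
            problems.append(f"owned by uid {st.st_uid}")
        if problems:
            findings[entry.name] = problems
    return findings


def make_constructed_fixture(directory):
    """Create constructed sample sockets: one open, one private."""
    for name, mode in (("open_responder", 0o666), ("private_responder", 0o600)):
        path = os.path.join(directory, name)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)        # bind() creates the filesystem node
        srv.close()           # the node stays until it is unlinked
        os.chmod(path, mode)
    with open(os.path.join(directory, "not_a_socket"), "w"):
        pass


def demo():
    """Audit the constructed fixture; the current user stands in for root."""
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_fixture(tmp)
        return audit_unix_sockets(tmp, allowed_uid=os.getuid())


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {', '.join(problems)}")
```

Some responders are meant to be reachable by every local user, so a finding is a prompt to check whether that particular socket should be private, not proof of a flaw.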