[Pkg-sssd-devel] [Git][sssd-team/sssd][experimental] 282 commits: Updating the version before the 2.0 release
Timo Aaltonen
gitlab at salsa.debian.org
Mon May 27 11:59:53 BST 2019
Timo Aaltonen pushed to branch experimental at Debian SSSD packaging / sssd
Commits:
2f34087c by Jakub Hrozek at 2018-08-13T14:25:01Z
Updating the version before the 2.0 release
- - - - -
7e9f0a0c by Pavel Březina at 2018-08-13T14:59:01Z
include stdarg.h directly in debug.h
It expects to be already included which may break compilation
if it is not true.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
40e3863e by Pavel Březina at 2018-08-13T14:59:04Z
pam_add_response: fix talloc context
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
c2ed0cae by Pavel Březina at 2018-08-13T14:59:09Z
sss_ptr_hash: add sss_ptr_get_value to make it useful in delete callbacks
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9c9a4328 by Pavel Březina at 2018-08-13T14:59:12Z
sss_ptr_list: add linked list of talloc pointers
A list item is automatically freed and removed from the list when
the talloc pointer is freed.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
e347b555 by Pavel Březina at 2018-08-13T14:59:14Z
sbus: move sbus code to standalone library
This will allow to use both old and new sbus implementation during
conversion.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
564c0798 by Pavel Březina at 2018-08-13T14:59:17Z
sbus: add sbus sssd error codes
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
b49ee1bf by Pavel Březina at 2018-08-13T14:59:21Z
sbus: add new implementation
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7f3ed078 by Pavel Březina at 2018-08-13T14:59:24Z
sbus: build new sbus implementation
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
f91e90a7 by Pavel Březina at 2018-08-13T14:59:27Z
sbus: disable generating old api
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
06631b45 by Pavel Březina at 2018-08-13T14:59:29Z
sbus: fix indirect includes in sssd
Some header files were included indirectly through data provider
interface headers. When we switch backend to new sbus, we got lots
of undefined symbols errors.
We now include the files directly so we can convert the backend.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
2963f2d9 by Pavel Březina at 2018-08-13T14:59:33Z
sbus: add sss_iface library
This will merge sbus interface of all processes into one place.
SSSD is already a lot interconnected through and almost any process
needs access to interface of all other processes (all processes talk
to monitor and data provider, data provider talks to some responders).
We would also like to make responders talk between each other.
Therefore it is much simpler to create one place for all the internal
D-Bus API. This will make it simpler to use, easier to build and it
will also reduce amount of generated code since most of the invokers
can be reused.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
924f8098 by Pavel Březina at 2018-08-13T14:59:47Z
sbus: convert monitor
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
c7e2d7a5 by Pavel Březina at 2018-08-13T14:59:54Z
sbus: convert backend
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
e50fb8ac by Pavel Březina at 2018-08-13T14:59:57Z
sbus: convert responders
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
de3a63c4 by Pavel Březina at 2018-08-13T15:00:00Z
sbus: convert proxy provider
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
fbe2476a by Pavel Březina at 2018-08-13T15:00:03Z
sbus: convert infopipe
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
aaecabf2 by Pavel Březina at 2018-08-13T15:00:06Z
sbus: convert sssctl
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5edba6ce by Pavel Březina at 2018-08-13T15:00:09Z
sbus: remove old implementation
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7c1dd71c by Pavel Březina at 2018-08-13T15:00:12Z
sbus: add new internal libraries to specfile
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
3d1b6458 by Pavel Březina at 2018-08-13T15:00:14Z
sbus: make tests run
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
c0c8499b by Pavel Březina at 2018-08-13T15:00:17Z
tests: disable parse_inp_call_dp, parse_inp_call_attach in responder-get-domains-tests
New sbus implementation broke responder-get-domains-tests and we could
not find how to fix it in time.
Ticket to track fixing these tests:
https://pagure.io/SSSD/sssd/issue/3806
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
1adf2f98 by amitkuma at 2018-08-13T15:03:45Z
confdb: Remove CONFDB_DOMAIN_LEGACY_PASS
As CONFDB_DOMAIN_LEGACY_PASS is legacy parameter that is rooted in
pre-1.0 SSSD, let's just nuke it now as we're already removing other
legacy code.
Resolves:
https://pagure.io/SSSD/sssd/issue/3530
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a2d543f6 by Amit Kumar at 2018-08-13T15:06:57Z
providers: disable ldap_sudo_include_regexp by default
Using wildcard in sudoHost attribute is very costly to evaluate on LDAP
server side and this feature seems to be rarely used. Considering this,
let's make it **not** enabled by default.
Whoever is still interested in using it, can just add to their
sssd.conf:
`ldap_sudo_include_regexp = true`.
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
65bd6bf0 by Fabiano Fidêncio at 2018-08-13T15:19:47Z
providers: drop ldap_{init,}groups_use_matching_rule_in_chain support
Resolves:
https://pagure.io/SSSD/sssd/issue/3492
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5dafa817 by Fabiano Fidêncio at 2018-08-13T15:21:02Z
ldap: remove parallel requests from rfc2307bis
As this branch of code is not well tested, we've decided to just nuke it
and, in the future, spend more time on improving the performance for the
general case instead of maintaining this old "hack".
Resolves:
https://pagure.io/SSSD/sssd/issue/3494
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7d483737 by Fabiano Fidêncio at 2018-08-13T16:29:12Z
tests: adapt common_dom to files_provider
Also start to consider the "files" provider when cleaning up the files.
This change will let us start moving to "files" provider in our test
suite.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
2243b348 by Fabiano Fidêncio at 2018-08-13T16:29:19Z
tests: adapt test_sysdb_views to files provider
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Apart from the obvious change from "local" to "files" and from "LOCAL"
to "FILES", we're also passing an on-the-fly created uid/gid to the
sysdb_store_user() function in order to avoid calling
sysdb_get_new_id(), which only should be used with the "local" provider.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
35a200d5 by Fabiano Fidêncio at 2018-08-13T16:29:35Z
tests: adapt sysdb-tests to files_provider
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Apart from the obvious change from "local" to "files" and from "LOCAL"
to "FILES", we're also passing a static uid/gid to the sysdb_add_user()
function in order to avoid calling sysdb_get_new_id(), which only should
be used with the "local" provider. Another change done is to explicitly
set mpg to true as it was enabled by default when using the "local"
provider.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
6ebcc59b by Fabiano Fidêncio at 2018-08-13T16:29:42Z
tests: adapt sysdb_ssh tests to files provider
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Apart from the obvious change from "local" to "files" and from "LOCAL"
to "FILES", we also had to change the cleanup function as this test
suite doesn't rely on test_multidom_suite_cleanup().
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
064ca0b4 by Fabiano Fidêncio at 2018-08-13T16:29:49Z
tests: adapt auth-tests to files provider
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Apart from the obvious change from "local" to "files" and from "LOCAL"
to "FILES", we also had to change the cleanup function as this test
suite doesn't rely on test_multidom_suite_cleanup().
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
a8a9e66a by Fabiano Fidêncio at 2018-08-13T16:29:55Z
tests: adapt tests_fqnames to files provider
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Only a simple change from "local" to "files" was required.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
99b5bb54 by Fabiano Fidêncio at 2018-08-13T16:30:09Z
sysdb: sanitize the dn on cleanup_dn_filter
When trying to get rid of the "local" provider references in
ldap_id_cleanup tests by switching to "files" provider, it's been
noticed that the linearized dn wasn't coming sanitized, which would make
the test to fail.
While I'm not sure here's the right place to have it fixed, this is the
simplest proposal I could come up with.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
728e4be1 by Fabiano Fidêncio at 2018-08-13T16:30:16Z
sysdb: pass subfilter and ts_subfilter to sysdb_search_*_by_timestamp()
The reason for specifically passing a ts_subfilter is because when using
a provider that relies on a cache and on a timestamp cache, the search
done on each cache is different.
The difference in the search is that on timestamp cache we add a
(dateExpireTimestamp <= XXX), but it shouldn't be added to the cache
search.
This commit is needed in order to have the ldap_id_cleanup test running
when switching from local provider (which has no timestamp cache) to the
files provider (which exposed this issue).
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
2e8fe6a3 by Fabiano Fidêncio at 2018-08-13T16:30:27Z
tests: adapt test_ldap_id_cleanup to files provider
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
The only changes required were the obvious change from "local" to "files"
and from "LOCAL" to "FILES".
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
a24f0c20 by Fabiano Fidêncio at 2018-08-13T16:30:35Z
tests: remove LOCAL_SYSDB_FILE reference from test_sysdb_certmap
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Let's just replace "LOCAL_SYSDB_FILE" for NULL as this test suite
doesn't create local sysdb file.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
5a87af91 by Fabiano Fidêncio at 2018-08-13T16:30:41Z
tests: remove LOCAL_SYSDB_FILE reference from test_sysdb_domain_resolution_order_
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Let's just replace "LOCAL_SYSDB_FILE" for NULL as this test suite
doesn't create local sysdb file.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
15342ebe by Fabiano Fidêncio at 2018-08-13T16:30:54Z
tests: remove LOCAL_SYSDB_FILE reference from test_sysdb_subdomains
Let's take advantage of the files provider and start to get rid of the
local provider references in our code.
Let's just replace "LOCAL_SYSDB_FILE" for NULL as this test suite
doesn't create local sysdb file.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
c075e286 by Fabiano Fidêncio at 2018-08-13T16:31:01Z
tests: remove LOCAL_SYSDB_FILE reference from common_dom
As all tests are now taking advantage of the "files" provider instead of
the "local" one, let's just remove the last reference of
LOCAL_SYSDB_FILE from our tests.
Together with the reference, let's also remove the whole if-block as
we're not relying on "local" provider anymore.
Related:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
b8946c46 by Fabiano Fidêncio at 2018-08-13T16:31:08Z
local: build local provider conditionally
Let's "get rid" of the local provider and only build it conditionally.
The local provider is only used by our integration tests and those will
be run in the CI enabling the local provider.
If someone, for some reason, still needs to use it,
"--enable-local-provider" has been added as a configure option and the
provider can be built using that (as done in our integration tests).
Resolves:
https://pagure.io/SSSD/sssd/issue/3304
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
82d51b7f by Fabiano Fidêncio at 2018-08-13T16:31:16Z
pysss: fix typo in comment
"local" -> "password"
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
0e211b8b by Fabiano Fidêncio at 2018-08-13T16:31:23Z
pysss: remove pysss.local
The pysss.local interface has been de-emphasized in favour of the files
domain. As there's no current consumer of this API, let's just remove
it.
Resolves:
https://pagure.io/SSSD/sssd/issue/3493
Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
4d7f0789 by Jakub Hrozek at 2018-08-13T16:39:45Z
TESTS: the sys package was used but not imported
The test used sys.exit but never imported the sys module.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
aafaacd5 by Jakub Hrozek at 2018-08-13T16:39:51Z
TESTS: Remove tests database in teardown
This is to avoid one test indirectly stepping on another if they are run
individually. For example, some of the tests added a principal and ran
kinit which populated the database, another test started execution by
checking there is nothing stored in the secrets database.
In general, it's better to run the tests in isolation.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
0294bcf7 by Jakub Hrozek at 2018-08-13T16:39:56Z
TESTS: Properly set argv[0] when starting the secrets responder
This was a nasty one. Because argv[0] was unset, instead of its typical
setting as the program path, parsing the arguments produced garbage
which resulted in uid and gid being set to a random (?) value. As an
effect, the secrets responder was not running as fake-root in tests and
this triggered permission errors in libsss_secrets and only root is able
to set arbitrary secrets.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
80811f94 by Jakub Hrozek at 2018-08-13T16:40:00Z
KCM: Move a confusing DEBUG message
We only want to print the message if KCM really does not find the nextID
on that try, but we used to print the message always.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
ca73eedb by Jakub Hrozek at 2018-08-13T16:40:05Z
KCM: Fix a typo
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
24b151e0 by Jakub Hrozek at 2018-08-13T16:40:10Z
UTIL: Add libsss_secrets
Splits pieces of the secrets responder and makes them into a library.
This is done so that other processes than sssd_secrets can access the
secrets database without going through the whole REST API.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
fdfa36ae by Jakub Hrozek at 2018-08-13T16:40:15Z
SECRETS: Use libsss_secrets
Instead of its own code for handling the secrets, use libsss_secrets.
It's pretty much the same code anyway, just moved to a different
location.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
e0bf64a7 by Jakub Hrozek at 2018-08-13T16:40:19Z
KCM; Hide the secret URL as implementation detail instead of exposing it in the JSON-marshalling API
There were several functions in the kcmsrv_ccache_json.c module that
were really specific to storing ccaches in the secrets responder. Since
we are about to introduce a new ccache back end which will on one hand
use the JSON representation but on the other hand not use the secrets
responder, we move several functions and definitions to
kcmsrv_ccache_secrets.c
A function to create the key for the secret is on the other made public
so that it could be reused in the future.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
0b9001e3 by Jakub Hrozek at 2018-08-13T16:40:24Z
UTIL: libsss_secrets: Add an update function
With the secrets responder, we were bound to what API did Custodia
provide, because one of the core functions of the secrets responder was
forwarding to Custodia. Since the library is not bound by any such
limitation, we can add a function to update a secret.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
24ba2120 by Jakub Hrozek at 2018-08-13T16:40:29Z
KCM: Add a new back end that uses libsss_secrets directly
Add a new KCM back end that stores the ccaches in libsss_secrets
directly by using its API. The back end is only fake-async as all the
libsss_secrets functions are synchronous.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
f91adcc8 by Jakub Hrozek at 2018-08-13T16:40:34Z
TESTS: Get rid of KCM_PEER_UID
In normal operation, libsss_secret only allows root to write to the KCM
namespace. This was impractical in tests, because the identity of the
client is read from the socket and even with the socket and uid
wrapping, still the real UID was used. So we #define-d the client ID to
something else during tests.
But this is also problematic for tests that do not use the secrets
responder, but only the libsecrets, because there the ID of the caller
is root, because of uid_wrapper.
This patch changes the approach so that the secrets responder tests
preload getsockopt_wrapper() and any communication to the secrets socket
rewrites the client credentials to be root. In combination with
uid_wrapper which pretends to libsss_secrets that the caller is root, we
can get rid of test-specific #define in the code.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
7dd1991c by Jakub Hrozek at 2018-08-13T16:40:41Z
TESTS: Add tests for the KCM libsss_secrets back end
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
f74feb08 by Jakub Hrozek at 2018-08-13T16:40:47Z
KCM: Change the default ccache storage from the secrets responder to libsecrets
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
fcbedf46 by Jakub Hrozek at 2018-08-13T16:40:52Z
BUILD: Do not build the secrets responder by default
The secrets responder is now built only conditionally and defaults to
'do not build'. However, libsss_secrets.so is built whenever either KCM
or secrets are selected.
The KCM secrets responder tests are skipped if the secrets responder is
not built.
This patch also avoids two BuildRequires in the default set,
libcurl-devel and http-parser-devel are no longer required by SSSD.
Related:
https://pagure.io/SSSD/sssd/issue/3685
Reviewed-by: Fabiano Fidêncio <fidencio at redhat.com>
- - - - -
c0374e1c by Niranjan M.R at 2018-08-17T12:39:54Z
Python3 changes to multihost tests
1. Python3 related changes
2. converting ldap attributes to use bytes
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
aba6fe44 by Niranjan M.R at 2018-08-20T11:23:12Z
Minor fixes related to converting of ldap attributes to bytes
Minor fixes related to converting attribute values to bytes
in function related to adding posix group
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
101934f2 by Lukas Slebodnik at 2018-08-20T11:24:33Z
BUILD: Fix issue with installation of libsss_secrets
libsss_secret.so is linked with libsss_util.so therefore it should be
added into pkglib_LTLIBRARIES after libsss_util.so.
Otherwise there can be a failure in linking phase.
libtool: warning: relinking 'libsss_secrets.la'
libtool: install: (cd /home/build/sssd/ci-build-debug/intg/bld; /bin/sh
"/home/build/sssd/ci-build-debug/intg/bld/libtool" --tag CC
--mode=relink gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith
-Wcast-qual -Wcast-align -Wwrite-strings -Wundef
-Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs
-fno-strict-aliasing -std=gnu99 -O2 -g -g3 -O2 -Werror
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-avoid-version -o libsss_secrets.la -rpath
/tmp/sssd-intg.l7nl5pgb/lib/sssd
src/util/secrets/libsss_secrets_la-secrets.lo
src/util/secrets/libsss_secrets_la-config.lo -ltalloc -lldb
libsss_crypt.la libsss_debug.la libsss_util.la )
libtool: relink: gcc -shared -fPIC -DPIC
src/util/secrets/.libs/libsss_secrets_la-secrets.o
src/util/secrets/.libs/libsss_secrets_la-config.o -Wl,-rpath
-Wl,/tmp/sssd-intg.l7nl5pgb/lib/sssd -ltalloc -lldb
-L/tmp/sssd-intg.l7nl5pgb/lib/sssd -lsss_crypt -lsss_debug -lsss_util
-O2 -g -g3 -O2 -Wl,-soname -Wl,libsss_secrets.so -o
.libs/libsss_secrets.so
/usr/bin/ld: cannot find -lsss_util
collect2: error: ld returned 1 exit status
libtool: error: error: relink 'libsss_secrets.la' with the above
command before installing it
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
677a9337 by Lukas Slebodnik at 2018-08-20T11:24:52Z
BUILD: Add missing deps to libsss_sbus*.so
It indirectly caused failures when linking unit test.
CCLD test_sbus_opath
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_validate'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_free'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_malloc'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_casefold'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_collate'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strlen'
/usr/bin/ld: ./.libs/libsss_sbus.so: undefined reference to `g_utf8_strdown'
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
53ed60b8 by Lukas Slebodnik at 2018-08-20T11:24:58Z
BUILD: Reduce compilation of unnecessary files
We save compilation of 52 files 2 times with linking to existing
internal libraries.
It also fixes issue with multiple definition of the same symbol
CCLD responder_common-tests
/usr/bin/ld: .libs/libsss_debug.so and ../../../src/util/responder_common_tests-debug.o:
warning: multiple common of `sss_logger'
collect2: error: ld returned 1 exit status
Merges: https://pagure.io/SSSD/sssd/pull-request/3808
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7dce2461 by Jakub Hrozek at 2018-08-21T12:17:18Z
Updating the version to track 2.1 development
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
81dce197 by Jakub Hrozek at 2018-08-29T13:04:48Z
KCM: Don't error out if creating a new ID as the first step
We need to handle the case where the nextID operation is run, but the
secdb is totally empty, otherwise logins with sssd's krb5_child would
fail.
Resolves:
https://pagure.io/SSSD/sssd/issue/3815
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
55d5b435 by Pavel Březina at 2018-09-06T14:38:25Z
sbus: register filter on new connection
The filter is not again registered on new connection when the old connection
was lost. This caused a segfault when the router is destroyed during shutdown.
It also would not allow to receive and process any messages as the filter
function is needed for that. However, this was not very visible with
current sssd architecture.
Steps to reproduce:
1. Run SSSD
2. pkill sssd_be
3. Wait for responders to reconnect to backend
4. Shutdown SSSD
5. It will crash without this patch
Resolves:
https://pagure.io/SSSD/sssd/issue/3821
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
8c8f74b0 by Pavel Březina at 2018-09-06T14:38:38Z
sbus: fix typo
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
30f4adf8 by Pavel Březina at 2018-09-06T14:38:42Z
sbus: check for null message in sbus_message_bound
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ca50c405 by Pavel Březina at 2018-09-06T14:38:45Z
sbus: replace sbus_message_bound_ref with sbus_message_bound_steal
The memory context used to new message reference accidentally overwrote
the one used by the initial sbus_message_bound call. This caused a memory
leak of message as its reference counter got increased but number of
talloc contexts bound to this message decreased at the same time.
Fixing this is non-trivial and it would require separate data slot for
each reference. Because we do not have any existing use case for this
and we use it only as an equivalent of talloc_steal it is better to
provide a real equivalent for this talloc function.
Resolves:
https://pagure.io/SSSD/sssd/issue/3810
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
c895fa24 by Pavel Březina at 2018-09-06T14:38:54Z
sbus: add unit tests for public sbus_message module
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
945865ae by Jakub Hrozek at 2018-09-11T19:46:14Z
SELINUX: Always add SELinux user to the semanage database if it doesn't exist
Previously, we tried to optimize too much and only set the SELinux user
to Linux user mapping in case the SELinux user was different from the
system default. But this doesn't work for the case where the Linux user
has a non-standard home directory, because then SELinux would not have
any idea that this user's home directory should be labeled as a home
directory.
This patch relaxes the optimization in the sense that on the first
login, the SELinux context is saved regardless of whether it is the same
as the default or different.
Resolves:
https://pagure.io/SSSD/sssd/issue/3819
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
e573f577 by Niranjan M.R at 2018-09-11T20:10:44Z
test-library: fixes related to KCM, TLS on Directory server
Fixes related to enabling of ssl in Directory Server
Minor fixes on KCM, adding new exceptions
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ac622b77 by Niranjan M.R at 2018-09-11T20:10:47Z
Multihost-SanityTests: New test case for ssh login with KCM as default
1. Minor fix with regarding to spaces between package names
2. Install sssd-dbus
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
1e239887 by Sumit Bose at 2018-09-19T09:49:29Z
intg: flush the SSSD caches to sync with files
To make sure that SSSD has synced with the latest data added to the
passwd file sss_cache is called in two places where the current sync
scheme was not reliable. This was mainly observed when running the
integration tests on Debian.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
b03179ea by Sumit Bose at 2018-09-19T09:51:01Z
sbus: detect python binary for sbus_generate.sh
We already detect python2 and python3 binaries during configure. With
this patch PYTHON_EXEC is set to the python3 binary if python3 bindings
are generated and to the python2 binary otherwise. With the help of an
environment variable sbus_generate.sh is made aware of it.
Related to https://pagure.io/SSSD/sssd/issue/3807
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
d7f0b58e by Pavel Březina at 2018-09-19T09:54:14Z
sudo: respect case sensitivity in sudo responder
If the domain is not case sensitive and the case of the original user
or group name differs from the name in the rule we failed to find the
rule.
Now we filter the rule only with lower cased values in such domain.
Steps to reproduce:
1. Add user/group with upper case, e.g. USER-1
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
3. Login to system with lower case, e.g. user-1
4. Run sudo -l
Without the patch, rule is not found.
Resolves:
https://pagure.io/SSSD/sssd/issue/3820
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
3bd67c77 by Michal Židek at 2018-09-19T09:55:58Z
GPO: Add gpo_implicit_deny option
This option (when set to True) can be used to deny access to
users even if there is not applicable GPO. Normally users are
allowed access in this situation.
Resolves:
https://pagure.io/SSSD/sssd/issue/3701
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
10fa27ed by Michal Židek at 2018-09-21T16:22:20Z
CONFDB: Skip 'local' domain if not supported
When SSSD is built without the support for local
domain, we should gracefully skip local domains
and let other domains start.
Resolves:
https://pagure.io/SSSD/sssd/issue/3828
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7c619ae0 by Sumit Bose at 2018-09-25T12:56:48Z
sysdb: extract sysdb_ldb_msg_attr_to_certmap_info() call
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d1dd7f77 by Sumit Bose at 2018-09-25T12:56:52Z
sysdb_ldb_msg_attr_to_certmap_info: set SSS_CERTMAP_MIN_PRIO
Make sure that priority is always set.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
0bf709ad by Sumit Bose at 2018-09-25T12:57:12Z
sysdb: add attr_map attribute to sysdb_ldb_msg_attr_to_certmap_info()
Allow more flexible attribute mapping in
sysdb_ldb_msg_attr_to_certmap_info()
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d9cc3800 by Sumit Bose at 2018-09-25T12:57:20Z
confdb: add confdb_certmap_to_sysdb()
Add a function to write certificate mapping and matching rules from the
config database to the cache of a domain.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
15301db1 by Sumit Bose at 2018-09-25T12:57:24Z
AD/LDAP: read certificate mapping rules from config file
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
06f7005d by Sumit Bose at 2018-09-25T12:57:27Z
sysdb: sysdb_certmap_add() handle domains more flexible
sysdb_ldb_msg_attr_to_certmap_info() creates an empty list if there are
no domains defined, sysdb_certmap_add() should be able to handle both a
missing or an empty domains list.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9386ef60 by Sumit Bose at 2018-09-25T12:57:31Z
confdb: add special handling for rules for the files provider
To make the configuration more simple there are some special assumptions
for local users, i.e. users managed by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
275eeed2 by Sumit Bose at 2018-09-25T12:57:36Z
files: add support for Smartcard authentication
To support certificate based authentication the files provider must be
able to map a certificate to a user during a BE_REQ_BY_CERT request.
Additionally the authentication request should be handled by the PAM
responder code which is responsible for the local Smartcard
authentication. To be consistent with the other backend an authentication
handler is added to the files provider which unconditionally returns the
offline error code telling the PAM responder to handle the
authentication if it has access to the needed credentials.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9fdc5f1d by Sumit Bose at 2018-09-25T12:57:40Z
responder: make sure SSS_DP_CERT is passed to files provider
Currently the files provider is only contacted once in a while to update
the full cache with fresh data from the passwd file. To allow rule based
certificate mapping the lookup by certificate request must be always
sent to the file provider so that it can evaluate the rules and add the
certificate to cached entry of the matching user.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d42f44d5 by Sumit Bose at 2018-09-25T12:57:45Z
PAM: add certificate matching rules from all domains
Currently the PAM responder only reads the certificate mapping and
matching rules from the first domain. To support Smartcard
authentication for local and remote users all configured domains must be
taken into account.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
0c739e96 by Sumit Bose at 2018-09-25T12:57:50Z
doc: add certificate mapping section to man page
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
16941c47 by Sumit Bose at 2018-09-25T12:57:53Z
intg: user default locale
Some checks depend on english error messages so checks should be always
run with the default locale.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
442ae7b1 by Sumit Bose at 2018-09-25T12:57:57Z
PAM: use better PAM error code for failed Smartcard authentication
If the user enters a wrong PIN the PAM responder currently returns
PAM_USER_UNKNOWN; better is PAM_AUTH_ERR.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
91aea762 by Sumit Bose at 2018-09-25T12:58:01Z
test_ca: test library only for readable
On Debian libraries typically do not have the execute-bit set so it is
better to only check for readability.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a45a410d by Sumit Bose at 2018-09-25T12:58:05Z
test_ca: set a password/PIN to nss databases
To make sure the PIN is properly checked during tests the NSS databases
need a password.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d332c8a0 by Sumit Bose at 2018-09-25T12:58:09Z
getsockopt_wrapper: add support for PAM clients
PAM clients expect that the private socket of the PAM responder is
handled by root. With this patch getsockopt_wrapper can return the
expected UID and GID to PAM clients.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
657f3b89 by Sumit Bose at 2018-09-25T12:58:15Z
intg: add Smartcard authentication tests
Two tests for Smartcard authentication of a local user, i.e. a user
managed by the files provider, are added. One for a successful
authentication, the other for a failed authentication with a wrong PIN.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
74f24e9b by Niranjan M.R at 2018-09-26T11:53:21Z
pytest: Remove installing idm module
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
4ffe3ab9 by Pavel Březina at 2018-09-28T08:20:25Z
proxy: access provider directly not through be_ctx
Modules are initialized as part of dp_init_send() but be_ctx->provider is set
only after this request is finished therefore it is not available here.
Resolves:
https://pagure.io/SSSD/sssd/issue/3812
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
4c5a1afa by Pavel Březina at 2018-09-28T08:20:29Z
dp: set be_ctx->provider as part of dp_init request
Backend context is overused inside sssd code even during its initialization.
Some parts of initialization code requires access to be_ctx->provider so we
must make it available as soon as possible.
Better solution would be to always use 'provider' directly in initialization
but this makes it safer for any future changes as one does not have to keep
in mind when it is safe to use be_ctx->provider and when not. Now it is
always safe.
Resolves:
https://pagure.io/SSSD/sssd/issue/3812
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9245bf1a by Pavel Březina at 2018-09-28T08:20:33Z
sbus: read destination after sender is set
dbus_message_set_sender may reallocate internal fields which will yield pointer
obtained by dbus_message_get_* invalid.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
b821ee3c by Pavel Březina at 2018-09-28T08:20:36Z
sbus: do not try to remove signal listeners when disconnecting
This may cause some troubles if the dbus connection was dropped
as dbus will try to actually send the messages. Also when the
connection is being freed, tevent integration is already disabled
so there is no point in doing this.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
f1f9af52 by Pavel Březina at 2018-09-28T08:20:42Z
sbus: free watch_fd->fdevent explicitly
We never reproduced this with gdb but valgrind shows invalid read in sbus_watch_handler
after the watch_fd was freed. This should not be needed since watch_fd is memory parent
of fdevent but it seems to help.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
de8c9caf by Tomas Halman at 2018-10-01T19:12:07Z
doc: remove local provider reference from manpages
Introduce new condition for documentation build. Related part of
documentation is excluded, if build is done without local provider.
Resolves https://pagure.io/SSSD/sssd/issue/3826
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
4276b3f7 by Niranjan M.R at 2018-10-01T19:27:55Z
pytest/testlib: Add function to create organizational Unit
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a62caa0e by Niranjan M.R at 2018-10-01T19:27:58Z
pytest/testlib: Fix related to removing kerberos database
Stop krb5kdc and kadmin services. Earlier we were
not stopping kadmin services. The current code uses a
loop to stop the services.
Based on review comments, used tuple to define krb5kdc and kadmin
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
2ac3efd1 by Niranjan M.R at 2018-10-01T19:28:02Z
pytest: Add test for sudo: search with lower cased name for case insensitive domains
1. Add test case for sudo: search with lower
cased name for case insensitive domains
2. Add fixtures:
disable case_sensitive
enable sudo service
add sudoers: sss in nsswitch.conf
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
58d11ae6 by Niranjan M.R at 2018-10-01T19:28:12Z
pytest/testlib: function to create sudorules in ldap
Adds function add_sudo_rule to create sudo rules in
Directory Server.
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
78333065 by Niranjan M.R at 2018-10-01T19:28:15Z
pytest/testlib: remove space in CA DN
Minor fix of removing space in DN when creating self signed CA.
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
56842e70 by Niranjan M.R at 2018-10-01T19:28:18Z
pytest/conftest.py: Delete krb5.keytab as part of cleanup
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
0e8f9ffe by Niranjan M.R at 2018-10-01T19:28:20Z
pytest: split kcm test cases in to separate file.
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
e18c67c3 by Sumit Bose at 2018-10-03T09:24:18Z
ci: add http-parser-devel for Fedora
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ec766597 by Jakub Hrozek at 2018-10-03T09:27:15Z
pep8: Ignore W504 and W605 to silence warnings on Debian
This code:
    pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
                     "parameters=configdir='sql:" + config.ABS_BUILDDIR +
                     "/../test_CA/p11_nssdb' " +
                     "dbSlotDescription='SSSD Test Slot' " +
                     "dbTokenDescription='SSSD Test Token' " +
                     "secmod='secmod.db' flags=readOnly)\n\n")
    pkcs11_txt.close()
Was producing warnings such as:
./src/tests/intg/test_pam_responder.py:143:22: W504 line break after binary operator
Even though it looks OK visually and conforms to pep8's written form.
Additionally, this regular expression compilation:
    Template = re.compile(
        ' *<template name="(\S+)">(.*?)</template>\r?\n?',
        re.MULTILINE | re.DOTALL
    )
Was producing a warning such as:
./src/sbus/codegen/sbus_Template.py:156:29: W605 invalid escape sequence '\S'
Since the \S literal is part of a regular expression, let's suppress
this warning as well.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
081b18e7 by Tomas Halman at 2018-10-03T09:29:43Z
confdb: log an error when domain is misconfigured
We need to inform user that there is misconfiguration
and particular domain will not be started.
Resolves:
https://pagure.io/SSSD/sssd/issue/3827
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
dfa7bf11 by Pavel Březina at 2018-10-03T09:33:05Z
be: use be_is_offline for the main domain when asking for domain status
The DOM_ACTIVE/INACTIVE flag is not used with the main domain as it
is used only for subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3830
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
e29b8207 by Sumit Bose at 2018-10-08T18:56:22Z
p11: handle multiple certs during auth with OpenSSL
This patch adds missing code already available in the NSS version to
select a certificate for authentication if multiple certificates are
available on the Smartcard. A unit test to check this feature is added
as well.
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
0be037bb by Tomas Halman at 2018-10-08T18:56:27Z
doc: Add nsswitch.conf note to manpage
We want to add note about nsswitch.conf configuration
into sssd-files manpage.
Resolves:
https://pagure.io/SSSD/sssd/issue/3750
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
e5dc30e0 by Lukas Slebodnik at 2018-10-09T21:11:25Z
MAN: Fix typo in ad_gpo_implicit_deny default value
Merges: https://pagure.io/SSSD/sssd/pull-request/3846
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
42f69e26 by Sumit Bose at 2018-10-10T21:02:36Z
p11_child: add --wait_for_card option
The --wait_for_card option will let the p11_child wait until a
Smartcard/token is available in a slot with the removable flag.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
2e4ecf5a by Sumit Bose at 2018-10-10T21:02:46Z
PAM: add p11_wait_for_card_timeout option
If the --wait_for_card is used to call p11_child the PAM responder
should be prepared to wait longer until p11_child can return
successfully.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d33a8bed by Sumit Bose at 2018-10-10T21:02:51Z
pam_sss: make flags public
To allow the PAM responder to act on the config flags set for pam_sss
the flags have to be made public first.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d3a18f06 by Sumit Bose at 2018-10-10T21:02:54Z
pam_sss: add try_cert_auth option
With this new option pam_sss can be configured to only do Smartcard
authentication or return an error if this is not possible.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
49be8974 by Sumit Bose at 2018-10-10T21:02:57Z
pam_sss: add option require_cert_auth
With this new option pam_sss will wait until a Smartcard is available
and then try to authenticate with the help of the Smartcard.
Related https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5cdb6968 by Sumit Bose at 2018-10-10T21:03:01Z
intg: require SC tests
Integration test for the new try_cert_auth and require_cert_auth option
for pam_sss.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
46fd681a by Sumit Bose at 2018-10-10T21:06:16Z
p11_child: show PKCS#11 URI in debug output
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
f7b2152a by Sumit Bose at 2018-10-10T21:06:21Z
p11_child: add PKCS#11 uri to restrict selection
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
725b6508 by Sumit Bose at 2018-10-10T21:06:26Z
PAM: add p11_uri option
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
4a22fb6b by Sumit Bose at 2018-10-10T21:06:31Z
tests: add PKCS#11 URI tests
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7a2e56d0 by Tomas Halman at 2018-10-10T21:11:50Z
test_config: Test for invalid character in domain
There was a bug allowing forbidden characters in config file section name.
The bug has been fixed in the meantime but we decided to write the test to avoid
regression.
Resolves:
https://pagure.io/SSSD/sssd/issue/3334
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
dbd717fe by Sumit Bose at 2018-10-10T21:14:01Z
PAM: return short name for files provider users
If the 'allow_missing_name' option is used with pam_sss and the user
name will be determined based on the certificate content and the mapping
rules the PAM responder will by default return the fully-qualified name
of the user which is then later used by other PAM modules as well.
For local users which are configured to use SSSD for Smartcard
authentication this might cause issues in other PAM modules because they
are not aware of the fully-qualified name and will treat the user as
unknown.
With this patch the PAM responder will return the short name for all
users handled by the files provider.
Related to https://pagure.io/SSSD/sssd/issue/3848
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
941e67b0 by Jakub Hrozek at 2018-10-15T19:56:58Z
TESTS: Add a test for whitespace trimming in netgroup entries
This is a unit test for commit dbb1abae6eaa9df24f61e3a9f855e2461a66a197
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
1e67da79 by Jakub Hrozek at 2018-10-15T19:58:48Z
TESTS: Add two basic multihost tests for the files provider
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
7b3794fb by Jakub Hrozek at 2018-10-15T19:58:54Z
FILES: The files provider should not enumerate
Resolves:
https://pagure.io/SSSD/sssd/issue/3849
For reason I cannot explain now, the files provider always enumerates.
There is commit a60e6ec which implements this, but it's clearly wrong,
because then the plain getent passwd output contains duplicates from
nss_files and nss_sss:
$ getent passwd | sort
adm:x:3:4:adm:/var/adm:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
certuser:x:10329:10330::/home/certuser:/bin/bash
certuser:x:10329:10330::/home/certuser:/bin/bash
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
chrony:x:997:994::/var/lib/chrony:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
91c608d0 by Sumit Bose at 2018-10-15T20:02:55Z
p11_child: add OCSP check to the OpenSSL version
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
3c096c9a by Sumit Bose at 2018-10-15T20:02:58Z
p11_child: add crl_file option for the OpenSSL build
In the NSS build a Certificate Revocation List (CRL) can just be added
to the NSS database. For OpenSSL a separate file is needed.
Related to https://pagure.io/SSSD/sssd/issue/3489
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7794caec by Jakub Hrozek at 2018-10-15T20:05:00Z
p11: Fix two instances of -Wmaybe-uninitialized in p11_child_openssl.c
If uri_str was passed to the p11_child and parsing the URI failed, then
modules would be uninitialized, but freed in the done handler with
p11_kit_modules_finalize_and_release()
Also, another warning is suppressed by setting the 's' variable to zero.
While it cannot happen that the variable will be uninitialized, we
should help the compiler by setting a value explicitly.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
250e8225 by Pavel Březina at 2018-10-15T20:06:27Z
sudo: use correct sbus interface
Internal dbus interfaces were renamed to shorter names in sbus2.
Resolves:
https://pagure.io/SSSD/sssd/issue/3854
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
8fbaf224 by Pavel Březina at 2018-10-15T20:06:30Z
sudo: fix error handling in sudosrv_refresh_rules_done
If sbus returns non-zero code then the output variables are not set and
therefore we access uninitialized memory.
Resolves:
https://pagure.io/SSSD/sssd/issue/3854
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
c74b430b by Pavel Březina at 2018-10-15T20:06:33Z
sbus: remove leftovers from previous implementation
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
05ba237a by Lukas Slebodnik at 2018-10-15T20:11:20Z
CONFIGURE: Add minimal required version for p11-kit
There are few functions which were added in upstream p11-kit 0.23.3.
And there are compilation failures with older versions.
src/p11_child/p11_child_openssl.c: In function 'get_pkcs11_uri':
src/p11_child/p11_child_openssl.c:87:12: error: implicit declaration of function 'p11_kit_uri_get_slot_info' [-Werror=implicit-function-declaration]
memcpy(p11_kit_uri_get_slot_info(uri), slot_info, sizeof(CK_SLOT_INFO));
^
src/p11_child/p11_child_openssl.c:88:5: error: implicit declaration of function 'p11_kit_uri_set_slot_id' [-Werror=implicit-function-declaration]
p11_kit_uri_set_slot_id(uri, slot_id);
^
src/p11_child/p11_child_openssl.c: In function 'do_card':
src/p11_child/p11_child_openssl.c:767:35: error: implicit declaration of function 'p11_kit_uri_get_slot_id' [-Werror=implicit-function-declaration]
uri_slot_id = p11_kit_uri_get_slot_id(uri);
^
src/p11_child/p11_child_openssl.c:770:32: error: implicit declaration of function 'p11_kit_uri_match_slot_info' [-Werror=implicit-function-declaration]
|| p11_kit_uri_match_slot_info(uri, &info) != 1) {
^
Merges: https://pagure.io/SSSD/sssd/pull-request/3852
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d143319b by Lukas Slebodnik at 2018-10-15T20:13:08Z
SBUS: Silence warning maybe-uninitialized
It should not happen because function sbus_interface_find_property
should return NULL for access different than SBUS_PROPERTY_READABLE
or SBUS_PROPERTY_WRITABLE. And thus we would return ERR_SBUS_UNKNOWN_PROPERTY
from the function sbus_request_property.
src/sbus/interface/sbus_properties.c: In function 'sbus_request_property.isra.0':
src/sbus/interface/sbus_properties.c:360:14:
error: 'type' may be used uninitialized in this function
[-Werror=maybe-uninitialized]
sbus_req = sbus_request_create(mem_ctx, conn, type, destination,
~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface_name, property_name, path);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Merges: https://pagure.io/SSSD/sssd/pull-request/3851
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
46c483c0 by Sumit Bose at 2018-10-16T11:26:04Z
files: add session recording flag
If session recording is configured for a group the NSS and PAM
responder rely on an attribute in the cache set by the backend to
determine if session recording is configured for the user or not. This
flag is typically set during the initgroups request.
Since the files provider does not have a dedicated initgroups request
the attribute must be set otherwise. This patch sets it for all users
after the files are reloaded.
Related to https://pagure.io/SSSD/sssd/issue/3855
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
fc29c3eb by Jakub Hrozek at 2018-10-16T11:26:08Z
UTIL: Suppress Coverity warning
We recently added this code:
    if (domain_name != NULL
            && is_files_provider(find_domain_by_name(dom,
                                                     domain_name,
                                                     false)))
find_domain_by_name returns NULL if the domain_name can't be found. This
of course makes mostly sense for trusted domains that can appear and
disappear. And is_files_provider() didn't handle the situation where the
domain pointer was NULL and would directly dereference it.
This commit just adds a NULL check for the domain pointer so that
is_files_provider() returns 'false' if the domain pointer was NULL.
Another alternative might be to check the return value of
find_domain_by_name(), but I don't think it's worth the trouble.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f62f3b29 by Tomas Halman at 2018-10-23T20:48:42Z
UTIL: move and rename sysdb_error_to_errno to utils
The function sysdb_error_to_errno() is used by multiple components,
so we want to move it to shared place. Function is renamed to
sss_ldb_error_to_errno() and moved to util/util_errors.c.
Old name is still #defined in sysdb.h and points to new
name.
Also a few places where ldb error code was handled manually
have been updated to use sss_ldb_error_to_errno.
Resolves:
https://pagure.io/SSSD/sssd/issue/3802
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
a0280715 by Niranjan M.R at 2018-10-23T20:52:09Z
testlib: Update update_resolv_conf() to decode str to bytes
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ac04d19f by Niranjan M.R at 2018-10-23T20:52:14Z
testlib: Replace Generic Exception with SSSDException and LdapException
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
dd2e6f26 by Madhuri Upadhye at 2018-10-23T20:56:18Z
pytest: Add test cases for configuration validation
Test cases cover configuration validation for sssd.conf,
"config-check" option of the "sssctl" command to locate
problems in the configuration file.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
f0603645 by Jakub Hrozek at 2018-10-24T09:56:48Z
PYSSS: Re-add the pysss.getgrouplist() interface
Related:
https://pagure.io/SSSD/sssd/issue/3493
Commit 0e211b8ba30c3adcdeef21ca1339b194cbfffb04 was supposed to remove
only the parts of the pysss API that relate to the local domain. But it
removed also the getgrouplist() method by accident. This method is very
important to IPA, so we need to add it back.
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b4063b2d by Sumit Bose at 2018-10-25T09:57:13Z
ifp: fix typo causing a crash in FindByNameAndCertificate
Due to a typo in the recent refactoring the InfoPipe crashes in the
FindByNameAndCertificate request.
Additionally a state variable is set to the expected value.
Related to https://pagure.io/SSSD/sssd/issue/3863
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ed476c87 by Tomas Halman at 2018-11-05T19:28:14Z
DYNDNS: Drop support for legacy NSUPDATE
We should drop support for legacy versions of NSUPDATE that don't
support 'realm' option. The option 'realm' was added in
BIND 9.8.0a1.
Resolves:
https://pagure.io/SSSD/sssd/issue/2817
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
4760eae9 by Pavel Březina at 2018-11-05T19:30:51Z
sbus: allow access for sssd user
D-Bus allows access for root and euid by default, however when running
in non-root mode monitor continues to run as root but responders as sssd
user. Therefore monitor euid != sssd user and the connection is terminated.
We must explicitly allow the connection for sssd user uid.
Resolves:
https://pagure.io/SSSD/sssd/issue/3871
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
0882793e by Jakub Hrozek at 2018-11-05T19:33:03Z
IFP: Use subreq, not req when calling RefreshRules_recv
This emits a failure when refreshing access control rules from e.g.
sssctl access-report.
Resolves:
https://pagure.io/SSSD/sssd/issue/3874
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
c42fb8de by Jakub Hrozek at 2018-11-07T20:34:32Z
CI: Make the c-ares suppression file more relaxed to prevent failures on Debian
Prevents tests running under valgrind from failing with:
==9189== 2 bytes in 1 blocks are possibly lost in loss record 1 of 195
==9189== at 0x48357BF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9189== by 0x60C7EF9: strdup (strdup.c:42)
==9189== by 0x6E6C0EE: ares_init_options (in /usr/lib/x86_64-linux-gnu/libcares.so.2.2.0)
==9189== by 0x5F96674: recreate_ares_channel (async_resolv.c:430)
==9189== by 0x5F967D6: resolv_init (async_resolv.c:471)
==9189== by 0x5F83147: be_res_init (data_provider_fo.c:884)
==9189== by 0x5F83147: be_res_init (data_provider_fo.c:865)
==9189== by 0x5F832B8: be_init_failover (data_provider_fo.c:70)
==9189== by 0x127876: test_ipa_server_create_trusts_setup (test_ipa_subdomains_server.c:311)
==9189== by 0x48541E2: ??? (in /usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1)
==9189== by 0x4854A16: _cmocka_run_group_tests (in /usr/lib/x86_64-linux-gnu/libcmocka.so.0.5.1)
==9189== by 0x1146CC: main (test_ipa_subdomains_server.c:999)
The failure is expected as the tests fork but the child processes never
clean up after themselves.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8007d615 by Jakub Hrozek at 2018-11-07T20:38:30Z
INI: Return errno, not -1 on failure from sss_ini_get_stat
sss_ini_get_stat() has two branches for two libini versions. The newer
version directly returns EIO on failure, but the old version would have
returned the return value from fstat() directly. And fstat() returns -1
on failure but sets errno. This patch returns errno on failure and EOK
on success.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
4b52ed06 by Jakub Hrozek at 2018-11-07T20:38:45Z
MONITOR: Don't check for pidfile if SSSD is already running
Related:
https://pagure.io/SSSD/sssd/issue/3862
The --genconf option of sssd is meant to be used to reload configuration from a
systemd socket-activated service. But it would only work if sssd was not
running, which defies its purpose.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
92b8f8d4 by Jakub Hrozek at 2018-11-07T20:38:50Z
SSSD: Allow refreshing only certain section with --genconf
Related:
https://pagure.io/SSSD/sssd/issue/3862
Adds a new option --genconf-section for the sssd binary. If this new
option --genconf-section is used, then only the section passed as this
option's value is refreshed.
Conversely, if this section no longer exists in the config file, then it
is removed from the confdb
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
c53fc08a by Jakub Hrozek at 2018-11-07T20:38:53Z
SYSTEMD: Re-read KCM configuration on systemctl restart kcm
Related:
https://pagure.io/SSSD/sssd/issue/3862
Uses the sssd command together with the --genconf-section=kcm option to
refresh the kcm configuration when the sssd-kcm systemd service is
restarted.
This allows the administrator to e.g. just drop a snippet to
/etc/sssd.conf.d/ or create the [kcm] section directly in the main sssd
config file, then just restart the sssd-kcm service for the changes to
apply.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
fc25224e by Jakub Hrozek at 2018-11-07T20:38:55Z
TEST: Add a multihost test for sssd --genconf
Related:
https://pagure.io/SSSD/sssd/issue/3862
Adds a multihost test to make sure the genconf switch of sssd works in
general and even with sssd running.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
66da9d9d by Jakub Hrozek at 2018-11-07T20:38:59Z
TESTS: Add a multihost test for changing sssd-kcm debug level by just restarting the KCM service
Related:
https://pagure.io/SSSD/sssd/issue/3862
Adds a test for the previous patches to make sure just restarting
sssd-kcm with changes to the [kcm] section applies the configuration
options from the kcm section.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
1ee12b05 by Lukas Slebodnik at 2018-11-08T10:55:17Z
UTIL: Fix compilation with curl 7.62.0
The macro CURLE_SSL_CACERT is deprecated in upstream curl
since commit 3f3b26d6feb0667714902e836af608094235fca2.
commit 3f3b26d6feb0667714902e836af608094235fca2
Author: Han Han <hhan at thousandeyes.com>
Date: Wed Aug 22 11:13:32 2018 -0700
ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
Long live CURLE_PEER_FAILED_VERIFICATION
sh$ git tag --contains 3f3b26d6feb0667714902e836af608094235fca2
curl-7_62_0
It was not removed. It is just an alias to
CURLE_PEER_FAILED_VERIFICATION which causes compile time failures in
switch/case.
./src/util/tev_curl.c: In function 'curl_code2errno':
./src/util/tev_curl.c:113:5: error: duplicate case value
case CURLE_PEER_FAILED_VERIFICATION:
^~~~
./src/util/tev_curl.c: 100:5: note: previously used here
case CURLE_SSL_CACERT:
^~~~
Merges: https://pagure.io/SSSD/sssd/pull-request/3878
Resolves:
https://pagure.io/SSSD/sssd/issue/3875
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
4f824eca by Lukas Slebodnik at 2018-11-13T11:47:40Z
test_pac_responder: Skip test if pac responder is not installed
Merges: https://pagure.io/SSSD/sssd/pull-request/3881
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
fdbe67a8 by Lukas Slebodnik at 2018-11-13T11:47:46Z
INTG: Show extra test summary info with pytest
It will show reasons why tests were skipped.
e.g.
====================== test session starts ========================
platform linux -- Python 3.7.1, pytest-3.9.3, py-1.5.4,
pluggy-0.7.1 -- /usr/bin/python3
cachedir: .pytest_cache
rootdir: /dev/shm/sssd/src/tests/intg, inifile:
collected 286 items / 285 deselected
test_pac_responder.py::test_multithreaded_pac_client SKIPPED [100%]
==================== short test summary info ======================
SKIP [1] test_pac_responder.py:108: No PAC responder, skipping
Merges: https://pagure.io/SSSD/sssd/pull-request/3881
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
55470b17 by Sumit Bose at 2018-11-13T11:48:13Z
pam_sss: return PAM_AUTHINFO_UNAVAIL if sc options are set
If pam_sss is called for PAM_USER root it currently returns
PAM_USER_UNKNOWN since SSSD does not handle root. To meet the documented
behavior if one of the sc options is used pam_sss should return
PAM_AUTHINFO_UNAVAIL in this case as well.
Related to https://pagure.io/SSSD/sssd/issue/3876
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5e703d3d by Lukas Slebodnik at 2018-11-19T09:14:55Z
p11_child: Fix warning cast discards ‘const’ qualifier from pointer target type
The function process_responder had parameter port defined as const and
it was used in macro BIO_set_conn_port which cast 2nd parameter to
(char*)
# define BIO_set_conn_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,1, \
(char *)(port))
src/p11_child/p11_child_openssl.c: In function ‘process_responder’:
src/p11_child/p11_child_openssl.c:157:9: error: cast discards ‘const’ qualifier from pointer target type [-Werror=cast-qual]
BIO_set_conn_port(cbio, port);
^~~~~~~~~~~~~~~~~
Merges: https://pagure.io/SSSD/sssd/pull-request/3880
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f02714d6 by Lukas Slebodnik at 2018-11-19T09:17:40Z
CI: Modify suppression file for c-ares-1.15.0
Valgrind does not generate full stack trace for errors.
It is just limited amount of frames. Therefore we cannot see main
function with the new c-ares.
The suppression file generated with c-ares-1.14.0
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: possible
fun:malloc
fun:strdup
fun:ares_init_options
fun:recreate_ares_channel
fun:resolv_init
fun:be_res_init
fun:be_res_init
fun:be_init_failover
fun:test_ipa_server_create_trusts_setup
obj:/usr/lib64/libcmocka.so.0.5.1
fun:_cmocka_run_group_tests
fun:main
}
The suppression file generated with c-ares-1.15.0
{
<insert_a_suppression_name_here>
Memcheck:Leak
match-leak-kinds: possible
fun:malloc
fun:strdup
obj:/usr/lib64/libcares.so.2.3.0
obj:/usr/lib64/libcares.so.2.3.0
fun:ares_init_options
fun:recreate_ares_channel
fun:resolv_init
fun:be_res_init
fun:be_res_init
fun:be_init_failover
fun:test_ipa_server_create_trusts_setup
obj:/usr/lib64/libcmocka.so.0.5.1
fun:_cmocka_run_group_tests
}
Merges: https://pagure.io/SSSD/sssd/pull-request/3884
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6dcc34d0 by Niranjan M.R at 2018-11-22T21:31:20Z
pytest/sudo: Modify fixture to restore sssd.conf
Modify set_case_sensitive_false fixture to restore sssd.conf
back to the original sssd.conf after running test_case_senitivity
test case
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ba87d783 by Niranjan M.R at 2018-11-22T21:31:23Z
pytest/sudo: Rename create_sudorule to case_sensitive_sudorule
Add del_sudo_rule function to delete the sudo rules
after test_sensitivity completes.
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
4dcef883 by Niranjan M.R at 2018-11-22T21:31:26Z
pytest/sudo: call case_sensitive_sudorule fixture instead of create_sudorule
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a5133f3a by Niranjan M.R at 2018-11-22T21:31:29Z
pytest/sudo: Add 2 fixtures set_entry_cache_sudo_timeout and generic_sudorule
set_entry_cache_sudo_timeout: this fixture adds entry_cache_sudo_timeout
to domain sections of sssd.conf
generic_sudorule: This is a generic sudo rule adding command /usr/bin/less
to be executed by posix user
generic_sudorule: Adds a generic sudo rule to access /usr/bin/less
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
fa2106a7 by Niranjan M.R at 2018-11-22T21:31:32Z
pytest/sudo: Add Testcase: sssd crashes when refreshing expired sudo rules.
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5c550e72 by Niranjan M.R at 2018-11-22T21:31:36Z
pytest: use ConfigParser() instead of SafeConfigParser()
fix the warnings of SafeConfigParser being deprecated
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
406b731d by Pavel Březina at 2018-11-22T21:40:31Z
nss: use enumeration context as talloc parent for cache req result
Otherwise we end up with memory leak since the result is never freed.
We need to convert nctx->*ent structures into talloc pointer so
we can use enum_ctx as parent.
Resolves:
https://pagure.io/SSSD/sssd/issue/3870
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
291071cb by Tomas Halman at 2018-11-22T21:43:12Z
SSSCTL: user-show says that user is expired
sssctl user-show says that user is expired if the user comes from files
provider. This is ok because files user's expiration time is always set
to 0 but we should print a better, less confusing message.
The same change applies to groups.
Resolves:
https://pagure.io/SSSD/sssd/issue/3858
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
75696ddc by Jakub Hrozek at 2018-11-22T21:47:37Z
RESPONDER: Log failures from bind() and listen()
We've seen reports from users where SSSD (for a reason which is not
known at the moment) couldn't bind to the created socket. This patch
just logs the errno which should help in debugging issues like that in
the future.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
6286f812 by Sumit Bose at 2018-11-22T21:48:46Z
p11_child(NSS): print key type in a debug message
NSS can handle EC keys automatically but a debug message indicating
which key type is used might be useful.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ef631f9e by Sumit Bose at 2018-11-22T21:48:51Z
pam_test_srv: set default value for SOFTHSM2_CONF
Currently the SOFTHSM2_CONF is not set by any fixture but some tests
set it and others might rely on the setting done by a previous test.
This means that the tests have to run in a given order and depend on
each other.
To remove this dependency SOFTHSM2_CONF is set in the fixture to the
"default" SoftHSM2 configuration with one valid certificate. Any test
which needs a different setup must now set SOFTHSM2_CONF explicitly.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a0cdc3bd by Sumit Bose at 2018-11-22T21:48:54Z
tests: add ECC CA
To be able to test certificates with elliptic curve (EC) keys a new test
CA with this kind of keys is added.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a7421b52 by Sumit Bose at 2018-11-22T21:48:58Z
test_pam_srv: add test for certificate with EC keys
Add an authentication test with a certificate with EC keys.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d64d9cfb by Sumit Bose at 2018-11-22T21:49:00Z
p11_child(openssl): add support for EC keys
Add support for EC keys to the OpenSSL version of p11_child. Please see
comments in the code for some technical details.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ad3356d1 by Sumit Bose at 2018-11-22T21:49:03Z
utils: refactor ssh key extraction (OpenSSL)
Prepare the current code to allow adding other key types.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
41c4661b by Sumit Bose at 2018-11-22T21:49:05Z
utils: add ec_pub_key_to_ssh() (OpenSSL)
Add EC key support for the OpenSSL version of the ssh key extraction
code.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
4e627add by Sumit Bose at 2018-11-22T21:49:08Z
utils: refactor ssh key extraction (NSS)
Prepare the current code to allow adding other key types.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
3906e5f4 by Sumit Bose at 2018-11-22T21:49:11Z
utils: add ec_pub_key_to_ssh() (NSS)
Add EC key support for the NSS version of the ssh key extraction code.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
53e6fdfd by Sumit Bose at 2018-11-26T09:24:14Z
BUILD: Accept krb5 1.17 for building the PAC plugin
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
08bba3a6 by Sumit Bose at 2018-11-26T09:24:18Z
tests: fix mocking krb5_creds in test_copy_ccache
To just test some ccache related functionality without talking to an
actual KDC to get the tickets some needed libkrb5 structs were mocked
based on tests from the MIT Kerberos source code. One struct member
(is_skey) was so far not regarded by libkrb5 for our test case. But a
recent fix for http://krbdev.mit.edu/rt/Ticket/Display.html?id=8718
changed this and we have to change the mocking.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
1617f3e3 by Sumit Bose at 2018-11-26T09:24:25Z
tests: increase p11_child_timeout
With a recent version of valgrind some tests failed during a CI run with a
timeout. To avoid this the related p11_child_timeout is increased for
the affected tests.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
09091b4b by Jakub Hrozek at 2018-11-26T20:39:54Z
LDAP: minor refactoring in auth_send() to conform to our coding style
Related:
https://pagure.io/SSSD/sssd/issue/3451
A tevent _send() function should only return NULL on ENOMEM, otherwise
it should mark the request as failed but return the req pointer. This
was not much of an issue, before, but the next patch will add another
function call to the auth_send call which would make error handling
awkward.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
57fc60c9 by Jakub Hrozek at 2018-11-26T20:40:05Z
LDAP: Only authenticate the auth connection if we need to look up user information
Related:
https://pagure.io/SSSD/sssd/issue/3451
Commit add72860c7a7a2c418f4d8b6790b5caeaf7dfb7b initially addressed #3451 by
using the full sdap_cli_connect() request during LDAP authentication. This
was a good idea as it addressed the case where the authentication connection
must also look up some user information (typically with id_provider=proxy
where you don't know the DN to bind as during authentication), but this
approach also broke the use-case of id_provider=ldap and auth_provider=ldap
with ldap_sasl_auth=gssapi.
This is because (for a reason I don't know) AD doesn't like if you use
both GSSAPI and startTLS on the same connection. But the code would
force TLS during the authentication as a general measure to not transmit
passwords in the clear, but then, the connection would also see that
ldap_sasl_auth=gssapi is set and also bind with GSSAPI.
This patch checks if the user DN is already known and if yes, then
doesn't authenticate the connection as the connection will then only be
used for the user simple bind.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6f113c7d by Sumit Bose at 2018-11-26T20:40:14Z
LDAP: Log the encryption used during LDAP authentication
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
df9e4802 by Tomas Halman at 2018-12-05T19:46:51Z
DYNDNS: Convert dyndns timer to be_ptask
We have API for periodic tasks and we want to
use it instead of tevent timers.
Resolves:
https://pagure.io/SSSD/sssd/issue/1944
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
f4794035 by Pavel Březina at 2018-12-05T19:49:49Z
sss_iface: prevent from using invalid names that start with digits
https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names
- Bus names that start with a colon (':') character are unique connection names. Other bus names are called well-known bus names.
- Bus names are composed of 1 or more elements separated by a period ('.') character. All elements must contain at least one character.
- Each element must only contain the ASCII characters "[A-Z][a-z][0-9]_-", with "-" discouraged in new bus names. Only elements that are part of a unique connection name may begin with a digit, elements in other bus names must not begin with a digit.
- Bus names must contain at least one '.' (period) character (and thus at least two elements).
- Bus names must not begin with a '.' (period) character.
- Bus names must not exceed the maximum name length (255).
Resolves:
https://pagure.io/SSSD/sssd/issue/3872
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
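
The bus-name rules quoted in the commit message above, written out as a validator. This is an added example, not code from the SSSD commit. The helper bus_name_from_domain(), its '_' rewriting scheme and the org.example.Service prefix are assumptions made for illustration; they show why a domain name that begins with a digit cannot be used verbatim as a name element.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUS_NAME_MAX 255   /* maximum name length from the rules above */

static bool is_digit(char c) { return c >= '0' && c <= '9'; }

/* Non-digit characters allowed in an element: [A-Z][a-z]_- */
static bool is_name_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
           || c == '_' || c == '-';
}

/* Check a bus name against the rules listed in the commit message. */
bool bus_name_is_valid(const char *name)
{
    size_t len, i, elem_len = 0, elems = 0;
    bool unique;

    if (name == NULL) return false;
    len = strlen(name);
    if (len == 0 || len > BUS_NAME_MAX) return false;

    unique = (name[0] == ':');          /* unique connection name */
    for (i = unique ? 1 : 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {
            /* Empty element; this also rejects a leading '.' */
            if (elem_len == 0) return false;
            elems++;
            elem_len = 0;
            continue;
        }
        if (is_digit(c)) {
            /* Only unique connection names may start an element with a digit */
            if (elem_len == 0 && !unique) return false;
        } else if (!is_name_char(c)) {
            return false;
        }
        elem_len++;
    }
    if (elem_len == 0) return false;    /* trailing '.' or a bare ":" */
    return elems + 1 >= 2;              /* at least two elements */
}

/* Hypothetical helper (not SSSD's scheme): build "<prefix>.<domain>" as a
 * well-known bus name. Characters outside the allowed set become '_' and an
 * element that would begin with a digit gets a leading '_'.
 * Returns 0 on success, -1 if the result does not fit or is still invalid. */
int bus_name_from_domain(const char *prefix, const char *domain,
                         char *out, size_t outlen)
{
    bool elem_start = true;
    size_t n;
    int w;

    if (prefix == NULL || domain == NULL || out == NULL) return -1;
    w = snprintf(out, outlen, "%s.", prefix);
    if (w < 0 || (size_t)w >= outlen) return -1;
    n = (size_t)w;

    for (const char *p = domain; *p != '\0'; p++) {
        char c = *p;
        if (c != '.' && !is_name_char(c) && !is_digit(c)) c = '_';
        if (elem_start && is_digit(c)) {
            if (n + 1 >= outlen) return -1;
            out[n++] = '_';
        }
        if (n + 1 >= outlen) return -1;  /* keep room for the terminator */
        out[n++] = c;
        elem_start = (c == '.');
    }
    out[n] = '\0';
    return bus_name_is_valid(out) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs */
    const char *samples[] = { "org.freedesktop.DBus", ":1.42",
                              "org.example.1domain", "org", ".org.example" };
    char buf[BUS_NAME_MAX + 1];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-24s %s\n", samples[i],
               bus_name_is_valid(samples[i]) ? "valid" : "invalid");
    }
    if (bus_name_from_domain("org.example.Service", "1domain.test",
                             buf, sizeof(buf)) == 0) {
        printf("rewritten: %s\n", buf);
    }
    return 0;
}
```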
- - - - -
36255b89 by Pavel Březina at 2018-12-05T20:01:14Z
ci: add ability to run tests in jenkins
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
807bbce2 by Jakub Hrozek at 2018-12-05T20:02:39Z
PROXY: Copy the response to the caller
Resolves:
https://pagure.io/SSSD/sssd/issue/3892
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7354e59e by George McCollister at 2018-12-10T22:18:11Z
build: remove hardcoded samba include path
SMBCLIENT_FLAGS already provides the samba-4.0 include path. Remove the
hardcoded samba include path which causes cross-compilation warnings
such as:
cc1: warning: include location "/usr/include/samba-4.0" is unsafe for
cross-compilation [-Wpoison-system-directories]
These warnings are treated as errors on build systems such as
OpenEmbedded.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5565dd36 by Tomas Halman at 2018-12-10T22:20:39Z
DYNDNS: SSSD does not batch DDNS update requests
SSSD includes a 'send' command in between each record modification
and does not batch DDNS update requests. This is problematic in
complex AD environments because those requests may not be processed
by the same server.
Now forward zone update is done in two steps - one per
protocol family. If dyndns_update_per_family is set
to false, update is performed in single step.
Resolves:
https://pagure.io/SSSD/sssd/issue/3829
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
9096fc01 by Sumit Bose at 2018-12-11T21:31:31Z
Revert "IPA: use forest name when looking up the Global Catalog"
This reverts commit 149174acae677d1e72a0da431bf0850d55f2ccb4.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
62d671b8 by Sumit Bose at 2018-12-11T21:31:38Z
ipa: use only the global catalog service of the forest root
While creating the domains and sub-domains each domain gets a global
catalog service assigned but only one should be used because the global
catalog is by definition responsible for the whole forest so it does not
make sense to use a global catalog service for each domain and in the
worst case connect to the same GC multiple times.
In the AD provider this is simple because the GC service of the
configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA
case all domains from the trusted forest are on the level of sub-domains
so we have to pick one. Since the forest root is linked from all domains
of the same forest it will be the most straightforward choice.
Related to https://pagure.io/SSSD/sssd/issue/3902
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
90f32399 by Tomas Halman at 2018-12-11T21:51:20Z
nss: sssd returns '/' for empty home directories
For empty home directory in passwd file sssd returns "/". Sssd
should respect system behaviour and return the same as nsswitch
"files" module - return empty string.
Resolves:
https://pagure.io/SSSD/sssd/issue/3901
Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d33eaac8 by Sumit Bose at 2018-12-13T11:06:51Z
p11_child(openssl): do not free static memory
Coverity found a code path where we try to free a static array, this
patch removes it.
Related to https://pagure.io/SSSD/sssd/issue/3887
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
e49e9f72 by Sumit Bose at 2018-12-13T11:09:13Z
krb5_child: fix permissions during SC auth
For PKINIT we might need access to the pcscd socket which by default is
only allowed for authenticated users. Since PKINIT is part of the
authentication and the user is not authenticated yet, we have to use
different privileges and can drop it only after the TGT is
received. The fast_uid and fast_gid are the IDs the backend is running
with. This can be either root or the 'sssd' user. Root is allowed by
default and the 'sssd' user is allowed with the help of the
sssd-pcsc.rules policy-kit rule. So those IDs are a suitable choice. We
can only call switch_creds() because after the TGT is returned we have
to switch to the IDs of the user to store the TGT.
The final change to the IDs of the user is not only important for KCM
type credential caches but for file based ccache types like FILE or DIR
as well.
Related to https://pagure.io/SSSD/sssd/issue/3903
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
61e4ba58 by Jakub Hrozek at 2018-12-13T11:14:06Z
NSS: Avoid changing the memory cache ownership away from the sssd user
Resolves:
https://pagure.io/SSSD/sssd/issue/3890
In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.
This conflicts with the packaging which specifies sssd.sssd as the owner. And
in turn, this means that users can't reliably assess the package integrity
using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that it becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense,
a process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:
type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for
pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set
to read only.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
17062587 by Alexey Tikhonov at 2018-12-13T11:16:35Z
Fix error in hostname retrieval
Fix off-by-one error in gethostname() param
Resolves:
https://pagure.io/SSSD/sssd/issue/3865
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
15bde7da by Alexey Tikhonov at 2019-01-06T19:12:55Z
util/tev_curl: Fix double free error in schedule_fd_processing()
Prevents deletion of already executed timer.
libcurl calls schedule_fd_processing every time it wants to have (new)
timer setup. And it happens quite a lot of times.
Being called schedule_fd_processing wants to delete previous timer before
creating new one. That's basically proper action. The problem is it sometimes
tries to delete non-existent (already executed and deleted by libtevent)
timer. This is "double free" case.
Proposed patch sets timer pointer in tcurl_ctx to NULL at the end of timer
handler (actually can be placed anywhere in the handler: handler called =>
timer deleted by libtevent). That prevents schedule_fd_processing from
freeing already freed memory. And I think it is good idea overall to not
have pointers to freed memory (dangling pointers). This should be safe
operation since all processes are single-thread proces
Resolves:
https://pagure.io/SSSD/sssd/issue/3917
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
814889a7 by Tomas Halman at 2019-01-06T19:17:19Z
ifp: extraAttributes is UnknownProperty
Attempting to get extraAttributes via SSSD's ifp fails.
Here I uncomment interface function for extraAttributes.
Also the right for querying this interface is changed to allow
this request.
Resolves:
https://pagure.io/SSSD/sssd/issue/3906
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
e4469fbd by Adam Williamson at 2019-01-06T19:20:29Z
sbus: use 120 second default timeout
As discussed in #1654537, first login to a system as a FreeIPA
domain user now usually causes an expensive SELinux operation
to happen; this can take longer than the default bus message
timeout of 25 seconds. To deal with this for now, let's use a
120 second default timeout; this is a big hammer, but unless we
can refactor things to use a longer timeout just for that one
call, or make the actual operation take less time, there's not
much else we can do.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1654537
Resolves:
https://pagure.io/SSSD/sssd/issue/3909
Signed-off-by: Adam Williamson <awilliam at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
02c15d40 by Jakub Hrozek at 2019-01-08T22:19:21Z
KCM: Deleting a non-existent ccache should not yield an error
Resolves:
https://pagure.io/SSSD/sssd/issue/3910
When the KCM destroy operation is called, it receives a name as an input. If
the name cannot be found, we would currently return KRB5_CC_NOTFOUND. But
other ccache types return KRB5_FCC_NOFILE in that case and e.g. utilities
like kdestroy special case KRB5_FCC_NOFILE to be non-fatal.
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
46e52b03 by Jakub Hrozek at 2019-01-08T22:19:45Z
TESTS: Add a test for deleting a non-existent ccache with KCM
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
f94881d4 by Jakub Hrozek at 2019-01-08T22:22:53Z
MAN: Explicitly state that not all generic domain options are supported for the files provider
Resolves:
https://pagure.io/SSSD/sssd/issue/3882
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
8e9e8011 by Alexey Tikhonov at 2019-01-10T21:19:46Z
CONFIG: validator rules & test
Add support of 'certmap' config section to validator rules
Resolves:
https://pagure.io/SSSD/sssd/issue/3845
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
bf248a39 by Pavel Březina at 2019-01-10T21:27:59Z
ci: add Fedora 29
Enables testing on Fedora 29 distro.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
8a3517c5 by Michal Židek at 2019-01-10T21:34:49Z
confdb: Always read snippet files
This patch removes the ldif with fallback configuration
and adds the fallback configuration as in-memory
INI snippet.
Fixes:
https://pagure.io/SSSD/sssd/issue/3439
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
b66f8dc3 by Michal Židek at 2019-01-10T21:34:52Z
CONFDB: Remove old libini support
Remove code that uses libini older than v1
Related:
https://pagure.io/SSSD/sssd/issue/3439
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ea7ada6c by Sumit Bose at 2019-01-10T21:39:52Z
idmap_sss: improve man page
The misleading in the idmap_sss man page is improved.
Related to https://pagure.io/SSSD/sssd/issue/3912
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
bc1e8ffd by Pavel Březina at 2019-01-17T20:47:41Z
sbus: do not use signature when copying dictionary entry
Resolves:
https://pagure.io/SSSD/sssd/issue/3921
When we open container for DBUS_TYPE_DICT_ENTRY, dbus expects the
signature to be NULL.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b3285f9f by Jakub Hrozek at 2019-01-28T20:42:18Z
AD/IPA: Reset subdomain service name, not domain name
Related:
https://pagure.io/SSSD/sssd/issue/3911
Since commit 778f241e78241b0d6b8734148175f8dee804f494 the subdomain fail
over services use the "sd_" prefix. This was done to make it easier,
until the whole failover design works better with subdomains, to see
which services belong to the main domain from tools.
However, some parts of the code would still just use the domain name for
the failover service, which meant the service was not found, notably
when trying to reset services:
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [ipa_srv_ad_acct_retried] (0x0400): Subdomain re-set, will retry lookup
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x1000): Resetting all servers in service ipaad2016.test
(Thu Dec 13 05:29:31 2018) [sssd[be[testrelm.test]]] [be_fo_reset_svc] (0x0080): Cannot retrieve service [ipaad2016.test]
This patch switches to reading the service names from the ad_options and
the sdap_service structures that are contained within ad_options.
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
aaaa9a3e by Jakub Hrozek at 2019-01-28T20:42:41Z
IPA: Add explicit return after tevent_req_error
When working on another patch I realized that we don't use explicit
return after failing a request. This could be potentially fatal as the
code would continue, perhaps with data that is not defined.
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
484b48ff by Alexey Tikhonov at 2019-01-28T20:45:30Z
sss_client/common.c: fix Coverity issue
Usage of
strncpy(nssaddr.sun_path, socket_name, sizeof(nssaddr.sun_path))
1) confuses Coverity due to 3rd argument being equal to sizeof(1st)
2) again zeroes previously zeroed buffer
So replaced with strcpy()
This should be safe due to existing check of sizes.
Resolves:
https://pagure.io/SSSD/sssd/issue/3841
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9959fbe7 by Alexey Tikhonov at 2019-01-28T20:45:34Z
sss_client/common.c: fix off-by-one error in sizes check
`sizeof(nssaddr.sun_path)` being equal to `strlen(socket_name) + 1`
should be fine, not error.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
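
The size check described in the two sss_client/common.c commits above, as an added example that is not the SSSD code. The function name fill_unix_addr() and its return values are assumptions; memcpy() with the already measured length stands in for the strcpy() the commit mentions. A path whose length plus terminator equals sizeof(sun_path) is accepted, and only a longer one is rejected.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: fill a sockaddr_un for `socket_name`.
 * Returns 0 on success, EINVAL for NULL arguments and ENAMETOOLONG when the
 * path plus its terminating NUL does not fit into sun_path. */
int fill_unix_addr(struct sockaddr_un *addr, const char *socket_name)
{
    size_t len;

    if (addr == NULL || socket_name == NULL) return EINVAL;

    len = strlen(socket_name);
    /* len + 1 bytes are copied. len + 1 == sizeof(sun_path) still fits, so
     * the comparison must be '>' here; rejecting the equal case is the
     * off-by-one the second commit describes. */
    if (len + 1 > sizeof(addr->sun_path)) return ENAMETOOLONG;

    /* The whole structure is zeroed once, so no second zero-fill of
     * sun_path is needed when the path is copied. */
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, socket_name, len + 1);   /* includes the NUL */
    return 0;
}

int main(void)
{
    struct sockaddr_un addr;
    char path[sizeof(addr.sun_path) + 1];

    /* Constructed path of exactly sizeof(sun_path) - 1 characters */
    memset(path, 'x', sizeof(path));
    path[0] = '/';
    path[sizeof(addr.sun_path) - 1] = '\0';
    printf("longest fitting path: %d\n", fill_unix_addr(&addr, path));

    /* One character more no longer fits */
    path[sizeof(addr.sun_path) - 1] = 'x';
    path[sizeof(addr.sun_path)] = '\0';
    printf("one byte too long:    %d\n", fill_unix_addr(&addr, path));
    return 0;
}
```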
- - - - -
bc92d36c by Alexey Tikhonov at 2019-01-28T20:48:52Z
sss_client/common.c: comment amended
Amended comment for `make_safe_fd()`
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
6e2df759 by Alexey Tikhonov at 2019-01-28T20:48:59Z
sss_client/nss_services.c: indentation fixed
Fixed indentation (tabs -> spaces) to follow "Coding guidelines"
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
08d5dabc by Alexey Tikhonov at 2019-01-28T20:49:01Z
sss_client/nss_services.c: fixed incorrect mutex usage
Fixed "unlock mutex without previous lock" bug
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
0d96e175 by Alexey Tikhonov at 2019-01-28T20:49:04Z
sss_client: global unexported symbols made static
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
88c0c3fc by Lukas Slebodnik at 2019-01-29T19:55:43Z
sss_cache: Do not fail for missing domains
The conf.db needn't exist (sssd has never been started) and in such a situation
sss_cache failed when trying to invalidate all entries.
There is nothing to invalidate and therefore we are already in state
which we want to achieve with calling sss_cache.
No reason to fail.
Resolves:
https://pagure.io/SSSD/sssd/issue/3919
Merges: https://pagure.io/SSSD/sssd/pull-request/3926
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
325df4ac by Lukas Slebodnik at 2019-01-29T19:55:50Z
intg: Add test for sss_cache & shadow-utils use-case
Related to:
https://pagure.io/SSSD/sssd/issue/3919
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
71475f1e by Lukas Slebodnik at 2019-01-29T19:55:53Z
sss_cache: Do not fail if nothing was cached
It might happen that we have some domains in conf.db but nothing
has been cached yet. sss_cache failed in such situation,
bash-4.4# sss_cache -E
No cache object matched the specified search
bash-4.4# echo $?
2
Because there is nothing to invalidate and so we are already in state
which we want to achieve with calling sss_cache.
There is no reason to fail.
We will still fail for invalidating particular entry. User might have a
typo in the name and should be informed about possible mistake.
bash-4.4# sss_cache -u test_user
No cache object matched the specified search
bash-4.4# echo $?
2
Resolves:
https://pagure.io/SSSD/sssd/issue/3919
Merges: https://pagure.io/SSSD/sssd/pull-request/3926
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
41509468 by Lukas Slebodnik at 2019-01-29T19:55:59Z
test_sss_cache: Add test case for invalidating missing entries
Related to:
https://pagure.io/SSSD/sssd/issue/3919
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9b06c750 by Lukas Slebodnik at 2019-01-29T20:11:11Z
pyhbac-test: Do not use assertEquals
src/tests/pyhbac-test.py:163: DeprecationWarning: Please use assertEqual instead.
self.assertEquals(el.__repr__(), u'<category 0 names [] groups []>')
src/tests/pyhbac-test.py:169: DeprecationWarning: Please use assertEqual instead.
u'<category 1 names [foo] groups [bar, baz]>')
Merges: https://pagure.io/SSSD/sssd/pull-request/3927
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
c4db34c1 by Lukas Slebodnik at 2019-01-29T20:11:14Z
SSSDConfigTest: Do not use assertEquals
src/config/SSSDConfigTest.py:88: DeprecationWarning: Please use assertEqual instead.
self.assertEquals(new_options['debug_level'][0], int)
src/config/SSSDConfigTest.py:91: DeprecationWarning: Please use assertEqual instead.
self.assertEquals(new_options['command'][0], str)
src/config/SSSDConfigTest.py:94: DeprecationWarning: Please use assertEqual instead.
self.assertEquals(new_options['reconnection_retries'][0], int)
+ many more
Merges: https://pagure.io/SSSD/sssd/pull-request/3927
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
769dc244 by Lukas Slebodnik at 2019-01-29T20:11:16Z
SSSDConfig: Fix ResourceWarning unclosed file
/usr/lib64/python3.7/unittest/case.py:763:
ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/sssd-invalid.conf'
mode='r' encoding='UTF-8'>
context = None
ResourceWarning: Enable tracemalloc to get the object allocation traceback
/usr/lib64/python3.7/unittest/case.py:763:
ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/noparse.api.conf'
mode='r' encoding='UTF-8'>
context = None
ResourceWarning: Enable tracemalloc to get the object allocation traceback
Merges: https://pagure.io/SSSD/sssd/pull-request/3927
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
21bba050 by Lukas Slebodnik at 2019-01-29T20:11:18Z
SSSDConfigTest: Remove usage of failUnless
src/config/SSSDConfigTest.py:1855: DeprecationWarning: Please use assertTrue instead.
self.failUnless(domain.get_name() in sssdconfig.list_domains())
src/config/SSSDConfigTest.py:1856: DeprecationWarning: Please use assertTrue instead.
self.failUnless(domain.get_name() in sssdconfig.list_inactive_domains())
src/config/SSSDConfigTest.py:1585: DeprecationWarning: Please use assertTrue instead.
self.failUnless(service.get_name() in sssdconfig.list_services())
Merges: https://pagure.io/SSSD/sssd/pull-request/3927
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
39b3b0e4 by Lukas Slebodnik at 2019-01-29T20:14:30Z
BUILD: Fix condition for building sssd-kcm man page
Merges: https://pagure.io/SSSD/sssd/pull-request/3928
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
f2a327f5 by Lukas Slebodnik at 2019-01-29T20:20:15Z
DIST: Do not use conditional include for template files
We do not use AC_CONFIG_FILES in configure.ac for replacing some values
at configure time because we need to replace them at build time in make.
And because such files are not listed in AC_CONFIG_FILES we need to have
them in the automake variable EXTRA_DIST. And they must not be included
conditionally. We want to have them always in the dist tarball besides. It must
not depend on the configuration of the system which was used for generating
the tarball.
The automake documentation says:
Still, sometimes there are files which must be distributed, but which
are not covered in the automatic rules. These files should be listed
in the EXTRA_DIST variable.
Merges: https://pagure.io/SSSD/sssd/pull-request/3929
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
afd23bd7 by Lukas Slebodnik at 2019-01-29T20:26:42Z
NSS: Do not use deprecated header files
In file included from src/util/cert/nss/cert.c:26:
/usr/include/nss3/key.h:9:9: note: #pragma message: key.h is deprecated. Please include keyhi.h instead.
#pragma message("key.h is deprecated. Please include keyhi.h instead.")
^~~~~~~
Merges: https://pagure.io/SSSD/sssd/pull-request/3930
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
49c13e9a by Alexey Tikhonov at 2019-01-31T21:06:50Z
providers/ldap: abort unsecure authentication requests
Abort LDAP authentication if the connection is not authenticated and
SDAP_DISABLE_AUTH_TLS is off.
Resolves: https://pagure.io/SSSD/sssd/issue/3889
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
53cc1187 by Alexey Tikhonov at 2019-01-31T21:06:53Z
providers/ldap: fixed check of ldap_get_option return value
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a04d088d by Alexey Tikhonov at 2019-01-31T21:06:57Z
providers/ldap: init sasl_ssf in specific case
Set value of sasl ssf if ldap_get_option fails.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
19443883 by Pavel Březina at 2019-02-05T20:56:26Z
sbus: avoid using invalid stack point in SBUS_INTERFACE
SBUS_INTERFACE macros expanded as:
    struct sbus_interface bus =
        ({ sbus_interface(
            "org.freedesktop.DBus",
            ((void *)0),
            (((const struct sbus_method[])
            {
                ({
                    /* ... compile time check of function signature omitted */ ;
                    sbus_method_sync(/* ... full list of params omitted */);
                }),
                ...
This however includes an issue: methods/properties/signals are returned
by value but stored in sbus_interface as pointers. Once we return out
of the top-level block and assign the resulting sbus_interface into the 'bus' variable,
those objects allocated on the stack become invalid and can be overwritten by other
allocations on the stack.
This patch overcomes this issue by changing declaration of SBUS_INTERFACE and
avoiding using this top-level block. This still keeps the declarative structure
and simplifies the code as it does not require any memory handling and
tests for successful allocations.
    const struct sbus_method __ ## varname ## _m[] = methods; \
    const struct sbus_signal __ ## varname ## _s[] = signals; \
    const struct sbus_property __ ## varname ## _p[] = properties; \
    struct sbus_interface varname = SBUS_IFACE_ ## iface( \
        (__ ## varname ## _m), \
        (__ ## varname ## _s), \
        (__ ## varname ## _p) \
    )
Resolves:
https://pagure.io/SSSD/sssd/issue/3924
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
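The lifetime problem described in commit 19443883, as an added example that is not SSSD code: `struct method`, `struct iface`, `make_iface`, `IFACE_BROKEN` and `IFACE` are hypothetical miniatures of the sbus types and macros. The old shape is kept behind `SHOW_BROKEN` for comparison only; the compiled path uses the named-array shape of the fix.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical miniature of the sbus types: the interface stores a POINTER
 * to a sentinel-terminated method table, it does not own a copy. */
struct method { const char *name; int (*handler)(int); };
struct iface  { const char *name; const struct method *methods; };

static struct iface make_iface(const char *name, const struct method *m)
{
    struct iface i = { name, m };
    return i;
}

#ifdef SHOW_BROKEN
/* Shape of the old macro (GNU statement expression). The compound literal is
 * an automatic object of the ({ ... }) block, so its lifetime ends when that
 * block is left: the pointer stored in the result dangles and the stack slot
 * can be reused by later calls. Not compiled by default. */
#define IFACE_BROKEN(ifname, ...) \
    ({ make_iface((ifname), \
           ((const struct method[]){ __VA_ARGS__, { NULL, NULL } })); })
#endif

/* Shape of the fix: the table is a named array declared in the same scope as
 * the interface variable, so pointer and pointee share one lifetime. */
#define IFACE(varname, ifname, ...) \
    const struct method varname ## _m[] = { __VA_ARGS__, { NULL, NULL } }; \
    struct iface varname = make_iface((ifname), (varname ## _m))

static int echo(int v)  { return v; }
static int twice(int v) { return 2 * v; }

/* Look a method up by name and call it; -1 if it is not in the table. */
static int call_method(const struct iface *i, const char *name, int arg)
{
    for (const struct method *m = i->methods; m->name != NULL; m++) {
        if (strcmp(m->name, name) == 0) return m->handler(arg);
    }
    return -1;
}

/* Stack-heavy work between declaring the interface and using it. With the
 * broken macro this is the kind of call that could overwrite the table. */
static int churn(int depth)
{
    volatile char pad[256];
    for (size_t k = 0; k < sizeof(pad); k++) pad[k] = 0x5A;
    return depth > 0 ? churn(depth - 1) + pad[0] : pad[0];
}

int demo_fixed(const char *method, int arg)
{
    IFACE(bus, "org.example.Demo", { "Echo", echo }, { "Twice", twice });
    (void)churn(8);
    return call_method(&bus, method, arg);
}
```

Building the broken shape with AddressSanitizer and `-fsanitize-address-use-after-scope` is one way to have this class of bug reported at run time.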
e185b039 by Pavel Březina at 2019-02-05T20:58:12Z
sbus: improve documentation of SBUS_INTERFACE
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
38ebae7e by Alexey Tikhonov at 2019-02-05T21:01:21Z
sbus/interface: fixed interface copy helpers
In `sbus_method_copy()` and other copy helpers there was code like:
```
copy = talloc_zero_array(mem_ctx, struct sbus_method, count + 1);
memcpy(copy, input, sizeof(struct sbus_method) * count + 1);
```
Copying one byte of the "sentinel" doesn't make sense.
We can either rely on the fact that the sentinel is a zero-initialized struct
*and* `talloc_zero_array()` zero-initializes memory (so copying of the
sentinel may be omitted altogether) or just copy the sentinel as a whole.
Opted for the second option as the clearer variant.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
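The precedence slip described in commit 38ebae7e, as an added example that is not SSSD code: `struct method`, `copy_buggy` and `copy_fixed` are hypothetical stand-ins, and `malloc` replaces talloc. The destination is deliberately filled with 0xAA instead of zeros, so the bytes the copy never reaches stay visible; it assumes a null pointer is all-zero bits.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct sbus_method: arrays of it end with an
 * all-zero sentinel element. */
struct method {
    const char *name;
    const char *signature;
};

/* Number of real elements before the sentinel. */
static size_t method_count(const struct method *m)
{
    size_t n = 0;
    while (m[n].name != NULL) n++;
    return n;
}

/* Allocate count + 1 elements, poisoned with 0xAA rather than zeroed, so a
 * zeroing allocator cannot hide bytes the copy leaves untouched. */
static struct method *alloc_poisoned(size_t count)
{
    size_t bytes = sizeof(struct method) * (count + 1);
    struct method *copy = malloc(bytes);
    if (copy != NULL) memset(copy, 0xAA, bytes);
    return copy;
}

/* Original form: "* count + 1" copies count elements plus ONE BYTE. */
struct method *copy_buggy(const struct method *in)
{
    size_t count = method_count(in);
    struct method *copy = alloc_poisoned(count);
    if (copy != NULL) memcpy(copy, in, sizeof(struct method) * count + 1);
    return copy;
}

/* Fixed form: "* (count + 1)" copies the sentinel as a whole element. */
struct method *copy_fixed(const struct method *in)
{
    size_t count = method_count(in);
    struct method *copy = alloc_poisoned(count);
    if (copy != NULL) memcpy(copy, in, sizeof(struct method) * (count + 1));
    return copy;
}

/* 1 if the element at index count is a complete all-zero sentinel. */
int sentinel_intact(const struct method *copy, size_t count)
{
    static const struct method zero;
    return memcmp(&copy[count], &zero, sizeof(zero)) == 0;
}

/* Constructed sample input: two methods and the terminating sentinel. */
const struct method sample[] = {
    { "Ping", "" }, { "Echo", "s" }, { NULL, NULL }
};
```

With a zeroing allocator both forms produce the same bytes, which is why the original passed unnoticed; the copy then terminates only because of the allocator, not because of the `memcpy`.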
bb98486f by Jakub Hrozek at 2019-02-05T21:03:10Z
MULTIHOST: Do not use the deprecated namespace
This issue was causing warnings with the current pytest versions as
installed from pip.
See:
https://docs.pytest.org/en/latest/deprecations.html#pytest-namespace
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>
- - - - -
ee9fdb08 by Tomas Halman at 2019-02-05T21:13:40Z
SSSCTL: user-checks does not show custom attributes
"sssctl user-checks" also queries the IFP interface of sssd. The problem
is that this command only displays POSIX user attrs, no matter if we
configured the InfoPipe for additional user attributes.
With this patch additional attributes are also printed out.
Resolves:
https://pagure.io/SSSD/sssd/issue/3866
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2de3c5fb by Lukas Slebodnik at 2019-02-05T21:38:57Z
sss_cache: Fail if unknown domain is passed in parameter
If sss_cache is called with --domain parameter we should fail
in case of unknown domain. It might be a typo and user should know
about such case.
Resolves:
https://pagure.io/SSSD/sssd/issue/3919
Merges: https://pagure.io/SSSD/sssd/pull-request/3940
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
159a2316 by Lukas Slebodnik at 2019-02-05T21:39:00Z
test_sss_cache: Add test case for wrong domain in parameter
Related to:
https://pagure.io/SSSD/sssd/issue/3919
Merges: https://pagure.io/SSSD/sssd/pull-request/3940
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7133c7fc by Lukas Slebodnik at 2019-02-05T21:42:36Z
Remove macro ZERO_STRUCT
It was used in just a few places and we directly call memset in many
other places
[~/sssd]$ git grep memset | grep sizeof | wc -l
97
Merges: https://pagure.io/SSSD/sssd/pull-request/3941
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
334950e4 by Jakub Hrozek at 2019-02-08T14:02:43Z
KCM: Return a valid tevent error code if a request cannot be created
Previously we were returning whatever was in 'ret' which is wrong,
typically it would have been EOK as returned from a previous successful
call or even an uninitialized value.
Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Simo Sorce <simo at redhat.com>
- - - - -
7c441a13 by Jakub Hrozek at 2019-02-08T14:02:52Z
KCM: Allow representing ccaches with a NULL principal
Related:
https://pagure.io/SSSD/sssd/issue/3873
We need to make it possible to create an internal ccache representation
without passing in a principal. The principal is only assigned to the
ccache with krb5_cc_initialize(), but some programs like openssh use the
following sequence of calls:
krb5_cc_new_unique
krb5_cc_switch
krb5_cc_initialize
Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Simo Sorce <simo at redhat.com>
- - - - -
d0eae059 by Jakub Hrozek at 2019-02-08T14:03:01Z
KCM: Create an empty ccache on switch to a non-existing one
Related:
https://pagure.io/SSSD/sssd/issue/3873
We need to make it possible to create an internal ccache representation
without passing in a principal. The principal is only assigned to the
ccache with krb5_cc_initialize(), but some programs like openssh use the
following sequence of calls:
cc = krb5_cc_new_unique
krb5_cc_switch(cc)
krb5_cc_initialize(cc, principal)
Since switch changes the default ccache, we create a 'dummy' ccache with
krb5_cc_switch() and then the initialize call just fills in the details.
Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
ac95d4f0 by Jakub Hrozek at 2019-02-08T14:03:08Z
TESTS: Add a multihost test for ssh credentials forwarding
Related:
https://pagure.io/SSSD/sssd/issue/3873
Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Simo Sorce <simo at redhat.com>
- - - - -
3eb99a17 by Sumit Bose at 2019-02-10T20:20:14Z
PAM: use user name hint if any domain has set it
When using multiple domains the user name hint should be shown even if
only one domain has set the flag to have a consistent user experience.
Currently this would only be related to logins with GDM and activated
GDM Smartcard plugin.
Related to https://pagure.io/SSSD/sssd/issue/3949
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
12f74f8c by Alexey Tikhonov at 2019-02-10T20:22:53Z
lib/cifs_idmap_sss: fixed unaligned mem access
Fixed following warning:
```
lib/cifs_idmap_sss/cifs_idmap_sss.c: In function ‘sss_sid_to_id’:
lib/cifs_idmap_sss/cifs_idmap_sss.c:221:47: warning: taking address
of packed member of ‘struct cifs_uxid’ may result in an unaligned
pointer value [-Waddress-of-packed-member]
err = sss_nss_getidbysid(sid, (uint32_t *)&cuxid->id.uid, &id_type);
```
Actually there are two issues:
1) Packed `cifs_uxid::id.uid` may be unaligned thus generating run time
error on some architectures (as compiler complains);
2) In theory size of `uid_t` may be different than size of `uint32_t`
thus resulting in corruption of `cifs_uxid` content.
Proposed patch is not ideal due to `(uid_t)uid` cast but solves most
of the issues with minimal effort. Proper solution would require patching of
`sss_nss_getidbysid()` and all underlying functions for no good reason.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
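The temporary-variable pattern that commit 12f74f8c describes, as an added example that is not the SSSD patch itself: `struct uxid` and `lookup_id_by_sid` are hypothetical stand-ins for `struct cifs_uxid` and `sss_nss_getidbysid()`, and the SID in the test is constructed. The round-trip range check goes beyond what the commit message states.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical packed record shaped like the one in the warning: the id
 * union sits at offset 1, so it is not aligned for a 4-byte access. */
struct __attribute__((packed)) uxid {
    uint8_t type;
    union { uid_t uid; gid_t gid; } id;
};

/* Hypothetical stand-in for sss_nss_getidbysid(): it writes its result
 * through a plain uint32_t pointer and therefore expects an aligned one.
 * Here the id is simply the last component of the SID string. */
static int lookup_id_by_sid(const char *sid, uint32_t *id_out)
{
    const char *rid = strrchr(sid, '-');
    char *end = NULL;
    unsigned long v;

    if (rid == NULL || rid[1] == '\0') return EINVAL;
    errno = 0;
    v = strtoul(rid + 1, &end, 10);
    if (*end != '\0') return EINVAL;
    if (errno != 0 || v > UINT32_MAX) return ERANGE;
    *id_out = (uint32_t)v;
    return 0;
}

/* Warned-about form (comment only):
 *     lookup_id_by_sid(sid, (uint32_t *)&out->id.uid);
 * passes a possibly unaligned pointer and assumes uid_t is 32 bits wide. */
int sid_to_uxid(const char *sid, struct uxid *out)
{
    uint32_t id = 0;                     /* naturally aligned local */
    int err = lookup_id_by_sid(sid, &id);

    if (err != 0) return err;
    /* Refuse values that a narrower uid_t could not represent. */
    if ((uint32_t)(uid_t)id != id) return ERANGE;

    out->type = 1;
    /* Direct member assignment: the compiler knows the member is packed and
     * emits a store that is safe at this offset. */
    out->id.uid = (uid_t)id;
    return 0;
}
```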
d409df33 by Jakub Hrozek at 2019-02-10T20:28:22Z
MAN: Add sssd-files(5) to the See Also section
Resolves:
https://pagure.io/SSSD/sssd/issue/3936
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
e32920a9 by Sumit Bose at 2019-02-16T21:52:09Z
utils: make N_ELEMENTS public
The calculation of the size of an array is used in the main code as
well, so it makes sense to move N_ELEMENTS to a common header to use it
more often.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
e1ff063f by Sumit Bose at 2019-02-16T21:52:15Z
ad: replace ARRAY_SIZE with N_ELEMENTS
ARRAY_SIZE is taken from the Samba header file memory.h which is not
available as a public header in newer Samba versions anymore. This patch
replaces it with an internal macro.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d575d85c by Alexey Tikhonov at 2019-02-16T22:05:26Z
Util: fixed mistype in error string representation
Resolves: https://pagure.io/SSSD/sssd/issue/3916
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
138059b2 by Pavel Březina at 2019-02-16T22:14:46Z
ci: add Fedora Rawhide
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
05c6ed55 by Jakub Hrozek at 2019-02-16T22:18:29Z
TESTS: Add a simple integration test for retrieving the extraAttributes property
Related:
https://pagure.io/SSSD/sssd/issue/3906
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>
- - - - -
e1755a00 by Tomas Halman at 2019-02-16T22:21:43Z
ssh: sssd_ssh fails completely on p11_child timeout
When p11_child fails or timeout is reached, ssh login fails.
With this patch sssd_ssh proceeds to ssh key and password login.
Resolves:
https://pagure.io/SSSD/sssd/issue/3937
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
52c83361 by Tomas Halman at 2019-02-16T22:21:50Z
ssh: p11_child error message is too generic
We have only one error code for p11_child error. With this patch
new error ERR_P11_CHILD_TIMEOUT is introduced. It is then used
for better log message.
Resolves:
https://pagure.io/SSSD/sssd/issue/3937
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
938dd6c1 by mateusz at 2019-02-16T22:25:12Z
Added note about default value of ad_gpo_map_batch parameter
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
85e36308 by Thorsten Scherf at 2019-02-20T20:46:09Z
CONFIG: add missing ldap attributes for validation
https://pagure.io/SSSD/sssd/issue/3961
This patch adds missing 'ldap_host_*' attributes for config validation.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
bc65ba9a by Victor Tapia at 2019-02-26T21:45:37Z
GPO: Allow customization of GPO_CROND per OS
For both Debian and Ubuntu, the cron PAM service is named "cron" instead
of "crond", denying the use of the service by default.
This patch enables the HAVE_$OS (HAVE_DEBIAN/HAVE_FEDORA...) macros to select
the service name during build, allowing further customization if required.
Resolves:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
c0136434 by Sumit Bose at 2019-02-26T21:47:53Z
responder: fix domain lookup refresh timeout
Currently the timeout to check for new domains is reset whenever there
is a request with an unknown domain name. If those requests happen more
than once a minute (the default timeout) the timeout is always reset
before it can expire and as a result the domain list is never refreshed.
If SSSD starts offline with an empty domain list the NSS responder might
never be able to resolve sub-domain users or groups even if the backend
has switched to the online state and already refreshed the domain list.
Related to https://pagure.io/SSSD/sssd/issue/3967
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
eaece8b2 by Sumit Bose at 2019-02-26T21:52:30Z
ldap: add get_ldap_conn_from_sdom_pvt
Related:
https://pagure.io/SSSD/sssd/issue/2474
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
b2352a01 by Sumit Bose at 2019-02-26T21:52:35Z
ldap: prefer LDAP port during initgroups user lookup
The first step of an initgroups request is to lookup the user. When
using the AD provider the Global Catalog will be the preferred source.
But not all LDAP attributes of the user might be replicated to the
Global Catalog and as a result some of the missing attributes might be
removed from the cached user object.
Related to https://pagure.io/SSSD/sssd/issue/2474
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
3cb9a3db by Sumit Bose at 2019-02-26T21:52:36Z
ldap: user get_ldap_conn_from_sdom_pvt() where possible
Currently when trying to prefer LDAP port lookups over Global Catalog
searches some AD specific structs are needed in the common LDAP
provider code. By using get_ldap_conn_from_sdom_pvt() this can be
avoided and all AD specific details are handled inside
sdap_async_initgroups_ad.c now.
Related to https://pagure.io/SSSD/sssd/issue/2474
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
05350abd by Sumit Bose at 2019-02-26T21:58:38Z
krb5_locator: always use port 88 for master KDC
If the kpasswdinfo file exists and the found IP address includes a port
number as well the master KDC lookup will use this port number which is
most probably wrong. Better use the default port 88 always for master
KDC lookups.
This patch also updates the man page for the locator plugin which was
quite outdated.
Related to https://pagure.io/SSSD/sssd/issue/3958
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9ad7173e by Alexey Tikhonov at 2019-02-26T22:07:42Z
TESTS: fixed bug in guests startup function
`start-guest()` function always started `client` machine ignoring
supplied argument.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
713e4f92 by Jakub Hrozek at 2019-02-26T22:09:12Z
TESTS: Don't fail when trying to create an OU that already exists
If a fixture that creates an OU was used twice, the second invocation
would fail, because the OU already exists. This patch ignores the
already exists error when adding an OU.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
686a8f5f by Lukas Slebodnik at 2019-02-26T22:16:50Z
test_files_provider: Do not use pytest fixtures as functions
test_files_provider.py::test_getpwnam_after_start
src/tests/intg/test_files_provider.py:344: RemovedInPytest4Warning:
Fixture "passwd_ops_setup" called directly. Fixtures are not meant
to be called directly, are created automatically when test functions
request them as parameters.
See https://docs.pytest.org/en/latest/fixture.html for more information.
src/tests/intg/test_files_provider.py:362: RemovedInPytest4Warning:
Fixture "group_ops_setup" called directly. Fixtures are not meant
to be called directly, are created automatically when test functions
request them as parameters.
See https://docs.pytest.org/en/latest/fixture.html for more information.
return setup_gr_with_list(request, [GROUP1, CANARY_GR])
Resolves:
https://pagure.io/SSSD/sssd/issue/3942
Merges: https://pagure.io/SSSD/sssd/pull-request/3953
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
948cd08c by Lukas Slebodnik at 2019-02-26T22:16:55Z
test_ldap: Do not uses pytest fixtures as functions
test_ldap.py::test_local_negative_timeout_enabled_by_default
/usr/lib/python3.7/site-packages/_pytest/fixtures.py:827:
RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly.
Fixtures are not meant to be called directly, are created
automatically when test functions request them as parameters. See
https://docs.pytest.org/en/latest/fixture.html for more information.
res = fixturefunc(**kwargs)
/usr/lib/python3.7/site-packages/_pytest/fixtures.py:827:
RemovedInPytest4Warning: Fixture "group_ops_setup" called directly.
Fixtures are not meant to be called directly, are created
automatically when test functions request them as parameters. See
https://docs.pytest.org/en/latest/fixture.html for more information.
res = fixturefunc(**kwargs)
/usr/lib/python3.7/site-packages/_pytest/fixtures.py:827:
RemovedInPytest4Warning: Fixture "user_and_group_rfc2307" called directly.
Fixtures are not meant to be called directly, are created
automatically when test functions request them as parameters. See
https://docs.pytest.org/en/latest/fixture.html for more information.
Resolves:
https://pagure.io/SSSD/sssd/issue/3942
Merges: https://pagure.io/SSSD/sssd/pull-request/3953
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
57734633 by Lukas Slebodnik at 2019-02-26T22:22:17Z
Revert "intg: Generate tmp dir with lowercase"
This reverts commit 929bb1170931d7aafac4dc0572ce18747c919a56.
It is already fixed in upstream.
Combination of python-urllib3-1.24 and python-requests-2.19
works well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3276
Merges: https://pagure.io/SSSD/sssd/pull-request/3952
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
54d7175d by Lukas Slebodnik at 2019-02-26T22:25:10Z
ent_test: Update assertions for python 3.7.2
pwd and grp modules return different string in KeyError
since python 3.7.2
sh-4.4$ python3 --version
Python 3.7.1
sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");'
Traceback (most recent call last):
File "<string>", line 1, in <module>
KeyError: 'getgrnam(): name not found: non-exist'
sh-4.4$ python3 --version
Python 3.7.2
sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");'
Traceback (most recent call last):
File "<string>", line 1, in <module>
KeyError: "getgrnam(): name not found: 'non-exist'"
Merges: https://pagure.io/SSSD/sssd/pull-request/3951
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ffd7536d by Pavel Březina at 2019-02-27T18:44:58Z
sbus: terminated active ongoing request when reconnecting
Connection to the remote dbus server was lost. If there are any outgoing
requests they are waiting for a pretty long timeout. During this timeout
we kept chaining even new requests that come after successful reconnection
and these requests were waiting for the timeout to occur as well because
they were chained to requests that started before reconnection.
Now, we terminate all active outgoing requests that have a key associated
so we can immediately start sending new requests.
Resolves:
https://pagure.io/SSSD/sssd/issue/3907
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
6a8e906e by Jakub Hrozek at 2019-02-27T19:04:20Z
Updating translations for the 2.1 release
- - - - -
3aee2b3a by Jakub Hrozek at 2019-02-27T19:11:12Z
Updating the version for the 2.1.0 release
- - - - -
41820e4f by Timo Aaltonen at 2019-05-27T09:04:22Z
Merge tag 'sssd-1_16_4' into exp
Tagging the 1.16.4 release
- - - - -
33090ef0 by Timo Aaltonen at 2019-05-27T09:04:35Z
Merge branch 'experimental' into exp
- - - - -
0540daf4 by Timo Aaltonen at 2019-05-27T09:05:46Z
bump the version
- - - - -
8622e22d by Timo Aaltonen at 2019-05-27T09:55:49Z
fix changelog whitespace
- - - - -
488c638d by Timo Aaltonen at 2019-05-27T09:59:43Z
sssd-tools.install: Local domain support is deprecated and not built by default anymore, so drop the files.
- - - - -
c0156c40 by Timo Aaltonen at 2019-05-27T10:09:56Z
control, sssd-common.install: Secrets responder is dropped, deprecated.
- - - - -
63551dbf by Timo Aaltonen at 2019-05-27T10:10:26Z
control: Add ldap-utils to build-depends, tests need it.
- - - - -
78d54632 by Timo Aaltonen at 2019-05-27T10:34:56Z
sssd-common.install: Add new internal libs for iface/sbus.
- - - - -
32bd5773 by Timo Aaltonen at 2019-05-27T10:39:25Z
fix-whitespace-test.diff: Fix ignoring the debian dir.
- - - - -
fc016d58 by Timo Aaltonen at 2019-05-27T10:55:37Z
rules: Update the clean target.
- - - - -
74e0e0d4 by Timo Aaltonen at 2019-05-27T10:55:44Z
releasing package sssd version 2.1.0-1
- - - - -
18 changed files:
- + Jenkinsfile
- Makefile.am
- configure.ac
- contrib/ci/deps.sh
- contrib/ci/sssd.supp
- contrib/sssd.spec.in
- + contrib/test-suite/README.md
- + contrib/test-suite/run-client.sh
- + contrib/test-suite/run.sh
- debian/changelog
- debian/control
- + debian/patches/fix-whitespace-test.diff
- debian/patches/series
- debian/rules
- debian/sssd-common.install
- debian/sssd-tools.install
- po/POTFILES.in
- po/bg.po
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/0f5034094c829aa0e66374e20c774d32336c8293...74e0e0d4142b7fc7645c0f7a4bb32268a43db689