[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 143 commits: Updating the version for the 2.2.1 release
Timo Aaltonen
gitlab at salsa.debian.org
Wed Sep 18 13:30:42 BST 2019
Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd
Commits:
3ee29f4b by Jakub Hrozek at 2019-06-13T20:51:30Z
Updating the version for the 2.2.1 release
Reviewed-by: N/A
- - - - -
6839e672 by Alexey Tikhonov at 2019-06-17T10:59:34Z
util/crypto/libcrypto: changed sss_hmac_sha1()
Changed libcrypto/sss_hmac_sha1 implementation to be FIPS140 compliant.
Resolves: https://pagure.io/SSSD/sssd/issue/4022
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
0b210838 by Niranjan M.R at 2019-06-17T18:37:10Z
TESTS: Test kvno correctly displays vesion numbers of principals
Multihost tests for: https://pagure.io/SSSD/sssd/issue/3757.
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
1ea7e770 by Pavel Březina at 2019-06-18T19:29:32Z
ci: disable timeout
There is a bug in jenkins [1] which causes to include the time a job is
waiting for an available executor is added to the complete execution time.
As a consequence a job may time out without actually started because it
did not get the executor in time.
Therefore we disable the timeout completely. We can abort it manually if
a job hangs for some reason. The job always finished so far but many jobs
were aborted because they were waiting for an executor for a long time.
[1] https://issues.jenkins-ci.org/browse/JENKINS-46569
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
2a53df35 by Jakub Hrozek at 2019-06-18T19:31:49Z
TESTS: Install expect to drive password-change modifications
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>
- - - - -
71ae2eda by Jakub Hrozek at 2019-06-18T19:32:18Z
TESTS: Also add LDAP password when creating users
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>
- - - - -
7ad11b28 by Jakub Hrozek at 2019-06-18T19:32:21Z
TESTS: Test changing LDAP password with extended operation and modification
A test for:
https://pagure.io/SSSD/sssd/issue/1314
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>
- - - - -
6925b9cd by Yuri Chornoivan at 2019-06-18T19:37:57Z
Fix minor typos in docs
Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
- - - - -
01ea70fa by Tomas Halman at 2019-06-20T18:33:59Z
MAN: ldap_user_home_directory default missing
The default value of "ldap_user_home_directory" is "homeDirectory"
but for AD provider it is "unixHomeDirectory"
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1673443
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
dfa50c21 by Jakub Hrozek at 2019-06-20T18:36:36Z
TEST: Add a multihost test for not returning / for an empty home dir
A multihost test for:
https://pagure.io/SSSD/sssd/issue/3901
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>
- - - - -
0a10d863 by Jakub Hrozek at 2019-06-25T20:09:07Z
MONITOR: Don't check for the nscd socket while regenerating configuration
https://pagure.io/SSSD/sssd/issue/4028
In setups where only sssd-kcm is used and not the rest of SSSD, seeing
the nscd warning might be irritating.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
ee23b8e3 by Alexey Tikhonov at 2019-06-25T20:14:17Z
util/crypto/libcrypto: changed sss_hmac_sha1()
Implementation of sss_hmac_sha1() was changed (again) to support
broader range of OpenSSL versions.
Resolves: https://pagure.io/SSSD/sssd/issue/4026
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
- - - - -
e7e212b4 by Sumit Bose at 2019-06-25T20:18:49Z
negcache: add fq-usernames of know domains to all UPN neg-caches
The previous patch for this issue did not handle user with
fully-qualified names from known domains correctly. Here the user was
only added to the negative cache of the known domain but not to the
negative UPN caches for all domains. This patch fixes this.
Related to https://pagure.io/SSSD/sssd/issue/3978
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
e1b678c0 by Lukas Slebodnik at 2019-06-28T14:51:23Z
PROXY: Return data in output parameter if everything is OK
The function remove_duplicate_group_members might return EOK also in the middle
of function but return parameter was not set with right data.
Processing continued in the function save_group but there was a
dereference of NULL pointer.
Introduced in: https://pagure.io/SSSD/sssd/issue/3931
Crash:
(gdb) bt
#0 0x00007fb4ce4a9ac5 in save_group (sysdb=sysdb at entry=0x55c9a0efb230, dom=dom at entry=0x55c9a0efb420, grp=grp at entry=0x55c9a0f370f0, real_name=0x55c9a0f47340 "nobody at ldap",
alias=alias at entry=0x0) at src/providers/proxy/proxy_id.c:748
#1 0x00007fb4ce4aa600 in get_gr_gid (mem_ctx=mem_ctx at entry=0x55c9a0f38be0, sysdb=sysdb at entry=0x55c9a0efb230, dom=dom at entry=0x55c9a0efb420, gid=99, now=<optimized out>,
ctx=<optimized out>) at src/providers/proxy/proxy_id.c:1160
#2 0x00007fb4ce4ac9e5 in get_initgr_groups_process (pwd=0x55c9a0f384a0, pwd=0x55c9a0f384a0, dom=0x55c9a0efb420, sysdb=0x55c9a0efb230, ctx=0x55c9a0f048e0, memctx=0x55c9a0f38be0)
at src/providers/proxy/proxy_id.c:1553
#3 get_initgr (i_name=<optimized out>, dom=0x55c9a0efb420, sysdb=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1461
#4 proxy_account_info (domain=0x55c9a0efb420, be_ctx=<optimized out>, data=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1659
#5 proxy_account_info_handler_send (mem_ctx=<optimized out>, id_ctx=0x55c9a0f048e0, data=<optimized out>, params=0x55c9a0f39790) at src/providers/proxy/proxy_id.c:1758
#6 0x000055c99fc67677 in file_dp_request (_dp_req=<synthetic pointer>, req=0x55c9a0f39470, request_data=<optimized out>, dp_flags=1, method=DPM_ACCOUNT_HANDLER, target=DPT_ID,
name=<optimized out>, domainname=0x55c9a0f39190 "LDAP", provider=0x55c9a0efe0e0, mem_ctx=<optimized out>) at src/providers/data_provider/dp_request.c:250
#7 dp_req_send (mem_ctx=0x55c9a0f37b60, provider=provider at entry=0x55c9a0efe0e0, domain=domain at entry=0x55c9a0f39190 "LDAP", name=<optimized out>, target=target at entry=DPT_ID,
method=method at entry=DPM_ACCOUNT_HANDLER, dp_flags=dp_flags at entry=1, request_data=0x55c9a0f37c00, _request_name=0x55c9a0f37b60) at src/providers/data_provider/dp_request.c:295
#8 0x000055c99fc6a132 in dp_get_account_info_send (mem_ctx=<optimized out>, ev=0x55c9a0eddbc0, sbus_req=<optimized out>, provider=0x55c9a0efe0e0, dp_flags=1,
entry_type=<optimized out>, filter=0x55c9a0f358d0 "name=nobody at ldap", domain=0x55c9a0f39190 "LDAP", extra=0x55c9a0f354a0 "") at src/providers/data_provider/dp_target_id.c:528
#9 0x00007fb4da35265b in _sbus_sss_invoke_in_uusss_out_qus_step (ev=0x55c9a0eddbc0, te=<optimized out>, tv=..., private_data=<optimized out>) at src/sss_iface/sbus_sss_invokers.c:2847
#10 0x00007fb4d9cfb1cf in tevent_common_invoke_timer_handler () from /lib64/libtevent.so.0
#11 0x00007fb4d9cfb339 in tevent_common_loop_timer_delay () from /lib64/libtevent.so.0
#12 0x00007fb4d9cfc2f9 in epoll_event_loop_once () from /lib64/libtevent.so.0
#13 0x00007fb4d9cfa7b7 in std_event_loop_once () from /lib64/libtevent.so.0
#14 0x00007fb4d9cf5b5d in _tevent_loop_once () from /lib64/libtevent.so.0
#15 0x00007fb4d9cf5d8b in tevent_common_loop_wait () from /lib64/libtevent.so.0
#16 0x00007fb4d9cfa757 in std_event_loop_wait () from /lib64/libtevent.so.0
#17 0x00007fb4dd955ac3 in server_loop (main_ctx=0x55c9a0edf090) at src/util/server.c:724
#18 0x000055c99fc59760 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:747
(gdb) l
(gdb) bt
#0 0x00007fb4ce4a9ac5 in save_group (sysdb=sysdb at entry=0x55c9a0efb230, dom=dom at entry=0x55c9a0efb420, grp=grp at entry=0x55c9a0f370f0, real_name=0x55c9a0f47340 "nobody at ldap",
alias=alias at entry=0x0) at src/providers/proxy/proxy_id.c:748
#1 0x00007fb4ce4aa600 in get_gr_gid (mem_ctx=mem_ctx at entry=0x55c9a0f38be0, sysdb=sysdb at entry=0x55c9a0efb230, dom=dom at entry=0x55c9a0efb420, gid=99, now=<optimized out>,
ctx=<optimized out>) at src/providers/proxy/proxy_id.c:1160
#2 0x00007fb4ce4ac9e5 in get_initgr_groups_process (pwd=0x55c9a0f384a0, pwd=0x55c9a0f384a0, dom=0x55c9a0efb420, sysdb=0x55c9a0efb230, ctx=0x55c9a0f048e0, memctx=0x55c9a0f38be0)
at src/providers/proxy/proxy_id.c:1553
#3 get_initgr (i_name=<optimized out>, dom=0x55c9a0efb420, sysdb=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1461
#4 proxy_account_info (domain=0x55c9a0efb420, be_ctx=<optimized out>, data=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1659
#5 proxy_account_info_handler_send (mem_ctx=<optimized out>, id_ctx=0x55c9a0f048e0, data=<optimized out>, params=0x55c9a0f39790) at src/providers/proxy/proxy_id.c:1758
#6 0x000055c99fc67677 in file_dp_request (_dp_req=<synthetic pointer>, req=0x55c9a0f39470, request_data=<optimized out>, dp_flags=1, method=DPM_ACCOUNT_HANDLER, target=DPT_ID,
name=<optimized out>, domainname=0x55c9a0f39190 "LDAP", provider=0x55c9a0efe0e0, mem_ctx=<optimized out>) at src/providers/data_provider/dp_request.c:250
#7 dp_req_send (mem_ctx=0x55c9a0f37b60, provider=provider at entry=0x55c9a0efe0e0, domain=domain at entry=0x55c9a0f39190 "LDAP", name=<optimized out>, target=target at entry=DPT_ID,
method=method at entry=DPM_ACCOUNT_HANDLER, dp_flags=dp_flags at entry=1, request_data=0x55c9a0f37c00, _request_name=0x55c9a0f37b60) at src/providers/data_provider/dp_request.c:295
#8 0x000055c99fc6a132 in dp_get_account_info_send (mem_ctx=<optimized out>, ev=0x55c9a0eddbc0, sbus_req=<optimized out>, provider=0x55c9a0efe0e0, dp_flags=1,
entry_type=<optimized out>, filter=0x55c9a0f358d0 "name=nobody at ldap", domain=0x55c9a0f39190 "LDAP", extra=0x55c9a0f354a0 "") at src/providers/data_provider/dp_target_id.c:528
#9 0x00007fb4da35265b in _sbus_sss_invoke_in_uusss_out_qus_step (ev=0x55c9a0eddbc0, te=<optimized out>, tv=..., private_data=<optimized out>) at src/sss_iface/sbus_sss_invokers.c:2847
#10 0x00007fb4d9cfb1cf in tevent_common_invoke_timer_handler () from /lib64/libtevent.so.0
#11 0x00007fb4d9cfb339 in tevent_common_loop_timer_delay () from /lib64/libtevent.so.0
#12 0x00007fb4d9cfc2f9 in epoll_event_loop_once () from /lib64/libtevent.so.0
#13 0x00007fb4d9cfa7b7 in std_event_loop_once () from /lib64/libtevent.so.0
#14 0x00007fb4d9cf5b5d in _tevent_loop_once () from /lib64/libtevent.so.0
#15 0x00007fb4d9cf5d8b in tevent_common_loop_wait () from /lib64/libtevent.so.0
#16 0x00007fb4d9cfa757 in std_event_loop_wait () from /lib64/libtevent.so.0
#17 0x00007fb4dd955ac3 in server_loop (main_ctx=0x55c9a0edf090) at src/util/server.c:724
#18 0x000055c99fc59760 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:747
(gdb) l
733 ret = remove_duplicate_group_members(tmp_ctx, grp, &ngroup);
734 if (ret != EOK) {
735 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to remove duplicate group member s\n");
736 goto done;
737 }
738
739 DEBUG_GR_MEM(SSSDBG_TRACE_LIBS, ngroup);
740
741 ret = sysdb_transaction_start(sysdb);
742 if (ret != EOK) {
743 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
744 goto done;
745 }
746 in_transaction = true;
747
748 if (ngroup->gr_mem && ngroup->gr_mem[0]) {
749 attrs = sysdb_new_attrs(tmp_ctx);
750 if (!attrs) {
751 DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n");
752 ret = ENOMEM;
(gdb) p ngroup
$1 = (struct group *) 0x0
743 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
744 goto done;
745 }
746 in_transaction = true;
747
748 if (ngroup->gr_mem && ngroup->gr_mem[0]) {
749 attrs = sysdb_new_attrs(tmp_ctx);
750 if (!attrs) {
751 DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n");
752 ret = ENOMEM;
(gdb) p ngroup
$1 = (struct group *) 0x0
Merges: https://pagure.io/SSSD/sssd/pull-request/4036
Resolves:
https://pagure.io/SSSD/sssd/issue/4037
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
2c965b04 by Tomas Halman at 2019-07-03T20:10:18Z
pcre: port to pcre2
Some distributions want to drop pcre support. Sssd should work with
pcre2. With this patch sssd tries to use pcre2 if pcre is not present.
Resolves:
https://pagure.io/SSSD/sssd/issue/3833
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d2adfcf5 by Tomas Halman at 2019-07-03T20:12:30Z
CACHE: SSSD doesn't clear cache entries
Once object is in cache it is refreshed when it is expired and
requested by the system. Object ID is not checked before refresh,
but config parameter ldap_(min|max)_id could be changed by admin.
We should check object ID and not refresh objects outside min/max
ID interval.
Resolves:
https://pagure.io/SSSD/sssd/issue/3905
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
e8e0f407 by Alexey Tikhonov at 2019-07-03T20:14:46Z
util/secrets: memory leaks are fixed
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
8aa0dfdf by Alexey Tikhonov at 2019-07-03T20:15:34Z
util/crypto/nss/nss_nite: params sanitization
- `key` params made const
- added omitted sanity checks of pointer params
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
d603d34a by Alexey Tikhonov at 2019-07-03T20:15:47Z
crypto/libcrypto/crypto_nite: HMAC calculation changed
Changed HMAC calculation to make it consistent with
https://pagure.io/SSSD/sssd/issue/4026
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
e232a98a by Alexey Tikhonov at 2019-07-05T10:16:38Z
util/find_uid.c: fixed debug message
Fixed wrong debug message in check_if_uid_is_active()
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
0897be2a by Alexey Tikhonov at 2019-07-05T10:16:40Z
util/find_uid.c: fixed race condition bug
It was wrong to return EOK from get_uid_from_pid() in case of failed
open() or fstat() as this leaves `uid` uninitialized and no means
for caller to detect this situation.
There was no reason to fail get_active_uid_linux() completely in case
of failed get_uid_from_pid() for one of /proc entries. Function was
changed to continue with next entry instead.
Resolves: https://pagure.io/SSSD/sssd/issue/2854
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
39686a58 by Michal Židek at 2019-07-05T10:24:56Z
TESTS: ldb-tools and sssd-tools are required for multihost tests
Some of the test do use ldbsearch and sssd-tools.
Resolves:
https://pagure.io/SSSD/sssd/issue/3894
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
2d657dff by Tomas Halman at 2019-07-05T10:26:13Z
LDAP: failover does not work on non-responsive ldaps
In case ldaps:// is used, then establishing the secure socket is
a sychronous operation. If there's nothing on the other end, then
the process would be stuck waiting in for the crypto library
to finish.
Here we set socket read/write timeout so the operation can finish
in reasonable time with an error. The ldap_network_timeout
option is used for this timeout.
Resolves:
https://pagure.io/SSSD/sssd/issue/2878
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
db99504a by Jakub Hrozek at 2019-07-05T10:33:12Z
SYSDB: Add sysdb_search_with_ts_attr
Adds a new public sysdb call sysdb_search_with_ts_attr() that allows to
search on the timestamp cache attributes, but merge back persistent
cache attributes. The converse also works, when searching the persistent
cache the timestamp attributes or even entries matches only in the
timestamp cache are merged.
What does not work is AND-ed complex filter that contains both
attributes from the timestamp cache and the persistent cache because
the searches use the same filter, which doesn't match. We would need to
decompose the filter ourselves.
Because matching and merging the results can be time-consuming, two
flags are provided:
SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER that only searches the timestamp
cache, but merges back the corresponding entries from the persistent
cache
SYSDB_SEARCH_WITH_TS_ONLY_SYSDB_FILTER that only searches the
persistent cache but merges back the attributes from the timestamp
cache
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f2795529 by Jakub Hrozek at 2019-07-05T10:33:19Z
BE: search with sysdb_search_with_ts_attr
Previously, the background refresh code had used sysdb_search_entry()
which does not run the search on the timestamp cache. Instead, this
patch changes to using sysdb_search_with_ts_attr with the
SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER optimization because currently only
the dataExpireTimestamp attribute is included in the filter.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
1a08b53d by Jakub Hrozek at 2019-07-05T10:33:23Z
BE: Enable refresh for multiple domains
Descend into subdomains on back end refresh and make sure to start from
users again.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
bb0bd61a by Jakub Hrozek at 2019-07-05T10:33:26Z
BE: Make be_refresh_ctx_init set up the periodical task, too
This is mostly a preparatory patch that rolls in setting up the ptask
into be_refresh_ctx_init. Since in later patches we will call
be_refresh_ctx_init from several different places, this will prevent
code duplication.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9d49c90c by Jakub Hrozek at 2019-07-05T10:33:28Z
BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end
Since later patches will pass different parameters to
be_refresh_ctx_init(), let's call the init function in the provider
libraries not directly in the back end.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d1eb0a70 by Jakub Hrozek at 2019-07-05T10:33:31Z
BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME
In later patches, we will implement refreshes for AD or IPA which might
refresh objects that do not have a name yet, but always do have a different
attribute, like a SID or a uniqueID. In this case, it's better to use that
different attribute instead of name.
This patch allows the caller to tell the refresh module which attribute
to use.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
41305ef5 by Jakub Hrozek at 2019-07-05T10:33:34Z
BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx
It is a bit odd that a caller to a be_ function would set a property of
be_ctx. IMO it is cleaner if the function has a side-effect and sets the
property internally and rather returns errno.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ac72bb4a by Jakub Hrozek at 2019-07-05T10:33:37Z
BE/LDAP: Split out a helper function from sdap_refresh for later reuse
Every refresh request will send a similar account_req. Let's split out
the function that creates the account_req into a reusable one.
Also removes the type string as it was only used in DEBUG messages and
there is already a function in the back end API that provides the same
functionality.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2cb294e6 by Jakub Hrozek at 2019-07-05T10:33:40Z
BE: Pass in filter_type when creating the refresh account request
For refreshing AD users and groups, we'll want to create a request by
SID, for all other requests we'll want to create a request by name. This
patch allows parametrizing the request creation by the caller.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
7443498c by Jakub Hrozek at 2019-07-05T10:33:42Z
BE: Send refresh requests in batches
As we extend the background refresh into larger domains, the amount of
data that SSSD refreshes on the background might be larger. And
refreshing all expired entries in a single request might block sssd_be
for a long time, either triggering the watchdog or starving other
legitimate requests.
Therefore the background refresh will be done in batches of 200 entries.
The first batch of every type (up to 200 users, up to 200 groups, ...)
will be scheduled imediatelly and subsequent batches with a 0.5 second
delay.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
0fbc317a by Jakub Hrozek at 2019-07-05T10:33:46Z
BE: Extend be_ptask_create() with control when to schedule next run after success
Related: https://pagure.io/SSSD/sssd/issue/4012
be_ptask_create() used to always schedule the next periodical run
"period" seconds after the previous run started. This is great for tasks
that are short-lived like DNS updates because we know they will be
executed really with the configured period.
But the background refresh task can potentially take a very long time in
which case the next run could have been scheduled almost immediately and
as a result sssd_be would always be quite busy. It is better to have the
option to schedule the next task period seconds after the last run has
finished. This can lead to some inconsistency, but we can warn the
admin about that.
This patch so far does not change any of the existing calls to
be_ptask_create(), just adds BE_PTASK_SCHEDULE_FROM_LAST as an
additional parameter.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
576f3691 by Jakub Hrozek at 2019-07-05T10:33:48Z
BE: Schedule the refresh interval from the finish time of the last run
Related: https://pagure.io/SSSD/sssd/issue/4012
Changes scheduling the periodical task so that the next run is started
relative to the previous run finish time, not start time to protect
against cases where the refresh would take too long and run practically
all the time.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b72adfcc by Jakub Hrozek at 2019-07-05T10:33:52Z
AD: Implement background refresh for AD domains
Split out the actual useful functionality from the AD account handler
into a tevent request. This tevent request is then subsequently used by
a new ad_refresh module.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d76756ef by Jakub Hrozek at 2019-07-05T10:33:54Z
IPA: Implement background refresh for IPA domains
Split out the actual useful functionality from the IPA account lookup
handler into a tevent request. This tevent request is then used in a new
ipa_refresh module.
Related:
https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
1d0e75e9 by Jakub Hrozek at 2019-07-05T10:33:57Z
BE/IPA/AD/LDAP: Add inigroups refresh support
Related: https://pagure.io/SSSD/sssd/issue/4012
In addition to refreshing users, groups and netgroups, this patch adds
the ability to also refresh initgroups. The refresh is ran for any users
that have the initgrExpireTimestamp attribute close to expiration.
This request is ran as the first one, because the initgroups operation
refreshes the user entry and can touch groups as well.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
79223509 by Jakub Hrozek at 2019-07-05T10:33:59Z
BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication
Related: https://pagure.io/SSSD/sssd/issue/4012
This patch slightly increases the line count, but on the other hand the
code is now more declarative and contains less logic, which should
hopefully decrease the maintenance cost in the future.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
60c876ae by Jakub Hrozek at 2019-07-05T10:34:02Z
IPA/AD/SDAP/BE: Generate refresh callbacks with a macro
Related: https://pagure.io/SSSD/sssd/issue/4012
The per-object type refresh functions are more or less boilerplate code.
Even though macro-generated code should be used very rarely, here the
generated code does not contain any logic at all so it makese sense to
generate it with macros.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
039384b8 by Jakub Hrozek at 2019-07-05T10:34:04Z
MAN: Amend the documentation for the background refresh
Related: https://pagure.io/SSSD/sssd/issue/4012
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
7a08d1de by Jakub Hrozek at 2019-07-05T10:34:07Z
DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function
Related: https://pagure.io/SSSD/sssd/issue/4012
Because the initgroups request can, especially in the case of IPA provider
with trusts, contain several sub-requests that run some provider-specific
initgroups internally and then run post-processing AND because at the same
time concurrent requests in the responder need to be sure that the
initgrExpireTimestamp is only increased when the initgroups request is
really done, we only set the initgrExpireTimestamp in the DP when the
request finishes.
This means, the background refresh task needs to also set the
initgrExpireTimestamp attribute on its own as well. This patch so far
splits the helper function into a reusable one so it can later be used
by the background refresh.
For examples of the bugs caused by the initgrTimestamp being set before
the whole multi-step operation finishes, please see tickets #3744
or #2634.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
cdc44a05 by Jakub Hrozek at 2019-07-05T10:34:11Z
IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request
Related: https://pagure.io/SSSD/sssd/issue/4012
Calls sysdb_set_initgr_expire_timestamp() after each successfull refresh
of initgroups data to make sure the initgrExpireTimestamp attribute is
increased.
If you're wondering why the timestamp is not set by the initgroups operation
itself, see tickets #3744 or #2634 for examples of bugs caused by setting
the initgrExpireTimestamp too soon.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8be1a0e8 by Alexey Tikhonov at 2019-07-15T11:52:00Z
util/crypto: removed erroneous declaration
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
e839acd1 by Alexey Tikhonov at 2019-07-15T11:52:07Z
util/crypto/sss_crypto.c: cleanup of includes
Removed unneeded include of config.h and added includes for open()
and error codes according to the man page.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
9f4b7d9f by Alexey Tikhonov at 2019-07-15T11:52:10Z
util/crypto: generate_csprng_buffer() changed
1) generate_csprng_buffer() is renamed to sss_generate_csprng_buffer()
to make util/crypto API more consistent
2) its implementation became dependant on crypto backend being used
3) in case of libcrypto backend RAND_bytes() is used instead of
direct access to "/dev/urandom"
Relates: https://pagure.io/SSSD/sssd/issue/4024
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
93d0aba5 by Alexey Tikhonov at 2019-07-15T11:52:13Z
util/crypto: added sss_rand()
Introduced `sss_rand()` wrapper to be used in project sources in every
applicable case where "raw" rand()/etc are used now.
Relates: https://pagure.io/SSSD/sssd/issue/4024
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
bfc02ea2 by Alexey Tikhonov at 2019-07-15T11:52:16Z
crypto/libcrypto/crypto_nite.c: memory leak fixed
Fixed leaking of memory in case of failure in `sss_encrypt()` function.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
548ea574 by Alexey Tikhonov at 2019-07-15T11:52:18Z
FIPS140 compliant usage of PRNG
Calls to `rand()`, "/dev/urandom", etc are replaced with
appropriate wrappers from `util/crypto`.
Resolves: https://pagure.io/SSSD/sssd/issue/4024
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
1f528861 by Alexey Tikhonov at 2019-07-15T13:24:18Z
crypto/nss: some nss_ctx_init() params made const
This patch fixes compilation issues introduced in 8aa0dfd :
as `key` parameter of sss_encrypt() and sss_decrypt() became const,
changes in signature of nss_ctx_init() were required to follow up.
For more details see https://github.com/SSSD/sssd/pull/846
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
8d64e9f5 by Sam Morris at 2019-07-15T19:56:45Z
build: fix detection of systemd.pc
Related: https://pagure.io/SSSD/sssd/issue/4043
A typo prevents systemd.pc from being detected, in turn this means
HAVE_SYSTEMD is never set, responders are built without socket
activation support and the monitor never notifies systemd that it is
ready.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
8f22e795 by Pavel Březina at 2019-07-16T15:00:30Z
ci: switch to new tooling and remove 'Read trusted files' stage
The 'Read trusted files' stage was removed because all scripts are
now being executed on client machines so there is no point to prohibit
modification.
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
209edb3e by Pavel Březina at 2019-07-16T15:00:33Z
ci: rebase pull request on the target branch
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
230de12b by Pavel Březina at 2019-07-16T15:00:37Z
ci: print node on which the test is being run
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
6815844d by Pavel Březina at 2019-07-18T09:02:01Z
sudo: use proper datetime for default modifyTimestamp value
The current default was simply "1", however OpenLDAP server was unable
to compare modifyTimestamp attribute to simple number. A proper datetime
is required by OpenLDAP.
It worked correctly on 389-ds.
Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that sudo smart refresh uses `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of proper datetime value)
The minimum accepted value by OpenLDAP is 00000101000000Z, as both month and day can not be zero.
Resolves:
https://pagure.io/SSSD/sssd/issue/4046
- - - - -
ff8284e2 by Alex Rodin at 2019-07-22T18:28:23Z
tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait()
Switching from tevent_loop_once() to tevent_loop_wait() as the bug was fixed https://bugzilla.samba.org/show_bug.cgi?id=10012
Resolves: https://pagure.io/SSSD/sssd/issue/3962
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
15cc1e40 by Tomas Halman at 2019-07-22T18:30:34Z
CONFDB: Files domain if activated without .conf
Implicit files domain gets activated when no sssd.conf present
and sssd is started. This does not respect --disable-files-domain
configure option
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1713352
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
31e08f30 by Tomas Halman at 2019-07-22T18:31:07Z
TESTS: adapt tests to enabled default files domain
Some tests expect that SSSD is compiled with --enable-files-domain
option (test_no_sssd_conf). But having this enabled by default
breaks some other tests.
This patch adds --enable-files-domain to test build and explicitly
disables the domain in configuration of some tests (ldap, enumeration).
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1713352
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
7f0a8f50 by Sumit Bose at 2019-07-22T18:33:24Z
p11_child: prefer better digest function if card supports it
To improve FIPS compliance and security in general p11_child now checks
which message digest functions (hashes) are support for RSA keys and
tries to use the highest bit length supported.
For EC keys sha512 is used unconditionally.
Related to https://pagure.io/SSSD/sssd/issue/4039
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
60748f69 by Sumit Bose at 2019-07-22T18:33:29Z
p11_child: fix a memory leak and other memory mangement issues
EVP_MD_CTX_create() was called without matching EVP_MD_CTX_destroy().
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
06479a1d by Samuel Cabrero at 2019-07-31T19:49:14Z
nss: Fix command 'endservent' resetting wrong struct member
Resolves:
https://pagure.io/SSSD/sssd/issue/4050
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5b235bbd by Tomas Halman at 2019-07-31T19:52:44Z
BE: Introduce flag for be_ptask_create
The be_ptask_create has already too many parameters. Lets have flags
parameter to avoid future extending.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
1c752189 by Tomas Halman at 2019-07-31T19:52:50Z
BE: Convert be_ptask params to flags
The be_ptask_create call has a lot of parameters.
Some of them can be converted to flags to simplify
the declaration.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
f2c69a67 by Tomas Halman at 2019-07-31T19:52:52Z
DYNDNS: dyndns_update is not enough
When dyndns_update is set to True and dyndns_refresh_interval is
not set or set to 0, DNS is not updated at all.
With this patch DNS is updated when sssd changes its state to
online.
If dyndns_refresh_interval is set, updates are performed as
before - i. e. when comming online and then every
dyndns_refresh_interval.
Resolves:
https://pagure.io/SSSD/sssd/issue/4047
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
b1ea33ec by Pavel Březina at 2019-07-31T19:55:14Z
systemd: add Restart=on-failure to sssd.service
Resolves:
https://pagure.io/SSSD/sssd/issue/4040
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
7b4635c8 by Pavel Březina at 2019-07-31T19:59:04Z
man: fix description of dns_resolver_op_timeout
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
3807de1d by Pavel Březina at 2019-07-31T19:59:10Z
man: fix description of dns_resolver_timeout
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
99e2a107 by Pavel Březina at 2019-07-31T19:59:12Z
failover: add dns_resolver_server_timeout option
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
e97ff0ad by Pavel Březina at 2019-07-31T19:59:15Z
failover: change default timeouts
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
049f3906 by Pavel Březina at 2019-07-31T19:59:17Z
config: add dns_resolver_op_timeout to option list
Resolves:
https://pagure.io/SSSD/sssd/issue/3217
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8cdb0b40 by Timo Aaltonen at 2019-08-01T14:40:37Z
default-to-socket-activated-services.diff: Don't enable eany services when run without a conffile.
- - - - -
db46cd08 by Jakub Jelen at 2019-08-07T16:25:56Z
pam_sss: Add missing colon to the PIN prompt
This can be noticed in the sudo prompt, when the system is configured
to authenticate users using smart cards.
Resolves: Pagure#4049
Signed-off-by: Jakub Jelen <jjelen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
e9091aba by Sumit Bose at 2019-08-07T17:07:02Z
pam: make sure p11_child.log has the right permissions
If SSSD runs a unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
8119ee21 by Sumit Bose at 2019-08-07T17:07:32Z
ssh: make sure p11_child.log has the right permissions
If SSSD runs a unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
9339c445 by Sumit Bose at 2019-08-07T17:07:36Z
BE: make sure child log files have the right permissions
If SSSD runs a unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.
Related to https://pagure.io/SSSD/sssd/issue/4056
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ca02a20c by Jakub Hrozek at 2019-08-07T18:54:51Z
MAN: Get rid of sssd-secrets reference
Related:
https://pagure.io/SSSD/sssd/issue/3685
There were some stray references to the secrets responder in the
sssd-kcm manual page.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
84eca2e8 by Jakub Hrozek at 2019-08-07T18:54:57Z
MAN: Document that it is enough to systemctl restart sssd-kcm.service lately
Related:
https://pagure.io/SSSD/sssd/issue/3862
We forgot to amend the man page after implementing the sssd-kcm service
reload.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
f74b9786 by Jakub Hrozek at 2019-08-07T18:55:00Z
SECRETS: Use different option names from secrets and KCM for quota options
Related:
https://pagure.io/SSSD/sssd/issue/3386
With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.
With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.
For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
940002ca by Jakub Hrozek at 2019-08-07T18:55:04Z
SECRETS: Don't limit the global number of ccaches
Related:
https://pagure.io/SSSD/sssd/issue/3386
In the KCM context, the global number of ccaches would limit the number
of users who can store their ccaches in the KCM deamon.
In more detail, the options have the following semantics with KCM:
- DEFAULT_SEC_KCM_MAX_SECRETS - global number of secrets, would
cover both how many ccaches can a user store, but this is better
served with DEFAULT_SEC_KCM_MAX_UID_SECRETS
- DEFAULT_SEC_KCM_MAX_UID_SECRETS - how many 'principals' can a user
kinit with
- DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE - the payload size of service
tickets
With the above in mind, I think the most important limits are
max_uid_secrets to limit and the payload size to constraint how much
space can a user occupy and it doesn't make much sense to limit the
global quota.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
f00db73d by Jakub Hrozek at 2019-08-07T18:55:07Z
KCM: Pass confdb context to the ccache db initialization
Resolves:
https://pagure.io/SSSD/sssd/issue/3386
The libsecrets back end needs to read the quota options from confdb,
therefore it needs to know the section and access the confdb handle.
These parameters are unused for other ccache back end types, but they
are harmless and IMO it makes more sense to keep the ccache back end
abstract.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
f024b5e4 by Jakub Hrozek at 2019-08-07T18:55:11Z
KCM: Configurable quotas for the secdb ccache back end
Related:
https://pagure.io/SSSD/sssd/issue/3386
Exposes three new options for the [kcm] responder to set the global
ccache limit, the per-uid ccache limit and the payload size.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
247aa480 by Jakub Hrozek at 2019-08-07T18:55:15Z
TESTS: Add tests for the configurable quotas
Related:
https://pagure.io/SSSD/sssd/issue/3386
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
ba01db0d by Sumit Bose at 2019-08-07T19:11:14Z
utils: remove unused prototype (cert_to_ssh_key)
This is a leftover from a previous cleanup done in the context of
https://pagure.io/SSSD/sssd/issue/3489.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
a97ec73e by Sumit Bose at 2019-08-07T19:11:27Z
utils: move parse_cert_verify_opts() into separate file
parse_cert_verify_opts() is only used by p11_child, so it makes sense to
move the sources nearer together. The related test is still in
test_utils but it can be split out as well if there are more p11_child
related unit tests.
Related to https://pagure.io/SSSD/sssd/issue/4032
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
ad9dd137 by Sumit Bose at 2019-08-07T19:11:31Z
p11_child: make OCSP digest configurable
Currently sha1 is used to create the certid for an OCSP request. Since
sha1 is not recommend for new applications anymore and not FIPS
compliant this patch changes the default to sha256 and makes the digest
function configurable as well.
Related to https://pagure.io/SSSD/sssd/issue/4032
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
5574de0f by Sumit Bose at 2019-08-14T12:09:30Z
pam: fix loop in Smartcard authentication
If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.
Related to https://pagure.io/SSSD/sssd/issue/4051
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
- - - - -
41da9ddf by Jakub Hrozek at 2019-08-14T12:11:18Z
Don't qualify users from files domain when default_domain_suffix is set
Resolves:
https://pagure.io/SSSD/sssd/issue/4052
The files domain should always be non-qualified. The usual rules like
qualification of all domains except the one set with
default_domain_suffix should not apply.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
b35d88eb by Michal Židek at 2019-08-15T00:54:27Z
Update the translations for the 2.2.1 release
- - - - -
4bc34227 by Michal Židek at 2019-08-15T10:57:33Z
Bumping the version to track the 2.2.2 development
- - - - -
820151f3 by Jakub Hrozek at 2019-08-18T21:09:17Z
MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8
Resolves:
https://pagure.io/SSSD/sssd/issue/3932
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
815957cd by Pavel Březina at 2019-08-23T15:13:20Z
ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb
If previously enabled subdomain was disabled by removing it from ad_enabled_domains
option in sssd.conf, its cached content (including the domain object itself)
was kept in sysdb. Therefore eventhough the domain was effectively disabled in
backed its cached data was still available in responders.
Subdomains that are disabled on server side are correctly removed from sysdb in
`ad_subdomains_refresh()` so this issue is related only to the configuration
option.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
7a03e998 by Pavel Březina at 2019-08-23T15:13:56Z
sysdb: add sysdb_domain_set_enabled()
This will be used in subsequent patches to disable subdomains.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6882bc5f by Pavel Březina at 2019-08-23T15:14:01Z
ad: set enabled=false attribute for subdomains that no longer exists
Only forest root domain needs to be disabled because it has to be available
for other tasks. All other non-root domains are removed from cache completely
so it does not make sense for them.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d278704d by Pavel Březina at 2019-08-23T15:14:05Z
sysdb: read and interpret domain's enabled attribute
Disable domain if its sysdb object has enabled=false.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
c7e6530d by Pavel Březina at 2019-08-23T15:14:10Z
sysdb: add sysdb_list_subdomains()
To list all cached subdomains names.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d0bdaabb by Pavel Březina at 2019-08-23T15:14:13Z
ad: remove all subdomains if only master domain is enabled
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b3c35421 by Pavel Březina at 2019-08-23T15:14:17Z
ad: make ad_enabled_domains case insensitive
The rest of the code that works with ad_enabled_domains options
is case insensitive so we rather should be consistent.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f19f8e6b by Tomas Halman at 2019-08-23T15:40:55Z
SERVER: Receving SIGSEGV process on shutdown
There is race condition when dynamic libraries are unloaded. Talloc
library calls our destructors but they still need openssl calls
which might be not available.
Solution is to free explicitely memory context and trigger
destructors before calling exit(). In this PR the SIGTERM
handler is moved from individual providers to generel
backend code.
Also generic server code is changed to explicitely free
memory context when signal is received.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1672584
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
c2e24df4 by Jakub Hrozek at 2019-08-23T15:46:36Z
IPA: Allow paging when fetching external groups
For some reason (I guess a mistake during refactoring..) the LDAP search
request that fetches the external groups does not enable the paging
control. This means that the number of external groups that SSSD can
fetch is limited to 2000.
Resolves: https://pagure.io/SSSD/sssd/issue/4058
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
c580c76a by Jakub Hrozek at 2019-08-23T16:38:32Z
KCM: Use int32_t type conversion in DEBUG message for int32_t variable
The KDC offset is stored as int32_t, but a DEBUG message in KCM was using
an uint32_t. This lead to confusion as it appeared that the offset does
not work.
Resolves:
https://pagure.io/SSSD/sssd/issue/4063
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
8e1f6734 by Pavel Březina at 2019-08-23T16:45:28Z
ci: use python2 version of pytest
Fedora 31 changed symlink of /usr/bin/py.test from pytest2 to pytest3.
We need to run the python2 version in order to run our tests with python2.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
498a230e by Pavel Březina at 2019-08-23T16:45:50Z
ci: pep8 was renamed to pycodestyle in Fedora 31
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
e989620b by Sumit Bose at 2019-08-23T16:51:09Z
pam: keep pin on the PAM stack for forward_pass
Currently only the password or the long-term part of a two-factor
authentication was kept on the PM stack if pam_sss.so has the option
forward_pass. With this patch the Smartcard PIN can be forwarded to
other PAM modules as well.
Related https://pagure.io/SSSD/sssd/issue/4067
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
6e759010 by Sumit Bose at 2019-08-23T18:04:38Z
pam: do not accept empty PIN
The current check for an empty PIN was incomplete and if no PIN was
given pam_sss should not send a request to SSSD's pam responder. This
would match the behavior if a user name hint should be requested as
well.
Related to: https://pagure.io/SSSD/sssd/issue/4068
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
94597008 by Sumit Bose at 2019-08-23T18:04:59Z
pam: user PAM return codes where expected
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
5dccf76a by Sumit Bose at 2019-08-23T18:14:07Z
pam: set PAM_USER properly with allow_missing_name
Currently if the allow_missing_name pam_sss option is used PAM_USER is
set to the fully-qualified name only for the files provider it is set to
the short name. This might cause issue with other components expecting
that the value of PAM_USER corresponds to the name returned by the nss
calls getpwnam() and getpwuid().
With this patch PAM_USER is set to the same user name as returned by the
NSS responder. For the communication between pam_sss and SSSD's PAM
responder the fully-qualified name is kept.
Related to https://pagure.io/SSSD/sssd/issue/4069
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7fcd0a70 by Tomas Halman at 2019-08-23T18:19:34Z
BE: Invalid oprator used in condition
There is wrong binary or used in condition. We have to use & here
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1744134
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7129979b by Pavel Březina at 2019-08-23T19:20:58Z
ci: remove left overs from previous rebase
If previous run of a PR failed to rebase, the code was left in rebase
in progress and was not correctly overwritten by new changes in the
patches.
Reviewed-by: Tomas Halman <thalman at redhat.com>
- - - - -
e7b7edea by Sumit Bose at 2019-08-23T19:39:30Z
Revert "SERVER: Receving SIGSEGV process on shutdown"
This reverts commit f19f8e6b917e77d5d2bfdedc78e5669b522ea265.
- - - - -
a9669683 by Tomas Halman at 2019-08-29T14:32:49Z
SERVER: Receving SIGSEGV process on shutdown
There is race condition when dynamic libraries are unloaded. Talloc
library calls our destructors but they still need openssl calls
which might be not available.
Solution is to free explicitely memory context and trigger
destructors before calling exit(). In this PR the SIGTERM
handler is moved from individual providers to generel
backend code.
Also generic server code is changed to explicitely free
memory context when signal is received.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1672584
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f9b589a4 by Pavel Březina at 2019-08-30T10:44:56Z
sudo: do not update last usn value on rules refresh
Refreshing specific rules may produce a higher usn value that the one
that is already remembered if the rules changed on the server. However,
there may be another rule that is not being refreshed which usn value
is higher then the current value but lower then the value of some of the
refreshed rules. If the highest usn value is updated in this case, the
rule would not be found be smart refresh.
Thus we must not update the usn value during rules refresh.
Resolves:
https://pagure.io/SSSD/sssd/issue/3996
Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>
- - - - -
6b057002 by Jakub Hrozek at 2019-08-30T14:36:41Z
KCM: Add a forgotten return
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
f5f7f26a by Jakub Hrozek at 2019-08-30T14:36:41Z
KCM: Allow modifications of ccache's principal
Related:
https://pagure.io/SSSD/sssd/issue/4017
This patch will be useful to fix credential delegation.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
0216bfe2 by Jakub Hrozek at 2019-08-30T14:36:41Z
KCM: Fill empty cache, do not initialize a new one
Related:
https://pagure.io/SSSD/sssd/issue/4017
openssh uses this sequence of calls:
gen_new()
switch()
initialize()
What happened before was that if there was already some cache, gen_new
would create a new empty cache, then switch would set it as the default.
But then, during the initialize call, the cache that used to be the
default was deleted, another one created and used as the default. This
meant. Afterwards, KCM would store the credentials in the previous
cache, which would no longer be the default.
The logic behind was that KCM didn't anticipate the client generating
the new and setting the default on its own.
Reviewed-by: Michal Židek <mzidek at redhat.com>
- - - - -
18611d70 by Pavel Březina at 2019-09-03T13:41:21Z
ifp: let cache_req parse input name so it can fallback to upn search
UPN search expects that the input name is in its fully qualified form.
However, GetUserAttr calls cache_req with unqualified username therefore
it never fallback to UPN search.
Steps to reproduce:
1. Configure SSSD against AD
2. Set UPN to `TestUserUPN at ad.vm`
3. Run:
```
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:TestUserUPN at ad.vm array:string:name
Error sbus.Error.NotFound: No such file or directory
```
Resolves:
https://pagure.io/SSSD/sssd/issue/4065
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
078ed8db by Lukas Slebodnik at 2019-09-05T08:38:04Z
BUILD: Add macro for checking python3 modules
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
b262a7b8 by Lukas Slebodnik at 2019-09-05T08:38:04Z
BUILD: Fix typo of detecting python module for intgcheck
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
e7d1c152 by Lukas Slebodnik at 2019-09-05T08:38:04Z
BUILD: Move checking of python2 modules for intgcheck
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
87e97bb0 by Lukas Slebodnik at 2019-09-05T08:38:04Z
BUILD: Add macro for checking pytest for intgcheck
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
b0ad6860 by Lukas Slebodnik at 2019-09-05T08:38:04Z
BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS
It will simplify detection in following patches
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
4378d949 by Lukas Slebodnik at 2019-09-05T08:38:04Z
BUILD: Move python checks for intgcheck to macro
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
05aad030 by Lukas Slebodnik at 2019-09-05T08:38:04Z
INTG: Do hot hardcode version of python/pytest in intgcheck
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
0e1346b9 by Lukas Slebodnik at 2019-09-05T08:38:04Z
BUILD: Prefer python3 for intgcheck
Samba 4.11.0 dropped support for python2 and thus it was also
dropped from samba related libraries (ldb ...)
which is required by integration tests
Merges: https://pagure.io/SSSD/sssd/pull-request/4075
Resolves:
https://pagure.io/SSSD/sssd/issue/4074
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
5dc86be0 by Lukas Slebodnik at 2019-09-05T08:38:04Z
intg: Install python3 dependencies for intgcheck on new distros
Samba 4.11.0 dropped support for python3 and thus it was also
dropped from samba related libraries (ldb ...)
which is required by integration tests
Merges: https://pagure.io/SSSD/sssd/pull-request/4075
Resolves:
https://pagure.io/SSSD/sssd/issue/4074
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
d625308c by Lukas Slebodnik at 2019-09-05T08:43:51Z
pyhbac: Fix warning Wdiscarded-qualifiers
The macro PyDoc_STRVAR changed in python 3.8
and it defined variable with const modifier
src/python/pyhbac.c: In function ‘PyInit_pyhbac’:
src/python/pyhbac.c:1948:25: warning: passing argument 2 of
‘sss_exception_with_doc’ discards ‘const’ qualifier from pointer
target type [-Wdiscarded-qualifiers]
1948 | HbacError__doc__,
| ^~~~~~~~~~~~~~~~
In file included from src/python/pyhbac.c:27:
./src/util/sss_python.h:33:1: note: expected ‘char *’ but argument
is of type ‘const char *’
33 | sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict);
| ^~~~~~~~~~~~~~~~~~~~~~
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
0610618b by Lukas Slebodnik at 2019-09-05T08:43:51Z
test_pam_responder: Fix unicore error
Use raw strings instead; other alternative would be to escepe backslash
E File "/home/build/sssd/src/tests/intg/test_pam_responder.py", line 647
E assert err.find("pam_authenticate for user [auth_only\user1]: " +
E ^
E SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 36-37: truncated \uXXXX escape
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
f10530b3 by Lukas Slebodnik at 2019-09-05T08:43:51Z
SSSDConfig: Add minimal test for parse method
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
be3588bd by Lukas Slebodnik at 2019-09-05T08:43:51Z
SSSDConfig: Fix SyntaxWarning "is not" with a literal
There is a warning with python 3.8
/usr/lib/python3.8/site-packages/SSSDConfig/ipachangeconf.py:399:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
if len(sectopts) is not 0:
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
bce896fe by Lukas Slebodnik at 2019-09-05T08:43:51Z
TESTS: Add minimal test for pysss encrypt
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
618014f4 by Lukas Slebodnik at 2019-09-05T08:43:51Z
pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN
src/tests/pysss-test.py:73: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
val1 = obfuscator.encrypt("123", obfuscator.AES_256)
These were introduced by https://bugs.python.org/issue36381 to warn about
an upcoming Python C API change. The meaning of PY_SSIZE_T_CLEAN is described
in https://python.readthedocs.io/en/stable/c-api/arg.html#strings-and-buffers.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
a946d134 by Lukas Slebodnik at 2019-09-05T08:43:51Z
pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN
src/tests/pysss_murmur-test.py:93: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed)
src/tests/pysss_murmur-test.py:96: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed)
These were introduced by https://bugs.python.org/issue36381 to warn about
an upcoming Python C API change. The meaning of PY_SSIZE_T_CLEAN is described
in https://python.readthedocs.io/en/stable/c-api/arg.html#strings-and-buffers.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
f3529bed by Lukas Slebodnik at 2019-09-05T08:43:51Z
test_pam_responder: Fix DeprecationWarning invalid escape sequence
test_pam_responder.py:151
src/tests/intg/test_pam_responder.py:151: DeprecationWarning: invalid escape sequence \%
return unindent("""\
Merges: https://pagure.io/SSSD/sssd/pull-request/4076
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
629416d8 by Lukas Slebodnik at 2019-09-05T08:43:51Z
testlib: Fix SyntaxWarning "is" with a literal
Reviewed-by: Pavel Březina <pbrezina at redhat.com>\
- - - - -
f52eadd3 by Michal Židek at 2019-09-12T12:09:23Z
Update the translations for the 2.2.2 release
- - - - -
4a806a09 by Timo Aaltonen at 2019-09-18T08:37:19Z
Merge branch 'upstream'
- - - - -
7bd3c922 by Timo Aaltonen at 2019-09-18T08:38:45Z
bump the version
- - - - -
826f9baf by Timo Aaltonen at 2019-09-18T08:38:59Z
fix a typo
- - - - -
4962e457 by Timo Aaltonen at 2019-09-18T09:53:29Z
fix-have-systemd.diff: Dropped, upstream.
- - - - -
89c01192 by Timo Aaltonen at 2019-09-18T09:53:51Z
default-to-socket-activated-services.diff: Refreshed.
- - - - -
16dbcf0e by Timo Aaltonen at 2019-09-18T09:56:09Z
signing-key: Add key from Michal Židek.
- - - - -
27763874 by Timo Aaltonen at 2019-09-18T11:46:39Z
Get rid of all old pre/postinst file removal fluff, since that's all obsolete by now.
- - - - -
1cb1934d by Timo Aaltonen at 2019-09-18T12:25:37Z
Drop python2 support. (Closes: #938566)
- - - - -
33fe794c by Timo Aaltonen at 2019-09-18T12:28:58Z
releasing package sssd version 2.2.2-1
- - - - -
28 changed files:
- Jenkinsfile
- Makefile.am
- configure.ac
- contrib/ci/deps.sh
- contrib/ci/run
- contrib/ci/sssd.supp
- contrib/test-suite/README.md
- − contrib/test-suite/run-client.sh
- − contrib/test-suite/run.sh
- + contrib/test-suite/test-suite.yml
- debian/changelog
- debian/control
- debian/patches/default-to-socket-activated-services.diff
- − debian/patches/fix-have-systemd.diff
- debian/patches/series
- − debian/python-libipa-hbac.install
- − debian/python-libsss-nss-idmap.install
- − debian/python-sss.install
- debian/rules
- − debian/sssd-ad-common.postinst
- debian/sssd-common.postinst
- debian/sssd-common.preinst
- − debian/sssd-dbus.postinst
- − debian/sssd.maintscript
- debian/upstream/signing-key.asc
- po/bg.po
- po/ca.po
- po/cs.po
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/7f7eb45b835c9a286082dce009e3915378718cb9...33fe794c915e367025ba231369375f2072eb3bd6
--
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/compare/7f7eb45b835c9a286082dce009e3915378718cb9...33fe794c915e367025ba231369375f2072eb3bd6
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-sssd-devel/attachments/20190918/b9679d03/attachment-0001.html>
More information about the Pkg-sssd-devel
mailing list