[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 89 commits: Update version in version.m4 to track the next release.

Timo Aaltonen gitlab at salsa.debian.org
Tue Jul 28 15:51:43 BST 2020



Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd


Commits:
169ddae3 by Pavel Březina at 2020-05-19T13:10:34+02:00
Update version in version.m4 to track the next release.

- - - - -
391b9c5e by Thomas Reim at 2020-05-21T10:44:12+02:00
Minor fix in ad_access.c out of memory check

Wrong tevent request used for out-of-memory check.

Fixes https://github.com/SSSD/sssd/issues/5167

Signed-off-by: Thomas Reim <reimth at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
02fbf47a by vinay mishra at 2020-05-21T10:51:49+02:00
Replaced 'enter' with 'insert'

Resolves: https://github.com/SSSD/sssd/issues/5164

Signed-off-by: vinay mishra <vmishra at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
aac4dbb1 by Sumit Bose at 2020-05-21T10:54:31+02:00
NSS client: preserve errno during _nss_sss_end* calls

glibc does not expect that errno is changed by some of the calls
provided by nss modules. This caused issues at least when
_nss_sss_endpwent() is called in compat mode. According to
https://pubs.opengroup.org/onlinepubs/9699919799/functions/endpwent.html
endpwent() should only set errno in the case of an error. Since there is
no other way to report an error we will set errno in the case of an
error but preserve it otherwise. This should cause no issues because
glibc is taking precautions as well, tracked by
https://sourceware.org/bugzilla/show_bug.cgi?id=25976.

To be on the safe side the other _nss_sss_end* calls will show the same
behavior.

Resolves: https://github.com/SSSD/sssd/issues/5153

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
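The errno discipline described in the commit above, as an added example written for this page (not SSSD's code): a toy NSS-style *end() entry point in the naive form that clobbers the caller's errno on its success path, beside the form that saves errno on entry and only overwrites it when an error is actually reported. The connection descriptor, the function names and the scenarios are assumptions for the demonstration; the status values are a stand-alone copy of glibc's `enum nss_status`.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Status values modelled on glibc's enum nss_status (copied here as an
 * assumption so the file compiles without <nss.h>). */
enum nss_status {
    NSS_STATUS_UNAVAIL = -1,
    NSS_STATUS_SUCCESS = 1
};

/* Hypothetical module state: descriptor of an open connection, -1 if none. */
static int conn_fd = -1;

/* Naive variant: unconditionally closes the stored descriptor. When
 * nothing is open, close(-1) fails with EBADF, so the caller's errno is
 * overwritten although the function reports success, which is exactly
 * what a caller relying on endpwent() semantics does not expect. */
enum nss_status naive_endpwent(void)
{
    (void)close(conn_fd);
    conn_fd = -1;
    return NSS_STATUS_SUCCESS;
}

/* Careful variant: remember errno on entry, restore it on the success
 * path, and leave it modified only when an error is actually reported. */
enum nss_status careful_endpwent(void)
{
    int saved_errno = errno;

    if (conn_fd != -1) {
        if (close(conn_fd) != 0) {
            /* close(2) set errno; that is the error we report. */
            conn_fd = -1;
            return NSS_STATUS_UNAVAIL;
        }
        conn_fd = -1;
    }

    errno = saved_errno;
    return NSS_STATUS_SUCCESS;
}

/* Constructed scenarios: run a variant with a given caller errno and
 * report the errno observed afterwards. */
int errno_after_naive(int caller_errno)
{
    conn_fd = -1;                     /* nothing open: the common case */
    errno = caller_errno;
    naive_endpwent();
    return errno;
}

int errno_after_careful(int caller_errno)
{
    conn_fd = -1;
    errno = caller_errno;
    careful_endpwent();
    return errno;
}

/* Failure path: a descriptor assumed not to be open, so close(2) fails
 * with EBADF and the careful variant must report it through errno. */
int errno_after_careful_failure(int caller_errno)
{
    conn_fd = 999999;                 /* constructed bogus descriptor */
    errno = caller_errno;
    careful_endpwent();
    return errno;
}

enum nss_status status_of_careful_failure(void)
{
    conn_fd = 999999;                 /* constructed bogus descriptor */
    errno = 0;
    return careful_endpwent();
}

int main(void)
{
    printf("naive:   caller errno EINTR -> %d (EBADF is %d)\n",
           errno_after_naive(EINTR), EBADF);
    printf("careful: caller errno EINTR -> %d (EINTR is %d)\n",
           errno_after_careful(EINTR), EINTR);
    return 0;
}
```

The same save/restore applies to any NSS entry point whose contract says errno is meaningful only on failure: the cleanup it performs (closing sockets, freeing buffers) may legitimately fail with an errno of its own without that being an error of the call itself.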
61f4aaa5 by Tomas Halman at 2020-05-21T11:00:42+02:00
sssctl: sssctl config-check alternative config file

The sssctl config-check now allows specifying an alternative config
file so it can be tested before rewriting the system configuration.

    sssctl config-check -c ./sssd.conf

Configuration snippets are looked up in the same place under the
conf.d directory. It would be in ./conf.d/ for the example above.

Resolves:
https://github.com/SSSD/sssd/issues/5142

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
532b75c9 by Pavel Březina at 2020-05-22T09:59:56+02:00
test: avoid endian issues in network tests

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
d8d74387 by Tomas Halman at 2020-05-22T10:01:06+02:00
man: Document invalid selinux context for homedirs

The default value of fallback_homedir expands into a path that is not
expected by selinux. Generally, not only selinux might be affected by
this default value. This PR documents the issue and recommends
further steps.

Resolves:
https://github.com/SSSD/sssd/issues/5155

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
3ea6e61c by Sumit Bose at 2020-05-26T18:07:08+02:00
ad: remove unused libsmbclient from libsss_ad.so

libsmbclient is only used by gpo_child where libsmbclient is linked
directly. So there is no need to link it to libsss_ad.so as well.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b52c4c95 by Niranjan M.R at 2020-06-03T12:00:58+02:00
pytest/testlib: Remove explicit encryption types from kdc.conf

Previously encryption types were mentioned so that
these encryption types are added in kdc.conf. These encryption
types contained des3, which was removed in recent krb5-1.18.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f47ad87a by Yuri Chornoivan at 2020-06-04T11:48:20+02:00
general: fix minor typos

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
26c794da by Sumit Bose at 2020-06-05T11:00:35+02:00
pam_sss: add SERVICE_IS_GDM_SMARTCARD

Resolves: https://github.com/SSSD/sssd/issues/5190

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3ed25476 by Sumit Bose at 2020-06-05T11:00:35+02:00
pam_sss: special handling for gdm-smartcard

The gdm-smartcard service is special since it is triggered by the
presence of a Smartcard and even in the case of an error it will
immediately try again. To break this loop we should ask for a user
input and asking for a PIN is the most straightforward and would show the
same behavior as pam_pkcs11.

Additionally it does not make sense to fall back to a password prompt
for gdm-smartcard so also here a PIN prompt should be shown.

Resolves: https://github.com/SSSD/sssd/issues/5190

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c226703f by Pavel Březina at 2020-06-05T11:01:46+02:00
Provide new link for documentation: change sssd.github.io to sssd.io

Documentation is now hosted through github pages on custom domain: sssd.io.
The original domain sssd.github.io redirects to sssd.io.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a7c75567 by Sumit Bose at 2020-06-05T11:03:07+02:00
ad_gpo_ndr.c: more ndr updates

This patch adds another update to the ndr code which was previously
updated by commits c031adde4f532f39845a0efd78693600f1f8b2f4 and
1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.

A missing update in ndr_pull_security_ace() caused
a failure in ad_gpo_parse_sd(). A unit test for ad_gpo_parse_sd() was
added to prevent similar issues in the future.

Resolves: https://github.com/SSSD/sssd/issues/5183

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37588754 by Alexey Tikhonov at 2020-06-05T11:05:49+02:00
DEBUG: only open child process log files when required

There was no reason to keep child process log files open permanently.

This patch:
 - helps to avoid the issue where SIGHUP was ignored for child process logs;
 - somewhat reduces code duplication.

Resolves: https://github.com/SSSD/sssd/issues/4667

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
dce025b8 by Sumit Bose at 2020-06-05T11:06:47+02:00
GPO: fix link order in a SOM

GPOs of the same OU were applied in the wrong order. Details about how
GPOs should be processed can be found e.g. at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)

Resolves: https://github.com/SSSD/sssd/issues/5103

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8ca799ea by Sumit Bose at 2020-06-05T11:17:19+02:00
sysdb: make sysdb_update_subdomains() more robust

Some NULL checks are added, basically to allow missing values to be
set later.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d3089173 by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: rename ad_master_domain_* to ad_domain_info_*

The ad_master_domain_{send|recv} are not specific to the master domain
so a more generic name seems to be suitable.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9aa26f65 by Sumit Bose at 2020-06-05T11:17:19+02:00
sysdb: make new_subdomain() public

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2bad4d4b by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx

Since the function can be used to get the id ctx of any domain the
'root' is removed from the name.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8c642a54 by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: remove unused trust_type from ad_subdom_store()

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3ae3286d by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: add ad_check_domain_{send|recv}

This new request tries to get the basic domain information like domain
SID and NetBIOS domain name for a domain given by name. To achieve
this the needed data is added to the general domain structure and the SDAP
domain structure. If the domain data cannot be looked up the data is
removed again.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e25e1e92 by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: check forest root directly if not present on local DC

If the information about the forest root domain cannot be read from the
local domain controller, an attempt is made to read it from a DC of the
forest root directly.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
79e01fc9 by Lukas Slebodnik at 2020-06-05T11:26:31+02:00
python-test.py: Do not use letter similar to numbers

Running pycodestyle currently reports the following cases of one of a set of
three style checks meant to avoid ambiguous single-letter names that look like numbers:

./src/tests/python-test.py:54:35: E741 ambiguous variable name 'l'
./src/tests/python-test.py:102:38: E741 ambiguous variable name 'l'

https://pycodestyle.pycqa.org/en/latest/intro.html#error-codes

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4c4b62b4 by Lukas Slebodnik at 2020-06-05T11:26:36+02:00
INTG: Do not use letter similar to numbers in python code

Running pycodestyle currently reports the following cases of one of a set of
three style checks meant to avoid ambiguous single-letter names that look like numbers:

./src/tests/intg/krb5utils.py:101:27: E741 ambiguous variable name 'l'
./src/tests/intg/krb5utils.py:116:23: E741 ambiguous variable name 'l'
./src/tests/intg/krb5utils.py:140:28: E741 ambiguous variable name 'l'

https://pycodestyle.pycqa.org/en/latest/intro.html#error-codes

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e58853f9 by Sumit Bose at 2020-06-09T10:40:19+02:00
DEBUG: use new exec_child(_ex) interface in tests

Resolves: https://github.com/SSSD/sssd/issues/4667

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
230a5068 by David Ward at 2020-06-18T12:16:55+02:00
failover: fix documentation of default timeouts

Commit e97ff0adb62c89cfc7e75858b7e592e0303720b0 changed the default
timeouts for the DNS resolver. While it also updated the man pages,
this update did not correctly reflect the new defaults.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
39480618 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CLIENT: fixed a few CHECKED_RETURN (CWE-252) warnings

Fixed a few
```
src/sss_client/nfs/sss_nfs_client.c:*: check_return: Calling "sss_strnlen" without checking return value
```
warnings.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
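On the CHECKED_RETURN class of finding above, an added example (not SSSD's code) of why the return value of a bounded length helper matters. `bounded_strlen()` is a hypothetical helper that follows the convention the commit attributes to `sss_strnlen`, reporting the length through an out-parameter and signalling an unterminated buffer through its return code; `parse_message()` is a constructed consumer that parses a name followed by a 4-byte identifier and refuses the message, instead of working with a garbage length, when the terminator is missing. The wire format and the sample buffers are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper following the convention described for sss_strnlen:
 * the length goes to *len, the return value is 0 or an errno code.
 * memchr() never looks beyond maxlen, so an unterminated buffer is
 * reported instead of being scanned past its end. */
static int bounded_strlen(const char *str, size_t maxlen, size_t *len)
{
    const char *nul = memchr(str, '\0', maxlen);

    if (nul == NULL) {
        return EINVAL;
    }
    *len = (size_t)(nul - str);
    return 0;
}

/* Constructed wire format: NUL-terminated name, then a 32-bit
 * little-endian identifier. */
struct parsed_message {
    char name[64];
    uint32_t id;
};

int parse_message(const uint8_t *buf, size_t buflen, struct parsed_message *out)
{
    size_t name_len;
    const uint8_t *p;
    int ret;

    /* The check the analyzer asked for: an unterminated name must stop
     * parsing here, because name_len would otherwise be unset. */
    ret = bounded_strlen((const char *)buf, buflen, &name_len);
    if (ret != 0) {
        return ret;
    }
    if (name_len >= sizeof(out->name)) {
        return ENAMETOOLONG;
    }
    /* After the name and its NUL there must be room for the identifier. */
    if (buflen - (name_len + 1) < sizeof(uint32_t)) {
        return EMSGSIZE;
    }

    memcpy(out->name, buf, name_len + 1);
    p = buf + name_len + 1;
    out->id = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
            | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t well_formed[] = { 'a', 'l', 'i', 'c', 'e', '\0',
                                       0xE9, 0x03, 0x00, 0x00 };   /* id 1001 */
static const uint8_t unterminated[] = { 'b', 'o', 'b', 'c', 'a', 't' };
static const uint8_t truncated[] = { 'e', 'v', 'e', '\0', 0x01 };

/* Results for each sample, as plain return values. */
int parse_well_formed(void)
{
    struct parsed_message m;
    return parse_message(well_formed, sizeof(well_formed), &m);
}

uint32_t id_of_well_formed(void)
{
    struct parsed_message m;
    if (parse_message(well_formed, sizeof(well_formed), &m) != 0) {
        return 0;
    }
    return m.id;
}

int parse_unterminated(void)
{
    struct parsed_message m;
    return parse_message(unterminated, sizeof(unterminated), &m);
}

int parse_truncated(void)
{
    struct parsed_message m;
    return parse_message(truncated, sizeof(truncated), &m);
}

int main(void)
{
    struct parsed_message m;

    if (parse_message(well_formed, sizeof(well_formed), &m) == 0) {
        printf("name=%s id=%u\n", m.name, m.id);
    }
    printf("unterminated -> %d, truncated -> %d\n",
           parse_unterminated(), parse_truncated());
    return 0;
}
```

The helper returns an error code rather than a "best effort" length precisely so that callers can't silently continue; dropping that return value, as the analyzer reported, discards the only signal that the buffer is malformed.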
014cbde8 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
NSS: fixed FORWARD_NULL (CWE-476)

Fixed following warning:
```
sssd-2.3.1/src/responder/nss/nsssrv.c:304: assign_zero: Assigning: "supp_gids" = "NULL".
sssd-2.3.1/src/responder/nss/nsssrv.c:351: var_deref_op: Dereferencing null pointer "supp_gids".
 #  349|
 #  350|       for (int i = 0; i < size; i++) {
 #  351|->         if (supp_gids[i] == nss_ctx->mc_gid) {
 #  352|               DEBUG(SSSDBG_TRACE_FUNC,
 #  353|                     "Already assigned to the SSSD supplementary group\n");
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ee16f392 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
KCM: fixed NO_EFFECT (CWE-398)

Fixed warning:
```
sssd-2.3.1/src/responder/kcm/kcmsrv_ops.c:1359: array_null: Comparing an array to null is not useful: "uuid_list[0] == NULL", since the test will always evaluate as true.
sssd-2.3.1/src/responder/kcm/kcmsrv_ops.c:1359: remediation: Was "uuid_list[0]" formerly declared as a pointer?
 # 1357|       }
 # 1358|
 # 1359|->     if (uuid_list == NULL || uuid_list[0] == NULL) {
 # 1360|           DEBUG(SSSDBG_MINOR_FAILURE, "Nothing to list\n");
 # 1361|           state->op_ret = ERR_NO_MATCHING_CREDS;
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8088b3e3 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
PROXY: suppress CPPCHECK_WARNING (CWE-456)

Suppressed false positive warning:
```
sssd-2.3.1/src/providers/proxy/proxy_child.c:520: error[uninitvar]: Uninitialized variable: id
 #  518|       }
 #  519|
 #  520|->     if (id == 0) {
 #  521|           fprintf(stderr, "\nMissing option, "
 #  522|                           "--id is a mandatory option.\n\n");
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b132fab8 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
MC: fixed CPPCHECK_WARNING

Fixed a few
```
error[comparePointers]: Subtracting pointers that point to different objects
```
warnings.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6701ad96 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CLIENT: fixed CPPCHECK_WARNING (CWE-476)

Fixed warning:
```
sssd-2.3.1/src/sss_client/nss_group.c:95: warning[nullPointer]: Possible null pointer dereference: name
 #   93|       switch (type) {
 #   94|       case GETGR_NAME:
 #   95|->         ret = strcmp(name, sss_nss_getgr_data.id.grname);
 #   96|           if (ret != 0) {
 #   97|               status = NSS_STATUS_NOTFOUND;
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
144e78df by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
util/inotify: fixed CLANG_WARNING

Fixed following warning:
```
sssd-2.3.1/src/util/inotify.c:346:17: warning: Value stored to 'ret' is never read
 #                ret = EOK;
 #                ^     ~~~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0c5711f9 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
util/inotify: fixed bug in inotify event processing

Error was spotted with the help of the following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/util/inotify.c:327:21: warning: Value stored to 'rewatch' is never read
 #                    rewatch = true;
 #                    ^         ~~~~
```

First part of the issue was that EAGAIN returned by the process_dir_event()
didn't trigger snotify_rewatch() (as suggested by the comments).
Fixing this part is already enough to resolve issue #1031 (as it was
reported).

Another part of the issue was that process_file_event() return code wasn't
checked against EAGAIN (again, as suggested by the DEBUG message).
Strictly speaking, I'm not sure if this part is really required or
if processing DIR events would cover all cases, but rebuilding watches
on IN_IGNORED won't hurt.

Resolves: https://github.com/SSSD/sssd/issues/1031

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9c4d662d by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
TOOLS: fixed CLANG_WARNING

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/tools/tools_mc_util.c:255:5: warning: Value stored to 'cmd' is never read
 #    cmd = SSS_CLI_NULL;
 #    ^     ~~~~~~~~~~~~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e525ed6a by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
TOOLS: fixed a couple of CLANG_WARNINGs

Fixed following warnings (false positives):
```
Error: CLANG_WARNING:
sssd-2.3.1/src/tools/sss_override.c:1609:15: warning: 3rd function call argument is an uninitialized value
sssd-2.3.1/src/tools/sss_override.c:1860:15: warning: 3rd function call argument is an uninitialized value
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
14e5c31e by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CLIENT: fixed "Dereference of null pointer" warning

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/sss_client/libwbclient/wbc_sid_sssd.c:152:27: warning: Dereference of null pointer (loaded from variable 'pname')
 #            wbcFreeMemory(*pname);
 #                          ^~~~~~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
464f809e by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
RESPONDER/SUDO: fixed CLANG_WARNING

Fixed following warning (false positive):
```
Error: CLANG_WARNING:
sssd-2.3.1/src/responder/sudo/sudosrv_get_sudorules.c:203:5: warning: Undefined or garbage value returned to caller
 #    return ret;
 #    ^
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
83389697 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
RESPONDER/NSS: fixed a few CLANG_WARNINGs

Fixed following warnings:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/responder/nss/nsssrv_mmap_cache.c:910:5: warning: Value stored to 'pos' is never read
sssd-2.3.1/src/responder/nss/nsssrv_mmap_cache.c:771:5: warning: Value stored to 'pos' is never read
sssd-2.3.1/src/responder/nss/nss_protocol.c:191:5: warning: Value stored to 'p' is never read
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
316c850e by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CACHE_REQ: fixed CLANG_WARNING

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/responder/common/cache_req/cache_req_data.c:49:5: warning: Value stored to 'i' is never read
 #    i = 0;
 #    ^   ~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
64adcd41 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
PROVIDERS/LDAP: fixed CLANG_WARNING

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/providers/ldap/sdap_dyndns.c:679:22: warning: The left operand of '!=' is a garbage value
 #    if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6) {
 #                     ^
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ce069954 by Alexey Tikhonov at 2020-06-18T12:17:23+02:00
PROVIDERS/LDAP: fixed CLANG_WARNING

Fixed following warning (false positive):
```
Error: CLANG_WARNING:
sssd-2.3.1/src/providers/ldap/sdap_async_autofs.c:916:15: warning: 5th function call argument is an uninitialized value
 #        ret = save_autofs_entries(state->dom, state->opts,
 #              ^
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5611d242 by Alexey Tikhonov at 2020-06-18T12:17:23+02:00
PROVIDERS/IPA: fixed few CLANG_WARNINGs

Fixed following warnings:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/providers/ipa/ipa_selinux.c:1553:9: warning: Value stored to 'ret' is never read
sssd-2.3.1/src/providers/ipa/ipa_selinux.c:1631:9: warning: Value stored to 'ret' is never read
sssd-2.3.1/src/providers/ipa/ipa_deskprofile_rules_util.c:1041:9: warning: Value stored to 'ret' is never read
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
df632eec by Sumit Bose at 2020-06-18T12:18:52+02:00
ipa: add failover to subdomain override lookups

In the ipa_subdomain_account request, failover handling was missing.

Related to https://github.com/SSSD/sssd/issues/5075
      (was https://pagure.io/SSSD/sssd/issue/4114)

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a08d4741 by Pavel Březina at 2020-06-19T11:22:54+02:00
pam_sss: fix missing initializer

Fix the following error introduced by:
3ed254765fc92e9cc9e4c35335818eaf1256e0d6

```
/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c: In function ‘prompt_sc_pin’:
/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:1839:41: error: missing initializer for field ‘next’ of ‘struct cert_auth_info’ [-Werror=missing-field-initializers]
                                         NULL, NULL, NULL, NULL, NULL };
                                         ^~~~
/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:132:28: note: ‘next’ declared here
     struct cert_auth_info *next;

```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a06bf788 by Paweł Poławski at 2020-06-23T10:41:08+02:00
AD: Enforcing GPO rule restriction on user

This fixes a bug related to the ad_gpo_implicit_deny option set to True.
ad_gpo_implicit_deny was checked only for dacl_filtered_gpos,
but not for cse_filtered_gpos.

Resolves:
https://github.com/SSSD/sssd/issues/5181

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f61f972b by Alexey Tikhonov at 2020-06-24T16:11:29+02:00
DEBUG: fixed potential NULL dereference

`rotate_debug_files()`: check `debug_file` is not NULL before
attempting to close it.

Resolves: https://github.com/SSSD/sssd/issues/5217

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4fd05180 by Alexey Tikhonov at 2020-06-24T16:12:42+02:00
TRANSLATIONS: updated translations to include new source file

Some translations were previously missed when some code moved
to a new source file `src/config/SSSDConfig/sssdoptions.py`.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
88e92967 by Alexey Tikhonov at 2020-06-24T16:13:15+02:00
NEGCACHE: skip permanent entries in [users/groups] reset

Files provider calling `sss_ncache_reset_[users/groups]()`
during cache rebuilding was breaking neg-cache prepopulation.

Resolves: https://github.com/SSSD/sssd/issues/1024

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
31e57432 by Sumit Bose at 2020-06-24T16:17:22+02:00
pam_sss: make sure old certificate data is removed before retry

To avoid showing certificates in the certificate selection which are not
available anymore, they must be removed before a new request to look up
the certificates is sent to SSSD's PAM responder.

Resolves: https://github.com/SSSD/sssd/issues/5190

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
66029529 by Alejandro Visiedo at 2020-06-25T14:02:56+02:00
systemtap: Missing a comma

sssd_functions.stp was missing a comma.

Thanks to William Cohen for reporting the issue and the patch to fix it.

https://bugzilla.redhat.com/show_bug.cgi?id=1840194

Resolves: https://github.com/SSSD/sssd/issues/5201

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
48f9b2cb by Alexander Bokovoy at 2020-06-29T12:10:43+02:00
ipa: Do not qualify already qualified users in sudo rules

SSSD normalizes the externalUser attribute value the same way as a normal
sudoUser attribute, which is supposed to be non-fully qualified. This,
however, breaks for trusted AD users/groups because they are already
qualified.

Note that FreeIPA currently doesn't allow specifying AD users and groups
in the externalUser attribute but the work to add this is under way and is
pending this fix.

Fixes: https://github.com/SSSD/sssd/issues/5199

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8969c43d by Pavel Březina at 2020-06-29T12:11:11+02:00
files: allow root membership

There are two use cases that do not work with files provider:

1. User has primary GID 0:

This is fine by itself since SSSD does not store this user in cache and it is
handled only by `nss_files` so the user (`tuser`) is returned correctly. The
problem is when you try to resolve a group that the user is a member of. In this
case the membership is missing from the group (but only if the user was
previously resolved and thus stored in the negative cache).

```
tuser:x:1001:0::/home/tuser:/bin/bash
tuser:x:1001:tuser

// tuser at files is ghost member of the group so it is returned because it is not in negative cache
$ getent group tuser
tuser:x:1001:tuser

// expire memcache
// tuser at files is ghost member but not returned because it is in negative cache
$ id tuser // returned from nss_files
uid=1001(tuser) gid=0(root) groups=0(root),1001(tuser)
[pbrezina /dev/shm/sssd]$ getent group tuser
tuser:x:1001:
```

**2. root is member of other group**

The root member is missing from the membership since it was filtered out by
negative cache.

```
tuser:x:1001:root

$ id root
uid=0(root) gid=0(root) groups=0(root),1001(tuser)
[pbrezina /dev/shm/sssd]$ getent group tuser
tuser:x:1001:
```

In the files provider, only the users that we do not want to manage are stored
as ghost members, therefore we can let nss_files handle groups that have ghost
members.

Tests are changed as well to work with this behavior. Users are added when
required and ghosts are expected to return ENOENT.

Resolves:
https://github.com/SSSD/sssd/issues/5170

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ffb9ad13 by Pavel Březina at 2020-06-29T12:12:04+02:00
proxy: use 'x' as default pwfield only for sssd-shadowutils target

To avoid regression for the case where files is used for proxy but authentication
is handled by another module than pam_unix, e.g. auth_provider = krb.

This provides different solution to the ticket and improves the documentation.

Resolves:
https://github.com/SSSD/sssd/issues/5129

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
100839b6 by Sumit Bose at 2020-07-02T10:15:03+02:00
PAM: do not treat error for cache-only lookups as fatal

The original fatal error came from a time where at this place in the
code the response from the backend was checked and an error was clearly
fatal.

Now we only check if the entry is in the cache and valid. An error would
mean that the backend is called to look up or refresh the entry. So the
backend can change the state of the cache and make upcoming cache
lookups successful. So it makes sense to call the backend not only if
ENOENT is returned but for all kinds of errors.

Resolves https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
ceebe02e by ikerexxe at 2020-07-07T11:23:16+02:00
db/sysdb.c: remove unused variable

The variable was set with a value that was never read afterwards:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/db/sysdb.c:2109:9: warning: Value stored to 'ret' is never read
 #        ret = EIO;
 #        ^     ~~~
sssd-2.3.0/src/db/sysdb.c:2109:9: note: Value stored to 'ret' is never read
 #        ret = EIO;
 #        ^     ~~~
 # 2107|           return true;
 # 2108|       } else if (res->count != 1) {
 # 2109|->         ret = EIO;
 # 2110|           goto done;
 # 2111|       }
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
f28eedc1 by Pavel Březina at 2020-07-09T10:11:48+02:00
monitor: log to syslog when service fails to start

Resolves:
https://github.com/SSSD/sssd/issues/3728

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
39e50096 by Alexey Tikhonov at 2020-07-09T10:15:01+02:00
NSS: fixed UNINIT (CWE-457)

Fixed following warning:
```
Error: UNINIT (CWE-457):
sssd-2.3.1/src/responder/nss/nss_protocol_grent.c:130: var_decl: Declaring variable "num_members" without initializer.
sssd-2.3.1/src/responder/nss/nss_protocol_grent.c:206: uninit_use: Using uninitialized value "num_members".
 #  204|
 #  205|   done:
 #  206|->     *_num_members = num_members;
 #  207|       talloc_free(tmp_ctx);
 #  208|
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
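The UNINIT finding above (an out-parameter assigned at a `done:` label from a local that is only set on the success path) in an added example that is not SSSD's code. `count_members()` is a constructed function with the same shape: it validates a member list, jumps to `done` on the first invalid entry, and writes the count through `*_num_members` there; initializing the counter at its declaration is what makes the error path well-defined. The input, the validation rule and the function names are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Counts the non-empty entries of a member list. A NULL entry is treated
 * as corrupt input and aborts the count. The function reaches `done` from
 * the error path as well, so everything written there must be defined on
 * every path: num_members is initialized at its declaration instead of
 * being left to the loop, which is the pattern the analyzer flagged. */
int count_members(const char *const *members, size_t count,
                  size_t *_num_members)
{
    size_t num_members = 0;   /* the fix: never reaches `done` uninitialized */
    int ret;

    for (size_t i = 0; i < count; i++) {
        if (members[i] == NULL) {
            ret = EINVAL;
            goto done;        /* error path also ends at `done` */
        }
        if (members[i][0] == '\0') {
            continue;         /* skip empty names, do not count them */
        }
        num_members++;
    }
    ret = 0;

done:
    *_num_members = num_members;
    return ret;
}

/* Constructed inputs. */
static const char *const valid_list[] = { "alice", "", "bob", "carol" };
static const char *const corrupt_list[] = { "alice", NULL, "bob" };

int ret_of_valid(void)
{
    size_t n;
    return count_members(valid_list, sizeof(valid_list) / sizeof(valid_list[0]), &n);
}

int ret_of_corrupt(void)
{
    size_t n;
    return count_members(corrupt_list, sizeof(corrupt_list) / sizeof(corrupt_list[0]), &n);
}

size_t members_in_valid(void)
{
    size_t n = 0;
    (void)count_members(valid_list, sizeof(valid_list) / sizeof(valid_list[0]), &n);
    return n;
}

/* Out-parameter as seen by a caller that ignores the return value: with
 * the initializer it is a defined value (the members counted before the
 * error, here 1) rather than whatever was on the stack. */
size_t members_before_error(void)
{
    size_t n = 12345;         /* sentinel: must be overwritten at `done` */
    (void)count_members(corrupt_list, sizeof(corrupt_list) / sizeof(corrupt_list[0]), &n);
    return n;
}

int main(void)
{
    printf("valid: ret=%d members=%zu\n", ret_of_valid(), members_in_valid());
    printf("corrupt: ret=%d members=%zu\n", ret_of_corrupt(), members_before_error());
    return 0;
}
```

Assigning the out-parameter at a shared `done:` label is convenient, but it turns every `goto done` into a use of the local; either initialize the local where it is declared or assign the out-parameter only on the success path.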
cea0db2d by Pavel Březina at 2020-07-14T09:58:56+02:00
po: fix sv translation

This made sssd.conf translation truncated in the middle.

Resolves:
https://github.com/SSSD/sssd/issues/5186

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
437778b5 by ikerexxe at 2020-07-14T09:59:29+02:00
data_provider/dp_target_id: remove store statement from a never read variable

The same variable was set twice to a value that was never read:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:197:9: warning:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:197:9: note:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
 #  195|           DEBUG(SSSDBG_CRIT_FAILURE,
 #  196|                 "Failed creating temporary talloc context\n");
 #  197|->         ret = ENOMEM;
 #  198|           goto done;
 #  199|       }

Error: CLANG_WARNING:
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:308:9: warning:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:308:9: note:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
 #  306|           DEBUG(SSSDBG_CRIT_FAILURE,
 #  307|                 "Failed creating attributes\n");
 #  308|->         ret = ENOMEM;
 #  309|           goto done;
 #  310|       }
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
54b1c19b by ikerexxe at 2020-07-14T09:59:29+02:00
p11_child/p11_child_common: remove store statement from a never read variable

A new value was stored in a variable that was never read afterwards:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/p11_child/p11_child_common.c:348:9: warning: Value stored
to 'ret' is never read
 #        ret = EINVAL;
 #        ^     ~~~~~~
sssd-2.3.0/src/p11_child/p11_child_common.c:348:9: note: Value stored to
'ret' is never read
 #        ret = EINVAL;
 #        ^     ~~~~~~
 #  346|                 "--module_name, --token_name and --key_id must be given for "
 #  347|                 "authentication");
 #  348|->         ret = EINVAL;
 #  349|           goto fail;
 #  350|       }
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0cebd0f9 by ikerexxe at 2020-07-14T09:59:29+02:00
autofs_test_client and sss_tools: remove store statements from never read variables

New values were stored in two variables that were never read afterwards:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/sss_client/autofs/autofs_test_client.c:59:13: warning:
Although the value stored to 'ret' is used in the enclosing expression,
the value is never actually read from 'ret'
 #    while ((ret = poptGetNextOpt(pc)) > 0)
 #            ^     ~~~~~~~~~~~~~~~~~~
sssd-2.3.0/src/sss_client/autofs/autofs_test_client.c:59:13: note:
Although the value stored to 'ret' is used in the enclosing expression,
the value is never actually read from 'ret'
 #    while ((ret = poptGetNextOpt(pc)) > 0)
 #            ^     ~~~~~~~~~~~~~~~~~~
 #   57|       poptSetOtherOptionHelp(pc, "MAPNAME");
 #   58|
 #   59|->     while ((ret = poptGetNextOpt(pc)) > 0)
 #   60|           ;
 #   61|

Error: CLANG_WARNING:
sssd-2.3.0/src/tools/common/sss_tools.c:73:13: warning: Although the
value stored to 'opt' is used in the enclosing expression, the value is
never actually read from 'opt'
 #    while ((opt = poptGetNextOpt(pc)) != -1) {
 #            ^     ~~~~~~~~~~~~~~~~~~
sssd-2.3.0/src/tools/common/sss_tools.c:73:13: note: Although the value
stored to 'opt' is used in the enclosing expression, the value is never
actually read from 'opt'
 #    while ((opt = poptGetNextOpt(pc)) != -1) {
 #            ^     ~~~~~~~~~~~~~~~~~~
 #   71|
 #   72|       pc = poptGetContext(argv[0], orig_argc, argv, options, 0);
 #   73|->     while ((opt = poptGetNextOpt(pc)) != -1) {
 #   74|           /* do nothing */
 #   75|       }
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ff8d7b8f by Alejandro Visiedo at 2020-07-14T10:00:02+02:00
config: [RFE] Add "enabled" option to domain section

A new attribute is appended to [domain/*] sections so that
a domain can be enabled/disabled by domain section and, by
extension, by configuration file if each domain is divided
into separate files.

This attribute overrides the list of domains at the [sssd]
section, however the new **enabled** attribute overrides
the values of the list. If no **enabled** attribute is
found for a domain section, the domain list criteria is
used to enable/disable a domain.

Resolves: https://github.com/SSSD/sssd/issues/4743

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2d90e642 by Alexey Tikhonov at 2020-07-14T10:03:16+02:00
mem-cache: sizes of free and data tables were made consistent

Since the size of the "free table" didn't account for the SSS_AVG_*_PAYLOAD
factor, only a small fraction of the "data table" was actually used.
SSS_AVG_*_PAYLOAD differentiation for different payload types only
affected the size of the hash table and was removed as unjustified.

Resolves:
https://github.com/SSSD/sssd/issues/5115

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
80e7163b by Michal Židek at 2020-07-14T10:03:30+02:00
NSS: make memcache size configurable

Added options to configure memcache size:
memcache_size_passwd
memcache_size_group
memcache_size_initgroups

Related:
https://github.com/SSSD/sssd/issues/4578

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e12340e7 by Alexey Tikhonov at 2020-07-14T10:03:34+02:00
NSS: avoid excessive log messages

 - do not log error message if mem-cache was disabled explicitly
 - increase message severity in case of fail to store entry in mem-cache

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
be8052bb by Alexey Tikhonov at 2020-07-14T10:03:36+02:00
NSS: enhanced debug during mem-cache initialization

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2ad4aa8f by Alexey Tikhonov at 2020-07-14T10:03:39+02:00
mem-cache: added log message in case cache is full

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b7f31936 by Alexey Tikhonov at 2020-07-14T10:03:42+02:00
NSS: make memcache size configurable in megabytes

Memcache size was made configurable in megabytes and not in slots
to hide internal implementation from users.

Relates: https://github.com/SSSD/sssd/issues/5115

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b96b05bc by Alexey Tikhonov at 2020-07-14T10:03:45+02:00
mem-cache: comment added

Added comment explaining usage of `mcc->next_slot`

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
484507bf by Alexey Tikhonov at 2020-07-14T10:03:48+02:00
mem-cache: always cleanup old content

(Try to) clean up old files even if mem-cache is currently disabled.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
72b8e02c by Tomas Halman at 2020-07-20T11:12:58+02:00
sssctl: sssctl config-check alternative snippet dir

The sssctl config-check now allows to specify not only alternative
config file but also snippet dir.

    sssctl config-check -c ./sssd.conf -s /etc/sssd/conf.d

Configuration snippets are still looked up in the same place under
conf.d directory by default. It would be in ./conf.d/ for the example
above.

Resolves:
https://github.com/SSSD/sssd/issues/5142

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
0609d0f7 by Pavel Březina at 2020-07-20T11:14:06+02:00
sss_ssh_knownhostsproxy: print error when unable to connect

This was partially fixed by:
9a7b04690e30fc57dce45c82b918b8d95b978df1

Now we also print an error when we are unable to open the socket.

How to test:
```
$ ssh -oProxyCommand="/usr/bin/sss_ssh_knownhostsproxy -p 22 nonexistenthost" -oGlobalKnownHostsFile=/var/lib/sss/pubconf/known_hosts nonexistenthost
$ ssh -oProxyCommand="/usr/bin/sss_ssh_knownhostsproxy -p 22 localhost" -oGlobalKnownHostsFile=/var/lib/sss/pubconf/known_hosts localhost
```

(assuming `localhost` does not run ssh server)

Resolves:
https://github.com/SSSD/sssd/issues/5236

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3be349b9 by Pavel Březina at 2020-07-20T11:14:06+02:00
sss_ssh_knownhostsproxy: print error when unable to proxy data

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5d9e2328 by ikerexxe at 2020-07-21T13:09:45+02:00
responder/common/responder_packet: get packet length only once

The packet length variable was read and then read again without using the
previously read value. So, I have refactored the code a little bit to
read the value once and use it everywhere else. Moreover, I have
implemented some improvements in the sss_packet_recv() function pointed
out by Alexey.

Coverity errors:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/responder/common/responder_packet.c:217:21: warning:
Although the value stored to 'new_len' is used in the enclosing
expression, the value is never actually read from 'new_len'
 #                && (new_len = sss_packet_get_len(packet))
 #                    ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~
sssd-2.3.0/src/responder/common/responder_packet.c:217:21: note:
Although the value stored to 'new_len' is used in the enclosing
expression, the value is never actually read from 'new_len'
 #                && (new_len = sss_packet_get_len(packet))
 #                    ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~
 #  215|                       || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
 #  216|                   && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
 #  217|->                 && (new_len = sss_packet_get_len(packet))
 #  218|                                      < SSS_CERT_PACKET_MAX_RECV_SIZE) {
 #  219|               new_len = sss_packet_get_len(packet);
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b9205026 by ikerexxe at 2020-07-21T13:18:41+02:00
Test: Add users_by_filter_multiple_domains_valid

Test users_by_filter_multiple_domains_valid was removed in [1] because
it was failing. Apparently, the failure was related to a filter that caused
only users added after the request was started to be returned. When adding
back the test I haven't found that problem, but another one related to memory
handling in the test itself.

The failure was related to a filter, added when
calling cache_req_group_fy_filter_send(), that causes only users
added after the request started to be returned.

This commit adds back the test after fixing several problems related
to memory handling in the test itself.

Explanation of the test:
Given two users are present
When the users are searched by filtering domains
Then the two users are returned correctly.

Resolves:
https://github.com/SSSD/sssd/issues/3920

Links:
[1] https://github.com/SSSD/sssd/commit/bdf422fde0fd6b40b3412bad3b200f8fd7ea8693

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
0cd3f5c0 by ikerexxe at 2020-07-21T13:18:41+02:00
Test: Add groups_by_filter_multiple_domains_valid

Test groups_by_filter_multiple_domains_valid was removed in [1] because
it was failing. Apparently, the failure was related to a filter that caused
only groups added after the request was started to be returned. When adding
back the test I haven't found that problem, but another one related to memory
handling in the test itself.

This commit adds back the test after fixing several problems related
to memory handling in the test itself.

Explanation of the test:
Given two groups are present
When the groups are searched by filtering domains
Then the two groups are returned correctly.

Resolves:
https://github.com/SSSD/sssd/issues/3920

Links:
[1] https://github.com/SSSD/sssd/commit/bdf422fde0fd6b40b3412bad3b200f8fd7ea8693

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
41a60c62 by Sumit Bose at 2020-07-23T13:42:47+02:00
libwbclient-sssd: deprecate libwbclient-sssd

Recent versions of Samba require that winbindd is running to handle the
communication with AD. SSSD's implementation of libwbclient cannot be
used anymore in this case and should be deprecated so that the related
code can be removed in a later version.

With this patch libwbclient will not be built by default anymore and the
configure help message indicates that libwbclient is deprecated.

Resolves: https://github.com/SSSD/sssd/issues/5230

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a2b9a844 by Sumit Bose at 2020-07-24T12:33:36+02:00
certmap: sanitize LDAP search filter

The sss_certmap_get_search_filter() will now sanitize the values read
from the certificates before adding them to a search filter. To be able
to get the plain values as well sss_certmap_expand_mapping_rule() is
added.

Resolves:
https://github.com/SSSD/sssd/issues/5135

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

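As an added example of the escaping such a sanitizer needs (not SSSD's sss_certmap code): the RFC 4515 hex-escape of the LDAP filter metacharacters, applied to a constructed certificate-derived value before it is placed in an equality filter. The names ldap_filter_escape and build_eq_filter are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape `len` bytes of `in` per RFC 4515 section 3: '*', '(', ')', '\' and
 * NUL become "\XX" (two lowercase hex digits). Returns a newly allocated
 * NUL-terminated string, or NULL on out-of-memory. */
char *ldap_filter_escape(const char *in, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    char *out = malloc(len * 3 + 1); /* worst case: every byte becomes 3 chars */
    size_t o = 0;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        switch (c) {
        case '*': case '(': case ')': case '\\': case '\0':
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            break;
        default:
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Build the equality filter "(attr=value)" with the value escaped, so a value
 * carrying filter metacharacters can only match literally. Returns a newly
 * allocated string, or NULL on out-of-memory. */
char *build_eq_filter(const char *attr, const char *value)
{
    char *esc = ldap_filter_escape(value, strlen(value));
    if (esc == NULL) return NULL;
    size_t n = strlen(attr) + strlen(esc) + 4; /* '(' '=' ')' NUL */
    char *filter = malloc(n);
    if (filter != NULL) snprintf(filter, n, "(%s=%s)", attr, esc);
    free(esc);
    return filter;
}
int main(void)
{
    /* constructed sample value, as it might be read from a certificate field */
    char *f = build_eq_filter("cn", "Example Corp (*)");
    if (f == NULL) return 1;
    puts(f); /* prints (cn=Example Corp \28\2a\29) */
    free(f);
    return 0;
}
```
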
- - - - -
3e7633bf by Alexey Tikhonov at 2020-07-24T13:29:35+02:00
Updated translation files: Japanese, Chinese (China), French

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d999cbf4 by Pavel Březina at 2020-07-24T13:29:36+02:00
Update the translations for the 2.3.1 release

- - - - -
7e004b7c by Pavel Březina at 2020-07-24T13:29:36+02:00
tests: discard const in test_confdb_get_enabled_domain_list

```
../../src/tests/cmocka/confdb/test_confdb.c:247:51: error: passing argument 2 of ‘string_in_list’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  247 |         assert_true(string_in_list(result[index], expected_enabled_domain_list, false));
      |                                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                                   |
      |                                                   const char **
```

- - - - -
b84f44d9 by Timo Aaltonen at 2020-07-28T12:42:54+03:00
Merge branch 'upstream'

- - - - -
3914cc13 by Timo Aaltonen at 2020-07-28T13:36:31+03:00
bump the version

- - - - -
6cc40390 by Timo Aaltonen at 2020-07-28T16:20:27+03:00
source: Extend diff-ignore.

- - - - -
33fe1026 by Timo Aaltonen at 2020-07-28T16:49:46+03:00
rules: Set --with-libwbclient.

- - - - -
4cee69bb by Timo Aaltonen at 2020-07-28T16:50:14+03:00
control: Add libsofthsm2 to build-depends for tests.

- - - - -
3ce864a6 by Timo Aaltonen at 2020-07-28T17:15:05+03:00
releasing package sssd version 2.3.1-1

- - - - -


16 changed files:

- BUILD.txt
- Makefile.am
- README.md
- contrib/sssd.spec.in
- debian/changelog
- debian/control
- debian/rules
- debian/source/local-options
- po/POTFILES.in
- po/bg.po
- po/ca.po
- po/cs.po
- po/de.po
- po/es.po
- po/eu.po
- po/fr.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/46a6afccb45ee699a649e8f3ebbcfde55e83dcea...3ce864a60a7dfb3f1b22634fee2d6ccc36d9ed4e
