[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 220 commits: scripts: change release tag from sssd-x_y_z to x.y.z
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Wed Aug 18 06:53:17 BST 2021
Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd
Commits:
4c47f1da by Pavel Březina at 2021-02-05T13:34:37+01:00
scripts: change release tag from sssd-x_y_z to x.y.z
- - - - -
db51ce55 by Pavel Březina at 2021-02-05T13:45:58+01:00
Update version in version.m4 to track the next release
- - - - -
d547a2dc by Alexey Tikhonov at 2021-02-05T19:02:05+01:00
BUILD: fixes gpo_child linking issue
/usr/bin/ld: src/util/gpo_child-signal.o (symbol from plugin): undefined reference to symbol 'BlockSignals@@SAMBA_UTIL_0.0.1'
Resolves: https://github.com/SSSD/sssd/issues/5385
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
5ce7ced2 by Alexander Bokovoy at 2021-02-11T12:01:23+01:00
pam_sss_gss: support authentication indicators
MIT Kerberos allows associating authentication indicators with the
issued ticket based on how the TGT was obtained. The indicators
present in the TGT are then copied to service tickets. There are two ways to
check the authentication indicators:
- when the KDC issues a service ticket, a policy on the KDC side can reject the
ticket issuance based on a lack of a certain indicator
- when a server application is presented with a service ticket from a
client, it can verify that this ticket contains the intended
authentication indicators before authorizing access from the client.
Add support to validate presence of a specific (set of) authentication
indicator(s) in pam_sss_gss when validating a user's TGT.
This concept can be used to only allow access to a PAM service when the user
is in possession of a ticket obtained using one of the pre-authentication
mechanisms that require multiple factors: smart-cards (PKINIT), 2FA
tokens (otp/radius), etc.
Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b100efbf by Pavel Březina at 2021-02-11T12:01:43+01:00
sudo: do not search by low usn value to improve performance
This is a follow up on these two commits.
- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea
The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.
This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.
Now we omit the usn attribute from the filter if there is no meaningful value.
How to test:
1. Setup LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
75343ff5 by Pavel Březina at 2021-02-16T11:18:20+01:00
ldap: fix modifytimestamp debugging leftovers
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
b1f4dc82 by Alexey Tikhonov at 2021-02-16T11:26:20+01:00
SPEC: don't hard require python3-sssdconfig in a meta package
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
5c9143e9 by Stanislav Levin at 2021-02-16T11:32:20+01:00
pam_sss: Don't fail on deskprofiles phase for AD users
By default (if session_provider is not none) during session setup
pam_sss attempts to fetch desktop rules and profiles for user from
IPA domain. As part of this job, the data provider looks for the
user info (uid and gid) in IPA domain but fails to do that for AD
user from a trusted domain returning PAM_SESSION_ERR.
The requested target domain has been already found in `dp_req_new`
and may be referenced as `params->domain`. This change doesn't
introduce the possibility to fetch deskprofiles for AD users, but
at least, doesn't break PAM authentication for them.
Resolves: https://github.com/SSSD/sssd/issues/5499
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
135d843f by Pavel Březina at 2021-02-19T10:11:20+01:00
spec: remove setuid bit from child helpers if sssd user is root
The setuid bit is only needed if sssd runs as non-root user.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
a53c214b by Alexey Tikhonov at 2021-02-19T10:11:38+01:00
spec file: don't enable implicit files domain on RHEL
Corresponding code is built and users can enable files domain
on an as-needed basis. But there is little value running it on
RHEL "as is" by default.
(As a reminder, as a comment in this file says, this is a
"SSSD SPEC file for Fedora 34+ and RHEL-9+")
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
9aaa0e51 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
systemd configs: limit process capabilities
This is to upstream https://src.fedoraproject.org/rpms/sssd/blob/f34/f/0502-SYSTEMD-Use-capabilities.patch
Additionally even more limited CapabilityBoundingSet is applied to ifp and
kcm services (CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
CAP_BLOCK_SUSPEND are excluded as compared to main sssd service)
:relnote: Example systemd service configs now make use of CapabilityBoundingSet
option as a security hardening measure.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ee9dbea1 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
monitor: fixed default value of 'user' config option
1) man page explicitly and unconditionally says that default value
for this option is 'root' so this patch just aligns code with a doc
2) since at the moment "sssd running as non-root" feature isn't really
tested and is proposed at "use at your own risk" basis it wouldn't hurt
to require user to configure this option explicitly even when sssd is
built with "--with-sssd-user=sssd"
This should be changed when feature is really supported.
:relnote: default value of 'user' config option was fixed into accordance
with man page, i.e. default is 'root'
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
fd7ce7b3 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
systemd configs: add CAP_DAC_OVERRIDE in a certain case
If sssd is configured with --with-sssd-user=<user> where <user>!='root'
but is actually run under the root we need CAP_DAC_OVERRIDE to access
files owned by <user>:<user>
If sssd is really run under non-root account that doesn't have this cap
originally then its addition to CapabilityBoundingSet doesn't matter.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
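The two commits above (the CapabilityBoundingSet hardening for the sssd, ifp and kcm units, and the CAP_DAC_OVERRIDE exception) describe which capabilities are meant to be absent from a running responder. The program below is an added example, not code from SSSD or from these commits: it parses the `CapBnd:` line of a `/proc/<pid>/status` buffer and reports whether any capability that the ifp/kcm units are supposed to drop is still present. The status excerpt is constructed for the example, the capability numbers are the standard Linux values from `<linux/capability.h>`, and `self_capbnd()` is a helper added here so the same check can be run against a live process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux capability numbers, as in <linux/capability.h>. */
#define CAP_DAC_OVERRIDE   1
#define CAP_KILL           5
#define CAP_NET_ADMIN     12
#define CAP_SYS_ADMIN     21
#define CAP_SYS_NICE      23
#define CAP_SYS_RESOURCE  24
#define CAP_BLOCK_SUSPEND 36

/* Constructed sample (not captured from a real sssd process): a status
 * excerpt whose bounding set lacks the six capabilities the ifp/kcm units
 * exclude while still containing CAP_DAC_OVERRIDE. */
static const char sample_status[] =
    "Name:\tsssd_kcm\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t000001effe5fefdf\n";

/* The set the commit says ifp and kcm drop relative to the main service. */
static const int ifp_kcm_dropped[] = {
    CAP_KILL, CAP_NET_ADMIN, CAP_SYS_NICE,
    CAP_SYS_ADMIN, CAP_SYS_RESOURCE, CAP_BLOCK_SUSPEND
};
#define IFP_KCM_DROPPED_COUNT (sizeof(ifp_kcm_dropped) / sizeof(ifp_kcm_dropped[0]))

/* Extract the CapBnd mask from a status buffer.
 * Returns 0 and stores the mask on success, -1 if the line is missing. */
int parse_capbnd(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapBnd:");
    char *end;
    unsigned long long v;

    if (p == NULL) return -1;
    p += strlen("CapBnd:");
    while (*p == ' ' || *p == '\t') p++;
    v = strtoull(p, &end, 16);
    if (end == p) return -1;          /* no hex digits after the label */
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability number 'cap' is present in 'mask', 0 otherwise. */
int cap_in_mask(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Count capabilities from 'dropped' that are unexpectedly still in 'mask'.
 * 0 means the bounding set matches the hardening the unit file promises. */
int count_unexpected_caps(uint64_t mask, const int *dropped, size_t n)
{
    int present = 0;
    for (size_t i = 0; i < n; i++)
        if (cap_in_mask(mask, dropped[i])) present++;
    return present;
}

/* Helper added for this example: CapBnd of the calling process, 0 on error. */
uint64_t self_capbnd(void)
{
    char buf[4096];
    uint64_t m = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return 0;
    size_t len = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[len] = '\0';
    if (parse_capbnd(buf, &m) != 0) return 0;
    return m;
}

int main(void)
{
    uint64_t m = 0;
    if (parse_capbnd(sample_status, &m) == 0)
        printf("sample: %d unexpected caps, CAP_DAC_OVERRIDE present: %d\n",
               count_unexpected_caps(m, ifp_kcm_dropped, IFP_KCM_DROPPED_COUNT),
               cap_in_mask(m, CAP_DAC_OVERRIDE));
    printf("self:   CapBnd=%016llx\n", (unsigned long long)self_capbnd());
    return 0;
}
```

To check a deployed unit, run the check from inside the service (or read `/proc/<pid>/status` of the responder) and expect zero unexpected capabilities for ifp and kcm; a non-zero count means the unit file in use does not carry the CapabilityBoundingSet line from these commits.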
f890fc4b by ikerexxe at 2021-02-19T14:28:37+01:00
RESPONDER: check that configured sockets match
Check if the sockets defined in systemd unit and sssd.conf match. If
they don't, then print a warning message.
Moreover, change man page regarding socket_path option to indicate that
it will be overwritten by systemd's unit file.
Resolves: https://github.com/SSSD/sssd/issues/5406
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
50e3221d by Pavel Březina at 2021-02-19T16:43:14+01:00
responder: fix warning in activate_unix_sockets
The warning appears with systemd disabled.
```
src/responder/common/responder_common.c: In function ‘activate_unix_sockets’:
src/responder/common/responder_common.c:1005:15: error: unused variable ‘sockaddr_len’ [-Werror=unused-variable]
1005 | socklen_t sockaddr_len = sizeof(sockaddr);
```
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
709bfc4a by Pavel Březina at 2021-02-19T16:57:31+01:00
pot: update pot files
- - - - -
9eeaf23b by Pavel Březina at 2021-02-19T17:06:48+01:00
Update version in version.m4 to track the next release
- - - - -
b5c2389b by Steeve Goveas at 2021-02-24T11:27:50+01:00
TEST: Add function to control services
We can use this function to start, stop or restart any service
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
0ff8d462 by Deepak Das at 2021-02-24T11:28:07+01:00
SSSD Log: write_krb5info_file word replacement
Replace write_krb5info_file in SSSD log file with exact filename.
Resolves: https://github.com/SSSD/sssd/issues/5505
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
634b3c94 by aborah at 2021-03-01T11:08:14+01:00
TESTS: First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0
Starting from sssd-1.16.5-10.el7_9, the first query performed
with smart refresh contains modifyTimestamp attribute even
if the modifyTimestamp is 0.
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
32d2aa55 by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
prompt config: fix covscan errors
Covscan is confused by dangling pointers in arrays after freeing. Its
analyzer may decide to visit already visited list elements and since
they weren't NULL-ed, it may consider double-free to happen in the code.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
d73f1282 by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
covscan: initialize ret variable before use
covscan does consider 'ret' uninitialized even though
GET_ATTR/GET_ATTR_ARRAY macros have explicit and unconditional
assignment to ret. This is confusing but causing actual failures in
covscan runs.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
42c9ca0c by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
covscan: symlink() expects non-NULL second argument
Author: Alexander Bokovoy <abokovoy at redhat.com>
Amended by: Alexey Tikhonov <atikhono at redhat.com>
(used 'EINVAL' as error code instead of 'ENOMEM')
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
1724482c by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: replace localtime() with localtime_r()
localtime_r() is much more performant (~x12 times faster on my machine)
as it sets `tzname` only once while localtime() does this every time
it is executed (and this includes string manipulations, getenv(),
stat("/etc/localtime"), etc)
As a result of this replacement, average time consumed by a trivial debug
message (one %d arg) is reduced by ~40..45% on my machine.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f553b57d by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: replace gettimeofday() with time() if usec isn't needed
gettimeofday() is much slower than time() and accounts for ~2% of total
time consumed by DEBUG.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
5f840192 by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: cache string representation of last timestamp
Significant part (~15%) of time consumed by DEBUG is spent formatting string
representation of a timestamp. For a case of heavy logging it makes sense
to cache this string and re-format only in case timestamp changed.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
815197cb by Pavel Březina at 2021-03-05T12:26:50+01:00
spec: do not use systemd to restart services with RefuseManualStart=true
These service unit files have RefuseManualStart=true, therefore they can
be controlled only as a dependency via the main sssd.service or socket
activation.
Resolves: https://github.com/SSSD/sssd/issues/5521
:fixes: SSSD spec file `%postun` no longer tries to restart services that
can not be restarted directly to stop producing systemd warnings
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8e8ccca5 by ikerexxe at 2021-03-05T12:27:17+01:00
TESTS: test socket path when systemd activation
Test socket path when sssd-kcm is activated by systemd. If socket in
systemd unit and sssd.conf is defined in different locations then print a
warning.
Verifies: https://github.com/SSSD/sssd/issues/5406
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
b8d8b377 by Alexey Tikhonov at 2021-03-16T13:03:48+01:00
p11_child: fixed mistype in a debug message
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
b165acb6 by Steeve Goveas at 2021-03-16T13:04:00+01:00
TEST: missing multihost in service_ctrl
This update will fix the method and make it usable
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
c7733c44 by Steeve Goveas at 2021-03-16T13:13:36+01:00
TEST: Update test docstrings enable polarion updates
These docstring updates are a requirement to enable automatic updates
into polarion using betelguese tool. It will help to add/update test
cases and import test results from CI. Each test case must have 'id' to
make it unique. The tool will use it to update the respective case and
will avoid adding duplicate test case in polarion.
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
341c5e35 by Weblate at 2021-03-18T11:44:48+01:00
po: update translations
Currently translated at 2.8% (21 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
Translated using Weblate (Finnish)
Currently translated at 2.5% (68 of 2643 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
Translated using Weblate (Chinese (Simplified) (zh_CN))
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/
Translated using Weblate (Japanese)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/
Translated using Weblate (French)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
Translated using Weblate (Polish)
Currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
- - - - -
9da41eb9 by Alexey Tikhonov at 2021-03-22T10:44:52+01:00
SPEC: added 'BuildRequires: po4a'
'po4a' is needed when building from srpm made from upstream sources, i.e.
without prepared translations.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
c796088e by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: fix warning ‘security_context_t’ is deprecated
The type is now deprecated, char * should be used instead
https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
3fba29f9 by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: fix warning ‘matchpathcon’ is deprecated
```
src/util/selinux.c: In function ‘selinux_file_context’:
src/util/selinux.c:50:9: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
50 | if (matchpathcon(dst_name, 0, &scontext) < 0) {
```
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ecf26727 by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: make SEC_CTX and SELINUX_CTX typedef instead of macro
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2a512fdf by Alexey Tikhonov at 2021-03-25T11:39:14+01:00
systemd configs: add CAP_DAC_OVERRIDE for ifp in certain case
Commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e missed ifp.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
0e095147 by Heiko Schlittermann (HS12-RIPE) at 2021-03-25T11:41:07+01:00
Fix setXYent(): rewind always
This compensates for "forgotten" endXYent() calls during the same session,
as observed with Dovecot authd.
Affected functions:
- setgrent()
- sethostent()
- setnetent()
- setnetgrent()
- setpwent()
- setservent()
TLDR;
SSSD assumes the following sequence in the consumer for enumeration:
setXYent(); while (getXYent()) { ... }; endXYent();
setXYent(); while (getXYent()) { ... }; endXYent();
But the 2nd setXYent() fails to rewind if in the above sequence the
call to first endXYent() is omitted.
Dovecot's authd is an example for omitting the endpwent(). They confirmed
an associated bug report already. But, formally speaking, the
documentation for setXYent() indicates that it should rewind. Period. :)
The endXYent() probably is for pure comfort, resource management, etc.
I built this into a private copy of the sssd packages Debian ships
(Buster/Debian10, 1.16.3) and used them in production (tested with AD
provided users and groups), using a simple Perl script.
```perl
#! /usr/bin/perl
use strict;
use warnings;
sub users {
    my $n = 0;
    setpwent() or die "setpwent: $!\n";
    $n++ while $_ = getpwent();
    # endpwent(); # missing!
    return $n;
}
print users(), "\n"; # reports number of all users
print users(), "\n"; # users backed by sssd are missing
```
Resolves: https://github.com/SSSD/sssd/issues/5523
Patch co-authored by Sumit Bose.
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
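The commit above shows the missing-endXYent() sequence with a Perl script; the C program below is an added example (not part of the commit or of SSSD) that exercises the same contract directly against the libc `setpwent()`/`getpwent()` API of the machine it runs on: it enumerates the passwd database twice without calling `endpwent()` in between and reports whether the second `setpwent()` rewound. With a correctly behaving NSS backend both counts are equal; the bug this commit fixes showed up as a smaller second count once sssd-provided users were in the enumeration.

```c
#include <pwd.h>
#include <stdio.h>

/* Enumerate the passwd database once and return the number of entries.
 * endpwent() is deliberately omitted, mirroring the consumer behaviour
 * (Dovecot authd) described in the commit message. */
long count_passwd_entries(void)
{
    long n = 0;

    setpwent();                     /* per its documentation, must rewind */
    while (getpwent() != NULL) {
        n++;
    }
    /* endpwent() intentionally missing */
    return n;
}

/* Return 1 if two back-to-back enumerations without endpwent() yield the
 * same non-zero count, i.e. the second setpwent() really rewound;
 * 0 otherwise. Cleans up with endpwent() afterwards. */
int setpwent_rewinds(void)
{
    long first = count_passwd_entries();
    long second = count_passwd_entries();

    endpwent();
    return (first > 0 && first == second) ? 1 : 0;
}

int main(void)
{
    printf("entries on first pass:  %ld\n", count_passwd_entries());
    printf("entries on second pass: %ld\n", count_passwd_entries());
    endpwent();
    printf("setpwent() rewinds without endpwent(): %s\n",
           setpwent_rewinds() ? "yes" : "NO");
    return 0;
}
```

Run it on a host where SSSD serves users with enumeration enabled before and after applying the fix; the "NO" case reproduces the Dovecot symptom, and the second pass losing exactly the sssd-backed users is the signature to look for.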
98696414 by Justin Stephenson at 2021-03-31T11:41:51+02:00
CI: Use builtin command for pycodestyle check
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
f1661c04 by Tomas Halman at 2021-04-01T11:17:56+02:00
DEBUG: Error is printed when everything is ok
Due to an invalid condition, an error message that the config file does not
exist is printed when there is actually no problem. This update fixes
the condition.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
0fd0681d by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved ldb_debug_messages() out of UTILS to SYSDB
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0dfb188e by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved declaration of debug related helpers defined in debug.c from util.h to debug.h
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
fee3883b by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: use '--logger' as the only option to configure logger type.
This patch gets rid of:
- 'debug-to-files', 'debug-to-stderr' command line options
- undocumented 'debug_to_files' sssd.conf option
and makes '--logger' command line option the only "source of truth" for
logger type configuration.
Those options were not used much anyway but made precedence logic obscure
in case contradictory settings were used.
:config: Long time deprecated and undocumented 'debug_to_files' option was
removed.
:relnote: 'debug-to-files', 'debug-to-stderr' command line and undocumented
'debug_to_files' config options were removed.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
fc5b64e8 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: make use of existing SSSD_DEBUG_OPTS macro
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
c14e439c by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: incorporate sss_set_logger() into DEBUG_INIT
This makes code less error-prone reducing amount of function calls required
for debug initialization.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
4d133e15 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: remove sss_set_logger() from public API
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
cf699170 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: added several comments to debug.h API and moved rarely used / "private" functions to the bottom.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
374d644f by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved SSSDBG_MASK_ALL out of debug.h since it is only used in tests.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
dde57f76 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: incorporate open_debug_file() into DEBUG_INIT
This makes code less error-prone reducing amount of function calls required
for debug initialization.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
21334de2 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
MONITOR: added logging of cmd used to start services
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0cddb671 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: introduce SSSDBG_TOOLS_DEFAULT
Resolves: https://github.com/SSSD/sssd/issues/5488
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
66960c76 by Alexey Tikhonov at 2021-04-01T11:18:13+02:00
MONITOR: in case '-i' is given don't force logger to 'stderr' if its value is specified explicitly
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
9a39ceba by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: remove unneeded kcm.h
This file was copied from MIT Kerberos code, but we do not really
need it.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
81130b23 by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: add support for MIT extensions
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
560e2479 by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: add GET_CRED_LIST for faster iteration
For large caches, one IPC operation per credential dominates the cost
of iteration. Instead transfer the whole list of credentials to the
client in one IPC operation.
Resolves: https://github.com/SSSD/sssd/issues/5545
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
49010b16 by Iker Pedrosa at 2021-04-08T11:16:54+02:00
configure: set CPP macro with AC_PROG_CPP
sssd build with an autoconf version greater than 2.70 fails because CPP
macro is empty. This change fixes this problem by setting the macro with
AC_PROG_CPP at the beginning of the configuration.
Resolves: https://github.com/SSSD/sssd/issues/5563
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
cd843daf by Massimiliano Torromeo at 2021-04-08T11:17:21+02:00
configure: Fix python headers detection with recent autoconf
Resolves: https://github.com/SSSD/sssd/issues/5336
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
b6efe6b1 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: handle large service tickets
Resolves: https://github.com/SSSD/sssd/issues/5568
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
c6a76283 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: reduce duplication of code that handles larger-than-normal packets
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
63f318f7 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: add debug logging to assist with errors caused by overlarge packets
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
37d33177 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: further increase packet size for SSS_GSSAPI_SEC_CTX
Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
provides extra overhead should that increase in the future.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
5c9fa75b by Sam Morris at 2021-04-12T13:28:15+02:00
responder/common/responder_packet: remove some unnecessary checks before growing packet
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
b87619f9 by Sam Morris at 2021-04-12T13:28:15+02:00
responder/common/responder_packet: allow packets of max size
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
23197881 by aborah at 2021-04-12T13:28:43+02:00
Tests: Tests if shadow-utils are immune against bugs in 2006:0032
Tests if shadow-utils are immune against bugs in 2006:0032
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
05e75dba by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
test_pam_srv: Add test for CA certificate check using intermediate CA
Since the switch to libcrypto as security backend SSSD enforces that all
the CAs in the key chain must be trusted, so add a test that ensures
that this is true and that an intermediate certificate doesn't verify a
leaf one if we're missing the whole chain.
To build the certificates we use the test_CA main certificate
(SSSD_test_CA.pem) as the root CA authority while we create a new CA
intermediate certificate used to create new leaf certificates.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5ed48d2f by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
p11_child_openssl: Free X509_VERIFY_PARAM if initialized
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
018043bb by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
p11_child: Add support for 'partial_chain' certificate_verification option
As per the switch to libcrypto by default, the CA certificates DB needs
to contain the whole certificates key-chain in order to verify a leaf
certificate. This means that if an intermediate CA authority signed a
leaf certificate the CA DB we provide to SSSD needs to contain the whole
key-chain, up to the root CA cert in order to verify the leaf one.
Now, while this is indeed more secure, it may break previous
configurations that were based on an NSS database that contained only
trusted intermediate CA certificates.
To allow such setups to continue working (once the NSS db is migrated)
we need to permit a "weaker" setup where an x509 certificate is verified
when the CA database we test against contains only the intermediate CA
certificate that was used to sign it.
As per this, support `partial_chain` value to be used as
`certification_verification` parameter that will add the
`X509_V_FLAG_PARTIAL_CHAIN` verify param flag to the store, as the
openssl's verify `-partial-chain` parameter works.
This setup can still be considered secure as it's still needed to have
configured the SSSD ca db to contain the trusted certs.
Add tests to check that we can verify a leaf certificate against its
parent (only) when using such option.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
7e3edb06 by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
pam: Add custom pam_cert_verification setting to override default
PAM uses by default the certificate_verification parameter, however we
may want to set specific settings to be used for PAM auth only.
So add pam_cert_verification setting option that will be used to define
the verification options.
If this value is unset, we'll fallback to default.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
65c90d8f by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
sssd.spec: BuildRequires on openssl tool
It's needed for creating the certificates we use for testing
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
509c2ac9 by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa: skip id-range of unknown type
If a new range type is added in the IPA server SSSD currently considers
this as an error and stops processing any further server side options.
With this patch unknown range types are just skipped and no error is
returned.
Resolves: https://github.com/SSSD/sssd/issues/5571
:fixes: unknown IPA id-range types are not considered as an error
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
27172c95 by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa: add unit test for ipa_ranges_parse_results
A unit test is added to check if unknown range types are properly
skipped. For this ipa_ranges_parse_results() is made public and moved to
a source file which is already used in a unit test to avoid the
inclusion of additional dependencies.
Resolves: https://github.com/SSSD/sssd/issues/5571
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
02d9625e by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa subdomains: do not fail completely if one step fails
Currently while updating server side data stored on an IPA server
during a subdomains request the whole request will fail if a single step
fails. As a result the remaining server side data which would have been
looked up after the failed attempt are missing.
With this patch a failure in a single lookup is not considered fatal and
SSSD will try to read the remaining data after an error occurred.
Resolves: https://github.com/SSSD/sssd/issues/5571
:fixes: During the IPA subdomains request a failure in reading a single
specific configuration option is not considered fatal and the
request will continue
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
dab0ead2 by Alexey Tikhonov at 2021-04-13T13:46:11+02:00
SYSV: removed unused SUSE/sssd.id
see https://github.com/SSSD/sssd/pull/5535#issuecomment-814135680
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
37d255b2 by Alexey Tikhonov at 2021-04-13T13:46:11+02:00
SYSV: replaced '-f' option in gentoo/sssd.in
This is follow up for PR#5535
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
0e145242 by peptekmail at 2021-04-13T13:46:26+02:00
TEST: FIX: When generating a ssh pubkey from a cert extra padding is needed if a nonstandard exponent is chosen.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
e865b008 by Sumit Bose at 2021-04-13T13:46:40+02:00
AD GPO: respect ad_gpo_implicit_deny if no GPO is present
Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
all for the given client. With this patch this case is handled as
expected as well.
Resolves: https://github.com/SSSD/sssd/issues/5561
:fixes: `ad_gpo_implicit_deny` is now respected even if there are no
applicable GPOs present
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
53ae9b1e by Alexey Tikhonov at 2021-04-13T13:47:01+02:00
pam_sss: fixed potential mem leak
Fixes following covscan issue:
```
Error: RESOURCE_LEAK (CWE-772): [#def1]
src/sss_client/pam_sss.c:1714: alloc_arg: "asprintf" allocates memory that is stored into "prompt".
src/sss_client/pam_sss.c:1765: leaked_storage: Variable "prompt" going out of scope leaks the storage it points to.
# 1763| free(response);
# 1764|
# 1765|-> return ret;
# 1766| #else
# 1767| return ENOTSUP;
```
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
231d1118 by Sumit Bose at 2021-04-13T13:48:59+02:00
negcache: use right domain in nss_protocol_fill_initgr()
When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliably if the user can be a member of groups from multiple
domains.
With this patch the domain the group belongs to is determined and used
while checking the negative cache.
Resolves: https://github.com/SSSD/sssd/issues/5534
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
4f373427 by Paweł Poławski at 2021-04-13T14:44:26+02:00
ncache: Fix misleading function comment
sss_ncache_reset_repopulate_permanent() function is responsible
only for flushing and repopulating permanent entries in negative
cache. Old inline description suggests that full negative cache
wipe will be performed.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
e6994359 by Paweł Poławski at 2021-04-13T14:44:26+02:00
utils: Add description for CLEAR_MC_FLAG define
CLEAR_MC_FLAG is definition of flag file which is used
to sync memory cache clearing process in between sss_cache util
and NSS responder.
When sss_cache sends SIGHUP to NSS, existence of flag file
notifies responder that memory cache clearing should be
performed. Deletion of this file by responder notifies
sss_cache back that cache clearing operation has been finished.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
6195ac70 by Paweł Poławski at 2021-04-13T14:44:26+02:00
nss: Add negcache clearing sbus callback
NSS responder already has SBUS callback for memory cache clearing.
It is called by MONITOR when SIGHUP is handled.
This commit extends SBUS sssd.service interface with negcache
clearing ability executed under "clearNegcache" request.
```xml
<interface name="sssd.service">
    <annotation name="codegen.Name" value="service" />
    <annotation name="codegen.SyncCaller" value="false" />
    <method name="resInit" />
    <method name="goOffline" />
    <method name="resetOffline" />
    <method name="rotateLogs" />
    <method name="clearMemcache" />
    <method name="clearNegcache" />
    <method name="clearEnumCache" />
    <method name="sysbusReconnect" />
</interface>
```
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7a4974c8 by Paweł Poławski at 2021-04-13T14:44:26+02:00
nss: Clear negative cache when SIGHUP received
When MONITOR receives SIGHUP signal it sends cache clearing
request to NSS responder using SBUS "clearMemcache" command.
This commit adds a call to negcache clearing at the same time.
It is executed by calling "clearNegcache" from the NSS SBUS API.
Resolves: https://github.com/SSSD/sssd/issues/4973
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
191b5352 by Paweł Poławski at 2021-04-15T10:28:14+02:00
data_provider: Configure backend probing interval
When a be_ptask is created to monitor the backend while SSSD
is in offline mode, checks happen at specified intervals:
```c
delay = delay + (sss_rand() % task->random_offset);
```
A new configuration option is introduced in this commit:
* offline_timeout_random_offset
Using this option allows the end client to decide what
the size of the random offset should be when a new interval
for probing the backend is calculated.
:feature: New configuration option `offline_timeout_random_offset`
to control random factor in backend probing interval
when SSSD is in offline mode.
:config: Added `offline_timeout_random_offset` configuration option
to control maximum size of random offset added to offline timeout
SSSD backend probing interval.
Resolves: https://github.com/SSSD/sssd/issues/5556
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
5d65411f by Sumit Bose at 2021-04-16T13:24:56+02:00
sss_domain_info: add not_found_counter
This new counter should be used to track how often a domain could not be
found while discovering the environment so that it can be deleted after
a number of failed attempts.
Resolves: https://github.com/SSSD/sssd/issues/5528
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
95adf488 by Sumit Bose at 2021-04-16T13:24:56+02:00
AD: read trusted domains from local domain as well
Currently SSSD only uses information stored in a domain controller of
the forest root domain to get the names of other trusted domains in the
forest. Depending on how the forest was created the forest root might
not have LDAP objects for all domains in the forest. It looks like a
typical case is child domains of other domains in the forest.
As a start SSSD can now include trusted domains stored in the LDAP tree
of a local domain controller as well. In the long run it would make sense
to allow SSSD to explicitly search for domains by looking up DNS entries
and checking a potential domain controller with a CLDAP ping.
Resolves: https://github.com/SSSD/sssd/issues/5528
:feature: Besides trusted domains known by the forest root, trusted
domains known by the local domain are used as well.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
e0fcec92 by Sumit Bose at 2021-04-20T11:14:00+02:00
man: clarify single_prompt option
Make it more clear that the single_prompt prompting configuration option
can only be used with both factors even if the second is optional.
Resolves: https://github.com/SSSD/sssd/issues/5586
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
da55e3e6 by Iker Pedrosa at 2021-04-20T11:15:41+02:00
ldap: retry ldap_install_tls() when watchdog interruption
When the call to ldap_install_tls() fails because the watchdog
interrupted it, retry it. The watchdog interruption is detected by
checking the value of the ticks before and after the call to
ldap_install_tls().
Resolves: https://github.com/SSSD/sssd/issues/5531
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
64340cac by Alexey Tikhonov at 2021-04-21T12:01:14+02:00
whitespace_test: remove 'debian' from exclude pattern as this is downstream specific.
See discussion in https://github.com/SSSD/sssd/pull/5435 for details
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
691fe494 by Sumit Bose at 2021-04-21T12:01:30+02:00
nss: prefer homedir overrides over override_homedir option
Currently the override_homedir option will overwrite every home
directory even if a dedicated user override exists. With this patch a
home directory from a dedicated override will be preferred.
Resolves: https://github.com/SSSD/sssd/issues/5589
:relnote: A home directory from a dedicated user override, either local
or centrally managed by IPA, will have a higher precedence than the
override_homedir option.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
88eec1c2 by Sumit Bose at 2021-04-21T12:02:00+02:00
nss client: make innetgr() thread safe
The innetgr() call is expected to be thread safe but SSSD's current
implementation isn't. In glibc innetgr() is implemented by calling the
setnetgrent(), getnetgrent(), endgrent() sequence with a private context
(struct __netgrent) which provides a member where NSS modules can store
data between the calls.
With this patch setnetgrent() will read all required data from the NSS
responder and store it in the data member of the __netgrent struct.
Upcoming getnetgrent() calls will only operate on the stored data and
not connect to the NSS responder anymore. endgrent() will free the data.
Since the netgroup data is read in a single request to the NSS responder
protected by a mutex and stored in private context of innetgr() this
call is now thread-safe.
Resolves: https://github.com/SSSD/sssd/issues/5540
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
29abf94e by Sumit Bose at 2021-04-21T12:02:00+02:00
intg test: test if innetgr() is thread-safe
This integration test adds 2 large netgroups in LDAP and runs a program
with 2 threads looking up those netgroups in parallel.
Resolves: https://github.com/SSSD/sssd/issues/5540
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
38905cac by Alexey Tikhonov at 2021-04-26T11:32:50+02:00
monitor: avoid NULL deref in monitor_service_shutdown()
Resolves: https://github.com/SSSD/sssd/issues/5598
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
cbfccb17 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
BUILD: prefer PCRE2 over PCRE
:relnote: This release deprecates pcre1 support. This support will be
removed completely in following releases.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
519d9434 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
util/regexp: local functions shall be static
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
31bcb6f0 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
tests/test_dp_opts: mem leak fixed
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
9aa6fb34 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
tests/test_nested_groups: mem leak fixed
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0fbe5af1 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
util/regexp: regular talloc d-tor shouldn't fail
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f2bcf74c by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
sssd.supp: suppress false positive valgrind warning about 'pcre2_code' ptr
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
6a60406b by Steeve Goveas at 2021-04-26T11:34:27+02:00
TEST: Modify subsystem to sst_idm_sssd
idm sst was subdivided into team-specific ssts and is now implemented in
polarion
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
2276fc42 by Shridhar Gadekar at 2021-04-27T13:58:30+02:00
Tests: alltests: fetch autofs maps after coming online
SSSD should fetch autofs maps from server when coming online
from offline state, without existing cache.
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
eb61f1b2 by Shridhar Gadekar at 2021-04-29T12:04:59+02:00
test: minor change in test doc string
adding test id in the doc string
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
846296d1 by Alexey Tikhonov at 2021-04-29T12:05:17+02:00
libwbclient-sssd: removed
:relnote: SSSD's implementation of 'libwbclient' was removed
as incompatible with modern version of Samba.
Resolves: https://github.com/SSSD/sssd/issues/5459
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9854ade1 by Iker Pedrosa at 2021-04-29T12:05:38+02:00
spec: Remove ldconfig scripts
According to
https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets#Upgrade.2Fcompatibility_impact
spec files that target Fedora 28+ don't require the use of ldconfig
scriptlets. So, I'm removing them from the spec file.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
99beee3c by Alexey Tikhonov at 2021-04-29T12:05:50+02:00
LDAP: make connection log levels consistent
Connection related events (established, expired, released) now use same
debug level.
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
7313efba by Sumit Bose at 2021-04-30T12:57:35+02:00
man: clarify priority in sss-certmap man page
Explain in the man page what is expected when two or more mapping and
matching rules have the same priority.
Resolves: https://github.com/SSSD/sssd/issues/4415
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
a0179e31 by Hugh Cole-Baker at 2021-05-05T17:12:33+02:00
man: fix p11_uri example URIs
The p11_uri requires a pkcs11: scheme, using p11_uri = slot-description=My..
without pkcs11: as a prefix will cause p11_child to log an error:
p11_kit_uri_parse failed [-2][URI scheme must be 'pkcs11:'].
Fix the examples to include the pkcs11: scheme.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f66b5aed by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
DEBUG: got rid of most explicit DEBUG_IS_SET checks as a preliminary step for "logs backtrace" feature
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
59ba14e5 by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
DEBUG: poor man's backtrace
In case SSSD is run with debug_level < 9, log everything to
a ring buffer in memory and flush the buffer to a log file on any
error (up to and including `min(0x0040, debug_level)`)
(i.e. if `debug_level` is explicitly set to 0 or 1 then only those
error levels will trigger backtrace, otherwise up to 2).
Feature is only supported for `logger == files`:
- for stderr it doesn't make much sense: as buffer is quite large,
it would be very inconvenient to get it in console.
- for journal: support might be considered later, after getting
some feedback
:feature: If 'debug_backtrace_enabled' is set to 'true' then
on any error all prior debug messages (to some limit) are printed
even if 'debug_level' is set to a low value (for details see
`man sssd.conf`: `debug_backtrace_enabled` description).
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
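To make the ring-buffer behaviour described in the commit above concrete, here is a small stand-alone C illustration added here (not SSSD's own `debug.c`): suppressed messages are kept in a fixed-size ring and dumped only when an error that is itself enabled and no more verbose than OP_FAILURE (0x0040) is logged. The level values, ring size and function names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Debug levels in SSSD's bit-mask style; the values are assumed for this example. */
#define DBG_FATAL     0x0010u   /* level 0 */
#define DBG_CRIT      0x0020u   /* level 1 */
#define DBG_OP_FAIL   0x0040u   /* level 2 */
#define DBG_CONF      0x0100u   /* level 4 */
#define DBG_TRACE_ALL 0x4000u   /* level 9 */

#define BT_SLOTS 8    /* ring capacity; SSSD's real buffer is far larger */
#define BT_LINE  96   /* max bytes kept per buffered line */

static unsigned debug_level;
static int backtrace_enabled;        /* the debug_backtrace_enabled switch */
static char ring[BT_SLOTS][BT_LINE];
static size_t ring_head;             /* index of the oldest buffered line */
static size_t ring_count;            /* number of buffered lines, <= BT_SLOTS */

/* (Re)configure the logger and drop any buffered lines. */
void bt_reset(unsigned level, int enabled)
{
    debug_level = level;
    backtrace_enabled = enabled;
    ring_head = 0;
    ring_count = 0;
}

size_t bt_buffered(void)
{
    return ring_count;
}

/* Append a line to the ring, overwriting the oldest one when it is full. */
static void ring_push(const char *line)
{
    size_t slot = (ring_head + ring_count) % BT_SLOTS;
    snprintf(ring[slot], BT_LINE, "%s", line);
    if (ring_count < BT_SLOTS) {
        ring_count++;
    } else {
        ring_head = (ring_head + 1) % BT_SLOTS;
    }
}

/* Write all buffered lines (oldest first) to the log and empty the ring. */
static size_t ring_flush(FILE *out)
{
    size_t flushed = ring_count;
    for (size_t i = 0; i < ring_count; i++) {
        fprintf(out, "   *  %s\n", ring[(ring_head + i) % BT_SLOTS]);
    }
    ring_head = 0;
    ring_count = 0;
    return flushed;
}

/* Log one message. Returns the number of buffered lines dumped as a backtrace. */
size_t bt_log(unsigned level, const char *msg)
{
    int enabled = (level & debug_level) != 0;
    /* A dump is triggered only by an error that is enabled by debug_level and
       is no more verbose than OP_FAIL: "min(0x0040, debug_level)" in the commit.
       With debug_level = 0 or 1 an OP_FAIL message is simply buffered. */
    int triggers = enabled && level <= DBG_OP_FAIL;
    size_t dumped = 0;

    if (enabled) {
        if (triggers && backtrace_enabled && ring_count > 0) {
            fputs("********************** BACKTRACE DUMP ************************\n", stdout);
            dumped = ring_flush(stdout);
            fputs("**************************************************************\n", stdout);
        }
        printf("[0x%04x] %s\n", level, msg);
    } else if (backtrace_enabled) {
        ring_push(msg);   /* suppressed at this level: keep it for a later dump */
    }
    return dumped;
}

int main(void)
{
    /* Constructed sample: admin runs with debug_level 1 (FATAL + CRIT). */
    bt_reset(DBG_FATAL | DBG_CRIT, 1);
    bt_log(DBG_TRACE_ALL, "connecting to ldap://ldap.example.test");
    bt_log(DBG_CONF, "ldap_uri read from sssd.conf");
    bt_log(DBG_OP_FAIL, "bind failed: buffered, not a trigger at this level");
    bt_log(DBG_CRIT, "backend marked offline");   /* dumps the three lines above */
    return 0;
}
```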
e3426ebe by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
PAM: fixes a couple of covscan issues
Fixes:
```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%.*s' directive argument is null
# 127 | sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 128 | level, \
# | ~~~~~~~~
# 129 | format, ##__VA_ARGS__); \
# | ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'filter_responses'
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:569:51: note: format string is defined here
# 569 | "Found PAM ENV filter for variable [%.*s] and service [%s].\n",
# | ^~~~
```
and
```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/util.h:47: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:24: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'pam_check_user_search_next'
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%s' directive argument is null
# 127 | sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# 128 | level, \
# | ~~~~~~~~
# 129 | format, ##__VA_ARGS__); \
# | ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:1947:53: note: format string is defined here
# 1947 | DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
# | ^~
```
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
6b78b7aa by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
CACHE_REQ: fixed REVERSE_INULL warning
Fixes following warning:
```
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:807: check_after_deref: Null-checking "domain" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:784: deref_ptr: Directly dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:790: deref_ptr_in_call: Dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:805: alias: Assigning: "state->selected_domain" = "domain".
# 805| state->selected_domain = domain;
# 806|
# 807|-> if (domain == NULL) {
# 808| break;
# 809| }
```
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0aaf61c6 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
DEBUG: makes debug backtrace switchable
:config: Introduced new option 'debug_backtrace_enabled' to control
debug backtrace.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
97f046e7 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
DEBUG: log IMPORTANT_INFO if any bit >= OP_FAILURE is on
This makes sense in general and ensures IMPORTANT_INFO doesn't trigger
backtrace dump.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f693078f by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
CERTMAP: removed "sss_certmap initialized" debug
Most lib users expect only errors to be logged and provide logger function
with SSSDBG_OP_FAILURE debug level.
Thus "sss_certmap initialized" was triggering backtrace dump for no reason.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
6fb987b5 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
SERVER: decrease log level in `orderly_shutdown()` to avoid backtrace in this case.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
80963d68 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
SBUS: changed debug level in sbus_issue_request_done() to avoid backtrace dump in case of 'ERR_MISSING_DP_TARGET'
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f55c41b7 by Deepak Das at 2021-05-05T17:13:07+02:00
SSSD Log: log_timeout_parameter_display
Display timeout parameter in SSSD logs.
Resolves: https://github.com/SSSD/sssd/issues/5514
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
c79ee66f by Pavel Březina at 2021-05-07T11:34:27+02:00
pot: update pot files
- - - - -
c8274b24 by Alexey Tikhonov at 2021-05-07T13:01:12+02:00
BUILD: deprecate 'local-provider'
:relnote: 'local-provider' is deprecated and will be removed in one
of the next versions of SSSD.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8736776a by Alexey Tikhonov at 2021-05-07T13:01:12+02:00
BUILD: deprecate 'secrets' support
:relnote: 'secrets' support is deprecated and will be removed in one
of the next versions of SSSD.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ba99c1fb by Steeve Goveas at 2021-05-07T13:01:30+02:00
modify check for rhel version before package install
Include a check for rhel9 and remove the nss-pam-ldapd install for rhel9 as it
won't be available. Test with nss-pam-ldap only for rhel8.
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
d264a2b6 by Steeve Goveas at 2021-05-07T13:01:30+02:00
TEST: remove pytest warning for yield_fixture
this change would remove this warning message
"PytestDeprecationWarning: @pytest.yield_fixture is deprecated"
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
61a03b2c by Pavel Březina at 2021-05-07T13:01:47+02:00
man: document how to disable sudo smart and full refresh
Resolves: https://github.com/SSSD/sssd/issues/5601
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
b3247eeb by Pavel Březina at 2021-05-07T13:01:47+02:00
man: document how to tune sudo performance
Resolves: https://github.com/SSSD/sssd/issues/5603
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
c0204c06 by Pavel Březina at 2021-05-07T13:01:47+02:00
be: add be_ptask_postpone
This will cancel the next event and schedule it to now + period.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
d9d5c291 by Pavel Březina at 2021-05-07T13:01:47+02:00
sudo: reschedule periodic tasks when full refresh is finished
We postpone periodic full and smart refresh tasks when full refresh
(either per-request or periodic) is finished.
Resolves: https://github.com/SSSD/sssd/issues/5604
:feature: Completing a sudo full refresh now postpones the smart refresh
by `ldap_sudo_smart_refresh_interval` value. This ensures that the smart
refresh is not run too soon after a successful full refresh.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
ca47acca by Pavel Březina at 2021-05-07T13:01:47+02:00
sudo: add ldap_sudo_random_offset
Resolves: https://github.com/SSSD/sssd/issues/5609
:feature: Background sudo periodic tasks (smart and full refresh) periods
are now extended by a random offset to spread the load on the server in
environments with many clients. The random offset can be changed with
`ldap_sudo_random_offset`.
:config: Added `ldap_sudo_random_offset` (default to `30`) to add a
random offset to background sudo periodic tasks (smart and full
refresh).
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
421c0a77 by aborah at 2021-05-07T13:03:24+02:00
Tests: getent group ldapgroupname doesn't show any LDAP users
'getent group ldapgroupname' doesn't show
any LDAP users or some LDAP users when
'rfc2307bis' schema is used with SSSD
Verifies: https://github.com/SSSD/sssd/issues/5311
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1817122
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
47b40cca by aborah at 2021-05-10T11:13:21+02:00
Tests: automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase)
With 2 automount entries in LDAP with the same key (cn: MIT and cn: mit),
autofs only works for one of them (the one in uppercase)
Verifies: https://github.com/SSSD/sssd/issues/5330
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1873715
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
de170904 by Sumit Bose at 2021-05-10T11:13:38+02:00
sss_cache: reset original timestamp and USN
Currently the sss_cache utility only resets the internal/operational
timestamp attributes to indicate that the object should be refreshed.
But the timestamp cache also stores the last modification time and the
update sequence number (USN) of the original LDAP attribute to detect
changes of the original object. During some types of refreshes those
attributes might be checked, currently the modification timestamp during
group updates, and might prevent the data object from being refreshed because
it was assumed that the original object did not change.
Since it is expected that after calling e.g. sss_cache -E the cached
objects are refreshed unconditionally it makes sense to reset those
attributes in the timestamp cache as well.
Resolves: https://github.com/SSSD/sssd/issues/5596
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
c227ea4e by Sumit Bose at 2021-05-10T11:13:38+02:00
sysdb: add SYSDB_INITGR_EXPIRE to new user objects
SYSDB_INITGR_EXPIRE belongs to the timestamp cache attributes and if
only those attributes are modified it is expected that the data object
is not modified, only the related object in the timestamp cache. Until
now SYSDB_INITGR_EXPIRE was missing from the user objects if the group
membership of the user was not looked up (initgroups request). As a
result the user object might change if only timestamp cache attributes
are changed since the SYSDB_INITGR_EXPIRE was missing. With this patch
the SYSDB_INITGR_EXPIRE is added with value '0' if a new user object is
created.
Resolves: https://github.com/SSSD/sssd/issues/5596
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
993b66d4 by Justin Stephenson at 2021-05-10T14:53:56+02:00
KCM: Read and set KCM renewal and krb5 options
Add new renewal options to enable KCM renewal functionality
tgt_renewal
tgt_renewal_inherit
Krb5 options below will be read from the [kcm] configuration
section, or a domain section when a tgt_renewal_inherit domain
is provided.
krb5_renew_interval
krb5_renewable_lifetime
krb5_lifetime
krb5_validate
krb5_canonicalize
krb5_auth_timeout
Resolves: https://github.com/SSSD/sssd/issues/2765
:config: Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*`
KCM options to enable, and tune behavior of new KCM renewal feature.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
599f0ad0 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Prepare and execute renewals
Find and unmarshal renewable tickets in the list of KCM ccaches, process
and trigger renewals for TGTs after half of their lifetime is exceeded.
Resolves: https://github.com/SSSD/sssd/issues/2765
:feature: Added support for automatic renewal of renewable TGTs that are
stored in KCM ccache. This can be enabled by setting `tgt_renewal =
true`. See the sssd-kcm man page for more details. This feature requires
MIT Kerberos krb5-1.19-0.beta2.3 or higher.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
1dc3c33c by Justin Stephenson at 2021-05-10T14:53:57+02:00
SECRETS: Don't hardcode SECRETS_DB_PATH
Allow for overriding in cmocka tests
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
a55405b3 by Justin Stephenson at 2021-05-10T14:53:57+02:00
TESTS: Add kcm_renewals unit test
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
0202eb53 by Justin Stephenson at 2021-05-10T14:53:57+02:00
INTG: Add KCM Renewal integration test
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
ddcedbf3 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Conditionally build KCM renewals support
Use --enable-kcm-renewal, --disable-kcm-renewal or allow
autodetection of the MIT Kerberos marshalling functions
required to enable KCM renewal support.
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
ec932d35 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Disable responder idle timeout with renewals
When KCM renewals are configured and enabled, disable the
responder idle timeout to prevent KCM from being in a shut-down
state when it should be executing TGT renewals.
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
ce54789e by Alexey Tikhonov at 2021-05-10T14:56:44+02:00
DEBUG: fix _all_levels_enabled()
Expression was wrong in case `debug_level` had any bit without
associated level turned on (for example, 0xfff0).
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
c07a7beb by Weblate at 2021-05-10T14:57:47+02:00
po: update translations
(Ukrainian) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
po: update translations
(Polish) currently translated at 99.8% (728 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/
po: update translations
(Finnish) currently translated at 5.5% (40 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
po: update translations
(Finnish) currently translated at 2.6% (70 of 2643 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Swedish) currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/
- - - - -
e3012941 by Pavel Březina at 2021-05-10T15:06:24+02:00
man: add krb5_options to po4a.cfg
- - - - -
b3336ab9 by Pavel Březina at 2021-05-10T15:11:58+02:00
pot: update pot files
- - - - -
3f29bc26 by Pavel Březina at 2021-05-10T15:14:31+02:00
Release sssd-2.5.0
- - - - -
a95db4e1 by Pavel Březina at 2021-05-10T17:13:00+02:00
Update version in version.m4 to track the next release
- - - - -
6eb845d0 by Madhuri Upadhye at 2021-05-13T12:37:06+02:00
Test: IPA: filter_groups option partially filters the group from 'id' output
It consists of following test case:
filter_groups option partially filters the group from 'id'
output of the user because gidNumber still appears in 'id' output
Verifies:
Issue: #5403
Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1876658
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
9b017dbc by Pavel Březina at 2021-05-14T11:34:24+02:00
KCM: return KRB5_FCC_INTERNAL for unknown or not implemented operation
sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL`
for cases where operation code is not known or not implemented. See:
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792
We returned different codes before this patch, which makes Kerberos differentiate
between the Heimdal and sssd implementations. This leads to errors like:
* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703
Resolves: https://github.com/SSSD/sssd/issues/5628
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
dbde4e69 by Justin Stephenson at 2021-05-19T19:24:12+02:00
SECRETS: Resolve mkey path correctly
Use the correct master key path for the secrets database,
fixing an issue on upgrade.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9777427f by Alexey Tikhonov at 2021-05-19T19:24:31+02:00
UTIL/SECRETS: mistype fix
Wrong variable was tested after mem allocation.
Also fixes following covscan issues:
```
Error: DEADCODE (CWE-561):
sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
# 1009| uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
# 1010| if (uuid_list == NULL) {
# 1011|-> ret = ENOMEM;
# 1012| goto done;
# 1013| }
```
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
b099498f by Pavel Březina at 2021-05-19T19:24:48+02:00
ipa: read auto_private_groups from id range if available
Resolves: https://github.com/SSSD/sssd/issues/4216
:feature: `auto_private_groups` option can be set centrally through
ID range setting in IPA (see `ipa idrange` commands family). This
feature requires SSSD update on both client and server.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
706627cf by Pavel Březina at 2021-05-19T19:24:48+02:00
cache_req: consider mpg_mode of each domain
Before this patch the mpg_mode == hybrid was used only if the main domain
had this mode set. This fails in multi domain environments as well as with
subdomains.
Now we lookup the hybrid object in each domain that has the hybrid mode
enabled.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ac1a07a3 by Iker Pedrosa at 2021-05-24T18:04:25+02:00
responder: fix covscan issues
Fix two covscan issues that I accidentally included in commit
f890fc4b592767f3f0b2bd5515cbd9516505ebe9.
```
Error: FORWARD_NULL (CWE-476): [#def60]
sssd-2.4.0/src/responder/common/responder_common.c:1009: var_compare_op: Comparing "rctx->sock_name" to null implies that "rctx->sock_name" might be null.
sssd-2.4.0/src/responder/common/responder_common.c:1039: var_deref_model: Passing null pointer "rctx->sock_name" to "strlen", which dereferences it.
Error: CLANG_WARNING: [#def61]
sssd-2.4.0/src/responder/common/responder_common.c:1039:64: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'
```
Resolves: https://github.com/SSSD/sssd/issues/5638
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
43b9b092 by Deepak Das at 2021-05-24T18:05:19+02:00
SSSD man: man_dns_resolver_parameter_modification
Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf
Resolves: https://github.com/SSSD/sssd/issues/5616
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
7190f6b5 by Deepak Das at 2021-05-24T18:05:19+02:00
SSSD man: man_dns_resolver_parameter_modification
Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf
Resolves: https://github.com/SSSD/sssd/issues/5616
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
fbf33bab by Alexey Tikhonov at 2021-05-24T18:06:10+02:00
TOOLS: removed unneeded debug message
This message was logged before `sss_tool_init()` that sets debug level,
thus ignoring configured debug level.
Since the same message is printed via `ERROR` on a next line, this log
message doesn't add any information and can be simply removed.
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
348512b0 by Steeve Goveas at 2021-05-24T18:07:52+02:00
TEST: Fixes after running new tests downstream
Tests have been synced downstream. Some tests were failing or needed
docstring updates for the new polarion format
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
9cb89666 by Sumit Bose at 2021-05-25T12:24:28+02:00
nss: fix getsidbyname for IPA user-private-groups
Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases are handled.
The first is about the default automatic user-private-groups
where the group is a managed object. In this case there will be a user
and a group object with the same name in the cache which will both be
found by the lookup by name. Since only the user object will have a SID
we can return this SID for the request.
The second case is the manual creation of a user and a group with UID
and GID so that the group is a user-private group. Here the user and
the group object will both get a different SID assigned since they are
independent objects. In this case, both objects have a SID, and since the UID
and GID of the user and the GID of the group all have the same numerical
value, the SID of the user is returned.
Resolves: https://github.com/SSSD/sssd/issues/5607
:fixes: Fix getsidbyname issues with IPA users with a user-private-group
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
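The two cases the commit above describes, carried through as a small resolver. This is an added example and not SSSD's own code: the cache entries are constructed, and the attribute names kind, name, uid, gid and sid are illustrative stand-ins for the sysdb attributes.

```python
"""Resolving getsidbyname when an IPA user and its user-private group (UPG)
share a name and are both found by a lookup by name.

Added example, not SSSD's own code. The cache entries are constructed and
the attribute names (kind, name, uid, gid, sid) are illustrative.
"""
from typing import Any, Dict, List, Optional

Entry = Dict[str, Any]


def getsidbyname(cache: List[Entry], name: str) -> Optional[str]:
    """Return the SID for `name`, handling both UPG cases from the commit.

    Case 1 (managed UPG): user and group objects share the name, but only
    the user carries a SID, so the user's SID is returned.
    Case 2 (manually created UPG): both objects carry a SID; when the
    user's uid, the user's gid and the group's gid are all the same number
    the group is the user's private group and the user's SID is returned.
    Two SIDs without that numeric match is an ambiguous clash and is
    rejected rather than guessed.
    """
    matches = [e for e in cache if e["name"] == name]
    if not matches:
        raise LookupError("no object named %r" % name)
    users = [e for e in matches if e["kind"] == "user"]
    groups = [e for e in matches if e["kind"] == "group"]
    if len(users) > 1 or len(groups) > 1:
        raise ValueError("duplicate objects named %r" % name)
    if users and not groups:
        return users[0]["sid"]
    if groups and not users:
        return groups[0]["sid"]
    user, group = users[0], groups[0]
    if group["sid"] is None:
        return user["sid"]                       # case 1: managed UPG
    if user["uid"] == user["gid"] == group["gid"]:
        return user["sid"]                       # case 2: manual UPG
    raise ValueError("ambiguous: user and group %r both have a SID" % name)


# Constructed cache contents for the example (SIDs are made up).
CACHE: List[Entry] = [
    {"kind": "user",  "name": "alice", "uid": 1001, "gid": 1001,
     "sid": "S-1-5-21-1-2-3-1001"},
    {"kind": "group", "name": "alice", "gid": 1001, "sid": None},   # managed UPG
    {"kind": "user",  "name": "bob",   "uid": 1002, "gid": 1002,
     "sid": "S-1-5-21-1-2-3-1002"},
    {"kind": "group", "name": "bob",   "gid": 1002,
     "sid": "S-1-5-21-1-2-3-2002"},                                  # manual UPG
    {"kind": "user",  "name": "carol", "uid": 1003, "gid": 100,
     "sid": "S-1-5-21-1-2-3-1003"},
    {"kind": "group", "name": "carol", "gid": 5000,
     "sid": "S-1-5-21-1-2-3-5000"},                                  # not a UPG
    {"kind": "group", "name": "staff", "gid": 100,
     "sid": "S-1-5-21-1-2-3-100"},
]
```

The rejection of the "carol" shape is deliberate: a user and an unrelated group that merely share a name should not silently resolve to either SID, because the SID is what a Windows side will use for authorization decisions.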
e147d272 by Steeve Goveas at 2021-05-31T14:18:53+02:00
TEST: add ldap_sudo_random_offset 0 to offline test
A new option was added in #5609
As there are no other requests in the test after a restart, sssd
would attempt a connection only after 10 to 30 seconds by default. To
enable immediate lookup, we can set this option and continue with the
test
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
98400ef6 by Madhuri Upadhye at 2021-05-31T14:19:06+02:00
Tests: common: Update the remove_sss_cache function
Remove the sssd exception: if we don't find the path, the
test fails with a "file does not exist" exception,
so a print statement was added to print the error message.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
33f136f8 by Madhuri Upadhye at 2021-05-31T14:19:19+02:00
Tests: alltests: Code update for test_kcm_check_socket_path
Remove unwanted import.
Minor changes in test code.
Change the marker to tier1_2.
Verifies:
Issues: #5406
Bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1632159
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
36746524 by Sumit Bose at 2021-05-31T14:19:33+02:00
kcm: use %zu as format for size_t
size_t might be a different integer type on different platforms. The %z
length modifier was added to handle this.
Resolves: https://github.com/SSSD/sssd/issues/2765
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
5b5e3827 by Jakub Vavra at 2021-05-31T14:20:21+02:00
Tests: Add test_ipa_missing_secondary_ipa_posix_groups
Verifies
Issue: #5534
Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1945552
https://bugzilla.redhat.com/show_bug.cgi?id=1937919
https://bugzilla.redhat.com/show_bug.cgi?id=1945654
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
d35f36f0 by Deepak Das at 2021-05-31T14:20:41+02:00
SSSD Log: log_error_reading_file_msg_modification
Replacing error reading file error code with proper message
Resolves: https://github.com/SSSD/sssd/issues/5615
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
9c06088d by Deepak Das at 2021-05-31T14:21:00+02:00
SSSD Log: no_such_file_or_directory_modification
Replacing no such file or directory error code with alternate message
Resolves: https://github.com/SSSD/sssd/issues/5614
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
b75ef442 by Sumit Bose at 2021-05-31T14:22:06+02:00
pac: allow larger PACs
Currently the PAC responder only accepts requests which are about 1k in
size. Since a PAC can be larger there are cases where the PAC is not
accepted by the PAC responder. Recently SSS_GSSAPI_PACKET_MAX_RECV_SIZE
was added to be able to handle Kerberos tickets which can also be larger
than 1k. Since, if present, the PAC is typically the largest part of a
Kerberos ticket, it makes sense to use the same limit for the PAC
responder.
Resolves: https://github.com/SSSD/sssd/issues/5650
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
1f6377d5 by Weblate at 2021-06-04T09:08:39+02:00
po: update translations
(Finnish) currently translated at 5.4% (40 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
po: update translations
(Polish) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/
po: update translations
(Russian) currently translated at 25.7% (188 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/
- - - - -
597a6c2a by Joakim Tjernlund at 2021-06-04T09:10:18+02:00
Gentoo/openrc: Add sssd-kcm service script
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
850af600 by Pavel Březina at 2021-06-04T09:40:38+02:00
pot: update pot files
- - - - -
a3cb9812 by Pavel Březina at 2021-06-04T14:29:44+02:00
sudo: disable ldap_sudo_random_offset by default
Resolves: https://github.com/SSSD/sssd/issues/5609
:config: Default value of `ldap_sudo_random_offset` changed to 0 (disabled). This
makes sure that sudo rules are available as soon as possible after SSSD start
in default configuration.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
1c655610 by Paweł Poławski at 2021-06-04T14:40:28+02:00
README: Update documentation links
Documentation links in README are broken due to the recent sssd.io website
content update. This PR fixes this and remaps links to point to the
correct content in the new upstream documentation.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
669ee920 by Pavel Březina at 2021-06-04T14:46:26+02:00
readme: update documentation repository
- - - - -
c415dde6 by Pavel Březina at 2021-06-04T14:47:41+02:00
pot: update pot files
- - - - -
73cbe0b1 by Sumit Bose at 2021-06-07T11:34:34+02:00
utils: add mod_defaults_list
This patch adds a new utility function to handle options with values
prefixed by '+' or '-' to modify default lists. Unit tests are included.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
70a808d5 by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: replace first argument of filter_responses()
The first argument of filter_responses() is replaced with a more generic
context to allow more flexible use in future.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f491979d by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: parse pam_response_filter values only once
To avoid parsing the configuration options for each PAM request the code
is modified to parse them only once. If the configuration is changed it
is already expected that SSSD is restarted, which means that with this
change no functionality is lost.
Tests had to be updated to make sure new values are read.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
2a4c3833 by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: change default for pam_response_filter
So far pam_response_filter didn't have any default. It turned out that it
would be useful to filter the environment variable KRB5CCNAME by default
for sudo. The reason is that, e.g. in contrast to su, the calling user is
authenticated and hence only the Kerberos credentials of the calling
user are available. But this causes a couple of inconsistencies. E.g.
depending on the credential cache type the target user might not have
access to the credential cache, and even if the credential cache can be
accessed it will contain credentials with different privileges than the
target user. As a result it seems better to not put KRB5CCNAME in the
environment of the target user and let him pick the matching default
credential cache.
Resolves: https://github.com/SSSD/sssd/issues/5660
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
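The '+'/'-' list handling introduced by the mod_defaults_list commit and the new pam_response_filter default, worked through together. This is an added example and not SSSD's code. It assumes that a value without a prefix replaces the default list outright, that filter entries take the ENV, ENV:VAR and ENV:VAR:service forms described for pam_response_filter in sssd.conf(5), and that the default list holds only the sudo entry named in the commit above (the shipped default may contain more entries).

```python
"""Modifying a default list with '+'/'-' prefixed values and applying the
result as a pam_response_filter to PAM response environment variables.

Added example, not SSSD's own code. Assumed semantics: a "+value" is added
to the defaults, a "-value" is removed, and any value without a prefix
replaces the default list entirely. Filter entries follow the sssd.conf(5)
pam_response_filter forms ENV, ENV:VAR and ENV:VAR:service. The default
list below holds only the sudo entry the commit message mentions; the
shipped default may differ.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed default: drop KRB5CCNAME from responses for the "sudo" PAM service.
PAM_RESPONSE_FILTER_DEFAULT = ["ENV:KRB5CCNAME:sudo"]


def mod_defaults_list(defaults: List[str], option: Optional[str]) -> List[str]:
    """Return the effective list for a comma-separated option value."""
    if option is None or not option.strip():
        return list(defaults)
    values = [v.strip() for v in option.split(",") if v.strip()]
    additions = [v[1:] for v in values if v.startswith("+")]
    removals = {v[1:] for v in values if v.startswith("-")}
    plain = [v for v in values if v[0] not in "+-"]
    # An unprefixed value means "replace the defaults" (assumption).
    base = plain if plain else list(defaults)
    result = [v for v in base if v not in removals]
    for v in additions:
        if v not in result and v not in removals:
            result.append(v)
    return result


def parse_filter(entry: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split "KIND[:VAR[:service]]" into its parts; missing parts are None."""
    parts = entry.split(":")
    kind = parts[0]
    var = parts[1] if len(parts) > 1 and parts[1] else None
    service = parts[2] if len(parts) > 2 and parts[2] else None
    return kind, var, service


def filter_responses(filters: Iterable[str], pam_service: str,
                     env: Dict[str, str]) -> Dict[str, str]:
    """Return `env` without the variables a filter matches for `pam_service`."""
    kept = dict(env)
    for entry in filters:
        kind, var, service = parse_filter(entry)
        if kind != "ENV":
            continue                      # only ENV filters are modelled here
        if service is not None and service != pam_service:
            continue                      # filter is scoped to another service
        for name in list(kept):
            if var is None or name == var:
                kept.pop(name)
    return kept


if __name__ == "__main__":
    # sssd.conf: pam_response_filter = +ENV:KRB5CCNAME:su, -ENV:KRB5CCNAME:sudo
    effective = mod_defaults_list(PAM_RESPONSE_FILTER_DEFAULT,
                                  "+ENV:KRB5CCNAME:su, -ENV:KRB5CCNAME:sudo")
    print(effective)
    env = {"KRB5CCNAME": "KCM:1000", "LANG": "C"}
    print(filter_responses(effective, "su", env))
    print(filter_responses(effective, "sudo", env))
```

The filter only removes the variable from the PAM response handed to the target user's session; the calling user's own credential cache is untouched, which is exactly the separation the commit argues for.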
ecb2ae7a by Paweł Poławski at 2021-06-08T11:02:59+02:00
krb5_child: Honor Kerberos keytab location
The Kerberos keytab location can be specified per domain in sssd.conf.
If it is not specified, the default path is used: /etc/krb5.keytab
The problem is that the default path itself can be redefined for Kerberos
by adding an entry to krb5.conf:
[libdefaults]
default_keytab_name = /<PATH>/krb5.keytab
krb5_child will still use /etc/krb5.keytab as the default value, which
will cause an error.
This patch adds config checking to krb5_child.
If the keytab parameter is set to /etc/krb5.keytab,
krb5_child will validate it against krb5.conf and eventually
overwrite it with the value presented there.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
c917f977 by Justin Stephenson at 2021-06-08T11:04:15+02:00
RESPONDER: Generate incrementing client ID
This client ID will be passed through SSSD components to allow
tracking requests across SSSD.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
bee426c8 by Justin Stephenson at 2021-06-08T11:04:15+02:00
SBUS: Send Client ID across to DP interfaces
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
7ed87872 by Justin Stephenson at 2021-06-08T11:04:16+02:00
RESPONDER LOGS: Log the Client ID where accessible
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d0e35894 by Justin Stephenson at 2021-06-08T11:04:16+02:00
CACHE_REQ: Log the Client ID of the cache request
Log the Client ID at the initial cache request submission.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
4f1a06d1 by Justin Stephenson at 2021-06-08T11:04:16+02:00
DP: Propagate down the client id and sender name
Make the client ID and responder name available to log where
the DP request is attached. This will ensure we log the CID,
originating responder name, and DP-internal request ID for
all DP requests.
[dp_attach_req] (0x0400): DP Request [Initgroups #14]: REQ_TRACE: New
request. [sssd.pam CID #1] Flags [0x0001].
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
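The client ID the five commits above thread through the responders and the data provider is only useful if you can pull one client's lines back out of a mixed log. Below is an added example (not SSSD's code) that does that over constructed log lines: the data provider lines use the "[sssd.pam CID #1]" form quoted in the last commit, and the responder-side lines are assumed to tag the same number as "[CID#1]". Because a CID is only unique within one responder process, lines are keyed by (responder, CID), and later data provider lines that carry only the DP-internal request id are attached through the earlier dp_attach_req line.

```python
"""Follow one client's request through SSSD debug logs by client ID (CID).

Added example, not SSSD's own code. The log lines are constructed for this
example: data provider lines use the "[sssd.pam CID #1]" form quoted in the
commit message; the responder lines are assumed to tag the same number as
"[CID#1]". A CID is only unique per responder, so entries are keyed by
(responder, CID); DP lines carrying only the DP-internal request id are
attached through the dp_attach_req line that named both.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LogKey = Tuple[str, int]                       # (responder name, CID)
LogEntry = Tuple[str, str, str]                # (process tag, function, message)

# "[proc] [function] (0xLEVEL): message"; proc may itself contain brackets.
PREFIX_RE = re.compile(
    r"^\[(?P<proc>.+?)\]\s+\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")
# "sssd.pam CID #1" (data provider form) or "CID#1" (assumed responder form).
CID_RE = re.compile(r"(?:sssd\.(?P<resp>\w+)\s+)?CID\s*#(?P<cid>\d+)")
# "DP Request [Initgroups #14]" carries the DP-internal request id.
DP_REQ_RE = re.compile(r"DP Request \[(?P<req>[^\]]+)\]")
RESP_PROC_RE = re.compile(r"^sssd\[(\w+)\]$")  # responder process tag, e.g. sssd[pam]

# Constructed sample; note pam and nss both use CID #1 without colliding.
SAMPLE_LOG = """\
[sssd[pam]] [pam_dp_send_req] (0x0100): [CID#1] Sending request with the following data:
[sssd[pam]] [cache_req_send] (0x0400): [CID#1] CR #3: New request 'Initgroups by name'
[sssd[be[example.test]]] [dp_attach_req] (0x0400): DP Request [Initgroups #14]: REQ_TRACE: New request. [sssd.pam CID #1] Flags [0x0001].
[sssd[nss]] [cache_req_send] (0x0400): [CID#1] CR #7: New request 'User by ID'
[sssd[be[example.test]]] [dp_attach_req] (0x0400): DP Request [Account #15]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
[sssd[be[example.test]]] [dp_req_done] (0x0400): DP Request [Initgroups #14]: Request handler finished [0]: Success
[sssd[be[example.test]]] [dp_req_done] (0x0400): DP Request [Account #15]: Request handler finished [0]: Success
"""


def correlate(log_text: str) -> Dict[LogKey, List[LogEntry]]:
    """Group log lines by (responder, CID) in the order they appear."""
    by_key: Dict[LogKey, List[LogEntry]] = defaultdict(list)
    dp_req_owner: Dict[str, LogKey] = {}       # DP request id -> (responder, CID)
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                            # not a debug line we understand
        proc, func, msg = m.group("proc"), m.group("func"), m.group("msg")
        cid_m = CID_RE.search(msg)
        dp_m = DP_REQ_RE.search(msg)
        key = None
        if cid_m:
            resp = cid_m.group("resp")
            if resp is None:                    # responder line: name from process tag
                proc_m = RESP_PROC_RE.match(proc)
                resp = proc_m.group(1) if proc_m else None
            if resp is not None:
                key = (resp, int(cid_m.group("cid")))
                if dp_m:                        # remember who owns this DP request
                    dp_req_owner[dp_m.group("req")] = key
        elif dp_m:                              # later DP line: only the request id
            key = dp_req_owner.get(dp_m.group("req"))
        if key is None:
            continue                            # cannot be attributed to a client
        by_key[key].append((proc, func, msg))
    return dict(by_key)


def trace(log_text: str, responder: str, cid: int) -> List[str]:
    """Function names a client's request passed through, in log order."""
    return [func for _, func, _ in correlate(log_text).get((responder, cid), [])]
```

The tevent chain id that a later commit in this log enables in the backend is a separate identifier and is not parsed here; the DP-internal request id is what links a data provider's later lines back to the CID.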
5674aaed by Pavel Březina at 2021-06-08T11:45:35+02:00
pot: update pot files
- - - - -
dbd50453 by Pavel Březina at 2021-06-08T13:37:23+02:00
Update version in version.m4 to track the next release
- - - - -
c6cd2fe3 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
krb5_child: reduce log severity in sss_send_pac() in case PAC responder isn't running.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
0eccee18 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
secrets: reduce log severity in local_db_create() in case entry already exists since this is expected during normal operations.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
624e3fe7 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
KCM: use SSSDBG_MINOR_FAILURE for ERR_KCM_OP_NOT_IMPLEMENTED
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
0646917c by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
KCM: reduce log severity in sec_get() in case entry not found
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b0474248 by Yuri Chornoivan at 2021-06-17T12:25:50+02:00
Fix minor typos in docs
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
2a3fb3bd by Justin Stephenson at 2021-06-17T12:25:50+02:00
KCM: Unset _SSS_LOOPS
Since sssd_kcm is working independently of other SSSD components,
especially the nss responder, and the kcm client side in libkrb5 of
course does not check for _SSS_LOOPS to protect sssd_kcm from calling
into itself the variable is not needed.
This allows repeated getpwuid() calls in KCM renewals code to succeed.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
daad8387 by Jakub Vavra at 2021-06-17T12:25:50+02:00
Tests: Add test_innetgr_threads
Verifies
Issue: #5540
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1703436
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
- - - - -
9d576e47 by Dan Lavu at 2021-06-17T12:28:39+02:00
tests: Adding multihost test for supporting asymmetric nsupdate auth
* https://bugzilla.redhat.com/show_bug.cgi?id=1884301
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
ff3f8570 by Dan Lavu at 2021-06-17T12:29:16+02:00
tests: Adding tests to cover ad discovery improvements using cldap
* This test requires a primary and secondary domain controller so AD can be moved between sites
* Currently contains four test cases
** Two DCs in one site no restrictions.
** Two DCs in one site, traffic blocked to the other DC
** DCs in separate sites no restrictions
** DCs in separate sites, traffic blocked to the other DC
Signed-off-by: Dan Lavu <dlavu at redhat.com>
SSSD-2497
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
68ed4d4a by Paweł Poławski at 2021-06-17T12:31:31+02:00
README: Dead social media link remove
Back in 2011 SSSD started using twitter account to broadcast releases.
The last time it happened was 13.06.2019, so this account can be considered
dead. This PR removes the link to it from the main README.
Resolves: https://github.com/SSSD/sssd/issues/5649
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
4e3e8727 by Pavel Březina at 2021-06-17T15:36:27+02:00
tests: fix pep8 issues
- - - - -
a6e5d53a by Pavel Březina at 2021-06-18T12:33:05+02:00
kcm: terminate client on bad message
The debug message clearly says that the original intention was to
abort the client, not send an error message.
We may end up in a state where we get into an infinite loop, for example
when the client sends a message that indicates 0 length, but there is
actually more data written. In this case, we never read the rest of the
message but the file descriptor is still readable so the fd handler gets
fired again and again.
More information can be seen in relevant FreeIPA ticket:
https://pagure.io/freeipa/issue/8877
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
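The failure mode the commit above describes, reduced to a length-prefixed reader with the buggy and the fixed reaction side by side. This is an added example, not sssd_kcm's code. It assumes a 4-byte big-endian length prefix followed by the payload (the shape of the krb5 KCM protocol), an illustrative MAX_MESSAGE_LEN, and a simulated loop that keeps calling the handler while buffered bytes remain, which is what a readable fd does.

```python
"""Reading length-prefixed messages from a client and terminating the client
on a bad header instead of replying with an error and leaving bytes unread.

Added example, not sssd_kcm's own code. Assumed wire format: a 4-byte
big-endian length followed by the payload (the shape of the krb5 KCM
protocol); MAX_MESSAGE_LEN is an illustrative limit. The buggy behaviour
the commit describes is kept selectable so the two can be compared.
"""
import struct
from typing import List

HEADER_LEN = 4
MAX_MESSAGE_LEN = 16 * 1024          # assumed limit for the example


class ClientConn:
    """Stand-in for one client connection driven by an fd-readable callback."""

    def __init__(self, received: bytes, terminate_on_bad: bool = True):
        self.pending = received          # bytes already buffered for this fd
        self.terminate_on_bad = terminate_on_bad
        self.closed = False
        self.replies: List[bytes] = []

    def readable(self) -> bool:
        """The simulated loop re-fires the handler while bytes are buffered.

        A real loop only re-fires when the kernel reports the fd readable,
        which is the case here as long as unread bytes remain.
        """
        return not self.closed and len(self.pending) > 0

    def on_readable(self) -> None:
        if len(self.pending) < HEADER_LEN:
            return                       # wait for the rest of the header
        (length,) = struct.unpack("!I", self.pending[:HEADER_LEN])
        if length == 0 or length > MAX_MESSAGE_LEN:
            if self.terminate_on_bad:
                # Fixed behaviour: drop the client; nothing is left to read.
                self.closed = True
                self.pending = b""
            else:
                # Buggy behaviour: answer with an error but consume nothing,
                # so the fd stays readable and this handler fires forever.
                self.replies.append(b"ERR:bad length")
            return
        if len(self.pending) < HEADER_LEN + length:
            return                       # wait for the rest of the payload
        payload = self.pending[HEADER_LEN:HEADER_LEN + length]
        self.pending = self.pending[HEADER_LEN + length:]
        self.replies.append(b"OK:" + payload)


def run_loop(conn: ClientConn, max_iterations: int = 50) -> int:
    """Drive the handler like an event loop; return how often it fired.

    max_iterations only exists so the buggy variant terminates in a demo.
    """
    fired = 0
    while conn.readable() and fired < max_iterations:
        conn.on_readable()
        fired += 1
    return fired


def frame(payload: bytes) -> bytes:
    """Build one well-formed message."""
    return struct.pack("!I", len(payload)) + payload
```

Closing is the safe choice because a zero or oversized length leaves the server with no way to resynchronise on the stream; any attempt to skip ahead would be guessing at an untrusted client's framing.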
8dba7476 by Alexey Tikhonov at 2021-06-21T13:36:25+02:00
DEBUG: don't reset debug_timestamps/microseconds to DEFAULT in `_sss_debug_init()`.
Otherwise `server_setup()` skips reading config settings.
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
89a40e77 by Deepak Das at 2021-06-21T16:21:34+02:00
SSSD Log: invalid_argument msg mod
Improve invalid argument msg with additional information
Resolves: https://github.com/SSSD/sssd/issues/5578
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
71301ccf by Alexey Tikhonov at 2021-06-24T10:27:32+02:00
KCM: removed unneeded assignment
Fixes following warning:
```
Error: CLANG_WARNING:
sssd-2.5.1/src/responder/kcm/kcm_renew.c:481:9: warning[deadcode.DeadStores]: Value stored to 'ret' is never read
# 479| ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx);
# 480| if (ctx == NULL) {
# 481|-> ret = ENOMEM;
# 482| DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n");
# 483| return;
```
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
ac0c0b00 by Justin Stephenson at 2021-07-08T11:28:14+02:00
KCM: Drop unnecessary c-ares linking
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
b9e60ae0 by Sumit Bose at 2021-07-08T11:28:27+02:00
man: clarify effects of sss_cache on the memory cache
Resolves: https://github.com/SSSD/sssd/issues/5697
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
e373408a by Sofia Nieves at 2021-07-08T11:28:42+02:00
Replacing freenode with libera
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
5feeb8ac by Shridhar Gadekar at 2021-07-08T11:30:12+02:00
Test: sudo rule with runAS set to short-username value
sudo rule containing sudoRunAs attribute to a short-username
should not generate error in the sssd log.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
7646ac95 by Deepak Das at 2021-07-08T11:30:25+02:00
SSSD Log: log_bad_address_msg_mod
Improve Log Containing Bad Address string
Resolves: https://github.com/SSSD/sssd/issues/5577
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
865330c6 by Iker Pedrosa at 2021-07-08T12:28:04+02:00
cache_req: parse name to get shortname
Unless parse_name is set to false, parse the name to get the shortname in
cache_req_process_input(). Moreover, check that the input domain name
and the parsed domain name are equal and fail otherwise.
Updated unit tests to mock call to parse function.
Also include an integration test to check that UpdateMemberList()
and GetAll() return the correct users that are members of a group. This
is done by first adding a member to a group and checking that it is
returned correctly. Then, the member is deleted and the interface returns
no members.
Resolves: https://github.com/SSSD/sssd/issues/4255
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
5288ddaa by Sumit Bose at 2021-07-09T11:36:19+02:00
files: split update into batches
If the files managed by the files provider contain many users or groups
processing them might take a considerable amount of time. To keep the
backend responsive this patch splits the update into multiple steps
running one after the other but returning to the main loop in between.
This avoids issues during startup because the watchdog timer state is
reset properly. Additionally SBUS messages are processed and as a result
the domain can be marked inconsistent in the frontends properly.
Resolves: https://github.com/SSSD/sssd/issues/5557
:fixes: Update large files in the files provider in batches to avoid
timeouts
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
0fbd6740 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: add new option fallback_to_nss
To not block callers when SSSD's files provider is doing a refresh of
/etc/passwd or /etc/group, allow falling back to the next nss module,
which is typically libnss_files.
Resolves: https://github.com/SSSD/sssd/issues/5557
:config: Add new config option 'fallback_to_nss'
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
dd1aa579 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: delay refresh and not run in parallel
To avoid constant refreshes if /etc/passwd or /etc/group are modified
multiple times in a short interval the refresh is only started after 1s
of inactivity.
Additionally the request makes sure that only one instance is run.
Resolves: https://github.com/SSSD/sssd/issues/5557
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
19b85063 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: queue certmap requests if a refresh is running
To make sure current and valid data is used when a certificate should be
matched to a user from the files provider, the request has to wait until
a running refresh is finished.
Resolves: https://github.com/SSSD/sssd/issues/5557
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
b4ee698a by Sumit Bose at 2021-07-09T11:36:19+02:00
cache_req: do not return cached data if domain is inconsistent
If a domain is inconsistent the cached data might be inconsistent as
well, so better not return it.
Resolves: https://github.com/SSSD/sssd/issues/5557
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
b85984a3 by Pavel Březina at 2021-07-09T12:06:59+02:00
multihost: fix whitespace issues
whitespace test fails with:
```
Missing new line at the eof: src/tests/multihost/ipa/add-groups.ps1
Missing new line at the eof: src/tests/multihost/ipa/nestedgroups.csv
```
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
75c204ff by Pavel Březina at 2021-07-09T12:06:59+02:00
multihost: fix pep8 issues
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
17e339d5 by Paweł Poławski at 2021-07-12T20:44:33+02:00
SYSDB: Add search index "originalADgidNumber"
Commit 03bc962 introduced a change which can result in an
unindexed search in some scenarios. The result is a performance
drop compared to older SSSD versions.
This PR adds missing search index: originalADgidNumber
:relnote: Add search index "originalADgidNumber" to SYSDB
Resolves: https://github.com/SSSD/sssd/issues/5430
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
2ebf463f by Alexey Tikhonov at 2021-07-12T20:44:56+02:00
CACHE_REQ: fixed covscan issues
Fixed following warning:
```
Error: GCC_ANALYZER_WARNING (CWE-476):
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c: scope_hint: In function 'cache_req_data_create'
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c:160:28: warning[-Wanalyzer-null-dereference]: dereference of NULL '0'
# 158| break;
# 159| case CACHE_REQ_SVC_BY_NAME:
# 160|-> if (input->svc.name->input == NULL) {
# 161| DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
# 162| ret = ERR_INTERNAL;
```
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
f02ac230 by Pavel Březina at 2021-07-12T20:45:17+02:00
debug: add support for tevent chain id
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
881a1a41 by Pavel Březina at 2021-07-12T20:45:17+02:00
debug: enable chain id in backend
:feature: Debug messages in data provider include a unique request ID that can be used
to track the request from its start to its end.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
- - - - -
161ff0e8 by Weblate at 2021-07-12T20:46:47+02:00
po: update translations
(Russian) currently translated at 20.7% (583 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/
po: update translations
(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/
po: update translations
(Spanish) currently translated at 67.0% (1888 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/
po: update translations
(Finnish) currently translated at 3.2% (91 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Ukrainian) currently translated at 100.0% (2814 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/
po: update translations
(Ukrainian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
po: update translations
(Polish) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
po: update translations
(Ukrainian) currently translated at 97.7% (2750 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/
- - - - -
57ac5809 by Pavel Březina at 2021-07-12T20:53:56+02:00
pot: update pot files
- - - - -
45a07308 by Timo Aaltonen at 2021-08-16T11:01:06+03:00
Merge branch 'upstream'
- - - - -
ab7c8a29 by Timo Aaltonen at 2021-08-16T11:02:22+03:00
bump the version
- - - - -
30033e68 by Timo Aaltonen at 2021-08-16T11:10:32+03:00
fix-whitespace-test.diff: Refreshed.
- - - - -
ee3312ae by Timo Aaltonen at 2021-08-17T16:02:53+03:00
rules: Drop config option for smbclient, support for it was removed upstream.
- - - - -
10 changed files:
- Makefile.am
- README.md
- configure.ac
- contrib/ci/run
- contrib/ci/sssd.supp
- contrib/sssd.spec.in
- debian/changelog
- debian/patches/fix-whitespace-test.diff
- debian/rules
- po/bg.po
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/c5691ca90c00bdccd429411e10787ad4d7591569...ee3312aec7b2224f676dbefa70e376007c5d5797