[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 216 commits: scripts: change release tag from sssd-x_y_z to x.y.z

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Aug 18 06:53:19 BST 2021



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
4c47f1da by Pavel Březina at 2021-02-05T13:34:37+01:00
scripts: change release tag from sssd-x_y_z to x.y.z

- - - - -
db51ce55 by Pavel Březina at 2021-02-05T13:45:58+01:00
Update version in version.m4 to track the next release

- - - - -
d547a2dc by Alexey Tikhonov at 2021-02-05T19:02:05+01:00
BUILD: fixes gpo_child linking issue

/usr/bin/ld: src/util/gpo_child-signal.o (symbol from plugin): undefined reference to symbol 'BlockSignals@@SAMBA_UTIL_0.0.1'

Resolves: https://github.com/SSSD/sssd/issues/5385

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5ce7ced2 by Alexander Bokovoy at 2021-02-11T12:01:23+01:00
pam_sss_gss: support authentication indicators

MIT Kerberos allows associating authentication indicators with the
issued ticket based on how the TGT was obtained. The indicators
present in the TGT are then copied to service tickets. There are two ways to
check the authentication indicators:

 - when the KDC issues a service ticket, a policy on the KDC side can reject
   the ticket issuance based on the lack of a certain indicator

 - when a server application is presented with a service ticket from a
   client, it can verify that this ticket contains the intended
   authentication indicators before authorizing access from the client.

Add support to validate the presence of a specific (set of) authentication
indicator(s) in pam_sss_gss when validating a user's TGT.

This concept can be used to only allow access to a PAM service when the user
is in possession of a ticket obtained using some of the pre-authentication
mechanisms that require multiple factors: smart cards (PKINIT), 2FA
tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b100efbf by Pavel Březina at 2021-02-11T12:01:43+01:00
sudo: do not search by low usn value to improve performance

This is a follow up on these two commits.

- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea

The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.

This caused issues on the OpenLDAP server, which were fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.

Now we omit the usn attribute from the filter if there is no meaningful value.

How to test:
1. Set up LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
   to enforce modifyTimestamp (the last USN is always available from the rootDSE)
```diff

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
75343ff5 by Pavel Březina at 2021-02-16T11:18:20+01:00
ldap: fix modifytimestamp debugging leftovers

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b1f4dc82 by Alexey Tikhonov at 2021-02-16T11:26:20+01:00
SPEC: don't hard require python3-sssdconfig in a meta package

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5c9143e9 by Stanislav Levin at 2021-02-16T11:32:20+01:00
pam_sss: Don't fail on deskprofiles phase for AD users

By default (if session_provider is not none) during session setup
pam_sss attempts to fetch desktop rules and profiles for the user from
the IPA domain. As part of this job, the data provider looks for the
user info (uid and gid) in the IPA domain but fails to do that for an AD
user from a trusted domain, returning PAM_SESSION_ERR.

The requested target domain has already been found in `dp_req_new`
and may be referenced as `params->domain`. This change doesn't
introduce the possibility to fetch deskprofiles for AD users, but
at least, doesn't break PAM authentication for them.

Resolves: https://github.com/SSSD/sssd/issues/5499
Signed-off-by: Stanislav Levin <slev at altlinux.org>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
135d843f by Pavel Březina at 2021-02-19T10:11:20+01:00
spec: remove setuid bit from child helpers if sssd user is root

The setuid bit is only needed if sssd runs as non-root user.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a53c214b by Alexey Tikhonov at 2021-02-19T10:11:38+01:00
spec file: don't enable implicit files domain on RHEL

Corresponding code is built and users can enable the files domain
on an as-needed basis. But there is little value in running it on
RHEL "as is" by default.

(As a reminder, as a comment in this file says, this is a
"SSSD SPEC file for Fedora 34+ and RHEL-9+")

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9aaa0e51 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
systemd configs: limit process capabilities

This is to upstream https://src.fedoraproject.org/rpms/sssd/blob/f34/f/0502-SYSTEMD-Use-capabilities.patch

Additionally, an even more limited CapabilityBoundingSet is applied to the ifp and
kcm services (CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
CAP_BLOCK_SUSPEND are excluded as compared to the main sssd service)

:relnote: Example systemd service configs now make use of the CapabilityBoundingSet
option as a security hardening measure.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
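The commit above limits the capability bounding set of the sssd, ifp and kcm services and names the capabilities excluded for the latter two. The script below is an added editorial example, not SSSD code or one of its shipped unit files: it audits the CapabilityBoundingSet= line of a systemd unit against a list of capabilities the service must not keep, handling both the allow-list and the `~` deny-list forms systemd accepts. The sample units and the `/usr/bin/true` ExecStart are constructed for the demonstration, and the script assumes a single (the last) CapabilityBoundingSet= line expresses the policy; systemd's merging of several lines is not modelled.

```shell
#!/bin/sh
# Added editorial example (not part of SSSD): audit the CapabilityBoundingSet=
# setting of a systemd unit against capabilities the service must not have.
# systemd accepts two forms:
#   CapabilityBoundingSet=CAP_A CAP_B     allow-list: only CAP_A and CAP_B remain
#   CapabilityBoundingSet=~CAP_A CAP_B    deny-list: everything except CAP_A, CAP_B
# An empty value drops every capability; a missing setting keeps them all.
# Assumption: the last CapabilityBoundingSet= line is the whole policy.

# Usage: audit_bounding_set <unit file> CAP_X [CAP_Y ...]
# Prints each listed capability the unit still permits; returns 1 if any.
audit_bounding_set() {
    unit="$1"; shift
    if ! grep -q '^CapabilityBoundingSet=' "$unit"; then
        mode=deny; caps=""                       # absent: nothing is dropped
    else
        value=$(sed -n 's/^CapabilityBoundingSet=[[:space:]]*//p' "$unit" | tail -n 1)
        case "$value" in
            "~"*) mode=deny;  caps=${value#\~} ;;
            *)    mode=allow; caps=$value ;;     # includes the empty "drop all" case
        esac
    fi
    rc=0
    for cap in "$@"; do
        listed=no
        for c in $caps; do
            [ "$c" = "$cap" ] && listed=yes
        done
        # allow-list: permitted iff listed; deny-list: permitted iff not listed
        if [ "$mode" = allow ]; then
            permitted=$listed
        elif [ "$listed" = yes ]; then
            permitted=no
        else
            permitted=yes
        fi
        if [ "$permitted" = yes ]; then
            echo "$cap is still permitted by $unit"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample units (not SSSD's shipped files) to exercise the audit.
write_samples() {
    dir=$(mktemp -d)
    printf '[Service]\nCapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID\n' >"$dir/tight.service"
    printf '[Service]\nCapabilityBoundingSet=~CAP_SYS_ADMIN CAP_NET_ADMIN\n' >"$dir/loose.service"
    printf '[Service]\nExecStart=/usr/bin/true\n' >"$dir/none.service"
    echo "$dir"
}

# Capabilities the commit above excludes for the ifp and kcm services.
FORBIDDEN="CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND"

demo() {
    d=$(write_samples)
    for u in tight loose none; do
        if audit_bounding_set "$d/$u.service" $FORBIDDEN; then
            echo "$u.service: OK"
        else
            echo "$u.service: needs hardening"
        fi
    done
    rm -rf "$d"
}
demo
```

Run it against a real unit with `audit_bounding_set /etc/systemd/system/foo.service $FORBIDDEN`; a unit that sets no bounding set at all reports every capability, which is the reason the commit adds the option in the first place.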
ee9dbea1 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
monitor: fixed default value of 'user' config option

1) the man page explicitly and unconditionally says that the default value
for this option is 'root', so this patch just aligns the code with the doc

2) since at the moment the "sssd running as non-root" feature isn't really
tested and is proposed on a "use at your own risk" basis, it wouldn't hurt
to require the user to configure this option explicitly even when sssd is
built with "--with-sssd-user=sssd"

This should be changed when the feature is really supported.

:relnote: the default value of the 'user' config option was fixed to be in
accordance with the man page, i.e. the default is 'root'

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fd7ce7b3 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
systemd configs: add CAP_DAC_OVERRIDE in a certain case

If sssd is configured with --with-sssd-user=<user> where <user>!='root'
but is actually run as root, we need CAP_DAC_OVERRIDE to access
files owned by <user>:<user>.
If sssd is really run under a non-root account that doesn't have this cap
originally, then its addition to CapabilityBoundingSet doesn't matter.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f890fc4b by ikerexxe at 2021-02-19T14:28:37+01:00
RESPONDER: check that configured sockets match

Check if the sockets defined in systemd unit and sssd.conf match. If
they don't, then print a warning message.

Moreover, change man page regarding socket_path option to indicate that
it will be overwritten by systemd's unit file.

Resolves: https://github.com/SSSD/sssd/issues/5406

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
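The commit above compares the socket configured in the systemd unit with the socket_path option in sssd.conf and warns when they differ, because the unit's socket wins under socket activation. The script below is an added editorial example of that consistency check, not SSSD's own code: it reads ListenStream= from a .socket unit and socket_path from one ini-style section of sssd.conf and returns non-zero with a warning on a mismatch. The unit and config files it writes are constructed samples, and `/run/example/...` paths are placeholders rather than SSSD's real socket locations.

```shell
#!/bin/sh
# Added editorial example (not SSSD code): warn when the socket path a systemd
# .socket unit binds differs from the socket_path option in sssd.conf.

# Usage: check_socket_paths <unit file> <sssd.conf> <section name>
# Returns 0 when the paths agree, 1 when they differ or one is missing.
check_socket_paths() {
    unit="$1"; conf="$2"; section="$3"
    # systemd honours the last ListenStream= assignment
    unit_path=$(sed -n 's/^ListenStream=[[:space:]]*//p' "$unit" | tail -n 1)
    # socket_path from the requested [section] only, ignoring other sections
    conf_path=$(awk -v want="[$section]" '
        /^[ \t]*\[/ { insec = ($0 == want); next }
        insec && /^[ \t]*socket_path[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }' "$conf" | tail -n 1)
    if [ -z "$unit_path" ] || [ -z "$conf_path" ]; then
        echo "warning: no socket path found in $unit or in [$section] of $conf" >&2
        return 1
    fi
    if [ "$unit_path" != "$conf_path" ]; then
        echo "warning: [$section] socket_path=$conf_path but systemd activates $unit_path; the unit's value will be used" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs (placeholders, not SSSD's shipped files).
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/example.socket" <<'EOF'
[Socket]
ListenStream=/run/example/kcm.socket
SocketMode=0660
EOF
    cat >"$dir/good.conf" <<'EOF'
[sssd]
services = nss, pam

[kcm]
socket_path = /run/example/kcm.socket
EOF
    cat >"$dir/bad.conf" <<'EOF'
[kcm]
socket_path = /var/run/example/old-kcm.socket
EOF
    echo "$dir"
}

demo() {
    samples=$(make_samples)
    check_socket_paths "$samples/example.socket" "$samples/good.conf" kcm && echo "good.conf: paths match"
    check_socket_paths "$samples/example.socket" "$samples/bad.conf" kcm || echo "bad.conf: mismatch reported"
    rm -rf "$samples"
}
demo
```

The section name is a parameter so the same check can be pointed at any responder that has both a .socket unit and a socket_path option; a mismatch is worth catching at deploy time because clients configured from sssd.conf would otherwise talk to a socket nothing listens on.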
50e3221d by Pavel Březina at 2021-02-19T16:43:14+01:00
responder: fix warning in activate_unix_sockets

The warning appears with systemd disabled.

```
src/responder/common/responder_common.c: In function ‘activate_unix_sockets’:
src/responder/common/responder_common.c:1005:15: error: unused variable ‘sockaddr_len’ [-Werror=unused-variable]
 1005 |     socklen_t sockaddr_len = sizeof(sockaddr);
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
709bfc4a by Pavel Březina at 2021-02-19T16:57:31+01:00
pot: update pot files

- - - - -
9eeaf23b by Pavel Březina at 2021-02-19T17:06:48+01:00
Update version in version.m4 to track the next release

- - - - -
b5c2389b by Steeve Goveas at 2021-02-24T11:27:50+01:00
TEST: Add function to control services

We can use this function to start, stop or restart any service

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
0ff8d462 by Deepak Das at 2021-02-24T11:28:07+01:00
SSSD Log: write_krb5info_file word replacement

Replace write_krb5info_file in SSSD log file with exact filename.

Resolves: https://github.com/SSSD/sssd/issues/5505

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
634b3c94 by aborah at 2021-03-01T11:08:14+01:00
TESTS: First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0

Starting from sssd-1.16.5-10.el7_9, the first query performed
with smart refresh contains the modifyTimestamp attribute even
if the modifyTimestamp is 0.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
32d2aa55 by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
prompt config: fix covscan errors

Covscan is confused by dangling pointers in arrays after freeing. Its
analyzer may decide to visit already visited list elements and, since
they weren't NULL-ed, it may consider a double-free to happen in the code.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d73f1282 by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
covscan: initialize ret variable before use

covscan does consider 'ret' uninitialized even though the
GET_ATTR/GET_ATTR_ARRAY macros have an explicit and unconditional
assignment to ret. This is confusing but causes actual failures in
covscan runs.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
42c9ca0c by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
covscan: symlink() expects non-NULL second argument

Author: Alexander Bokovoy <abokovoy at redhat.com>

Amended by: Alexey Tikhonov <atikhono at redhat.com>
(used 'EINVAL' as error code instead of 'ENOMEM')

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1724482c by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: replace localtime() with localtime_r()

localtime_r() is much more performant (~x12 times faster on my machine)
as it sets `tzname` only once while localtime() does this every time
it is executed (and this includes string manipulations, getenv(),
stat("/etc/localtime"), etc)

As a result of this replacement, average time consumed by a trivial debug
message (one %d arg) is reduced by ~40..45% on my machine.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f553b57d by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: replace gettimeofday() with time() if usec isn't needed

gettimeofday() is much slower than time() and accounts for ~2% of total
time consumed by DEBUG.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5f840192 by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: cache string representation of last timestamp

A significant part (~15%) of the time consumed by DEBUG is spent formatting the string
representation of a timestamp. For a case of heavy logging it makes sense
to cache this string and re-format it only in case the timestamp changed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
815197cb by Pavel Březina at 2021-03-05T12:26:50+01:00
spec: do not use systemd to restart services with RefuseManualStart=true

These service unit files have RefuseManualStart=true, therefore they can
be controlled only as a dependency via the main sssd.service or socket
activation.

Resolves: https://github.com/SSSD/sssd/issues/5521

:fixes: SSSD spec file `%postun` no longer tries to restart services that
  can not be restarted directly, to stop producing systemd warnings

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8e8ccca5 by ikerexxe at 2021-03-05T12:27:17+01:00
TESTS: test socket path when systemd activation

Test the socket path when sssd-kcm is activated by systemd. If the socket in
the systemd unit and in sssd.conf is defined in different locations, then print a
warning.

Verifies: https://github.com/SSSD/sssd/issues/5406

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
b8d8b377 by Alexey Tikhonov at 2021-03-16T13:03:48+01:00
p11_child: fixed mistype in a debug message

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b165acb6 by Steeve Goveas at 2021-03-16T13:04:00+01:00
TEST: missing multihost in service_ctrl

This update will fix the method and make it usable

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
c7733c44 by Steeve Goveas at 2021-03-16T13:13:36+01:00
TEST: Update test docstrings enable polarion updates

These docstring updates are a requirement to enable automatic updates
into polarion using the betelguese tool. It will help to add/update test
cases and import test results from CI. Each test case must have an 'id' to
make it unique. The tool will use it to update the respective case and
will avoid adding duplicate test cases in polarion.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
341c5e35 by Weblate at 2021-03-18T11:44:48+01:00
po: update translations

Currently translated at 2.8% (21 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

Translated using Weblate (Finnish)

Currently translated at 2.5% (68 of 2643 strings)

Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

Translated using Weblate (Chinese (Simplified) (zh_CN))

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

Translated using Weblate (Japanese)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

Translated using Weblate (French)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

Translated using Weblate (Ukrainian)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

Translated using Weblate (Polish)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

- - - - -
9da41eb9 by Alexey Tikhonov at 2021-03-22T10:44:52+01:00
SPEC: added 'BuildRequires: po4a'

'po4a' is needed when building from srpm made from upstream sources, i.e.
without prepared translations.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c796088e by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: fix warning ‘security_context_t’ is deprecated

The type is now deprecated, char * should be used instead
https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3fba29f9 by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: fix warning ‘matchpathcon’ is deprecated

```
src/util/selinux.c: In function ‘selinux_file_context’:
src/util/selinux.c:50:9: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
   50 |         if (matchpathcon(dst_name, 0, &scontext) < 0) {
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ecf26727 by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: make SEC_CTX and SELINUX_CTX typedef instead of macro

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a512fdf by Alexey Tikhonov at 2021-03-25T11:39:14+01:00
systemd configs: add CAP_DAC_OVERRIDE for ifp in certain case

Commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e missed ifp.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0e095147 by Heiko Schlittermann (HS12-RIPE) at 2021-03-25T11:41:07+01:00
Fix setXYent(): rewind always

This compensates for "forgotten" endXYent() calls during the same session,
as observed with Dovecot authd.

Affected functions:

- setgrent()
- sethostent()
- setnetent()
- setnetgrent()
- setpwent()
- setservent()

TLDR;

SSSD assumes the following sequence in the consumer for enumeration:

	setXYent(); while (getXYent()) { ... }; endXYent();
	setXYent(); while (getXYent()) { ... }; endXYent();

But the 2nd setXYent() fails to rewind if in the above sequence the
call to first endXYent() is omitted.

Dovecot's authd is an example of omitting the endpwent(). They confirmed
an associated bug report already. But, formally speaking, the
documentation for setXYent() indicates that it should rewind. Period. :)

The endXYent() probably is for pure comfort, resource management, etc.

I built this into a private copy of the sssd packages Debian ships
(Buster/Debian10, 1.16.3) and used them in production (tested with AD
provided users and groups), using a simple Perl script.

	#! /usr/bin/perl
	use strict;
	use warnings;
	sub users {
		my $n;
		setpwent() or die "setpwent: $!\n";
		$n++ while $_ = getpwent();
		# endpwent();                        # missing!
		return $n;
	}
	print users(), "\n";	    # reports number of all users
	print users(), "\n";	    # users backed by sssd are missing

Resolves: https://github.com/SSSD/sssd/issues/5523

Patch co-authored by Sumit Bose.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
98696414 by Justin Stephenson at 2021-03-31T11:41:51+02:00
CI: Use builtin command for pycodestyle check

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f1661c04 by Tomas Halman at 2021-04-01T11:17:56+02:00
DEBUG: Error is printed when everything is ok

Due to an invalid condition, an error message that the config file does not exist
is printed when there is actually no problem. This update fixes
the condition.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0fd0681d by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved ldb_debug_messages() out of UTILS to SYSDB

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0dfb188e by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved declaration of debug related helpers defined in debug.c from util.h to debug.h

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fee3883b by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: use '--logger' as the only option to configure logger type.

This patch gets rid of:
 - 'debug-to-files', 'debug-to-stderr' command line options
 - undocumented 'debug_to_files' sssd.conf option
and makes '--logger' command line option the only "source of truth" for
logger type configuration.

Those options were not used much anyway but made precedence logic obscure
in case contradictory settings were used.

:config: The long-deprecated and undocumented 'debug_to_files' option was
removed.

:relnote: 'debug-to-files', 'debug-to-stderr' command line and undocumented
'debug_to_files' config options were removed.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc5b64e8 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: make use of existing SSSD_DEBUG_OPTS macro

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c14e439c by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: incorporate sss_set_logger() into DEBUG_INIT

This makes the code less error-prone by reducing the number of function calls required
for debug initialization.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4d133e15 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: remove sss_set_logger() from public API

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cf699170 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: added several comments to debug.h API and moved rarely used / "private" functions to the bottom.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
374d644f by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved SSSDBG_MASK_ALL out of debug.h since it is only used in tests.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
dde57f76 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: incorporate open_debug_file() into DEBUG_INIT

This makes the code less error-prone by reducing the number of function calls required
for debug initialization.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
21334de2 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
MONITOR: added logging of cmd used to start services

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0cddb671 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: introduce SSSDBG_TOOLS_DEFAULT

Resolves: https://github.com/SSSD/sssd/issues/5488

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
66960c76 by Alexey Tikhonov at 2021-04-01T11:18:13+02:00
MONITOR: in case '-i' is given don't force logger to 'stderr' if its value is specified explicitly

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9a39ceba by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: remove unneeded kcm.h

This file was copied from MIT Kerberos code, but we do not really
need it.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
81130b23 by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: add support for MIT extensions

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
560e2479 by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: add GET_CRED_LIST for faster iteration

For large caches, one IPC operation per credential dominates the cost
of iteration. Instead transfer the whole list of credentials to the
client in one IPC operation.

Resolves: https://github.com/SSSD/sssd/issues/5545

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
49010b16 by Iker Pedrosa at 2021-04-08T11:16:54+02:00
configure: set CPP macro with AC_PROG_CPP

The sssd build with an autoconf version greater than 2.70 fails because the CPP
macro is empty. This change fixes this problem by setting the macro with
AC_PROG_CPP at the beginning of the configuration.

Resolves: https://github.com/SSSD/sssd/issues/5563

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cd843daf by Massimiliano Torromeo at 2021-04-08T11:17:21+02:00
configure: Fix python headers detection with recent autoconf

Resolves: https://github.com/SSSD/sssd/issues/5336

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
b6efe6b1 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: handle large service tickets

Resolves: https://github.com/SSSD/sssd/issues/5568

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c6a76283 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: reduce duplication of code that handles larger-than-normal packets

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
63f318f7 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: add debug logging to assist with errors caused by overlarge packets

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
37d33177 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: further increase packet size for SSS_GSSAPI_SEC_CTX

Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
provides extra overhead should that increase in the future.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5c9fa75b by Sam Morris at 2021-04-12T13:28:15+02:00
responder/common/responder_packet: remove some unnecessary checks before growing packet

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b87619f9 by Sam Morris at 2021-04-12T13:28:15+02:00
responder/common/responder_packet: allow packets of max size

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
23197881 by aborah at 2021-04-12T13:28:43+02:00
Tests: Tests if shadow-utils are immune against bugs in 2006:0032

Tests if shadow-utils are immune against bugs in 2006:0032

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
05e75dba by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
test_pam_srv: Add test for CA certificate check using intermediate CA

Since the switch to libcrypto as security backend SSSD enforces that all
the CAs in the key chain must be trusted, so add a test that ensures
that this is true and that an intermediate certificate doesn't verify a
leaf one if we're missing the whole chain.

To build the certificates we use the test_CA main certificate
(SSSD_test_CA.pem) as the root CA authority while we create a new CA
intermediate certificate used to create new leaf certificates.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5ed48d2f by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
p11_child_openssl: Free X509_VERIFY_PARAM if initialized

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
018043bb by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
p11_child: Add support for 'partial_chain' certificate_verification option

As per the switch to libcrypto by default, the CA certificates DB needs
to contain the whole certificates key-chain in order to verify a leaf
certificate. This means that if an intermediate CA authority signed a
leaf certificate the CA DB we provide to SSSD needs to contain the whole
key-chain, up to the root CA cert in order to verify the leaf one.

Now, while this is indeed more secure, it may break previous
configurations that were based on an NSS database that contained only
trusted intermediate CA certificates.

To allow such setups to continue working (once the NSS db is migrated)
we need to permit a "weaker" setup where an x509 certificate is verified
when the CA database we test against contains only the intermediate CA
certificate that was used to sign it.

As per this, support the `partial_chain` value to be used in the
`certificate_verification` parameter, which will add the
`X509_V_FLAG_PARTIAL_CHAIN` verify param flag to the store, the same way
openssl's verify `-partial_chain` parameter works.

This setup can still be considered secure as it's still needed to have
configured the SSSD ca db to contain the trusted certs.

Add tests to check that we can verify a leaf certificate against its
parent (only) when using such option.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
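The commit above explains the two trust models: by default the CA database must contain the whole chain up to a self-signed root, while `partial_chain` lets a trusted intermediate terminate the chain. The script below is an added editorial example, not SSSD's test code, that reproduces both behaviours with the openssl CLI's `-partial_chain` option (the same flag the commit maps to `X509_V_FLAG_PARTIAL_CHAIN`): it builds a constructed root/intermediate/leaf chain in a temporary directory, then verifies the leaf with only the intermediate trusted, with the intermediate trusted plus `-partial_chain`, and with the full chain. It assumes an `openssl` binary of version 1.1.1 or newer on the PATH; the subject names are placeholders.

```shell
#!/bin/sh
# Added editorial example (not SSSD code): show what X509_V_FLAG_PARTIAL_CHAIN
# changes, using "openssl verify -partial_chain" on a constructed chain
# root -> intermediate -> leaf. Requires the openssl CLI (1.1.1+).

# Creates root.pem, inter.pem and leaf.pem (with keys) in a fresh temporary
# directory and prints the directory path.
make_chain() {
    dir=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    # self-signed root CA (extensions taken only from ca.ext)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
    # intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" >/dev/null 2>&1
    # leaf (end-entity) certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user@example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -out "$dir/leaf.pem" >/dev/null 2>&1
    echo "$dir"
}

# verify_leaf <dir> <openssl verify options...>: prints ok or fail.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
verify_leaf() {
    dir="$1"; shift
    if openssl verify -no-CAfile -no-CApath "$@" "$dir/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Runs the three cases and prints a one-line summary.
partial_chain_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl-missing"; return 0; }
    dir=$(make_chain)
    # only the intermediate trusted: the chain cannot reach a self-signed root
    strict=$(verify_leaf "$dir" -CAfile "$dir/inter.pem")
    # same trust store, but a trusted intermediate may now end the chain
    partial=$(verify_leaf "$dir" -partial_chain -CAfile "$dir/inter.pem")
    # root trusted, intermediate supplied as untrusted chain material
    full=$(verify_leaf "$dir" -CAfile "$dir/root.pem" -untrusted "$dir/inter.pem")
    rm -rf "$dir"
    echo "strict=$strict partial=$partial full=$full"
}
partial_chain_demo
```

The `strict` case fails even though the intermediate is in the trust store, which is exactly what broke configurations migrated from NSS databases holding only intermediates. With `-partial_chain` any certificate issued by a CA present in the store is accepted, so, as the commit says, the option is only as safe as the contents of the CA database it is used with.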
7e3edb06 by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
pam: Add custom pam_cert_verification setting to override default

PAM uses by default the certificate_verification parameter, however we
may want to set specific settings to be used for PAM auth only.

So add pam_cert_verification setting option that will be used to define
the verification options.

If this value is unset, we'll fall back to the default.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
65c90d8f by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
sssd.spec: BuildRequires on openssl tool

It's needed for creating the certificates we use for testing

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
509c2ac9 by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa: skip id-range of unknown type

If a new range type is added in the IPA server, SSSD currently considers
this as an error and stops processing any further server side options.

With this patch unknown range types are just skipped and no error is
returned.

Resolves: https://github.com/SSSD/sssd/issues/5571

:fixes: unknown IPA id-range types are not considered as an error

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
27172c95 by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa: add unit test for ipa_ranges_parse_results

A unit test is added to check if unknown range types are properly
skipped. For this ipa_ranges_parse_results() is made public and moved to
a source file which is already used in a unit test to avoid the
inclusion of additional dependencies.

Resolves: https://github.com/SSSD/sssd/issues/5571

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
02d9625e by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa subdomains: do not fail completely if one step fails

Currently while updating server side data stored on an IPA server
during a subdomains request the whole request will fail if a single step
fails. As a result the remaining server side data which would have been
looked up after the failed attempt are missing.

With this patch a failure in a single lookup is not considered fatal and
SSSD will try to read the remaining data after an error occurred.

Resolves: https://github.com/SSSD/sssd/issues/5571

:fixes: During the IPA subdomains request a failure in reading a single
    specific configuration option is not considered fatal and the
    request will continue

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dab0ead2 by Alexey Tikhonov at 2021-04-13T13:46:11+02:00
SYSV: removed unused SUSE/sssd.id

see https://github.com/SSSD/sssd/pull/5535#issuecomment-814135680

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37d255b2 by Alexey Tikhonov at 2021-04-13T13:46:11+02:00
SYSV: replaced '-f' option in gentoo/sssd.in

This is follow up for PR#5535

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e145242 by peptekmail at 2021-04-13T13:46:26+02:00
TEST: FIX: When generating an ssh pubkey from a cert, extra padding is needed if a nonstandard exponent is chosen.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e865b008 by Sumit Bose at 2021-04-13T13:46:40+02:00
AD GPO: respect ad_gpo_implicit_deny if no GPO is present

Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
all for the given client. With this patch this case is handled as
expected as well.

Resolves: https://github.com/SSSD/sssd/issues/5561

:fixes: `ad_gpo_implicit_deny` is now respected even if there are no
        applicable GPOs present

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
53ae9b1e by Alexey Tikhonov at 2021-04-13T13:47:01+02:00
pam_sss: fixed potential mem leak

Fixes following covscan issue:
```
Error: RESOURCE_LEAK (CWE-772): [#def1]
src/sss_client/pam_sss.c:1714: alloc_arg: "asprintf" allocates memory that is stored into "prompt".
src/sss_client/pam_sss.c:1765: leaked_storage: Variable "prompt" going out of scope leaks the storage it points to.
 # 1763|       free(response);
 # 1764|
 # 1765|->     return ret;
 # 1766|   #else
 # 1767|       return ENOTSUP;
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
231d1118 by Sumit Bose at 2021-04-13T13:48:59+02:00
negcache: use right domain in nss_protocol_fill_initgr()

When checking if a group returned by an initgroups request is filtered
in the negative cache, the domain of the user was used. This does not
work reliably if the user can be a member of groups from multiple
domains.

With this patch the domain the group belongs to is determined and used
while checking the negative cache.

Resolves: https://github.com/SSSD/sssd/issues/5534

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4f373427 by Paweł Poławski at 2021-04-13T14:44:26+02:00
ncache: Fix misleading function comment

The sss_ncache_reset_repopulate_permanent() function is responsible
only for flushing and repopulating permanent entries in the negative
cache. The old inline description suggests that a full negative cache
wipe will be performed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e6994359 by Paweł Poławski at 2021-04-13T14:44:26+02:00
utils: Add description for CLEAR_MC_FLAG define

CLEAR_MC_FLAG is the definition of the flag file which is used
to sync the memory cache clearing process between the sss_cache util
and the NSS responder.

When sss_cache sends SIGHUP to NSS, existence of flag file
notifies responder that memory cache clearing should be
performed. Deletion of this file by responder notifies
sss_cache back that cache clearing operation has been finished.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6195ac70 by Paweł Poławski at 2021-04-13T14:44:26+02:00
nss: Add negcache clearing sbus callback

NSS responder already has SBUS callback for memory cache clearing.
It is called by MONITOR when SIGHUP is handled.

This commit extends SBUS sssd.service interface with negcache
clearing ability executed under "clearNegcache" request.

<interface name="sssd.service">
    <annotation name="codegen.Name" value="service" />
    <annotation name="codegen.SyncCaller" value="false" />
    <method name="resInit" />
    <method name="goOffline" />
    <method name="resetOffline" />
    <method name="rotateLogs" />
    <method name="clearMemcache" />
    <method name="clearNegcache" />
    <method name="clearEnumCache" />
    <method name="sysbusReconnect" />
</interface>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7a4974c8 by Paweł Poławski at 2021-04-13T14:44:26+02:00
nss: Clear negative cache when SIGHUP received

When MONITOR receives SIGHUP signal it sends cache clearing
request to NSS responder using SBUS "clearMemcache" command.
This commits adds calling for negcache clearing at the same time.
It is executed by calling "clearNegcache" from NSS SBUS API.

Resolves: https://github.com/SSSD/sssd/issues/4973

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
191b5352 by Paweł Poławski at 2021-04-15T10:28:14+02:00
data_provider: Configure backend probing interval

When be_ptask is created to monitor backend when SSSD
is in offline mode checks are happening in specified intervals:

delay = delay + (sss_rand() % task->random_offset);

New configuration option is introduced in this commit:
* offline_timeout_random_offset

Using this option allows end client to decide what
should be the size of random offset when new interval
for probing backend is calculated.

:feature: New configuration option `offline_timeout_random_offset`
          to control random factor in backend probing interval
          when SSSD is in offline mode.

:config: Added `offline_timeout_random_offset` configuration option
         to control maximum size of random offset added to offline timeout
         SSSD backend probing interval.

Resolves: https://github.com/SSSD/sssd/issues/5556

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
5d65411f by Sumit Bose at 2021-04-16T13:24:56+02:00
sss_domain_info: add not_found_counter

This new counter should be used to track how often a domain could not be
found while discovering the environment so that it can be deleted after
a number of failed attempts.

Resolves: https://github.com/SSSD/sssd/issues/5528

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
95adf488 by Sumit Bose at 2021-04-16T13:24:56+02:00
AD: read trusted domains from local domain as well

Currently SSSD only uses information stored in a domain controller of
the forest root domain to get the names of other trusted domains in the
forest. Depending on how the forest was created the forest root might
not have LDAP objects for all domains in the forest. It looks like a
typical case is child domains of other domains in the forest.

As a start SSSD can now include trusted domains stored in the LDAP tree
of a local domain controller as well. In the long run it would make sense
to allow SSSD to explicitly search for domains by looking up DNS entries
and checking a potential domain controller with a CLDAP ping.

Resolves: https://github.com/SSSD/sssd/issues/5528

:feature: Besides trusted domains known by the forest root, trusted
          domains known by the local domain are used as well.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e0fcec92 by Sumit Bose at 2021-04-20T11:14:00+02:00
man: clarify single_prompt option

Make it more clear that the single_prompt prompting configuration option
can only be used with both factors even if the second is optional.

Resolves: https://github.com/SSSD/sssd/issues/5586

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
da55e3e6 by Iker Pedrosa at 2021-04-20T11:15:41+02:00
ldap: retry ldap_install_tls() when watchdog interruption

When the call to ldap_install_tls() fails because the watchdog
interrupted it, retry it. The watchdog interruption is detected by
checking the value of the ticks before and after the call to
ldap_install_tls().

Resolves: https://github.com/SSSD/sssd/issues/5531

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
64340cac by Alexey Tikhonov at 2021-04-21T12:01:14+02:00
whitespace_test: remove 'debian' from exclude pattern as this is downstream specific.

See discussion in https://github.com/SSSD/sssd/pull/5435 for details

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
691fe494 by Sumit Bose at 2021-04-21T12:01:30+02:00
nss: prefer homedir overrides over override_homedir option

Currently the override_homedir option will overwrite every home
directory even if a dedicated user override exists. With this patch a
home directory from a dedicated override will be preferred.

Resolves: https://github.com/SSSD/sssd/issues/5589

:relnote: A home directory from a dedicated user override, either local
    or centrally managed by IPA, will have a higher precedence than the
    override_homedir option.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
88eec1c2 by Sumit Bose at 2021-04-21T12:02:00+02:00
nss client: make innetgr() thread safe

The innetgr() call is expected to be thread safe but SSSD's current
implementation isn't. In glibc innetgr() is implemented by calling the
setnetgrent(), getnetgrent(), endgrent() sequence with a private context
(struct __netgrent) which provides a member where NSS modules can store
data between the calls.

With this patch setnetgrent() will read all required data from the NSS
responder and store it in the data member of the __netgrent struct.
Upcoming getnetgrent() calls will only operate on the stored data and
not connect to the NSS responder anymore. endgrent() will free the data.
Since the netgroup data is read in a single request to the NSS responder
protected by a mutex and stored in private context of innetgr() this
call is now thread-safe.

Resolves: https://github.com/SSSD/sssd/issues/5540

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29abf94e by Sumit Bose at 2021-04-21T12:02:00+02:00
intg test: test if innetgr() is thread-safe

This integration test adds 2 large netgroups in LDAP and runs a program
with 2 threads looking up those netgroups in parallel.

Resolves: https://github.com/SSSD/sssd/issues/5540

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
38905cac by Alexey Tikhonov at 2021-04-26T11:32:50+02:00
monitor: avoid NULL deref in monitor_service_shutdown()

Resolves: https://github.com/SSSD/sssd/issues/5598

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cbfccb17 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
BUILD: prefer PCRE2 over PCRE

:relnote: This release deprecates pcre1 support. This support will be
removed completely in following releases.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
519d9434 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
util/regexp: local functions shall be static

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
31bcb6f0 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
tests/test_dp_opts: mem leak fixed

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9aa6fb34 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
tests/test_nested_groups: mem leak fixed

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0fbe5af1 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
util/regexp: regular talloc d-tor shouldn't fail

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f2bcf74c by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
sssd.supp: suppress false positive valgrind warning about 'pcre2_code' ptr

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6a60406b by Steeve Goveas at 2021-04-26T11:34:27+02:00
TEST: Modify subsystem to sst_idm_sssd

idm sst were subdivided into team-specific sst and this is now implemented in
polarion

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
2276fc42 by Shridhar Gadekar at 2021-04-27T13:58:30+02:00
Tests: alltests: fetch autofs maps after coming online

SSSD should fetch autofs maps from server when coming online
from offline state, without existing cache.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
eb61f1b2 by Shridhar Gadekar at 2021-04-29T12:04:59+02:00
test: minor change in test doc string

adding test id in the doc string

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
846296d1 by Alexey Tikhonov at 2021-04-29T12:05:17+02:00
libwbclient-sssd: removed

:relnote: SSSD's implementation of 'libwbclient' was removed
as incompatible with modern version of Samba.

Resolves: https://github.com/SSSD/sssd/issues/5459

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9854ade1 by Iker Pedrosa at 2021-04-29T12:05:38+02:00
spec: Remove ldconfig scripts

According to
https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets#Upgrade.2Fcompatibility_impact
spec files that target Fedora 28+ don't require the use of ldconfig
scriptlets. So, I'm removing them from the spec file.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
99beee3c by Alexey Tikhonov at 2021-04-29T12:05:50+02:00
LDAP: make connection log levels consistent

Connection related events (established, expired, released) now use the same
debug level.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
7313efba by Sumit Bose at 2021-04-30T12:57:35+02:00
man: clarify priority in sss-certmap man page

Explain in the man page what is expected when two or more mapping and
matching rules have the same priority.

Resolves: https://github.com/SSSD/sssd/issues/4415

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a0179e31 by Hugh Cole-Baker at 2021-05-05T17:12:33+02:00
man: fix p11_uri example URIs

The p11_uri requires a pkcs11: scheme, using p11_uri = slot-description=My..
without pkcs11: as a prefix will cause p11_child to log an error:

p11_kit_uri_parse failed [-2][URI scheme must be 'pkcs11:'].

Fix the examples to include the pkcs11: scheme.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f66b5aed by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
DEBUG: got rid of most explicit DEBUG_IS_SET checks as a preliminary step for "logs backtrace" feature

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
59ba14e5 by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
DEBUG: poor man's backtrace

In case SSSD is run with debug_level < 9, log everything to
a ring buffer in memory and flush the buffer to a log file on any
error (up to and including `min(0x0040, debug_level)`)
(i.e. if `debug_level` is explicitly set to 0 or 1 then only those
error levels will trigger backtrace, otherwise up to 2).

Feature is only supported for `logger == files`:
 - for stderr it doesn't make much sense: as buffer is quite large,
it would be very inconvenient to get it in console.
 - for journal: support might be considered later, after getting
some feedback

:feature: If 'debug_backtrace_enabled' is set to 'true' then
on any error all prior debug messages (to some limit) are printed
even if 'debug_level' is set to low value (for details see
`man sssd.conf`: `debug_backtrace_enabled` description).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e3426ebe by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
PAM: fixes a couple of covscan issues

Fixes:
```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%.*s' directive argument is null
 #  127 |     sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
 #      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #  128 |                  level, \
 #      |                  ~~~~~~~~
 #  129 |                  format, ##__VA_ARGS__); \
 #      |                  ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'filter_responses'
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:569:51: note: format string is defined here
 #  569 |               "Found PAM ENV filter for variable [%.*s] and service [%s].\n",
 #      |                                                   ^~~~
```

and

```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/util.h:47: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:24: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'pam_check_user_search_next'
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%s' directive argument is null
 #  127 |     sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
 #      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #  128 |                  level, \
 #      |                  ~~~~~~~~
 #  129 |                  format, ##__VA_ARGS__); \
 #      |                  ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:1947:53: note: format string is defined here
 # 1947 |     DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
 #      |                                                     ^~
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6b78b7aa by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
CACHE_REQ: fixed REVERSE_INULL warning

Fixes following warning:
```
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:807: check_after_deref: Null-checking "domain" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:784: deref_ptr: Directly dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:790: deref_ptr_in_call: Dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:805: alias: Assigning: "state->selected_domain" = "domain".
 #  805|           state->selected_domain = domain;
 #  806|
 #  807|->         if (domain == NULL) {
 #  808|               break;
 #  809|           }
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0aaf61c6 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
DEBUG: makes debug backtrace switchable

:config: Introduced new option 'debug_backtrace_enabled' to control
debug backtrace.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
97f046e7 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
DEBUG: log IMPORTANT_INFO if any bit >= OP_FAILURE is on

This makes sense in general and ensures IMPORTANT_INFO doesn't trigger
backtrace dump.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f693078f by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
CERTMAP: removed "sss_certmap initialized" debug

Most lib users expect only errors to be logged and provide logger function
with SSSDBG_OP_FAILURE debug level.

Thus "sss_certmap initialized" was triggering backtrace dump for no reason.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6fb987b5 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
SERVER: decrease log level in `orderly_shutdown()` to avoid backtrace in this case.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
80963d68 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
SBUS: changed debug level in sbus_issue_request_done() to avoid backtrace dump in case of 'ERR_MISSING_DP_TARGET'

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f55c41b7 by Deepak Das at 2021-05-05T17:13:07+02:00
SSSD Log: log_timeout_parameter_display

Display timeout parameter in SSSD logs.

Resolves: https://github.com/SSSD/sssd/issues/5514

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c79ee66f by Pavel Březina at 2021-05-07T11:34:27+02:00
pot: update pot files

- - - - -
c8274b24 by Alexey Tikhonov at 2021-05-07T13:01:12+02:00
BUILD: deprecate 'local-provider'

:relnote: 'local-provider' is deprecated and will be removed in one
of the next versions of SSSD.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8736776a by Alexey Tikhonov at 2021-05-07T13:01:12+02:00
BUILD: deprecate 'secrets' support

:relnote: 'secrets' support is deprecated and will be removed in one
of the next versions of SSSD.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ba99c1fb by Steeve Goveas at 2021-05-07T13:01:30+02:00
modify check for rhel version before package install

Include check for rhel9 and remove nss-pam-ldapd install for rhel9 as it
won't be available. Test with nss-pam-ldap only for rhel8.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
d264a2b6 by Steeve Goveas at 2021-05-07T13:01:30+02:00
TEST: remove pytest warning for yield_fixture

this change would remove this warning message
"PytestDeprecationWarning: @pytest.yield_fixture is deprecated"

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
61a03b2c by Pavel Březina at 2021-05-07T13:01:47+02:00
man: document how to disable sudo smart and full refresh

Resolves: https://github.com/SSSD/sssd/issues/5601

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b3247eeb by Pavel Březina at 2021-05-07T13:01:47+02:00
man: document how to tune sudo performance

Resolves: https://github.com/SSSD/sssd/issues/5603

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c0204c06 by Pavel Březina at 2021-05-07T13:01:47+02:00
be: add be_ptask_postpone

This will cancel the next event and schedule it to now + period.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d9d5c291 by Pavel Březina at 2021-05-07T13:01:47+02:00
sudo: reschedule periodic tasks when full refresh is finished

We postpone periodic full and smart refresh tasks when full refresh
(either per-request or periodic) is finished.

Resolves: https://github.com/SSSD/sssd/issues/5604

:feature: Completing a sudo full refresh now postpones the smart refresh
  by `ldap_sudo_smart_refresh_interval` value. This ensure that the smart
  refresh is not run too soon after a successful full refresh.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ca47acca by Pavel Březina at 2021-05-07T13:01:47+02:00
sudo: add ldap_sudo_random_offset

Resolves: https://github.com/SSSD/sssd/issues/5609

:feature: Background sudo periodic tasks (smart and full refresh) periods
  are now extended by a random offset to spread the load on the server in
  environments with many clients. The random offset can be changed with
  `ldap_sudo_random_offset`.

:config: Added `ldap_sudo_random_offset` (default to `30`) to add a
  random offset to background sudo periodic tasks (smart and full
  refresh).

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
421c0a77 by aborah at 2021-05-07T13:03:24+02:00
Tests: getent group ldapgroupname doesn't show any LDAP users

'getent group ldapgroupname' doesn't show
any LDAP users or some LDAP users when
'rfc2307bis' schema is used with SSSD

Verifies: https://github.com/SSSD/sssd/issues/5311

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1817122

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
47b40cca by aborah at 2021-05-10T11:13:21+02:00
Tests: automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase)

With 2 automount entries in LDAP with same key ( cn: MIT and cn: mit),
autofs only works for one of them ( the one in uppercase )

Verifies: https://github.com/SSSD/sssd/issues/5330

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1873715

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
de170904 by Sumit Bose at 2021-05-10T11:13:38+02:00
sss_cache: reset original timestamp and USN

Currently the sss_cache utility only resets the internal/operational
timestamp attributes to indicate that the object should be refreshed.
But the timestamp cache also stores the last modification time and the
update sequence number (USN) of the original LDAP attribute to detect
changes of the original object. During some types of refreshes those
options might be checked, currently the modification timestamp during
group updates, and might prevent that the data object is refreshed because
it was assumed that the original object did not change.

Since it is expected that after calling e.g. sss_cache -E the cached
objects are refreshed unconditionally it makes sense to reset those
attributes in the timestamp cache as well.

Resolves: https://github.com/SSSD/sssd/issues/5596

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
c227ea4e by Sumit Bose at 2021-05-10T11:13:38+02:00
sysdb: add SYSDB_INITGR_EXPIRE to new user objects

SYSDB_INITGR_EXPIRE belongs to the timestamp cache attributes and if
only those attributes are modified it is expected that the data object
is not modified, only the related object in the timestamp cache. Until
now SYSDB_INITGR_EXPIRE was missing from the user objects if the group
membership of the user was not looked up (initgroups request). As a
result the user object might change if only timestamp cache attributes
are changed since the SYSDB_INITGR_EXPIRE was missing. With this patch
the SYSDB_INITGR_EXPIRE is added with value '0' if a new user object is
created.

Resolves: https://github.com/SSSD/sssd/issues/5596

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
993b66d4 by Justin Stephenson at 2021-05-10T14:53:56+02:00
KCM: Read and set KCM renewal and krb5 options

Add new renewal options to enable KCM renewal functionality

  tgt_renewal
  tgt_renewal_inherit

Krb5 options below will be read from the [kcm] configuration
section, or a domain section when a tgt_renewal_inherit domain
is provided.

  krb5_renew_interval
  krb5_renewable_lifetime
  krb5_lifetime
  krb5_validate
  krb5_canonicalize
  krb5_auth_timeout

Resolves: https://github.com/SSSD/sssd/issues/2765

:config: Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*`
KCM options to enable, and tune behavior of new KCM renewal feature.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
599f0ad0 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Prepare and execute renewals

Find and unmarshal renewable tickets in the list of KCM ccaches, process
and trigger renewals for tgts after half of their lifetime is exceeded.

Resolves: https://github.com/SSSD/sssd/issues/2765

:feature: Added support for automatic renewal of renewable TGTs that are
stored in KCM ccache. This can be enabled by setting `tgt_renewal =
true`. See the sssd-kcm man page for more details. This feature requires
MIT Kerberos krb5-1.19-0.beta2.3 or higher.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1dc3c33c by Justin Stephenson at 2021-05-10T14:53:57+02:00
SECRETS: Don't hardcode SECRETS_DB_PATH

Allow for overriding in cmocka tests

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a55405b3 by Justin Stephenson at 2021-05-10T14:53:57+02:00
TESTS: Add kcm_renewals unit test

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0202eb53 by Justin Stephenson at 2021-05-10T14:53:57+02:00
INTG: Add KCM Renewal integration test

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ddcedbf3 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Conditionally build KCM renewals support

Use --enable-kcm-renewal, --disable-kcm-renewal or allow
autodetection of MIT kerberos marshalling functions
required to enable KCM renewal support.

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ec932d35 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Disable responder idle timeout with renewals

When KCM renewals are configured and enabled, disable the
responder idle timeout to prevent KCM from being in a shut-down
state when it should be executing TGT renewals.

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ce54789e by Alexey Tikhonov at 2021-05-10T14:56:44+02:00
DEBUG: fix _all_levels_enabled()

Expression was wrong in case `debug_level` had any bit without
associated level turned on (for example, 0xfff0).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
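The ring-buffer "backtrace" described in commit 59ba14e5 and the "all levels enabled" check fixed in ce54789e, as an added illustration that is not SSSD's code: a logger that buffers every message, writes enabled levels straight to the log, and dumps the buffer when an error at a level up to min(0x0040, debug_level) arrives. The level bit values, struct and function names are this example's own assumptions.

```c
/* Added example, not SSSD code: a "poor man's backtrace" logger modelled on
 * commits 59ba14e5 and ce54789e. Level bits and names are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed level bits; each bit is one debug level. */
#define LVL_FATAL_FAILURE  0x0010u
#define LVL_CRIT_FAILURE   0x0020u
#define LVL_OP_FAILURE     0x0040u
#define LVL_MINOR_FAILURE  0x0080u
#define LVL_CONF_SETTINGS  0x0100u
#define LVL_FUNC_DATA      0x0200u
#define LVL_TRACE_FUNC     0x0400u
#define LVL_TRACE_LIBS     0x0800u
#define LVL_TRACE_INTERNAL 0x1000u
#define LVL_TRACE_ALL      0x2000u
#define LVL_ALL_LEVELS     0x3FF0u   /* union of the bits that have a level */

/* Only errors up to and including this level trigger a backtrace dump. */
#define BACKTRACE_TRIGGER_MAX LVL_OP_FAILURE

#define RING_SLOTS 8
#define MSG_LEN    64

struct bt_logger {
    unsigned debug_level;            /* configured bitmask, e.g. 0x0070 */
    bool backtrace_enabled;          /* the page's debug_backtrace_enabled */
    char ring[RING_SLOTS][MSG_LEN];  /* in-memory ring of recent messages */
    unsigned head;                   /* next ring slot to overwrite */
    unsigned count;                  /* valid slots, at most RING_SLOTS */
    unsigned lines_written;          /* message lines that reached the log */
};

void bt_init(struct bt_logger *lg, unsigned debug_level, bool enabled)
{
    memset(lg, 0, sizeof(*lg));
    lg->debug_level = debug_level;
    lg->backtrace_enabled = enabled;
}

/* ce54789e: "all levels enabled" must test that every level bit is set, so
 * that stray bits without an associated level (e.g. 0xfff0) do not break it. */
bool all_levels_enabled(unsigned debug_level)
{
    return (debug_level & LVL_ALL_LEVELS) == LVL_ALL_LEVELS;
}

static void write_line(struct bt_logger *lg, const char *prefix, const char *msg)
{
    printf("%s%s\n", prefix, msg);   /* stdout stands in for the log file */
    lg->lines_written++;
}

static void ring_push(struct bt_logger *lg, const char *msg)
{
    snprintf(lg->ring[lg->head], MSG_LEN, "%s", msg);
    lg->head = (lg->head + 1) % RING_SLOTS;
    if (lg->count < RING_SLOTS) {
        lg->count++;
    }
}

/* Dump buffered messages oldest first, then empty the buffer. */
static void ring_flush(struct bt_logger *lg)
{
    unsigned start = (lg->head + RING_SLOTS - lg->count) % RING_SLOTS;
    printf("********************** BACKTRACE DUMP **********************\n");
    for (unsigned i = 0; i < lg->count; i++) {
        write_line(lg, "   *  ", lg->ring[(start + i) % RING_SLOTS]);
    }
    lg->count = 0;
}

/* Log one message; returns how many message lines this call wrote to the log
 * (0 when only buffered, 1 when written directly, 1 + buffer size on a dump). */
unsigned bt_log(struct bt_logger *lg, unsigned level, const char *msg)
{
    unsigned before = lg->lines_written;
    bool enabled = (lg->debug_level & level) != 0;

    /* With every level on there is nothing to reconstruct: plain logging. */
    if (!lg->backtrace_enabled || all_levels_enabled(lg->debug_level)) {
        if (enabled) {
            write_line(lg, "", msg);
        }
        return lg->lines_written - before;
    }

    /* Backtrace mode: everything is buffered, enabled levels also go to the log. */
    ring_push(lg, msg);
    if (enabled) {
        write_line(lg, "", msg);
    }
    /* An enabled error at a level up to min(0x0040, debug_level) dumps the ring. */
    if (enabled && level <= BACKTRACE_TRIGGER_MAX) {
        ring_flush(lg);
    }
    return lg->lines_written - before;
}
```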

- - - - -
c07a7beb by Weblate at 2021-05-10T14:57:47+02:00
po: update translations

(Ukrainian) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 99.8% (728 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Finnish) currently translated at 5.5% (40 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Finnish) currently translated at 2.6% (70 of 2643 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

- - - - -
e3012941 by Pavel Březina at 2021-05-10T15:06:24+02:00
man: add krb5_options to po4a.cfg

- - - - -
b3336ab9 by Pavel Březina at 2021-05-10T15:11:58+02:00
pot: update pot files

- - - - -
3f29bc26 by Pavel Březina at 2021-05-10T15:14:31+02:00
Release sssd-2.5.0

- - - - -
a95db4e1 by Pavel Březina at 2021-05-10T17:13:00+02:00
Update version in version.m4 to track the next release

- - - - -
6eb845d0 by Madhuri Upadhye at 2021-05-13T12:37:06+02:00
Test: IPA: filter_groups option partially filters the group from 'id' output

It consists of following test case:
  filter_groups option partially filters the group from 'id'
  output of the user because gidNumber still appears in 'id' output

Verifies:
  Issue: #5403

Bugs:
  https://bugzilla.redhat.com/show_bug.cgi?id=1876658

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9b017dbc by Pavel Březina at 2021-05-14T11:34:24+02:00
KCM: return KRB5_FCC_INTERNAL for unknown or not implemented operation

sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL`
for cases where operation code is not known or not implemented. See:

* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792

We returned different codes before this patch which makes Kerberos differentiate
between Heimdal and sssd implementation. This leads to errors like:

* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703

Resolves: https://github.com/SSSD/sssd/issues/5628

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
dbde4e69 by Justin Stephenson at 2021-05-19T19:24:12+02:00
SECRETS: Resolve mkey path correctly

Use the correct master key path for the secrets database,
fixing an issue on upgrade.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9777427f by Alexey Tikhonov at 2021-05-19T19:24:31+02:00
UTIL/SECRETS: mistype fix

Wrong variable was tested after mem allocation.

Also fixes following covscan issues:
```
Error: DEADCODE (CWE-561):
sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
 # 1009|   	uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
 # 1010|       if (uuid_list == NULL) {
 # 1011|->         ret = ENOMEM;
 # 1012|           goto done;
 # 1013|       }
```

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b099498f by Pavel Březina at 2021-05-19T19:24:48+02:00
ipa: read auto_private_groups from id range if available

Resolves: https://github.com/SSSD/sssd/issues/4216

:feature: `auto_private_groups` option can be set centrally through
  ID range setting in IPA (see `ipa idrange` commands family). This
  feature requires SSSD update on both client and server.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
706627cf by Pavel Březina at 2021-05-19T19:24:48+02:00
cache_req: consider mpg_mode of each domain

Before this patch the mpg_mode == hybrid was used only if the main domain
had this mode set. This fails in multi domain environments as well as with
subdomains.

Now we lookup the hybrid object in each domain that has the hybrid mode
enabled.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ac1a07a3 by Iker Pedrosa at 2021-05-24T18:04:25+02:00
responder: fix covscan issues

Fix two covscan issues that I accidentally included in commit
f890fc4b592767f3f0b2bd5515cbd9516505ebe9.

Error: FORWARD_NULL (CWE-476): [#def60]
sssd-2.4.0/src/responder/common/responder_common.c:1009: var_compare_op: Comparing "rctx->sock_name" to null implies that "rctx->sock_name" might be null.
sssd-2.4.0/src/responder/common/responder_common.c:1039: var_deref_model: Passing null pointer "rctx->sock_name" to "strlen", which dereferences it.

Error: CLANG_WARNING: [#def61]
sssd-2.4.0/src/responder/common/responder_common.c:1039:64: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'

Resolves: https://github.com/SSSD/sssd/issues/5638

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
43b9b092 by Deepak Das at 2021-05-24T18:05:19+02:00
SSSD man: man_dns_resolver_parameter_modification

Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf

Resolves: https://github.com/SSSD/sssd/issues/5616

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7190f6b5 by Deepak Das at 2021-05-24T18:05:19+02:00
SSSD man: man_dns_resolver_parameter_modification

Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf

Resolves: https://github.com/SSSD/sssd/issues/5616

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
fbf33bab by Alexey Tikhonov at 2021-05-24T18:06:10+02:00
TOOLS: removed unneeded debug message

This message was logged before `sss_tool_init()` that sets debug level,
thus ignoring configured debug level.

Since the same message is printed via `ERROR` on a next line, this log
message doesn't add any information and can be simply removed.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
348512b0 by Steeve Goveas at 2021-05-24T18:07:52+02:00
TEST: Fixes after running new tests downstream

Tests have been synced downstream. Some tests were failing or needed
docstring updates for the new polarion format

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
9cb89666 by Sumit Bose at 2021-05-25T12:24:28+02:00
nss: fix getsidbyname for IPA user-private-groups

Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases are handled.

The first is about the default automatic user-private-groups
where the group is a managed object. In this case there will be a user
and a group object with the same name in the cache which will both be
found by the lookup by name. Since only the user object will have a SID
we can return this SID for the request.

The second case is the manual creation of a user and a groups with UID
and GIDs so that the group is a user-private group. Here the user and
the group object will both get a different SID assigned since they are
independent objects. In this case, both objects have a SID and the UID
and GID of the user and the GID of the group all have the same numerical
value, the SID of the user is returned.

Resolves: https://github.com/SSSD/sssd/issues/5607

:fixes: Fix getsidbyname issues with IPA users with a user-private-group

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
e147d272 by Steeve Goveas at 2021-05-31T14:18:53+02:00
TEST: add ldap_sudo_random_offset 0 to offline test

New option was added in #5609.
As there are no other requests in the test after a restart, sssd
would attempt a connection only after 10 to 30 seconds by default. To
enable immediate look up, we can set this option and continue with the
test

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
98400ef6 by Madhuri Upadhye at 2021-05-31T14:19:06+02:00
Tests: common: Update the remove_sss_cache function

Remove the sssd exception: as we don't find the path,
the test fails with the exception "file does not exist",
so a print statement was added to print the error message.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
33f136f8 by Madhuri Upadhye at 2021-05-31T14:19:19+02:00
Tests: alltests: Code update for test_kcm_check_socket_path

Remove unwanted import.
Minor changes in test code.
Change the marker to tier1_2.

Verifies:
  Issues: #5406

Bug:
  https://bugzilla.redhat.com/show_bug.cgi?id=1632159

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
36746524 by Sumit Bose at 2021-05-31T14:19:33+02:00
kcm: use %zu as format for size_t

size_t might be a different integer type on different platforms. The %z
length modifier was added to handle this.

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5b5e3827 by Jakub Vavra at 2021-05-31T14:20:21+02:00
Tests: Add test_ipa_missing_secondary_ipa_posix_groups

Verifies
Issue: #5534
Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1945552
https://bugzilla.redhat.com/show_bug.cgi?id=1937919
https://bugzilla.redhat.com/show_bug.cgi?id=1945654

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
d35f36f0 by Deepak Das at 2021-05-31T14:20:41+02:00
SSSD Log: log_error_reading_file_msg_modification

Replacing error reading file error code with proper message

Resolves: https://github.com/SSSD/sssd/issues/5615

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
9c06088d by Deepak Das at 2021-05-31T14:21:00+02:00
SSSD Log: no_such_file_or_directory_modification

Replacing no such file or directory error code with alternate message

Resolves: https://github.com/SSSD/sssd/issues/5614

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b75ef442 by Sumit Bose at 2021-05-31T14:22:06+02:00
pac: allow larger PACs

Currently the PAC responder only accepts request which are about 1k in
size. Since a PAC can be larger there are cases where the PAC is not
accepted by the PAC responder. Recently SSS_GSSAPI_PACKET_MAX_RECV_SIZE
was added to be able to handle Kerberos tickets which can be also larger
than 1k. Since typically if present the PAC is the largest part of a
Kerberos ticket it makes sense to use the same limit for the PAC
responder.

Resolves: https://github.com/SSSD/sssd/issues/5650

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1f6377d5 by Weblate at 2021-06-04T09:08:39+02:00
po: update translations

(Finnish) currently translated at 5.4% (40 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Polish) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Russian) currently translated at 25.7% (188 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

- - - - -
597a6c2a by Joakim Tjernlund at 2021-06-04T09:10:18+02:00
Gentoo/openrc: Add sssd-kcm service script

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
850af600 by Pavel Březina at 2021-06-04T09:40:38+02:00
pot: update pot files

- - - - -
a3cb9812 by Pavel Březina at 2021-06-04T14:29:44+02:00
sudo: disable ldap_sudo_random_offset by default

Resolves: https://github.com/SSSD/sssd/issues/5609

:config: Default value of `ldap_sudo_random_offset` changed to 0 (disabled). This
  makes sure that sudo rules are available as soon as possible after SSSD start
  in default configuration.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1c655610 by Paweł Poławski at 2021-06-04T14:40:28+02:00
README: Update documentation links

Documentation links in README are broken due to sssd.io website
content recent update. This PR fixes this and remaps links to point
to the correct content in the new upstream documentation.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
669ee920 by Pavel Březina at 2021-06-04T14:46:26+02:00
readme: update documentation repository

- - - - -
c415dde6 by Pavel Březina at 2021-06-04T14:47:41+02:00
pot: update pot files

- - - - -
73cbe0b1 by Sumit Bose at 2021-06-07T11:34:34+02:00
utils: add mod_defaults_list

This patch adds a new utility function to handle options with values
prefixed by '+' or '-' to modify default lists. Unit tests are included.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
70a808d5 by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: replace first argument of filter_responses()

The first argument of filter_responses() is replaced with a more generic
context to allow more flexible use in future.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f491979d by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: parse pam_response_filter values only once

To avoid parsing the configuration options for each PAM request the code
is modified to parse them only once. If the configuration is changed it
is already expected that SSSD is restarted which means that with this
change no functionality is lost.

Tests had to be updated to make sure new values are read.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2a4c3833 by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: change default for pam_response_filter

So far pam_response_filter didn't have any default. It turned out that it
would be useful to filter the environment variable KRB5CCNAME by default
for sudo. The reason is that e.g. in contrast to su the calling user is
authenticated and hence only the Kerberos credentials of the calling
user are available. But this causes a couple of inconsistencies. E.g.
depending on the credential cache type the target user might not have
access to the credential cache and even if the credential cache can be
accessed it will contain credentials with different privileges than the
target user. As a result it seems better to not make KRB5CCNAME available in the
environment of the target user and let him pick the matching default
credential cache.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

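The two commits above for issue 5660 describe (a) a helper that applies '+'/'-' prefixed values to a default list and (b) a default pam_response_filter that drops KRB5CCNAME from the environment for the sudo service. The following is an added example written for this page, not SSSD's C code: it re-implements both behaviours in Python so the combined effect can be checked on sample data. The default list, the `ENV:NAME:SERVICE` entry format, the rule that a value without any prefix replaces the default list, and the choice to ignore a '-' for an entry that is not present are assumptions taken from the sssd.conf documentation as understood here; verify them against your SSSD version.

```python
# Added example (not SSSD code): '+'/'-' default-list modification and
# PAM response filtering as described in the pam_response_filter commits.

# Assumed default list (from the sssd.conf man page; not stated on this page).
DEFAULT_PAM_RESPONSE_FILTER = ["ENV:KRB5CCNAME:sudo", "ENV:KRB5CCNAME:sudo-i"]


def mod_defaults_list(defaults, option_value):
    """Apply a config value to a default list.

    - empty/unset value: defaults are returned unchanged
    - every item prefixed with '+' or '-': add to / remove from the defaults
    - no item prefixed: the value replaces the defaults entirely
    - a mix of prefixed and plain items is rejected (assumption)
    """
    if option_value is None or not option_value.strip():
        return list(defaults)
    items = [i.strip() for i in option_value.split(",") if i.strip()]
    prefixed = [i[0] in "+-" for i in items]
    if not any(prefixed):
        return items
    if not all(prefixed):
        raise ValueError("mixing '+'/'-' modifiers with plain values is not allowed")
    result = list(defaults)
    for item in items:
        op, value = item[0], item[1:].strip()
        if op == "+":
            if value not in result:
                result.append(value)
        elif value in result:           # '-' of an absent entry is ignored (assumption)
            result.remove(value)
    return result


def parse_filter(entry):
    """Parse 'ENV:NAME[:SERVICE]'; an empty SERVICE means every PAM service."""
    parts = entry.split(":")
    if len(parts) < 2 or parts[0] != "ENV" or not parts[1]:
        raise ValueError(f"unsupported filter entry: {entry!r}")
    service = parts[2] if len(parts) > 2 and parts[2] else None
    return ("ENV", parts[1], service)


def filter_responses(filters, service, responses):
    """Drop PAM responses matching a filter for the given service.

    responses: list of (type, value); ENV responses carry 'NAME=value'.
    """
    rules = [parse_filter(f) for f in filters]
    kept = []
    for rtype, value in responses:
        var = value.split("=", 1)[0] if rtype == "ENV" else None
        drop = rtype == "ENV" and any(
            name == var and (svc is None or svc == service)
            for _, name, svc in rules
        )
        if not drop:
            kept.append((rtype, value))
    return kept


if __name__ == "__main__":
    # Constructed sample responses, as a PAM responder might hand to the client.
    sample = [("ENV", "KRB5CCNAME=KCM:"), ("ENV", "HOME=/root"), ("USER", "alice")]
    active = mod_defaults_list(DEFAULT_PAM_RESPONSE_FILTER, "+ENV:KRB5CCNAME:su")
    print("active filters:", active)
    print("sudo gets:", filter_responses(active, "sudo", sample))
    print("login gets:", filter_responses(active, "login", sample))
```

With no value set, sudo and sudo-i lose KRB5CCNAME while every other service still receives it; an administrator who wants the same for su adds `+ENV:KRB5CCNAME:su` rather than retyping the whole list.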
- - - - -
ecb2ae7a by Paweł Poławski at 2021-06-08T11:02:59+02:00
krb5_child: Honor Kerberos keytab location

Kerberos keytab location can be specified per domain in sssd.conf.
If it is not specified - default path is used: /etc/krb5.keytab
The problem is that default path itself can be redefined for kerberos
by adding entry in krb5.conf:

  [libdefaults]
  default_keytab_name = /<PATH>/krb5.keytab

krb5_child will still use /etc/krb5.keytab as the default value which
will cause an error.

This patch adds config checking to krb5_child.
If the keytab parameter is set to /etc/krb5.keytab,
krb5_child will validate it against krb5.conf and eventually
overwrite it with the value presented there.

Reviewed-by: Sumit Bose <sbose at redhat.com>

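To make the resolution order in the commit above concrete, here is an added example (written for this page, not krb5_child's code) that reads `default_keytab_name` from the `[libdefaults]` section of a krb5.conf text and computes the keytab path that should be used. The minimal parser is an assumption for this example (it only handles top-level `key = value` lines and skips `{ ... }` realm blocks); the `FILE:` prefix handling assumes the usual keytab `type:residual` naming, and the sample krb5.conf is constructed.

```python
# Added example (not SSSD code): resolve the effective keytab the way the
# commit describes -- honour default_keytab_name only when the configured
# value is still the compiled-in default.

DEFAULT_KEYTAB = "/etc/krb5.keytab"   # compiled-in default named in the commit


def libdefaults_from_krb5_conf(text):
    """Return key -> value for top-level entries of [libdefaults].

    Minimal parser written for this example: understands '[section]' headers,
    'key = value' lines and '#'/';' comment lines, and skips '{ ... }'
    sub-blocks (as used under [realms]) so their keys are not picked up.
    """
    section = None
    depth = 0
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "{" in line:
            depth += line.count("{")
        if "}" in line:
            depth -= line.count("}")
            continue
        if depth > 0 or section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        out[key] = value
    return out


def effective_keytab(configured_keytab, krb5_conf_text):
    """configured_keytab: krb5_keytab from sssd.conf, or None when unset.

    An explicit non-default path always wins. Only when the value is the
    compiled-in default is krb5.conf consulted for default_keytab_name.
    """
    keytab = configured_keytab or DEFAULT_KEYTAB
    if keytab != DEFAULT_KEYTAB:
        return keytab
    override = libdefaults_from_krb5_conf(krb5_conf_text).get("default_keytab_name")
    if not override:
        return keytab
    if override.startswith("FILE:"):   # keytab names may carry a type prefix (assumption)
        override = override[len("FILE:"):]
    return override


# Constructed sample krb5.conf; the [realms] block deliberately contains a
# default_keytab_name that must be ignored.
SAMPLE_KRB5_CONF = """
# constructed sample for this example
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_keytab_name = FILE:/var/lib/sss/keytabs/host.keytab

[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
        default_keytab_name = /should/be/ignored
    }
"""

if __name__ == "__main__":
    print("unset in sssd.conf ->", effective_keytab(None, SAMPLE_KRB5_CONF))
    print("explicit path      ->", effective_keytab("/etc/sssd/host.keytab", SAMPLE_KRB5_CONF))
```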
- - - - -
c917f977 by Justin Stephenson at 2021-06-08T11:04:15+02:00
RESPONDER: Generate incrementing client ID

This client ID will be passed through SSSD components to allow
tracking requests across SSSD.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bee426c8 by Justin Stephenson at 2021-06-08T11:04:15+02:00
SBUS: Send Client ID across to DP interfaces

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7ed87872 by Justin Stephenson at 2021-06-08T11:04:16+02:00
RESPONDER LOGS: Log the Client ID where accessible

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d0e35894 by Justin Stephenson at 2021-06-08T11:04:16+02:00
CACHE_REQ: Log the Client ID of the cache request

Log the Client ID at the initial cache request submission.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4f1a06d1 by Justin Stephenson at 2021-06-08T11:04:16+02:00
DP: Propagate down the client id and sender name

Make the client ID and responder name available to log where
the DP request is attached. This will ensure we log the CID,
originating responder name, and DP-internal request ID for
all DP requests.

[dp_attach_req] (0x0400): DP Request [Initgroups #14]: REQ_TRACE: New
request. [sssd.pam CID #1] Flags [0x0001].

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5674aaed by Pavel Březina at 2021-06-08T11:45:35+02:00
pot: update pot files

- - - - -
dbd50453 by Pavel Březina at 2021-06-08T13:37:23+02:00
Update version in version.m4 to track the next release

- - - - -
c6cd2fe3 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
krb5_child: reduce log severity in sss_send_pac() in case PAC responder isn't running.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0eccee18 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
secrets: reduce log severity in local_db_create() in case entry already exists since this is expected during normal operations.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
624e3fe7 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
KCM: use SSSDBG_MINOR_FAILURE for ERR_KCM_OP_NOT_IMPLEMENTED

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0646917c by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
KCM: reduce log severity in sec_get() in case entry not found

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b0474248 by Yuri Chornoivan at 2021-06-17T12:25:50+02:00
Fix minor typos in docs

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
2a3fb3bd by Justin Stephenson at 2021-06-17T12:25:50+02:00
KCM: Unset _SSS_LOOPS

Since sssd_kcm is working independently of other SSSD components,
especially the nss responder, and the kcm client side in libkrb5 of
course does not check for _SSS_LOOPS to protect sssd_kcm from calling
into itself the variable is not needed.

This allows repeated getpwuid() calls in KCM renewals code to succeed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
daad8387 by Jakub Vavra at 2021-06-17T12:25:50+02:00
Tests: Add test_innetgr_threads

Verifies
Issue: #5540
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1703436

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
9d576e47 by Dan Lavu at 2021-06-17T12:28:39+02:00
tests: Adding multihost test for supporting asymmetric nsupdate auth

* https://bugzilla.redhat.com/show_bug.cgi?id=1884301

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
ff3f8570 by Dan Lavu at 2021-06-17T12:29:16+02:00
tests: Adding tests to cover ad discovery improvements using cldap

* This test requires a primary and secondary domain controller so AD can be moved between sites
* Currently contains four test cases
** Two DCs in one site no restrictions.
** Two DCs in one site, traffic blocked to the other DC
** DCs in separate sites no restrictions
** DCs in separate sites, traffic blocked to the other DC

Signed-off-by: Dan Lavu <dlavu at redhat.com>

SSSD-2497

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
68ed4d4a by Paweł Poławski at 2021-06-17T12:31:31+02:00
README: Dead social media link remove

Back in 2011 SSSD started using twitter account to broadcast releases.
Last time it happened 13.06.2019 so this account can be considered as
dead. This PR removes link to it from main README.

Resolves: https://github.com/SSSD/sssd/issues/5649

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4e3e8727 by Pavel Březina at 2021-06-17T15:36:27+02:00
tests: fix pep8 issues

- - - - -
a6e5d53a by Pavel Březina at 2021-06-18T12:33:05+02:00
kcm: terminate client on bad message

The debug message clearly says that the original intention was to
abort the client, not send an error message.

We may end up in a state where we get into an infinite loop, for example
when the client sends a message that indicates 0 length, but there is
actually more data written. In this case, we never read the rest of the
message but the file descriptor is still readable so the fd handler gets
fired again and again.

More information can be seen in relevant FreeIPA ticket:
https://pagure.io/freeipa/issue/8877

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

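The failure mode in the commit above (a malformed length prefix leaving unread bytes on a still-readable descriptor) is easy to reproduce with a small simulation. The following is an added example for this page, not sssd_kcm's code: it uses a constructed 4-byte length-prefixed framing (not KCM's actual wire format) and a fake connection object, and contrasts a handler that only replies with an error against one that terminates the client, counting how many times the "readable" handler fires.

```python
# Added example (not SSSD code): why a bad frame must terminate the client
# instead of being answered with an error.
import struct

# Constructed framing for this example: 4-byte big-endian length, then payload.
HEADER = struct.Struct("!I")
MAX_MESSAGE = 64 * 1024


class FakeConn:
    """Stand-in for a client socket: bytes the server has not consumed yet."""

    def __init__(self, data: bytes):
        self.pending = bytearray(data)
        self.closed = False
        self.sent = []

    def readable(self):
        # The event loop keeps firing the handler while unread data remains.
        return bool(self.pending) and not self.closed


def read_frame(conn):
    """Return ('frame', payload), ('need_more', None) or ('bad', reason)."""
    if len(conn.pending) < HEADER.size:
        return ("need_more", None)
    (length,) = HEADER.unpack_from(conn.pending)
    if length == 0:
        return ("bad", "zero-length message")
    if length > MAX_MESSAGE:
        return ("bad", f"message too large: {length}")
    if len(conn.pending) < HEADER.size + length:
        return ("need_more", None)
    payload = bytes(conn.pending[HEADER.size:HEADER.size + length])
    del conn.pending[:HEADER.size + length]
    return ("frame", payload)


def _serve(conn, on_bad, max_iterations=10):
    """Drive the fd handler until nothing is readable or the cap is hit.

    Returns how many times the handler fired; the cap stands in for the
    'again and again' the commit message describes.
    """
    fired = 0
    while conn.readable() and fired < max_iterations:
        fired += 1
        kind, value = read_frame(conn)
        if kind == "frame":
            conn.sent.append(b"OK:" + value)
        elif kind == "bad":
            on_bad(conn, value)
        else:
            break   # wait for more bytes from the client
    return fired


def serve_buggy(conn, max_iterations=10):
    """Pre-fix behaviour: send an error, consume nothing, keep the client."""
    def reply_error(c, reason):
        c.sent.append(b"ERR:" + reason.encode())
    return _serve(conn, reply_error, max_iterations)


def serve_fixed(conn, max_iterations=10):
    """Post-fix behaviour: a malformed frame terminates the client."""
    def terminate(c, reason):
        c.closed = True
    return _serve(conn, terminate, max_iterations)


if __name__ == "__main__":
    good = HEADER.pack(5) + b"hello"
    bad = HEADER.pack(0) + b"garbage"    # claims 0 bytes, but more data follows
    print("good frame fired", serve_fixed(FakeConn(good)), "time(s)")
    print("bad frame, buggy handler fired", serve_buggy(FakeConn(bad)), "times")
    print("bad frame, fixed handler fired", serve_fixed(FakeConn(bad)), "time(s)")
```

The buggy handler hits the iteration cap because the seven stray bytes are never consumed and the connection is never closed; a real event loop has no cap, which is the busy loop the ticket describes. Closing the descriptor is also what keeps one misbehaving local client from pinning the daemon's CPU.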
- - - - -
8dba7476 by Alexey Tikhonov at 2021-06-21T13:36:25+02:00
DEBUG: don't reset debug_timestamps/microseconds to DEFAULT in `_sss_debug_init()`.

Otherwise `server_setup()` skips reading config settings.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
89a40e77 by Deepak Das at 2021-06-21T16:21:34+02:00
SSSD Log: invalid_argument msg mod

Improve invalid argument msg with additional information

Resolves: https://github.com/SSSD/sssd/issues/5578

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
71301ccf by Alexey Tikhonov at 2021-06-24T10:27:32+02:00
KCM: removed unneeded assignment

Fixes following warning:
```
Error: CLANG_WARNING:
sssd-2.5.1/src/responder/kcm/kcm_renew.c:481:9: warning[deadcode.DeadStores]: Value stored to 'ret' is never read
 #  479|       ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx);
 #  480|       if (ctx == NULL) {
 #  481|->         ret = ENOMEM;
 #  482|           DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n");
 #  483|           return;
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ac0c0b00 by Justin Stephenson at 2021-07-08T11:28:14+02:00
KCM: Drop unnecessary c-ares linking

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b9e60ae0 by Sumit Bose at 2021-07-08T11:28:27+02:00
man: clarify effects of sss_cache on the memory cache

Resolves: https://github.com/SSSD/sssd/issues/5697

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
e373408a by Sofia Nieves at 2021-07-08T11:28:42+02:00
Replacing freenode with libera

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
5feeb8ac by Shridhar Gadekar at 2021-07-08T11:30:12+02:00
Test: sudo rule with runAS set to short-username value

sudo rule containing sudoRunAs attribute to a short-username
should not generate error in the sssd log.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
7646ac95 by Deepak Das at 2021-07-08T11:30:25+02:00
SSSD Log: log_bad_address_msg_mod

Improve Log Containing Bad Address string

Resolves: https://github.com/SSSD/sssd/issues/5577

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
865330c6 by Iker Pedrosa at 2021-07-08T12:28:04+02:00
cache_req: parse name to get shortname

Unless parse_name is set to false parse the name to get the shortname in
cache_req_process_input(). Moreover, check that the input domain name
and the parsed domain name are equal and fail otherwise.

Updated unit tests to mock call to parse function.

Also include an integration test to check that UpdateMemberList()
and GetAll() return the correct users that are members of a group. This
is done by first adding a member to a group and checking that it is
returned correctly. Then, the member is deleted and the interface returns
no members.

Resolves: https://github.com/SSSD/sssd/issues/4255

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5288ddaa by Sumit Bose at 2021-07-09T11:36:19+02:00
files: split update into batches

If the files managed by the files provider contain many users or groups
processing them might take a considerable amount of time. To keep the
backend responsive this patch splits the update into multiple steps
running one after the other but returning to the main loop in between.

This avoids issues during startup because the watchdog timer state is
reset properly. Additionally SBUS messages are processed and as a result
the domain can be marked inconsistent in the frontends properly.

Resolves: https://github.com/SSSD/sssd/issues/5557

:fixes: Update large files in the files provider in batches to avoid
  timeouts

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
0fbd6740 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: add new option fallback_to_nss

To not block callers when SSSD's files is doing a refresh of
/etc/passwd or /etc/group allow to fall back to the next nss module
which is typically libnss_files.

Resolves: https://github.com/SSSD/sssd/issues/5557

:config: Add new config option 'fallback_to_nss'

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
dd1aa579 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: delay refresh and not run in parallel

To avoid constant refreshes if /etc/passwd or /etc/group are modified
multiple times in a short interval the refresh is only started after 1s
of inactivity.

Additionally the request makes sure that only one instance is run.

Resolves: https://github.com/SSSD/sssd/issues/5557

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
19b85063 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: queue certmap requests if a refresh is running

To make sure current and valid data is used when a certificate should be
matched to a user from the files provider the request has to wait until
a running refresh is finished.

Resolves: https://github.com/SSSD/sssd/issues/5557

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b4ee698a by Sumit Bose at 2021-07-09T11:36:19+02:00
cache_req: do not return cached data if domain is inconsistent

If a domain is inconsistent the cached data might be inconsistent as
well, so better not return it.

Resolves: https://github.com/SSSD/sssd/issues/5557

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b85984a3 by Pavel Březina at 2021-07-09T12:06:59+02:00
multihost: fix whitespace issues

whitespace test fails with:

```
Missing new line at the eof: src/tests/multihost/ipa/add-groups.ps1
Missing new line at the eof: src/tests/multihost/ipa/nestedgroups.csv
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
75c204ff by Pavel Březina at 2021-07-09T12:06:59+02:00
multihost: fix pep8 issues

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
17e339d5 by Paweł Poławski at 2021-07-12T20:44:33+02:00
SYSDB: Add search index "originalADgidNumber"

Commit 03bc962 introduced a change which can result in an
unindexed search in some scenarios. The result is a performance
drop compared to older SSSD versions.

This PR adds missing search index: originalADgidNumber

:relnote: Add search index "originalADgidNumber" to SYSDB

Resolves: https://github.com/SSSD/sssd/issues/5430

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ebf463f by Alexey Tikhonov at 2021-07-12T20:44:56+02:00
CACHE_REQ: fixed covscan issues

Fixed following warning:
```
Error: GCC_ANALYZER_WARNING (CWE-476):
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c: scope_hint: In function 'cache_req_data_create'
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c:160:28: warning[-Wanalyzer-null-dereference]: dereference of NULL '0'
 #  158|           break;
 #  159|       case CACHE_REQ_SVC_BY_NAME:
 #  160|->         if (input->svc.name->input == NULL) {
 #  161|               DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
 #  162|               ret = ERR_INTERNAL;
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f02ac230 by Pavel Březina at 2021-07-12T20:45:17+02:00
debug: add support for tevent chain id

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
881a1a41 by Pavel Březina at 2021-07-12T20:45:17+02:00
debug: enable chain id in backend

:feature: Debug messages in data provider include a unique request ID that can be used
  to track the request from its start to its end.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
161ff0e8 by Weblate at 2021-07-12T20:46:47+02:00
po: update translations

(Russian) currently translated at 20.7% (583 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Spanish) currently translated at 67.0% (1888 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Finnish) currently translated at 3.2% (91 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Ukrainian) currently translated at 100.0% (2814 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Ukrainian) currently translated at 97.7% (2750 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

- - - - -
57ac5809 by Pavel Březina at 2021-07-12T20:53:56+02:00
pot: update pot files

- - - - -


7 changed files:

- Makefile.am
- README.md
- configure.ac
- contrib/ci/run
- contrib/ci/sssd.supp
- contrib/sssd.spec.in
- po/bg.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/b38701b9ebdfe1291e0d9f7aa6ff814f9b42b51a...57ac580928664a356f07c38e2aca4cf33d145524
