[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 205 commits: Update version in version.m4 to track the next release

Timo Aaltonen gitlab at salsa.debian.org
Wed Feb 10 11:51:11 GMT 2021



Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd


Commits:
b913ddbd by Pavel Březina at 2020-10-12T15:30:12+02:00
Update version in version.m4 to track the next release

- - - - -
f7dba450 by Alexey Tikhonov at 2020-10-19T11:19:45+02:00
SDAP: set common options for sockets open by libldap

In case of referral chasing libldap can open a new socket on its own.
This socket requires the same setup as socket created by SSSD itself.
Otherwise process can hang on blocked TCP operation.

Resolves: https://github.com/SSSD/sssd/issues/5359

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
81e757b7 by Sumit Bose at 2020-11-05T11:46:24+01:00
ifp: fix use-after-free

The variable fqdn is pointing to some data from state->res->msgs[0]. But
before fqdn is used in the next search state->res and the memory
hierarchy below is freed. As a result the location where fqdn is pointing
to might hold the expected data or other data and the search will fail
intermittently.

Resolves: https://github.com/SSSD/sssd/issues/5382

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
833034f5 by Alexey Tikhonov at 2020-11-05T11:48:15+01:00
DEBUG: journal_send() was made static

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
18233532 by Alexey Tikhonov at 2020-11-05T11:48:15+01:00
DEBUG: fixes program identifier as seen in syslog

Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name`
to accommodate needs of own SSSD logs, but this affected journal/syslog
as well.

This patch amends situation:
 - journal messages get "umbrella" identifier "sssd[]"
 - syslog uses default which is program name

Resolves: https://github.com/SSSD/sssd/issues/5384

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5f3b9e1d by Sumit Bose at 2020-11-05T11:50:59+01:00
AD: do not override LDAP data during GC lookups

The Global Catalog contains user and group information of the whole
forest and hence any Global Catalog server can be used. Currently when a
Global Catalog server is looked up the data of the LDAP server is
overwritten as well. I guess the original intention was to use a single
server for both services.

However since the Global Catalog server can come from any domain in the
forest this might overwrite the LDAP data of a DC from the local domain
with the data from an AD of a remote domain and as a result lookups for
users and groups from the local domain might fail since the remote DC
does not have this information available at the LDAP port. In most cases
this overwrite is hidden by a following lookup to find a KDC for
authentication which is searched only in the local domain again where
the LDAP data is overwritten again to make sure the same DC is used for
LDAP and Kerberos communication. But depending on the connection
timeouts and lifetime of Kerberos tickets the KDC lookup might be
skipped because new credentials are not needed and as a result the wrong
LDAP data is used.

To avoid this the LDAP data is now only set if the current lookup is not
a Global Catalog lookup.

Resolves: https://github.com/SSSD/sssd/issues/5351

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e1bcf77 by Sumit Bose at 2020-11-12T11:22:33+01:00
negcache: make sure domain config does not leak into global

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
385af99f by Sumit Bose at 2020-11-12T11:22:33+01:00
utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()

To allow to only iterate over a single domain and its sub-domains a new
flag is added to get_next_domain().

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0dc81a52 by Sumit Bose at 2020-11-12T11:22:33+01:00
negcache: make sure short names are added to sub-domains

If short names are used with filter_users or filter_groups in a
[domain/...] section they should be added to the sub-domains of this
domain as well.

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fa4b46e7 by Sumit Bose at 2020-11-12T11:22:33+01:00
negcache: do not use default_domain_suffix

When splitting the names from the filter_users and filter_groups options
do not use the default_domain_suffix because it will hide that the
original name is a short name and should be added everywhere.

Additionally this patch fixes a typo where sss_parse_name() was used
instead of sss_parse_name_for_domains().

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
804ae76d by Steeve Goveas at 2020-11-13T11:19:33+01:00
Move conftest.py to basic dir

Following commits have 'ad' and 'alltests' code with their respective
conftest.py files.

This change was tested successfully in downstream CI

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ef4c82bb by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add alltests code

This directory has all tests for ldap and krb5, basically all non ad
tests for sssd

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
73f5699b by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add ad test code

This directory has all tests that need active directory to be available

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3c06709b by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add ipa test code

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6cc11a9a by Steeve Goveas at 2020-11-13T11:19:33+01:00
Update sssd testlibs

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4205accc by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add empty conftest.py and update path to run basic tests

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fe56d5c9 by Steeve Goveas at 2020-11-13T11:19:33+01:00
Fix pep8 issues

Fixes have been tested

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d2d44e9a by Steeve Goveas at 2020-11-13T11:19:33+01:00
Include data directory

It contains AD sudo schema, ldif files, c programs used by the tests

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
94a9833b by Steeve Goveas at 2020-11-13T11:19:33+01:00
Fix errors found during testing

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f404cd3e by Steeve Goveas at 2020-11-13T11:19:33+01:00
Remove trailing whitespaces

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ff24d153 by Alexey Tikhonov at 2020-11-23T11:49:47+01:00
SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in msgs[]

This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL
ptrs in results of sysdb_search_with_ts_attr()

Resolves: https://github.com/SSSD/sssd/issues/5412

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37761b42 by Tomas Halman at 2020-11-23T11:51:15+01:00
CACHE: Create timestamp if missing

In some cases, object is stored in cache but the corresponding
record in timestamp cache is missing (for example when timestamp
cache file is deleted). The timestamp is never created in such
case.

With this patch we create new timestamp object if update doesn't
work for this particular reason (missing object).

Resolves: https://github.com/SSSD/sssd/issues/5121

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
62b2b497 by Tomas Halman at 2020-11-23T11:51:15+01:00
TESTS: Add test for recreating cache timestamp

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e25f8790 by tobias-gruenewald at 2020-11-23T11:52:19+01:00
Change LDAP group type from int to string

https://github.com/SSSD/sssd/issues/5402

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
afa15cb7 by tobias-gruenewald at 2020-11-23T11:52:19+01:00
Change LDAP group type from int to string

https://github.com/SSSD/sssd/issues/5402

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2786071e by tobias-gruenewald at 2020-11-23T11:52:19+01:00
Change LDAP group type from int to string

https://github.com/SSSD/sssd/issues/5402

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3fdfb42b by Justin Stephenson at 2020-11-23T11:52:59+01:00
krb5: Remove secrets text from drop-in KCM file

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3b158934 by Sumit Bose at 2020-11-23T11:55:05+01:00
ifp: fix original fix use-after-free

The original fix stole the fqdn too early. Only for SSS_DP_USER
requests the steal is important. For other requests where the first
result is returned to the caller the original version
might even cause issues since the name does not belong to the memory
hierarchy of the result anymore.

Resolves: https://github.com/SSSD/sssd/issues/5382

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
4ab47a91 by Samuel Cabrero at 2020-11-23T11:55:40+01:00
Improve samba version check for ndr_pull_steal_switch_value signature

The current check will fail when samba 5.0 is released.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6617f3d7 by Samuel Cabrero at 2020-11-23T11:55:40+01:00
winbind idmap plugin: Fix struct idmap_domain definition

The patch for samba bug 13052 was backported to samba >= 4.7.4 adding
the dom_sid field to the idmap_domain struct.

This mismatch in the struct definition causes the plugin to fail
all unixids_to_sids and sids_to_unixids calls with
NT_STATUS_INVALID_PARAMETER for samba versions between 4.7.4 and 4.8.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4b0bd845 by Duncan Eastoe at 2020-11-25T11:36:16+01:00
nss: Use posix_fallocate() to alloc memcache file

If sssd_nss starts up while the filesystem where the memcache files
will reside (SSS_NSS_MCACHE_DIR) does not have sufficient space,
sssd_nss can be killed by SIGBUS while attempting to write to the
mmap()'d address space.

Replace the ftruncate() call with posix_fallocate(), which will fail
in this scenario, so we can detect the condition and continue startup
without the memcache functionality.

Fixes #5369

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
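
The ftruncate()/posix_fallocate() difference described in the commit message above, as an added example that is not part of the commit or of SSSD's code. All names (`mapped_cache`, `reserve_blocks`, `mapped_cache_open`) are hypothetical, and the failure path is triggered with an invalid descriptor as a stand-in for a full filesystem.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical structure for this example; not SSSD's memcache context. */
struct mapped_cache {
    int fd;
    void *base;
    size_t size;
};

/* Reserve real blocks for the whole file before it is mapped.
 * ftruncate() would only set the length and leave a sparse file, so a
 * full filesystem would surface later as SIGBUS on the first store into
 * the mapping. posix_fallocate() reports the problem here instead.
 * Note: it returns the error number directly and does not set errno. */
int reserve_blocks(int fd, size_t size)
{
    int ret;

    do {
        ret = posix_fallocate(fd, 0, (off_t)size);
    } while (ret == EINTR);

    return ret;
}

/* Returns 0 and fills *mc on success. On failure returns an errno value
 * and leaves *mc empty, so the caller can keep running without a cache. */
int mapped_cache_open(int fd, size_t size, struct mapped_cache *mc)
{
    void *base;
    int ret;

    mc->fd = -1;
    mc->base = NULL;
    mc->size = 0;

    ret = reserve_blocks(fd, size);
    if (ret != 0) {
        return ret;             /* e.g. ENOSPC: detected before any mmap() */
    }

    base = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (base == MAP_FAILED) {
        return errno;
    }

    mc->fd = fd;
    mc->base = base;
    mc->size = size;
    return 0;
}

void mapped_cache_close(struct mapped_cache *mc)
{
    if (mc->base != NULL) {
        munmap(mc->base, mc->size);
    }
    if (mc->fd >= 0) {
        close(mc->fd);
    }
    mc->fd = -1;
    mc->base = NULL;
    mc->size = 0;
}

/* Success path on a constructed temporary file: every byte of the mapping
 * can be written because the blocks were reserved first. Returns 0 if OK. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/mc_demo_XXXXXX";
    const size_t size = 64 * 1024;
    struct mapped_cache mc;
    struct stat st;
    int fd, ret;

    fd = mkstemp(path);
    if (fd < 0) {
        return errno;
    }
    unlink(path);               /* file disappears once the fd is closed */

    ret = mapped_cache_open(fd, size, &mc);
    if (ret != 0) {
        close(fd);
        return ret;
    }

    memset(mc.base, 0xA5, size);
    ret = (fstat(fd, &st) == 0 && (size_t)st.st_size == size &&
           ((unsigned char *)mc.base)[size - 1] == 0xA5) ? 0 : EIO;
    mapped_cache_close(&mc);
    return ret;
}

/* Failure path: the reservation fails (invalid fd here, ENOSPC in the
 * scenario from the commit message) and no mapping is ever created.
 * Returns 1 when the error was reported and the cache left disabled. */
int demo_failure_detected(void)
{
    struct mapped_cache mc;
    int ret = mapped_cache_open(-1, 4096, &mc);

    return ret != 0 && mc.base == NULL && mc.fd == -1;
}

int main(void)
{
    printf("roundtrip: %s\n", demo_roundtrip() == 0 ? "ok" : "failed");
    printf("failure reported, running without cache: %s\n",
           demo_failure_detected() ? "yes" : "no");
    return 0;
}
```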

- - - - -
311e2272 by Duncan Eastoe at 2020-11-25T11:36:16+01:00
nss: remove clear_mc_flag file after clearing caches

This has the effect of delaying the exit of sss_cache after it has
requested a clearing of the cache.

This should prevent an issue observed in the integration tests where
sssd_nss was terminated while the cache clear was in progress.
Specifically the test_*_before_stop tests in test_memory_cache.py.

All this change is really doing is delaying sending SIGTERM, to try
and give sssd_nss a chance to complete the clear operation.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e225ff7 by Alexey Tikhonov at 2020-11-30T12:40:19+01:00
KCM: avoid NULL deref

Fixes following issue:
```
/src/responder/kcm/kcmsrv_op_queue.c:129: check_after_deref: Null-checking "entry" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
 #   127|       terminating = entry->queue->qctx->kctx->rctx->shutting_down;
 #   128|
 #   129|->     if (entry == NULL) {
 #   130|           return 1;
 #   131|       /* Prevent use-after-free of req when shutting down with non-empty queue */
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c87b2208 by Sumit Bose at 2020-11-30T13:46:34+01:00
nss: check if groups are filtered during initgroups

If groups are filtered, i.e. SSSD should not handle them, they should
not appear in the group list returned by an initgroups request.

Resolves: https://github.com/SSSD/sssd/issues/5403

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
47a316c8 by Pavel Březina at 2020-12-04T11:43:30+01:00
kcm: fix typos in debug messages

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8edcea8c by Pavel Březina at 2020-12-04T11:43:30+01:00
kcm: avoid name confusion in GET_CRED_UUID_LIST handlers

The function name did not follow best practices and it got easily confused
with `kcm_op_get_cred_by_uuid_getbyname_done`.

```
kcm_op_get_cred_uuid_getbyname_done
kcm_op_get_cred_by_uuid_getbyname_done
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b8f28d9a by Pavel Březina at 2020-12-04T11:43:30+01:00
kcm: disable encryption

Encryption was a huge bottleneck for the secdb backend. This is
backwards compatible and there is no need to destroy existing
ccache. It will be stored unencrypted at first write to the cache.

Note that the encryption did not provide any security as the cache
is accessible only by root and the master key is stored together
with the cache. So once someone gains access to the file it can
be easily decrypted. Additionally, there was also no encryption at
the memory level.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
74fdaa64 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: avoid multiple debug messages if sss_sec_put fails

sec_put() already logs a message if the underlying function fails
so this debug message is really unnecessary.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
908c15af by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: allow to specify secret's data format

Currently, both KCM and secrets responders store JSON formatted string
in the secrets database. One of the next commits makes KCM store
binary format instead of JSON string to improve performance. We need
to be able to distinguish the formats to keep KCM update compatible
with existing ccache and also to keep secrets responder working.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ed08ba00 by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: accept binary data instead of string

Currently, both KCM and secrets responders store JSON formatted string
in the secrets database. One of the next commits makes KCM store
binary format instead of JSON string to improve performance. We need
to be able to distinguish the formats to keep KCM update compatible
with existing ccache and also to keep secrets responder working.

Secrets responder test had to be amended to fit into a new maximum
payload which is now reduced by one byte for the secrets responder
to hold the ending zero of a secret string.

This is a corner case in a long deprecated responder that is not even
built by default and has no known consumers so it is fine to fast fix
the test.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b6cc661b by Pavel Březina at 2020-12-04T11:43:31+01:00
iobuf: add more iobuf functions

These will be used in later patches.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9b1631de by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: add json suffix to existing serialization functions

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e63a1503 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: move sec key parser to separate file so it can be shared

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
15069a64 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: avoid suppression of cppcheck warning

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
f17740d8 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: add spaces around operators in kcmsrv_ccache_key.c

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
194447d3 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: use binary format to store ccache instead of json

JSON is computationally complex and the parser is a bottleneck which
consumes about 10% of time. It also creates the ccache unnecessarily
large because it requires lots of unneeded characters and base64
encoding.

Binary format is fast, simple and small.

This is backwards compatible and there is no need to destroy existing
ccache. It will be stored in binary format at first write to the cache.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
241ee30d by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: add per-connection data to be shared between requests

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a370553c by Pavel Březina at 2020-12-04T11:43:31+01:00
sss_ptr_hash: fix double free for circular dependencies

If the hash table delete callback deletes the stored item,
we can end up in double free in case when we try to override
an existing item (hash_enter(key) where key already exists).

```c
static void delete_cb(hash_entry_t *item,
                      hash_destroy_enum deltype,
                      void *pvt)
{
    talloc_free(item->value.ptr);
}

hash_enter(key);
hash_enter(key);
```

The double free itself is fine, since it is done via talloc destructor
and talloc can cope with that. However, the hash table fails to store
the new entry because hash_delete is called twice.

```
_sss_ptr_hash_add -> hash_enter -> hash_delete(old) -> delete_cb -> sss_ptr_hash_value_destructor -> hash_delete
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c3b314db by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: store credentials list in hash table to avoid cache lookups

Iteration over ccache requires CRED_UUID_LIST and then calling
CRED_BY_UUID for each uuid in the obtained list. Each CRED_BY_UUID
operation invoked ldb_search and decryption. This was a substantial
bottleneck.

Resolves: https://github.com/SSSD/sssd/issues/5349

:fixes: KCM performance has improved dramatically for cases where
  large amount of credentials are stored in the ccache.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
bf127d4f by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: fix may_payload_size exceeded debug message

The unit is bytes (B) not bits (b) and the conversion of the input
payload size to KiB was wrong (multiplying bytes * 1024).

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9c1b51d0 by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: default to "plaintext" if "enctype" attr is missing

This is a sane fallback behavior, however it should not happen since
the attribute should be always present.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
39277cda by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: move attrs names to macros

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
325de5a5 by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: remove base64 enctype

This was added as part of KCM performance improvements but never used.
Ldb is fully capable of holding binary data without the need for base64
encoding so this is not needed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3f0ba4c2 by Pavel Březina at 2020-12-04T11:51:52+01:00
cache_req: allow cache_req to return ERR_OFFLINE if all dp request failed

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e50258da by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: return ERR_OFFLINE if we fail to get information from backend and cache is empty

Resolves:
https://github.com/SSSD/sssd/issues/3413

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9098108a by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: translate ERR_OFFLINE to EHOSTDOWN

So we do not publish internal error code.

Resolves:
https://github.com/SSSD/sssd/issues/3413

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
34c519a4 by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: disable fast reply

If the backend is offline when autofs starts and reads auto.master map
we don't want to wait 60 seconds before the offline flag is reset. We
need to allow autofs to retry the call much sooner.

Resolves:
https://github.com/SSSD/sssd/issues/3413

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8a22d4ad by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: correlate errors for different protocol versions

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
075519bc by Pavel Březina at 2020-12-04T11:51:52+01:00
configure: check for stdatomic.h

Recent autofs patches add a dependency on atomic_uint/_Atomic type from C11
standard. This is supported in both gcc and clang for a long time now.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
78ef0828 by Madhuri Upadhye at 2020-12-04T12:03:24+01:00
Test: AD: For sssd crash in ad_get_account_domain_search

Configures the AD domain and makes it unreachable by changing
ad_domain parameter. Checks the request flag 0x0001 in log after
sssd restart.

Verifies:
  Issue: #5295
  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1734040

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
18b98836 by Pavel Březina at 2020-12-11T10:31:14+01:00
kcm: decode base64 encoded secret on upgrade path

Previous inefficient code encoded the secret multiple times:
  secret -> base64 -> masterkey -> base64

To allow smooth upgrade for already existent ccache we need to also decode
the secret if it is still in the old format (type == simple). Otherwise
users are not able to log in.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
45f2eb57 by Pavel Březina at 2020-12-16T15:48:29+01:00
sss_format.h: include config.h

config.h is required for the definitions to work correctly. Compilation
will fail if sss_format.h is included in a file that does not include
directly or indirectly config.h

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b0e48c3 by Pavel Březina at 2020-12-16T15:48:29+01:00
packet: add sss_packet_set_body

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6715b31f by Pavel Březina at 2020-12-16T15:48:29+01:00
domain: store hostname and keytab path

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a3e2677f by Pavel Březina at 2020-12-16T15:48:29+01:00
cache_req: add helper to call user by upn search

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dcc42015 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: fix typo in debug message

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d63172f1 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: add pam_gssapi_services option

:config: Added `pam_gssapi_services` to list PAM services
  that can authenticate using GSSAPI

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fffe3169 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: add pam_gssapi_check_upn option

:config: Added `pam_gssapi_check_upn` to enforce authentication
  only with principal that can be associated with target user.

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d09aa174 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: add pam_sss_gss module for gssapi authentication

:feature: New PAM module `pam_sss_gss` for authentication using GSSAPI
:packaging: Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1b9b7f5a by Sumit Bose at 2020-12-16T15:55:56+01:00
pam_sss: use unique id for gdm choice list

Currently the key-id read from the Smartcard is used as key value for
the gdm choice list dialog. Since it might be possible that multiple
certificates use the same key and hence the same key-id this is not a
suitable value.

With this patch the string representation of a numerical counter is used.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8b6be52e by Sumit Bose at 2020-12-16T15:55:56+01:00
authtok: add label to Smartcard token

The key-id might not be sufficient to identify a certificate on a
Smartcard since it is possible that multiple certificates will use the
same key.

This patch adds the certificate label to the Smartcard authtok item to
resolve the ambiguity if the key-id is used for multiple certificates.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b8800d3e by Sumit Bose at 2020-12-16T15:55:56+01:00
pam_sss: add certificate label to reply to pam_sss

Add the certificate label to the data sent back and forth to the pam
module to avoid the ambiguity if two certificates use the same key.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
f633f37e by Sumit Bose at 2020-12-16T15:55:56+01:00
add tests multiple certs same id

Add unit test for the case that two certificates use the same key.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b5264396 by Madhuri Upadhye at 2020-12-16T16:05:00+01:00
Test: alltests: "enabled" option to domain section

Configure multiple domains and check 'enabled' parameter.
It consists of 4 test cases:
1. Add 'enabled = true' in both ldap domains and check userlookups.
2. Check userlookup when 'domains = ldap1' and add 'enabled =
   true' in both ldap1, ldap2 section.
3. Check userlookup when enabled option in snippet file and
   'domains = ' in sssd section.
4. Check userlookup when enabled option is set true in snippet
   file

Verifies:
  Issue: #4743
  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1884196

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
2b00d507 by Madhuri Upadhye at 2020-12-16T16:05:00+01:00
Update remove command to delete the snippet files

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
014f416d by Madhuri Upadhye at 2020-12-16T16:05:00+01:00
Update the title of test case.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
1e9abd50 by Paweł Poławski at 2020-12-22T17:10:23+01:00
data_provider_be: Add random offset default

Replace hardcoded default value of 30 with more meaningful
OFFLINE_TIMEOUT_RANDOM_OFFSET define.

This value is used to calculate task timeout during offline
status checking by formula (from SSSD MAN page):

new_interval = (old_interval * 2) + random_offset

As it is explicitly mentioned in documentation it should
be expressed in the code in a similar way.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
171b664e by Paweł Poławski at 2020-12-22T17:10:23+01:00
data_provider_be: MAN page update

Updated description of parameters:
* offline_timeout
* offline_timeout_max

MAN page now explains that in some circumstances
correlation of offline_timeout and offline_timeout_max values
may lead to offline checking interval not incrementing.
This is a false positive error as in fact the value
just saturates almost instantly.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
e350d917 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:autofs: cosmetic updates

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
df723cb9 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB: wrong debug message corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d8af1db8 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:sudo: changed debug message to be consistent

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b4acf71d by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:iphosts: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a73df70e by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:ipnetworks: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
033c31a2 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:ops: few debug messages were corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
74458241 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:search: few debug messages were corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f55c9599 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:selinux: debug message severity level was adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e731368e by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:service: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
82dc14b0 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:upgrade: debug message corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
daa5454f by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:views: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fe0530ef by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
MONITOR: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
85d8adc4 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
P11_CHILD: severity level of few debug messages adjusted

Severity level of few debug messages was adjusted and journal message
in case of disabled certificate verification was added.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d6f6f053 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
AD: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2f70695a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
DP: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
667b983a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
IPA: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9244820a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
KRB5: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ff8f44ce by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
LDAP: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d91409df by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
PROXY: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fb052a4c by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
RESOLV: debug message correction

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
018c08ac by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
AUTOFS: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
01ba32f2 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
CACHE_REQ: debug message correction

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
058644f2 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
RESPONDER: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f457a1a6 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
IFP: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f028253f by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
NSS: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3cbd0465 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
PAM: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5068655a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
UTIL: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ac228590 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
PAM: reduce log level in may_do_cert_auth()

Reduce log level in may_do_cert_auth() as this is not a critical failure

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a7b6413d by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
UTIL: sss_ldb_error_to_errno() improved

LDB_ERR_NO_SUCH_ATTRIBUTE error code was added to mapping and log level
for unknown error code was reduced.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
52dc8554 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB: reduce log level in sysdb_update_members_ex() in case failed attempt to DEL unexisting attribute

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
99e44d9d by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: added missed \n in log message

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a419b7e6 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SSS_IFACE: corrected misleading return code

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1af89925 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: corrected confusing message

Log message like:
```
sysdb_getpwnam() got more users than expected. Expected [1], got [0]
```
looks a bit confusing.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
69aa3e8c by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
DP: do not log failure in case provider doesn't support check_online method

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
90dae38d by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
RESPONDER: reduce log level in sss_parse_inp_done() in case of "Unknown domain" since this might be search by UPN

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6e3b4d74 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SBUS: reduced log level in case of unexpected signal

Most probably module is not fully initialized yet.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a7b145b9 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: reduced log level in hosts_get_done()

Absent host in LDAP server isn't SSSD failure.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
26fdc3c8 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
CACHE_REQ: reduced log level in cache_req_object_by_name_well_known() Non fqdn input isn't necessarily an error here.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ed6ec569 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SDAP: reduced log level in case group without members

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29f243fd by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
AD: reduced log level in case check_if_pac_is_available() can't find user entry. This is typical situation when, for example, INITGROUPS lookup is executed for uncached user.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4fe060ab by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
FILES: reduced debug level in refresh_override_attrs() in case "No overrides, nothing to do"

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
644453f8 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LOGS: default log level changed to <= SSSDBG_OP_FAILURE

:config: New default value of `debug_level` is 0x0070

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
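
What the new default of 0x0070 keeps and drops, as an added example that is not SSSD code: the four sample lines are copied from the log excerpt in commit 2499bd14 further down this page. The helper names are hypothetical, and the rule that a message is written when its level bit is set in `debug_level` is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NEW_DEFAULT_DEBUG_LEVEL 0x0070UL   /* value stated in commit 644453f8 */

/* Log lines copied from the excerpt in commit 2499bd14 on this page. */
static const char *const sample_log[] = {
    "(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured",
    "(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache",
    "(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache",
    "(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline",
};
#define SAMPLE_COUNT (sizeof(sample_log) / sizeof(sample_log[0]))

/* Hypothetical helper: extract the level from
 * "(time): [program] [function] (0xNNNN): message".
 * Returns 0 when the line carries no level field. */
static unsigned long line_level(const char *line)
{
    const char *p = strstr(line, "] (0x");
    char *end = NULL;
    unsigned long level;

    if (p == NULL) {
        return 0;
    }
    level = strtoul(p + 3, &end, 16);      /* p + 3 points at "0x..." */
    if (end == NULL || strncmp(end, "):", 2) != 0) {
        return 0;
    }
    return level;
}

/* Assumption: a message is written when its level bit is set in the mask. */
static int would_be_logged(unsigned long debug_level, const char *line)
{
    unsigned long level = line_level(line);

    return level != 0 && (debug_level & level) != 0;
}

/* Number of sample lines that survive a given debug_level mask. */
static size_t count_logged(unsigned long debug_level)
{
    size_t kept = 0;

    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        if (would_be_logged(debug_level, sample_log[i])) {
            kept++;
        }
    }
    return kept;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        printf("%s 0x%04lx  %.60s...\n",
               would_be_logged(NEW_DEFAULT_DEBUG_LEVEL, sample_log[i])
                   ? "kept   " : "dropped",
               line_level(sample_log[i]), sample_log[i]);
    }
    printf("%zu of %zu lines are written at debug_level=0x%04lx\n",
           count_logged(NEW_DEFAULT_DEBUG_LEVEL), SAMPLE_COUNT,
           NEW_DEFAULT_DEBUG_LEVEL);
    return 0;
}
```

Only the 0x0040 backend error survives the default mask; the responder's "SSSD is offline" result is logged at 0x0400 and needs a higher `debug_level` to appear.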

- - - - -
0986cf6c by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
UTIL: fixed bug in server_setup() that prevented setting debug level to 0 explicitly

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9215cf4e by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
CERTMAP: removed stray debug message

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9390af3c by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: reduce log level in apply_subdomain_homedir()

Missing UID for SYSDB_GROUP_CLASS is not an error
(see commit message of e66517dcf63f1d4aaf866c22371dac7740ce0a48 for
additional details)

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
60b17be9 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SYSDB: changed log level in sysdb_update_members_ex()

Fail to add already existing member isn't critical.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bf873598 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: ignore failed group search in certain cases

It's currently expected to see those messages with sudo or HBAC rules in play.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e86599ba by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: changed logging in ipa_get_subdom_acct_send()

Frontends do not know what kind of lookup the backends support
so it is expected that they might send unsupported requests.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dba7de0d by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SYSDB: changed logging in sysdb_get_real_name()

Missing cache entry isn't an error.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
00e3ac4a by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: reduce log level in case of fail to store members of missing group (it might be built-in skipped intentionally)

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0db68a1f by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: sdap_save_grpmem(): log level changed

There are legitimate reasons when sdap_save_grpmem() can be called
with `ignore_group_members = true`

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd2f38ab by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
UTIL: find_domain_by_object_name_ex() changed log level

It's up to user of this function to judge if fail to parse fqname is
a critical error.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ea1739d by Pavel Březina at 2021-01-11T11:23:57+01:00
pam_sss: fix missing initializer warning

src/sss_client/pam_sss.c: In function ‘prompt_sc_pin’:
src/sss_client/pam_sss.c:1865:41: error: missing initializer for field ‘prev’ of ‘struct cert_auth_info’ [-Werror=missing-field-initializers]
 1865 |                                         NULL, NULL, NULL, NULL, NULL, NULL };

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c0ae6d34 by Pavel Březina at 2021-01-11T11:23:57+01:00
pamsrv_gssapi: fix implicit conversion warning

src/responder/pam/pamsrv_gssapi.c: In function ‘pam_cmd_gssapi_sec_ctx’:
src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from ‘enum sss_domain_type’ to ‘enum cache_req_dom_type’ [-Werror=enum-conversion]
  716 |                                      cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a25256fe by Sergio Durigan Junior at 2021-01-11T11:24:19+01:00
Only start sssd.service if there's a configuration file present

This commit is the follow-up of the discussion that is happening here:

https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1900642

In a nutshell, SSSD is compiled with --disable-files-domain and
installed without a configuration file by default, which means that
it's impossible to start it successfully unless the user has actively
created/copied a sssd.conf inside /etc/sssd.

There are two possible ways to have sssd.service successfully start:

1) If SSSD is configured with --enable-files-domain, then no
   configuration file is required, and the service can start normally.

2) If SSSD is configured with --disable-files-domain, then a
   configuration file is required.  This can be either
   /etc/sssd/sssd.conf, or a snippet under /etc/sssd/conf.d/.

For this reason, I'd like to suggest that we conditionally add the
following lines to sssd.service:

  ConditionPathExists=|/etc/sssd/sssd.conf
  ConditionDirectoryNotEmpty=|/etc/sssd/conf.d/

These lines will be added only if SSSD is not configured with
--enable-files-domain.

Signed-off-by: Sergio Durigan Junior <sergio.durigan at canonical.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1a616b59 by Steeve Goveas at 2021-01-11T11:26:26+01:00
tests: modify ipa client install for fedora

freeipa installs as a package in fedora

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f7ccc679 by Steeve Goveas at 2021-01-15T11:56:12+01:00
TEST: Split tier1 tests with new pytest marker

Runtime for tier1 tests is currently 70 minutes. It will continue to
grow as we add new tests to it and the time for execution would increase
as well. To keep the job to run within 60 minutes, we are adding a new
marker "tier1_2" and a new job. This job will run in parallel on
separate resources to bring down the total time taken for execution.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
19c2c641 by Sumit Bose at 2021-01-15T11:56:31+01:00
simple: fix memory leak while reloading lists

The simple access provider will reload the access and deny lists at
runtime to make sure that users and groups from domains which are
discovered at runtime are properly processed.

While reloading the lists the original lists are not freed and an
intermediate list wasn't removed as well.

Resolves: https://github.com/SSSD/sssd/issues/5456

:fixes: Memory leak in the simple access provider

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d207eaaf by Alexey Tikhonov at 2021-01-15T12:02:06+01:00
RESOLV: handle fail of ares_parse_*_reply() properly

With modern versions of c-ares ares_parse_*_reply() functions don't touch
`hostent **host` in case of fail.
This means it's unreliable to check for (hostent != NULL) without previous
initialization.
To be on a safe side it's better to check for return code as well.

Resolves: https://github.com/SSSD/sssd/issues/5451

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
0f2d31e2 by Steeve Goveas at 2021-01-15T12:18:45+01:00
tests: netstat command not found for test

use ss instead of installing net-tools for netstat.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bdf461c7 by Alexey Tikhonov at 2021-01-15T12:51:49+01:00
SBUS: do not try to del non existing sender

Resolves: https://github.com/SSSD/sssd/issues/5425

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b5c5281c by aborah at 2021-01-15T12:52:24+01:00
TESTS:sssd-kcm does not store TGT with ssh login using GSSAPI

A RHEL 8.0 system set up for GSSAPI login for ssh allows to
log in but does not actually store the ticket. klist shows
no ticket after login. NFS4 with kerberos does not mount
a home directory as a result.

Verifies: https://github.com/SSSD/sssd/issues/5333

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1722842

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
39c52817 by Anuj Borah at 2021-01-15T12:52:41+01:00
TESTS:KCM: Increase client idle timeout to 5 minutes

By default, KCM has a 60-second idle client timeout.
This might not be enough, because the client is often kinit,
so there is some user interaction involved.

Verifies: https://github.com/SSSD/sssd/issues/4829

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1884205

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
cc173629 by Pavel Březina at 2021-01-15T14:29:18+01:00
gssapi: default pam_gssapi_services to NULL in domain section

We need to distinguish when the option is not set in domain section and when
it is explicitly disabled. Now if it is not set, domain->gssapi_services
is NULL and we'll use value from the pam section.

Without this change, the value in the pam section is ignored.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
111b8b4d by Pavel Březina at 2021-01-15T14:29:18+01:00
pam_sss_gssapi: fix coverity issues

```
1. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
2. Defect type: RESOURCE_LEAK
3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
3. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
4. Defect type: RESOURCE_LEAK
6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
5. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
6. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.

1. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
2. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
3. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
4. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'
```

Also fix compilation warning
```
../src/sss_client/pam_sss_gss.c:339:5: warning: ‘reply’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  339 |     free(reply);
      |     ^~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:328:14: note: ‘reply’ was declared here
  328 |     uint8_t *reply;
      |              ^~~~~
../src/sss_client/pam_sss_gss.c:270:11: warning: ‘reply_len’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  270 |     upn = malloc(reply_len * sizeof(char));
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:327:12: note: ‘reply_len’ was declared here
  327 |     size_t reply_len;
      |            ^~~~~~~~~
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2499bd14 by Pavel Březina at 2021-01-18T10:36:33+01:00
cache_req: ignore autofs not configured error

Otherwise we return ERR_OFFLINE for domains where autofs provider is not
set (such as implicit files domain) which is undesirable.

Steps to reproduce:
1. Enable implicit files domains and LDAP domain with autofs configured
2. Setup NFS server to export `/exports` with `/exports/home/test`
3. Add autofs mount points:
```
dn: ou=mount,dc=ldap,dc=vm
ou: mount
objectClass: organizationalUnit
objectClass: top

dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.master

dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /export/home
nisMapEntry: auto.home
nisMapName: auto.master

dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.home

dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /
nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/&
nisMapName: auto.home
```
4. Run SSSD and autofs
5. cd to /exports/home/test

The directory will not be mounted with the new autofs protocol. It
will succeed with the old protocol. In both versions, you'll see
that SSSD returned ERR_OFFLINE:

```
(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured
...
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache
(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c48a4e80 by Alexey Tikhonov at 2021-01-18T11:15:33+01:00
Removed leftovers after PR #5246

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6ca29942 by Sumit Bose at 2021-01-18T11:15:52+01:00
krb5_child: use proper umask for DIR type ccaches

The current umask only had files in mind and hence only allowed read and
write permissions for the user. If the new directory must be created
for DIR type credentials caches the 'execute' permission is needed as
well so that the user can change into the directory. This patch changes
the umask to allow this if a DIR type credential cache is requested.

Resolves: https://github.com/SSSD/sssd/issues/5436

:fixes: krb5_child uses proper umask for DIR type ccaches

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
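
The effect described in 6ca29942, as an added example that is not SSSD code: it creates a file and a directory under each umask and reports the resulting permission bits. The helper names, the `/tmp` scratch path and the values 0177 and 0077 are assumptions chosen to match "read and write for the user" versus "read, write and execute for the user".

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed values, not taken from the SSSD sources. */
#define FILE_ONLY_UMASK 0177   /* leaves rw------- at most */
#define DIR_AWARE_UMASK 0077   /* leaves rwx------ at most */

/* Hypothetical helper: choose the umask from the ccache type prefix. */
static mode_t umask_for_ccname(const char *ccname)
{
    if (ccname != NULL && strncmp(ccname, "DIR:", 4) == 0) {
        return DIR_AWARE_UMASK;
    }
    return FILE_ONLY_UMASK;
}

/* Create one entry (directory or file) inside a private scratch directory
 * while `mask` is in effect and return its permission bits.
 * The creation calls ask for the widest mode so the umask alone decides.
 * Returns (mode_t)-1 on failure. */
static mode_t created_mode(mode_t mask, int want_dir)
{
    char base[] = "/tmp/ccache-umask-XXXXXX";
    char path[sizeof(base) + 16];
    struct stat st;
    mode_t old_mask;
    mode_t result = (mode_t)-1;
    int ok = 0;

    if (mkdtemp(base) == NULL) {
        return result;
    }
    snprintf(path, sizeof(path), "%s/entry", base);

    old_mask = umask(mask);
    if (want_dir) {
        ok = (mkdir(path, 0777) == 0);
    } else {
        int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
        if (fd >= 0) {
            close(fd);
            ok = 1;
        }
    }
    umask(old_mask);                       /* always restore the caller's umask */

    if (ok && stat(path, &st) == 0) {
        result = st.st_mode & 0777;
    }
    if (want_dir) {
        rmdir(path);
    } else {
        unlink(path);
    }
    rmdir(base);
    return result;
}

int main(void)
{
    /* Constructed ccache names, for illustration only. */
    const char *names[] = { "FILE:/tmp/krb5cc_1000", "DIR:/run/user/1000/krb5cc" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        mode_t mask = umask_for_ccname(names[i]);
        mode_t dir_mode = created_mode(mask, 1);
        mode_t file_mode = created_mode(mask, 0);

        printf("%-28s umask %04o: new dir %04o (%s), new file %04o\n",
               names[i], (unsigned)mask, (unsigned)dir_mode,
               (dir_mode & S_IXUSR) ? "owner can enter" : "owner cannot enter",
               (unsigned)file_mode);
    }
    return 0;
}
```

With either mask group and others receive no permissions, and a regular file requested with mode 0666 still ends up 0600; only the owner's execute bit on new directories differs.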

- - - - -
66ef363b by Alexey Tikhonov at 2021-01-18T11:16:20+01:00
dhash tables are now created with count=0 whenever no useful size hint available

This improves performance. For justification see
https://github.com/SSSD/sssd/issues/5134#issuecomment-737443576
and next comment.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cdad9480 by Madhuri Upadhye at 2021-01-21T10:49:05+01:00
Tests: alltests: "ldap_library_debug_level" option to domain section

Configure single domain and check "ldap_library_debug_level"
parameter.
It consists of three test cases:
  1. Check ldap_library_debug_level option with config-check
  2. Set ldap_library_debug_level to zero and check
     corresponding logs
  3. Set ldap_library_debug_level to two and check
     corresponding logs

Verifies:
Issue: #5178
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1884207

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
a06ce210 by Marco Trevisan (Treviño) at 2021-01-21T10:49:21+01:00
test_ca: Look for libsofthsm2 in libdir before falling back to hardcoded paths

Right now building SSSD in archs different from amd64 (at least in
debian and derivatives) won't ever get the test_CA built because
libsofthsm2 won't be found (leading also to #5397 at times).

As per this, until they won't provide a pkg-config file:
 - Prioritize looking for libsofthsm2 in configured libdir (will help
   the developer case when using custom prefixes with custom softhsm2)
 - Fallback to /usr prefixes, supporting any arch (not only x86_64)

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0c6924b8 by Alexey Tikhonov at 2021-01-22T12:57:50+01:00
SBUS: set sbus_name before dp_init_send()

Some async task might access sbus_name before dp_initialized() was executed

Resolves: https://github.com/SSSD/sssd/issues/5466

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e7fb88fc by Sumit Bose at 2021-01-22T12:58:10+01:00
BUILD: Accept krb5 1.19 for building the PAC plugin

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fb6edec6 by Shridhar Gadekar at 2021-01-22T12:58:38+01:00
Tests:ad:sudo: support non-posix groups in sudo rules

Verifies #sudo: support non-posix groups in sudo rules
bz1826272

Signed-off-by: Shridhar Gadekar <sgadekar at sgadekar.pnq.csb>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
6c9f929a by Deepak Das at 2021-01-25T11:31:14+01:00
man: sss_override clarification

Clarify sss_override in man pages to indicate that the command is only
supported with LDAP and AD provider.

Resolves: https://github.com/SSSD/sssd/issues/5471

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e07eeea7 by Sumit Bose at 2021-01-25T11:31:38+01:00
responders: add callback to schedule_get_domains_task()

To allow responders to run dedicated code at the end of the initial
getDomains request a callback is added.

Resolves: https://github.com/SSSD/sssd/issues/5469

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cb936e92 by Sumit Bose at 2021-01-25T11:31:38+01:00
pam: refresh certificate maps at the end of initial domains lookup

During startup SSSD's responders send a getDomains request to all
backends to refresh some domain related needed by the responders.

The PAM responder specifically needs the certificate mapping and
matching rules when Smartcard authentication is enabled. Currently the
rules are not refreshed at the end of the initial request but the code
assumed that the related structures are initialized after the request
finished.

To avoid a race condition this patch adds a callback to the end of the
request to make sure the rules are properly refreshed even if they are
already initialized before.

Resolves: https://github.com/SSSD/sssd/issues/5469

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cd48ef50 by Alexander Bokovoy at 2021-01-26T11:53:52+01:00
sudo runas: do not add '%' to external groups in IPA

When IPA allows to add AD users and groups directly to sudo rules
(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
Thus, we don't need to add additional '%'.

Resolves: https://github.com/SSSD/sssd/issues/5475
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0eb0281c by Pavel Březina at 2021-01-26T11:56:22+01:00
man: add auto_private_groups to subdomain_inherit

This option can be inherited since 41c497b8b9e6efb9f2aa8e4cc869d465c3b954b3

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
12eb04b2 by Pavel Březina at 2021-01-26T11:56:22+01:00
subdomains: allow to inherit case_sensitive=Preserving

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive` option can be now inherited by subdomains

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f2655950 by Pavel Březina at 2021-01-26T11:56:22+01:00
subdomains: allow to set case_sensitive=Preserving in subdomain section

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive` can be now set separately for each
  subdomain in `[domain/parent/subdomain]` section
:feature: `case_sensitive=Preserving` can now be set for trusted domains with AD provider

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f6bb31af by Pavel Březina at 2021-01-26T11:56:22+01:00
subdomains: allow to inherit case_sensitive=Preserving for IPA

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive=Preserving` can now be set for trusted domains
  with IPA provider. However, the option needs to be set to `Preserving`
  on both client and the server for it to take effect.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
944c47e2 by Pavel Březina at 2021-01-26T11:56:22+01:00
man: update case_sensitive documentation to reflect changes for subdomains

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
568bb1a0 by peptekmail at 2021-01-26T11:59:10+01:00
Add rsassapss cert for future checks

3rd party smartcard providers sometimes use rsassapss for signing combined with a smaller nonstandard exponent.
Unexpected characters in the commonname field create troubles.
Add more unexpected settings to this cert to easily create future checks.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
92ed415c by peptekmail at 2021-01-26T11:59:10+01:00
Add rsassapss cert for future checks

3rd party smartcard providers sometimes use rsassapss for signing combined with a smaller nonstandard exponent.
Unexpected characters in the commonname field create troubles.
Add more unexpected settings to this cert to easily create future checks.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f3576ea by peptekmail at 2021-01-26T11:59:10+01:00
Add rsassapss cert for future checks

Fix README typo

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b0edc83e by Armin Kuster at 2021-01-29T10:19:31+01:00
Provide missing defines which otherwise are available on glibc system headers

Signed-off-by: Armin Kuster <akuster808 at gmail.com>

--
V2]
remove space before define

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3986dead by Alexey Tikhonov at 2021-01-29T10:19:50+01:00
PROXY: child process security hardening

Resolves: https://github.com/SSSD/sssd/issues/3730

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b6fc7c0e by Alexey Tikhonov at 2021-01-29T10:19:50+01:00
Sanitize --domain option to allow safe usage as a part of log file name

Resolves: https://github.com/SSSD/sssd/issues/3730

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2d26c95d by Sumit Bose at 2021-02-04T14:09:13+01:00
ssh: restore default debug level

The recent change of the default debug level for the main SSSD
components affected the ssh helpers sss_ssh_authorizedkeys and
sss_ssh_knownhostsproxy as well.

To avoid any confusion about unexpected debug messages this patch
restores the original value for the two helpers.

Resolves: https://github.com/SSSD/sssd/issues/5488

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
536e8b83 by Madhuri Upadhye at 2021-02-04T14:09:35+01:00
alltests: password_policy: Removing the log debug messages

Removing the debug messages since it's neither from PAM, SSSD,
nor passwd and test does not depend on these debug messages.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
5892c367 by Evgeny Sinelnikov at 2021-02-04T14:09:50+01:00
krb5: allow to use subdomain realm during authentication

Resolves: https://github.com/SSSD/sssd/issues/4759

:feature: `krb5_use_subdomain_realm=True` can now be used then subdomain user
  principal names with different upnSuffixes not found in parent domain as it
  requires to be supported on serverside, but not implemented in samba yet.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78af35c3 by Pavel Březina at 2021-02-05T11:56:52+01:00
po: add pam_sss_gss to translated man pages

- - - - -
6add2ef3 by Pavel Březina at 2021-02-05T11:59:35+01:00
pot: update pot files

- - - - -
01cc2674 by Valters Jansons at 2021-02-05T13:06:43+01:00
DEBUG: Drop custom syslog identifier from journald

`SYSLOG_IDENTIFIER` field is removed from logging output to journald.
The default behavior will use the program name automatically.

This ensures that if there is rsyslog in place, producing BSD-format
syslog output (RFC 3164), then there are no unexpected `[` characters.
The resulting syslog output will also be aligned with the behavior
of `--with-syslog=syslog` which uses the program name by default.

`SSSD_PRG_NAME` field has been added to the journald log as well,
to be consistent with the `DEBUG()` output. This field holds the
value that `SYSLOG_IDENTIFIER` had previously and can be used for
filtering journal as a drop-in replacement.

Resolves: https://github.com/SSSD/sssd/issues/4590

:relnote: `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald
  output, to avoid issues with PID parsing in rsyslog (BSD-style
  forwarder) output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d163a120 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: synchronize with Fedora 34 spec file

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3e5ff111 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove unneeded conditionals and unused variables

This patch removes unused variables and unneeded conditions that
reflect current state.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8b68aa28 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: keep _strict_symbol_defs_build

SSSD now builds fine with -Wl,-z,defs

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
eb6a3bac by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: enable LTO

SSSD builds fine with LTO. The only problem was in tests but it is now fixed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2b1c3c3d by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove support for NSS

We no longer build with NSS. --with-crypto option no longer exists and
we don't require these packages anymore.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fcbbf124 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove --without-python2-bindings

Python2 bindings are not built by default anymore.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2970cd63 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: re-import changes that were not merged in Fedora

There were several changes in upstream spec file that were not merged
in Fedora but fixed valid problems. These are:

- https://github.com/SSSD/sssd/pull/1008
- https://github.com/SSSD/sssd/pull/1039
- https://github.com/SSSD/sssd/pull/5137
- https://github.com/SSSD/sssd/commit/e698d53e0ddd3c2778e04fd8e405f8c0cee0a766
- https://github.com/SSSD/sssd/commit/7fbc7e3ffb7a5c0090bb2091011762dabf1f512f

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5eb4d5c8 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: synchronize with RHEL spec file

Bring stuff from RHEL spec file that was not available in Fedora.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e56ddbed by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: use sssd user on RHEL

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
38d76146 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove conflicts that no longer make sense

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
bf1482c2 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove unused BuildRequires

- http-parser-devel, libcurl-devel - needed by secrets responder which is not built anymore
- dbus-libs, openssl, systemd - pulled in by -devel packages
- libcollection-devel, nspr-devel - not required

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
6f47eaca by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove unused Requires

- simpleifp was required by sssctl but not anymore
- we don't call ldconfig in post for client

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5d02f1e8 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: sort Requires, BuildRequires and configure for better clarity

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
482ab2d8 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: comment some requirements

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ff0f7656 by Alexey Tikhonov at 2021-02-05T13:09:33+01:00
Makefile: add missing '-fno-lto' to some tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ea55cd02 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: fix spelling in package description

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3ee3c4c6 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: use %autosetup instead of %setup

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
78323d44 by Pavel Březina at 2021-02-05T13:09:33+01:00
configure: libcollection is not required

libcollection is required by other ding-libs libraries but it is not
directly required for sssd.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b38701b9 by Weblate at 2021-02-05T13:12:14+01:00
Update the translations for the 2.4.1 release

- - - - -
33ff9f78 by Timo Aaltonen at 2021-02-09T13:10:42+02:00
Merge branch 'upstream'

- - - - -
325d22db by Timo Aaltonen at 2021-02-09T13:11:07+02:00
bump the version

- - - - -
2d2b2465 by Timo Aaltonen at 2021-02-09T13:19:28+02:00
libpam-sss.install: Add pam_sss_gss.

- - - - -
fce8477a by Timo Aaltonen at 2021-02-10T11:32:41+02:00
releasing package sssd version 2.4.1-1

- - - - -
17621910 by Marco Trevisan (Treviño) at 2021-02-10T13:27:25+02:00
debian/control: Mark test packages as <!nocheck>

- - - - -
0f18dac8 by Marco Trevisan (Treviño) at 2021-02-10T13:27:29+02:00
debian/rules: Don't run tests if nocheck is set

- - - - -
10090fd8 by Marco Trevisan (Treviño) at 2021-02-10T13:27:34+02:00
debian/control: Add missing test dependencies

- - - - -
88f59818 by Marco Trevisan (Treviño) at 2021-02-10T13:27:38+02:00
debian/patches: Get libsofthsm2 from right path for each architecture

- - - - -
d2817ef4 by Marco Trevisan (Treviño) at 2021-02-10T13:27:42+02:00
debian/rules: Enable tests again

- - - - -
69297dcf by Marco Trevisan (Treviño) at 2021-02-10T13:27:46+02:00
debian/control: Enable libcmocka (and so unit tests) all the archs

- - - - -
a4812d2d by Marco Trevisan (Treviño) at 2021-02-10T13:28:18+02:00
debian/changelog: Update

- - - - -
8e54d15c by Timo Aaltonen at 2021-02-10T13:49:02+02:00
test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch: Dropped, upstream.

- - - - -
a70c003a by Timo Aaltonen at 2021-02-10T13:49:10+02:00
releasing package sssd version 2.4.1-2

- - - - -


11 changed files:

- Makefile.am
- configure.ac
- contrib/ci/run-multihost
- contrib/kcm_default_ccache
- contrib/sssd.spec.in
- debian/changelog
- debian/control
- debian/libpam-sss.install
- debian/rules
- po/LINGUAS
- po/bg.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/33e94cc5761b1448dcb027884dee03d65d29ea13...a70c003a9cc2b861b7659f9cf9a092d9c102f870
