[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 119 commits: Update version in version.m4 to track the next release

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Nov 17 17:20:57 GMT 2021



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
a2fc3a3a by Pavel Březina at 2021-07-12T21:39:48+02:00
Update version in version.m4 to track the next release

- - - - -
1dae17bf by Justin Stephenson at 2021-07-14T11:42:34+02:00
TESTS: Make test_kcm_renewals idempotent

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dab4448d by Jakub Jelen at 2021-07-19T14:29:12+02:00
p11_child: Add missing newline after log message

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3e7aa107 by Yuri Chornoivan at 2021-07-19T14:30:21+02:00
Fix minor typo: indicated -> indicate

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b6fe76e7 by Anuj Borah at 2021-07-19T15:03:38+02:00
Tests: SSSD is generating lot of LDAP queries in a very large environment

Issue: https://github.com/SSSD/sssd/issues/5121
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1772513

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
861e226b by Weblate at 2021-07-20T12:27:30+02:00
po: update translations

(Russian) currently translated at 47.2% (1333 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Japanese) currently translated at 36.5% (1030 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ja/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(French) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Japanese) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Japanese) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Korean) currently translated at 3.5% (26 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 41.1% (1160 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

Added translation using Weblate (Korean)

po: update translations

(Ukrainian) currently translated at 99.8% (2816 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

- - - - -
cdc75c53 by Sumit Bose at 2021-07-20T13:37:28+02:00
tests: do not use libcheck include file in cmocka tests

The common_check.h header file adds libcheck related macros which are
not needed by cmocka tests; using common.h is sufficient here.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
7fdff741 by Sumit Bose at 2021-07-20T13:37:28+02:00
test: replace deprecated libcheck macros

The fail* macros were deprecated by libcheck some time ago. Recently a
fix for a different issue in those macros caused a 'too many arguments
for format' compiler warning which won't be fixed on the libcheck side
since the macros are deprecated.

This patch replaces the deprecated macros with the new ones:

 - fail -> ck_abort_msg
 - fail_unless -> ck_assert_msg
 - fail_if -> sss_ck_fail_if_msg

The fail_if macro does not have a corresponding new version and I added
a local replacement sss_ck_fail_if_msg which is based on ck_assert_msg.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9b24b8db by Anuj Borah at 2021-07-28T15:17:44+02:00
Tests: Add support to verify authentication indicators in pam_sss_gss

Error code of '[pam_cmd_gssapi_sec_ctx] (0x0400): Check if
acquired service ticket has req. indicators:'.
'2' is 'not applied' (ENOENT)

Verifies: https://github.com/SSSD/sssd/issues/5482

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1926622

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
85723a7b by Anuj Borah at 2021-07-28T15:18:01+02:00
Tests: fix sss_cache to also reset cached timestamp

Issue: https://github.com/SSSD/sssd/issues/5596

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1902280

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
6f1188a0 by Steeve Goveas at 2021-07-29T12:03:53+02:00
TEST: Add id and fix indentation in docstrings

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
f5460882 by Alexey Tikhonov at 2021-07-29T14:19:01+02:00
Basics of 'subid ranges' support for IPA provider.

:feature: Basic support of user's 'subuid and subgid ranges' for IPA
provider and corresponding plugin for shadow-utils were introduced.
Limitations:
 - single subid interval pair (subuid+subgid) per user
 - idviews aren't supported
 - only forward lookup (user -> subid ranges)
Take note, this is an MVP of an experimental feature. Significant changes
might be required later, after initial feedback.
Corresponding support in shadow-utils was merged upstream, but since there
is no upstream release available yet, SSSD feature isn't built by default.
Build can be enabled with `--with-subid` configure option.
Plugin's install path can be configured with `--with-subid-lib-path=`
("${libdir}" by default)

For additional details about support in shadow-utils please see discussion
in https://github.com/shadow-maint/shadow/issues/154 and in related PRs.

:config: New IPA provider's option `ipa_subid_ranges_search_base` allows
configuration of search base for user's subid ranges.
Default: `cn=subids,%basedn`

Resolves: https://github.com/SSSD/sssd/issues/5197

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
44525a99 by Paweł Poławski at 2021-08-09T11:22:27+02:00
General: Hardening getenv() usage

Pointer returned by getenv() should be cached locally before
it is passed down to sub functions.

This PR fixes this for:
* pam_sm_authenticate()
* sysdb_ldb_connect()
* files_init_file_sources()

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
365cd676 by Alexey Tikhonov at 2021-08-11T14:52:56+02:00
NSS: don't treat absent 'CLEAR_MC_FLAG' as an error

(This is expected in case of SIGHUP sent for log rotation.)

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7ab83f97 by Alexey Tikhonov at 2021-08-16T16:35:49+02:00
TOOLS: replace system() with execvp() to avoid execution of user supplied command

:relnote: A flaw was found in SSSD, where the sssctl command was
vulnerable to shell command injection via the logs-fetch and
cache-expire subcommands. This flaw allows an attacker to trick
the root user into running a specially crafted sssctl command,
such as via sudo, to gain root access. The highest threat from this
vulnerability is to confidentiality, integrity, as well as system
availability.
This patch fixes a flaw by replacing system() with execvp().

:fixes: CVE-2021-3621

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
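
The class of fix named in this commit, shown as an added example (not SSSD's code and not the actual patch): the same value is passed once through `system()` and once through `fork()`/`execvp()`. The function names and the sample value are hypothetical, and `true` stands in for the helper program being launched.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample standing in for a user-supplied argument such as a
 * file name. The ';' only has meaning if a shell parses the string. */
#define SAMPLE_VALUE "archive.tgz; exit 7"

/* "Before" pattern: the value is pasted into a command line and handed to
 * /bin/sh by system(), so shell metacharacters inside it are interpreted.
 * Returns the exit status reported by the shell, or -1 on failure. */
static int run_with_system(const char *prog, const char *value)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof(cmd), "%s %s", prog, value);
    if (n < 0 || (size_t)n >= sizeof(cmd)) {
        return -1;                      /* truncated command: refuse to run */
    }

    int status = system(cmd);
    if (status == -1 || !WIFEXITED(status)) {
        return -1;
    }
    return WEXITSTATUS(status);
}

/* "After" pattern: no shell is involved. The value occupies exactly one
 * argv slot and reaches the program byte for byte. The "--" ends option
 * parsing, because execvp() removes shell interpretation but does not stop
 * a value that starts with '-' from being read as an option.
 * Returns the program's exit status, or -1 on failure. */
static int run_with_execvp(const char *prog, const char *value)
{
    char *const argv[] = { (char *)prog, (char *)"--", (char *)value, NULL };

    pid_t pid = fork();
    if (pid == -1) {
        return -1;
    }
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed; skip atexit handlers */
    }

    int status;
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) {
            return -1;
        }
    }
    if (!WIFEXITED(status)) {
        return -1;
    }
    return WEXITSTATUS(status);
}

int main(void)
{
    /* With system(), the shell runs "true archive.tgz" and then "exit 7":
     * the text after ';' was executed as a second command. */
    int via_shell = run_with_system("true", SAMPLE_VALUE);

    /* With execvp(), "true" receives the whole string as one argument and
     * exits normally. */
    int via_exec = run_with_execvp("true", SAMPLE_VALUE);

    printf("system(): exit status %d\n", via_shell);
    printf("execvp(): exit status %d\n", via_exec);
    return 0;
}
```
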

- - - - -
c1dd1211 by Paweł Poławski at 2021-08-16T16:36:10+02:00
general: Fix compilation warnings

Commit 44525a9 introduced compilation warnings related to type casting.
This commit fixes this by removing "const" qualifier where it is
optional.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
26654d3e by Sumit Bose at 2021-08-16T16:36:26+02:00
cache_req: cache_first fix for fully-qualified names

With commit b572871236a7f9059d375a5ab1bff8cbfd519956 "cache_req:
introduce cache_behavior enumeration" the processing of cache and
backend lookups was refactored. Unfortunately this introduced an issue
when looking up users or groups with a fully-qualified name and the
'cache_first = True' option is set.

In the old code the case when a domain name is available was handled
before the cache_first option was evaluated and cache_req was
instructed to first look in the cache and then call the backend if the
object is not available or expired, i.e. the default behavior. Since
only a single domain is involved this is in agreement with 'cache_first
= True' and only a single iteration is needed.

In the new code the cache_first option is evaluated before the presence
of a domain name is checked and as a result even for single domain
searches the first cache_req iteration is only looking at the cache and
will not call the backend. This means that now for searches with a
fully-qualified name a second iteration is needed if the object was not
found in the cache.

Unfortunately the old exit condition that if a domain name is present
only a single iteration is needed is still present in the new code which
effectively makes requests with fully-qualified names only search the
cache and never call the backends. This patch removes the exit condition
and does a second iteration for fully-qualified names as well if
'cache_first = True' is set.

Resolves: https://github.com/SSSD/sssd/issues/5744

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b9f8c2f9 by Assaf Morami at 2021-08-23T12:27:48+02:00
p11_child: do_card partially fix loop exit condition when searching for token

This commit fixes the exit condition when searching for a token in p11_child/do_card,
specifically in case a token is present in a slot, but there are empty slots before it.

This commit partially fixes issue #5025,
thanks to this comment by @sumit-bose: https://github.com/SSSD/sssd/issues/5025#issuecomment-801842175

:relnote: p11_child does not stop at the first empty slot when searching for tokens

Co-Authored-By: Sumit Bose <sbose at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d41e956c by Justin Stephenson at 2021-08-23T12:28:15+02:00
MONITOR: Return success from genconf with no config

Resolves: https://github.com/SSSD/sssd/issues/5729

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd2ccbf6 by Alexey Tikhonov at 2021-08-25T11:41:28+02:00
file utils: reduce log level in remove_tree_with_ctx()

Users of this function are responsible to decide if fail is critical.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a1f7035b by Pavel Březina at 2021-08-25T11:41:51+02:00
remove deprecated talloc_autofree_context()

```
/home/pbrezina/workspace/sssd/src/util/server.c: In function ‘server_setup’:
/home/pbrezina/workspace/sssd/src/util/server.c:545:5: error: ‘talloc_autofree_context’ is deprecated [-Werror=deprecated-declarations]
  545 |     event_ctx = tevent_context_init(talloc_autofree_context());
      |     ^~~~~~~~~
In file included from /usr/include/ldb.h:50,
                 from /home/pbrezina/workspace/sssd/src/util/server.c:33:
/usr/include/talloc.h:1071:16: note: declared here
 1071 | _PUBLIC_ void *talloc_autofree_context(void) _DEPRECATED_;
      |                ^~~~~~~~~~~~~~~~~~~~~~~
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
575e1899 by Pavel Březina at 2021-08-25T11:41:51+02:00
fix warnings around sss_getenv()

Introduced in
- 44525a9995c775ac284a6203d0e505dc4bf0d459
- c1dd121142fb22648793a38e45257b348d658460

```
/home/pbrezina/workspace/sssd/src/db/sysdb_init.c: In function ‘sysdb_ldb_connect’:
/home/pbrezina/workspace/sssd/src/db/sysdb_init.c:82:49: error: passing argument 3 of ‘sss_getenv’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   82 |     ret = sss_getenv(tmp_ctx, LDB_MODULES_PATH, &mod_path);
      |                                                 ^~~~~~~~~
      |                                                 |
      |                                                 const char **
In file included from /home/pbrezina/workspace/sssd/src/db/sysdb_init.c:23:
/home/pbrezina/workspace/sssd/src/util/util.h:806:75: note: expected ‘char **’ but argument is of type ‘const char **’
  806 | errno_t sss_getenv(TALLOC_CTX *mem_ctx, const char *variable_name, char **_value);

/home/pbrezina/workspace/sssd/src/providers/files/files_init.c: In function ‘files_init_file_sources’:
/home/pbrezina/workspace/sssd/src/providers/files/files_init.c:61:26: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
   61 |         dfl_passwd_files = DEFAULT_PASSWD_FILE;
      |                          ^
/home/pbrezina/workspace/sssd/src/providers/files/files_init.c:77:25: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
   77 |         env_group_files = DEFAULT_GROUP_FILE;
      |                         ^
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9f58bef3 by Justin Stephenson at 2021-08-30T10:57:36+02:00
CI: unset DEBUGINFOD_URLS

Fedora 35 adds support to automatically fetch debuginfo, this
causes slowness in valgrind and leads to timeouts/systemd-oomd
invoked on the CI make check valgrind step.

https://fedoraproject.org/wiki/Changes/DebuginfodByDefault

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a67d3bc8 by Anuj Borah at 2021-08-30T10:57:50+02:00
Test: Fix RHEL9.0 Regression - alltests-tier1

There is no "implicit" 'files provider' enabled
by default on RHEL9, SSSD doesn't serve local
users if you didn't configure this in `domains`
list explicitly. So adding a domain with
id_provider = files.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
818e4f92 by Shridhar Gadekar at 2021-09-02T11:34:46+02:00
Tests: Randomize sudo refresh timeouts

Verifies: #5609

Bugzilla: @pytest.fixture(scope='function')

Signed-off-by: Shridhar Gadekar <sgadekar at sgadekar.pnq.csb>

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
c037432c by Alexey Tikhonov at 2021-09-02T11:35:05+02:00
BUILD: get rid of PCRE support

:relnote: This release removes pcre1 support. pcre2 is used
unconditionally.

Resolves: https://github.com/SSSD/sssd/issues/5768

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6acb1d63 by Alexey Tikhonov at 2021-09-02T11:35:05+02:00
UNICODE: drop support of glib2 for Unicode processing

:relnote: This release drops support of `--with-unicode-lib` configure option.
`libunistring` will be used unconditionally for Unicode processing.

Resolves: https://github.com/SSSD/sssd/issues/5767

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3e94b64d by Alexey Tikhonov at 2021-09-03T14:50:56+02:00
Got rid of 'local' provider.

:relnote: Support of long time deprecated 'local' provider was dropped.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a9218fbe by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Restore functionality of --wait_for_card

Previously, the loop in do_card() would find the first PKCS#11 slot with
support for removable tokens, whether or not a token was present. If one
was not, and --wait_for_card was specified, then it would wait for a token
to be inserted in this slot (or any slot in the same PKCS#11 module).

Commit b9f8c2f99d04 ("p11_child: do_card partially fix loop exit condition
when searching for token") changed the loop so it finds the first PKCS#11
slot that has a removable token present. Adjust this to allow the existing
handling of --wait_for_card to work when no token is found. Fixes #5746.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f3aa4b47 by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Ensure OpenSSL cleanup is performed

OpenSSL is initialized during init_p11_ctx(), which also sets a destructor
that will perform OpenSSL cleanup when p11_ctx is freed.

During init_verification(), the destructor for p11_ctx is replaced, and as
a result OpenSSL cleanup will no longer occur. Merge these destructors into
one which works correctly whether or not init_verification() was called.

Additionally, OpenSSL cleanup does not occur if the memory allocation for
p11_ctx fails. Re-order the steps in init_p11_ctx() so this is not needed.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3f1d03fc by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Handle failure from p11_kit_uri_new()

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f5a9d814 by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Return updated CK_SLOT_INFO from wait_for_card()

When a token has been inserted, wait_for_card() returns the corresponding
slot ID. Update the slot info as well.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a036fc87 by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Fix printing of non-null-terminated strings in do_card()

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ccebfc9c by Jakub Vavra at 2021-09-07T08:17:03+02:00
Tests: Add test_nss_get_by_name_with_private_group.

Verifies
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1837090

- - - - -
e8055b8a by Weblate at 2021-09-07T15:52:32+02:00
po: update translations

(Korean) currently translated at 9.1% (258 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 6.5% (48 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Finnish) currently translated at 3.2% (92 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Korean) currently translated at 6.4% (47 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Swedish) currently translated at 98.9% (2791 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Korean) currently translated at 8.1% (230 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 5.6% (41 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Swedish) currently translated at 98.2% (2771 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 97.2% (2743 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 97.1% (2741 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 95.7% (2701 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Russian) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Russian) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 3.5% (99 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Swedish) currently translated at 95.5% (2696 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Russian) currently translated at 98.0% (2766 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Swedish) currently translated at 93.2% (2631 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Turkish) currently translated at 10.9% (80 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Swedish) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Russian) currently translated at 92.9% (2623 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Russian) currently translated at 85.8% (2422 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Turkish) currently translated at 7.3% (54 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 2.3% (67 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 6.1% (45 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 82.4% (2327 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 2.3% (66 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 5.7% (42 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 78.6% (2219 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 76.6% (2162 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 2.2% (64 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Russian) currently translated at 75.1% (2119 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Spanish) currently translated at 67.2% (1898 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Korean) currently translated at 1.2% (35 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 4.6% (34 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

Added translation using Weblate (Korean)

po: update translations

(Russian) currently translated at 61.2% (1729 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 52.8% (1490 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

- - - - -
9e47b63e by Pavel Březina at 2021-09-08T10:36:23+02:00
configure: do not unset PYTHON_PREFIX and PYTHON_EXEC_PREFIX

Recent changes in autoconf changed location of directories from:

```
checking for /usr/bin/python3 script directory... ${prefix}/lib/python3.9/site-packages
checking for /usr/bin/python3 extension module directory... ${exec_prefix}/lib64/python3.9/site-packages
```

to

```
checking for /usr/bin/python3 script directory... ${PYTHON_PREFIX}/lib/python3.10/site-packages
checking for /usr/bin/python3 extension module directory... ${PYTHON_EXEC_PREFIX}/lib64/python3.10/site-packages
```

However, we unset these variables in SSS_CLEAN_PYTHON_VARIABLES and
therefore the correct prefix is not applied anymore during installation.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
1d4095fb by Steeve Goveas at 2021-09-08T10:36:40+02:00
TEST: usermod -d needs absolute path

usermod -d failed when it was given an empty string to update. This was
noticed in #5754. Updating test to check for modified home dir

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4b7b6fa7 by Justin Stephenson at 2021-09-08T10:36:55+02:00
KCM: Add krb5-libs dependency in spec

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b606eb62 by Pavel Březina at 2021-09-09T10:23:53+02:00
spec: fix invalid condition

This was introduced in 4b7b6fa70399654b8a6d2f691be832c0680ee1fb

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
dfb6594e by Pavel Březina at 2021-09-13T12:03:35+02:00
ad: fallback to ldap if cldap is not available in libldap

Some distributions do not have cldap support available in libldap. Now
we fall back to ad ping over ldap conditionally during build time.

Resolves: https://github.com/SSSD/sssd/issues/5720

:fixes: AD ping is now sent over `ldap` if `cldap` support is not available
  during build. This helps to build SSSD on distributions without `cldap`
  support in `libldap`.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
bd422ccd by Anuj Borah at 2021-09-16T11:17:33+02:00
Tests: Suppress log message

Suppress log message "[sssd] [service_signal_done]
(0x0010): Unable to signal service [2]:
No such file or directory" during logrotate

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1909755

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
c3a8aad2 by Anuj Borah at 2021-09-16T11:18:16+02:00
Tests: RHEL9.0 Regression - alltests-tier1_2

1. 'files provider' enabled
2. nss-pam-ldapd has been removed from rhel9.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
ef6aa9e4 by Sumit Bose at 2021-09-20T13:00:51+02:00
krb5: fix ccache ownership for offline Smartcard authentication

During Smartcard authentication/PKINIT the krb5_child process is running
as privileged user for some time to make sure pcscd allows access to the
Smartcard. If SSSD is offline those privileges are currently not dropped
before creating an empty ccache and as a result file based ccaches might
have a wrong ownership. With the patch the privileges are dropped if
SSSD is offline and the ccache is created with the expected ownership.

Resolves: https://github.com/SSSD/sssd/issues/5785

:fixes: ccache files are created with the right ownership during offline
  Smartcard authentication

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a5716cd7 by Jakub Vavra at 2021-09-20T13:07:48+02:00
Tests: Add AD Parameters tests ported from bash.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
e92988a6 by Sumit Bose at 2021-09-24T14:24:10+02:00
debug: reduce logging of GetAccountDomain() in the frontends

The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return
code if the backend does not support the GetAccountDomain() request and
there is no need to have a log message for this on the default log level
or to trigger a backtrace in the logs in this case.

For all other errors a log message at the default log level makes sense to
indicate an issue in the backend but a backtrace in the frontend logs is
not needed as well.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ca8b655f by Sumit Bose at 2021-09-24T14:24:10+02:00
debug: suppress backtrace for backend errors

Only log a message in the frontend without a backtrace if the backend
returns an error.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2a617c0e by Sumit Bose at 2021-09-24T14:24:21+02:00
sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap
object is needed to lookup trusted domains.

This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770

:fixes: Even if the forest root is disabled for lookups all required
  internal data is initialized to be able to refresh the list of trusted
  domains in the forest from a DC of the forest root.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
aab4fe9c by Anuj Borah at 2021-09-24T14:24:41+02:00
Tests: SSSD logs improvements: clarify which config option applies to each timeout in the logs

issue: https://github.com/SSSD/sssd/issues/5514

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928648

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4be5fcd9 by Sumit Bose at 2021-09-24T14:26:11+02:00
sysdb: more specific mpg search filter

Originally all users of an mpg domain had an automatically created
user-private group and as a result the ID space was unified in the sense
that a given ID either belongs to a group or to a user with a
user-private group.

With the introduction of id-overrides and the auto_private_groups option
this assumption is not true anymore and as a result the search filter
for GIDs must be more specific with respect to the user objects.

Resolves: https://github.com/SSSD/sssd/issues/5790

:fixes: Improve mpg search filter to be more reliable with id-overrides
  and the new auto_private_groups options.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
10d33986 by Anuj Borah at 2021-10-01T12:51:14+02:00
Tests: Fix RHEL8.5 failures for IDM-CI

Fix test case:  test_009_maps_after_coming_online
Fix some code errors in utils.py

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
f0925489 by Steeve Goveas at 2021-10-01T12:51:41+02:00
Tests: Add firewalld package install on clients

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
b22f6195 by Anuj Borah at 2021-10-01T12:51:53+02:00
Tests: sss_cache prints spurious error messages

verifies: https://github.com/SSSD/sssd/issues/4904

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661182

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
fd3e397c by Justin Stephenson at 2021-10-05T11:21:44+02:00
KCM: Remove unneeded allocation

Memory is allocated later for the individual ccache when retrieved
with secdb_get_cc()

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e0d85ab6 by Shridhar Gadekar at 2021-10-05T11:21:57+02:00
Tests: improve sssd refresh timers for sudo queries

verifies:#5604

bugzilla:https://github.com/shridhargadekar/sssd/pull/new/sssd-3162

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
aca2e08b by Pavel Březina at 2021-10-05T11:22:08+02:00
krb5: remove unused mem_ctx from get_krb5_data_from_cred()

Also don't return value since it is useless.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
55c5de2d by Pavel Březina at 2021-10-05T11:22:08+02:00
kcm: replace existing credentials to avoid unnecessary ccache growth

Currently, we just append input credential to the ccache. This however
makes the ccache grow over time as credentials expire and more control
credentials are stored.

Now we remove or credentials that are the same and overwrite them with
the input credential.

Resolves: https://github.com/SSSD/sssd/issues/5775

:fixes: KCM now replaces the old credential with the new one when storing
  an updated credential that is however already present in the ccache
  to avoid unnecessary growth of the ccache.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
57247096 by Massimiliano Torromeo at 2021-10-05T11:22:21+02:00
TEST: Use absolute path for the MODPATH assertions in python tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
efd155f0 by Sergio Durigan Junior at 2021-10-05T11:22:32+02:00
Improve assertion when verifying paths for Python modules

In Ubuntu we're facing a problem where the 3 Python tests under
src/tests/*-test.py are failing due to cosmetic differences between
what the '.__file__' method returns and what 'MODPATH' ends up being.

I have not been able to pinpoint exactly what is causing this issue;
it only happens when SSSD is built inside a chroot environment (with
sbuild, for example).  The logs look like this:

```
F
======================================================================
FAIL: testImport (__main__.PyHbacImport)
Import the module and assert it comes from tree
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/<<PKGBUILDDIR>>/src/tests/pyhbac-test.py", line 91, in testImport
    self.assertEqual(pyhbac.__file__, MODPATH + "/pyhbac.so")
AssertionError: '/<<PKGBUILDDIR>>/build/./tp_pyhbac_xw2omut2/pyhbac.so' != './tp_pyhbac_xw2omut2/pyhbac.so'
- /<<PKGBUILDDIR>>/build/./tp_pyhbac_xw2omut2/pyhbac.so
+ ./tp_pyhbac_xw2omut2/pyhbac.so
```

Given that the intention of the test is to verify that the two paths
are equal, I suggest that we do this slight improvement and call
'os.path.realpath' before comparing both paths.  This way we guarantee
that they're both properly canonicalized.

I have verified that the tests still pass with this change.

Signed-off-by: Sergio Durigan Junior <sergio.durigan at canonical.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
9121fbf9 by Anuj Borah at 2021-10-06T12:56:47+05:30
Tests: Remove shadow-utils test cases from sssd repo

- - - - -
51eaed9d by Anuj Borah at 2021-10-06T11:06:54+02:00
Tests: Fix Failure of sssctl_local test

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
3d8dd128 by Justin Stephenson at 2021-10-06T11:07:05+02:00
debug: Add chain ID support for journald logger

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1a1e914b by Mantas Mikulėnas at 2021-10-06T11:07:17+02:00
NSS client: avoid using NETDB_INTERNAL if daemon is not available

It seems that returning NETDB_INTERNAL as h_errno will cause glibc's
getaddrinfo() to immediately return EAI_SYSTEM *without* falling through
to other configured NSS modules.

This means that if /etc/nsswitch.conf has 'sss' listed before 'dns' (for
example), hostname resolution will be completely broken whenever SSSD is
not running.

(Even hostname lookups done by SSSD itself will fail, as the _SSS_LOOPS
environment variable merely forces errno=0 but the getaddrinfo() call as
a whole still returns EAI_SYSTEM.)

This commit makes the NSS client return h_errno=NO_RECOVERY, as that's
what systemd's nss-resolve and nss-mymachines seem to be doing.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
770c7ce9 by Pavel Březina at 2021-10-07T12:39:10+02:00
debug: fix unused variable warnings

```
/home/pbrezina/workspace/sssd/src/util/debug.c: In function ‘sss_vdebug_fn’:
/home/pbrezina/workspace/sssd/src/util/debug.c:274:11: error: unused variable ‘result_fmt’ [-Werror=unused-variable]
  274 |     char *result_fmt;
      |           ^~~~~~~~~~
/home/pbrezina/workspace/sssd/src/util/debug.c:273:11: error: unused variable ‘chain_id_fmt_dyn’ [-Werror=unused-variable]
  273 |     char *chain_id_fmt_dyn = NULL;
      |           ^~~~~~~~~~~~~~~~
/home/pbrezina/workspace/sssd/src/util/debug.c:272:10: error: unused variable ‘chain_id_fmt_fixed’ [-Werror=unused-variable]
  272 |     char chain_id_fmt_fixed[256];

```

Introduced in: 3d8dd1282ffb7d0188e36d0109340ce622745717

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c4c0fd69 by Alexey Tikhonov at 2021-10-07T12:40:35+02:00
CONF: removed unused 'sbus_timeout' option

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8ed53d28 by Timotej Lazar at 2021-10-07T12:41:40+02:00
Include sys/types.h in debug.h

The chown_debug_file function has uid_t and gid_t arguments, defined
in types.h.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
bb6d9d9c by Pavel Březina at 2021-10-11T14:28:46+02:00
monitor: fix unused variable warning

```
src/monitor/monitor.c: In function ‘get_monitor_config’:
src/monitor/monitor.c:898:9: error: unused variable ‘timeout_seconds’ [-Werror=unused-variable]
  898 |     int timeout_seconds;
```

Introduced in c4c0fd690d82f9a8a714784ad4e036a39e1017fc.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
10069b1d by Alexey Tikhonov at 2021-10-11T14:28:57+02:00
Got rid of 'secrets' responder and its support in KCM

:relnote: Support of long time deprecated 'secrets' responder was dropped.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5bb5380c by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
libsecrets was disbanded and merged into KCM responder as this is its only user now.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9466aa4d by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
KCM: secrets db: got rid of legacy json format support

sssd_kcm doesn't use this format to store ccaches since 2.4.1

:relnote: Support of legacy json format for ccaches was dropped

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f5431c3a by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
KCM: secrets db: got rid of legacy encrypted payload format

sssd_kcm doesn't use this format to store ccaches since 2.4.1

Additionally, some leftovers of 'secrets' responder support were removed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dfb97f07 by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
crypto: removed sss_encrypt()/sss_decrypt() helpers as those aren't used anymore.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29f8a795 by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
TESTS: avoid cross-test tainting of os.environ

Operations on `os.environ` reference were leaking settings from one test
to another (in particular `KRB5CCNAME` from `test_kcm.py` to
`test_pam_responder.py`)

Discovered by Pavel Březina.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1e64a762 by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
KCM: secdb: treat secdb_get_cc() == ENOENT the same way as corresponding key_by_*() == ENOENT (mostly)

Everywhere secdb_get_cc() is used there is a corresponding
key_by_*() executed first to create a `secdb_key`.
There is special handling in place already for a case when
key_by_*() returns ENOENT (return NULL cc, ERR_NO_CREDS).
And this seems to be properly handled further down the code paths.

Hence it makes sense to use the same logic if secdb_get_cc(secdb_key)
returns ENOENT - from user of those functions point of view there should
be no difference.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
629f149e by Weblate at 2021-10-11T14:43:33+02:00
po: update translations

(Korean) currently translated at 12.3% (349 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 28.0% (205 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 12.2% (345 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 27.1% (198 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 11.5% (326 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Turkish) currently translated at 13.5% (99 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 26.9% (197 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Spanish) currently translated at 66.2% (1804 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 88.7% (648 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Czech) currently translated at 4.0% (111 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/

po: update translations

(Czech) currently translated at 87.3% (638 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 26.3% (192 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 26.3% (192 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 26.3% (192 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 9.8% (278 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Swedish) currently translated at 100.0% (2724 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Finnish) currently translated at 5.7% (42 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Finnish) currently translated at 3.3% (91 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Korean) currently translated at 9.6% (271 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 11.6% (85 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2724 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

- - - - -
11c7f6a6 by Pavel Březina at 2021-10-11T14:55:53+02:00
pot: update pot files

- - - - -
79412710 by Sumit Bose at 2021-10-13T19:29:35+02:00
krb5: use hidden file when creating config snippets

When creating config snippets for libkrb5 SSSD first creates a temporary
file with a random suffix and renames this file after all content is
written. If this temporary file is not properly removed or renamed due
to an error it might confuse libkrb5.

To avoid this confusion with this patch the temporary files are created
as hidden files, the name will start with a '.', which are ignored by
libkrb5.

Resolves: https://github.com/SSSD/sssd/issues/5824

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
03f6ef36 by Alexey Tikhonov at 2021-10-13T19:29:48+02:00
krb5_child: fixed incorrect checks on length value

It is safer to isolate the checked (unknown/untrusted) value on
the left hand side in the conditions to avoid overflows/underflows.

(addition to 9f0bffebd070115ab47a92eadc6890a721c7b78d)

Resolves: https://github.com/SSSD/sssd/issues/2739

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
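
The principle from the krb5_child commit message above, as an added C example (not the krb5_child code): the same bounds check written with arithmetic on the untrusted length, and with the untrusted length isolated on the left. The `[uint32 length][payload]` buffer layout and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Arithmetic on the untrusted value: pos + len wraps modulo 2^32, so a huge
 * len produces a small "end" that passes the comparison. */
bool fits_naive(uint32_t pos, uint32_t len, uint32_t size)
{
    uint32_t end = pos + len;
    return end <= size;
}

/* Untrusted len alone on the left; the right side is computed only from
 * trusted values and cannot underflow once pos <= size is established. */
bool fits_safe(uint32_t pos, uint32_t len, uint32_t size)
{
    if (pos > size) {
        return false;
    }
    return len <= size - pos;
}

/* Read one [uint32 length][payload] field (host byte order) from buf.
 * Returns 0 and advances *pos on success, -1 if the field does not fit. */
int read_field(const uint8_t *buf, uint32_t size, uint32_t *pos,
               const uint8_t **data, uint32_t *len)
{
    uint32_t l;

    if (!fits_safe(*pos, (uint32_t)sizeof(l), size)) {
        return -1;                      /* no room for the length prefix */
    }
    memcpy(&l, buf + *pos, sizeof(l));
    *pos += (uint32_t)sizeof(l);

    if (!fits_safe(*pos, l, size)) {
        return -1;                      /* declared length exceeds the buffer */
    }
    *data = buf + *pos;
    *len = l;
    *pos += l;
    return 0;
}

/* Constructed sample: a 9-byte buffer holding a length prefix chosen by the
 * caller followed by the 5-byte payload "hello". */
int demo_read(uint32_t declared_len)
{
    uint8_t buf[9];
    uint32_t pos = 0, len = 0;
    const uint8_t *data = NULL;

    memcpy(buf, &declared_len, sizeof(declared_len));
    memcpy(buf + 4, "hello", 5);
    return read_field(buf, (uint32_t)sizeof(buf), &pos, &data, &len);
}

int main(void)
{
    const uint32_t lens[] = { 5u, 6u, 0xFFFFFFFDu };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        printf("declared len %10u: naive check %s, safe check %s, read_field=%d\n",
               (unsigned)lens[i],
               fits_naive(4, lens[i], 9) ? "accepts" : "rejects",
               fits_safe(4, lens[i], 9) ? "accepts" : "rejects",
               demo_read(lens[i]));
    }
    return 0;
}
```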

- - - - -
01ff8155 by Alexey Tikhonov at 2021-10-13T19:30:02+02:00
MONITOR: reduce logs severity around signalling and termination of services to avoid useless in those cases backtraces

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8e22258c by Anuj Borah at 2021-10-13T19:30:13+02:00
Tests: support subid ranges managed by FreeIPA

issue: https://github.com/SSSD/sssd/issues/5197

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1803943

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
3343b5a8 by Justin Stephenson at 2021-10-14T11:28:41+02:00
DP: Log offline warning for REQ_TRACE tracking

This allows the sssctl analyze parsing tool to report if the
backend was offline when the request came in to the data
provider.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
26086212 by Justin Stephenson at 2021-10-14T11:28:41+02:00
Responder: Log client uid that started a request

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
82e051e1 by Justin Stephenson at 2021-10-14T11:28:41+02:00
TOOLS: Add sss_analyze utility

Add log parsing tool which can be used to track requests across
responder and backend logs.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
097feb32 by Justin Stephenson at 2021-10-14T11:28:41+02:00
SSSCTL: Add analyze command

Wrapper for sss_analyze

Print a message about limited functionality when tevent chain ID
support is not built.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd71ae53 by Pavel Březina at 2021-10-14T11:43:05+02:00
Release sssd-2.6.0

- - - - -
62527473 by Alexey Tikhonov at 2021-10-18T12:37:03+02:00
DEBUG: fix missing "va_end"

Fixes following warning:
```
Error: VARARGS (CWE-237):
sssd-2.6.0/src/util/debug.c:294: va_init: Initializing va_list "ap_fallback".
sssd-2.6.0/src/util/debug.c:305: missing_va_end: "va_end" was not called for "ap_fallback".
 #  303|                                  debug_chain_id, format);
 #  304|                   if (ret < 0) {
 #  305|->                     return;
 #  306|                   }
 #  307|                   result_fmt = chain_id_fmt_dyn;
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
305120b9 by Anuj Borah at 2021-10-21T14:51:50+02:00
Tests: Regression 8.5 - sssd-ipa

Changing sys_hostname to ip helps in testing in internal CI systems

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
92e16799 by Tomas Halman at 2021-10-21T14:52:01+02:00
CONFDB: Change ownership of config.ldb

Config database is owned by root. This prevents our socket
activated services to start because they are started under
the sssd user. Changing the ownership to sssd fixes the issue.

Resolves: https://github.com/SSSD/sssd/issues/5781

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
7db6cfd0 by Tomas Halman at 2021-10-21T14:52:01+02:00
CONFDB: Change ownership before dropping privileges

From previous SSSD version, config file can exist and can be
owned by root. To allow smooth transition we can change
the ownership.

This commit can be reverted later.

Resolves: https://github.com/SSSD/sssd/issues/5781

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
766fe623 by Alexey Tikhonov at 2021-10-21T15:15:57+02:00
GPO: fixed compilation warning

Fixes following compilation warning:
```
../src/providers/ad/ad_gpo.c: In function ‘ad_gpo_access_send’:
../src/util/debug.h:138:5: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
  138 |     sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  139 |                  level, \
      |                  ~~~~~~~~
  140 |                  format, ##__VA_ARGS__); \
      |                  ~~~~~~~~~~~~~~~~~~~~~~
../src/providers/ad/ad_gpo.c:1847:5: note: in expansion of macro ‘DEBUG’
 1847 |     DEBUG(SSSDBG_TRACE_FUNC, "service %s maps to %s\n", service,
      |     ^~~~~
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
84a4230b by Alexey Tikhonov at 2021-10-21T15:15:57+02:00
KCM: fixed uninitialized value

Fixes following warnings:
```
Error: UNINIT (CWE-457):
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:285: var_decl: Declaring variable "ret" without initializer.
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323: uninit_use: Using uninitialized value "ret".
 #  321|       krb5_free_context(kctx);
 #  322|
 #  323|->     return ret;
 #  324|   #else
 #  325|       return EOK;

Error: CLANG_WARNING:
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323:5: warning[core.uninitialized.UndefReturn]: Undefined or garbage value returned to caller
 #  321|       krb5_free_context(kctx);
 #  322|
 #  323|->     return ret;
 #  324|   #else
 #  325|       return EOK;
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bb94a18f by Pavel Březina at 2021-10-25T14:30:18+02:00
cache_req: return success for autofs when ENOENT is returned from provider

The receive function should return true if data provider lookup was
successful and false if there was an error. "Not found" result is
considered a successful lookup, only failure to perform a search
should result in false return code.

Resolves: https://github.com/SSSD/sssd/issues/5832

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
8db2485c by Pavel Březina at 2021-10-25T14:30:39+02:00
sbus: maintain correct refcount before sending a reply

sbus_reply decreases the refcount of @reply. This usually means that
refcount drops to zero and the message is freed. However, under
special circumstances the refcount is increased inside libdbus,
the refcount will be 1 when we leave the function and we drop it
to zero in talloc_free(state) later in this function. This will
leave an invalid message to be sent inside dbus connection and
eventually crash.

Increasing the refcount here makes sure that the refcount is always
correct.

Resolves: https://github.com/SSSD/sssd/issues/5672

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
de6eba31 by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
Removed excessive includes around 'strtonum'

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a2cc7dae by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
'strtonum' helpers: usage sanitization

To properly check for an error during string to number conversion
one needs to:
 - check `errno`
 - check that something was really converted (i.e. start != end)
 - (if this is expected) check that entire string was consumed

Some of those error conditions weren't checked in various locations
over the code.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
3c17a57e by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
'strto*()': usage sanitization

To properly check for an error during string to number conversion
one needs to:
 - check `errno`
 - check that something was really converted (i.e. start != end)
 - (if this is expected) check that entire string was consumed

Some of those error conditions weren't checked in various locations
over the code.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
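
The three checks listed in the 'strtonum' helpers and 'strto*()' commit messages above, as an added C example (not SSSD's code). `parse_u32_unchecked` and `parse_u32_strict` are hypothetical names, and the explicit sign and 32-bit range checks go beyond the three listed conditions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An unchecked call site: every failure mode collapses into a
 * plausible-looking number. */
uint32_t parse_u32_unchecked(const char *str)
{
    return (uint32_t)strtoull(str, NULL, 10);
}

/* Strict base-10 parse into uint32_t. Leading whitespace is accepted (as
 * strtoull() does); everything else must be digits up to the terminator.
 * Returns 0 on success or an errno value; *out is untouched on failure. */
int parse_u32_strict(const char *str, uint32_t *out)
{
    const char *p = str;
    char *end = NULL;
    unsigned long long val;

    if (str == NULL || out == NULL) {
        return EINVAL;
    }

    /* strtoull() accepts "-1" and returns the negated value as a huge
     * unsigned number without setting errno, so reject a sign up front. */
    while (isspace((unsigned char)*p)) {
        p++;
    }
    if (*p == '-') {
        return ERANGE;
    }

    errno = 0;
    val = strtoull(str, &end, 10);

    if (errno != 0) {
        return errno;       /* check errno (ERANGE on overflow) */
    }
    if (end == str) {
        return EINVAL;      /* nothing was converted: start == end */
    }
    if (*end != '\0') {
        return EINVAL;      /* the entire string was not consumed */
    }
    if (val > UINT32_MAX) {
        return ERANGE;      /* fits unsigned long long but not the target type */
    }

    *out = (uint32_t)val;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "1000", "", "12abc", "42 ", "-1",
                              "4294967296", "99999999999999999999999" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t v = 0;
        int rc = parse_u32_strict(samples[i], &v);

        printf("\"%s\": unchecked=%u strict=%s\n", samples[i],
               (unsigned)parse_u32_unchecked(samples[i]),
               rc == 0 ? "ok" : strerror(rc));
    }
    return 0;
}
```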

- - - - -
a664e9ce by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
TESTS: fixed a bug in define->string conversion

Previously result of `AS_STR(OFFLINE_TIMEOUT)` was "OFFLINE_TIMEOUT"
instead of expected integer value.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
48234ed8 by Anuj Borah at 2021-10-25T15:14:57+02:00
Tests: sss_override does not take precedence over override_homedir directive

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919942

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
86413e5f by Alexey Tikhonov at 2021-10-27T13:43:02+02:00
SUDO: decrease log level in case object wasn't found

It is expected sudo responder can be requested to lookup unknown entry.
One of typical examples is lookup for a local user.

Resolves: https://github.com/SSSD/sssd/issues/5839

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
bd521abe by Shridhar Gadekar at 2021-11-01T11:10:44+01:00
Tests: pam_sss_gss.so doesn't work with large kerberos tickets #5815

Verifies: #5568
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1948657

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
7cba8ed6 by Alexey Tikhonov at 2021-11-01T11:10:56+01:00
KCM: delete malformed 'cn=default' entries

This is needed to cleanup outdated entries in old (encrypted)
format that are no longer supported.

Steps to reproduce:

With an old SSSD version that still writes encrypted content in secrets db:
 - obtain any ticket (even one ticket is enough)
 - `kswitch -c ...` to any cache (any successful execution of `kswitch`
   will use `SET_DEFAULT_CACHE` KCM op and create
   'cn=default,cn=$uid,cn=persistent,cn=kcm' entry)

Then update SSSD and try `klist`:
 - 2.6.0 version will fail with "[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size ..."
 - 2.6.0 + this patch will remove this entry:
```
[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size 152, deleting this entry
[sss_sec_delete] (0x0400): Removing a secret from [persistent/1000/default]
```
and continue as if default isn't set (since all encrypted entries will be purged,
cache will appear empty)

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
301659a6 by Iker Pedrosa at 2021-11-01T11:11:09+01:00
proxy: allow removing group members

The proxy provider doesn't allow to remove group members once they have
been added. This patch allows to do it by looping the member list from
the cache and comparing it with the actual membership list. If a member
is missing then it's removed from the cache.

Resolves: https://github.com/SSSD/sssd/issues/5783

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4c48c4a7 by Sumit Bose at 2021-11-02T13:09:28+01:00
ad: filter trusted domains

The fix for https://github.com/SSSD/sssd/issues/5528 might discover
domains which are not trusted (one-way trust) or are from a different
forest (direct trust). Both should be ignored because they are not
trusted or can currently not be handled properly. This patch filters out
those domains.

Resolves: https://github.com/SSSD/sssd/issues/5819

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4292f9fd by Fernando Apesteguia at 2021-11-04T12:12:58+01:00
Fix untranslated string

Promote format string to gettext's PRIu64 instead of using SSSD's
SPRIuid which is not recognized. This caused the original string to be
truncated in the translation files.

How to test:

Apply patch and run:

make -C po/ update-pot

Translations should contain the full string now:

msgid "Running under %, must be root\n"

Resolves: #5738

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e8b43cc8 by Alexey Tikhonov at 2021-11-04T12:13:12+01:00
SSH: changed default value of `ssh_hash_known_hosts` to false

:config: Default value of `ssh_hash_known_hosts` setting was changed
to false for the sake of consistency with OpenSSH that does not hash
host names by default.

Typical use case of this feature in general is FreeIPA where this is
configured and automatically used. Since by default any IPA user can
read the list of all hosts and the public host keys from LDAP directly,
the content of the file can be considered as public information anyway.

Resolves: https://github.com/SSSD/sssd/issues/5848

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
60353300 by Justin Stephenson at 2021-11-04T12:13:25+01:00
Tests: Fix warning about deprecated res_randomid()

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b30861d8 by Alexey Tikhonov at 2021-11-05T12:42:47+01:00
SPEC: enabled build of 'subid ranges' support

Since feature support in shadow-utils is available since
upstream release version 4.9, support in SSSD can also be
enabled by default.

:packaging: 'subid ranges' support was enabled by default.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d469a810 by Alexey Tikhonov at 2021-11-05T12:42:47+01:00
SPEC: disable running files provider by default

This is to sync Fedora and upstream spec-files.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7121e56d by Alexey Tikhonov at 2021-11-05T12:42:47+01:00
INTG-TESTS: enable build of 'subid ranges' support

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7bfdd3db by Stanislav Levin at 2021-11-05T12:42:58+01:00
pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC

IPA domain controller may not support desktop profiles since this
functionality is optional and distributed as the IPA plugin:

- in case of online authentication ipa_session detects such DC properly
  and returns PAM_SUCCESS for ENOENT, nothing is cached on sysdb (see
  ipa_deskprofile_get_config_send/ipa_deskprofile_get_config_done and
  ipa_pam_session_handler_done for details).

- in case of offline authentication ipa_session falls back to cache and
  receives ENOENT (since nothing was cached previously). But *any* error
  is treated as actual error and overall result is PAM_SESSION_ERR (see
  ipa_pam_session_handler_save_deskprofile_rules and
  ipa_pam_session_handler_done for details).  Note: actually, only
  deskprofile_get_cached_priority breaks PAM session since
  ipa_common_get_cached_rules successfully handles ENOENT.

- in either case sssd tries to send dbus notification to fleet
  commander even if there are no desktop profile rules to apply.

With this change ENOENT result of cache query is treated similarly
to ENOENT result of actual backend query (PAM_SUCCESS).

Resolves: https://github.com/SSSD/sssd/issues/5846
Signed-off-by: Stanislav Levin <slev at altlinux.org>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bb8da430 by Alexey Tikhonov at 2021-11-08T11:33:29+01:00
DEBUG: avoid backtrace dups.

In case the same error(s) is repeated again and again repeating the same
backtrace doesn't add much value. In this case let's add just a note.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bd903865 by Alexey Tikhonov at 2021-11-08T11:33:48+01:00
P11: refactoring of get_preferred_rsa_mechanism()

Flattened code structure and more accurate errors handling.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
71b6d548 by Alexey Tikhonov at 2021-11-08T11:33:48+01:00
P11: add support of 'CKM_RSA_PKCS' mechanism

Resolves: https://github.com/SSSD/sssd/issues/5854

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b5073394 by Alexey Tikhonov at 2021-11-08T11:33:48+01:00
TESTS: added two tests to check cert auth with specific RSA mechanisms: CKM_RSA_PKCS and CKM_SHA384_RSA_PKCS. (CKM_SHA384_RSA_PKCS is arbitrarily chosen as one of CKM_SHA*_RSA_PKCS family)

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cf75d897 by Iker Pedrosa at 2021-11-09T11:08:23+01:00
ifp: new interface to validate a certificate

New interface to validate a certificate. The input is the certificate to
validate and the output the user path.

:feature: New infopipe method FindByValidCertificate() which accepts the
certificate as input, validates it against configured CAs, and outputs
the user path on success. This is similar to the existing
FindByCertificate(), but that does not do any trust validation.

Resolves: https://github.com/SSSD/sssd/issues/5224

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
50e6070e by Iker Pedrosa at 2021-11-09T11:08:23+01:00
Tests: ifp interface to validate certificate

Integration test to check the interface that validates the user
certificate.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
232ba7f0 by Justin Stephenson at 2021-11-09T15:57:33+01:00
DP: Resolve intermediate groups prior to SR overlay

SSSD SR exclude_groups checking can fail when only intermediate
groups are fetched during the login process. Add a step to
resolve these groups during Initgroups processing to ensure
the exclude groups check matches against the group name correctly.

This logic exists already similarly in the simple access provider.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8406af35 by Weblate at 2021-11-09T15:58:26+01:00
po: update translations

(Korean) currently translated at 12.6% (331 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 30.6% (189 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 29.6% (183 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Spanish) currently translated at 68.8% (1804 of 2621 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 93.3% (576 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Finnish) currently translated at 6.1% (38 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 12.4% (326 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2621 of 2621 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (617 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (617 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

- - - - -
19a902a1 by Pavel Březina at 2021-11-09T16:03:44+01:00
pot: update pot files

- - - - -
02183611 by Pavel Březina at 2021-11-09T16:05:41+01:00
Release sssd-2.6.1

- - - - -


10 changed files:

- Makefile.am
- configure.ac
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/run
- contrib/ci/sssd.supp
- contrib/sssd.spec.in
- po/LINGUAS
- po/POTFILES.in
- po/bg.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/57ac580928664a356f07c38e2aca4cf33d145524...02183611c3c94744de31ca8817ab11d022a26062
