[Pkg-sssd-devel] [Git][sssd-team/sssd][experimental] 2850 commits: Updating the version to track the next release

Simon Josefsson (@jas) gitlab at salsa.debian.org
Mon Dec 18 08:19:56 GMT 2023



Simon Josefsson pushed to branch experimental at Debian SSSD packaging / sssd


Commits:
c295d072 by Jakub Hrozek at 2019-02-27T20:54:21+01:00
Updating the version to track the next release

Reviewed-by: N/A

- - - - -
2f5aca39 by Sumit Bose at 2019-03-14T22:04:19+01:00
NEGCACHE: initialize UPN negative cache as well

UPNs are handled separately in the negative cache. To properly filter
user names even in the case of the fallback to a UPN lookup the negative
cache for UPNs has to be initialized with the names from the filter_user
option as well.

If the name from the option is a short name it will be added to the
negative UPN cache for each domain with the respective domain name. If
the name from the option is fully-qualified it will be added as is to
the negative UPN cache for each domain.

Related to https://pagure.io/SSSD/sssd/issue/3978

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
6b93ee69 by Sumit Bose at 2019-03-14T22:04:26+01:00
NEGCACHE: fix typo in debug message

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
640edac4 by Sumit Bose at 2019-03-14T22:04:30+01:00
NEGCACHE: repopulate negative cache after get_domains

If SSSD starts offline the responders might only know about the
configured domain because the sub-domains have not been discovered yet.
As a result the permanent negative cache is only populated for the
configured domain.

If later the system goes online and the sub-domains are discovered or a
new sub-domain was discovered at runtime the permanent negative cache is
currently not created for those domains.

This patch repopulates the negative cache for all known domains to the
end of the get_domains request.

Related to https://pagure.io/SSSD/sssd/issue/3983

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
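
The two negative-cache commits above (2f5aca39 and 640edac4) describe a rule that is easy to get wrong in practice: names from filter_users must land in the UPN negative cache of every domain, and the cache must be filled again once sub-domains are discovered. The block below is an added example, not SSSD's own negcache code; it models the cache as a per-domain set, and the "name@domain" UPN form and all domain and user names in it are constructed assumptions.

```python
# Added example, not SSSD code: models how names from the filter_users
# option are entered into a permanent negative cache keyed by domain,
# following the two rules in commit 2f5aca39, and how the cache is
# repopulated once more domains are known (commit 640edac4).
# The "name@domain" UPN form and all names below are assumptions.

def is_fully_qualified(name: str) -> bool:
    """Treat a name containing '@' as a fully-qualified UPN (assumption)."""
    return "@" in name


def prepopulate_upn_negcache(negcache: dict, filter_users, domains) -> dict:
    """Add permanent negative entries for every name in filter_users.

    A short name is qualified with each domain's own name and added to
    that domain's cache; a fully-qualified name is added unchanged to
    every domain's cache.  Existing entries are kept, so the function
    can be called again when new domains appear.
    """
    for dom in domains:
        entries = negcache.setdefault(dom, set())
        for raw in filter_users:
            name = raw.strip()
            if not name:
                continue
            entries.add(name if is_fully_qualified(name) else f"{name}@{dom}")
    return negcache


def repopulate_after_get_domains(negcache, filter_users, known_domains):
    """Re-run prepopulation for all currently known domains.

    Mirrors the idea of commit 640edac4: when SSSD started offline only the
    configured domain was known, so sub-domains discovered later would
    otherwise have an empty permanent negative cache.
    """
    return prepopulate_upn_negcache(negcache, filter_users, known_domains)


def is_negatively_cached(negcache, domain, upn) -> bool:
    """Lookup used by the responder before falling back to a UPN search."""
    return upn in negcache.get(domain, set())


def demo():
    """Start with one configured domain, then discover a sub-domain."""
    filter_users = ["root", "svc-backup@other.example"]  # constructed values
    cache = prepopulate_upn_negcache({}, filter_users, ["example.test"])
    # later, get_domains reports a trusted sub-domain as well
    cache = repopulate_after_get_domains(cache, filter_users,
                                         ["example.test", "child.example.test"])
    return cache


if __name__ == "__main__":
    for dom, entries in sorted(demo().items()):
        print(dom, sorted(entries))
```

The point of `repopulate_after_get_domains` is that it is idempotent: calling it again with a longer domain list only adds the entries for the new domains, which is what makes it safe to run at the end of every get_domains request.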
ce8a607c by Pavel Březina at 2019-03-14T22:22:26+01:00
netgroups: honor cache_refresh_percent

The value of cache refresh percent was not passed to cache_req.

Steps to reproduce:
1. Configure SSSD like so:
```ini
[nss]
entry_cache_nowait_percentage=10
memcache_timeout=0

[domain/mydomain]
entry_cache_timeout = 30
```

2. Run SSSD
3. Fetch netgroup for the first time
4. Wait 15 seconds (midpoint refresh will be triggered from 10-29 seconds interval)
5. Fetch netgroup again, see in logs that midpoint refresh was triggered

Resolves:
https://pagure.io/SSSD/sssd/issue/3947

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ddc49401 by Alexey Tikhonov at 2019-03-19T23:05:26+01:00
negcache: avoid "is_*_local" calls in some cases

"use_local_negative" argument of `sss_ncache_set_str()` function
only makes sense in case of non permanent record.
So it is possible to avoid blocking (and thus dangerous) "is_local*()"
calls in case "permanent == true"

Resolves: https://pagure.io/SSSD/sssd/issue/3963

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b1d288bf by Sumit Bose at 2019-03-19T23:17:36+01:00
ldap: add users_get_handle_no_user()

If a user is not found on the server anymore but still has a cache entry
this entry should be removed. The code to remove a group is already
moved into a separate function groups_get_handle_no_group(). With this
patch the code to remove a user is moved into a similar function so that
it can be reused at other places.

Related to https://pagure.io/SSSD/sssd/issue/3984

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e8b2f0da by Sumit Bose at 2019-03-19T23:17:39+01:00
ldap: make groups_get_handle_no_group() public

To make groups_get_handle_no_group() reusable it has to be made public
and has to get a proper interface.

Related to https://pagure.io/SSSD/sssd/issue/3984

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
89d89620 by Sumit Bose at 2019-03-19T23:17:42+01:00
ipa s2n: fix typo

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
5d50621c by Sumit Bose at 2019-03-19T23:17:45+01:00
ipa s2n: do not add UPG member

Currently the IPA provider uses user private groups for users from
trusted AD domains with automatic ID-mapping. Here a single cached user
object is used for both user and group. Since the user private group is
the primary group of the user it is expected that there is no explicit
member attribute.

While processing the group membership on an IPA client the user private
group is treated as ordinary group and a member attribute is added. As a
result the user cannot be deleted anymore due to an error caused by the
memberOf plugin because there is a member attribute without a matching
memberOf. This patch makes sure user private groups are skipped.

Related to https://pagure.io/SSSD/sssd/issue/3984

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
50641d4e by Sumit Bose at 2019-03-19T23:17:49+01:00
ipa s2n: try to remove objects not found on the server

If the server returns that the search object does not exist we should
try to remove it from the cache if it still has an entry.

Related to https://pagure.io/SSSD/sssd/issue/3984

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
63ccbfe0 by Tomas Halman at 2019-03-19T23:33:27+01:00
krb5_locator: Allow hostname in kdcinfo files

Currently we support only IP addresses in kdcinfo files. We need
to resolve the eventual DNS name and then we have to iterate through the
list of addresses because a hostname can be resolved that way, including
to IPv4 and IPv6 addresses.

Resolves:
https://pagure.io/SSSD/sssd/issue/3973

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cdd0fd0b by Pavel Březina at 2019-03-19T23:49:09+01:00
sdap: add sdap_modify_passwd_send

to modify userPassword with ldap_modify instead of exop.

Resolves:
https://fedorahosted.org/sssd/ticket/1314

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f81379c6 by Pavel Březina at 2019-03-19T23:49:13+01:00
sdap: add ldap_pwmodify_mode option

Resolves:
https://pagure.io/SSSD/sssd/issue/1314

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
cf1d7ff7 by Pavel Březina at 2019-03-19T23:49:16+01:00
sdap: split password change to separate request

so it can be later extended to another method.

Resolves:
https://fedorahosted.org/sssd/ticket/1314

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7234e68d by Pavel Březina at 2019-03-19T23:49:19+01:00
sdap: use ldap_pwmodify_mode to change password

Resolves:
https://pagure.io/SSSD/sssd/issue/1314

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
735af71a by Pavel Březina at 2019-03-19T23:59:33+01:00
be: remember last good server's name instead of fo_server structure

This fo_server may be freed when collapsing servers from SRV lookup
in `collapse_srv_lookup`. This would cause crash when we try to
dereference the pointer.

Resolves:
https://pagure.io/SSSD/sssd/issue/3976

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
3b0ff297 by Pavel Březina at 2019-03-19T23:59:37+01:00
sudo ipa: do not store rules without sudoHost attribute

Unless it is cn=defaults.

This was already fixed in LDAP provider with:
47ad0778be72994a2294b2e73cc5c670be6811a7

Resolves:
https://pagure.io/SSSD/sssd/issue/3980

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
48c1e3ac by Jakub Hrozek at 2019-03-20T00:05:52+01:00
TESTS: Add a unit test for UPNs stored by sss_ncache_prepopulate

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
37547802 by Jakub Hrozek at 2019-03-20T16:01:38+01:00
UTIL: Add a is_domain_mpg shorthand

Instead of looking into the domain structure directly, add a
sss_domain_is_mpg() function. This will make sense when we add a third
state instead of the boolean that will also be mpg-like.

Related:
https://pagure.io/SSSD/sssd/issue/3822

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
7c83450a by Jakub Hrozek at 2019-03-20T16:01:45+01:00
UTIL: Convert bool mpg to an enum mpg_mode

Instead of bool mpg inside struct sss_domain_info, let's introduce enum
mpg_mode that currently maps pretty much 1:1 to the boolean. In future
patches, a third value will be added.

Also adds a getter for the mpg_mode value because we want to discourage
getting or setting the value directly. Instead, the sss_domain_info
structure should be opaque in the future.

Related:
https://pagure.io/SSSD/sssd/issue/3822

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
fae57dba by Jakub Hrozek at 2019-03-20T16:01:50+01:00
CONFDB: Read auto_private_groups as string, not bool

In preparation to adding the third value of auto_private_groups, this
patch reads the confdb value as string and checks for the option values
on its own.

Related:
https://pagure.io/SSSD/sssd/issue/3822

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
db03a19c by Jakub Hrozek at 2019-03-20T16:01:53+01:00
CONFDB/SYSDB: Add the hybrid MPG mode

Permits a new option value 'hybrid' for the auto_private_groups option.
The option was even previously marked as a string option in both the
configAPI and the man pages, so we don't have to change the type now.

If the hybrid mode is selected and the user's original GID number is
available, then during initgroups and getpwnam, it is used as their primary
GID instead of the MPG group. The original group is also not added
as a secondary group during initgroups in this case.

Related:
https://pagure.io/SSSD/sssd/issue/3822

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
2efc41cd by Jakub Hrozek at 2019-03-20T16:01:58+01:00
CACHE_REQ: Add cache_req_data_get_type()

Adds a utility function which returns the lookup type stored in struct
cache_req_data. This will be used later to switch between different
lookups as appropriate.

Related:
https://pagure.io/SSSD/sssd/issue/3822

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
2ea38097 by Jakub Hrozek at 2019-03-20T16:02:01+01:00
NSS: Add the hybrid-MPG mode

Implements the functionality of the hybrid private group mapping.
Uncharacteristically, all the functionality is implemented in the
responder only.

This is because this hybrid mode must not shadow real groups with
autogenerated ones, not even if the real group comes from another
domain. Therefore, the user or group resolution must really call the full
cache_req requests.

Related:
https://pagure.io/SSSD/sssd/issue/3822

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
93007c40 by Jakub Hrozek at 2019-03-20T16:02:05+01:00
TESTS: Add integration tests for auto_private_groups=hybrid

Related:
https://pagure.io/SSSD/sssd/issue/3822

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
293c0933 by Yuri Chornoivan at 2019-03-20T23:05:36+01:00
Fix various minor typos

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
208a79a8 by Tomas Halman at 2019-03-23T20:25:54+01:00
krb5: Write multiple dnsnames into kdc info file

Multiple servers should be written to the kdc info file. In
this PR we iterate through the server list and we write the
list of primary servers followed by backup servers.

Resolves:
https://pagure.io/SSSD/sssd/issue/3974

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2f27dd9f by Michal Židek at 2019-03-26T21:52:46+01:00
GPO: Add option ad_gpo_ignore_unreadable

Add option to ignore group policy containers in AD
with unreadable or missing attributes. This is
for the case when server contains GPOs that
have very strict permissions on their attributes
in AD but are unrelated to access control.

Rather than using this option it is better to
change the permissions on the AD objects but
that may not always be possible (company policy,
no access to the server etc.).

Resolves:
https://pagure.io/SSSD/sssd/issue/3867
CVE-2018-16838

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0479c6f1 by Sumit Bose at 2019-03-26T21:58:45+01:00
pam_sss: PAM_USER_UNKNOWN if socket is missing

If SSSD is used without explicit configuration in the files-only mode and
pam_sss is also used in the PAM configuration, as e.g. in recent Fedora
systems, users handled by other NSS modules might get an 'Access Denied'
when trying to log in.

The culprit is the line like

    account     [default=bad success=ok user_unknown=ignore] pam_sss.so

in the PAM configuration which can only grant access if pam_sss.so
returns PAM_SUCCESS or PAM_USER_UNKNOWN. Even PAM_IGNORE causes a
rejection because of 'default=bad'.

If the PAM responder is running PAM_USER_UNKNOWN is returned for users
from other NSS modules. With this patch PAM_USER_UNKNOWN is returned as
well during the 'account' step if the PAM responder socket is not
available.

Related to https://pagure.io/SSSD/sssd/issue/3988

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
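
The commit above turns on a detail of PAM's bracketed control syntax: with `[default=bad success=ok user_unknown=ignore]`, only `success` and `user_unknown` are listed, so PAM_IGNORE falls through to `default=bad` and the whole account stack fails. The following is an added example, not SSSD or Linux-PAM code: a small evaluator for that control syntax, run over a constructed two-module account stack, that reproduces the denial for PAM_IGNORE and the expected result for PAM_USER_UNKNOWN. The stack composition and the evaluation rules are a simplification of libpam's behaviour, as noted in the comments.

```python
# Added example (not SSSD or Linux-PAM code): a small evaluator for the
# bracketed PAM control syntax, used to show why pam_sss must return
# PAM_USER_UNKNOWN rather than PAM_IGNORE in the 'account' stack quoted in
# commit 0479c6f1.  The stack and the module results are constructed here;
# the evaluation is a simplification of libpam's (ok/bad/ignore/done/die).

KEYWORD_CONTROLS = {  # expansions as documented in pam.conf(5)
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control: str) -> dict:
    """'[default=bad success=ok user_unknown=ignore]' -> {'default': 'bad', ...}"""
    control = KEYWORD_CONTROLS.get(control, control).strip()
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"unsupported control field: {control!r}")
    return dict(tok.split("=", 1) for tok in control[1:-1].split())


def action_for(control: str, retval: str) -> str:
    """Action taken for a module return value given as its lower-case PAM name."""
    table = parse_control(control)
    return table.get(retval, table.get("default", "bad"))


def evaluate_stack(stack, module_results) -> str:
    """Walk an account stack and return 'PAM_SUCCESS' or 'PAM_PERM_DENIED'.

    stack: list of (control, module); module_results: module -> return value.
    Simplification: a failing stack always reports PAM_PERM_DENIED here,
    whereas libpam propagates the failing module's own return code.
    """
    state = None  # stays None until some module contributes a result
    for control, module in stack:
        action = action_for(control, module_results[module])
        if action == "ignore":
            continue                      # module does not affect the result
        if action == "ok":
            if state is None:
                state = "success"         # an earlier failure is not overridden
        elif action == "done":
            return "PAM_SUCCESS" if state != "failure" else "PAM_PERM_DENIED"
        elif action == "bad":
            state = "failure"             # keep going, but the stack will fail
        elif action == "die":
            return "PAM_PERM_DENIED"
        else:
            raise ValueError(f"unsupported action: {action}")
    return "PAM_SUCCESS" if state == "success" else "PAM_PERM_DENIED"


# The 'account' line from the commit message followed by a local-files module
# (the second line is constructed for the example).
ACCOUNT_STACK = [
    ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
    ("required", "pam_unix.so"),
]


def local_user_outcome(pam_sss_retval: str) -> str:
    """Result for a user that pam_unix knows, when pam_sss returns the given code."""
    return evaluate_stack(ACCOUNT_STACK,
                          {"pam_sss.so": pam_sss_retval, "pam_unix.so": "success"})


if __name__ == "__main__":
    for code in ("ignore", "user_unknown", "success"):
        print(f"pam_sss -> {code:13s} stack -> {local_user_outcome(code)}")
```

Running it shows the asymmetry the commit fixes: `ignore` is denied because it is not listed and hits `default=bad`, while `user_unknown` lets pam_unix decide.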
4dd26833 by Jakub Hrozek at 2019-03-26T22:03:57+01:00
SYSDB: Inherit cached_auth_timeout from the main domain

cached_auth_timeout is a domain option used by the responder. And
because at the moment the options read from a subdomain section (e.g.
[domain/main/trusted]) are only those represented by the back end specific
dp_option structure instance, the option cached_auth_timeout, which
is directly read from the confdb, was not set for the main domain.

This is a minimal patch that just inherits the option from the main
domain until SSSD has a more systematic way of inheriting config
attributes regardless of how they are read and set.

Resolves:
https://pagure.io/SSSD/sssd/issue/3960

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
11bf1224 by Tom Briden at 2019-03-26T22:15:01+01:00
build: only do automagic linking against systemd if required

If syslog is not journald and initscript is not systemd, then don't
look for and ultimately link against systemd

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
41c497b8 by Jakub Hrozek at 2019-03-27T21:25:06+01:00
AD: Allow configuring auto_private_groups per subdomain or with subdomain_inherit

Resolves:
https://pagure.io/SSSD/sssd/issue/3965

Previously, subdomains that used ID mapping always only used MPGs and
POSIX subdomains always inherited the parent domain settings. This patch
is a small RFE which allows to either set the auto_private_groups option
directly per subdomain or set it for all subdomains using the
subdomain_inherit option

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1eb3ae1c by Jakub Hrozek at 2019-03-27T21:30:18+01:00
SDAP: Add sdap_has_deref_support_ex()

Related:
https://pagure.io/SSSD/sssd/issue/3979

In some cases, it makes sense for performance reasons to disable
dereference when processing user groups. But since processing of HBAC host
groups is not much of a performance sensitive operation, we can get away
with ignoring the client side setting and always using the dereference
branch if the server supports the dereference call.

This patch extends the sdap_has_deref_support call with a flag that
allows the caller to bypass the client side check.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9d636160 by Jakub Hrozek at 2019-03-27T21:30:25+01:00
IPA: Use dereference for host groups even if the configuration disables dereference

Related:
https://pagure.io/SSSD/sssd/issue/3979

In some cases, it makes sense for performance reasons to disable
dereference when processing user groups. But since processing of HBAC host
groups is not much of a performance sensitive operation, we can get away
with ignoring the client side setting and always using the dereference
branch if the server supports the dereference call.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d411febc by Pavel Březina at 2019-03-27T21:40:17+01:00
ipa: store sudo runas attribute with internal fqname

We need to be able to differentiate between external users and IPA user.

Resolves:
https://pagure.io/SSSD/sssd/issue/3957

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0aa65716 by Pavel Březina at 2019-03-27T21:40:23+01:00
sudo: format runas attributes to correct output name

sudo internally calls getpwnam and getgrnam on user and groups
that should be used for the invoked command. Output of these calls
is compared to values in runAsUser/Group attributes.

When different output format is used then what is present in LDAP,
this comparison will fail, denying user to use sudo. Now, we convert
these attributes into correct output name, respecting domain resolution
order, fully qualified domains and fqname format.

E.g. sudo call:
sudo -u tuser at ipa.vm -g tgroup at ipa.vm id

Resolves:
https://pagure.io/SSSD/sssd/issue/3957

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
6bf5bcad by Jakub Hrozek at 2019-03-27T21:49:13+01:00
KCM: Fall back to using the first ccache if the default does not exist

Resolves:
https://pagure.io/SSSD/sssd/issue/3838

KCM stores the default ccache in a separate DB entry. If the DB entry
contains a UUID that cannot be found in the DB for whatever reason, we
should just use the first ccache as the default. (This is what we
already do if there is no default)

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d82f978a by Alexey Tikhonov at 2019-03-27T22:04:56+01:00
providers/ldap: sdap_extend_map_with_list() fixed

Changed sdap_extend_map_with_list() to return src_map in case
of fail thus making behaviour consistent with sdap_extend_map()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
80e72c85 by Alexey Tikhonov at 2019-03-27T22:05:04+01:00
providers/ldap: const params should be const

Not intended to be changed params are marked as pointer to const data.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
feb08323 by Alexey Tikhonov at 2019-03-27T22:08:23+01:00
providers/proxy: small optimization

Small optimization of for-loops in
proxy_id.c:remove_duplicate_group_members()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0f62cc9f by Alexey Tikhonov at 2019-03-27T22:08:32+01:00
providers/proxy: fixed wrong check

Fixed evident "copy-paste" bug with wrong var being checked for NULL
in proxy_id.c:remove_duplicate_group_members()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cc9f0f41 by Alexey Tikhonov at 2019-03-27T22:08:34+01:00
providers/proxy: fixed usage of wrong mem ctx

Temporary var `grp` in proxy_id.c:remove_duplicate_group_members()
should be created in `tmp_ctx`.
Call to
```
*_grp = talloc_steal(mem_ctx, grp);
```
also confirms that this was the original intent
(before the fix this call didn't make any sense).

Having `grp` created in `mem_ctx` may lead to memory leak in case
of failure. While actually this doesn't happen since caller of
remove_duplicate_group_members() cleans mem_ctx, still it is
good to fix it.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29ac739e by Alexey Tikhonov at 2019-03-27T22:08:42+01:00
providers/proxy: got rid of excessive mem copies

There is no need to create copies of strings for temporary storage
in hash_table.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cd1538bc by Alexey Tikhonov at 2019-03-27T22:08:46+01:00
providers/proxy: fixed erroneous free of orig_grp

Function `remove_duplicate_group_members(mem_ctx, orig_grp, new_grp)`
in case of empty orig_grp would return as a result:
```
*new_grp = talloc_steal(mem_ctx, orig_grp);
```
Since mem_ctx is freed in caller function that leads to deallocation
of orig_grp and to "use after free" bug.

Code was changed so remove_duplicate_group_members() behaves consistently
and always returns a new group created in the given mem context.

Resolves: https://pagure.io/SSSD/sssd/issue/3931

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8efa2020 by Alexey Tikhonov at 2019-03-27T22:08:50+01:00
providers/proxy: const params should be const

grp/orig_grp param of save_group() and remove_duplicate_group_members()
is not intended to be changed so marked as pointer to const data.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6a6aad28 by Alexey Tikhonov at 2019-03-27T22:43:14+01:00
Util: added facility to load nss lib syms

Factored out (from proxy provider code) utility to load NSS symbols
from shared library.

Related: https://pagure.io/SSSD/sssd/issue/3964

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2b564f84 by Alexey Tikhonov at 2019-03-27T22:43:43+01:00
responder/negcache: avoid calling nsswitch NSS API

Changed "negcache_files.c::is_*_local_by_*()" to use functions from
"libnss_files" directly to check users (instead of calling glibc
NSS API).
Changed affected tests to avoid using NSS-wrapper and to use real
local user&group (otherwise tests were broken).

Resolves: https://pagure.io/SSSD/sssd/issue/3964

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8e6656c9 by Alexey Tikhonov at 2019-03-27T22:43:46+01:00
negcache_files: got rid of large array on stack

Removed large buffer from function stack.
It is safe to use single (static) global buffer since:
1) Responders are single threaded
2) Code doesn't use content of this buffer anyway

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
137b684d by Alexey Tikhonov at 2019-03-27T22:43:49+01:00
TESTS: moved cwrap/test_negcache to cmocka tests

Moved cwrap/test_negcache.c to cmocka tests since it doesn't use
cwrap tools anymore.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
fe428808 by Tomas Halman at 2019-03-28T12:53:26+01:00
Providers: Delay online check on startup

Typical use case is system startup or network restart. In such
cases SSSD receives several messages from the system about
network change and immediately starts connecting.
With multiple addresses on interface or multiple interfaces
SSSD receives even more messages.

This patch introduces 1s delay for online check after first
message.

Online callback tries 3 times to go online. There is increasing
delay between online checks up to 4s.

Resolves: https://pagure.io/SSSD/sssd/issue/3467

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e474c2dd by Jakub Hrozek at 2019-03-28T13:22:16+01:00
krb5: Do not use unindexed objectCategory in a search filter

Related:
https://pagure.io/SSSD/sssd/issue/3968

Since we switched to using objectcategory instead of objectclass for
users and groups, the objectCategory attribute is also not indexed. This
means that searches using this attribute must traverse the whole
database which can be very slow.

This patch uses the cn=users container instead of the full sysdb
container as the search base which is more or less equivalent to using
objectCategory=user anyway.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
96013bbb by Jakub Hrozek at 2019-03-28T13:22:24+01:00
SYSDB: Index the ccacheFile attribute

Related:
https://pagure.io/SSSD/sssd/issue/3968

The Kerberos ticket renewal code searches for user entries which have
the ccacheFile attribute set. Since the search can potentially traverse
all the users, it might be a good idea to index the attribute.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
22fc051d by Jakub Hrozek at 2019-03-28T13:22:31+01:00
krb5: Silence an error message if no cache entries have ccache stored but renewal is enabled

If no user entries had the ccacheFile attribute, the code would treat
ENOENT as an error and print a CRIT-level debug message.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fa8ef7c6 by Sumit Bose at 2019-04-01T22:40:14+02:00
pam: introduce prompt_config struct

prompt_config is the internal struct to control the prompting of
pam_sss. To make it easy to change internal details when more options
are added it should be opaque and only accessed by getters and setter.

Related to https://pagure.io/SSSD/sssd/issue/3264

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ac4b33f7 by Sumit Bose at 2019-04-01T22:40:30+02:00
authtok: add dedicated type for 2fa with single string

Currently the password type is used to send two-factor authentication
credentials entered in a single string to the backend. This is
unreliable and only works properly if password authentication is not
available for the user as well.

To support 2FA credentials in a single string better a new authtok type
is added.

Related to https://pagure.io/SSSD/sssd/issue/3264

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
fc26b4a8 by Sumit Bose at 2019-04-01T22:40:34+02:00
pam_sss: use configured prompting

If the response of SSSD's PAM responder contains a prompt_config
structure, use its content to prompt the user for credentials.

Related to https://pagure.io/SSSD/sssd/issue/3264

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a4d17859 by Sumit Bose at 2019-04-01T22:40:41+02:00
PAM: add initial prompting configuration

Add new section for sssd.conf to allow more flexible prompting during
authentication.

Related to https://pagure.io/SSSD/sssd/issue/3264

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
45efba71 by Sumit Bose at 2019-04-01T22:40:44+02:00
intg: add test for password prompt configuration

Related to https://pagure.io/SSSD/sssd/issue/3264

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
02045113 by Alexey Tikhonov at 2019-04-01T23:15:44+02:00
TESTS: fixed regression in cmocka/test_negcache_2.c

Fixed regression in test introduced in 2b564f8 (PR 786)
Test was relying on hardcoded values of non-local users and groups.
Test was changed to find those at runtime.

Resolves: https://pagure.io/SSSD/sssd/issue/3964

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
37fafa6b by Alexey Tikhonov at 2019-04-01T23:15:48+02:00
ci/sssd.supp: getpwuid() leak suppression

Suppresses the following error:
 4,096 bytes in 1 blocks are definitely lost in loss record 67 of 83
    at 0x4C2CDCB: malloc (vg_replace_malloc.c:299)
    by 0xB8F8627: ???
    by 0xB91EF3F: ???
    by 0xB90E112: ???
    by 0x9992974: getpwuid_r@@GLIBC_2.2.5 (in /usr/lib64/libc-2.26.so)
    by 0x99920D7: getpwuid (in /usr/lib64/libc-2.26.so)

This https://sourceware.org/bugzilla/show_bug.cgi?id=2314#c8 might
be related.

This problem seems to be affecting Fedora < F28

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e8d806d9 by Tomas Halman at 2019-04-02T22:29:51+02:00
krb5: Lookahead resolving of host names

The caller that initializes
the fail over service (maybe with be_fo_add_service) should provide
a hint with the value of the lookahead option. Then, if a request for
server resolution is triggered, the fail over code would resolve a server
and afterwards check if there are enough fo_server entries with a valid
hostname in the struct server_common structure. If not, the request would
check if any of the fo_server structures represents a SRV query and
try to resolve the query to receive more host names.

Resolves:
https://pagure.io/SSSD/sssd/issue/3975

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
d409c10d by Sumit Bose at 2019-04-02T23:05:54+02:00
ipa: ipa_getkeytab don't call libnss_sss

Resolves: https://pagure.io/SSSD/sssd/issue/3992

ipa-getkeytab is a help process which might even get called during
the startup of SSSD. Hence it should not try to use any SSSD responder
especially not the NSS responder.

Typically we call helpers with the environment of the calling SSSD
component where then _SSS_LOOPS environment variable is set to 'NO' to
skip calls to SSSD in libnss_sss. Since we have to set the KRB5CCNAME
environment variable to the ccache with the current TGT for the host
principal when calling ipa-getkeytab execle() is used to call
ipa_getkeytab which unfortunately replaces the environment of the caller
with the one provided in the last argument of the call. To make sure
ipa_getkeytab does not call back into SSSD we have to set _SSS_LOOPS=NO
here as well.

Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
dda8075f by Alexey Tikhonov at 2019-04-03T22:50:17+02:00
data_provider_be: fixed dereferencing of 'bad' ptr

In case of failed `dp_req_recv_ptr()` in `be_check_online_done()`
function, `reply` ptr was not initialized and its dereferencing
was a bug.

Resolves: https://pagure.io/SSSD/sssd/issue/3990

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
bbc9f8ac by Alexey Tikhonov at 2019-04-03T22:52:09+02:00
TESTS: two `negcache` tests were merged

Resolves: https://pagure.io/SSSD/sssd/issue/3989

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
29c9ff96 by Alexey Tikhonov at 2019-04-08T21:57:50+02:00
data_provider_be: got rid of went_offline usage

Got rid of unused anymore `went_offline` variable

Resolves: https://pagure.io/SSSD/sssd/issue/3991

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
e9185622 by Niranjan M.R at 2019-04-08T22:49:10+02:00
TESTS: Add @Title to test case docstrings for basic sanity tests

Adding @Title to specify the test case title makes the junit output
contain the test case title as the test case name
instead of the test case function name.

This is required to create test runs for the test case management
system.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0b140646 by Niranjan M.R at 2019-04-08T22:49:23+02:00
TESTS: Add @Title to test case docstrings for config tests

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7513b219 by Niranjan M.R at 2019-04-08T22:49:27+02:00
TESTS: Add @Title to test case docstrings for KCM tests.

Pep8 Fixes

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b75dc144 by Niranjan M.R at 2019-04-08T22:49:30+02:00
TESTS: Add @Title to test case docstrings for sssctl config tests.

Pep8 fixes
Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7b455916 by Niranjan M.R at 2019-04-08T22:49:33+02:00
TESTS: Add @Title to test case docstrings for sudo tests

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
156f8970 by Niranjan M.R at 2019-04-08T22:49:36+02:00
TESTS: Add @Title to test case docstrings for files tests.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
83336b31 by Niranjan M.R at 2019-04-08T22:49:38+02:00
TESTS: Add @Title to test case docstrings for ifp tests

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
1f5d139d by Pavel Březina at 2019-04-08T22:51:29+02:00
memberof: keep memberOf attribute for nested member

If we have a member that is both direct and nested member,
memberOf attribute was removed if the direct membership
was deleted.

1)
user ----------> groupB -> groupC
     -> groupA /

2)
user -> groupA -> groupB -> groupC

If we remove user->groupB from 1), we get 2) but groupB was still
removed from user memberOf attribute.

Resolves:
https://pagure.io/SSSD/sssd/issue/3636

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
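
The memberOf bug described in commit 1f5d139d is a reachability question: after a direct membership is dropped, a group belongs in the member's memberOf exactly when it is still reachable through nested groups. The block below is an added example, not SSSD's memberof module; it represents nesting as a set of (member, group) edges, recomputes reachability before and after removing an edge, and contrasts that with the old behaviour in which the removed group was dropped regardless. The user and group names are the constructed ones from the commit's diagram.

```python
# Added example, not SSSD's memberof module: models group nesting as a set
# of (member, group) edges and shows the behaviour commit 1f5d139d restores:
# when a direct membership is removed, a group stays in the member's memberOf
# as long as it is still reachable through nested membership.  The user and
# group names are the constructed ones from the commit message.

def direct_groups(edges, node):
    """Groups the node is a direct member of."""
    return {dst for src, dst in edges if src == node}


def member_of(edges, node):
    """All groups reachable from node (the transitive memberOf set)."""
    seen, todo = set(), [node]
    while todo:
        for g in direct_groups(edges, todo.pop()):
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return seen


def remove_direct_membership(edges, member, group):
    """Correct behaviour: recompute reachability after dropping the edge.

    Returns (new_edges, groups that must be removed from member's memberOf).
    A group reachable through another path is kept.
    """
    new_edges = {e for e in edges if e != (member, group)}
    return new_edges, member_of(edges, member) - member_of(new_edges, member)


def remove_direct_membership_buggy(edges, member, group):
    """Behaviour described as the bug: the group of the removed direct
    membership is dropped from memberOf even if a nested path still exists."""
    new_edges = {e for e in edges if e != (member, group)}
    dropped = {group} | (member_of(edges, member) - member_of(new_edges, member))
    return new_edges, dropped


# Diagram 1) from the commit: user -> groupB -> groupC and user -> groupA -> groupB
EDGES = {("user", "groupB"), ("user", "groupA"),
         ("groupA", "groupB"), ("groupB", "groupC")}


if __name__ == "__main__":
    print("before:", sorted(member_of(EDGES, "user")))
    _, dropped = remove_direct_membership(EDGES, "user", "groupB")
    _, buggy = remove_direct_membership_buggy(EDGES, "user", "groupB")
    print("fixed drops:", sorted(dropped), " buggy drops:", sorted(buggy))
```

After removing user->groupB the fixed version drops nothing, because groupB (and through it groupC) is still reachable via groupA; the buggy version drops groupB, which is exactly the stale memberOf the commit describes. The same functions also show the case where dropping is correct: if groupB were reachable only through the removed edge, both groupB and groupC would go.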
7308675f by Alexey Tikhonov at 2019-04-30T21:04:25+02:00
providers/ipa: Fixed obvious copy-paste error

Fixed code to debug value of option set in this block.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2c941333 by Alexey Tikhonov at 2019-04-30T21:04:31+02:00
providers/ipa: Changed default service search base

Changed default value of `ldap_service_search_base` config option
to `cn=ipservices,cn=accounts,$BASE` to follow FreeIPA change.

Resolves: https://pagure.io/SSSD/sssd/issue/3899

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e8121515 by Alexey Tikhonov at 2019-04-30T21:06:46+02:00
TESTS: ability to run unit tests under valgrind

Adds ability to run unit tests under valgrind with handy makefile
targets. Enabled with --enable-valgrind passed to ./configure script.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b2e48dee by Mikhail Novosyolov at 2019-04-30T21:08:11+02:00
Fix pidpath in systemd unit

Most systems with systemd now use /run instead of /var/run,
this fixes setting correct path in systemd service when built with
--with-pid-path=/run

If --with-pid-path is not defined, then pidpath=$localstatedir/run

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3328de79 by realsobek at 2019-04-30T21:09:58+02:00
fix man page reference

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
30734e5f by Sumit Bose at 2019-05-15T21:48:22+02:00
winbind idmap plugin: update struct idmap_domain to latest version

While updating to interface version 6 we forgot to add the query_user
member.

Recent versions of Samba added a new member dom_sid. Unfortunately the
interface version was not updated for this change so we have to enable
the member based on the Samba version.

Related to https://pagure.io/SSSD/sssd/issue/4005

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
9f9d7ec2 by Colin Walters at 2019-05-15T21:51:47+02:00
sss_cache: Do nothing if SYSTEMD_OFFLINE=1

Today running `rpm-ostree compose tree` results in a big spam
of warnings like:

```
Running pre scripts... openssh
openssh.prein: (Fri Feb 15 15:50:41:748148 2019) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
openssh.prein: Could not open available domains
openssh.prein: groupadd.rpmostreesave: sss_cache exited with status 5
openssh.prein: groupadd.rpmostreesave: Failed to flush the sssd cache.
openssh.prein: (Fri Feb 15 15:50:41:774909 2019) [sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
openssh.prein: Could not open available domains
openssh.prein: groupadd.rpmostreesave: sss_cache exited with status 5
```

This is because rpm-ostree doesn't want scripts writing into `/var`;
it's system-administrator managed state.

Really, SSSD should probably be silently ignoring system users.

But let's just silently do nothing if we're running offline, as
there won't be a sssd running.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
073b03a0 by Tomas Halman at 2019-05-15T21:52:04+02:00
sss_cache: Do nothing if /var is read-only

As suggested in commit ff8307df sss_cache should fail silently
if running under systemd in offline mode. I suggest to check also
whether DB_PATH is actually writeable or not.

Also clarify in the comment that we are talking about SYSTEMD
offline mode, not SSSD being offline.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
c911562d by Jakub Hrozek at 2019-05-20T08:58:42+02:00
PAM: Also cache SSS_PAM_PREAUTH

Related: https://pagure.io/SSSD/sssd/issue/3960

Even if cached_auth_timeout was set, the pam responder would still
forward the preauthentication requests to the back end. This could
trigger unwanted traffic towards the KDCs.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1e215a78 by Alexey Tikhonov at 2019-05-20T11:33:14+02:00
Monitor & utils: got rid of pid filename duplication

and simplified `pidfile()` function as well.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b239b4ec by Alexey Tikhonov at 2019-05-20T11:33:20+02:00
Monitor: fixed bug with services launch

Setting `services_started = true;` in case socket activated service
connects before all providers are up would prevent start of configured
services.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
819d70ef by Pavel Březina at 2019-05-21T22:00:54+02:00
sudo: always use server highest known usn for smart refresh

The sudo attributes may not be indexed on the server, therefore if
smart refresh filter is run on the server it may first search using
the indexed entryusn attribute and run the rest of the filter on
non-sudo objects. The number of objects that are filtered may increase
dramatically if sudo rules are not changed for a long time (and thus
keeping smaller and smaller last sudo usn number).

This patch makes sure that highest sudo usn number is always set to
the highest server usn number known by SSSD after each refresh.

Resolves:
https://pagure.io/SSSD/sssd/issue/3997

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f1ce524e by Sumit Bose at 2019-05-21T22:01:12+02:00
sdap: update last_usn on reconnect

If we are reconnecting to the same server it makes sense to keep the
stored maximum USN values for the different object classes. But since
the highest USN is already read from the rootDSE during the reconnect it
makes sense to keep this value to be able to update the maximum USN
values even if no new objects were found during the related searches.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f8bae064 by Pavel Březina at 2019-05-21T22:01:21+02:00
man: update sudo smart refresh documentation to reflect new USN behavior

Resolves:
https://pagure.io/SSSD/sssd/issue/3997

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b89934e by Sumit Bose at 2019-05-21T22:06:12+02:00
SDAP: allow GSS-SPNEGO for LDAP SASL bind as well

From the LDAP client perspective GSS-SPNEGO and GSSAPI are quite
similar. To support GSS-SPNEGO SSSD must make sure that a Kerberos
ticket is available before the LDAP SASL bind is started.

Related to https://pagure.io/SSSD/sssd/issue/4006

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
070f22f8 by Sumit Bose at 2019-05-21T22:06:16+02:00
sdap: inherit SDAP_SASL_MECH if not set explicitly

If ldap_sasl_mech is set for the configured domain in sssd.conf the
value is inherited automatically by all sub-domains. This can be
overwritten by setting ldap_sasl_mech for a given sub-domain explicitly
in sssd.conf.

Related to https://pagure.io/SSSD/sssd/issue/4006

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
10170fe6 by Samuel Cabrero at 2019-05-22T21:25:58+02:00
SUDO: Allow defaults sudoRole without sudoUser attribute

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
722ae4b3 by Tomas Halman at 2019-05-22T21:28:49+02:00
confdb: sssd tools don't handle the implicit domain

When no sssd.conf exists, sssctl can not read objects from the cache.
This happened because the implicit files domain is not taken into
account when creating the list of domains. With the implicit files domain
it should expand at least to this one domain.

Resolves:
https://pagure.io/SSSD/sssd/issue/3769

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2720d97c by Sumit Bose at 2019-05-28T21:36:35+02:00
DP: add NULL check to be_ptask_{enable|disable}

Currently the files and the proxy provider do not provide a check online
method (DPM_CHECK_ONLINE). The files provider because it can never go
offline. The proxy provider because there is no generic way to check
since the nature of the actual provider is unknown.

Since the method is missing check_if_online() jumps into the error
handling block where we try to reset the offline state
unconditionally. If there is no check_if_online_ptask, which never
exists for the files provider and will not be available in the proxy
provider as long as the backend is online, be_ptask_{enable|disable}
will be called with a NULL pointer.

Related to https://pagure.io/SSSD/sssd/issue/4014

Reviewed-by: Tomas Halman <thalman at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9a4d5f06 by Jakub Hrozek at 2019-05-28T21:45:04+02:00
LDAP: Return the error message from the extended operation password change also on failure

Resolves: https://pagure.io/SSSD/sssd/issue/4015

If password change fails, the tevent request would call
TEVENT_REQ_RETURN_ON_ERROR before returning the error message that comes
from the server, so the server message would not be propagated to the caller.

This regressed in cf1d7ff

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9a7b0469 by Branen Salmon at 2019-05-28T22:17:48+02:00
knownhostsproxy: friendly error msg for NXDOMAIN

This patch writes a brief, familiar error message to stderr when no
addresses are able to be resolved for the host specified in argv:

  (with patch)$ ssh the-void
  sss_ssh_knownhostsproxy: Could not resolve hostname the-void
  ssh_exchange_identification: Connection closed by remote host

Users accustomed to using SSH in environments where SSSD is not deployed
may expect the usual "Could not resolve hostname" error from SSH when a
domain name is misspelled or otherwise invalid:

  (no sssd)$ ssh the-void
  ssh: Could not resolve hostname the-void: Name or service not known

When such users begin using SSH in an SSSD-enabled environment, they may
be confused when this familiar and straightforward message is replaced
by a new one:

  (sssd)$ ssh the-void
  ssh_exchange_identification: Connection closed by remote host

If such users aren't aware that the system ssh_config is proxying their
connection through sss_ssh_knownhostsproxy, they may mistakenly conclude
that a connection had been made all the way to a remote host and,
therefore, that the hostname they specified was valid and able to be
resolved.  This patch mitigates this opportunity for confusion.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
aef8e49b by Sumit Bose at 2019-05-28T23:24:14+02:00
certmap: allow missing KU in OpenSSL version

Make sure a missing key-usage (KU) is not treated as an error and is
handled equally in the NSS and OpenSSL implementation

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1660899

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e1734ba8 by Sumit Bose at 2019-05-28T23:24:30+02:00
test: add certificate without KU to certmap tests

Make sure there is a test for a certificate without key-usage (KU)

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1660899

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
1c40208a by Sumit Bose at 2019-05-28T23:24:32+02:00
certmap: add sss_certmap_display_cert_content()

To make debugging and writing certificate mapping and matching rules
more easy a new function is added to libsss_certmap to display the
certificate content as seen by libsss_certmap. Please note that the
actual output might change in future.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e122f495 by Sumit Bose at 2019-05-28T23:24:34+02:00
sssctl: add cert-show

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
b0525a69 by Sumit Bose at 2019-05-28T23:24:38+02:00
files: add missing newline to debug message

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
f91d54e2 by Sumit Bose at 2019-05-28T23:24:44+02:00
sssctl: add cert-map

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
452c4f6c by Sumit Bose at 2019-06-11T10:48:30+02:00
tests: fix enctypes in test_copy_keytab

Currently test_copy_keytab uses legacy encryption types to mock up
keytab entries. New versions of libkrb5 might not support them anymore.

With this patch only supported encryption types should be used.

Reviewed-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
188a879b by Sumit Bose at 2019-06-11T10:49:16+02:00
CI: use python3-pep8 on Fedora 31 and later

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
80fdef5f by Sumit Bose at 2019-06-11T11:41:10+02:00
BUILD: fix libpython handling in Python3.8

Related to https://pagure.io/SSSD/sssd/issue/4016

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
aa73e296 by Tomislav Dukaric at 2019-06-11T11:44:48+02:00
self.OPTCRE.match(line) fails if there's a whitespace before option name, which is valid for SSSD. This will ignore any whitespace before the option

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
1b620105 by Pavel Březina at 2019-06-11T13:25:39+02:00
ci: do not fail everything when one distro fails

Currently if a test on one distribution fails, it will trigger the
failure branch in the post block of all stages. This is a known issue
and we must work around it.

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
60b8cad4 by Pavel Březina at 2019-06-11T13:25:44+02:00
ci: archive test-suite.log

This log file contains important information about test failures.

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
b4b2c825 by Pavel Březina at 2019-06-11T13:25:48+02:00
ci: add Fedora 30

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
f15aa6c9 by Pavel Březina at 2019-06-11T13:25:53+02:00
ci: remove code duplication in Jenkinsfile

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
a517f047 by Pavel Březina at 2019-06-11T13:25:58+02:00
ci: run moderate set of tests

All upstream unit and integration tests will be run, but it will
not run code coverage. Code coverage runs the same tests again
and prolongs the run duration more than twice.

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
32a06ec7 by Pavel Březina at 2019-06-11T13:26:05+02:00
ci: do not install dependencies

These are already installed on SSSD Test Suite machines.

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
bb4be64a by Michal Židek at 2019-06-13T20:16:52+02:00
tests: Add multihost tests to upstream tarball

Multihost tests were not part of upstream tarball
for no reason. This complicated packaging a bit.

Resolves:
https://pagure.io/SSSD/sssd/issue/3861

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2a5cc368 by Alexey Tikhonov at 2019-06-13T20:20:16+02:00
ldap/sdap_idmap.c: removed unnecessary include

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
43c3497b by Jakub Hrozek at 2019-06-13T22:22:22+02:00
Update the translations for the 2.2.0 release

Reviewed-by: N/A

- - - - -
9f144b92 by Jakub Hrozek at 2019-06-13T22:22:59+02:00
Updating the version for the 2.2.0 release

Reviewed-by: N/A

- - - - -
3ee29f4b by Jakub Hrozek at 2019-06-13T22:51:30+02:00
Updating the version for the 2.2.1 release

Reviewed-by: N/A

- - - - -
6839e672 by Alexey Tikhonov at 2019-06-17T12:59:34+02:00
util/crypto/libcrypto: changed sss_hmac_sha1()

Changed libcrypto/sss_hmac_sha1 implementation to be FIPS140 compliant.

Resolves: https://pagure.io/SSSD/sssd/issue/4022

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
0b210838 by Niranjan M.R at 2019-06-17T20:37:10+02:00
TESTS: Test kvno correctly displays version numbers of principals

Multihost tests for: https://pagure.io/SSSD/sssd/issue/3757.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1ea7e770 by Pavel Březina at 2019-06-18T21:29:32+02:00
ci: disable timeout

There is a bug in jenkins [1] which causes the time a job spends waiting
for an available executor to be added to the complete execution time.
As a consequence a job may time out without having actually started
because it did not get the executor in time.

Therefore we disable the timeout completely. We can abort it manually if
a job hangs for some reason. The job always finished so far but many jobs
were aborted because they were waiting for an executor for a long time.

[1] https://issues.jenkins-ci.org/browse/JENKINS-46569

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2a53df35 by Jakub Hrozek at 2019-06-18T21:31:49+02:00
TESTS: Install expect to drive password-change modifications

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>

- - - - -
71ae2eda by Jakub Hrozek at 2019-06-18T21:32:18+02:00
TESTS: Also add LDAP password when creating users

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>

- - - - -
7ad11b28 by Jakub Hrozek at 2019-06-18T21:32:21+02:00
TESTS: Test changing LDAP password with extended operation and modification

A test for:
https://pagure.io/SSSD/sssd/issue/1314

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>

- - - - -
6925b9cd by Yuri Chornoivan at 2019-06-18T21:37:57+02:00
Fix minor typos in docs

Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

- - - - -
01ea70fa by Tomas Halman at 2019-06-20T20:33:59+02:00
MAN: ldap_user_home_directory default missing

The default value of "ldap_user_home_directory" is "homeDirectory"
but for AD provider it is "unixHomeDirectory"

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1673443

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
dfa50c21 by Jakub Hrozek at 2019-06-20T20:36:36+02:00
TEST: Add a multihost test for not returning / for an empty home dir

A multihost test for:
https://pagure.io/SSSD/sssd/issue/3901

Reviewed-by: Niranjan M.R <mrniranjan at redhat.com>

- - - - -
0a10d863 by Jakub Hrozek at 2019-06-25T22:09:07+02:00
MONITOR: Don't check for the nscd socket while regenerating configuration

https://pagure.io/SSSD/sssd/issue/4028

In setups where only sssd-kcm is used and not the rest of SSSD, seeing
the nscd warning might be irritating.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ee23b8e3 by Alexey Tikhonov at 2019-06-25T22:14:17+02:00
util/crypto/libcrypto: changed sss_hmac_sha1()

Implementation of sss_hmac_sha1() was changed (again) to support
broader range of OpenSSL versions.

Resolves: https://pagure.io/SSSD/sssd/issue/4026

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>

- - - - -
e7e212b4 by Sumit Bose at 2019-06-25T22:18:49+02:00
negcache: add fq-usernames of known domains to all UPN neg-caches

The previous patch for this issue did not handle users with
fully-qualified names from known domains correctly. Here the user was
only added to the negative cache of the known domain but not to the
negative UPN caches for all domains. This patch fixes this.

Related to https://pagure.io/SSSD/sssd/issue/3978

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
49704b90 by Timo Aaltonen at 2019-06-27T22:52:39+03:00
Merge tag 'sssd-2_2_0' into experimental

Tagging the 2.2.0 release

- - - - -
e1b678c0 by Lukas Slebodnik at 2019-06-28T16:51:23+02:00
PROXY: Return data in output parameter if everything is OK

The function remove_duplicate_group_members might return EOK also in the middle
of the function, but the return parameter was not set with the right data.
Processing continued in the function save_group but there was a
dereference of a NULL pointer.

Introduced in: https://pagure.io/SSSD/sssd/issue/3931

Crash:
  (gdb) bt
  #0  0x00007fb4ce4a9ac5 in save_group (sysdb=sysdb at entry=0x55c9a0efb230, dom=dom at entry=0x55c9a0efb420, grp=grp at entry=0x55c9a0f370f0, real_name=0x55c9a0f47340 "nobody at ldap",
      alias=alias at entry=0x0) at src/providers/proxy/proxy_id.c:748
  #1  0x00007fb4ce4aa600 in get_gr_gid (mem_ctx=mem_ctx at entry=0x55c9a0f38be0, sysdb=sysdb at entry=0x55c9a0efb230, dom=dom at entry=0x55c9a0efb420, gid=99, now=<optimized out>,
      ctx=<optimized out>) at src/providers/proxy/proxy_id.c:1160
  #2  0x00007fb4ce4ac9e5 in get_initgr_groups_process (pwd=0x55c9a0f384a0, pwd=0x55c9a0f384a0, dom=0x55c9a0efb420, sysdb=0x55c9a0efb230, ctx=0x55c9a0f048e0, memctx=0x55c9a0f38be0)
      at src/providers/proxy/proxy_id.c:1553
  #3  get_initgr (i_name=<optimized out>, dom=0x55c9a0efb420, sysdb=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1461
  #4  proxy_account_info (domain=0x55c9a0efb420, be_ctx=<optimized out>, data=<optimized out>, ctx=0x55c9a0f048e0, mem_ctx=0x55c9a0f38b70) at src/providers/proxy/proxy_id.c:1659
  #5  proxy_account_info_handler_send (mem_ctx=<optimized out>, id_ctx=0x55c9a0f048e0, data=<optimized out>, params=0x55c9a0f39790) at src/providers/proxy/proxy_id.c:1758
  #6  0x000055c99fc67677 in file_dp_request (_dp_req=<synthetic pointer>, req=0x55c9a0f39470, request_data=<optimized out>, dp_flags=1, method=DPM_ACCOUNT_HANDLER, target=DPT_ID,
      name=<optimized out>, domainname=0x55c9a0f39190 "LDAP", provider=0x55c9a0efe0e0, mem_ctx=<optimized out>) at src/providers/data_provider/dp_request.c:250
  #7  dp_req_send (mem_ctx=0x55c9a0f37b60, provider=provider at entry=0x55c9a0efe0e0, domain=domain at entry=0x55c9a0f39190 "LDAP", name=<optimized out>, target=target at entry=DPT_ID,
      method=method at entry=DPM_ACCOUNT_HANDLER, dp_flags=dp_flags at entry=1, request_data=0x55c9a0f37c00, _request_name=0x55c9a0f37b60) at src/providers/data_provider/dp_request.c:295
  #8  0x000055c99fc6a132 in dp_get_account_info_send (mem_ctx=<optimized out>, ev=0x55c9a0eddbc0, sbus_req=<optimized out>, provider=0x55c9a0efe0e0, dp_flags=1,
      entry_type=<optimized out>, filter=0x55c9a0f358d0 "name=nobody at ldap", domain=0x55c9a0f39190 "LDAP", extra=0x55c9a0f354a0 "") at src/providers/data_provider/dp_target_id.c:528
  #9  0x00007fb4da35265b in _sbus_sss_invoke_in_uusss_out_qus_step (ev=0x55c9a0eddbc0, te=<optimized out>, tv=..., private_data=<optimized out>) at src/sss_iface/sbus_sss_invokers.c:2847
  #10 0x00007fb4d9cfb1cf in tevent_common_invoke_timer_handler () from /lib64/libtevent.so.0
  #11 0x00007fb4d9cfb339 in tevent_common_loop_timer_delay () from /lib64/libtevent.so.0
  #12 0x00007fb4d9cfc2f9 in epoll_event_loop_once () from /lib64/libtevent.so.0
  #13 0x00007fb4d9cfa7b7 in std_event_loop_once () from /lib64/libtevent.so.0
  #14 0x00007fb4d9cf5b5d in _tevent_loop_once () from /lib64/libtevent.so.0
  #15 0x00007fb4d9cf5d8b in tevent_common_loop_wait () from /lib64/libtevent.so.0
  #16 0x00007fb4d9cfa757 in std_event_loop_wait () from /lib64/libtevent.so.0
  #17 0x00007fb4dd955ac3 in server_loop (main_ctx=0x55c9a0edf090) at src/util/server.c:724
  #18 0x000055c99fc59760 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:747
  (gdb) l
  733         ret = remove_duplicate_group_members(tmp_ctx, grp, &ngroup);
  734         if (ret != EOK) {
  735             DEBUG(SSSDBG_CRIT_FAILURE, "Failed to remove duplicate group members\n");
  736             goto done;
  737         }
  738
  739         DEBUG_GR_MEM(SSSDBG_TRACE_LIBS, ngroup);
  740
  741         ret = sysdb_transaction_start(sysdb);
  742         if (ret != EOK) {
  743             DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
  744             goto done;
  745         }
  746         in_transaction = true;
  747
  748         if (ngroup->gr_mem && ngroup->gr_mem[0]) {
  749             attrs = sysdb_new_attrs(tmp_ctx);
  750             if (!attrs) {
  751                 DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n");
  752                 ret = ENOMEM;
  (gdb) p ngroup
  $1 = (struct group *) 0x0

Merges: https://pagure.io/SSSD/sssd/pull-request/4036

Resolves:
https://pagure.io/SSSD/sssd/issue/4037

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2c965b04 by Tomas Halman at 2019-07-03T22:10:18+02:00
pcre: port to pcre2

Some distributions want to drop pcre support. Sssd should work with
pcre2. With this patch sssd tries to use pcre2 if pcre is not present.

Resolves:
https://pagure.io/SSSD/sssd/issue/3833

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
d2adfcf5 by Tomas Halman at 2019-07-03T22:12:30+02:00
CACHE: SSSD doesn't clear cache entries

Once an object is in the cache it is refreshed when it has expired and
is requested by the system. The object ID is not checked before the refresh,
but the config parameter ldap_(min|max)_id could be changed by the admin.
We should check the object ID and not refresh objects outside the min/max
ID interval.

Resolves:
https://pagure.io/SSSD/sssd/issue/3905

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e8e0f407 by Alexey Tikhonov at 2019-07-03T22:14:46+02:00
util/secrets: memory leaks are fixed

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8aa0dfdf by Alexey Tikhonov at 2019-07-03T22:15:34+02:00
util/crypto/nss/nss_nite: params sanitization

 - `key` params made const
 - added omitted sanity checks of pointer params

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
d603d34a by Alexey Tikhonov at 2019-07-03T22:15:47+02:00
crypto/libcrypto/crypto_nite: HMAC calculation changed

Changed HMAC calculation to make it consistent with
https://pagure.io/SSSD/sssd/issue/4026

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
e232a98a by Alexey Tikhonov at 2019-07-05T12:16:38+02:00
util/find_uid.c: fixed debug message

Fixed wrong debug message in check_if_uid_is_active()

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0897be2a by Alexey Tikhonov at 2019-07-05T12:16:40+02:00
util/find_uid.c: fixed race condition bug

It was wrong to return EOK from get_uid_from_pid() in case of failed
open() or fstat() as this leaves `uid` uninitialized and no means
for caller to detect this situation.

There was no reason to fail get_active_uid_linux() completely in case
of failed get_uid_from_pid() for one of /proc entries. Function was
changed to continue with next entry instead.

Resolves: https://pagure.io/SSSD/sssd/issue/2854

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
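The two defects described in the commit message above, shown in an added C example that is not SSSD's util/find_uid.c: the per-process lookup reports failure through its return value (so the caller never sees an uninitialized uid), and the /proc scan skips an entry whose process exited between readdir() and open() instead of aborting the whole scan. It reads /proc/<pid>/status, so it is Linux only; the function names are constructed and do not claim to match SSSD's.

```c
/* Added example (not SSSD code): race-tolerant lookup of process owners
 * via /proc. Linux only. Names are constructed for the illustration. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parses the "Uid:" line of a /proc/<pid>/status stream.
 * Returns 0 and sets *uid, or ENOENT if no Uid: line was found. */
static int parse_uid_from_status(FILE *f, uid_t *uid)
{
    char line[256];
    unsigned long real_uid;

    while (fgets(line, sizeof line, f) != NULL) {
        /* Format is "Uid:\t<real>\t<effective>\t<saved>\t<fs>" */
        if (sscanf(line, "Uid: %lu", &real_uid) == 1) {
            *uid = (uid_t)real_uid;
            return 0;
        }
    }
    return ENOENT;
}

/* Returns 0 on success with *uid set; otherwise an errno value and *uid
 * is left untouched. Returning EOK on a failed open() would hand the
 * caller an uninitialized uid, which is the bug the commit fixes. */
static int get_uid_from_pid(pid_t pid, uid_t *uid)
{
    char path[64];
    FILE *f;
    int ret;

    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    f = fopen(path, "r");
    if (f == NULL) {
        return errno;   /* ENOENT: the process exited after we saw it */
    }
    ret = parse_uid_from_status(f, uid);
    fclose(f);
    return ret;
}

/* Returns 1 if some process runs with real uid `wanted`, 0 if none,
 * or a negative errno if /proc itself cannot be read. A process that
 * vanishes mid-scan is skipped rather than failing the whole scan. */
static int uid_is_active(uid_t wanted)
{
    DIR *proc = opendir("/proc");
    struct dirent *de;
    int found = 0;

    if (proc == NULL) {
        return -errno;
    }
    while ((de = readdir(proc)) != NULL) {
        char *end;
        long pid = strtol(de->d_name, &end, 10);
        uid_t uid;

        if (*end != '\0' || pid <= 0) {
            continue;   /* not a <pid> directory */
        }
        if (get_uid_from_pid((pid_t)pid, &uid) != 0) {
            continue;   /* gone or unreadable: move on to the next entry */
        }
        if (uid == wanted) {
            found = 1;
            break;
        }
    }
    closedir(proc);
    return found;
}

int main(void)
{
    uid_t me;
    if (get_uid_from_pid(getpid(), &me) == 0) {
        printf("own uid %lu, active: %d\n", (unsigned long)me, uid_is_active(me));
    }
    return 0;
}
```

The scan deliberately distinguishes "this one entry disappeared" (continue) from "/proc is unusable" (negative return), which is the difference between a benign race and a real error the caller must see.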
39686a58 by Michal Židek at 2019-07-05T12:24:56+02:00
TESTS: ldb-tools and sssd-tools are required for multihost tests

Some of the tests do use ldbsearch and sssd-tools.

Resolves:
https://pagure.io/SSSD/sssd/issue/3894

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
2d657dff by Tomas Halman at 2019-07-05T12:26:13+02:00
LDAP: failover does not work on non-responsive ldaps

In case ldaps:// is used, then establishing the secure socket is
a synchronous operation. If there's nothing on the other end, then
the process would be stuck waiting for the crypto library
to finish.

Here we set socket read/write timeout so the operation can finish
in reasonable time with an error. The ldap_network_timeout
option is used for this timeout.

Resolves:
https://pagure.io/SSSD/sssd/issue/2878

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
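The mitigation the commit above describes, as an added C example that is not SSSD's sdap code: the socket gets SO_RCVTIMEO and SO_SNDTIMEO before the synchronous handshake, so a read against a peer that never answers returns with EAGAIN/EWOULDBLOCK instead of blocking forever. The silent peer is simulated with a socketpair whose other end never writes; the helper names and the one-second timeout are constructed for the illustration (SSSD takes the value from ldap_network_timeout).

```c
/* Added example (not SSSD code): bound how long a blocking socket
 * operation may wait, so a TLS handshake against a dead server fails
 * instead of hanging the process. Names are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Applies the same read and write timeout to `fd`. Returns 0 or errno. */
static int set_socket_timeout(int fd, int seconds)
{
    struct timeval tv;
    tv.tv_sec = seconds;
    tv.tv_usec = 0;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) != 0) {
        return errno;
    }
    if (setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv) != 0) {
        return errno;
    }
    return 0;
}

/* Simulates "nothing on the other end": read from one side of a
 * socketpair while the other side stays silent. Returns the errno the
 * read produced (EAGAIN or EWOULDBLOCK once the timeout fires), 0 if
 * data unexpectedly arrived, or the errno of a setup failure. */
static int read_from_silent_peer(int timeout_seconds)
{
    int sv[2];
    char buf[16];
    ssize_t n;
    int err;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        return errno;
    }
    err = set_socket_timeout(sv[0], timeout_seconds);
    if (err == 0) {
        n = read(sv[0], buf, sizeof buf);   /* blocks at most timeout_seconds */
        err = (n < 0) ? errno : 0;
    }
    close(sv[0]);
    close(sv[1]);
    return err;
}

int main(void)
{
    int err = read_from_silent_peer(1);
    printf("read against silent peer: %s\n", err ? strerror(err) : "got data");
    return 0;
}
```

Without the timeout the read() in this example never returns; with it, the caller gets an error it can turn into a failover to the next server. The same socket options take effect for the crypto library's reads and writes during the handshake because they operate on the same descriptor.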
db99504a by Jakub Hrozek at 2019-07-05T12:33:12+02:00
SYSDB: Add sysdb_search_with_ts_attr

Adds a new public sysdb call sysdb_search_with_ts_attr() that allows
searching on the timestamp cache attributes, but merges back persistent
cache attributes. The converse also works: when searching the persistent
cache, the timestamp attributes or even entries that match only in the
timestamp cache are merged.

What does not work is AND-ed complex filter that contains both
attributes from the timestamp cache and the persistent cache because
the searches use the same filter, which doesn't match. We would need to
decompose the filter ourselves.

Because matching and merging the results can be time-consuming, two
flags are provided:
    SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER that only searches the timestamp
    cache, but merges back the corresponding entries from the persistent
    cache
    SYSDB_SEARCH_WITH_TS_ONLY_SYSDB_FILTER that only searches the
    persistent cache but merges back the attributes from the timestamp
    cache

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f2795529 by Jakub Hrozek at 2019-07-05T12:33:19+02:00
BE: search with sysdb_search_with_ts_attr

Previously, the background refresh code had used sysdb_search_entry()
which does not run the search on the timestamp cache. Instead, this
patch changes to using sysdb_search_with_ts_attr with the
SYSDB_SEARCH_WITH_TS_ONLY_TS_FILTER optimization because currently only
the dataExpireTimestamp attribute is included in the filter.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1a08b53d by Jakub Hrozek at 2019-07-05T12:33:23+02:00
BE: Enable refresh for multiple domains

Descend into subdomains on back end refresh and make sure to start from
users again.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bb0bd61a by Jakub Hrozek at 2019-07-05T12:33:26+02:00
BE: Make be_refresh_ctx_init set up the periodical task, too

This is mostly a preparatory patch that rolls in setting up the ptask
into be_refresh_ctx_init. Since in later patches we will call
be_refresh_ctx_init from several different places, this will prevent
code duplication.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9d49c90c by Jakub Hrozek at 2019-07-05T12:33:28+02:00
BE/LDAP: Call be_refresh_ctx_init() in the provider libraries, not in back end

Since later patches will pass different parameters to
be_refresh_ctx_init(), let's call the init function in the provider
libraries not directly in the back end.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d1eb0a70 by Jakub Hrozek at 2019-07-05T12:33:31+02:00
BE: Pass in attribute to look up with instead of hardcoding SYSDB_NAME

In later patches, we will implement refreshes for AD or IPA which might
refresh objects that do not have a name yet, but always do have a different
attribute, like a SID or a uniqueID. In this case, it's better to use that
different attribute instead of name.

This patch allows the caller to tell the refresh module which attribute
to use.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
41305ef5 by Jakub Hrozek at 2019-07-05T12:33:34+02:00
BE: Change be_refresh_ctx_init to return errno and set be_ctx->refresh_ctx

It is a bit odd that a caller to a be_ function would set a property of
be_ctx. IMO it is cleaner if the function has a side-effect and sets the
property internally and rather returns errno.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ac72bb4a by Jakub Hrozek at 2019-07-05T12:33:37+02:00
BE/LDAP: Split out a helper function from sdap_refresh for later reuse

Every refresh request will send a similar account_req. Let's split out
the function that creates the account_req into a reusable one.

Also removes the type string as it was only used in DEBUG messages and
there is already a function in the back end API that provides the same
functionality.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2cb294e6 by Jakub Hrozek at 2019-07-05T12:33:40+02:00
BE: Pass in filter_type when creating the refresh account request

For refreshing AD users and groups, we'll want to create a request by
SID, for all other requests we'll want to create a request by name. This
patch allows parametrizing the request creation by the caller.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7443498c by Jakub Hrozek at 2019-07-05T12:33:42+02:00
BE: Send refresh requests in batches

As we extend the background refresh into larger domains, the amount of
data that SSSD refreshes on the background might be larger. And
refreshing all expired entries in a single request might block sssd_be
for a long time, either triggering the watchdog or starving other
legitimate requests.

Therefore the background refresh will be done in batches of 200 entries.
The first batch of every type (up to 200 users, up to 200 groups, ...)
will be scheduled immediately and subsequent batches with a 0.5 second
delay.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0fbc317a by Jakub Hrozek at 2019-07-05T12:33:46+02:00
BE: Extend be_ptask_create() with control when to schedule next run after success

Related: https://pagure.io/SSSD/sssd/issue/4012

be_ptask_create() used to always schedule the next periodical run
"period" seconds after the previous run started. This is great for tasks
that are short-lived like DNS updates because we know they will be
really executed with the configured period.

But the background refresh task can potentially take a very long time in
which case the next run could have been scheduled almost immediately and
as a result sssd_be would always be quite busy. It is better to have the
option to schedule the next task "period" seconds after the last run has
finished. This can lead to some inconsistency, but we can warn the
admin about that.

This patch so far does not change any of the existing calls to
be_ptask_create(), just adds BE_PTASK_SCHEDULE_FROM_LAST as an
additional parameter.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
576f3691 by Jakub Hrozek at 2019-07-05T12:33:48+02:00
BE: Schedule the refresh interval from the finish time of the last run

Related: https://pagure.io/SSSD/sssd/issue/4012

Changes scheduling the periodical task so that the next run is started
relative to the previous run finish time, not start time to protect
against cases where the refresh would take too long and run practically
all the time.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
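An added example, not SSSD's own code, that works through the scheduling choice the two commits above describe: a small C model computes the next run either from the previous start or from the previous finish, and a simulation shows why a run that outlasts its period keeps the task busy all the time under the old policy. The numeric value given to BE_PTASK_SCHEDULE_FROM_LAST here is an assumption for this example.

```c
#include <time.h>

/* Stand-in for the BE_PTASK_SCHEDULE_FROM_LAST flag from the commit message;
 * the numeric value is an assumption for this example, not SSSD's. */
#define BE_PTASK_SCHEDULE_FROM_LAST 0x01

/* When should the next periodic run start?
 * started/finished: timestamps of the previous run; period: configured interval.
 * Without the flag the next run is period seconds after the previous *start*;
 * with the flag it is period seconds after the previous *finish*. */
time_t ptask_next_run(time_t started, time_t finished, time_t period,
                      unsigned int flags)
{
    time_t base = (flags & BE_PTASK_SCHEDULE_FROM_LAST) ? finished : started;
    time_t next = base + period;

    /* If the previous run outlasted its period, the "from start" deadline is
     * already in the past: the task becomes runnable the moment it finishes. */
    return next < finished ? finished : next;
}

/* Simulate 'runs' consecutive runs that each take run_secs and return the
 * fraction of wall-clock time the task was executing (1.0 = always busy). */
double ptask_busy_fraction(time_t period, time_t run_secs, int runs,
                           unsigned int flags)
{
    time_t start = 0, finish = 0, busy = 0;

    for (int i = 0; i < runs; i++) {
        finish = start + run_secs;
        busy += run_secs;
        if (i + 1 < runs) {
            start = ptask_next_run(start, finish, period, flags);
        }
    }
    return (double)busy / (double)finish;
}
```

With a 60 second period and runs that take 90 seconds, the old policy yields a busy fraction of 1.0 (sssd_be never idles), the new one 0.625.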
b72adfcc by Jakub Hrozek at 2019-07-05T12:33:52+02:00
AD: Implement background refresh for AD domains

Split out the actual useful functionality from the AD account handler
into a tevent request. This tevent request is then subsequently used by
a new ad_refresh module.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d76756ef by Jakub Hrozek at 2019-07-05T12:33:54+02:00
IPA: Implement background refresh for IPA domains

Split out the actual useful functionality from the IPA account lookup
handler into a tevent request. This tevent request is then used in a new
ipa_refresh module.

Related:
https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1d0e75e9 by Jakub Hrozek at 2019-07-05T12:33:57+02:00
BE/IPA/AD/LDAP: Add initgroups refresh support

Related: https://pagure.io/SSSD/sssd/issue/4012

In addition to refreshing users, groups and netgroups, this patch adds
the ability to also refresh initgroups. The refresh is run for any users
that have the initgrExpireTimestamp attribute close to expiration.

This request is run as the first one, because the initgroups operation
refreshes the user entry and can touch groups as well.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
79223509 by Jakub Hrozek at 2019-07-05T12:33:59+02:00
BE/IPA/AD/LDAP: Initialize the refresh callback from a list to reduce logic duplication

Related: https://pagure.io/SSSD/sssd/issue/4012

This patch slightly increases the line count, but on the other hand the
code is now more declarative and contains less logic, which should
hopefully decrease the maintenance cost in the future.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
60c876ae by Jakub Hrozek at 2019-07-05T12:34:02+02:00
IPA/AD/SDAP/BE: Generate refresh callbacks with a macro

Related: https://pagure.io/SSSD/sssd/issue/4012

The per-object type refresh functions are more or less boilerplate code.
Even though macro-generated code should be used very rarely, here the
generated code does not contain any logic at all so it makes sense to
generate it with macros.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
039384b8 by Jakub Hrozek at 2019-07-05T12:34:04+02:00
MAN: Amend the documentation for the background refresh

Related: https://pagure.io/SSSD/sssd/issue/4012

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7a08d1de by Jakub Hrozek at 2019-07-05T12:34:07+02:00
DP/SYSDB: Move the code to set initgrExpireTimestamp to a reusable function

Related: https://pagure.io/SSSD/sssd/issue/4012

Because the initgroups request can, especially in the case of the IPA provider
with trusts, contain several sub-requests that run some provider-specific
initgroups internally and then run post-processing AND because at the same
time concurrent requests in the responder need to be sure that the
initgrExpireTimestamp is only increased when the initgroups request is
really done, we only set the initgrExpireTimestamp in the DP when the
request finishes.

This means, the background refresh task needs to also set the
initgrExpireTimestamp attribute on its own as well. This patch so far
splits the helper function into a reusable one so it can later be used
by the background refresh.

For examples of the bugs caused by the initgrTimestamp being set before
the whole multi-step operation finishes, please see tickets #3744
or #2634.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cdc44a05 by Jakub Hrozek at 2019-07-05T12:34:11+02:00
IPA/AD/LDAP: Increase the initgrExpireTimestamp after finishing refresh request

Related: https://pagure.io/SSSD/sssd/issue/4012

Calls sysdb_set_initgr_expire_timestamp() after each successful refresh
of initgroups data to make sure the initgrExpireTimestamp attribute is
increased.

If you're wondering why the timestamp is not set by the initgroups operation
itself, see tickets #3744 or #2634 for examples of bugs caused by setting
the initgrExpireTimestamp too soon.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8e70dd20 by Timo Aaltonen at 2019-07-08T14:01:11+03:00
bump the version

- - - - -
a8df26bd by Timo Aaltonen at 2019-07-09T11:29:59+03:00
control: Bump policy to 4.4.0.

- - - - -
ffcf6151 by Timo Aaltonen at 2019-07-09T12:17:43+03:00
control, compat, rules: Bump debhelper to 12.

- - - - -
ebf7ff31 by Timo Aaltonen at 2019-07-10T09:53:03+03:00
*.install: Updated, some files moved to /usr/libexec.

- - - - -
6f9f1b3d by Timo Aaltonen at 2019-07-10T10:20:35+03:00
releasing package sssd version 2.2.0-1

- - - - -
14ad5c00 by Timo Aaltonen at 2019-07-11T00:53:35+03:00
rules: Override dh_installman, let dh_install handle installing manpages too.

- - - - -
34469ea4 by Timo Aaltonen at 2019-07-11T00:59:49+03:00
releasing package sssd version 2.2.0-2

- - - - -
547e384d by Timo Aaltonen at 2019-07-12T10:00:33+03:00
common/ipa/krb5-common/proxy.postinst: Use libexec path. (Closes: #931859)

- - - - -
e9003d1b by Timo Aaltonen at 2019-07-12T10:20:27+03:00
releasing package sssd version 2.2.0-3

- - - - -
8be1a0e8 by Alexey Tikhonov at 2019-07-15T13:52:00+02:00
util/crypto: removed erroneous declaration

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e839acd1 by Alexey Tikhonov at 2019-07-15T13:52:07+02:00
util/crypto/sss_crypto.c: cleanup of includes

Removed unneeded include of config.h and added includes for open()
and error codes according to the man page.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9f4b7d9f by Alexey Tikhonov at 2019-07-15T13:52:10+02:00
util/crypto: generate_csprng_buffer() changed

1) generate_csprng_buffer() is renamed to sss_generate_csprng_buffer()
to make util/crypto API more consistent
2) its implementation became dependent on crypto backend being used
3) in case of libcrypto backend RAND_bytes() is used instead of
direct access to "/dev/urandom"

Relates: https://pagure.io/SSSD/sssd/issue/4024

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
93d0aba5 by Alexey Tikhonov at 2019-07-15T13:52:13+02:00
util/crypto: added sss_rand()

Introduced `sss_rand()` wrapper to be used in project sources in every
applicable case where "raw" rand()/etc are used now.

Relates: https://pagure.io/SSSD/sssd/issue/4024

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bfc02ea2 by Alexey Tikhonov at 2019-07-15T13:52:16+02:00
crypto/libcrypto/crypto_nite.c: memory leak fixed

Fixed leaking of memory in case of failure in `sss_encrypt()` function.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
548ea574 by Alexey Tikhonov at 2019-07-15T13:52:18+02:00
FIPS140 compliant usage of PRNG

Calls to `rand()`, "/dev/urandom", etc. are replaced with
appropriate wrappers from `util/crypto`.

Resolves: https://pagure.io/SSSD/sssd/issue/4024

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f4e39c76 by Sam Morris at 2019-07-15T14:03:45+01:00
fix-have-systemd.patch: correct detection of systemd.pc

Caused sssd to be built without systemd notification support.

- - - - -
82b281c0 by Sam Morris at 2019-07-15T14:21:47+01:00
default-to-socket-activated-services.diff: rely on socket activation to spawn nss and pam responders

sssd-{nss,pam}.socket will only start if the corresponding backend is
_not_ listed in the 'services' line in sssd.conf. This change causes
them to be socket-activated instead of managed by sssd.

- - - - -
1f528861 by Alexey Tikhonov at 2019-07-15T15:24:18+02:00
crypto/nss: some nss_ctx_init() params made const

This patch fixes compilation issues introduced in 8aa0dfd:
as `key` parameter of sss_encrypt() and sss_decrypt() became const,
changes in signature of nss_ctx_init() were required to follow up.
For more details see https://github.com/SSSD/sssd/pull/846

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8d64e9f5 by Sam Morris at 2019-07-15T21:56:45+02:00
build: fix detection of systemd.pc

Related: https://pagure.io/SSSD/sssd/issue/4043

A typo prevents systemd.pc from being detected; in turn this means
HAVE_SYSTEMD is never set, responders are built without socket
activation support and the monitor never notifies systemd that it is
ready.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8f22e795 by Pavel Březina at 2019-07-16T17:00:30+02:00
ci: switch to new tooling and remove 'Read trusted files' stage

The 'Read trusted files' stage was removed because all scripts are
now being executed on client machines so there is no point to prohibit
modification.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
209edb3e by Pavel Březina at 2019-07-16T17:00:33+02:00
ci: rebase pull request on the target branch

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
230de12b by Pavel Březina at 2019-07-16T17:00:37+02:00
ci: print node on which the test is being run

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
6815844d by Pavel Březina at 2019-07-18T11:02:01+02:00
sudo: use proper datetime for default modifyTimestamp value

The current default was simply "1", however OpenLDAP server was unable
to compare the modifyTimestamp attribute to a simple number. A proper datetime
is required by OpenLDAP.

It worked correctly on 389-ds.

Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that sudo smart refresh uses `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of proper datetime value)

The minimum value accepted by OpenLDAP is 00000101000000Z, as neither month nor day can be zero.

Resolves:
https://pagure.io/SSSD/sssd/issue/4046

- - - - -
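An added example, not SSSD's own code, of the fix the commit above describes: a helper formats a time_t as LDAP GeneralizedTime and the smart-refresh filter falls back to the minimum value OpenLDAP accepts instead of the bare "1" when nothing has been cached yet. The function names are this example's own, not SSSD's.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Lowest GeneralizedTime value OpenLDAP accepts, as noted in the commit
 * message: month and day must not be zero. */
#define LDAP_GENERALIZED_TIME_MIN "00000101000000Z"

/* Format a UTC time_t as LDAP GeneralizedTime (YYYYMMDDHHMMSSZ).
 * Returns 0 on success, -1 if the buffer is too small or the time is invalid. */
int format_generalized_time(time_t t, char *buf, size_t buflen)
{
    struct tm tm;

    if (gmtime_r(&t, &tm) == NULL) {
        return -1;
    }
    if (strftime(buf, buflen, "%Y%m%d%H%M%SZ", &tm) == 0) {
        return -1;
    }
    return 0;
}

/* Build the sudo smart-refresh filter. last_refresh == 0 means no rules have
 * been cached yet; instead of the bare "1" that OpenLDAP rejected, the minimum
 * valid GeneralizedTime is used. Returns 0 on success, -1 on error. */
int sudo_smart_refresh_filter(time_t last_refresh, char *buf, size_t buflen)
{
    char ts[sizeof("YYYYMMDDHHMMSSZ")];   /* 15 characters plus NUL */
    int n;

    if (last_refresh == 0) {
        strcpy(ts, LDAP_GENERALIZED_TIME_MIN);
    } else if (format_generalized_time(last_refresh, ts, sizeof(ts)) != 0) {
        return -1;
    }

    n = snprintf(buf, buflen,
                 "(&(objectclass=sudoRole)(modifyTimestamp>=%s))", ts);
    if (n < 0 || (size_t)n >= buflen) {
        return -1;   /* truncated filter must never be sent to the server */
    }
    return 0;
}
```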
7f7eb45b by Timo Aaltonen at 2019-07-19T18:16:38+03:00
releasing package sssd version 2.2.0-4

- - - - -
ff8284e2 by Alex Rodin at 2019-07-22T20:28:23+02:00
tests/cmocka/test_dyndns.c: Switching from tevent_loop_once() to tevent_loop_wait()

Switching from tevent_loop_once() to tevent_loop_wait() as the bug was fixed https://bugzilla.samba.org/show_bug.cgi?id=10012

Resolves: https://pagure.io/SSSD/sssd/issue/3962

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
15cc1e40 by Tomas Halman at 2019-07-22T20:30:34+02:00
CONFDB: Files domain if activated without .conf

Implicit files domain gets activated when no sssd.conf is present
and sssd is started. This does not respect the --disable-files-domain
configure option.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1713352

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
31e08f30 by Tomas Halman at 2019-07-22T20:31:07+02:00
TESTS: adapt tests to enabled default files domain

Some tests expect that SSSD is compiled with --enable-files-domain
option (test_no_sssd_conf). But having this enabled by default
breaks some other tests.

This patch adds --enable-files-domain to test build and explicitly
disables the domain in configuration of some tests (ldap, enumeration).

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1713352

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
7f0a8f50 by Sumit Bose at 2019-07-22T20:33:24+02:00
p11_child: prefer better digest function if card supports it

To improve FIPS compliance and security in general p11_child now checks
which message digest functions (hashes) are supported for RSA keys and
tries to use the highest bit length supported.

For EC keys sha512 is used unconditionally.

Related to https://pagure.io/SSSD/sssd/issue/4039

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
60748f69 by Sumit Bose at 2019-07-22T20:33:29+02:00
p11_child: fix a memory leak and other memory management issues

EVP_MD_CTX_create() was called without matching EVP_MD_CTX_destroy().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
06479a1d by Samuel Cabrero at 2019-07-31T21:49:14+02:00
nss: Fix command 'endservent' resetting wrong struct member

Resolves:
https://pagure.io/SSSD/sssd/issue/4050

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
5b235bbd by Tomas Halman at 2019-07-31T21:52:44+02:00
BE: Introduce flag for be_ptask_create

The be_ptask_create has already too many parameters. Let's have a flags
parameter to avoid future extending.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1c752189 by Tomas Halman at 2019-07-31T21:52:50+02:00
BE: Convert be_ptask params to flags

The be_ptask_create call has a lot of parameters.
Some of them can be converted to flags to simplify
the declaration.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f2c69a67 by Tomas Halman at 2019-07-31T21:52:52+02:00
DYNDNS: dyndns_update is not enough

When dyndns_update is set to True and dyndns_refresh_interval is
not set or set to 0, DNS is not updated at all.

With this patch DNS is updated when sssd changes its state to
online.

If dyndns_refresh_interval is set, updates are performed as
before - i.e. when coming online and then every
dyndns_refresh_interval.

Resolves:
https://pagure.io/SSSD/sssd/issue/4047

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b1ea33ec by Pavel Březina at 2019-07-31T21:55:14+02:00
systemd: add Restart=on-failure to sssd.service

Resolves:
https://pagure.io/SSSD/sssd/issue/4040

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
7b4635c8 by Pavel Březina at 2019-07-31T21:59:04+02:00
man: fix description of dns_resolver_op_timeout

Resolves:
https://pagure.io/SSSD/sssd/issue/3217

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3807de1d by Pavel Březina at 2019-07-31T21:59:10+02:00
man: fix description of dns_resolver_timeout

Resolves:
https://pagure.io/SSSD/sssd/issue/3217

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
99e2a107 by Pavel Březina at 2019-07-31T21:59:12+02:00
failover: add dns_resolver_server_timeout option

Resolves:
https://pagure.io/SSSD/sssd/issue/3217

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e97ff0ad by Pavel Březina at 2019-07-31T21:59:15+02:00
failover: change default timeouts

Resolves:
https://pagure.io/SSSD/sssd/issue/3217

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
049f3906 by Pavel Březina at 2019-07-31T21:59:17+02:00
config: add dns_resolver_op_timeout to option list

Resolves:
https://pagure.io/SSSD/sssd/issue/3217

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8cdb0b40 by Timo Aaltonen at 2019-08-01T17:40:37+03:00
default-to-socket-activated-services.diff: Don't enable any services when run without a conffile.

- - - - -
db46cd08 by Jakub Jelen at 2019-08-07T18:25:56+02:00
pam_sss: Add missing colon to the PIN prompt

This can be noticed in the sudo prompt, when the system is configured
to authenticate users using smart cards.

Resolves: Pagure#4049

Signed-off-by: Jakub Jelen <jjelen at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e9091aba by Sumit Bose at 2019-08-07T19:07:02+02:00
pam: make sure p11_child.log has the right permissions

If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
8119ee21 by Sumit Bose at 2019-08-07T19:07:32+02:00
ssh: make sure p11_child.log has the right permissions

If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
9339c445 by Sumit Bose at 2019-08-07T19:07:36+02:00
BE: make sure child log files have the right permissions

If SSSD runs as an unprivileged user we should make sure the log files for
child processes have the right permission so that the child process can
write to them.

Related to https://pagure.io/SSSD/sssd/issue/4056

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ca02a20c by Jakub Hrozek at 2019-08-07T20:54:51+02:00
MAN: Get rid of sssd-secrets reference

Related:
https://pagure.io/SSSD/sssd/issue/3685

There were some stray references to the secrets responder in the
sssd-kcm manual page.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
84eca2e8 by Jakub Hrozek at 2019-08-07T20:54:57+02:00
MAN: Document that it is enough to systemctl restart sssd-kcm.service lately

Related:
https://pagure.io/SSSD/sssd/issue/3862

We forgot to amend the man page after implementing the sssd-kcm service
reload.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
f74b9786 by Jakub Hrozek at 2019-08-07T20:55:00+02:00
SECRETS: Use different option names from secrets and KCM for quota options

Related:
https://pagure.io/SSSD/sssd/issue/3386

With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.

With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.

For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
940002ca by Jakub Hrozek at 2019-08-07T20:55:04+02:00
SECRETS: Don't limit the global number of ccaches

Related:
https://pagure.io/SSSD/sssd/issue/3386

In the KCM context, the global number of ccaches would limit the number
of users who can store their ccaches in the KCM daemon.

In more detail, the options have the following semantics with KCM:
    - DEFAULT_SEC_KCM_MAX_SECRETS - global number of secrets, would
    cover both how many ccaches can a user store, but this is better
    served with DEFAULT_SEC_KCM_MAX_UID_SECRETS

    - DEFAULT_SEC_KCM_MAX_UID_SECRETS - how many 'principals' can a user
    kinit with

    - DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE - the payload size of service
    tickets

With the above in mind, I think the most important limits are
max_uid_secrets to limit and the payload size to constrain how much
space a user can occupy, and it doesn't make much sense to limit the
global quota.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
f00db73d by Jakub Hrozek at 2019-08-07T20:55:07+02:00
KCM: Pass confdb context to the ccache db initialization

Resolves:
https://pagure.io/SSSD/sssd/issue/3386

The libsecrets back end needs to read the quota options from confdb,
therefore it needs to know the section and access the confdb handle.

These parameters are unused for other ccache back end types, but they
are harmless and IMO it makes more sense to keep the ccache back end
abstract.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
f024b5e4 by Jakub Hrozek at 2019-08-07T20:55:11+02:00
KCM: Configurable quotas for the secdb ccache back end

Related:
https://pagure.io/SSSD/sssd/issue/3386

Exposes three new options for the [kcm] responder to set the global
ccache limit, the per-uid ccache limit and the payload size.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
247aa480 by Jakub Hrozek at 2019-08-07T20:55:15+02:00
TESTS: Add tests for the configurable quotas

Related:
https://pagure.io/SSSD/sssd/issue/3386

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
ba01db0d by Sumit Bose at 2019-08-07T21:11:14+02:00
utils: remove unused prototype (cert_to_ssh_key)

This is a leftover from a previous cleanup done in the context of
https://pagure.io/SSSD/sssd/issue/3489.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
a97ec73e by Sumit Bose at 2019-08-07T21:11:27+02:00
utils: move parse_cert_verify_opts() into separate file

parse_cert_verify_opts() is only used by p11_child, so it makes sense to
move the sources nearer together. The related test is still in
test_utils but it can be split out as well if there are more p11_child
related unit tests.

Related to https://pagure.io/SSSD/sssd/issue/4032

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
ad9dd137 by Sumit Bose at 2019-08-07T21:11:31+02:00
p11_child: make OCSP digest configurable

Currently sha1 is used to create the certid for an OCSP request. Since
sha1 is not recommended for new applications anymore and not FIPS
compliant this patch changes the default to sha256 and makes the digest
function configurable as well.

Related to https://pagure.io/SSSD/sssd/issue/4032

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
5574de0f by Sumit Bose at 2019-08-14T14:09:30+02:00
pam: fix loop in Smartcard authentication

If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.

Related to https://pagure.io/SSSD/sssd/issue/4051

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
41da9ddf by Jakub Hrozek at 2019-08-14T14:11:18+02:00
Don't qualify users from files domain when default_domain_suffix is set

Resolves:
https://pagure.io/SSSD/sssd/issue/4052

The files domain should always be non-qualified. The usual rules like
qualification of all domains except the one set with
default_domain_suffix should not apply.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b35d88eb by Michal Židek at 2019-08-15T02:54:27+02:00
Update the translations for the 2.2.1 release

- - - - -
4bc34227 by Michal Židek at 2019-08-15T12:57:33+02:00
Bumping the version to track the 2.2.2 development

- - - - -
820151f3 by Jakub Hrozek at 2019-08-18T23:09:17+02:00
MAN: Document that PAM stack contains the systemd-user service in the account phase in RHEL-8

Resolves:
https://pagure.io/SSSD/sssd/issue/3932

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
815957cd by Pavel Březina at 2019-08-23T17:13:20+02:00
ad: remove subdomain that has been disabled through ad_enabled_domains from sysdb

If previously enabled subdomain was disabled by removing it from ad_enabled_domains
option in sssd.conf, its cached content (including the domain object itself)
was kept in sysdb. Therefore even though the domain was effectively disabled in
the backend its cached data was still available in responders.

Subdomains that are disabled on server side are correctly removed from sysdb in
`ad_subdomains_refresh()` so this issue is related only to the configuration
option.

Resolves:
https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7a03e998 by Pavel Březina at 2019-08-23T17:13:56+02:00
sysdb: add sysdb_domain_set_enabled()

This will be used in subsequent patches to disable subdomains.

Resolves:
https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6882bc5f by Pavel Březina at 2019-08-23T17:14:01+02:00
ad: set enabled=false attribute for subdomains that no longer exist

Only the forest root domain needs to be disabled because it has to be available
for other tasks. All other non-root domains are removed from cache completely
so it does not make sense for them.

Resolves:
https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d278704d by Pavel Březina at 2019-08-23T17:14:05+02:00
sysdb: read and interpret domain's enabled attribute

Disable domain if its sysdb object has enabled=false.

Resolves:
https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c7e6530d by Pavel Březina at 2019-08-23T17:14:10+02:00
sysdb: add sysdb_list_subdomains()

To list all cached subdomains names.

Resolves:
https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d0bdaabb by Pavel Březina at 2019-08-23T17:14:13+02:00
ad: remove all subdomains if only master domain is enabled

Resolves:
https://pagure.io/SSSD/sssd/issue/4009

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b3c35421 by Pavel Březina at 2019-08-23T17:14:17+02:00
ad: make ad_enabled_domains case insensitive

The rest of the code that works with the ad_enabled_domains option
is case insensitive so we rather should be consistent.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f19f8e6b by Tomas Halman at 2019-08-23T17:40:55+02:00
SERVER: Receiving SIGSEGV process on shutdown

There is a race condition when dynamic libraries are unloaded. Talloc
library calls our destructors but they still need openssl calls
which might be not available.

Solution is to explicitly free the memory context and trigger
destructors before calling exit(). In this PR the SIGTERM
handler is moved from individual providers to general
backend code.

Also generic server code is changed to explicitly free the
memory context when signal is received.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1672584

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c2e24df4 by Jakub Hrozek at 2019-08-23T17:46:36+02:00
IPA: Allow paging when fetching external groups

For some reason (I guess a mistake during refactoring..) the LDAP search
request that fetches the external groups does not enable the paging
control. This means that the number of external groups that SSSD can
fetch is limited to 2000.

Resolves: https://pagure.io/SSSD/sssd/issue/4058

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c580c76a by Jakub Hrozek at 2019-08-23T18:38:32+02:00
KCM: Use int32_t type conversion in DEBUG message for int32_t variable

The KDC offset is stored as int32_t, but a DEBUG message in KCM was using
a uint32_t. This led to confusion as it appeared that the offset does
not work.

Resolves:
https://pagure.io/SSSD/sssd/issue/4063

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8e1f6734 by Pavel Březina at 2019-08-23T18:45:28+02:00
ci: use python2 version of pytest

Fedora 31 changed symlink of /usr/bin/py.test from pytest2 to pytest3.
We need to run the python2 version in order to run our tests with python2.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
498a230e by Pavel Březina at 2019-08-23T18:45:50+02:00
ci: pep8 was renamed to pycodestyle in Fedora 31

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e989620b by Sumit Bose at 2019-08-23T18:51:09+02:00
pam: keep pin on the PAM stack for forward_pass

Currently only the password or the long-term part of a two-factor
authentication was kept on the PAM stack if pam_sss.so has the option
forward_pass. With this patch the Smartcard PIN can be forwarded to
other PAM modules as well.

Related https://pagure.io/SSSD/sssd/issue/4067

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6e759010 by Sumit Bose at 2019-08-23T20:04:38+02:00
pam: do not accept empty PIN

The current check for an empty PIN was incomplete and if no PIN was
given pam_sss should not send a request to SSSD's pam responder. This
would match the behavior if a user name hint should be requested as
well.

Related to: https://pagure.io/SSSD/sssd/issue/4068

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
94597008 by Sumit Bose at 2019-08-23T20:04:59+02:00
pam: use PAM return codes where expected

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5dccf76a by Sumit Bose at 2019-08-23T20:14:07+02:00
pam: set PAM_USER properly with allow_missing_name

Currently if the allow_missing_name pam_sss option is used PAM_USER is
set to the fully-qualified name; only for the files provider it is set to
the short name. This might cause issues with other components expecting
that the value of PAM_USER corresponds to the name returned by the nss
calls getpwnam() and getpwuid().

With this patch PAM_USER is set to the same user name as returned by the
NSS responder. For the communication between pam_sss and SSSD's PAM
responder the fully-qualified name is kept.

Related to https://pagure.io/SSSD/sssd/issue/4069

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7fcd0a70 by Tomas Halman at 2019-08-23T20:19:34+02:00
BE: Invalid operator used in condition

There is a wrong binary OR used in the condition. We have to use & here.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1744134

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7129979b by Pavel Březina at 2019-08-23T21:20:58+02:00
ci: remove leftovers from previous rebase

If a previous run of a PR failed to rebase, the code was left in a rebase
in progress and was not correctly overwritten by new changes in the
patches.

Reviewed-by: Tomas Halman <thalman at redhat.com>

- - - - -
e7b7edea by Sumit Bose at 2019-08-23T21:39:30+02:00
Revert "SERVER: Receiving SIGSEGV process on shutdown"

This reverts commit f19f8e6b917e77d5d2bfdedc78e5669b522ea265.

- - - - -
a9669683 by Tomas Halman at 2019-08-29T16:32:49+02:00
SERVER: Receiving SIGSEGV process on shutdown

There is a race condition when dynamic libraries are unloaded. The talloc
library calls our destructors but they still need openssl calls
which might not be available.

The solution is to explicitly free the memory context and trigger
destructors before calling exit(). In this PR the SIGTERM
handler is moved from individual providers to general
backend code.

Also generic server code is changed to explicitly free the
memory context when the signal is received.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1672584

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f9b589a4 by Pavel Březina at 2019-08-30T12:44:56+02:00
sudo: do not update last usn value on rules refresh

Refreshing specific rules may produce a higher usn value than the one
that is already remembered if the rules changed on the server. However,
there may be another rule that is not being refreshed whose usn value
is higher than the current value but lower than the value of some of the
refreshed rules. If the highest usn value is updated in this case, the
rule would not be found by smart refresh.

Thus we must not update the usn value during rules refresh.

Resolves:
https://pagure.io/SSSD/sssd/issue/3996

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
6b057002 by Jakub Hrozek at 2019-08-30T16:36:41+02:00
KCM: Add a forgotten return

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
f5f7f26a by Jakub Hrozek at 2019-08-30T16:36:41+02:00
KCM: Allow modifications of ccache's principal

Related:
https://pagure.io/SSSD/sssd/issue/4017

This patch will be useful to fix credential delegation.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
0216bfe2 by Jakub Hrozek at 2019-08-30T16:36:41+02:00
KCM: Fill empty cache, do not initialize a new one

Related:
https://pagure.io/SSSD/sssd/issue/4017

openssh uses this sequence of calls:
    gen_new()
    switch()
    initialize()

What happened before was that if there was already some cache, gen_new
would create a new empty cache, then switch would set it as the default.
But then, during the initialize call, the cache that used to be the
default was deleted, another one created and used as the default. This
meant that afterwards KCM would store the credentials in the previous
cache, which would no longer be the default.

The logic behind was that KCM didn't anticipate the client generating
the new cache and setting the default on its own.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
18611d70 by Pavel Březina at 2019-09-03T15:41:21+02:00
ifp: let cache_req parse input name so it can fallback to upn search

UPN search expects that the input name is in its fully qualified form.
However, GetUserAttr calls cache_req with an unqualified username, therefore
it never falls back to UPN search.

Steps to reproduce:
1. Configure SSSD against AD
2. Set UPN to `TestUserUPN at ad.vm`
3. Run:

```
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:TestUserUPN at ad.vm array:string:name
Error sbus.Error.NotFound: No such file or directory
```

Resolves:
https://pagure.io/SSSD/sssd/issue/4065

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
078ed8db by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
BUILD: Add macro for checking python3 modules

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b262a7b8 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
BUILD: Fix typo of detecting python module for intgcheck

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e7d1c152 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
BUILD: Move checking of python2 modules for intgcheck

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
87e97bb0 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
BUILD: Add macro for checking pytest for intgcheck

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b0ad6860 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
BUILD: Change value of variable HAVE_PYTHON2/3_BINDINGS

It will simplify detection in the following patches.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4378d949 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
BUILD: Move python checks for intgcheck to macro

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
05aad030 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
INTG: Do not hardcode version of python/pytest in intgcheck

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e1346b9 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
BUILD: Prefer python3 for intgcheck

Samba 4.11.0 dropped support for python2 and thus it was also
dropped from samba related libraries (ldb ...)
which are required by integration tests.

Merges: https://pagure.io/SSSD/sssd/pull-request/4075

Resolves:
https://pagure.io/SSSD/sssd/issue/4074

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5dc86be0 by Lukas Slebodnik at 2019-09-05T10:38:04+02:00
intg: Install python3 dependencies for intgcheck on new distros

Samba 4.11.0 dropped support for python3 and thus it was also
dropped from samba related libraries (ldb ...)
which are required by integration tests.

Merges: https://pagure.io/SSSD/sssd/pull-request/4075

Resolves:
https://pagure.io/SSSD/sssd/issue/4074

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d625308c by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
pyhbac: Fix warning Wdiscarded-qualifiers

The macro PyDoc_STRVAR changed in python 3.8
and it defines the variable with a const modifier.

src/python/pyhbac.c: In function ‘PyInit_pyhbac’:
src/python/pyhbac.c:1948:25: warning: passing argument 2 of
   ‘sss_exception_with_doc’ discards ‘const’ qualifier from pointer
   target type [-Wdiscarded-qualifiers]
 1948 |                         HbacError__doc__,
      |                         ^~~~~~~~~~~~~~~~
In file included from src/python/pyhbac.c:27:
./src/util/sss_python.h:33:1: note: expected ‘char *’ but argument
    is of type ‘const char *’
 33 | sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict);
    | ^~~~~~~~~~~~~~~~~~~~~~

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0610618b by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
test_pam_responder: Fix unicode error

Use raw strings instead; the other alternative would be to escape the backslash.

E     File "/home/build/sssd/src/tests/intg/test_pam_responder.py", line 647
E       assert err.find("pam_authenticate for user [auth_only\user1]: " +
E                      ^
E   SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 36-37: truncated \uXXXX escape

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f10530b3 by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
SSSDConfig: Add minimal test for parse method

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
be3588bd by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
SSSDConfig: Fix SyntaxWarning "is not" with a literal

There is a warning with python 3.8:

/usr/lib/python3.8/site-packages/SSSDConfig/ipachangeconf.py:399:
 SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if len(sectopts) is not 0:

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bce896fe by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
TESTS: Add minimal test for pysss encrypt

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
618014f4 by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
pysss: Fix DeprecationWarning PY_SSIZE_T_CLEAN

src/tests/pysss-test.py:73: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
  val1 = obfuscator.encrypt("123", obfuscator.AES_256)

These were introduced by https://bugs.python.org/issue36381 to warn about
an upcoming Python C API change. The meaning of PY_SSIZE_T_CLEAN is described
in https://python.readthedocs.io/en/stable/c-api/arg.html#strings-and-buffers.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a946d134 by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
pysss_murmur: Fix DeprecationWarning PY_SSIZE_T_CLEAN

src/tests/pysss_murmur-test.py:93: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
  hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed)
src/tests/pysss_murmur-test.py:96: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats
  hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed)

These were introduced by https://bugs.python.org/issue36381 to warn about
an upcoming Python C API change. The meaning of PY_SSIZE_T_CLEAN is described
in https://python.readthedocs.io/en/stable/c-api/arg.html#strings-and-buffers.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f3529bed by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
test_pam_responder: Fix DeprecationWarning invalid escape sequence

test_pam_responder.py:151
  src/tests/intg/test_pam_responder.py:151: DeprecationWarning: invalid escape sequence \%
    return unindent("""\

Merges: https://pagure.io/SSSD/sssd/pull-request/4076

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
629416d8 by Lukas Slebodnik at 2019-09-05T10:43:51+02:00
testlib: Fix SyntaxWarning "is" with a literal

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f52eadd3 by Michal Židek at 2019-09-12T14:09:23+02:00
Update the translations for the 2.2.2 release

- - - - -
bc35fa2f by Michal Židek at 2019-09-12T17:53:26+02:00
Bumping the version to track the 2.2.3 development

- - - - -
65de0d36 by Pavel Březina at 2019-09-16T10:33:29+02:00
sss_ptr_hash: keep value pointer when destroying spy

Otherwise its value in the delete callback is NULL.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0d477763 by Pavel Březina at 2019-09-16T10:33:29+02:00
autofs: fix typo in test tool

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5097684d by Pavel Březina at 2019-09-16T10:33:30+02:00
sysdb: add expiration time to autofs entries

This will be later used to expire single entries during
`get entry by name` operation.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
eadfba5c by Pavel Březina at 2019-09-16T10:33:30+02:00
sysdb: add sysdb_get_autofsentry

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fb83d820 by Pavel Březina at 2019-09-16T10:33:30+02:00
sysdb: add enumerationExpireTimestamp

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d01ddb06 by Pavel Březina at 2019-09-16T10:33:30+02:00
sysdb: store enumeration expiration time in autofs map

We need to distinguish between 'object expired' when we need
to obtain only the map entry and 'enumeration expired' when
we need to enumerate the map entry.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e9fc0099 by Pavel Březina at 2019-09-16T10:33:30+02:00
sysdb: store original dn in autofs map

This will be used later when fetching single entry.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4efe83c2 by Pavel Březina at 2019-09-16T10:33:30+02:00
sysdb: add sysdb_del_autofsentry_by_key

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8b2ab488 by Pavel Březina at 2019-09-16T10:33:30+02:00
cache_req: add autofs map entries plugin

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1fc3e4a1 by Pavel Březina at 2019-09-16T10:33:30+02:00
cache_req: add autofs map by name plugin

We will use the current data provider call that downloads all map entries
but we will replace it later when new call is available.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
85c86687 by Pavel Březina at 2019-09-16T10:33:30+02:00
cache_req: add autofs entry by name plugin

We will use the current data provider call that downloads all map entries
but we will replace it later when new call is available.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7726093e by Pavel Březina at 2019-09-16T10:33:30+02:00
autofs: convert code to cache_req

This will simplify the code a lot so it can be further extended.
At this point the conversion is done 1:1, we will do additional
changes in next patches.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e5165199 by Pavel Březina at 2019-09-16T10:33:30+02:00
autofs: use cache_req to obtain single entry in getentrybyname

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
29b1ffd0 by Pavel Březina at 2019-09-16T10:33:30+02:00
autofs: use cache_req to obtain map in setent

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ad8b4c16 by Pavel Březina at 2019-09-16T10:33:30+02:00
dp: add dp_error_to_ret

To convert (ret, dp_error) pair to single errno_t value.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0d56c1aa by Pavel Březina at 2019-09-16T10:33:30+02:00
dp: add dp_no_output type to be used in dp_set_method

This type says that there is no output value from the data provider
method. The whole data provider api should be kind of reworked as
its main functionality was superseded by the new sbus implementation
and removed. The rest of the interface can be done much better.
But this is out of scope of these patches.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0e729863 by Pavel Březina at 2019-09-16T10:33:30+02:00
dp: add additional autofs methods

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2a0b74a5 by Pavel Březina at 2019-09-16T10:33:30+02:00
dp: replace autofs handler with enumerate method

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d096eeb1 by Pavel Březina at 2019-09-16T10:33:30+02:00
ldap: add base_dn to sdap_search_bases

To implement cases where we need to search a specific dn but we need
to filter the result with configured filters.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f3f22320 by Pavel Březina at 2019-09-16T10:33:30+02:00
ldap: rename sdap_autofs_get_map to sdap_autofs_enumerate

get_map name will be later used to obtain only the map object.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
66e1eda6 by Pavel Březina at 2019-09-16T10:33:30+02:00
ldap: implement autofs get map

This will obtain only the map object.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f3aaaca4 by Pavel Březina at 2019-09-16T10:33:30+02:00
ldap: implement autofs get entry

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e050872d by Pavel Březina at 2019-09-16T10:33:30+02:00
autofs: allow to run only setent without enumeration in test tool

So we can test that setent stores only the map object.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
09781a33 by Pavel Březina at 2019-09-16T10:33:30+02:00
autofs: always refresh auto.master

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e016ada3 by Pavel Březina at 2019-09-16T10:33:30+02:00
sysdb: invalidate also autofs entries

Autofs entries got data expiration attribute so we must
make sure it is invalidated as well.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
399b2a65 by Pavel Březina at 2019-09-16T10:33:30+02:00
sss_cache: invalidate also autofs entries

Invalidating map will also invalidate all its child entries.

Resolves:
https://pagure.io/SSSD/sssd/issue/2607

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f0f0003c by Lukas Slebodnik at 2019-09-16T10:40:56+02:00
IFP: Fix talloc hierarchy for members of struct ifp_list_domains_state

The function talloc_steal was called in ifp_list_domains_recv
  *_paths = talloc_steal(mem_ctx, state->paths)

But the talloc hierarchy for entries in the list state->paths was not
correct, therefore the memory was freed together with the state.

Merges: https://pagure.io/SSSD/sssd/pull-request/4082

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
27b141f3 by Sumit Bose at 2019-09-17T14:42:14+02:00
ipa: use LDAP not extdom to lookup IPA users and groups

Currently when an IPA client is resolving trusted users and groups with
the help of the extdom plugin it uses the extdom plugin as well to
lookup IPA objects. This might cause issues if e.g. there is a user in
IPA with the same name as a group in AD or the other way round.

To solve this and to lower the load on the extdom plugin on the IPA
server side this patch will lookup IPA object directly from LDAP on the
IPA server.

Related to https://pagure.io/SSSD/sssd/issue/4073

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b241e079 by Pavel Březina at 2019-09-17T14:47:40+02:00
ci: allow distribution specific suppression files

Format: sssd.$DISTRO_ID.supp

e.g. sssd.debian.supp

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
4488908f by Pavel Březina at 2019-09-17T14:47:40+02:00
ci: suppress Debian valgrind errors

This is a known issue in the Debian version of OpenSSL.

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
206d994e by Pavel Březina at 2019-09-17T14:47:40+02:00
ci: add Debian 10

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
4a806a09 by Timo Aaltonen at 2019-09-18T11:37:19+03:00
Merge branch 'upstream'

- - - - -
7bd3c922 by Timo Aaltonen at 2019-09-18T11:38:45+03:00
bump the version

- - - - -
826f9baf by Timo Aaltonen at 2019-09-18T11:38:59+03:00
fix a typo

- - - - -
4962e457 by Timo Aaltonen at 2019-09-18T12:53:29+03:00
fix-have-systemd.diff: Dropped, upstream.

- - - - -
89c01192 by Timo Aaltonen at 2019-09-18T12:53:51+03:00
default-to-socket-activated-services.diff: Refreshed.

- - - - -
16dbcf0e by Timo Aaltonen at 2019-09-18T12:56:09+03:00
signing-key: Add key from Michal Židek.

- - - - -
27763874 by Timo Aaltonen at 2019-09-18T14:46:39+03:00
Get rid of all old pre/postinst file removal fluff, since that's all obsolete by now.

- - - - -
1cb1934d by Timo Aaltonen at 2019-09-18T15:25:37+03:00
Drop python2 support. (Closes: #938566)

- - - - -
33fe794c by Timo Aaltonen at 2019-09-18T15:28:58+03:00
releasing package sssd version 2.2.2-1

- - - - -
6a203ac2 by Thorsten Scherf at 2019-09-20T10:20:26+02:00
Fix option type for ldap_group_type

Signed-off-by: Thorsten Scherf <tscherf at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
07e2850c by Niranjan M.R at 2019-09-20T10:22:35+02:00
pytest: Use idm:DL1 module to install 389-ds

The earlier command to install 389-ds is no
longer valid; to install 389-ds the module
to be used is idm:DL1.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cb04b141 by Michal Židek at 2019-09-20T10:23:18+02:00
SPECFILE: Add 'make' as build dependency

This caused some of my scripts to fail when building SSSD
after fetching build dependencies from the srpm because
make was not installed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2e161487 by Sumit Bose at 2019-09-20T10:24:45+02:00
utils: extend some find_domain_* calls to search disabled domain

This extension is needed to support disabled domains since it is
now important to know if a domain is really unknown or only disabled.
While an unknown domain might typically lead to an error, a caller might
just ignore requests for disabled domains or objects from disabled
domains.

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3c871a3f by Sumit Bose at 2019-09-20T10:24:45+02:00
ipa: support disabled domains

IPA does not disable domains with the help of a flag in the domain
objects but more generally with the help of the SID blacklist. With this
patch the blacklist is read with other data about trusted domains and if
the domain SID of a trusted domain is found the domain is disabled. As a
result users and groups from this domain cannot be looked up anymore.

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
13297b8a by Sumit Bose at 2019-09-20T10:24:45+02:00
ipa: ignore objects from disabled domains on the client

It is possible that a domain is already disabled on an IPA client but
still active on the server. This might happen e.g. if the version of
SSSD running on the IPA server does not support disabled domains or if
SSSD on the IPA client updates the domain data before the IPA server and
sees a freshly disabled domain earlier.

As a result the server is still sending objects from disabled domains in
the lists of group members or group memberships of a user. The client
should just ignore those objects.

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b12e7a49 by Sumit Bose at 2019-09-20T10:24:45+02:00
sysdb: add sysdb_subdomain_content_delete()

sysdb_subdomain_content_delete() will remove all user and group objects
from a sub-domain container but not the sub-domain object and the user
and group container itself.

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fa3e53bb by Sumit Bose at 2019-09-20T10:24:45+02:00
ipa: delete content of disabled domains

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b1340960 by Pavel Březina at 2019-09-23T09:40:45+02:00
ifp: call tevent_req_post in case of error in ifp_user_get_attr_send

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
43aae7e3 by Fabiano Fidêncio at 2019-09-23T14:27:49+02:00
TESTS: Re-add tests for `kdestroy -A`

This reverts commit 89726be5a05493b7af312f0be9ac5ecb6f1822e1 and also does
a few modifications on it in order to ensure we don't have any
regression on https://pagure.io/SSSD/sssd/issue/3413

Related:
https://pagure.io/SSSD/sssd/issue/3413

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
39e16cca by Alexey Tikhonov at 2019-09-26T10:39:48+02:00
providers/ipa/: add_v1_user_data() amended

Fixes a few mistypes and a compilation warning:
```
sssd-2.2.3/src/providers/ipa/ipa_s2n_exop.c:665:20: warning: 'gc' may be used uninitialized in this function [-Wmaybe-uninitialized]
     attrs->ngroups = gc;
     ~~~~~~~~~~~~~~~^~~~
```

Related to https://pagure.io/SSSD/sssd/issue/4078

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c08ae6cf by Pavel Březina at 2019-09-26T10:41:08+02:00
sudo: get timezone information from previous value when constructing new usn

Steps to reproduce:
1. Run sssd with openldap server
2. Set smart refresh interval to 1 second for faster testing
3. When no new rules are found, the timezone information is missing
   when creating new usn value
 > Issuing a smart refresh of sudo rules (USN >= 20190919090710)
 instead of
 > Issuing a smart refresh of sudo rules (USN >= 20190919090710Z)
4. As a consequence, the filter is incorrect when used with an openldap server

Resolves:
https://pagure.io/SSSD/sssd/issue/4085

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
dd781242 by Jakub Hrozek at 2019-10-03T11:48:55+02:00
KCM: Fix typo in allocation check

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c53311ed by Ariel O. Barria at 2019-10-10T09:03:04+02:00
sss_obfuscate: do not fail if sssd.conf contains non-ascii characters

If sssd.conf contains non-ascii characters (e.g. `# el selinux lo bloquea cuando
está en enforcing`) then sss_obfuscate fails on python2, truncating the whole
configuration file.

```
Enter password:
Re-enter password:
Traceback (most recent call last):
  File "/sbin/sss_obfuscate", line 122, in <module>
    ret = main()
  File "/sbin/sss_obfuscate", line 112, in main
    sssdconfig.write()
  File "/usr/lib/python2.7/site-packages/SSSDConfig/__init__.py", line 1526, in write
    output = self.dump(self.opts).encode('utf-8')
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc5 in position 977: ordinal not in range(128)

-rw-------. 1 root root 0 Oct 10 09:09 /etc/sssd/sssd.conf
```

Resolves:
https://pagure.io/SSSD/sssd/issue/4030

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f68bb1bf by Niranjan M.R at 2019-10-10T09:12:04+02:00
pytest: Update README with instructions to execute tests

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c5359c18 by Niranjan M.R at 2019-10-10T09:12:04+02:00
pytest/testlib: Add python-ldap as dependency

python-ldap is required for multihost tests.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bd140002 by Niranjan M.R at 2019-10-10T09:12:04+02:00
Makefile.am: Use README.md instead of README

The README.md contains instructions to execute
multihost tests in markdown syntax for better Readability.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
89b256df by Pavel Březina at 2019-10-10T09:13:20+02:00
ci: enable on demand runs

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
46754e54 by Pavel Březina at 2019-10-10T09:13:20+02:00
ci: set build name to pull request or branch name

This way it will be easier to orient in the build list.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
73bd961c by Pavel Březina at 2019-10-10T09:13:20+02:00
ci: notify that build awaits executor

This way, the old status will be removed with message 'awaiting executors'
instead of showing old success/failure state.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6baf291b by Pavel Březina at 2019-10-10T09:13:20+02:00
ci: convert to scripted pipeline

Declarative pipeline was nice for one system but it became quite
inflexible for testing on multiple systems. Many things had to
be solved by various hacks. Writing the Jenkinsfile as a scripted
pipeline is much more flexible.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
50cf3849 by Pavel Březina at 2019-10-15T11:16:47+02:00
db: fix potential memory leak in sysdb_store_selinux_config

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
3cc0db2f by Alexey Tikhonov at 2019-10-15T11:17:27+02:00
responder/cache_req: added debug helper function

Added cache_req_get_reqid() helper function to obtain cache request id
by tevent request.

Relates: https://pagure.io/SSSD/sssd/issue/4080

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bf2770fa by Alexey Tikhonov at 2019-10-15T11:17:27+02:00
responder/nss: improved debug messages

Debug messages of NSS responder were improved in order to:
 - be able to distinguish what data - POSIX or SID - were requested
 - be able to match client and specific request

Resolves: https://pagure.io/SSSD/sssd/issue/4080

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6f360783 by Alexey Tikhonov at 2019-10-15T11:17:27+02:00
responder/nss: DCE

nss_get_object_send(): `ret` can't be `EOK` so code was unreachable.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f69c7d0c by Alexey Tikhonov at 2019-10-15T11:17:27+02:00
responder: log cmdline of client pid

Relates: https://pagure.io/SSSD/sssd/issue/4080

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f67109c4 by Samuel Cabrero at 2019-10-15T11:18:17+02:00
SYSDB: Delete linked local user overrides when deleting a user

If a cached user having a linked userOverride is deleted from the LDAP
server, at some point it will be deleted from cache too but its linked
userOverride object will not. This causes the command sss_override to
fail:

[sssd] [append_name] (0x0020): sysdb_search_entry() failed [2]: No such file or directory
[sssd] [list_overrides] (0x0020): Unable to append name [2]: No such file or directory
[sssd] [user_export] (0x0020): Unable to get override objects
[sssd] [override_user_find] (0x0020): Unable to export users

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4981fe34 by Samuel Cabrero at 2019-10-15T11:18:49+02:00
SYSDB: Convert cached domain 'enumerated' attribute from bool to uint

Currently only the 'id' provider sets up enumeration tasks and uses this
attribute, but other providers (or future ones) should be able to enumerate
independently from each other.

The has_enumerated attribute in the domain cache entry is converted to a uint
to store a bitmap indicating which provider has enumerated.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f6ada94a by Samuel Cabrero at 2019-10-15T11:18:49+02:00
SDAP: Add provider name to enumeration and cleanup tasks

If multiple providers are enumerating it is convenient to add the
provider name to debug messages.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4555b817 by Samuel Cabrero at 2019-10-15T11:18:49+02:00
LDAP: Return errno_t for ldap id enumeration task setup functions

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
acca871d by Samuel Cabrero at 2019-10-15T11:18:49+02:00
LDAP: Rename enumeration and cleanup functions to contain the provider

This way it is clearer these functions belong to ID provider enumeration
code.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2995a895 by Samuel Cabrero at 2019-10-15T11:18:50+02:00
AD: Rename enumeration functions to contain the provider name

Makes it clearer these functions belong to AD's ID provider enumeration
code.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7375083a by Samuel Cabrero at 2019-10-15T11:18:50+02:00
LDAP: Improve ldap_id_setup_enumeration error logic

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d91c1f4a by Samuel Cabrero at 2019-10-15T11:18:50+02:00
LDAP: Remove unnecessary task pointer

The cleanup and enumeration tasks of the id provider are never created
at the same time, only one task is started depending on the domain
'enumerate' value.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
66873cac by Samuel Cabrero at 2019-10-15T11:18:50+02:00
LDAP: Move enum fields to id provider context

Move the enumeration-related struct members from "struct sdap_domain" to
"struct sdap_id_ctx". These fields are used by the ID provider
enumeration/cleanup tasks and other providers could also run enumeration
tasks.

Also use a talloc destructor to destroy the task as it is allocated in
the "struct sdap_id_ctx" context.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f24e5ab5 by Alex Rodin at 2019-10-17T15:22:02+02:00
Added ERROR and PRINT macros to the tools

Tools: Added ERROR and PRINT macros to the tools

Replaced functions printf and fprintf with corresponding PRINT and ERROR macro in the tools.

Resolves: https://pagure.io/SSSD/sssd/issue/3078

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
111144cd by Alex Rodin at 2019-10-17T15:23:15+02:00
Update sss_ssh.c

SSH: Adds a message to the syslog if an SSH key is malformed

If an SSH key contains trailing whitespace (or newlines), it will be considered malformed by the sss_ssh_format_pubkey() function. With the current version the only way to detect that problem is to enable the --debug option for the /usr/bin/sss_ssh_authorizedkeys utility. I'm adding an additional message to the syslog which will help to determine such problems without enabling debug.

Resolves: https://pagure.io/SSSD/sssd/issue/3864

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
e47f143b by Alexey Tikhonov at 2019-10-17T15:24:46+02:00
SSS_CLIENT: got rid of using PRNG

1) no reason to expect "thundering herd issue"
2) randomization as it was done (strictly 1 or 2 secs)
   would not help much anyway
3) usage of PRNG might break app that depends on deterministic
   PRNG behaviour

Resolves: https://pagure.io/SSSD/sssd/issue/4094

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
00c60805 by Alexey Tikhonov at 2019-10-17T15:26:03+02:00
util/server: amended close_low_fds()

Rewrote close_low_fds() to use freopen() as it fits better here
and some flags passed to open() previously didn't make sense.

Also fixed a number of identical Coverity issues:
```
Error: RESOURCE_LEAK (CWE-772):
sssd-2.2.3/src/util/server.c:58: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
sssd-2.2.3/src/util/server.c:58: var_assign: Assigning: "fd" = handle returned from "open("/dev/null", 1, 0)".
sssd-2.2.3/src/util/server.c:56: overwrite_var: Overwriting handle "fd" in "fd = open("/dev/null", 2, 0)" leaks the handle.
   54|          library routines writing to stdout etc. won't cause havoc */
   55|       for (i = 0; i < 3; i++) {
   56|->         fd = open("/dev/null", O_RDWR, 0);
   57|           if (fd < 0)
   58|               fd = open("/dev/null", O_WRONLY, 0);
```

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
d20a7f9d by Samuel Cabrero at 2019-10-17T15:26:52+02:00
MONITOR: Propagate error when resolv.conf does not exist in polling mode

Return ENOENT when resolv.conf is missing after falling back to polling
mode. This way missing_resolv_conf will schedule a timer to check again
after some seconds.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9b6323d8 by Samuel Cabrero at 2019-10-17T15:26:52+02:00
MONITOR: Add a new option to control resolv.conf monitoring

For those use-cases where resolv.conf will never exist the new
'monitor_resolv_conf' option can be set to false to skip the retry loop
which tries to set the inotify watcher.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d57c67e4 by Samuel Cabrero at 2019-10-17T15:26:52+02:00
MONITOR: Resolve symlinks setting the inotify watchers

If resolv.conf is a symlink and sssd starts before getting an address
from dhcp the data provider will remain forever offline, as the watched
parent directory is the directory containing the symlink.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b32347d3 by Pavel Březina at 2019-10-17T15:27:37+02:00
ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true

This caused an error when saving local user as a fallback:

```
[sdap_save_user] (0x0400): Storing info for user testuser at ldap.vm
[sysdb_ldb_msg_difference] (0x2000): Added attr [gecos] to entry [name=testuser at ldap.vm,cn=users,cn=ldap.vm,cn=sysdb]
[sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax](21)[Element gecos has empty attribute in ldb message (name=testuser at ldap.vm,cn=users,cn=ldap.vm,cn=sysdb)!]
[sysdb_set_cache_entry_attr] (0x0040): Error: 22 (Invalid argument)
[sysdb_set_entry_attr] (0x0080): Cannot set attrs for name=testuser at ldap.vm,cn=users,cn=ldap.vm,cn=sysdb, 22 [Invalid argument]
[sysdb_store_user] (0x0040): Cache update failed: 22
[sysdb_store_user] (0x0400): Error: 22 (Invalid argument)
[sdap_save_user] (0x0020): Failed to save user [testuser at ldap.vm]
```

Steps to reproduce:
1. create local user `testuser`
2. add it to LDAP group memberUid
3. set `passwd: sss files`, `group: sss files` (sss must be before files)
4. set enable_files_domain = false and ldap_rfc2307_fallback_to_local_users = true
5. run sssd
6. id testuser
-> it does not contain the LDAP group without the patch

Related to:
https://pagure.io/SSSD/sssd/issue/4013

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
53d4393e by Michal Židek at 2019-10-21T11:15:28+02:00
memcache: Stop using the word fastcache for memcache

This patch removes the word fastcache from our codebase.

We do not refer to the fast in-memory mmaped cache consistently.
Sometimes we call it fastcache, sometimes memcache and sometimes
mmap cache.

While we can not get rid of memcache, because it is rooted
in some config option names and in the documentation and
mmap cache is used a lot internally in our code, so getting
rid of that would require a lot of code changes, we can
easily get rid of the 'fastcache' word because it is
only in a handful of places.

I think we should really stick to calling it memcache in
the documentation and debug messages and ideally also in
code comments to avoid confusion.

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
2c9bdcf5 by Jakub Hrozek at 2019-10-21T11:20:34+02:00
KCM: Set kdc_offset to zero initially

Resolves: https://pagure.io/SSSD/sssd/issue/4100

KCM assumed that the client library would always set the KDC offset, but
that's not always the case, especially when using multiple krb contexts
from the client application:
    https://bugzilla.redhat.com/show_bug.cgi?id=1757224#c64

Heimdal also creates ccaches with zero kdc_offset:
    https://github.com/heimdal/heimdal/commit/9f58896af958ae5e6e3ebde8c48dad4eda841986
so we should do the same.

Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Robbie Harwood <rharwood at redhat.com>

- - - - -
274b4f92 by REIM THOMAS at 2019-10-21T11:25:51+02:00
MAN: Provide minimum information on GPO access control

Update sssd-ad man page to give administrators the minimum required
information on how SSSD performs GPO based access control.

Also added a hint on how to configure logging to get sufficient GPO
troubleshooting information by examining the logs.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>
Reviewed-by: Michal Židek <mzidek at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
68bdcebc by Michal Židek at 2019-10-21T11:25:51+02:00
MAN: GPO and built-in groups

Explicitly note in man page that the current version of SSSD
does not support built-in groups.

Related:
https://pagure.io/SSSD/sssd/issue/4099

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f95db37a by Pavel Březina at 2019-10-21T11:26:30+02:00
sss_ptr_hash: pass new hash_entry_t to custom delete callback

Setting `item->ptr = ptr` actually overwrote the original hash entry
stored in the hash. If this entry is looked up in the delete callback
it contains the overwritten value instead of the original.

Steps to reproduce:
```
1. Run sssd
2. Call e.g. `id user-1`
3. Terminate SSSD
```

You will see these `Invalid data type` messages.

(Snippet from domain log)
```
[dp_client_destructor] (0x0400): Removed IFP client
[sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
[sbus_signal_handler] (0x2000): Received D-Bus signal org.freedesktop.DBus.NameOwnerChanged on /org/freedesktop/DBus
[sbus_senders_delete] (0x2000): Removing identity of sender [sssd.ifp]
[sbus_issue_request_done] (0x0400): org.freedesktop.DBus.NameOwnerChanged: Success
[sbus_senders_delete] (0x2000): Removing identity of sender [:1.5]
[sbus_issue_request_done] (0x0400): org.freedesktop.DBus.NameOwnerChanged: Success
[sbus_dispatch_reconnect] (0x0400): Connection lost. Terminating active requests.
[sss_ptr_hash_check_type] (0x0020): Invalid data type detected. Expected [struct sss_ptr_hash_value], got [struct sbus_connection].
[sss_ptr_hash_check_type] (0x0020): Invalid data type detected. Expected [struct sss_ptr_hash_value], got [struct sbus_connection].
```

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
5086353e by Alexey Tikhonov at 2019-10-21T11:27:06+02:00
util/sss_krb5.c: elimination of unreachable code

It was wrong to check `kt_err` after
```
if (!principal_found) {
    ...
    goto done;
}
```
since getting to this point of code would mean `kt_err` equals 0 and
thus the statement inside `if (kt_err != 0) ...` was unreachable.
Moreover it was a logical error to do `goto done;` inside this statement
without setting `kerr`.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8f275460 by Alexey Tikhonov at 2019-10-21T11:27:06+02:00
util/sss_krb5: find_principal_in_keytab() was amended

 - do not treat failure of krb5_kt_end_seq_get() as a fatal error
 - avoid calling sss_krb5_free_keytab_entry_contents(null_struct)
   as libkrb5 api docs do not specify explicitly behaviour in this case

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
716aebab by Alexey Tikhonov at 2019-10-21T11:27:06+02:00
util/sss_krb5: fixed few memory handling issues

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e778fa18 by Alexey Tikhonov at 2019-10-21T11:27:06+02:00
util/sss_krb5: debug messages fixes

select_principal_from_keytab() and find_principal_in_keytab() were changed
to output clearer error messages.

Resolves: https://pagure.io/SSSD/sssd/issue/4081

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
05c078e6 by Alex Rodin at 2019-10-21T13:34:13+02:00
Update __init__.py.in

SSSDConfig: Handle the default value for providers if those weren't set in the configuration file

Resolves:
https://pagure.io/SSSD/sssd/issue/3995

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
258e9a55 by Alex Rodin at 2019-10-23T11:06:57+02:00
Added PRINT macro in the sssctl tool

sssctl: Added PRINT macro in the sssctl tool

As a continuation of PR #902 I've added a few more PRINT macros to the sssctl tool.

Resolves: https://pagure.io/SSSD/sssd/issue/3078

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
c6271470 by Alex Rodin at 2019-10-23T11:07:35+02:00
Update README.md

A few changes in README.md file:

1. Google+ is no longer available for consumer (personal) and brand accounts. I've removed the link to Google+ page as that link is no longer available.
2. I've added a link to a COPYING file.
3. Added dots to the end of paragraphs

Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
df010718 by MIZUTA Takeshi at 2019-10-31T12:50:06+01:00
sss_client/idmap/common_ex.c: fix sss_nss_timedlock() to return errno

sss_nss_timedlock() should return errno, but returns -1 if clock_gettime(2) fails.
Fix sss_nss_timedlock() to return errno if clock_gettime(2) fails.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
16124d41 by Alex Rodin at 2019-10-31T12:51:15+01:00
Updated test_pam_responder.py

Integration tests/CI: Updated test_pam_responder.py and removed libnss3-dev and libnspr4-dev from Debian dependency list

 - Modified functions create_nssdb_fixture and create_nssdb_no_cert_fixture inside test_pam_responder.py file. These functions will produce the output only if environment variable USE_NSS is defined and set
 - Since CI build for Debian is using OpenSSL this improvement allowed to drop libnss3-dev and libnspr4-dev from Debian dependency list in contrib/ci/deps.sh

Resolves: https://pagure.io/SSSD/sssd/issue/3914

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
75b1fe68 by Alexey Tikhonov at 2019-10-31T12:52:27+01:00
sssctl/sssctl_domains.c: null dereference fixed

Resolves: https://pagure.io/SSSD/sssd/issue/4102

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
f3e89aa0 by Alexey Tikhonov at 2019-11-04T11:34:04+01:00
MMAP_CACHE: use CSPRNG to init hash table seed

Resolves:
https://pagure.io/SSSD/sssd/issue/4024#comment-603526 part (2)

Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bb8b59dd by Alexey Tikhonov at 2019-11-04T11:34:52+01:00
Moved insecure sss_rand() out of crypto lib

sss_rand() was:
 - moved out of crypto lib,
 - non security relevant purpose was emphasized
 - attempt to "use RAND_bytes() if available" was removed to simplify
   things and make return value compatible with rand()

Resolves:
https://pagure.io/SSSD/sssd/issue/4024#comment-603526 parts (1) and (3)

Reviewed-by: Simo Sorce <simo at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3d92b14d by MIZUTA Takeshi at 2019-11-04T11:39:27+01:00
util/server.c: fix handling when error occurs in waitpid()

-1 is returned if an error occurs in waitpid().
Fixed inappropriate error handling.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fb3a8b3c by Paweł Poławski at 2019-11-04T11:40:16+01:00
selinux: Keep explicit umask() calls

libsemanage < 2.6 used to not set the right file mask in our use case.
It has been fixed by a manual umask() call, but this is no longer needed.
The fix will be kept as a precaution for future libsemanage versions.

Resolves:
https://pagure.io/SSSD/sssd/issue/3583

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8b31be52 by Michal Židek at 2019-11-04T11:41:03+01:00
bash_rc: Build with systemtap

We build with --enable-systemtap in Fedora and RHEL by default. We
should do the same in the helper script in contrib/fedora/bashrc_sssd.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1311f728 by MIZUTA Takeshi at 2019-11-05T11:11:24+01:00
Fix timing to save errno

The timing to save some errnos is after DEBUG output, not immediately after the system call.
Fix to save errno before DEBUG output so that errno is not overwritten by DEBUG output processing.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
44d46cf2 by Tomas Halman at 2019-11-05T11:39:22+01:00
LDAP: Systemtap ldap probes fail without filter

SSSD systemtap probes for LDAP queries don't check the ldap search
filter. Its value can be NULL (means "no filter") and stap fails with

    ERROR: user string copy fault -14 at ...

This patch tests filter value before it is converted to printable
string and the filter is set to "<no filter>" in case of NULL value.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
7fd907cb by Tomas Halman at 2019-11-05T11:39:22+01:00
LDAP: extend LDAP systemtap probes of attr list

We would like to see list of requested attributes from LDAP server.
This patch adds attribute list to probe sdap_search_send where it
is pretty formatted and stored in attrs:string variable.

Content of attrs may for example look like

    ["objectClass", "uid", "userPassword", "uidNumber", ...]

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
88b875f6 by Tomas Halman at 2019-11-05T11:39:22+01:00
LDAP: Add probes to be able print ldap attributes

This patch adds two new probes which allow printing the
received LDAP object and response. SystemTap script
ldap_perf.stp uses those probes and provides feedback
to admin about LDAP queries executed by backend.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
c4568a9a by Tomas Halman at 2019-11-05T11:39:22+01:00
MAN: update systemtap man page

Add new probes with their description to the man page.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
c7909707 by Tomas Halman at 2019-11-05T11:39:22+01:00
TESTS: tests have to be linked with systemtap

Having probes in sdap code requires our tests to be
linked with generated probes interface.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
c7c08e12 by Tomas Halman at 2019-11-05T11:39:22+01:00
MAN: Update SystemTap man page

Describe sample SystemTap scripts in more detail.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
08f01590 by Pavel Březina at 2019-11-07T13:15:18+01:00
failover: make sure we switch to another server if only port differs

This is a regression introduced in 735af71a8e169f17fa5462db610a1567c9618e29.
After this commit we checked only server name instead of name and port combo.

Steps to reproduce:
1. Configure SSSD to use two servers with same name but different ports
```
[domain/LDAP]
debug_level=0xFFF0
id_provider = ldap
ldap_uri = ldap://$SERVER1:12345,ldap://$SERVER1:389
ldap_tls_cacertdir = /etc/openldap/certs
ldap_search_base = dc=example,dc=com
```

2. The first server port is unreachable, the second is working.
3. Run sssd and try to resolve user.
4. Without the patch SSSD tries to connect to the first server twice
   because new URI is not constructed and goes offline.

Resolves:
https://pagure.io/SSSD/sssd/issue/4112

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
9f398c7b by MIZUTA Takeshi at 2019-11-07T13:15:59+01:00
Add processing to save errno before outputting DEBUG

In some processes, DEBUG is output after a system call error, and errno is returned.
errno should be saved before DEBUG is output.
Add a process to save errno before outputting DEBUG so that errno is not overwritten in DEBUG output process.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
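As an added example (not SSSD code) of the errno-clobbering pattern the two errno-saving commits above fix, using fcntl() in the style of sss_fd_nonblocking(): the `debug_log()` stand-in for DEBUG() deliberately probes a constructed non-existent path so that the clobbering of errno is deterministic, and `fd_nonblocking_buggy()`/`fd_nonblocking_fixed()` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int errno_t;

/* Stand-in for a DEBUG() macro. Real logging goes through stdio/syslog and
 * may change errno as a side effect; here that side effect is forced to be
 * deterministic by stat()-ing a constructed path that does not exist
 * (errno becomes ENOENT). */
static void debug_log(const char *msg)
{
    struct stat st;
    fprintf(stderr, "[demo] %s\n", msg);
    (void)stat("/nonexistent/errno-demo-path", &st);   /* errno = ENOENT */
}

/* Before the fix: errno is read only after the log call, so the caller
 * receives whatever the logging path left behind, not the fcntl() error. */
errno_t fd_nonblocking_buggy(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1) {
        debug_log("F_GETFL failed");
        return errno;                 /* wrong: no longer the fcntl() errno */
    }
    if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) {
        debug_log("F_SETFL failed");
        return errno;                 /* same defect */
    }
    return 0;
}

/* After the fix: errno is captured immediately after the failing call,
 * before any other code can run. */
errno_t fd_nonblocking_fixed(int fd)
{
    errno_t ret;
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1) {
        ret = errno;                  /* save first ... */
        debug_log("F_GETFL failed");  /* ... then log */
        return ret;
    }
    if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) {
        ret = errno;
        debug_log("F_SETFL failed");
        return ret;
    }
    return 0;
}

/* Success path check: on a real descriptor the fixed variant returns 0 and
 * O_NONBLOCK is actually set. Returns 1 on success, 0 otherwise. */
int check_valid_fd(void)
{
    int p[2];
    int ok;
    if (pipe(p) != 0) {
        return 0;
    }
    ok = fd_nonblocking_fixed(p[0]) == 0
         && (fcntl(p[0], F_GETFL, 0) & O_NONBLOCK) != 0;
    close(p[0]);
    close(p[1]);
    return ok;
}

int main(void)
{
    /* fd -1 makes fcntl() fail with EBADF deterministically. */
    errno_t buggy = fd_nonblocking_buggy(-1);
    errno_t fixed = fd_nonblocking_fixed(-1);
    printf("buggy: %d (%s)\nfixed: %d (%s)\n",
           buggy, strerror(buggy), fixed, strerror(fixed));
    return (fixed == EBADF && buggy != EBADF && check_valid_fd()) ? 0 : 1;
}
```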
9ba136ce by Sumit Bose at 2019-11-07T13:16:35+01:00
ipa: use the right context for autofs

Related to https://pagure.io/SSSD/sssd/issue/4111

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
16be48f4 by pedrosam at 2019-11-07T13:17:23+01:00
cache_req: propagate multiple entries error to the caller

Explanation: Propagate error when multiple entries with same certificate have been found when only one was expected

Resolves:
https://pagure.io/SSSD/sssd/issue/2710

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
24d9d213 by Alexey Tikhonov at 2019-11-07T13:18:42+01:00
Reduces code duplication

This patch makes use of existing sss_fd_nonblocking() function where
applicable to reduce code duplication.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
0102a253 by Alexey Tikhonov at 2019-11-07T13:18:42+01:00
sss_ssh_knownhostsproxy: relocated O_NONBLOCK setting

Relocated sss_fd_nonblocking(0) to proxy_data() from connect_socket()
as logically it makes more sense and avoids redundant operations in case
connect_socket() is called several times in a loop.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3c09e9dc by Alexey Tikhonov at 2019-11-07T13:18:42+01:00
sss_ssh_knownhostsproxy: fixed Coverity issue

Actually I think this Coverity error was "false positive":
```
Error: RESOURCE_LEAK (CWE-772):
sssd-2.2.3/src/sss_client/ssh/sss_ssh_knownhostsproxy.c:67: open_fn: Returning handle opened by "socket".
sssd-2.2.3/src/sss_client/ssh/sss_ssh_knownhostsproxy.c:67: var_assign: Assigning: "sock" = handle returned from "socket(family, SOCK_STREAM, IPPROTO_TCP)".
sssd-2.2.3/src/sss_client/ssh/sss_ssh_knownhostsproxy.c:76: noescape: Resource "sock" is not freed or pointed-to in "connect".
sssd-2.2.3/src/sss_client/ssh/sss_ssh_knownhostsproxy.c:88: leaked_handle: Handle variable "sock" going out of scope leaks the handle.
   86|   done:
   87|       if (ret != 0 && sock >= 0) close(sock);
   88|->     return ret;
   89|   }
   90|
```

Nonetheless it is easier to adjust the code to avoid a complaint.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b31f1e26 by Pavel Březina at 2019-11-14T09:18:03+01:00
autofs: remove unused enum

- - - - -
14b44e72 by Pavel Březina at 2019-11-14T09:18:03+01:00
autofs: delete possible duplicate of an autofs entry

Steps to reproduce:
1. Create the following autofs objects
```ldif
dn: ou=auto.master,ou=autofs,dc=ldap,dc=vm
objectClass: automountMap
objectClass: top
ou: auto.master

dn: automountKey=/home,ou=auto.master,ou=autofs,dc=ldap,dc=vm
objectClass: automount
objectClass: top
automountInformation: auto.home
automountKey: /home

dn: ou=auto.home,ou=autofs,dc=ldap,dc=vm
objectClass: automountMap
objectClass: top
ou: auto.home

dn: automountKey=/home1,ou=auto.home,ou=autofs,dc=ldap,dc=vm
objectClass: automount
objectClass: top
automountInformation: home1
automountKey: /home1
```

2. Use e.g. the test tool to fetch the maps:
```
  ./autofs_test_client auto.master
  ./autofs_test_client auto.home -n /home1
```

3. Change automountInformation of /home1
```
dn: automountKey=/home1,ou=auto.home,ou=autofs,dc=ldap,dc=vm
objectClass: automount
objectClass: top
automountInformation: home1_1
automountKey: /home1
```

4. Run the test tool again:
```
  ./autofs_test_client auto.master
  ./autofs_test_client auto.home -n /home1
  > error happens
```

It is important that `get entry by name` is called, thus the `-n` parameter.

Resolves:
https://pagure.io/SSSD/sssd/issue/4116

- - - - -
f295a028 by Pavel Březina at 2019-11-14T09:19:55+01:00
ci: store artifacts in jenkins for on-demand runs

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
6da8555a by Pavel Březina at 2019-11-14T09:19:55+01:00
ci: allow to specify systems where tests should be run for on-demand tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
f80751ea by Pavel Březina at 2019-11-14T09:19:55+01:00
ci: add Fedora 31

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e079a2f8 by Pavel Březina at 2019-11-14T09:19:55+01:00
ci: install python2 on Fedora 31 and RHEL 8 so python2 bindings can be built

Python2 is no longer installed by default on these systems and SSSD is not
built there with python2 bindings. But we should still keep testing it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
f084e757 by Pavel Březina at 2019-11-14T09:19:55+01:00
ci: disable python2 bindings on Fedora 32+

Python2 is removed from Fedora 32+, see:
https://fedoraproject.org/wiki/Changes/RetirePython2

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
83fb5c35 by Alex Rodin at 2019-11-14T09:20:56+01:00
Created a new sssd-ldap-attributes.5 man page

man: Created a new sssd-ldap-attributes.5 man page

I've moved all SSSD LDAP mapping attributes from sssd-ldap.5 to a new sssd-ldap-attributes.5 man page

Resolves: https://pagure.io/SSSD/sssd/issue/689

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
469f1acd by Tomas Halman at 2019-11-14T11:29:11+01:00
IPA: Utilize new protocol in IPA extdom plugin

To allow @-sign in group name IPA extdom plugin had to be
extended. Now the protocol distinguishes between resolving
username and groupname.

Until now name resolution was performed as if it were a user and
in case of not finding any user, a group search was performed.
But SSSD knows the type of object that is resolved.

This change will improve the performance of the system.

The @-sign issue is completely fixed on IPA side and
will work for older clients too.

Resolves:
https://pagure.io/SSSD/sssd/issue/3219

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5d425c10 by Pavel Březina at 2019-11-14T13:19:24+01:00
man: add missing new line to autofs_attributes.xml

- - - - -
456e576b by Pavel Březina at 2019-11-19T13:41:53+01:00
pam_sss: treat whitespace name as missing name if allow_missing_name is set

Resolves:
https://pagure.io/SSSD/sssd/issue/4101

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3a96bab5 by Jakub Jelen at 2019-11-21T11:05:48+01:00
Allow smart card authentication in polkit

Resolves:
https://pagure.io/SSSD/sssd/issue/4115

Signed-off-by: Jakub Jelen <jjelen at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f4a500af by Paweł Poławski at 2019-11-21T11:07:10+01:00
files_ops: Remove unused functions parameter

enum_files_users() and enum_files_groups() have access
to struct files_id_ctx without purpose.
This argument is not used by the functions directly
and not passed down to subfunctions.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
a41451d0 by Jakub Hrozek at 2019-11-21T11:08:06+01:00
sudo: use objectCategory instead of objectClass in ad sudo provider

This improves performance because objectCategory attribute is indexed
as opposed to objectClass which may not be indexed.

See: https://docs.microsoft.com/en-us/previous-versions/ms808539(v=msdn.10)

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
0096d77f by Pavel Březina at 2019-11-21T11:08:06+01:00
sudo: add ldap_sudorule_object_class_attr

This option will be undocumented and its main purpose is to allow
AD provider to use objectCategory (which is indexed) instead of
objectClass attribute (which is not indexed).

Having it as an option instead of hardcoded value gives us the ability
to switch back to objectClass if there will be any troubles.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
a163f65e by Alexey Tikhonov at 2019-11-21T11:09:19+01:00
util/sss_krb5: amended sss_krb5_get_error_message()

Ensure `sss_krb5_get_error_message()` never returns NULL
as result is used in a lot of places where checks are not performed.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4239a85c by Alexey Tikhonov at 2019-11-21T11:09:19+01:00
Amended sss_krb5_get_error_message() usage.

Few sss_krb5_get_error_message() related memory leaks were fixed.
(Existing KRB5_DEBUG() macro did not fit to be used in those places)

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
33c94b68 by Alexey Tikhonov at 2019-11-21T11:09:19+01:00
ldap_child: sanitization of error handling

Error handling was done wrong in a few aspects
in ldap_child_get_tgt_sync() function.

As per documentation:
"The behavior of krb5_get_error_message() is only defined
(1) the first time it is called after a failed call to a krb5 function
 using the same context, and
(2) only when the error code passed in is the same as that returned
by the krb5 function."

Both (1) and (2) were violated heavily.

Additionally in some cases ldap_child_get_tgt_sync() declared as
returning `krb5_error_code` was actually returning non krb5 error code.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f9f6a3df by Alexey Tikhonov at 2019-11-21T11:09:19+01:00
KEYTAB_CLEAN_NAME macro was replaced

KEYTAB_CLEAN_NAME macro was replaced with `sss_printable_keytab_name()`
function that provides real path in case of default keytab.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
337a1adf by Alexey Tikhonov at 2019-11-27T11:22:39+01:00
SBUS: defer deallocation of sbus_watch_ctx

The following flow was causing use-after-free error:
  tevent_common_invoke_fd_handler(RW) -> sbus_watch_handler(RW) ->
  dbus_watch_handle(R) -> ...libdbus detects connection is closed... ->
  sbus_watch_remove() -> talloc_free(watch_fd) ->
  ... get back to libdbus and back to sbus_watch_handler() ->
  "if (watch_fd->dbus_watch.write != NULL) dbus_watch_handle(W)"
  => use-after-free

To resolve an issue schedule deallocation of watch as immediate event.

Resolves: https://pagure.io/SSSD/sssd/issue/2660

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b22e5116 by Alexey Tikhonov at 2019-11-27T11:24:05+01:00
util/server.c: become_daemon() made static

become_daemon() is not intended to be used outside of server.c
hence marked as static function.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c654265b by Alexey Tikhonov at 2019-11-27T11:24:05+01:00
server:become_daemon(): got rid of unused codepath

become_daemon() was never called with "Fork == false" (and there
seem to be no reasons to), so this argument was removed.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
86dc869a by Alexey Tikhonov at 2019-11-27T11:24:05+01:00
server:become_daemon(): handle fail of fork()

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9536a911 by Alexey Tikhonov at 2019-11-27T11:24:05+01:00
server:become_daemon(): fixed waitpid()-loop

Setting "error = 0" right before "while (error == EINTR);"
didn't make any sense (or rather was a bug).

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
148eae6a by Alexey Tikhonov at 2019-11-27T11:24:05+01:00
server:become_daemon(): fix read of uninitialized value

It was wrong to use `status` in case of failed waitpid()
since value was uninitialized in this case.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
848cdbc7 by Alexey Tikhonov at 2019-11-27T11:24:05+01:00
server:become_daemon(): change handling of chdir() fail

It didn't make any sense to skip close_low_fds() but keep working
in case of chdir() fail.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5655df4e by Alexey Tikhonov at 2019-11-27T11:24:05+01:00
server:become_daemon(): handle fail of setsid()

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
02d86b2a by Sumit Bose at 2019-11-29T11:20:38+01:00
ssh: add ssh_use_certificate_keys option to config checks

Add missing entries for ssh_use_certificate_keys to API and config check
files.

Related to https://pagure.io/SSSD/sssd/issue/3688

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1a6b6c92 by Sumit Bose at 2019-11-29T11:20:38+01:00
ssh: apply certificate matching rules

Use available certificate matching rules to select certificates to
derive ssh-keys.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d2da8909 by Sumit Bose at 2019-11-29T11:20:38+01:00
ssh: add option ssh_use_certificate_matching_rules

Add a new option ssh_use_certificate_matching_rules to select the
matching rules which should be used to filter the certificates to derive
ssh keys.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
30d0ccd4 by Sumit Bose at 2019-11-29T11:20:38+01:00
ssh: enable p11_child logging

The ssh responder didn't initialize the logging for p11_child properly.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
31ebf912 by Sumit Bose at 2019-11-29T11:20:38+01:00
p11_child: allow verification with no_verification option

Currently p11_child rejects the verification of a certificate if the
'no_verification' option is set. As a result the ssh responder does not
work as expected if 'no_verification' is set.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b72c4fa8 by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
util/memory: sanitization

 - moved private `struct mem_holder` out of public header
 - moved `sss_mem_attach()` function description to the declaration
 - changed `sss_mem_attach()` to return error code instead of a pointer
   as data it points to is not expected to be manipulated by a user
 - got rid of redundant `sdap_msg_attach()`

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f2245b53 by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
util/memory: helper(s) to securely erase mem was reworked

Specially designated for this purpose `explicit_bzero()` function is
used in case it is available.

Otherwise the well-known trick with a volatile pointer to memset() is used
to prevent compiler optimization.

Relates: https://pagure.io/SSSD/sssd/issue/3956

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
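
The erase strategy this commit describes, as an added example that is not SSSD's own code: explicit_bzero() when a (hypothetical, assumed) HAVE_EXPLICIT_BZERO configure macro says it is available, otherwise memset() called through a volatile function pointer so the compiler cannot drop the store as dead.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* HAVE_EXPLICIT_BZERO is an assumed configure-time macro (hypothetical),
 * standing in for whatever availability check the build system performs. */
#ifdef HAVE_EXPLICIT_BZERO
#include <strings.h>
#endif

/* Indirect call through a volatile pointer: the compiler must load the
 * pointer at run time and cannot prove the callee is memset(), so it
 * cannot treat the zeroing of soon-to-be-freed memory as a dead store. */
static void *(*const volatile memset_volatile)(void *, int, size_t) = memset;

/* Erase `len` bytes at `buf` in a way the optimizer will not remove. */
static void secure_erase(void *buf, size_t len)
{
    if (buf == NULL || len == 0) {
        return;
    }
#ifdef HAVE_EXPLICIT_BZERO
    explicit_bzero(buf, len);
#else
    memset_volatile(buf, 0, len);
#endif
}

/* Erase a heap buffer before releasing it: the pattern for password copies,
 * wipe as soon as the value is no longer needed, then free. */
static void secure_free(void *buf, size_t len)
{
    secure_erase(buf, len);
    free(buf);
}

/* Returns 1 if every byte in buf is zero, 0 otherwise. */
int all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Stack copy of a constructed secret: erased in place, then verified. */
int demo_erase_stack_secret(void)
{
    char password[] = "constructed-example-secret";   /* constructed value */
    secure_erase(password, sizeof(password));
    return all_zero((const unsigned char *)password, sizeof(password));
}

/* Heap copy: wipe, verify while still allocated, then release. */
int demo_erase_heap_secret(void)
{
    size_t len = 32;
    unsigned char *key = malloc(len);
    if (key == NULL) {
        return 0;
    }
    memset(key, 0xA5, len);                 /* constructed key material */
    secure_erase(key, len);
    int wiped = all_zero(key, len);
    secure_free(key, len);                  /* second wipe is harmless */
    return wiped;
}
```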
0165ef11 by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
tools/sss_seed: proper zeroization of sensitive data

Relates: https://pagure.io/SSSD/sssd/issue/3956

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
be7f7312 by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
util: fixed potential mem leak in s3crypt_gen_salt()

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78127eae by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
util/sha512_crypt_r: got rid of redundant mem align

Memory alignment of key, salt and some auxiliary variables was inherited
from the original code, which took care of alignment because of the way
its own hash functions were implemented.
In the current implementation, which uses OpenSSL for hashing, those gimmicks
are not required.
Removing it makes the code clearer and also makes it unnecessary to clean
copied_ key/salt properly (the memset() used currently is not the proper way).

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1f667ea3 by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
util/sha512_crypt_r: removed misleading comments

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
275e062b by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
util/sha512_crypt_r: proper zeroization of sensitive data

Relates: https://pagure.io/SSSD/sssd/issue/3956

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ad1ae003 by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
db/sysdb_ops: proper zeroization of sensitive data

Relates: https://pagure.io/SSSD/sssd/issue/3956

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
109c21ef by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
util/authtok: set destructor in sss_authtok_new()

sss_authtok_new() is the only legal way to create instance
of sss_auth_token. Setting destructor in this factory function allows
for secure erasure of sensitive data.

Relates: https://pagure.io/SSSD/sssd/issue/3956

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0a6fdec5 by Alexey Tikhonov at 2019-11-29T11:22:28+01:00
LDAP: proper handling of master password

 - copies of LDAP master password are erased as soon as
they are not needed anymore;
 - got rid of `simple_bind_state::pw` as it was set to point
to a variable on the stack (bug) and was not used anyway

Relates: https://pagure.io/SSSD/sssd/issue/3956

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
389e2eeb by Sumit Bose at 2019-11-29T11:24:40+01:00
p11_child: add 'soft_ocsp' and 'soft_crl' options

To make the checks for revoked certificates more flexible if the system
is offline this patch adds the new values for the
'certificate_verification' option. With 'soft_ocsp' the OCSP check is
skipped if the OCSP responder cannot be connected. With 'soft_crl' an
expired CRL will be ignored.

If a certificate is considered valid due to one of those options a
syslog message is generated to indicate that the certificate was allowed
because the check if the certificate was revoked was ignored.

Related to https://pagure.io/SSSD/sssd/issue/3677

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b9a53cfc by Sumit Bose at 2019-11-29T11:25:34+01:00
ipa: add failover to override lookups

In the ipa_id_get_account_info request failover handling was missing.

Related to https://pagure.io/SSSD/sssd/issue/4114

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
707fdf04 by Sumit Bose at 2019-11-29T11:25:34+01:00
ipa: add failover to access checks

While reading the different components of the HBAC rules failover
handling was missing. Since the access control is typically the second
step after authentication SSSD would have already switched to a working
server or into offline mode during authentication. But if e.g. ssh keys
are used for authentication and user data are read from cache the HBAC
rule searches might have to handle failover as well.

Related to https://pagure.io/SSSD/sssd/issue/4114

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
587c8cb9 by Tomas Halman at 2019-11-30T21:49:38+01:00
INI: sssctl config-check giving the wrong message

The sssctl config-check is giving the wrong error message when
there are only snippet files and no sssd.conf.

To address this problem sss_ini code had to be partially
rewritten to allow proper configuration testing.

Resolves:
https://pagure.io/SSSD/sssd/issue/3938

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
414c1115 by Tomas Halman at 2019-11-30T21:49:38+01:00
TESTS: check "sssctl config-check" output

Check whether "sssctl config-check" prints correct message
in case that there are only configuration snippets or no
configuration at all.

Related to:
https://pagure.io/SSSD/sssd/issue/3938

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
5e768c82 by Michal Židek at 2019-11-30T22:21:55+01:00
MAN: Missing man pages in src/man/po/po4a.cfg

Some new man pages were added recently, but they were not
added to the src/man/po/po4a.cfg. This caused failures
when generating updated translations.

- - - - -
9d1258ec by Michal Židek at 2019-11-30T22:28:19+01:00
MAN: Fix errors in Japanese translation

Missing new lines were causing errors when generating the
translations.

- - - - -
8607b482 by Michal Židek at 2019-11-30T23:00:25+01:00
Update the translations for the 2.2.3 release

- - - - -
a706ea8e by Michal Židek at 2019-12-02T11:59:58+01:00
Update version in version.m4 to track the next release.

- - - - -
7578bdea by Yuri Chornoivan at 2019-12-04T11:55:16+01:00
sssctl: fix typo in user message

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bd201746 by Tomas Halman at 2019-12-04T11:56:59+01:00
sdap: Add randomness to ldap connection timeout

In case of mass deployment, mass registration of IPA clients roughly on
the same time leads to regular CPU load spikes on IPA servers, the load
spikes are caused by all/most clients refreshing their LDAP connections
(ldap_connection_expire_timeout) every 15 minutes.

This patch introduces new random value (from 0 up to
ldap_connection_expire_offset) that is added to the timeout.

Resolves:
https://pagure.io/SSSD/sssd/issue/3630

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1cdd4314 by Andrew Gunnerson at 2019-12-04T11:59:31+01:00
ad: Add support for passing --add-samba-data to adcli

This adds a new option named `ad_update_samba_machine_account_password`,
which when enabled, will pass `--add-samba-data` to the adcli command
for updating the machine account password in Samba's secrets.tdb
database.

This option is necessary when Samba is configured to use AD for
authentication. For Kerberos auth, Samba can use the system keytab, but
for NTLM, Samba uses its own copy of the machine account password in its
secrets.tdb database.

See: https://pagure.io/SSSD/sssd/issue/3920

Signed-off-by: Andrew Gunnerson <andrewgunnerson at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
58a67cd3 by Paweł Poławski at 2019-12-04T12:02:48+01:00
sysdb_sudo: Enable LDAP time format compatibility

The LDAP specification allows omitting seconds and minutes
in time border definitions. In that case they default to zeros.
The current sssd.sudo implementation requires precision up to
seconds in the time definition. This commit allows lowering
the precision to hours.

Resolves:
https://pagure.io/SSSD/sssd/issue/4118

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
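
A parser for the reduced-precision time values this commit describes, as an added example and not sssd's sysdb_sudo code: the input is an LDAP GeneralizedTime in UTC of the form YYYYMMDDHH[MM[SS]]Z, with omitted minutes and seconds defaulting to zero. The window semantics in sudo_rule_time_valid() (notBefore inclusive, notAfter exclusive) are an assumption of this example.

```c
#include <ctype.h>
#include <string.h>

/* Read n decimal digits starting at s[off]; caller has validated them. */
static int digits(const char *s, size_t off, size_t n)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        v = v * 10 + (s[off + i] - '0');
    }
    return v;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (civil-to-days
 * algorithm), so the example needs no non-standard timegm(). */
static long long days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;                                 /* [0, 399] */
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1; /* [0, 365] */
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;         /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

/* Parse YYYYMMDDHHZ, YYYYMMDDHHMMZ or YYYYMMDDHHMMSSZ into seconds since
 * the epoch. Returns 0 on success, -1 on malformed or out-of-range input. */
int parse_sudo_ldap_time(const char *s, long long *epoch)
{
    size_t n = strlen(s);

    /* Only the three precisions named in the commit are accepted. */
    if (n != 11 && n != 13 && n != 15) {
        return -1;
    }
    if (s[n - 1] != 'Z') {
        return -1;      /* only UTC ("Z") timestamps are handled here */
    }
    for (size_t i = 0; i + 1 < n; i++) {
        if (!isdigit((unsigned char)s[i])) {
            return -1;
        }
    }

    int year = digits(s, 0, 4);
    int mon  = digits(s, 4, 2);
    int day  = digits(s, 6, 2);
    int hour = digits(s, 8, 2);
    int min  = (n >= 13) ? digits(s, 10, 2) : 0;   /* omitted minutes -> 0 */
    int sec  = (n == 15) ? digits(s, 12, 2) : 0;   /* omitted seconds -> 0 */

    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 59) {
        return -1;
    }

    *epoch = days_from_civil(year, mon, day) * 86400LL
             + hour * 3600LL + min * 60LL + sec;
    return 0;
}

/* Assumed window semantics: a rule applies at `now` when
 * notBefore <= now < notAfter. Unparsable attributes yield -1 so a
 * malformed rule is never silently treated as applicable. */
int sudo_rule_time_valid(const char *not_before, const char *not_after,
                         long long now)
{
    long long nb;
    long long na;

    if (parse_sudo_ldap_time(not_before, &nb) != 0 ||
        parse_sudo_ldap_time(not_after, &na) != 0) {
        return -1;
    }
    return (now >= nb && now < na) ? 1 : 0;
}
```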
03bc9624 by Pavel Březina at 2019-12-11T14:37:22+01:00
nss: use real primary gid if the value is overridden

SYSDB_PRIMARY_GROUP_GIDNUM contains original primary group id from AD
because any possible override may not be known at the time of storing
the user.

Now we try to look up the group by its originalADgidNumber and if it is found
we will replace the original id with the real primary group id.

Steps to reproduce:
1. Enroll SSSD to IPA domain with AD trust
2. Add ID override to Domain Users `ipa idoverridegroup-add 'Default Trust View' "Domain Users at ad.vm" --gid=40000000`
3. On IPA server: Remove cache for the overrides to apply immediately and restart SSSD `sssctl cache-remove --stop --start`
4. On IPA server: Resolve user `id Administrator at ad.vm`

There will be visible both new and old gids without the patch.

Resolves:
https://pagure.io/SSSD/sssd/issue/4124

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
97c96fd0 by Pavel Březina at 2019-12-11T15:16:45+01:00
ci: add rhel7

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
63c38d61 by Pavel Březina at 2019-12-11T15:16:45+01:00
ci: set sssd-ci notification to pending state when job is started

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
c861a390 by Pavel Březina at 2019-12-11T15:16:45+01:00
ci: archive ci-mock-result

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3477f2c2 by Fabiano Fidêncio at 2019-12-11T16:21:19+01:00
INTG: Increase the sleep() time so the changes are reflected on SSSD

Those tests have been failing a lot recently and it does happen because
the time to reflect the changes on SSSD is not enough for the machine
where the tests are running.

There's no reasonable explanation in the code why 4 seconds is used as
INTERACTIVE_TIMEOUT, neither a reasonable explanation why 2 seconds is
used as the time waited in order to have those changes reflected on
SSSD (neither in the code nor in the commit messages).

This patch uses the most simple empiric way to determine a better value
for this timeout, which was "run the tests a considerable amount of time
and check that there were no failures".

So, in order to avoid failures and our tests giving us more reliable
information, let's give more time so the changes are reflected on SSSD.

Resolves:
https://pagure.io/SSSD/sssd/issue/3463

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
116b144b by Pavel Březina at 2019-12-11T16:21:19+01:00
tests: fix race condition in enumeration tests

This change is relevant to Nyquist frequency. To ensure that enumeration has been
run we need to wait at least twice the enumeration timeout. In other words, we need
to make sure enumeration is run at least twice the frequency of our assertions to
ensure that it has been run at least once.

Patch was amended by Alexey Tikhonov <atikhono at redhat.com> to include nice
comment originally provided by Pavel Březina at
https://github.com/SSSD/sssd/pull/947#issuecomment-559440211

Relates: https://pagure.io/SSSD/sssd/issue/3463

Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b6266518 by Tomas Halman at 2019-12-11T17:27:41+01:00
INI: sssctl config-check command error messages

In case of parsing error sssctl config-check command does not give
proper error messages with line number. With this patch the error
message is printed again.

Resolves:
https://pagure.io/SSSD/sssd/issue/4129

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
580d6188 by Sumit Bose at 2019-12-14T01:51:31+01:00
ldap_child: do not try PKINIT

If the PKINIT plugin is installed and pkinit_identities is set in
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
wants to authenticate with a keytab. As a result ldap_child might try to
access a Smartcard which is either not allowed at all or might cause
unexpected delays.

To avoid this the current patch sets pkinit_identities for LDAP child
explicitly to make the PKINIT plugin fail because if installed libkrb5
will always use it.

It turned out that setting pre-authentication options requires some
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
used to initialize the options struct.

Related to https://pagure.io/SSSD/sssd/issue/4126

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
21cb9fb2 by Sumit Bose at 2019-12-14T01:57:10+01:00
certmap: mention special regex characters in man page

Since some of the matching rules use regular expressions some characters
must be escaped so that they can be used as ordinary characters in the
rules.

Related to https://pagure.io/SSSD/sssd/issue/4127

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
1d4a7ffd by Alexey Tikhonov at 2019-12-14T02:04:09+01:00
providers/krb5: got rid of unused code

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
e41e9b37 by Alexey Tikhonov at 2019-12-14T02:04:09+01:00
data_provider_be: got rid of duplicating SIGTERM handler

It was wrong to install two libtevent SIGTERM handlers both of which did
orderly_shutdown()->exit(). Naturally only one of the handlers was executed
(as the process was terminated with exit()) and the libtevent docs don't say
anything about order of execution. But chances are, be_process_finalize()
was executed first so default_quit() was not executed and main_ctx was not
freed.

Moreover there is just no reason to have separate be_process_finalize()
at all: default server handler default_quit() frees main_ctx. And be_ctx
is linked to main_ctx so will be freed by default handler as well.

Resolves: https://pagure.io/SSSD/sssd/issue/4088

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3f52de89 by Alexey Tikhonov at 2019-12-14T02:04:09+01:00
util/server: improved debug at shutdown

Relates: https://pagure.io/SSSD/sssd/issue/4088

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
2c13d8bd by Alexey Tikhonov at 2019-12-14T02:30:17+01:00
util/watchdog: fixed watchdog implementation

In case the watchdog detected a locked process and this process was the parent
process, it just sent SIGTERM to the whole group of processes, including
itself.
This handling was wrong: generic `server_setup()` installs custom
libtevent handler for SIGTERM signal so this signal is only processed
in the context of tevent mainloop. But if tevent mainloop is stuck
(exactly the case that triggers WD) then event is not processed
and this made watchdog useless.
`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do
unconditional `_exit()` after optionally sending a signal to the group.

Resolves: https://pagure.io/SSSD/sssd/issue/4089

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
090cf77a by Sumit Bose at 2020-01-13T12:01:32+01:00
ad: allow booleans for ad_inherit_opts_if_needed()

Currently ad_inherit_opts_if_needed() can only handle strings. With this
patch it can handle boolean options as well.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
341ba49b by Sumit Bose at 2020-01-13T12:01:32+01:00
ad: add ad_use_ldaps

With this new boolean option the AD provider should only use the LDAPS
port 636 and the Global Catalog port 3629 which is TLS protected as
well.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
78649907 by Sumit Bose at 2020-01-13T12:01:33+01:00
ldap: add new option ldap_sasl_maxssf

There is already the ldap_sasl_minssf option. To be able to control the
maximal security strength factor (ssf) e.g. when using SASL together
with TLS the option ldap_sasl_maxssf is added as well.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
24387e19 by Sumit Bose at 2020-01-13T12:01:33+01:00
ad: set min and max ssf for ldaps

AD does not allow to use encryption in the TLS and SASL layer at the
same time. To be able to use ldaps this patch sets min and max ssf to 0
if ldaps should be used.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
26e33b19 by Alexey Tikhonov at 2020-01-14T11:05:51+01:00
util/sss_ptr_hash: fixed double free in sss_ptr_hash_delete_cb()

Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
to freeing of value->ptr and thus to destruction of value->spy that is
attached to value->ptr.
In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
execution hash entry was actually deleted and value was freed.
When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
to free value again => double free.

To prevent this bug value and hence spy are now freed before execution of
data->callback(value->ptr).

Resolves: https://pagure.io/SSSD/sssd/issue/4135

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d1f8ec8a by David Mulder at 2020-01-14T11:09:13+01:00
SSSD should accept host entries from GPO's security filter

Not accepting host entries in the security filter
creates the need for sub-OU's, each with its own
GPO, otherwise one OU with an assigned GPO would
be sufficient.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8aa2f9ed by David Mulder at 2020-01-14T11:09:13+01:00
Test the host sid checking

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8d333499 by Samuel Cabrero at 2020-01-14T11:09:13+01:00
AD: Improve host SID retrieval

Set the entry expire time for cached computers and avoid querying twice
the cache by passing the host SID in the processing state if it is found
the first time.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d6f0b432 by David Mulder at 2020-01-14T11:09:13+01:00
Remove sssd Security Filtering host comment from man

Remove the sssd-ad man page comment explaining
that host entries in GPO Security Filtering is
not supported.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a2e7f687 by David Mulder at 2020-01-14T11:09:13+01:00
Create a computer_timeout for caching GPO security filter

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5c8f7960 by David Mulder at 2020-01-14T11:09:13+01:00
Resolve computer lookup failure when sam!=cn

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
007d5b79 by Lukas Slebodnik at 2020-01-22T11:47:11+01:00
BE_REFRESH: Do not try to refresh domains from other backends

We cannot refresh domains from different sssd_be processes.
We can refresh just subdomains.

Resolves:
https://pagure.io/SSSD/sssd/issue/4142

Merges: https://pagure.io/SSSD/sssd/pull-request/4139

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b47edd9f by Lukas Slebodnik at 2020-01-22T11:48:14+01:00
SSS_INI: Fix syntax error in sss_ini_add_snippets

  CC     src/util/libsss_util_la-sss_ini.lo
    src/util/sss_ini.c: In function ‘sss_ini_add_snippets’:
    src/util/sss_ini.c:325: error: expected ‘;’ before ‘}’ token

Merges: https://pagure.io/SSSD/sssd/pull-request/4140

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3bdce86b by Lukas Slebodnik at 2020-01-22T11:49:15+01:00
PROXY: Fix warning-format-overflow directive argument is null

  CC       src/providers/proxy/libsss_proxy_la-proxy_id.lo
In file included from src/util/util.h:47,
                 from src/providers/proxy/proxy.h:35,
                 from src/providers/proxy/proxy_id.c:30:
In function ‘delete_user’,
    inlined from ‘get_pw_uid’ at src/providers/proxy/proxy_id.c:383:15,
    inlined from ‘proxy_account_info’ at src/providers/proxy/proxy_id.c:1617:19,
    inlined from ‘proxy_account_info_handler_send’ at src/providers/proxy/proxy_id.c:1760:20:
src/util/debug.h:126:9: error: ‘%s’ directive argument is null
[-Werror=format-overflow=]
  126 |         sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  127 |                      __debug_macro_level, \
      |                      ~~~~~~~~~~~~~~~~~~~~~~
  128 |                      format, ##__VA_ARGS__); \
      |                      ~~~~~~~~~~~~~~~~~~~~~~
src/providers/proxy/proxy_id.c:215:5: note: in expansion of macro ‘DEBUG’
  215 |     DEBUG(SSSDBG_TRACE_FUNC,
      |     ^~~~~
src/providers/proxy/proxy_id.c: In function ‘proxy_account_info_handler_send’:
src/providers/proxy/proxy_id.c:216:17: note: format string is defined here
  216 |           "User %s does not exist (or is invalid) on remote server,"
      |                 ^~

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d7ddcc56 by Lukas Slebodnik at 2020-01-22T11:49:19+01:00
test_nss_srv: Suppress Conditional jump or move depends on uninitialised value

gcc10 reordered conditions in long "or" condition
```
if (size < 2 || _list == NULL || *_list == NULL) {
```

And _list (gr->gr_mem) could be uninitialized if size was lower than 2.
It is a simplified implementation of parsing packet in unit test due to
mocking. `gr->gr_mem` always points to some array in real code.

Therefore we could see the following error

Splitting condition to two if blocks fixes warning as well but
initializing `gr->gr_mem` to `NULL` is simpler change

[ RUN      ] test_nss_getgrnam_no_members
==12857== Conditional jump or move depends on uninitialised value(s)
==12857==    at 0x41B6C5: order_string_array (test_nss_srv.c:599)
==12857==    by 0x41B6C5: assert_groups_equal (test_nss_srv.c:617)
==12857==    by 0x41B810: test_nss_getgrnam_no_members_check (test_nss_srv.c:1476)
==12857==    by 0x41CB3F: __wrap_sss_cmd_done (test_nss_srv.c:138)
==12857==    by 0x4270C4: nss_protocol_done (nss_protocol.c:69)
==12857==    by 0x423949: nss_getby_done (nss_cmd.c:571)
==12857==    by 0x4E08359: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E0837D: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E0E1BF: ??? (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E0C54A: ??? (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E075D7: _tevent_loop_once (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x42D45B: test_ev_loop (common_tev.c:82)
==12857==    by 0x41C442: test_nss_getgrnam_no_members (test_nss_srv.c:1503)
==12857==
[       OK ] test_nss_getgrnam_no_members

Merges: https://pagure.io/SSSD/sssd/pull-request/4141

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d3d72b90 by Pavel Březina at 2020-01-28T15:51:16+01:00
ci: add CentOS 7

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a18a6f00 by MIZUTA Takeshi at 2020-02-03T12:17:09+01:00
util/server: Fix the timing to close() the PID file

The PID file is closed just before pidfile function returns.
However, if close() is called immediately after read()/write(),
there is no need to call close() at multiple places.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
192eadaa by Alex Rodin at 2020-02-03T12:18:44+01:00
Update pam_sss.8.xml

pam_sss: Added return values on a man page

Resolves: https://pagure.io/SSSD/sssd/issue/3672

Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c3b98b2b by Lukas Slebodnik at 2020-02-04T13:18:41+01:00
CONFIGURE: Fix detection of samba version for idmap plugin

The parameter -e is not a standard parameter for the echo builtin.
And therefore needn't be implemented in some shells.

e.g.
  sh$ /bin/dash -c 'echo -e "#include <samba/version.h>\nSAMBA_VERSION_MAJOR"'
  -e #include <samba/version.h>
  SAMBA_VERSION_MAJOR

And it caused failures in configure
  checking Samba's idmap plugin interface version... idmap test result is: 6
  configure: Samba's idmap interface version: 6
  configure: Samba version: -e #include <samba/version.h>
  SAMBA_VERSION_MAJOR -e #include <samba/version.h>
  SAMBA_VERSION_MINOR -e #include <samba/version.h>
  SAMBA_VERSION_RELEASE
  /home/build/sssd/configure: 21832: test: #include: unexpected operator
  configure: Samba's struct idmap_domain does not have dom_sid member

Merges: https://pagure.io/SSSD/sssd/pull-request/4153

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a483bfa6 by Lukas Slebodnik at 2020-02-04T13:18:59+01:00
CONFIGURE: Fix detection of attribute fallthrough

  configure:27218: checking whether compiler supports __attribute__((fallthrough))
  configure:27228: gcc -c -Werror  conftest.c >&5
  conftest.c:185:2: error: 'fallthrough' attribute at top level [-Werror=attributes]
    185 |  __attribute__ ((fallthrough));
        |  ^~~~~~~~~~~~~
  cc1: all warnings being treated as errors

Merges: https://pagure.io/SSSD/sssd/pull-request/4153

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
50cc1963 by MIZUTA Takeshi at 2020-02-06T11:15:01+01:00
Remove redundant header file inclusion

There is some source code that includes the same header file redundantly.
We remove these redundant header file inclusions.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4dbfaae4 by Andreas Hasenack at 2020-02-06T11:15:38+01:00
Fix another build failure with python 3.8

The parsing of python3-config --ldflags would break if multiple -L
path components were present. This change loops over these paths
until it finds the correct one.

Fixes https://pagure.io/SSSD/sssd/issue/4147

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bc56b10a by Stephen Gallagher at 2020-02-06T11:16:19+01:00
Fix build failure against samba 4.12.0rc1

The ndr_pull_get_switch() function was dropped, but it was just a wrapper
around the ndr_token_peek() function, so we can use this approach on both
old and new versions of libndr.

Signed-off-by: Stephen Gallagher <sgallagh at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
399ee9d1 by Lukas Slebodnik at 2020-02-10T11:12:00+01:00
BUILD: Accept krb5 1.18 for building the PAC plugin

Merges: https://pagure.io/SSSD/sssd/pull-request/4152

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7aa96458 by Simo Sorce at 2020-02-10T11:14:43+01:00
Add TCP level timeout to LDAP services

In some cases the TCP connection may hang with data sent because
of network conditions; this may cause the socket to stall for much
longer than the timeout intended.
Set a TCP option to forcibly time out a socket that sees its data not
ACKed within ldap_network_timeout seconds.

Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ceea56be by MIZUTA Takeshi at 2020-02-10T11:19:12+01:00
monitor: Fix check process about multiple starts of sssd when pidfile remains

If PIDFile is invalid in sssd.service, pidfile remains if sssd terminates abnormally.
Also, if /var/run is not tmpfs, the pidfile will remain when the OS is forcibly stopped.

In the check for multiple starts of sssd, only the existence of the pidfile is checked.
Fix it to check not only whether the pidfile exists, but also whether the PID exists.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
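
The stronger liveness check this commit describes, as an added example rather than the monitor's own code: instead of trusting that a pidfile exists, parse the PID it holds and probe it with kill(pid, 0), which sends no signal but reports whether the process exists. The pidfile_check() and pid_alive() names are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum pidfile_state {
    PIDFILE_INVALID = -1,   /* unparsable contents: treat as untrustworthy */
    PIDFILE_STALE   = 0,    /* PID present but no such process: safe to start */
    PIDFILE_RUNNING = 1     /* another instance is alive: refuse to start */
};

/* kill(pid, 0) performs only the existence and permission checks:
 * 0     -> process exists and we may signal it
 * EPERM -> process exists but belongs to another user (still alive)
 * ESRCH -> no such process (stale pidfile)
 * pid <= 0 is rejected first because kill(0, ...) and kill(-1, ...)
 * address process groups, not a single process. */
static int pid_alive(pid_t pid)
{
    if (pid <= 0) {
        return 0;
    }
    if (kill(pid, 0) == 0) {
        return 1;
    }
    return (errno == EPERM) ? 1 : 0;
}

/* Classify pidfile contents that have already been read into a string. */
enum pidfile_state pidfile_check(const char *contents)
{
    char *end;
    long pid;

    errno = 0;
    pid = strtol(contents, &end, 10);
    if (end == contents || errno != 0 || pid <= 0 || pid > INT_MAX) {
        return PIDFILE_INVALID;
    }
    while (*end == '\n' || *end == '\r' || *end == ' ') {
        end++;                       /* tolerate a trailing newline only */
    }
    if (*end != '\0') {
        return PIDFILE_INVALID;
    }
    return pid_alive((pid_t)pid) ? PIDFILE_RUNNING : PIDFILE_STALE;
}

/* Stale case: fork a child that exits at once, reap it, then check that
 * a pidfile naming it is classified as stale (tiny PID-reuse race aside). */
int demo_stale_pid_detected(void)
{
    char buf[32];
    pid_t child = fork();

    if (child < 0) {
        return -1;
    }
    if (child == 0) {
        _exit(0);
    }
    if (waitpid(child, NULL, 0) != child) {
        return -1;
    }
    snprintf(buf, sizeof(buf), "%ld\n", (long)child);   /* constructed pidfile */
    return pidfile_check(buf);      /* expected: PIDFILE_STALE */
}

/* Running case: a pidfile naming the current process. */
int demo_running_pid_detected(void)
{
    char buf[32];

    snprintf(buf, sizeof(buf), "%ld\n", (long)getpid()); /* constructed pidfile */
    return pidfile_check(buf);      /* expected: PIDFILE_RUNNING */
}
```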
2014d8f5 by Alex Rodin at 2020-02-10T11:25:13+01:00
Update __init__.py.in

We shouldn't modify the list of domain options in a loop. In some cases (for example issue #4149) that will cause problems, for example when deleting provider options after deleting the provider itself.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5b87af6f by Pavel Březina at 2020-02-10T16:57:34+01:00
sss_sockets: pass pointer instead of integer

```
/home/pbrezina/workspace/sssd/src/util/sss_sockets.c: In function ‘set_fd_common_opts’:
/home/pbrezina/workspace/sssd/src/util/sss_sockets.c:123:61: error: passing argument 4 of ‘setsockopt’ makes pointer from integer without a cast [-Werror=int-conversion]
  123 |         ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
      |                                                             ^~~~~
      |                                                             |
      |                                                             unsigned int
In file included from /home/pbrezina/workspace/sssd/src/util/sss_sockets.c:28:
/usr/include/sys/socket.h:216:22: note: expected ‘const void *’ but argument is of type ‘unsigned int’
  216 |          const void *__optval, socklen_t __optlen) __THROW;
      |          ~~~~~~~~~~~~^~~~~~~~
  CC       src/util/sssd_kcm-sss_iobuf.o
cc1: all warnings being treated as errors
```

Introduced by 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9483bf41 by Alex Rodin at 2020-02-12T10:54:10+01:00
SSSDConfig: Update of config options

 - Added missing config options with a description
 - Removed unused or replaced options such as ldap_group_search_scope, ldap_group_search_filter, etc.

Resolves:
https://pagure.io/SSSD/sssd/issue/1362

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6c5ea2df by Timo Aaltonen at 2020-02-12T16:31:33+02:00
Merge branch 'upstream'

- - - - -
65da61bf by Timo Aaltonen at 2020-02-13T16:24:55+02:00
bump the version

- - - - -
f9b3c0d1 by Sumit Bose at 2020-02-17T11:35:25+01:00
ssh: do not mix different certificate lists

There was a list of binary certificates and a list with base64 encoded
ones which might be different depending on the active matching rules.
Only the base64 one with the filtered results should be used.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
849d495e by Sumit Bose at 2020-02-17T11:35:25+01:00
ssh: add 'no_rules' and 'all_rules' to ssh_use_certificate_matching_rules

To make ssh_use_certificate_matching_rules option more flexible and
predictable the keywords 'all_rules' and 'no_rules' are added.
'no_rules' can be used to allow all certificates.

If rule names are given but no matching rules can be found, this is
considered an error and no ssh keys will be derived from the
certificates.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
faa5dbf6 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sbus_server: stylistic rename

Renamed sbus_server_name_remove_from_table() to
sbus_server_name_remove_from_table_cb() to keep naming consistent
with other functions used as `hash_delete_callback` argument of
sss_ptr_hash_create()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
adc7730a by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: don't keep empty sss_ptr_hash_delete_data

There is no need to allocate memory for `sss_ptr_hash_delete_data`
if table user doesn't provide custom delete callback.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d0eb8808 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: sss_ptr_hash_delete fix/optimization

 - no reason to skip hash_delete() just because sss_ptr_hash_lookup_internal()
failed
 - avoid excessive lookup if it is not required to free payload

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8cc2ce4e by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: removed redundant check

`sss_ptr_hash_check_type()` call would take care of this case.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4bc0c2c7 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: fixed memory leak

In case `override` check was failed in _sss_ptr_hash_add()
`value` was leaking.
Fixed to do `override` check before value allocation.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0bb12892 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: internal refactoring

sss_ptr_hash code was refactored:
 - got rid of a "spy" to make logic cleaner
 - table got destructor to wipe its content
 - described some usage limitation in the documentation

And resolves: https://pagure.io/SSSD/sssd/issue/4135

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
88b23bf5 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
TESTS: added sss_ptr_hash unit test

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9188aa17 by Paweł Poławski at 2020-02-20T10:51:23+01:00
GPO: Duplicated error message for unreadable GPO

sss_log() had wrong type set as log level.
The result was error message with very high
priority displayed on all terminals.

Resolves:
https://pagure.io/SSSD/sssd/issue/4133

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8b74cfab by Timo Aaltonen at 2020-02-20T12:41:06+02:00
default-to-socket-activated-services.diff: Refreshed.

- - - - -
e7c15339 by Timo Aaltonen at 2020-02-20T13:06:32+02:00
sssd-ldap.install: Updated.

- - - - -
5db8609f by Timo Aaltonen at 2020-02-20T13:17:09+02:00
releasing package sssd version 2.2.3-1

- - - - -
7b647338 by Sumit Bose at 2020-02-24T12:44:11+01:00
p11_child: check if card is present in wait_for_card()

Some implementations of C_WaitForSlotEvent() might return even if no
card was inserted. So it has to be checked if a card is really present.

Resolves: https://pagure.io/SSSD/sssd/issue/4159

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37780b89 by Sumit Bose at 2020-02-24T12:44:11+01:00
PAM client: only require UID 0 for private socket

Some privileged services like e.g. gdm might only call with UID 0 but
with a different GID. This patch removes the GID 0 requirement to access
the private PAM socket so that e.g. gdm can use the wait-for-card option.

Resolves: https://pagure.io/SSSD/sssd/issue/4159

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a4219bbc by Alex Rodin at 2020-02-25T11:02:57+01:00
SSSDConfig: New SSSDOptions class

 - Moved option_strings dictionary to an external SSSDOptions class
 - Removed duplicate keys from option_strings dictionary
 - Updated Makefile.am to honor new sssdoptions.py file

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
746d4ff3 by ikerexxe at 2020-02-26T11:52:06+01:00
config: allowed auto_private_groups in child domains

sssctl config-check failed if auto_private_groups was enabled/disabled in child domains

Resolves:
https://pagure.io/SSSD/sssd/issue/4161

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b11907c6 by Michal Židek at 2020-02-27T00:16:10+01:00
Bump the version.

Recently added option ssh_use_certificate_matching_rules
changed behavior. This justifies version bump.

- - - - -
8e5aa82d by Timo Aaltonen at 2020-02-27T21:07:12+02:00
Fix sssd_be busy-looping when LDAP connection flickers. (Closes: #946847)

- - - - -
882ccd06 by Timo Aaltonen at 2020-02-27T21:09:50+02:00
libnss-sss: Add an entry for automounter to nsswitch.conf. This is needed by ipa-client-automount.

- - - - -
008cd907 by Timo Aaltonen at 2020-02-27T21:10:28+02:00
Added gitlab-ci.yml.

- - - - -
fe9eeb51 by Michal Židek at 2020-02-28T10:11:45+01:00
nss: Collision with external nss symbol

One of our internal static function names started
to collide with an external nss symbol. An additional
sss_ suffix was added to avoid the collision.

This is needed to unblock Fedora Rawhide's
SSSD build.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bfa02b0b by Pavel Březina at 2020-02-28T10:14:03+01:00
ci: keep system list outside repository

This way we do not need to push a new commit to the repository every time
we change the list of distributions we test on, and changes
will be immediately picked up by open pull requests without the
need to rebase them.

It will also help us to temporarily disable a particular distribution
when there are errors that we cannot fix (e.g. the current rawhide issue)
so we can still have all green results.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
feaf8891 by Pavel Březina at 2020-02-28T10:14:03+01:00
ci: remove old dependency repository

This repository is no longer needed and packages there are not maintained
for many years. Recent update of mock-core-configs changes `yum.conf` to
`dnf.conf` on Fedora and this breaks things for us.

The original purpose was to add newer libraries (such as ding-libs) to
RHEL-6 and early RHEL-7 so we could test current master there. This is no
longer needed since it contains up to date packages. Therefore it is safe
to remove it instead of trying to determine whether there should be yum.conf
or dnf.conf.

Otherwise we end up during mock build with:
```
KeyError: 'yum.conf'

ERROR: Error in configuration
```

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
7fbc7e3f by Michal Židek at 2020-03-02T11:20:23+01:00
sssd.spec: Add recommended packages

sssd-dbus is recommended for tools and SSSD's logrotate
support can only be useful with the logrotate package
in place. It makes sense to recommend them.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2143c727 by Samuel Cabrero at 2020-03-02T11:21:06+01:00
AD: use getaddrinfo with AI_CANONNAME to find the FQDN

In systems where gethostbyname() does not return the FQDN try calling
getaddrinfo().

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2dc82a24 by Thorsten Scherf at 2020-03-04T12:46:13+01:00
Fix sssd-ldap man page

The option 'ldap_default_authtok_type' also accepts non-clear-text passwords
in the meantime.

Signed-off-by: Thorsten Scherf <tscherf at redhat.com>

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b19b25e1 by Thorsten Scherf at 2020-03-04T12:46:13+01:00
add reference to sss_obfuscate man page

Signed-off-by: Thorsten Scherf <tscherf at redhat.com>

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
9ccf78db by MIZUTA Takeshi at 2020-03-04T12:46:48+01:00
man: fix typos - correct manpage reference - correct wrong word - capitalize the first letter

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e4c6ebf6 by Pavel Březina at 2020-03-05T10:30:24+01:00
sdap: provide error message when password change fails in ldap_modify mode

Steps to reproduce:
1. Configure LDAP server to enable password constraints
2. Set ldap_pwmodify_mode = ldap_modify in [domain]
3. Run SSSD and authenticate as a user
4. Run passwd to change password, use password that does not meet requirements

It will print "password change successful" without this patch and server
error message with this patch applied.

Resolves:
https://pagure.io/SSSD/sssd/issue/4148

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
12bd3f96 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
STAP: Add missing session data provider target

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d263fa9d by Samuel Cabrero at 2020-03-05T10:31:44+01:00
UTIL: Add a function to canonicalize IP addresses

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
860c4570 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
SYSDB: Add sysdb functions for hosts entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62284927 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
SYSDB: Add index for hostAddress attribute

Adding the IP address to the indexed attributes will speed up the
host-by-address searches.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
99ce1171 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
SBUS: Add new resolver target interface

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d76d818c by Samuel Cabrero at 2020-03-05T10:31:44+01:00
DP: Add a new filter type, filter by address

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
469891df by Samuel Cabrero at 2020-03-05T10:31:44+01:00
RESPONDER: Add sss_dp_resolver_get_send

This function sends requests for IP hosts and networks to the resolver
target. Will be used by following cache req plugins:
* cache_req_ip_host_by_name
* cache_req_ip_host_by_addr
* cache_req_ip_network_by_name
* cache_req_ip_network_by_addr

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1cb20955 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
CACHE_REQ: Rename cache req host by name name plugin used by SSH

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dafdd066 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
CACHE_REQ: Add a data field to store network addresses

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6e66e321 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
CACHE_REQ: Implement ip_host_by_addr and ip_host_by_name plugins

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e931f27d by Samuel Cabrero at 2020-03-05T10:31:44+01:00
NSS: Add client support for hosts (non-enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
55cfacfe by Samuel Cabrero at 2020-03-05T10:31:44+01:00
NSS: Add gethostbyname and gethostbyaddr support to the NSS responder

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
014cd3a5 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
TESTS: Add gethostbyname and gethostbyaddr NSS responder tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2c317ce9 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
DP: Implement resolver target handler

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6f690037 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
CONFDB: Add new options for resolver provider

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d6d03aaf by Samuel Cabrero at 2020-03-05T10:31:45+01:00
CONFDB: Add a new resolver_timeout to timeout cached resolver entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b523fb6a by Samuel Cabrero at 2020-03-05T10:31:45+01:00
UTIL: Allow to specify mandatory and optional symbols when loading nss libs

A more flexible way of loading NSS shared libraries is needed, as not all
of them provide the same symbols.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0ec8bd57 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Create a module context to store id and auth contexts

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
688e6a6b by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Load resolver NSS library

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b1fe85eb by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Register resolver hosts handler method

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
be791978 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Handle resolver hosts by name requests

Call the NSS library to get IPv4 and IPv6 addresses. If the host is not
found, cache entries are deleted.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bbb7a45d by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Store results from NSS library call into the cache

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
00bc7897 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
SYSDB: Extend sysdb_store_host() to accept extra attributes

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29c583b6 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Handle resolver hosts by address requests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5672d2be by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Initialize resolver provider

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1402f100 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Initialize resolver provider

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a61c6d61 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Initialize ldap_iphost_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6a777526 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Document new ldap_iphost_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0498591e by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Initialize ldap_iphost_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b8fba016 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Prepare for iphost lookups

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29b27395 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Add support for iphost lookups (no enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bbcd849a by Samuel Cabrero at 2020-03-05T10:31:45+01:00
NSS: Add client support for [set|get|end]hostent()

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
11cc32e4 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
SYSDB: Add support for enumerating hosts

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8b96109f by Samuel Cabrero at 2020-03-05T10:31:45+01:00
CACHE_REQ: Add support for enumerating hosts

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a51bc0d by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Setup resolver enumeration tasks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
82b808d9 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Add support for iphost enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2be80a00 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Setup resolver enumeration tasks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
10d9346a by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Add support for iphost enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae6d042c by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Implement iphost cleanup for expired cache entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
45dbaddd by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Implement iphost cleanup for expired cache entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e980b0f6 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Add support for iphost enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a66d6e5 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
TESTS: Add LDAP resolver target integration tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e698d53e by Michal Židek at 2020-03-06T12:08:48+01:00
spec: Do not overwrite /etc/pam.d/sssd-shadowutils

We should not overwrite this file when sssd-common is
updated.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6ab9ac3f by Petr Vaněk at 2020-03-06T12:13:55+01:00
configure: prefer python3 if available

We should prefer python3 whenever it is available, regardless of
whether python3 bindings are generated; otherwise sbus_generate.sh fails
on python3-only systems where sssd is configured with the
--without-python3-bindings parameter.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
952342a5 by Timo Aaltonen at 2020-03-06T21:49:33+02:00
fix-python3.8-ftbfs.diff: Fix build against python3.8.

- - - - -
2aea1934 by Timo Aaltonen at 2020-03-06T21:58:36+02:00
releasing package sssd version 2.2.3-2

- - - - -
d4bf6626 by Pavel Březina at 2020-03-16T16:42:59+01:00
sbus: commit complete generated code

99ce117106b9c0d0e0167f1c10f5840a7912fa7f incorrectly committed generated code.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
6f7f1569 by Sumit Bose at 2020-03-16T17:12:29+01:00
ssh: fix matching rules default

Before the ssh_use_certificate_matching_rules option was added the ssh
responder returned ssh keys derived from all valid certificates. Since
the default of the ssh_use_certificate_matching_rules option is
'all_rules', in a case where no matching rules are defined all
certificates will be filtered out and no ssh keys are returned.

The intention of the default was to allow the same certificates
which are allowed in the PAM responder for authentication. The missing
default matching rule which is currently used by the PAM responder if no
other rules are available is added by this patch.

There might still be a small regression in case certificates without the
extended key usage (EKU) clientAuth were used for ssh. In this case
'ssh_use_certificate_matching_rules = no_rules' or a suitable matching
rule must be added to the configuration.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
653df698 by Alexey Tikhonov at 2020-03-18T13:24:26+01:00
Watchdog: fixes "off-by-one" error

'man sssd.conf': timeout: "Note that after three missed heartbeats
the process will terminate itself."

But implementation was:
```
#define WATCHDOG_MAX_TICKS 3
...
    if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
        ...
        _exit(1);
```
  -- since after reset ticks start from 0 effectively this was 4 heartbeats.

Fixed to match man page.

Resolves: https://pagure.io/SSSD/sssd/issue/4169

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
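The off-by-one quoted in the commit above is easy to see by counting events. The following model is an added example, not SSSD's own watchdog code: `WATCHDOG_MAX_TICKS` is the name from the commit, and comparing with `>=` for the corrected check is this example's assumption about one way to match the man page, not necessarily the exact change that was merged.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not SSSD's own code: a model of the watchdog tick counter
 * quoted in the commit above. WATCHDOG_MAX_TICKS is the name from the
 * commit; using ">=" for the corrected comparison is this example's
 * assumption about one way to match the man page, not necessarily the
 * exact change that was merged. */
#define WATCHDOG_MAX_TICKS 3

/* events: 'T' = the watchdog timer fired (one missed heartbeat),
 *         'H' = a heartbeat arrived (ticks reset to 0).
 * fixed:  0 = original "ticks > MAX" check, 1 = corrected "ticks >= MAX".
 * Returns the 1-based index of the event on which the process would have
 * called _exit(1), or 0 if it survives the whole sequence. */
int watchdog_exit_position(const char *events, int fixed)
{
    int ticks = 0;

    for (size_t i = 0; events[i] != '\0'; i++) {
        if (events[i] == 'H') {
            ticks = 0;               /* heartbeat: counting starts over */
            continue;
        }
        ticks++;                     /* __sync_add_and_fetch(&ticks, 1) */
        int terminate = fixed ? (ticks >= WATCHDOG_MAX_TICKS)
                              : (ticks >  WATCHDOG_MAX_TICKS);
        if (terminate) {
            return (int)(i + 1);
        }
    }
    return 0;
}

int main(void)
{
    /* Four consecutive missed heartbeats: the original check only fires on
     * the fourth tick, the corrected one on the third, as the man page says. */
    printf("original: exits at event %d\n", watchdog_exit_position("TTTT", 0));
    printf("fixed:    exits at event %d\n", watchdog_exit_position("TTTT", 1));
    return 0;
}
```

The practical consequence for operators is that with the original check a hung responder lived for one extra `timeout` interval before the watchdog killed it; a heartbeat at any point resets the count in both variants.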
863f71ac by Alexey Tikhonov at 2020-03-26T12:41:44+01:00
sssd.spec.in: added missing Requires

This partially resolves warnings of rpmdiff tool.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b432b2c4 by Paweł Poławski at 2020-04-01T11:15:40+02:00
LDAP: Netgroups refresh in background task

refresh_expired_interval config value spawns be_task
responsible for refreshing expired cache entries
in background.

Netgroup related entries are stored in persistent
cache rather than timestamp cache. After sdap_refresh_step()
has been replaced by generic be_refresh_step()
lookup routine was searching for entries only in
timestamp cache. This results in LDAP netgroup entries
not refreshing in background.

Resolves:
https://pagure.io/SSSD/sssd/issue/4177

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
704d9f1d by Paweł Poławski at 2020-04-01T11:15:40+02:00
SYSDB: Cache selector as enum

Sysdb has two sources of cache: timestamp based and persistent.
This change changes implementation of that selector from
binary flag to enum.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0003eda9 by Sumit Bose at 2020-04-03T11:26:21+02:00
ipa: add missing new-line in debug message

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
27a3c0cf by Sumit Bose at 2020-04-03T11:26:21+02:00
sysdb: sanitize certmap rule name before using it in DN

The name of a certificate mapping and matching rule might contain
characters which are not allowed in RDNs and must be escaped before it
can be used in the DN of the cached certmap object.

Resolves: https://pagure.io/SSSD/sssd/issue/3721

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
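The escaping the commit above calls for is the RFC 4514 rule set for RDN values: a leading space or `#`, a trailing space, and any of `" + , ; < > \` must be backslash-escaped, and other bytes may be written as `\XX` hex pairs. The code below is an added example, not SSSD's own sanitizer; the base DN `cn=certmap,cn=sysdb` is assumed for the illustration. It also shows why the escaping matters: an unescaped rule name such as `rule,cn=x` would smuggle an extra RDN into the DN.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not SSSD's own sanitizer: RFC 4514 section 2.4 escaping for
 * an RDN value, then the DN of a cached certmap rule under an assumed base. */

/* Characters that must always be escaped inside an RDN value. */
static int rdn_special(unsigned char c)
{
    switch (c) {
    case '"': case '+': case ',': case ';': case '<': case '>': case '\\':
        return 1;
    default:
        return 0;
    }
}

/* Returns a malloc'ed escaped copy of value (caller frees), or NULL. */
char *rdn_escape_value(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes \XX */
    size_t o = 0;

    if (out == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        int leading  = (i == 0 && (c == ' ' || c == '#'));
        int trailing = (i == len - 1 && c == ' ');

        if (rdn_special(c) || leading || trailing) {
            out[o++] = '\\';
            out[o++] = (char)c;
        } else if (c < 0x20 || c == 0x7f) {
            o += (size_t)sprintf(out + o, "\\%02X", c);  /* control chars as hex pairs */
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Builds "cn=<escaped rule name>,cn=certmap,cn=sysdb" (base DN assumed);
 * caller frees. */
char *certmap_rule_dn(const char *rule_name)
{
    static const char base[] = "cn=certmap,cn=sysdb";
    char *esc = rdn_escape_value(rule_name);
    char *dn;
    size_t n;

    if (esc == NULL) {
        return NULL;
    }
    n = strlen("cn=") + strlen(esc) + 1 + sizeof(base);  /* sizeof includes NUL */
    dn = malloc(n);
    if (dn != NULL) {
        snprintf(dn, n, "cn=%s,%s", esc, base);
    }
    free(esc);
    return dn;
}

/* Counts RDN components by unescaped commas, so the effect of a missing
 * escape on a name like "rule,cn=x" is visible. */
int dn_component_count(const char *dn)
{
    int count = 1;

    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                 /* skip the escaped character */
        } else if (*p == ',') {
            count++;
        }
    }
    return count;
}

int main(void)
{
    char *dn = certmap_rule_dn("rule,cn=x");
    if (dn != NULL) {
        printf("%s has %d RDNs\n", dn, dn_component_count(dn));
        free(dn);
    }
    return 0;
}
```

With escaping the rule name stays a single `cn=` component; without it the same string would parse as four RDNs and the cached object would land under a different parent than intended.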
626c9c2f by Tomas Halman at 2020-04-03T11:27:32+02:00
SYSDB: override_gid not working for subdomains

The override_gid is not propagated to subdomain. This patch
assigns subdomain's override_gid to the value coming from
parent domain.

Resolves:
https://pagure.io/SSSD/sssd/issue/4061

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ae5a2cdc by Pavel Březina at 2020-04-06T12:04:36+02:00
proxy: set pwfield to x for files library

Resolves:
https://pagure.io/SSSD/sssd/issue/4174

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
1fdd8fa2 by Noel Power at 2020-04-06T12:05:40+02:00
Use ndr_pull_steal_switch_value for modern samba versions

commit bc56b10aea999284458dcc293b54cf65288e325d attempted to
fix the build error resulting from removal of 'ndr_pull_get_switch'

This change uses the new replacement method
'ndr_pull_steal_switch_value' however depending on the samba version
the ndr_pull_steal_switch_value abi is different.

Note: ndr_pull_steal_switch_value is used since samba 4.10 for
      the affected methods

Note: the following methods have been refreshed from samba-4.12 generated
      code;

    o ndr_pull_security_ace_object_type
    o ndr_pull_security_ace_object_inherited_type
    o ndr_pull_security_ace_object_ctr

Signed-off-by: Noel Power <noel.power at suse.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c031adde by Noel Power at 2020-04-06T12:05:40+02:00
ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12

Signed-off-by: Noel Power <noel.power at suse.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5019d216 by Lars Francke at 2020-04-06T12:14:14+02:00
ldap: set ldap_group_name to sAMAccountName for ad schema

This is to make it consistent with the AD provider which was changed
in adb148603344a42d6edffdda0786a10af715dacb.

"name" is an optional field for the group class.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dab522c0 by Sumit Bose at 2020-04-09T13:08:23+02:00
confdb: use proper timestamp if sssd.conf is missing

If sssd.conf is missing the timestamp is uninitialized and as a result
the lastUpdate attribute in config.ldb will contain some random binary
value.

This patch initializes the timestamp to "1".

Resolves: https://pagure.io/SSSD/sssd/issue/4178

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
c7d328ea by Pavel Březina at 2020-04-09T13:11:21+02:00
proxy: do not fail if proxy_resolver_lib_name is not set

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
23c2d376 by Pavel Březina at 2020-04-09T13:11:21+02:00
be: add BE_REQ_HOST to be_req2str

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
41220021 by Pavel Březina at 2020-04-09T13:11:21+02:00
dp: free methods if target is not configured

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
494b838d by Joakim Tjernlund at 2020-04-09T13:14:50+02:00
Update OpenRC init.d script

Modernize the script, add TERM delay,rotate,online and offline

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d028df03 by Lukas Slebodnik at 2020-04-09T13:19:22+02:00
CI: Drop usage of unnecessary copr repo for mock

Merges: https://pagure.io/SSSD/sssd/pull-request/4156

- - - - -
fa9ab958 by Alexey Tikhonov at 2020-04-17T12:53:47+02:00
PAM: fixed wrong debug message

Fixed wrong debug message in case of fail to read CONFDB_PAM_P11_URI
option from config.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d0300081 by Timo Aaltonen at 2020-04-20T17:13:50+03:00
libnss-sss: Fix a typo in adding the NSS entry for automount. (LP: #1873752)

- - - - -
6e4ae9c9 by Timo Aaltonen at 2020-04-20T17:52:14+03:00
control, watch: Update upstream url to github.

- - - - -
28bd4ca2 by Timo Aaltonen at 2020-04-20T17:52:25+03:00
releasing package sssd version 2.2.3-3

- - - - -
903fe0fa by Alexey Tikhonov at 2020-04-21T13:22:17+02:00
MAN: fixed description of pam_cert_db_path

Part about "PKCS#11 modules" only applies to NSS version.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
80b9285b by ikerexxe at 2020-04-21T13:23:07+02:00
man: in sssd-ipa clarified trusted domains section

In sssd-ipa man page added a second option when configuring trusted domains

Resolves:
https://pagure.io/SSSD/sssd/issue/4041

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1b84c3a1 by Pavel Březina at 2020-04-22T13:10:05+02:00
sysdb: check if the id override belongs to requested domain

Steps to reproduce:
1. Setup an id override (administrator at ad.vm: uid -> 10001)
2. Request user by name to fill cache
```
$ id Administrator at ad.vm
uid=10001(administrator at ad.vm) ...
```
3. Request user by id and see that domain part is missing
```
$ id 10001
uid=10001(administrator) ...
```

First, the uid is looked up in IPA domain and the override object is
found when we hit `sysdb_search_override_by_id` because id values are
not qualified. Therefore the origin object (administrator at ad.vm) is
returned as part of IPA domain.

We need to check if the original object belongs to the requested domain.

Resolves:
https://pagure.io/SSSD/sssd/issue/4173

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
233d30a5 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
SYSDB: Add sysdb functions for ipnetwork entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b37a13db by Samuel Cabrero at 2020-04-23T13:40:43+02:00
SYSDB: Add index for ipNetworkNumber attribute

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c01c1c34 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
CACHE_REQ: Implement ip_network_by_name and ip_network_by_addr plugins

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9c96d570 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
NSS: Add client support for networks (non-enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e88aac3b by Samuel Cabrero at 2020-04-23T13:40:43+02:00
NSS: Add getnetbyname and getnetbyaddr support to the NSS responder

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0ae36657 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
TESTS: Add getnetbyname and getnetbyaddr NSS responder tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5dfced3c by Samuel Cabrero at 2020-04-23T13:40:43+02:00
DP: Handle IP network requests in resolver target

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
be1e6c12 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
PROXY: Load networks symbols

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5e92783f by Samuel Cabrero at 2020-04-23T13:40:43+02:00
PROXY: Handle resolver IP network by name requests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0b88ce5d by Samuel Cabrero at 2020-04-23T13:40:43+02:00
PROXY: Handle resolver IP network by address requests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fe9f0ecf by Samuel Cabrero at 2020-04-23T13:40:44+02:00
SYSDB: Add functions to store IP networks from providers

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
92e8c1e8 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
PROXY: Store IP network results from NSS library in the cache

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
93de591c by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Initialize ldap_ipnetwork_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4ab99ef1 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Document new ldap_ipnetwork_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
407d766d by Samuel Cabrero at 2020-04-23T13:40:44+02:00
AD: Initialize new ldap_ipnetwork_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3533697f by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Prepare for ipnetwork lookups (no enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e5303ba by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Add support for ipnetwork lookups (no enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29adb108 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
NSS: Add client support for [set|get|end]netent()

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cad60f63 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
SYSDB: Add support for enumerating ipnetworks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5e75d695 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
CACHE_REQ: Add support for enumerating ip networks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ab2cd9ca by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Add support for ipnetworks enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f7069573 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Implement ipnetwork cleanup for expired cache entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
08b774e4 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
PROXY: Add support for ipnetwork enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ebe944ba by Samuel Cabrero at 2020-04-23T13:40:44+02:00
TESTS: Add LDAP resolver IP networks tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f5cb0e16 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Grant access if DACL is not present

We falsely stopped GPO processing when the Group Policy Container
in AD did not contain a DACL or the "DACL Present" bit was not set.
Such GPOs are considered to be applicable according to MS-ADTS:
https://msdn.microsoft.com/en-us/library/cc223518.aspx.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8527ed11 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Support group policy file main folders with upper case name

There are AD domain controller implementations that use upper case names
for the main folder on SYSVOL under which group policy files and templates
are stored. E. g. 'MACHINE' instead of 'Machine'.

gpo_child uses the libsmbclient library to copy group policy files from the AD
domain controller into a local GPO cache directory. libsmbclient does not
allow requesting that the domain controller perform case-insensitive SMB URI
lookups if SYSVOL is located on a case-sensitive file system. If a group
policy template is stored under the main folder 'MACHINE', gpo_child cannot
retrieve the policy data and exits with error code 2 (No such file or
directory). GPO based access control fails with error 22 (Invalid argument)
and users may not be able to log in.

GP_EXT_GUID_SECURITY_SUFFIX constant defines a case sensitive main folder
name (/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf) for the policy
template to retrieve. If the group policy file cannot be retrieved, gpo_child
will now also try to retrieve the file using an upper case main folder name,
i.e. /MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>
Signed-off-by: Thomas Reim <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
866d588a by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Close group policy file after copying

The SMB protocol sequence for copying the content of group policy files
should be:
- smbc_getFunctionOpen()
- smbc_getFunctionRead()
- smbc_getFunctionClose().

Inform the AD server, that we do not need further access to a policy file
after we have copied its content.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5435e0a6 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Group policy access evaluation not in line with [MS-ADTS]

The implemented security ACE evaluation algorithm is too strict and does not
meet Microsoft technical specifications:
Security access rights for a group policy object may be split into several
access control entries (ACE). The implemented algorithm does not consider
this and denies access to GPOs, where the "ApplyGroupPolicy" (AGP) ACE is
preceded by a standard access rights ACE. The algorithm also denies
access, if the AGP ACE is preceded by other extended object ACEs.

Update security access right evaluation algorithms to be in line with the
applicable Microsoft technical specifications:
- Add a simple evaluation algorithm to check standard access rights for the
  complete GPO ([MS-ADTS] 5.1.3.3.2 and [MS-GOPD] 2.4):
  The requester must have been granted read access (RIGHT_DS_READ_PROPERTY)
  to the properties of the GPO
- Fix the "ApplyGroupPolicy" evaluation algorithm to be in line with
  [MS-ADTS] 5.1.3.3.4

Further improve debug messages during security filtering for administrators
to figure out why access to a GPO was denied:
- Inform administrators when a GPO with applicable AGP access right has not
  been evaluated due to missing or denied read access.
- Show the trustee's SID that specifies the particular user or group for
  which GPO access has been denied
- Align message content to Microsoft tool like Gpresult

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>
Signed-off-by: Thomas Reim <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
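
The two [MS-ADTS] checks described in the commit above, as an added example that is not SSSD's code: a minimal model of the read-property check and of the Apply-Group-Policy (AGP) evaluation, run over constructed DACLs. The SIDs, the placeholder GUID OTHER_RIGHT and the simplified ACE layout are assumptions; the access-mask bits and the AGP GUID are the well-known values. The split-ACE case the commit describes is granted, a deny ACE ordered before the allow is honoured, and a GPO without a DACL is treated as applicable, as commit f5cb0e16 above requires.

```c
/* Added example, not SSSD code: a minimal model of the two [MS-ADTS]
 * checks named in the commit, run over constructed DACLs. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RIGHT_DS_READ_PROPERTY  0x00000010u  /* [MS-ADTS] 5.1.3.2 access mask bits */
#define RIGHT_DS_CONTROL_ACCESS 0x00000100u
#define AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939" /* Apply-Group-Policy right */

enum ace_type { ACE_ALLOWED, ACE_DENIED, ACE_ALLOWED_OBJECT, ACE_DENIED_OBJECT };

struct ace {
    enum ace_type type;
    uint32_t mask;
    const char *object_type; /* right GUID for object ACEs; NULL = all rights */
    const char *trustee;     /* SID string */
};

struct dacl  { bool present; const struct ace *aces; size_t n; };
struct token { const char *const *sids; size_t n; };  /* user SID + group SIDs */

static bool token_has_sid(const struct token *t, const char *sid)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* [MS-ADTS] 5.1.3.3.2 reduced to standard rights: the requester needs
 * RIGHT_DS_READ_PROPERTY on the GPO object. Rights accumulate across
 * several allow ACEs; a matching deny ACE seen first wins. */
static bool gpo_read_allowed(const struct dacl *d, const struct token *t)
{
    uint32_t granted = 0;
    if (!d->present) return true;         /* no DACL: full access for everyone */
    for (size_t i = 0; i < d->n; i++) {
        const struct ace *a = &d->aces[i];
        if (!token_has_sid(t, a->trustee)) continue;
        if (a->type == ACE_DENIED && (a->mask & RIGHT_DS_READ_PROPERTY)) return false;
        if (a->type == ACE_ALLOWED) {
            granted |= a->mask;
            if (granted & RIGHT_DS_READ_PROPERTY) return true;
        }
    }
    return false;
}

/* [MS-ADTS] 5.1.3.3.4 for the Apply-Group-Policy extended right. ACEs are
 * walked in DACL order and the first ACE that decides wins; ACEs that say
 * nothing about this right (a plain read ACE, an object ACE for another
 * right) are skipped instead of ending the evaluation. */
static bool gpo_apply_allowed(const struct dacl *d, const struct token *t)
{
    if (!d->present) return true;
    for (size_t i = 0; i < d->n; i++) {
        const struct ace *a = &d->aces[i];
        bool covers = a->object_type == NULL || strcmp(a->object_type, AGP_GUID) == 0;
        if (!token_has_sid(t, a->trustee) || !(a->mask & RIGHT_DS_CONTROL_ACCESS)) continue;
        switch (a->type) {
        case ACE_DENIED:         return false;            /* all extended rights denied */
        case ACE_ALLOWED:        return true;             /* all extended rights granted */
        case ACE_DENIED_OBJECT:  if (covers) return false; break;
        case ACE_ALLOWED_OBJECT: if (covers) return true;  break;
        }
    }
    return false;
}

/* Security filtering as the commit describes it: both checks must pass. */
bool gpo_applies(const struct dacl *d, const struct token *t)
{
    return gpo_read_allowed(d, t) && gpo_apply_allowed(d, t);
}

/* Constructed data: an ordinary domain user who is a member of
 * Authenticated Users (S-1-5-11) but not of Domain Admins (RID 512). */
static const char *const USER_SIDS[] = { "S-1-5-21-1-2-3-1105", "S-1-5-11" };
static const struct token USER = { USER_SIDS, 2 };
#define OTHER_RIGHT "00000000-0000-0000-0000-00000000beef" /* placeholder, not a real right */

/* The commit's failing case: the AGP ACE is preceded by a standard read ACE
 * and by an object ACE for an unrelated extended right. */
static const struct ace SPLIT[] = {
    { ACE_ALLOWED,        RIGHT_DS_READ_PROPERTY,  NULL,        "S-1-5-11" },
    { ACE_ALLOWED_OBJECT, RIGHT_DS_CONTROL_ACCESS, OTHER_RIGHT, "S-1-5-11" },
    { ACE_ALLOWED_OBJECT, RIGHT_DS_CONTROL_ACCESS, AGP_GUID,    "S-1-5-11" },
};
/* A deny for the user, ordered before the allow for its group: not applied. */
static const struct ace DENY_FIRST[] = {
    { ACE_ALLOWED,        RIGHT_DS_READ_PROPERTY,  NULL,     "S-1-5-11" },
    { ACE_DENIED_OBJECT,  RIGHT_DS_CONTROL_ACCESS, AGP_GUID, "S-1-5-21-1-2-3-1105" },
    { ACE_ALLOWED_OBJECT, RIGHT_DS_CONTROL_ACCESS, AGP_GUID, "S-1-5-11" },
};
/* AGP granted, but read access only granted to Domain Admins: not applied. */
static const struct ace NO_READ[] = {
    { ACE_ALLOWED,        RIGHT_DS_READ_PROPERTY,  NULL,     "S-1-5-21-1-2-3-512" },
    { ACE_ALLOWED_OBJECT, RIGHT_DS_CONTROL_ACCESS, AGP_GUID, "S-1-5-11" },
};

bool demo_split_aces(void) { struct dacl d = { true, SPLIT, 3 };      return gpo_applies(&d, &USER); }
bool demo_deny_first(void) { struct dacl d = { true, DENY_FIRST, 3 }; return gpo_applies(&d, &USER); }
bool demo_no_read(void)    { struct dacl d = { true, NO_READ, 2 };    return gpo_applies(&d, &USER); }
bool demo_no_dacl(void)    { struct dacl d = { false, NULL, 0 };      return gpo_applies(&d, &USER); }

int main(void)
{
    printf("split ACEs: %d, deny first: %d, no read: %d, no DACL: %d\n",
           demo_split_aces(), demo_deny_first(), demo_no_read(), demo_no_dacl());
    return 0;
}
```

The model deliberately keeps the two evaluations separate, as the commit does: a GPO that grants AGP but not read access is still filtered out, which is the case the new debug message ("not evaluated due to missing or denied read access") is meant to surface.

- - - - -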
a32f94f5 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Improve logging of GPO security filtering

GPO security filtering is as critical as the actual logon policy rights
checking. Administrators should not only be able to figure out, why GPO
access check granted or denied a user login, but also why a GPO access
check was not performed due to security filtering.

GPO access check can be logged using debug level Function Data, whereas GPO
security filtering can only be logged with lowest level tracing.

- Debug the main security filtering activities on level Function Data
- Debug missing security descriptor as minor failure, because it terminates
  GPO security filtering.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4c93aa76 by Paweł Poławski at 2020-05-05T12:47:40+02:00
DOMAIN: Downgrade log message type

Not all domains contain a flat name.
This is specific to, and in most cases needed for, AD domains.
In the case of an AD domain, flat name checking and failure logging already exist:
src/providers/ad/ad_domain_info.c +104

src/util/usertools.c contains more generic domain related
functions. In those cases a missing flat_name should not be
considered a failure.

Resolves:
https://github.com/SSSD/sssd/issues/1032

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9b120fe0 by Alexey Tikhonov at 2020-05-06T09:41:17+02:00
SPEC: added explicit `samba-client-libs` dependency

Resolves: https://github.com/SSSD/sssd/issues/5136

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a7099b72 by Sumit Bose at 2020-05-06T09:42:40+02:00
sudo: fix ldap_sudo_include_regexp default

With https://github.com/SSSD/sssd/pull/627 the default value for
ldap_sudo_include_regexp should have been set to 'false' but unfortunately the
patch was incomplete. With this patch the default should be changed
properly.

Resolves https://pagure.io/SSSD/sssd/issue/3515

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
ac7248e8 by Sumit Bose at 2020-05-06T09:44:20+02:00
ad: use GSSAPI with LDAPS

There is an issue in some cyrus-sasl versions where a max SSF of 0 (zero)
is not handled correctly when using GSS-SPNEGO. To be on the safe side
we switch to GSSAPI in that case.

Related to https://pagure.io/SSSD/sssd/issue/4007

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dc21609f by Sumit Bose at 2020-05-06T09:44:20+02:00
ad: change SASL mech default to GSS-SPNEGO

Resolves: https://pagure.io/SSSD/sssd/issue/4007

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8b2c4ad0 by Alexey Tikhonov at 2020-05-07T11:23:07+02:00
config: switch to OpenSSL as default crypto backend

 - switch default to OpenSSL
 - warn about deprecation in the case NSS is selected
   during configuration

Resolves: https://github.com/SSSD/sssd/issues/1041 parts I.1 and I.2

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
5379fddb by Alexey Tikhonov at 2020-05-07T11:24:21+02:00
SPEC: 'sssd.api.*' should belong `python-sssdconfig`

`sssd.api.conf` and `sssd.api.d/*` are only used by python-sssdconfig,
not by sssd-common.

Resolves: https://github.com/SSSD/sssd/issues/1038

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0f9173aa by Timo Aaltonen at 2020-05-08T19:24:51+03:00
source: Migrate to 3.0 (quilt).

- - - - -
e0859e47 by Timo Aaltonen at 2020-05-08T19:39:57+03:00
source/local-options: Add files not found on upstream tarball to extend-diff-ignore.

- - - - -
b4354623 by Alexey Tikhonov at 2020-05-12T10:02:04+02:00
TESTS: NSS db setup is only required in NSS based build

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
090d804c by Samuel Cabrero at 2020-05-12T10:03:14+02:00
Drop obsolete SUSE spec file

Just for reference, SUSE spec files are available in openSUSE build
service: https://build.opensuse.org/package/show/network:ldap/sssd

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
ee56fbca by Pavel Březina at 2020-05-12T10:04:04+02:00
p11_child: fix initializer error

Building with:
```
$ echo $CFLAGS
-m64 -mtune=generic -fstack-protector-all -Wall -Wextra -Wno-sign-compare -Wshadow -Wunused-variable -Wno-unused-parameter -Wno-error=cpp -O0 -ggdb3 -Werror -Wp,-U_FORTIFY_SOURCE
```

Produces:
```
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c: In function ‘get_preferred_rsa_mechanism’:
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c:1296:9: error: missing initializer for field ‘evp_md’ of ‘struct prefs’ [-Werror=missing-field-initializers]
 1296 |         { 0, NULL }
      |         ^
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c:1288:23: note: ‘evp_md’ declared here
 1288 |         const EVP_MD *evp_md;
      |                       ^~~~~~
```

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
f2ac087d by Alexey Tikhonov at 2020-05-12T11:35:39+02:00
SBUS: do not return invalid connection pointer

Resolves:
https://github.com/SSSD/sssd/issues/5126

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
db6f6b6d by Alex Rodin at 2020-05-15T10:39:18+02:00
MAN: use_fully_qualified_names description updated

Updated the information about when the option defaults to TRUE.

Resolves: https://github.com/SSSD/sssd/issues/1025

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
49b9ca15 by ikerexxe at 2020-05-15T10:40:21+02:00
ipa_auth and krb5_auth: when providing wrong password return PAM_AUTH_ERR

When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.

Resolves:
https://github.com/SSSD/sssd/issues/5139

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
035271b7 by Paweł Poławski at 2020-05-15T10:41:57+02:00
MAN: refresh_expired_interval description updated

In some situations the background task triggered by setting
refresh_expired_interval appears to be broken.
The MAN description for refresh_expired_interval has been updated
to inform users about this scenario.

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
95c8667a by Sumit Bose at 2020-05-19T11:05:32+02:00
ad: make GSS-SPNEGO maxssf=0 workaround configurable

To allow bypassing the workaround if the installed cyrus-sasl can
handle maxssf=0 with GSS-SPNEGO, a new configure option
--enable-gss-spnego-for-zero-maxssf is added. By default this option is
set to 'no' and the workaround is enabled.

Resolves: https://github.com/SSSD/sssd/issues/4978
          https://pagure.io/SSSD/sssd/issue/4007

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
11435b10 by Sumit Bose at 2020-05-19T11:06:23+02:00
krb5: do not cache ccache or password during preauth

The PAM preauth step is mainly used to determine which authentication
methods (single factor, two factor, Smartcard) are available for the
user. It does not make sense to try to store the password hash or the
credential cache at this step because this information is not available
or not accurate at this step.

It might even cause issues if the credential cache name contains a random
component. This is typically used for file based credential caches
stored in the /tmp directory to avoid attacks that pre-create the file
since the name is known. Since the credential cache name still contains
the template for the random component 'XXXXXX', updating the credential
cache name in the cache during preauth destroys the information about
the currently used credential cache and upcoming authentications will
create a new one.

This causes issues with screen-savers or screen-lock where every
unlocking creates a new credential cache file instead of updating the
existing one as expected. Another case is if a user logs in
multiple times to the same host, e.g. with ssh. Here it is expected as
well that the first session will create a new credential cache file
while all additional sessions will reuse it and only update the TGT in
the existing credential cache.

Resolves: https://github.com/SSSD/sssd/issues/5160

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
bf8536a0 by Alexey Tikhonov at 2020-05-19T11:12:47+02:00
Fixed unsafe usage of strncpy()

This patch fixes unsafe usage of strncpy() that renders warnings like:
```
In function ‘ad_try_to_get_fqdn’,
    inlined from ‘ad_get_common_options’ at ../src/providers/ad/ad_common.c:540:19:
../src/providers/ad/ad_common.c:468:5: warning: ‘strncpy’ specified bound 65 equals destination size [-Wstringop-truncation]
  468 |     strncpy(buf, res->ai_canonname, buflen);
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
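
The pattern in the warning above and one way to fix it, as an added example that is not the project's code. BUFLEN mirrors the bound from the warning; the host name is constructed so that it is exactly one byte too long for the destination once the terminator is counted.

```c
/* Added example, not SSSD code: the strncpy() pattern the warning points
 * at, next to a fix, checked with a constructed host name. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFLEN 65   /* the bound from the warning: destination is 65 bytes */

/* The flagged pattern: bound == sizeof(buf). If src has BUFLEN or more
 * bytes, strncpy() fills the whole buffer and writes no terminating NUL;
 * any later strlen() or printf("%s") on buf then reads past its end. */
static void copy_unsafe(char *buf, size_t buflen, const char *src)
{
    strncpy(buf, src, buflen);
}

/* Fix: leave room for the terminator and always write it, so the result
 * is a (possibly truncated) C string whatever strlen(src) is. */
static void copy_safe(char *buf, size_t buflen, const char *src)
{
    if (buflen == 0) return;
    strncpy(buf, src, buflen - 1);
    buf[buflen - 1] = '\0';
}

/* Looks for a NUL inside the buffer without reading past it. */
bool is_terminated(const char *buf, size_t buflen)
{
    return memchr(buf, '\0', buflen) != NULL;
}

/* Constructed canonical name of exactly BUFLEN characters: it fits the
 * buffer byte for byte, leaving no room for the NUL. */
#define LONG_FQDN "host-with-a-very-long-label-0123456789.ad.example.com.example.net"
_Static_assert(sizeof(LONG_FQDN) - 1 == BUFLEN, "sample name must be BUFLEN long");

bool unsafe_leaves_unterminated(void)
{
    char buf[BUFLEN];
    memset(buf, 'X', sizeof(buf));
    copy_unsafe(buf, BUFLEN, LONG_FQDN);
    return !is_terminated(buf, BUFLEN);   /* true: no NUL anywhere in buf */
}

bool safe_is_terminated(void)
{
    char buf[BUFLEN];
    memset(buf, 'X', sizeof(buf));
    copy_safe(buf, BUFLEN, LONG_FQDN);
    return is_terminated(buf, BUFLEN);
}

size_t safe_copy_length(void)
{
    char buf[BUFLEN];
    copy_safe(buf, BUFLEN, LONG_FQDN);
    return strlen(buf);                   /* BUFLEN - 1: truncated, but a valid string */
}

int main(void)
{
    printf("unsafe unterminated: %d, safe terminated: %d, safe length: %zu\n",
           unsafe_leaves_unterminated(), safe_is_terminated(), safe_copy_length());
    return 0;
}
```

Silent truncation of a host name is itself worth a check in code that later compares the name against a Kerberos principal or an LDAP result, so a caller would normally also compare strlen(src) against buflen - 1 and report an error instead of proceeding with a cut-off FQDN.

- - - - -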
b5728712 by Simo Sorce at 2020-05-19T11:16:16+02:00
cache_req: introduce cache_behavior enumeration

Instead of using individual booleans for controlling the behavior
of the nss responder with regard to cache usage, use a single
enumeration that can be extended to add new behaviors as needed.

Related:
https://pagure.io/SSSD/sssd/issue/4098

Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d2424bfb by Simo Sorce at 2020-05-19T11:16:16+02:00
pam: Use cache for users with existing session

Users that have an existing session do the bulk of their authentication
to unlock services that do not make use of initgroups (used only to
create a new login session). Forcing online initgroups calls for these
users leads mostly to delays in providing those services and does not
provide any useful data.

Resolves:
https://pagure.io/SSSD/sssd/issue/4098
Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b66f0e44 by Sumit Bose at 2020-05-19T11:16:16+02:00
pam: add option pam_initgroups_scheme

This new option should be used to tell the PAM responder to refresh the
user's group memberships either with every new PAM session or always
rely on cached data or refresh the data only if the user currently has
no active login session.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
68aa68e8 by Sumit Bose at 2020-05-19T11:16:16+02:00
pam: use pam_initgroups_scheme

The new pam_initgroups_scheme option is used to control how the PAM
responder is refreshing the group membership data of the user.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
74f0a451 by Sumit Bose at 2020-05-19T11:16:16+02:00
cache_req: no refresh with CACHE_REQ_BYPASS_PROVIDER

This patch fixes an unexpected behavior of the cache request code if the
CACHE_REQ_BYPASS_PROVIDER option is used. Currently even if this option
is used an expired entry in the cache is refreshed by calling the
provider. With this patch an error is returned if the entry is expired
and the provider is not called.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
272efe49 by Sumit Bose at 2020-05-19T11:16:16+02:00
pam: make sure initgr cache is not created twice

There are now two code paths which might call pam_initgr_cache_set() so
we should make sure the initgr cache is not created twice.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7b253751 by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
DEBUG: changed timestamp output format

Changed timestamp format from (example) "(Tue Apr 21 14:35:30 2020)" to
"(2020-04-21 14:35:30)" to have tidier and "sorting friendly" logs.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b5604d07 by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
DEBUG: introduce new SSSDBG_TRACE_LDB level

libldb LDB_DEBUG_TRACE messages usually don't bring any useful info
but create a lot of unneeded noise in the logs.
Nonetheless it feels too radical to drop them completely.
This patch introduces a new debug_level=10 (0x10000) especially for those
messages.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
00e7b1ad by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
DEBUG: changed "debug_prg_name" format

Removed wrapping "[sssd[...]]" from "debug_prg_name" as this doesn't
carry any information but eats 8 characters of debug line.
For example instead of `[[sssd[ldap_child[12492]]]]` logs will have
`[ldap_child[12492]]`

I also considered removing "debug_prg_name" from the output
completely but gave up on this idea. It makes sense to have the program name
in the output to be able to combine a few logs together (sorted by
timestamp).

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
65369f29 by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
WATCHDOG: log process termination to the journal

This patch adds an explicit system journal message in case the process was
terminated by an internal watchdog.

Resolves: https://github.com/SSSD/sssd/issues/5146

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
69de78d8 by Pavel Březina at 2020-05-19T11:50:26+02:00
Move from Pagure to Github

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ed64f142 by Pavel Březina at 2020-05-19T12:21:35+02:00
Update the translations for the 2.3.0 release

- - - - -
169ddae3 by Pavel Březina at 2020-05-19T13:10:34+02:00
Update version in version.m4 to track the next release.

- - - - -
391b9c5e by Thomas Reim at 2020-05-21T10:44:12+02:00
Minor fix in ad_access.c out of memory check

Wrong tevent request used for out-of-memory check.

Fixes https://github.com/SSSD/sssd/issues/5167

Signed-off-by: Thomas Reim <reimth at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
02fbf47a by vinay mishra at 2020-05-21T10:51:49+02:00
Replaced 'enter' with 'insert'

Resolves: https://github.com/SSSD/sssd/issues/5164

Signed-off-by: vinay mishra <vmishra at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
aac4dbb1 by Sumit Bose at 2020-05-21T10:54:31+02:00
NSS client: preserve errno during _nss_sss_end* calls

glibc does not expect that errno is changed by some of the calls
provided by nss modules. This caused issues at least when
_nss_sss_endpwent() is called in compat mode. According to
https://pubs.opengroup.org/onlinepubs/9699919799/functions/endpwent.html
endpwent() should only set errno in the case of an error. Since there is
no other way to report an error we will set errno in the case of an
error but preserve it otherwise. This should cause no issues because
glibc is taking precautions as well tracked by
https://sourceware.org/bugzilla/show_bug.cgi?id=25976.

To be on the safe side the other _nss_sss_end* calls will show the same
behavior.

Resolves: https://github.com/SSSD/sssd/issues/5153

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
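
The errno rule described in the commit above, as an added example that is not SSSD's client code. fake_end_request() stands in for the round trip to the responder (an assumption; the real client talks to the sssd_nss socket), and the two functions compare a variant that clobbers errno as a side effect with one that saves errno on entry and restores it unless there is an error to report. errno_after() plays the glibc caller that has set errno for its own purposes before calling the end* function.

```c
/* Added example, not SSSD code: preserving errno across an nss end*()
 * call, with a stand-in for the responder round trip. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed stand-in for the request to the responder: returns 0 on
 * success or an errno value describing the failure. */
static int fake_end_request(bool fail)
{
    return fail ? ECONNREFUSED : 0;
}

/* Before: an internal helper resets errno on its way through, so a
 * successful call hands errno = 0 back to a caller that did not expect
 * errno to change at all. */
int endpwent_clobbering(bool fail)
{
    errno = 0;                          /* the side effect the commit removes */
    int ret = fake_end_request(fail);
    if (ret != 0) errno = ret;
    return ret;
}

/* After: save errno on entry and restore it unless there is an error to
 * report, which is the only case POSIX allows endpwent() to set errno. */
int endpwent_preserving(bool fail)
{
    int saved_errno = errno;
    int ret = fake_end_request(fail);
    errno = (ret != 0) ? ret : saved_errno;
    return ret;
}

/* Simulated caller in the style of glibc's compat code: it has set errno
 * (EAGAIN here) before calling the end function and reads it afterwards. */
int errno_after(int (*endfn)(bool), bool fail)
{
    errno = EAGAIN;
    endfn(fail);
    return errno;
}

int main(void)
{
    printf("clobbering/ok: %d, preserving/ok: %d (EAGAIN=%d), preserving/fail: %d (ECONNREFUSED=%d)\n",
           errno_after(endpwent_clobbering, false),
           errno_after(endpwent_preserving, false), EAGAIN,
           errno_after(endpwent_preserving, true), ECONNREFUSED);
    return 0;
}
```

- - - - -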
61f4aaa5 by Tomas Halman at 2020-05-21T11:00:42+02:00
sssctl: sssctl config-check alternative config file

The sssctl config-check now allows specifying an alternative config
file so it can be tested before rewriting the system configuration.

    sssctl config-check -c ./sssd.conf

Configuration snippets are looked up in the same place under
conf.d directory. It would be in ./conf.d/ for the example above.

Resolves:
https://github.com/SSSD/sssd/issues/5142

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
532b75c9 by Pavel Březina at 2020-05-22T09:59:56+02:00
test: avoid endian issues in network tests

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
d8d74387 by Tomas Halman at 2020-05-22T10:01:06+02:00
man: Document invalid selinux context for homedirs

The default value of fallback_homedir expands into a path that is not
expected by selinux. Generally not only selinux might be affected by
this default value. This PR documents the issue and recommends
further steps.

Resolves:
https://github.com/SSSD/sssd/issues/5155

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
3ea6e61c by Sumit Bose at 2020-05-26T18:07:08+02:00
ad: remove unused libsmbclient from libsss_ad.so

libsmbclient is only used by gpo_child where libsmbclient is linked
directly. So there is no need to link it to libsss_ad.so as well.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b52c4c95 by Niranjan M.R at 2020-06-03T12:00:58+02:00
pytest/testlib: Remove explicit encryption types from kdc.conf

Previously, encryption types were listed explicitly so that
these encryption types were added to kdc.conf. These encryption
types contained des3, which was removed in recent krb5-1.18.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f47ad87a by Yuri Chornoivan at 2020-06-04T11:48:20+02:00
general: fix minor typos

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
26c794da by Sumit Bose at 2020-06-05T11:00:35+02:00
pam_sss: add SERVICE_IS_GDM_SMARTCARD

Resolves: https://github.com/SSSD/sssd/issues/5190

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3ed25476 by Sumit Bose at 2020-06-05T11:00:35+02:00
pam_sss: special handling for gdm-smartcard

The gdm-smartcard service is special since it is triggered by the
presence of a Smartcard and even in the case of an error it will
immediately try again. To break this loop we should ask for user
input, and asking for a PIN is the most straightforward option and would show the
same behavior as pam_pkcs11.

Additionally it does not make sense to fall back to a password prompt
for gdm-smartcard, so here also a PIN prompt should be shown.

Resolves: https://github.com/SSSD/sssd/issues/5190

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c226703f by Pavel Březina at 2020-06-05T11:01:46+02:00
Provide new link for documentation: change sssd.github.io to sssd.io

Documentation is now hosted through github pages on custom domain: sssd.io.
The original domain sssd.github.io redirects to sssd.io.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a7c75567 by Sumit Bose at 2020-06-05T11:03:07+02:00
ad_gpo_ndr.c: more ndr updates

This patch adds another update to the ndr code which was previously
updated by commits c031adde4f532f39845a0efd78693600f1f8b2f4 and
1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.

A missing update in ndr_pull_security_ace() caused
a failure in ad_gpo_parse_sd(). A unit test for ad_gpo_parse_sd() was
added to prevent similar issues in future.

Resolves: https://github.com/SSSD/sssd/issues/5183

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37588754 by Alexey Tikhonov at 2020-06-05T11:05:49+02:00
DEBUG: only open child process log files when required

There was no reason to keep child process log files open permanently.

This patch:
 - helps to avoid issue when SIGHUP was ignored for child process logs;
 - somewhat reduces code duplication.

Resolves: https://github.com/SSSD/sssd/issues/4667

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
dce025b8 by Sumit Bose at 2020-06-05T11:06:47+02:00
GPO: fix link order in a SOM

GPOs of the same OU were applied in the wrong order. Details about how
GPOs should be processed can be found e.g. at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)

Resolves: https://github.com/SSSD/sssd/issues/5103

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
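
Link ordering within a SOM, as an added example that is not SSSD's code. The parser handles the gPLink attribute format AD writes, "[LDAP://<gpo dn>;<options>]..." with option bit 1 = link disabled and bit 2 = enforced. The ordering rule applied here (the first-listed link has the highest precedence and is therefore applied last; enforced links are applied after all non-enforced ones; disabled links are skipped) is taken from [MS-GPOL] and is an assumption of this example, as is the constructed gPLink value.

```c
/* Added example, not SSSD code: parsing a SOM's gPLink attribute and
 * deriving the order in which its GPOs are applied. Constructed data. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINKS 16
#define DN_MAX    256
#define GPLINK_DISABLED 0x1   /* link option bits as written by AD */
#define GPLINK_ENFORCED 0x2

struct gp_link { char dn[DN_MAX]; int options; };

static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

/* Parses "[LDAP://<gpo dn>;<options>][...]" into links in attribute order.
 * Returns the number of links, or -1 if the value is malformed. */
int parse_gplink(const char *gplink, struct gp_link *out, int max)
{
    int n = 0;
    const char *p = gplink;
    while (*p != '\0') {
        if (*p != '[' || !has_prefix_ci(p + 1, "LDAP://")) return -1;
        const char *dn = p + 1 + strlen("LDAP://");
        const char *semi = strchr(dn, ';');
        if (semi == NULL || semi == dn || (size_t)(semi - dn) >= DN_MAX) return -1;
        char *end;
        long opts = strtol(semi + 1, &end, 10);
        if (end == semi + 1 || *end != ']' || opts < 0 || n >= max) return -1;
        memcpy(out[n].dn, dn, (size_t)(semi - dn));
        out[n].dn[semi - dn] = '\0';
        out[n].options = (int)opts;
        n++;
        p = end + 1;
    }
    return n;
}

/* Application order inside one SOM (assumption from [MS-GPOL]): links are
 * listed by precedence, first link = link order 1 = highest precedence, and
 * the GPO applied last wins. So non-enforced links are applied in reverse
 * attribute order, then enforced links, again in reverse order; disabled
 * links are skipped. Fills out[] with pointers into links[]; returns count. */
int som_apply_order(const struct gp_link *links, int n, const char **out, int max)
{
    int k = 0;
    for (int pass = 0; pass < 2; pass++) {          /* 0: non-enforced, 1: enforced */
        for (int i = n - 1; i >= 0; i--) {
            bool enforced = (links[i].options & GPLINK_ENFORCED) != 0;
            if ((links[i].options & GPLINK_DISABLED) || enforced != (pass == 1)) continue;
            if (k >= max) return -1;
            out[k++] = links[i].dn;
        }
    }
    return k;
}

/* Constructed OU gPLink: A (link order 1), B (disabled), C (enforced), D. */
static const char *const SAMPLE_GPLINK =
    "[LDAP://cn={AAAAAAAA-0000-0000-0000-000000000001},cn=policies,cn=system,DC=ad,DC=example,DC=com;0]"
    "[LDAP://cn={BBBBBBBB-0000-0000-0000-000000000002},cn=policies,cn=system,DC=ad,DC=example,DC=com;1]"
    "[LDAP://cn={CCCCCCCC-0000-0000-0000-000000000003},cn=policies,cn=system,DC=ad,DC=example,DC=com;2]"
    "[LDAP://cn={DDDDDDDD-0000-0000-0000-000000000004},cn=policies,cn=system,DC=ad,DC=example,DC=com;0]";

int demo_link_count(void)
{
    struct gp_link links[MAX_LINKS];
    return parse_gplink(SAMPLE_GPLINK, links, MAX_LINKS);
}

/* Which GPO is applied at position i, identified by the first GUID letter. */
char demo_applied_at(int i)
{
    struct gp_link links[MAX_LINKS];
    const char *order[MAX_LINKS];
    int n = parse_gplink(SAMPLE_GPLINK, links, MAX_LINKS);
    int k = som_apply_order(links, n, order, MAX_LINKS);
    return (i >= 0 && i < k) ? order[i][4] : '?';     /* "cn={X..." -> X */
}

bool demo_rejects_malformed(void)
{
    struct gp_link links[MAX_LINKS];
    return parse_gplink("[LDAP://cn=x,dc=example;zz]", links, MAX_LINKS) == -1
        && parse_gplink("LDAP://cn=x,dc=example;0]", links, MAX_LINKS) == -1;
}

int main(void)
{
    printf("%d links; applied in order: %c %c %c\n", demo_link_count(),
           demo_applied_at(0), demo_applied_at(1), demo_applied_at(2));
    return 0;
}
```

Applied to the sample value this yields D, then A, then C: A (link order 1) overrides D on conflicts because it is applied later, and the enforced C is applied last of all. Getting the direction wrong, which is what the commit fixes, would silently let the lowest-precedence GPO in the OU win, so a deployment that relies on GPO based access control should verify the order against gpresult on a Windows client after such a change.

- - - - -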
8ca799ea by Sumit Bose at 2020-06-05T11:17:19+02:00
sysdb: make sysdb_update_subdomains() more robust

Some NULL checks are added, basically to allow missing values to be
set later.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d3089173 by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: rename ad_master_domain_* to ad_domain_info_*

The ad_master_domain_{send|recv} are not specific to the master domain
so a more generic name seems to be suitable.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9aa26f65 by Sumit Bose at 2020-06-05T11:17:19+02:00
sysdb: make new_subdomain() public

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2bad4d4b by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx

Since the function can be used to get the id ctx of any domain the
'root' is removed from the name.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8c642a54 by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: remove unused trust_type from ad_subdom_store()

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3ae3286d by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: add ad_check_domain_{send|recv}

This new request tries to get the basic domain information, like the domain
SID and the NetBIOS domain name, for a domain given by name. To achieve
this the needed data is added to the general domain structure and the SDAP
domain structure. If the domain data cannot be looked up the data is
removed again.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e25e1e92 by Sumit Bose at 2020-06-05T11:17:19+02:00
ad: check forest root directly if not present on local DC

If the information about the forest root domain cannot be read from the
local domain controller, an attempt is made to read it from a DC of the
forest root directly.

Resolves: https://github.com/SSSD/sssd/issues/5151

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
79e01fc9 by Lukas Slebodnik at 2020-06-05T11:26:31+02:00
python-test.py: Do not use letter similar to numbers

Running pycodestyle currently reports the cases below. E741 is one of a set of
three style checks to avoid ambiguous single-letter names which look like numbers.

./src/tests/python-test.py:54:35: E741 ambiguous variable name 'l'
./src/tests/python-test.py:102:38: E741 ambiguous variable name 'l'

https://pycodestyle.pycqa.org/en/latest/intro.html#error-codes

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4c4b62b4 by Lukas Slebodnik at 2020-06-05T11:26:36+02:00
INTG: Do not use letter similar to numbers in python code

Running pycodestyle currently reports the cases below. E741 is one of a set of
three style checks to avoid ambiguous single-letter names which look like numbers.

./src/tests/intg/krb5utils.py:101:27: E741 ambiguous variable name 'l'
./src/tests/intg/krb5utils.py:116:23: E741 ambiguous variable name 'l'
./src/tests/intg/krb5utils.py:140:28: E741 ambiguous variable name 'l'

https://pycodestyle.pycqa.org/en/latest/intro.html#error-codes

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e58853f9 by Sumit Bose at 2020-06-09T10:40:19+02:00
DEBUG: use new exec_child(_ex) interface in tests

Resolves: https://github.com/SSSD/sssd/issues/4667

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
230a5068 by David Ward at 2020-06-18T12:16:55+02:00
failover: fix documentation of default timeouts

Commit e97ff0adb62c89cfc7e75858b7e592e0303720b0 changed the default
timeouts for the DNS resolver. While it also updated the man pages,
this update did not correctly reflect the new defaults.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
39480618 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CLIENT: fixed few CHECKED_RETURN (CWE-252) warnings

Fixed a few
```
src/sss_client/nfs/sss_nfs_client.c:*: check_return: Calling "sss_strnlen" without checking return value
```
warnings.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
014cbde8 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
NSS: fixed FORWARD_NULL (CWE-476)

Fixed following warning:
```
sssd-2.3.1/src/responder/nss/nsssrv.c:304: assign_zero: Assigning: "supp_gids" = "NULL".
sssd-2.3.1/src/responder/nss/nsssrv.c:351: var_deref_op: Dereferencing null pointer "supp_gids".
 #  349|
 #  350|       for (int i = 0; i < size; i++) {
 #  351|->         if (supp_gids[i] == nss_ctx->mc_gid) {
 #  352|               DEBUG(SSSDBG_TRACE_FUNC,
 #  353|                     "Already assigned to the SSSD supplementary group\n");
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ee16f392 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
KCM: fixed NO_EFFECT (CWE-398)

Fixed warning:
```
sssd-2.3.1/src/responder/kcm/kcmsrv_ops.c:1359: array_null: Comparing an array to null is not useful: "uuid_list[0] == NULL", since the test will always evaluate as true.
sssd-2.3.1/src/responder/kcm/kcmsrv_ops.c:1359: remediation: Was "uuid_list[0]" formerly declared as a pointer?
 # 1357|       }
 # 1358|
 # 1359|->     if (uuid_list == NULL || uuid_list[0] == NULL) {
 # 1360|           DEBUG(SSSDBG_MINOR_FAILURE, "Nothing to list\n");
 # 1361|           state->op_ret = ERR_NO_MATCHING_CREDS;
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8088b3e3 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
PROXY: suppress CPPCHECK_WARNING (CWE-456)

Suppressed false positive warning:
```
sssd-2.3.1/src/providers/proxy/proxy_child.c:520: error[uninitvar]: Uninitialized variable: id
 #  518|       }
 #  519|
 #  520|->     if (id == 0) {
 #  521|           fprintf(stderr, "\nMissing option, "
 #  522|                           "--id is a mandatory option.\n\n");
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b132fab8 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
MC: fixed CPPCHECK_WARNING

Fixed a few
```
error[comparePointers]: Subtracting pointers that point to different objects
```
warnings.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6701ad96 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CLIENT: fixed CPPCHECK_WARNING (CWE-476)

Fixed warning:
```
sssd-2.3.1/src/sss_client/nss_group.c:95: warning[nullPointer]: Possible null pointer dereference: name
 #   93|       switch (type) {
 #   94|       case GETGR_NAME:
 #   95|->         ret = strcmp(name, sss_nss_getgr_data.id.grname);
 #   96|           if (ret != 0) {
 #   97|               status = NSS_STATUS_NOTFOUND;
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
144e78df by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
util/inotify: fixed CLANG_WARNING

Fixed following warning:
```
sssd-2.3.1/src/util/inotify.c:346:17: warning: Value stored to 'ret' is never read
 #                ret = EOK;
 #                ^     ~~~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0c5711f9 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
util/inotify: fixed bug in inotify event processing

Error was spotted with the help of the following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/util/inotify.c:327:21: warning: Value stored to 'rewatch' is never read
 #                    rewatch = true;
 #                    ^         ~~~~
```

First part of the issue was that EAGAIN returned by the process_dir_event()
didn't trigger snotify_rewatch() (as suggested by the comments).
Fixing this part is already enough to resolve issue #1031 (as it was
reported).

Another part of the issue was that process_file_event() return code wasn't
checked against EAGAIN (again, as suggested by the DEBUG message).
Strictly speaking, I'm not sure if this part is really required or
if processing DIR events would cover all cases, but rebuilding watches
on IN_IGNORED won't hurt.

Resolves: https://github.com/SSSD/sssd/issues/1031

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9c4d662d by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
TOOLS: fixed CLANG_WARNING

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/tools/tools_mc_util.c:255:5: warning: Value stored to 'cmd' is never read
 #    cmd = SSS_CLI_NULL;
 #    ^     ~~~~~~~~~~~~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e525ed6a by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
TOOLS: fixed a couple of CLANG_WARNINGs

Fixed following warnings (false positives):
```
Error: CLANG_WARNING:
sssd-2.3.1/src/tools/sss_override.c:1609:15: warning: 3rd function call argument is an uninitialized value
sssd-2.3.1/src/tools/sss_override.c:1860:15: warning: 3rd function call argument is an uninitialized value
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
14e5c31e by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CLIENT: fixed "Dereference of null pointer" warning

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/sss_client/libwbclient/wbc_sid_sssd.c:152:27: warning: Dereference of null pointer (loaded from variable 'pname')
 #            wbcFreeMemory(*pname);
 #                          ^~~~~~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
464f809e by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
RESPONDER/SUDO: fixed CLANG_WARNING

Fixed following warning (false positive):
```
Error: CLANG_WARNING:
sssd-2.3.1/src/responder/sudo/sudosrv_get_sudorules.c:203:5: warning: Undefined or garbage value returned to caller
 #    return ret;
 #    ^
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
83389697 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
RESPONDER/NSS: fixed few CLANG_WARNINGs

Fixed following warnings:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/responder/nss/nsssrv_mmap_cache.c:910:5: warning: Value stored to 'pos' is never read
sssd-2.3.1/src/responder/nss/nsssrv_mmap_cache.c:771:5: warning: Value stored to 'pos' is never read
sssd-2.3.1/src/responder/nss/nss_protocol.c:191:5: warning: Value stored to 'p' is never read
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
316c850e by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
CACHE_REQ: fixed CLANG_WARNING

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/responder/common/cache_req/cache_req_data.c:49:5: warning: Value stored to 'i' is never read
 #    i = 0;
 #    ^   ~
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
64adcd41 by Alexey Tikhonov at 2020-06-18T12:17:22+02:00
PROVIDERS/LDAP: fixed CLANG_WARNING

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/providers/ldap/sdap_dyndns.c:679:22: warning: The left operand of '!=' is a garbage value
 #    if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6) {
 #                     ^
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ce069954 by Alexey Tikhonov at 2020-06-18T12:17:23+02:00
PROVIDERS/LDAP: fixed CLANG_WARNING

Fixed following warning (false positive):
```
Error: CLANG_WARNING:
sssd-2.3.1/src/providers/ldap/sdap_async_autofs.c:916:15: warning: 5th function call argument is an uninitialized value
 #        ret = save_autofs_entries(state->dom, state->opts,
 #              ^
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5611d242 by Alexey Tikhonov at 2020-06-18T12:17:23+02:00
PROVIDERS/IPA: fixed few CLANG_WARNINGs

Fixed following warnings:
```
Error: CLANG_WARNING:
sssd-2.3.1/src/providers/ipa/ipa_selinux.c:1553:9: warning: Value stored to 'ret' is never read
sssd-2.3.1/src/providers/ipa/ipa_selinux.c:1631:9: warning: Value stored to 'ret' is never read
sssd-2.3.1/src/providers/ipa/ipa_deskprofile_rules_util.c:1041:9: warning: Value stored to 'ret' is never read
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
df632eec by Sumit Bose at 2020-06-18T12:18:52+02:00
ipa: add failover to subdomain override lookups

In the ipa_subdomain_account request failover handling was missing.

Related to https://github.com/SSSD/sssd/issues/5075
      (was https://pagure.io/SSSD/sssd/issue/4114)

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a08d4741 by Pavel Březina at 2020-06-19T11:22:54+02:00
pam_sss: fix missing initializer

Fix the following error introduced by:
3ed254765fc92e9cc9e4c35335818eaf1256e0d6

```
/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c: In function ‘prompt_sc_pin’:
/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:1839:41: error: missing initializer for field ‘next’ of ‘struct cert_auth_info’ [-Werror=missing-field-initializers]
                                         NULL, NULL, NULL, NULL, NULL };
                                         ^~~~
/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:132:28: note: ‘next’ declared here
     struct cert_auth_info *next;

```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a06bf788 by Paweł Poławski at 2020-06-23T10:41:08+02:00
AD: Enforcing GPO rule restriction on user

This fixes a bug related to the ad_gpo_implicit_deny option set to True.
gpo_implicit_deny was checked only for dacl_filtered_gpos,
but not for cse_filtered_gpos.

Resolves:
https://github.com/SSSD/sssd/issues/5181

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f61f972b by Alexey Tikhonov at 2020-06-24T16:11:29+02:00
DEBUG: fixed potential NULL dereference

`rotate_debug_files()`: check `debug_file` is not NULL before
attempt to close it.

Resolves: https://github.com/SSSD/sssd/issues/5217

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4fd05180 by Alexey Tikhonov at 2020-06-24T16:12:42+02:00
TRANSLATIONS: updated translations to include new source file

Some translations were previously missed when some code moved
to a new source file `src/config/SSSDConfig/sssdoptions.py`.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
88e92967 by Alexey Tikhonov at 2020-06-24T16:13:15+02:00
NEGCACHE: skip permanent entries in [users/groups] reset

Files provider calling `sss_ncache_reset_[users/groups]()`
during cache rebuilding was breaking neg-cache prepopulation.

Resolves: https://github.com/SSSD/sssd/issues/1024

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
31e57432 by Sumit Bose at 2020-06-24T16:17:22+02:00
pam_sss: make sure old certificate data is removed before retry

To avoid that certificates which are not available anymore will be shown
in the certificate selection, they must be removed before a new request
to look up the certificates is sent to SSSD's PAM responder.

Resolves: https://github.com/SSSD/sssd/issues/5190

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
66029529 by Alejandro Visiedo at 2020-06-25T14:02:56+02:00
systemtap: Missing a comma

sssd_functions.stp was missing a comma.

Thanks to William Cohen for reporting the issue and the patch to fix it.

https://bugzilla.redhat.com/show_bug.cgi?id=1840194

Resolves: https://github.com/SSSD/sssd/issues/5201

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
48f9b2cb by Alexander Bokovoy at 2020-06-29T12:10:43+02:00
ipa: Do not qualify already qualified users in sudo rules

SSSD normalizes the externalUser attribute value the same way as a normal
sudoUser attribute, which is supposed to be non-fully qualified. This,
however, breaks for trusted AD users/groups because they are already
qualified.

Note that FreeIPA currently doesn't allow to specify AD users and groups
in externalUser attribute but the work to add this is under way and is
pending this fix.

Fixes: https://github.com/SSSD/sssd/issues/5199

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8969c43d by Pavel Březina at 2020-06-29T12:11:11+02:00
files: allow root membership

There are two use cases that do not work with files provider:

1. User has primary GID 0:

This is fine by itself since SSSD does not store this user in cache and it is
handled only by `nss_files`, so the user (`tuser`) is returned correctly. The
problem is when you try to resolve a group that the user is a member of. In this
case the membership is missing from the group (but only if the user was
previously resolved and thus stored in the negative cache).

```
tuser:x:1001:0::/home/tuser:/bin/bash
tuser:x:1001:tuser

// tuser at files is ghost member of the group so it is returned because it is not in negative cache
$ getent group tuser
tuser:x:1001:tuser

// expire memcache
// tuser at files is ghost member but not returned because it is in negative cache
$ id tuser // returned from nss_files
uid=1001(tuser) gid=0(root) groups=0(root),1001(tuser)
[pbrezina /dev/shm/sssd]$ getent group tuser
tuser:x:1001:
```

2. root is member of other group:

The root member is missing from the membership since it was filtered out by
negative cache.

```
tuser:x:1001:root

$ id root
uid=0(root) gid=0(root) groups=0(root),1001(tuser)
[pbrezina /dev/shm/sssd]$ getent group tuser
tuser:x:1001:
```

In the files provider, only the users that we do not want to manage are stored
as ghost members, therefore we can let nss_files handle a group that has ghost
members.

Tests are changed as well to work with this behavior. Users are added when
required and ghosts are expected to return ENOENT.

Resolves:
https://github.com/SSSD/sssd/issues/5170

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ffb9ad13 by Pavel Březina at 2020-06-29T12:12:04+02:00
proxy: use 'x' as default pwfield only for sssd-shadowutils target

To avoid a regression for the case where files is used for proxy but authentication
is handled by another module than pam_unix, e.g. auth_provider = krb.

This provides different solution to the ticket and improves the documentation.

Resolves:
https://github.com/SSSD/sssd/issues/5129

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
317fce0b by Timo Aaltonen at 2020-07-01T09:35:57+03:00
Merge branch 'upstream'

- - - - -
d796644b by Timo Aaltonen at 2020-07-01T09:46:24+03:00
bump the version

- - - - -
7265c881 by Timo Aaltonen at 2020-07-01T09:48:19+03:00
rules: Use journald for logging. (Closes: #960673)

- - - - -
92a76458 by Timo Aaltonen at 2020-07-01T09:51:07+03:00
rules: Use /run for pid-path.

- - - - -
a7d42467 by Timo Aaltonen at 2020-07-01T10:27:35+03:00
sssd-common.sssd.default: Add DEBUG_LOGGER but commented out.

- - - - -
a596fcfa by Timo Aaltonen at 2020-07-01T18:02:59+03:00
watch: Update url to github.

- - - - -
088ed832 by Timo Aaltonen at 2020-07-01T18:03:35+03:00
Add signing-key from Pavel Březina.

- - - - -
100839b6 by Sumit Bose at 2020-07-02T10:15:03+02:00
PAM: do not treat error for cache-only lookups as fatal

The original fatal error came from a time where at this place in the
code the response from the backend was checked and an error was clearly
fatal.

Now we only check if the entry is in the cache and valid. An error would
mean that the backend is called to look up or refresh the entry. So the
backend can change the state of the cache and make upcoming cache
lookups successful. So it makes sense to not only call the backend if
ENOENT is returned but for all kinds of errors.

Resolves https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
fdd53777 by Timo Aaltonen at 2020-07-02T17:20:55+03:00
fix-946847.diff, fix-python3.8-ftbfs.diff: Dropped, upstream.

- - - - -
9eac9142 by Timo Aaltonen at 2020-07-07T10:01:18+03:00
control: Use debhelper-compat.

- - - - -
ceebe02e by ikerexxe at 2020-07-07T11:23:16+02:00
db/sysdb.c: remove unused variable

The variable was set with a value that was never read afterwards:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/db/sysdb.c:2109:9: warning: Value stored to 'ret' is never read
 #        ret = EIO;
 #        ^     ~~~
sssd-2.3.0/src/db/sysdb.c:2109:9: note: Value stored to 'ret' is never read
 #        ret = EIO;
 #        ^     ~~~
 # 2107|           return true;
 # 2108|       } else if (res->count != 1) {
 # 2109|->         ret = EIO;
 # 2110|           goto done;
 # 2111|       }
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
f28eedc1 by Pavel Březina at 2020-07-09T10:11:48+02:00
monitor: log to syslog when service fails to start

Resolves:
https://github.com/SSSD/sssd/issues/3728

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
39e50096 by Alexey Tikhonov at 2020-07-09T10:15:01+02:00
NSS: fixed UNINIT (CWE-457)

Fixed following warning:
```
Error: UNINIT (CWE-457):
sssd-2.3.1/src/responder/nss/nss_protocol_grent.c:130: var_decl: Declaring variable "num_members" without initializer.
sssd-2.3.1/src/responder/nss/nss_protocol_grent.c:206: uninit_use: Using uninitialized value "num_members".
 #  204|
 #  205|   done:
 #  206|->     *_num_members = num_members;
 #  207|       talloc_free(tmp_ctx);
 #  208|
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
f4f7bfee by Timo Aaltonen at 2020-07-13T11:25:29+03:00
control, rules: Build with openssl.

- - - - -
a26fb7b0 by Timo Aaltonen at 2020-07-13T11:34:55+03:00
rules: Disable tests until a failing pam upn test is sorted out.

- - - - -
233ae522 by Timo Aaltonen at 2020-07-13T11:35:31+03:00
control: Drop quilt from build-depends.

- - - - -
4265ea2c by Timo Aaltonen at 2020-07-13T11:37:31+03:00
releasing package sssd version 2.3.0-1

- - - - -
ca9af8f0 by Timo Aaltonen at 2020-07-13T15:49:18+03:00
rules: Drop quilt, autoreconf from dh.

- - - - -
46a6afcc by Timo Aaltonen at 2020-07-13T15:49:27+03:00
releasing package sssd version 2.3.0-2

- - - - -
cea0db2d by Pavel Březina at 2020-07-14T09:58:56+02:00
po: fix sv translation

This made sssd.conf translation truncated in the middle.

Resolves:
https://github.com/SSSD/sssd/issues/5186

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
437778b5 by ikerexxe at 2020-07-14T09:59:29+02:00
data_provider/dp_target_id: remove store statement from a never read variable

The same variable was set twice to a value that was never read:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:197:9: warning:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:197:9: note:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
 #  195|           DEBUG(SSSDBG_CRIT_FAILURE,
 #  196|                 "Failed creating temporary talloc context\n");
 #  197|->         ret = ENOMEM;
 #  198|           goto done;
 #  199|       }

Error: CLANG_WARNING:
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:308:9: warning:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
sssd-2.3.0/src/providers/data_provider/dp_target_id.c:308:9: note:
Value stored to 'ret' is never read
 #        ret = ENOMEM;
 #        ^     ~~~~~~
 #  306|           DEBUG(SSSDBG_CRIT_FAILURE,
 #  307|                 "Failed creating attributes\n");
 #  308|->         ret = ENOMEM;
 #  309|           goto done;
 #  310|       }
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
54b1c19b by ikerexxe at 2020-07-14T09:59:29+02:00
p11_child/p11_child_common: remove store statement from a never read variable

A new value was stored in a variable that was never read afterwards:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/p11_child/p11_child_common.c:348:9: warning: Value stored
to 'ret' is never read
 #        ret = EINVAL;
 #        ^     ~~~~~~
sssd-2.3.0/src/p11_child/p11_child_common.c:348:9: note: Value stored to
'ret' is never read
 #        ret = EINVAL;
 #        ^     ~~~~~~
 #  346|                 "--module_name, --token_name and --key_id must be given for "
 #  347|                 "authentication");
 #  348|->         ret = EINVAL;
 #  349|           goto fail;
 #  350|       }
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0cebd0f9 by ikerexxe at 2020-07-14T09:59:29+02:00
autofs_test_client and sss_tools: remove store statements from never read variables

New values were stored in two variables that were never read afterwards:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/sss_client/autofs/autofs_test_client.c:59:13: warning:
Although the value stored to 'ret' is used in the enclosing expression,
the value is never actually read from 'ret'
 #    while ((ret = poptGetNextOpt(pc)) > 0)
 #            ^     ~~~~~~~~~~~~~~~~~~
sssd-2.3.0/src/sss_client/autofs/autofs_test_client.c:59:13: note:
Although the value stored to 'ret' is used in the enclosing expression,
the value is never actually read from 'ret'
 #    while ((ret = poptGetNextOpt(pc)) > 0)
 #            ^     ~~~~~~~~~~~~~~~~~~
 #   57|       poptSetOtherOptionHelp(pc, "MAPNAME");
 #   58|
 #   59|->     while ((ret = poptGetNextOpt(pc)) > 0)
 #   60|           ;
 #   61|

Error: CLANG_WARNING:
sssd-2.3.0/src/tools/common/sss_tools.c:73:13: warning: Although the
value stored to 'opt' is used in the enclosing expression, the value is
never actually read from 'opt'
 #    while ((opt = poptGetNextOpt(pc)) != -1) {
 #            ^     ~~~~~~~~~~~~~~~~~~
sssd-2.3.0/src/tools/common/sss_tools.c:73:13: note: Although the value
stored to 'opt' is used in the enclosing expression, the value is never
actually read from 'opt'
 #    while ((opt = poptGetNextOpt(pc)) != -1) {
 #            ^     ~~~~~~~~~~~~~~~~~~
 #   71|
 #   72|       pc = poptGetContext(argv[0], orig_argc, argv, options, 0);
 #   73|->     while ((opt = poptGetNextOpt(pc)) != -1) {
 #   74|           /* do nothing */
 #   75|       }
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ff8d7b8f by Alejandro Visiedo at 2020-07-14T10:00:02+02:00
config: [RFE] Add "enabled" option to domain section

A new attribute is appended to [domain/*] sections so that
a domain can be enabled/disabled by domain section and, by
extension, by configuration file if each domain is divided
into separate files.

This attribute overrides the list of domains at the [sssd]
section; the new **enabled** attribute overrides
the values of the list. If no **enabled** attribute is
found for a domain section, the domain list criteria is
used to enable/disable a domain.

Resolves: https://github.com/SSSD/sssd/issues/4743

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2d90e642 by Alexey Tikhonov at 2020-07-14T10:03:16+02:00
mem-cache: sizes of free and data tables were made consistent

Since the size of the "free table" didn't account for the SSS_AVG_*_PAYLOAD factor,
only a small fraction of the "data table" was actually used.
The SSS_AVG_*_PAYLOAD differentiation for different payload types only
affected the size of the hash table and was removed as unjustified.

Resolves:
https://github.com/SSSD/sssd/issues/5115

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
80e7163b by Michal Židek at 2020-07-14T10:03:30+02:00
NSS: make memcache size configurable

Added options to configure memcache size:
memcache_size_passwd
memcache_size_group
memcache_size_initgroups

Related:
https://github.com/SSSD/sssd/issues/4578

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e12340e7 by Alexey Tikhonov at 2020-07-14T10:03:34+02:00
NSS: avoid excessive log messages

 - do not log error message if mem-cache was disabled explicitly
 - increase message severity in case of fail to store entry in mem-cache

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
be8052bb by Alexey Tikhonov at 2020-07-14T10:03:36+02:00
NSS: enhanced debug during mem-cache initialization

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2ad4aa8f by Alexey Tikhonov at 2020-07-14T10:03:39+02:00
mem-cache: added log message in case cache is full

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b7f31936 by Alexey Tikhonov at 2020-07-14T10:03:42+02:00
NSS: make memcache size configurable in megabytes

Memcache size was made configurable in megabytes and not in slots
to hide internal implementation from users.

Relates: https://github.com/SSSD/sssd/issues/5115

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b96b05bc by Alexey Tikhonov at 2020-07-14T10:03:45+02:00
mem-cache: comment added

Added comment explaining usage of `mcc->next_slot`

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
484507bf by Alexey Tikhonov at 2020-07-14T10:03:48+02:00
mem-cache: always cleanup old content

(Try to) cleanup old files even if currently mem-cache is disabled.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
72b8e02c by Tomas Halman at 2020-07-20T11:12:58+02:00
sssctl: sssctl config-check alternative snippet dir

The sssctl config-check now allows to specify not only alternative
config file but also snippet dir.

    sssctl config-check -c ./sssd.conf -s /etc/sssd/conf.d

Configuration snippets are still looked up in the same place under
conf.d directory by default. It would be in ./conf.d/ for the example
above.

Resolves:
https://github.com/SSSD/sssd/issues/5142

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
0609d0f7 by Pavel Březina at 2020-07-20T11:14:06+02:00
sss_ssh_knownhostsproxy: print error when unable to connect

This was partially fixed by:
9a7b04690e30fc57dce45c82b918b8d95b978df1

Now we print error also when we are unable to open the socket.

How to test:
```
$ ssh -oProxyCommand="/usr/bin/sss_ssh_knownhostsproxy -p 22 nonexistenthost" -oGlobalKnownHostsFile=/var/lib/sss/pubconf/known_hosts nonexistenthost
$ ssh -oProxyCommand="/usr/bin/sss_ssh_knownhostsproxy -p 22 localhost" -oGlobalKnownHostsFile=/var/lib/sss/pubconf/known_hosts localhost
```

(assuming `localhost` does not run ssh server)

Resolves:
https://github.com/SSSD/sssd/issues/5236

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3be349b9 by Pavel Březina at 2020-07-20T11:14:06+02:00
sss_ssh_knownhostsproxy: print error when unable to proxy data

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5d9e2328 by ikerexxe at 2020-07-21T13:09:45+02:00
responder/common/responder_packet: get packet length only once

Packet length variable was read and then read again without using the
previously read value. So, I have refactored the code a little bit to
read the value once and use it everywhere else. Moreover, I have
implemented some improvements in sss_packet_recv() function pointed by
Alexey.

Coverity errors:
```
Error: CLANG_WARNING:
sssd-2.3.0/src/responder/common/responder_packet.c:217:21: warning:
Although the value stored to 'new_len' is used in the enclosing
expression, the value is never actually read from 'new_len'
 #                && (new_len = sss_packet_get_len(packet))
 #                    ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~
sssd-2.3.0/src/responder/common/responder_packet.c:217:21: note:
Although the value stored to 'new_len' is used in the enclosing
expression, the value is never actually read from 'new_len'
 #                && (new_len = sss_packet_get_len(packet))
 #                    ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~
 #  215|                       || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
 #  216|                   && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
 #  217|->                 && (new_len = sss_packet_get_len(packet))
 #  218|                                      < SSS_CERT_PACKET_MAX_RECV_SIZE) {
 #  219|               new_len = sss_packet_get_len(packet);
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b9205026 by ikerexxe at 2020-07-21T13:18:41+02:00
Test: Add users_by_filter_multiple_domains_valid

Test users_by_filter_multiple_domains_valid was removed in [1] because
it was failing. Apparently, the failure was related with a filter that caused
only users added after the request was started to be returned. When adding
back the test I haven't found that problem, but another one related with memory
handling in the test itself.

The failure was related with a filter, added when
calling cache_req_group_fy_filter_send(), that causes that only users
added after the request started are returned.

This commit adds back the test after fixing several problems related
with memory handling in the test itself.

Explanation of the test:
Given two users are present
When the users are searched by filtering domains
Then the two users are returned correctly.

Resolves:
https://github.com/SSSD/sssd/issues/3920

Links:
[1] https://github.com/SSSD/sssd/commit/bdf422fde0fd6b40b3412bad3b200f8fd7ea8693

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
0cd3f5c0 by ikerexxe at 2020-07-21T13:18:41+02:00
Test: Add groups_by_filter_multiple_domains_valid

Test groups_by_filter_multiple_domains_valid was removed in [1] because
it was failing. Apparently, the failure was related with a filter that caused
only groups added after the request was started to be returned. When adding
back the test I haven't found that problem, but another one related with memory
handling in the test itself.

This commit adds back the test after fixing several problems related
with memory handling in the test itself.

Explanation of the test:
Given two groups are present
When the groups are searched by filtering domains
Then the two groups are returned correctly.

Resolves:
https://github.com/SSSD/sssd/issues/3920

Links:
[1] https://github.com/SSSD/sssd/commit/bdf422fde0fd6b40b3412bad3b200f8fd7ea8693

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
41a60c62 by Sumit Bose at 2020-07-23T13:42:47+02:00
libwbclient-sssd: deprecate libwbclient-sssd

Recent versions of Samba require that winbindd is running to handle the
communication with AD. SSSD's implementation of libwbclient cannot be
used anymore in this case and should be deprecated so that the related
code can be removed in a later version.

With this patch libwbclient will not be built by default anymore and the
configure help message indicates that libwbclient is deprecated.

Resolves: https://github.com/SSSD/sssd/issues/5230

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a2b9a844 by Sumit Bose at 2020-07-24T12:33:36+02:00
certmap: sanitize LDAP search filter

The sss_certmap_get_search_filter() will now sanitize the values read
from the certificates before adding them to a search filter. To be able
to get the plain values as well sss_certmap_expand_mapping_rule() is
added.

Resolves:
https://github.com/SSSD/sssd/issues/5135

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
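
An added example of the sanitization the commit above describes; it is not SSSD's own sss_certmap code. It escapes a value taken from a certificate according to RFC 4515 before placing it into an LDAP search filter, so that filter metacharacters inside a certificate field cannot change the filter's structure. The attribute name and the sample values are constructed for the example.

```c
/*
 * Added example, not SSSD's sss_certmap implementation: RFC 4515 escaping of
 * certificate-derived values before they are embedded in an LDAP filter.
 * RFC 4515 requires '*', '(', ')', '\' and NUL inside an assertion value to
 * be written as a backslash followed by two hex digits ("\2a" for '*').
 * Without this, a value such as "x*)(uid=*" would be parsed as extra filter
 * components instead of as the literal string that appeared in the certificate.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated, RFC 4515-escaped copy of `value`, or NULL on OOM.
 * NUL cannot occur inside a C string, so only the four printable
 * metacharacters need handling here. */
char *ldap_filter_escape(const char *value)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(value);
    /* Worst case: every byte becomes three bytes ("\XX"). */
    char *out = malloc(len * 3 + 1);
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            *p++ = '\\';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Build "(<attribute>=<escaped value>)" as a new string, or NULL on OOM.
 * `attribute` is trusted configuration (a mapping rule), `value` is not. */
char *build_cert_filter(const char *attribute, const char *value)
{
    char *escaped = ldap_filter_escape(value);
    if (escaped == NULL) {
        return NULL;
    }
    size_t n = strlen(attribute) + strlen(escaped) + 4; /* ( = ) NUL */
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, "(%s=%s)", attribute, escaped);
    }
    free(escaped);
    return filter;
}

int main(void)
{
    /* Constructed sample values: one ordinary principal name from a
     * certificate subject, one containing filter metacharacters. */
    const char *samples[] = { "alice@EXAMPLE.TEST", "x*)(uid=*" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *filter = build_cert_filter("userPrincipalName", samples[i]);
        if (filter == NULL) {
            return 1;
        }
        printf("%-22s -> %s\n", samples[i], filter);
        free(filter);
    }
    return 0;
}
```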

- - - - -
3e7633bf by Alexey Tikhonov at 2020-07-24T13:29:35+02:00
Updated translation files: Japanese, Chinese (China), French

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d999cbf4 by Pavel Březina at 2020-07-24T13:29:36+02:00
Update the translations for the 2.3.1 release

- - - - -
7e004b7c by Pavel Březina at 2020-07-24T13:29:36+02:00
tests: discard const in test_confdb_get_enabled_domain_list

```
../../src/tests/cmocka/confdb/test_confdb.c:247:51: error: passing argument 2 of ‘string_in_list’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  247 |         assert_true(string_in_list(result[index], expected_enabled_domain_list, false));
      |                                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                                                   |
      |                                                   const char **
```

- - - - -
bb48af24 by Pavel Březina at 2020-07-27T11:21:58+02:00
Update version in version.m4 to track the next release

- - - - -
b84f44d9 by Timo Aaltonen at 2020-07-28T12:42:54+03:00
Merge branch 'upstream'

- - - - -
bb7d80d2 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
DLOPEN-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
7e44cfd9 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
SYSDB-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

e.g.
src/tests/sysdb-tests.c:6622:5: error: too few arguments to function ‘_ck_assert_failed’
 6622 |     fail_if(ret != EOK);

- - - - -
a0945dca by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
SYSDB-TESTS: Fix format string

- - - - -
bae2b416 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
STRTONUM-TESTS: Fix format string issues

- - - - -
4954da70 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
RESOLV-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
dc598c53 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
KRB5-UTILS-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
d46b44f3 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
KRB5-UTILS-TESTS: Fix format string issues

- - - - -
692f6b7e by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
CHECK-AND-OPEN-TESTS: Fix format string issues

- - - - -
0b89f511 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
REFCOUNT-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
1bb42381 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
FAIL-OVER-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
a933f60e by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
FAIL-OVER-TESTS: Fix format string issues

- - - - -
6c5374f9 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
AUTH-TESTS: Fix format string issues

- - - - -
e2dc5c3b by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
IPA-LDAP-OPT-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
0c20b4bd by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
CRYPTO-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
2e270367 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
UTIL-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros
* convert assertions to different macros

- - - - -
2cb15855 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
UTIL-TESTS: Fix format string issues

- - - - -
da64aea7 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
IPA-HBAC-TESTS: Fix error too few arguments to function ‘_ck_assert_failed’

* add missing messages to fail_{if,unless} macros

- - - - -
cc896210 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
SSS-IDMAP-TESTS: Fix format string issues

- - - - -
c445d169 by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
RESPONDER-SOCKET-ACCESS-TESTS: Fix format string issues

- - - - -
d47e442d by Lukas Slebodnik at 2020-07-28T12:28:54+02:00
DEBUG-TESTS: Fix warnings format not a string literal and no format arguments

e.g.
src/tests/resolv-tests.c: In function ‘test_timeout’:
src/tests/resolv-tests.c:942:5: error: format not a string literal and no format arguments [-Werror=format-security]
  942 |     ck_leaks_pop(tmp_ctx);
      |

src/tests/debug-tests.c:413:9: error: format not a string literal and no format arguments [-Werror=format-security]
  413 |         fail_if(result == DEBUG_TEST_NOK_TS, msg);
      |         ^~~~~~~

src/tests/debug-tests.c: In function ‘test_debug_is_notset_timestamp_microseconds_fn’:
src/tests/debug-tests.c:603:13: error: format not a string literal and no format arguments [-Werror=format-security]
  603 |             fail(error_msg);
      |

src/tests/debug-tests.c: In function ‘test_debug_is_set_false_fn’:
src/tests/debug-tests.c:671:9: error: format not a string literal and no format arguments [-Werror=format-security]
  671 |         fail_unless(result == 0, msg);
      |
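
The reason the compiler rejects fail(msg) and fail_unless(cond, msg) in the test commits above is that the message itself becomes the printf-style format string. The following is an added example, not SSSD or check-framework code: report_failure() is a constructed stand-in for a printf-like sink such as _ck_assert_failed(), and the two callers show the flagged usage and the "%s" fix applied across the tests.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a printf-style failure sink (assumption:
 * real fail()/fail_if() forward to a function shaped like this). */
static int report_failure(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The flagged pattern: the message is used as the format string, so any
 * '%' sequence in it is interpreted. A message containing conversions such
 * as "%s" would make the sink read arguments that were never passed; a
 * harmless "%%" is enough to show that the text is mangled. */
static int report_unsafe(char *out, size_t outlen, const char *msg)
{
    return report_failure(out, outlen, msg);
}

/* The fix: a literal format, with the message passed as data. */
static int report_safe(char *out, size_t outlen, const char *msg)
{
    return report_failure(out, outlen, "%s", msg);
}

/* Returns 1 if pushing `msg` through the unsafe path changes its text. */
static int message_is_mangled(const char *msg)
{
    char unsafe_buf[128];
    char safe_buf[128];

    report_unsafe(unsafe_buf, sizeof(unsafe_buf), msg);
    report_safe(safe_buf, sizeof(safe_buf), msg);
    return strcmp(unsafe_buf, safe_buf) != 0;
}

int main(void)
{
    /* Constructed sample message containing a literal percent sign. */
    const char *msg = "progress 100%% done";
    char buf[128];

    report_unsafe(buf, sizeof(buf), msg);
    printf("unsafe: %s\n", buf);
    report_safe(buf, sizeof(buf), msg);
    printf("safe:   %s\n", buf);
    return 0;
}
```

Building with -Werror=format-security, as the commits above do, turns the report_unsafe() shape into a compile error wherever the callee is declared printf-like, which is why the fix had to touch every fail_{if,unless} call site rather than a single helper.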

- - - - -
3914cc13 by Timo Aaltonen at 2020-07-28T13:36:31+03:00
bump the version

- - - - -
6cc40390 by Timo Aaltonen at 2020-07-28T16:20:27+03:00
source: Extend diff-ignore.

- - - - -
33fe1026 by Timo Aaltonen at 2020-07-28T16:49:46+03:00
rules: Set --with-libwbclient.

- - - - -
4cee69bb by Timo Aaltonen at 2020-07-28T16:50:14+03:00
control: Add libsofthsm2 to build-depends for tests.

- - - - -
3ce864a6 by Timo Aaltonen at 2020-07-28T17:15:05+03:00
releasing package sssd version 2.3.1-1

- - - - -
3bb91050 by ikerexxe at 2020-08-20T11:45:43+02:00
man: clarify AD certificate rule

Clarify AD specific certificate rule example by changing userPrincipal to
userPrincipalName. Moreover, match the subject principal name in the
example with the rule name.

Resolves:
https://github.com/SSSD/sssd/issues/5278

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4526858a by ikerexxe at 2020-08-20T11:46:32+02:00
config: allow prompting options in configuration

False warnings were logged after enabling prompting options in
configuration file. This change modifies the configuration rules to
allow prompting options.

Resolves:
https://github.com/SSSD/sssd/issues/5259

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ad1dfa3 by Alexey Tikhonov at 2020-08-20T11:53:07+02:00
Got rid of unused Transifex settings (".tx")

Relates:
https://github.com/SSSD/sssd/issues/5097

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
70898d98 by Alexey Tikhonov at 2020-08-20T11:53:07+02:00
Got rid of "zanata.xml" due to migration to Weblate.

Relates:
https://github.com/SSSD/sssd/issues/5097

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
10366b4e by Alexey Tikhonov at 2020-08-21T10:49:43+02:00
p11_child: switch default ocsp_dgst to sha1

For details please see discussion at
https://github.com/SSSD/sssd/pull/837#issuecomment-672831519

:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1

Resolves:
https://github.com/SSSD/sssd/issues/5002

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
00ae18dc by Justin Stephenson at 2020-08-24T11:13:35+02:00
KCM: Increase client idle timeout to 5 minutes

Increase the default timeout to allow time for
user interaction on the command-line with kinit.

Resolves:
https://github.com/SSSD/sssd/issues/4829

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a4af77e0 by Justin Stephenson at 2020-08-24T11:15:33+02:00
CONFIG: Add SR exclude_users exclude_groups options

Add options to allow explicitly excluding users and groups from
enforcing session recording. These options are recognized only
when the SR configuration defines 'scope=all'.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0049ec85 by Justin Stephenson at 2020-08-24T11:15:43+02:00
UTIL: Add support for SR exclude_users exclude_groups

Read the exclude_* option values to be applied elsewhere when
'scope=all'.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
38df7a3b by Justin Stephenson at 2020-08-24T11:15:46+02:00
NSS: Rely on sessionRecording attribute

Don't force the tlog-rec-session shell when 'scope=all' is set,
instead read the sessionRecording attribute allowing
exclude_* options to work properly.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3a3be1cb by Justin Stephenson at 2020-08-24T11:15:49+02:00
PAM: Rely on sessionRecording attribute

Don't force the tlog-rec-session shell when 'scope=all' is set,
instead read the sessionRecording attribute allowing
exclude_* options to work properly.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c51a9f6b by Justin Stephenson at 2020-08-24T11:15:52+02:00
DP: Support SR excludes in initgroups postprocessing

When 'scope=all' is configured, set the user sessionRecording attribute
to false if a match is found with 'exclude_users' and 'exclude_groups'
values, and true otherwise, when no exclude match is found.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
19602d9a by Justin Stephenson at 2020-08-24T11:15:54+02:00
CACHE_REQ: Support SR exclude options

When 'scope=all' is configured, set the user sessionRecording
attribute to false if a match is found with 'exclude_users' and
'exclude_groups' values, and true otherwise, when no exclude match is found.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d947ac7a by Justin Stephenson at 2020-08-24T11:15:57+02:00
INTG: Add session recording exclude tests

Add basic tests for exclude_users and exclude_groups options.

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
733cafd7 by Justin Stephenson at 2020-08-24T11:16:00+02:00
MAN: Add SR exclude_users and exclude_groups options

Resolves:
https://github.com/SSSD/sssd/issues/5089

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2b73285e by Jonatan Pålsson at 2020-08-27T14:03:31+02:00
build: Don't use AC_CHECK_FILE when building manpages

AC_CHECK_FILE does not support cross-compilation, and will only check
the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead,
to allow building manpages when cross-compiling.

Signed-off-by: Jonatan Pålsson <jonatan.p at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
266ecc08 by Alexey Tikhonov at 2020-08-27T14:05:09+02:00
Drop support of libnss as a crypto backend

Resolves: https://github.com/SSSD/sssd/issues/1041

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a2911482 by Alexey Tikhonov at 2020-08-27T14:05:09+02:00
Get rid of "NSS DB" references.

Resolves: https://github.com/SSSD/sssd/issues/1041

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
20787da9 by Steeve Goveas at 2020-09-01T11:35:09+02:00
use prerelease option in make srpm script

With the --prerelease option enabled the make_srpm.sh script can set a different
version each time a copr build is created. It adds the date, time and git
commit hash to the build version,
e.g.
2.3.2-0.20200826.1356.gitdb1049057.fc31

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2f4140fa by Anuj Borah at 2020-09-01T11:36:21+02:00
libdirsrv should be modified to be compatible with new DS

Directory Server 1.4.x

As DS is going to get rid of the setup-ds.pl file completely, we need to change the same on our side too.

Reviewed-by: Niranjan Mallapadi <mrniranjan at redhat.com>

- - - - -
f4322cd9 by Niranjan M.R at 2020-09-03T13:07:36+02:00
pytest/testlib: Execute pk12util command to create ca.p12

Execute the pk12util command to create the ca.p12 file.
Minor fix: the return variable should be outside the for loop scope.

Signed-off-by: Niranjan M.R <mrniranjan at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
39c564be by Steeve Goveas at 2020-09-03T13:07:54+02:00
Add seconds in copr version

Add seconds to distinguish builds that are triggered in the same minute.
Shorten the year by using only the last 2 digits.

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
69e1f5fe by Sumit Bose at 2020-09-03T13:08:12+02:00
GPO: respect ad_gpo_implicit_deny when evaluating rules

Currently, if ad_gpo_implicit_deny is set to 'True', access is rejected
if no GPOs apply to the host, since in this case there are obviously no
allow rules available.

But according to the man page we have to be more strict "When this
option is set to True users will be allowed access only when explicitly
allowed by a GPO rule". So if GPOs apply and no allow rules are present
we have to reject access as well.

Resolves: https://github.com/SSSD/sssd/issues/5061

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
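
The decision the commit above tightens, as an added example that is not SSSD code: a constructed model of the GPO access verdict in which the struct fields, function names and the before/after split are assumptions derived from the commit text, not the real ad_gpo evaluation code. It shows why "no GPO applies" and "GPOs apply but none allows this user" must end in the same fail-closed branch when ad_gpo_implicit_deny is set.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum gpo_verdict { GPO_DENY = 0, GPO_ALLOW = 1 };

/* Constructed inputs of one access check (assumption, not SSSD's types). */
struct gpo_eval {
    bool implicit_deny;     /* value of the ad_gpo_implicit_deny option */
    size_t gpo_count;       /* number of GPOs that apply to this host */
    bool explicit_deny;     /* a deny rule in an applying GPO matches the user */
    bool explicit_allow;    /* an allow rule in an applying GPO matches the user */
};

/* After the fix: a single fail-closed path for every case without an
 * explicit allow, whether no GPO applies at all or GPOs apply but carry
 * no allow rule for this user. */
static enum gpo_verdict gpo_decide(const struct gpo_eval *e)
{
    if (e->gpo_count > 0 && e->explicit_deny) {
        return GPO_DENY;            /* an explicit deny always wins */
    }
    if (e->gpo_count > 0 && e->explicit_allow) {
        return GPO_ALLOW;           /* explicitly allowed by a GPO rule */
    }
    return e->implicit_deny ? GPO_DENY : GPO_ALLOW;
}

/* Before the fix, as the commit describes it: implicit_deny was only
 * honoured when no GPO applied; with GPOs applied and no allow rule
 * matching the user, access was still granted. */
static enum gpo_verdict gpo_decide_before_fix(const struct gpo_eval *e)
{
    if (e->gpo_count == 0) {
        return e->implicit_deny ? GPO_DENY : GPO_ALLOW;
    }
    if (e->explicit_deny) {
        return GPO_DENY;
    }
    return GPO_ALLOW;               /* with or without an allow rule */
}

int main(void)
{
    /* Constructed scenario: implicit deny on, two GPOs apply, no rule matches. */
    struct gpo_eval e = { .implicit_deny = true, .gpo_count = 2 };

    printf("before fix: %s, after fix: %s\n",
           gpo_decide_before_fix(&e) == GPO_ALLOW ? "allow" : "deny",
           gpo_decide(&e) == GPO_ALLOW ? "allow" : "deny");
    return 0;
}
```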

- - - - -
d79f5933 by Pavel Březina at 2020-09-03T13:08:45+02:00
gpo: remove unused variable domain_dn

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a0792b32 by Pavel Březina at 2020-09-03T13:08:45+02:00
gpo: use correct base dn

Domain name in SSSD configuration does not have to be the same
as the AD domain. GPO did not work in this case.

Steps to reproduce:
1. Join SSSD to an AD domain (ad.vm)
2. Create GPO that is applicable to the host/user
3. Name the SSSD domain differently ([domain/AD])
4. Try to authenticate as AD user

Resolves:
https://github.com/SSSD/sssd/issues/4840

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b50521e4 by Sumit Bose at 2020-09-03T13:09:12+02:00
cache_req: allow restricting the domains an object is searched in

With the new call cache_req_data_set_requested_domains() a
NULL-terminated list of domain names can be added to cache_req so
that the object is only searched in the listed domains. If the list only
contains unknown domains the cache_req will return with an error.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6ec94790 by Sumit Bose at 2020-09-03T13:09:12+02:00
tests: add unit-test for cache_req_data_set_requested_domains

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3808c04f by Sumit Bose at 2020-09-03T13:09:12+02:00
pam: use requested_domains to restrict cache_req searches

If the 'domains' option is used with pam_sss.so it is expected that only users
from the given domains are allowed. Currently it is checked after the
user is searched whether the result is from one of those domains.

To speed things up and to allow more flexible setups this patch
restricts the list of domains already in the cache_req. The check after
the search is kept as an additional safe-guard although the cache_req
should now only return users from the given domains or an error.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
db170d0a by Sumit Bose at 2020-09-03T13:09:12+02:00
intg: krb5 auth and pam_sss domains option test

New integration tests for Kerberos authentication and the handling of
the 'domains' option of pam_sss are added. The purpose of the latter
test is to make sure that the 'domains' option is properly evaluated
even if multiple domains with the same user base are configured in
sssd.conf.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
35ab0493 by Sumit Bose at 2020-09-03T13:09:12+02:00
pam_sss: clarify man page entry of domains option

Resolves: https://github.com/SSSD/sssd/issues/3987

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bca41326 by Sumit Bose at 2020-09-04T11:23:33+02:00
krb5: only try pkinit with Smartcard credentials

Currently pkinit is tried if a Smartcard is present. But depending on
the used PAM service and other configurations it might happen that the
user didn't provide the Smartcard PIN but e.g. the password. Hence,
before trying pkinit we should check if the right credentials are
available.

Resolves:
https://github.com/SSSD/sssd/issues/5290

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
83ae3450 by Alexey Tikhonov at 2020-09-04T11:24:26+02:00
CONFDB: fixed compilation warning

Fixed following compilation warning:
```
../src/confdb/confdb.c: In function ‘confdb_get_domains’:
../src/confdb/confdb.c:2499:12: warning: ‘enabled’ may be used uninitialized in this function [-Wmaybe-uninitialized]
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fbc70821 by Alexey Tikhonov at 2020-09-04T11:24:26+02:00
CONFDB: fixed bug in confdb_get_domain_enabled()

In case the CONFDB_DOMAIN_ENABLED option was set to a value other than
"true"/"false", the function would return EOK while leaving `_enabled`
uninitialized.

Resolves:
https://github.com/SSSD/sssd/issues/4743

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5fb22633 by Sumit Bose at 2020-09-14T11:37:44+02:00
ldap: add new option ldap_library_debug_level

With the new option ldap_library_debug_level the debug level for
OpenLDAP's internal debugging can be set. If set the OpenLDAP debug
messages will be written to the logs independent of the general
debug_level.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8274c68c by Andreas Hasenack at 2020-09-15T11:04:58-03:00
sssd-tools should recommend sssd-dbus

sssd-tools ships the sssctl tool, which relies on the infopipe (ifp)
responder for certain commands, and that is shipped in sssd-dbus.

There is no risk of suddenly having sssd-common pull in the whole
dbus stack, because sssd-common only suggests sssd-tools.

- - - - -
cd370c08 by Timo Aaltonen at 2020-09-17T14:15:14+03:00
releasing package sssd version 2.3.1-2

- - - - -
67b3f371 by Alexey Tikhonov at 2020-09-17T14:14:13+02:00
CLIENT:PAM: fixed missed return check

The return code of `prompt_2fa()` wasn't checked and
thus its failure wasn't properly processed.

Spotted with the help of the following warning:
```
Error: CLANG_WARNING:
sssd-2.3.2/src/sss_client/pam_sss.c:2355:21: warning: Value stored to 'ret' is never read
 #                    ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
 #                    ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
05c06cd6 by Luiz Angelo Daros de Luca at 2020-09-17T14:15:10+02:00
ldap: add ldap_sasl_realm to cfg_rules.ini

Resolves:
https://github.com/SSSD/sssd/issues/5314

Signed-off-by: Luiz Angelo Daros de Luca <luizluca at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4a84f8e1 by Pavel Březina at 2020-09-17T14:16:24+02:00
dp: fix potential race condition in provider's sbus server

We can hit a segfault if provider start is somehow delayed.

- dp_init_send
  - sbus_server_create_and_connect_send
    - sbus_server_create (*)
- dp_init_done (callback for sbus_server_create_and_connect_send)
  - sbus_server_create_and_connect_recv
  - sbus_server_set_on_connection (sets clients data and creates dp_cli)

At (*) sbus server is already created and accepts new connections once
we get into tevent loop. So it is possible that the client connects to
server before sbus_server_set_on_connection is called and thus the client
is not properly initialized. However, it should not happen in normal start
because providers are started before responders and it can happen only if
data provider startup is somehow delayed.

You can use this diff to reproduce the crash:
```diff

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
838baa83 by ikerexxe at 2020-09-17T14:17:52+02:00
util/sss_python: change MODINITERROR to dereference module

Change MODINITERROR macro to dereference module when PyModule_*
interfaces report some type of failure.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c008d899 by ikerexxe at 2020-09-17T14:17:52+02:00
python/pysss_nss_idmap: check return from functions

Coverity warns that PyModule_AddIntConstant() returns operation success
or failure but this value is never checked.

```
Error: CHECKED_RETURN (CWE-252):
sssd-2.3.0/src/python/pysss_nss_idmap.c:587: check_return: Calling
"PyModule_AddIntConstant" without checking return value (as is done
elsewhere 4 out of 5 times).
sssd-2.3.0/src/python/pyhbac.c:1956: example_assign: Example 1:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_CATEGORY_ALL", 1L)".
sssd-2.3.0/src/python/pyhbac.c:1957: example_checked: Example 1 (cont.):
"ret" has its value checked in "ret == -1".
sssd-2.3.0/src/python/pyhbac.c:1960: example_assign: Example 2:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_RULE_ELEMENT_USERS", 1L)".
sssd-2.3.0/src/python/pyhbac.c:1961: example_checked: Example 2 (cont.):
"ret" has its value checked in "ret == -1".
sssd-2.3.0/src/python/pyhbac.c:1972: example_assign: Example 3:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_EVAL_DENY", HBAC_EVAL_DENY)".
sssd-2.3.0/src/python/pyhbac.c:1973: example_checked: Example 3 (cont.):
"ret" has its value checked in "ret == -1".
sssd-2.3.0/src/python/pyhbac.c:1982: example_assign: Example 4:
Assigning: "ret" = return value from "PyModule_AddIntConstant(m,
"HBAC_ERROR_NOT_IMPLEMENTED", HBAC_ERROR_NOT_IMPLEMENTED)".
sssd-2.3.0/src/python/pyhbac.c:1983: example_checked: Example 4 (cont.):
"ret" has its value checked in "ret == -1".
 #  585|       PyModule_AddIntConstant(module, "ID_NOT_SPECIFIED",
 #  586|                               SSS_ID_TYPE_NOT_SPECIFIED);
 #  587|->     PyModule_AddIntConstant(module, "ID_USER", SSS_ID_TYPE_UID);
 #  588|       PyModule_AddIntConstant(module, "ID_GROUP", SSS_ID_TYPE_GID);
 #  589|       PyModule_AddIntConstant(module, "ID_BOTH", SSS_ID_TYPE_BOTH);
```

Moreover, even though coverity doesn't indicate it, the same happens with
PyModule_AddStringConstant().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8b1a8cf9 by ikerexxe at 2020-09-17T14:17:52+02:00
python/pyhbac: if PyModule* fails decrement references

If PyModule* actions fail, then references to objects have to be
decremented.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
03b00f72 by ikerexxe at 2020-09-17T14:17:52+02:00
python/pysss: if PyModule* fails decrement references

If PyModule_AddObject fails, then references to objects have to be
decremented.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1b368c72 by Timo Aaltonen at 2020-09-18T16:57:49+03:00
control: Move libsss-sudo to sssd-common Suggests. (LP: #1249777)

- - - - -
245dea6e by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
PAM responder: fixed compilation warning

Fixed following warning:
```
Error: CLANG_WARNING:
sssd-2.3.2/src/responder/pam/pamsrv_cmd.c:982:9: warning: Access to field 'cache_credentials' results in a dereference of a null pointer (loaded from field 'domain')
 #        preq->domain->cache_credentials &&
 #        ^     ~~~~~~
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
93bcfd15 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
KCM: suppress false positive cppcheck warnings

Suppress a bunch of warnings like this:
```
Error: CPPCHECK_WARNING (CWE-456):
sssd-2.3.2/src/responder/kcm/kcmsrv_ccache_json.c:154: error[uninitvar]: Uninitialized variable: key_uuid
 #  152|       uuid_t key_uuid;
 #  153|
 #  154|->     ret = sec_key_get_uuid(sec_key, key_uuid);
 #  155|       if (ret != EOK) {
 #  156|           DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n");
```

Those are clearly false positives as in all those places `uuid` is an output arg and
isn't read in the following execution flow. "cppcheck" fails to detect this because
`uuid_t` and uuid_parse()/uuid_copy() are opaque for the analyzer.

There is no sane way to initialize uuid_t in a way that would please cppcheck.
Moreover, it doesn't make sense to do so from a performance point of view.
Hence the suppression.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c273a78c by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
RESOLV: makes use of sss_rand() helper

Makes use of sss_rand() helper instead of plain srand()/rand()

Reduces the number of "Error: DC.WEAK_CRYPTO (CWE-327)" warnings.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
20b8b955 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
UTIL: fortify IS_SSSD_ERROR() check

Fixes following warning:
```
Error: NEGATIVE_RETURNS (CWE-394):
sssd-2.3.2/src/providers/ldap/sdap_async.c:1516: var_tested_neg: Variable "lret" tests negative.
sssd-2.3.2/src/providers/ldap/sdap_async.c:1525: negative_returns: "lret" is passed to a parameter that cannot be negative.
 # 1523|               }
 # 1524|               else {
 # 1525|->                 sss_log(SSS_LOG_ERR, "LDAP connection error, %s",
 # 1526|                                        sss_ldap_err2string(lret));
 # 1527|               }
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
4c218a55 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
LDAP: sdap_parse_entry() optimization

It doesn't make sense to iterate over `map` if sdap_parse_range()
returned ECANCELED anyway.

Also fixes following warning:
```
Error: CLANG_WARNING:
sssd-2.3.2/src/providers/ldap/sdap.c:529:13: warning: Value stored to 'ret' is never read
 #            ret = EOK;
 #            ^     ~~~
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
0c193e82 by Alexey Tikhonov at 2020-09-21T11:51:41+02:00
DP: fixes a couple of covscan complaints

Fixes warnings like:
```
Error: MISSING_RESTORE (CWE-573):
sssd-2.3.2/src/providers/data_provider_fo.c:61: compare: Verifying that non-local "ctx->be_fo" is initially equal to sentinel value "NULL".
sssd-2.3.2/src/providers/data_provider_fo.c:65: modify: Modifying non-local "ctx->be_fo".
sssd-2.3.2/src/providers/data_provider_fo.c:67: end_of_path: Value of non-local "ctx->be_fo" that was verified to be "NULL" is not restored as it was along other paths.
sssd-2.3.2/src/providers/data_provider_fo.c:87: restore_example: The original value of non-local "ctx->be_fo" was restored here.
 #   65|       ctx->be_fo = talloc_zero(ctx, struct be_failover_ctx);
 #   66|       if (!ctx->be_fo) {
 #   67|->         return ENOMEM;
 #   68|       }
 #   69|
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
cf15e9ea by Luiz Angelo Daros de Luca at 2020-09-21T11:52:04+02:00
SSSCTL: fix logs-remove when log directory is empty

"sssctl logs-remove" calls "truncate --size 0 *.log" and "*.log"
will expand to literal '*.log' when directory is empty. The result
is a new empty '*.log' file.

Add '--no-create' to truncate call.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca at gmail.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f434fedf by Alexey Tikhonov at 2020-09-23T14:03:43+02:00
cmocka based tests: explicitly turn LTO off

cmocka based tests use "-Wl,-wrap" to wrap calls at link time. This is
incompatible with LTO.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d34eb963 by Alexey Tikhonov at 2020-09-23T14:03:43+02:00
Makefile.am: get rid of `libsss_nss_idmap_tests`

`libsss_nss_idmap_tests` isn't required since
https://github.com/SSSD/sssd/pull/632

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5f23f237 by Alexey Tikhonov at 2020-09-23T14:04:04+02:00
sss_nss_idmap-tests: fixed error in iteration over `test_data`

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b377253b by Thorsten Scherf at 2020-09-23T14:04:21+02:00
MAN: fix 'pam_responsive_filter' option type

Resolves: https://github.com/SSSD/sssd/issues/5325

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
b1ef82b6 by Duncan Eastoe at 2020-09-23T14:05:02+02:00
data_provider_be: Configurable max offline time

The offline_timeout period determines the minimum time between
attempts of a data provider to go back online, if it is offline due
to e.g. unreachable servers. Each time this check fails there is a
backoff factor applied, meaning there can be up to 60 minutes between
these attempts.

Here we introduce the offline_timeout_max option which allows
the maximum period between attempts to be defined in the configuration,
instead of the default 60 minutes, therefore providing more
flexibility.

Setting offline_timeout_max to 0 disables the backoff functionality.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
7807ffd7 by Duncan Eastoe at 2020-09-23T14:05:02+02:00
be_ptask: max_backoff may not be reached

If the incremented delay value was greater than max_backoff then
the previous delay was used, rather than using max_backoff as a
ceiling value.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
904ff17c by Duncan Eastoe at 2020-09-23T14:05:02+02:00
be_ptask: backoff not applied on first re-schedule

The task interval backoff is not applied on the first re-schedule
operation, since when scheduling the first run (BE_PTASK_FIRST_DELAY)
we do not calculate the backed off period for the next re-schedule.

Calculate the backed off period for the current scheduling operation,
rather than the next, to resolve this.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
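
The retry backoff that the three commits above (b1ef82b6, 7807ffd7, 904ff17c) configure and fix, as an added example that is not SSSD code: a constructed model in which OFFLINE_TIMEOUT_DEFAULT, OFFLINE_TIMEOUT_MAX, the doubling factor and all function names are assumptions; the real be_ptask and offline_timeout code is not reproduced. It shows the ceiling being reached after the fix, the pre-fix schedule stalling one step short of it, and offline_timeout_max=0 switching backoff off.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed defaults, in seconds (assumption, modelled on the commit text). */
#define OFFLINE_TIMEOUT_DEFAULT 60u     /* initial period between reconnect attempts */
#define OFFLINE_TIMEOUT_MAX     3600u   /* ceiling: the 60-minute default */

/* Next delay after `current`. max == 0 disables backoff entirely;
 * otherwise the delay doubles and is clamped to `max`, so the configured
 * maximum is actually reached (the ceiling behaviour 7807ffd7 restores). */
static uint32_t backoff_next_delay(uint32_t current, uint32_t max)
{
    uint64_t next;

    if (max == 0) {
        return current;
    }
    next = (uint64_t)current * 2;       /* widened so doubling cannot overflow */
    return next > max ? max : (uint32_t)next;
}

/* Pre-fix behaviour for comparison: when doubling would exceed `max` the
 * previous delay is kept, so the schedule never reaches `max` itself. */
static uint32_t backoff_next_delay_buggy(uint32_t current, uint32_t max)
{
    uint64_t next;

    if (max == 0) {
        return current;
    }
    next = (uint64_t)current * 2;
    return next > max ? current : (uint32_t)next;
}

/* Delay in effect after `step` failed reconnect attempts, starting from
 * `initial`; step 0 is the initial period itself. Computing the backed-off
 * value for the current scheduling step is what 904ff17c changes. */
static uint32_t backoff_delay_at(uint32_t initial, uint32_t max, unsigned step)
{
    uint32_t d = initial;

    for (unsigned i = 0; i < step; i++) {
        d = backoff_next_delay(d, max);
    }
    return d;
}

int main(void)
{
    for (unsigned step = 0; step < 8; step++) {
        printf("attempt %u: wait %u s (ceiling %u s)\n", step,
               backoff_delay_at(OFFLINE_TIMEOUT_DEFAULT, OFFLINE_TIMEOUT_MAX, step),
               OFFLINE_TIMEOUT_MAX);
    }
    return 0;
}
```

With the constructed defaults the schedule runs 60, 120, 240, 480, 960, 1920 and then stays at 3600 seconds; the pre-fix variant would stay at 1920 forever, which is the "max_backoff may not be reached" symptom.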

- - - - -
04ea4220 by Duncan Eastoe at 2020-09-23T14:05:02+02:00
data_provider_be: Add OFFLINE_TIMEOUT_DEFAULT

Replace hardcoded default value of 60 in a couple of places.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
e5bdc0b7 by Thorsten Scherf at 2020-09-29T12:20:55+02:00
MAN: update 'ldap_referrals' config entry

Add explicit statement that 'ldap_referrals' should be turned off when Active Directory is used as a backend with the SSSD LDAP provider.

Resolves: https://github.com/SSSD/sssd/issues/5338

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dda652a2 by Steeve Goveas at 2020-09-29T12:21:30+02:00
enable files domain in copr builds for testing

Tests against copr build fail without this option enabled

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
abd19122 by Pavel Březina at 2020-09-29T12:22:20+02:00
conf: disable python2 bindings by default

Python2 is being fully replaced by Python3 on modern distros so
there is no need to build the bindings by default. We haven't even
shipped python2 packages in Fedora for quite some time now.

Keeping this on by default requires using --without-python2-bindings
on modern distributions where python2 is not installed by default.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f126afc9 by Justin Stephenson at 2020-09-29T14:24:10+02:00
KCM: Fix GSSAPI delegation for the memory back end

When GSSAPI credentials are delegated over SSH, the KCM set default ccache
operation looks for a ERR_NO_CREDS return code to continue handling the
SSH-created ccache correctly. The memory back end will now return this
error code in this situation, matching the default secdb back end.

Resolves: https://github.com/SSSD/sssd/issues/5333

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0b069085 by Joakim Tjernlund at 2020-09-29T14:24:47+02:00
Add dyndns_auth_ptr support

Allows specifying the auth method for DNS PTR updates.
Defaults to the same as dyndns_auth.

Resolves: https://github.com/SSSD/sssd/issues/5274

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62aceaf9 by Alexey Tikhonov at 2020-09-30T14:31:32+02:00
UTIL:utf8: code cleanup

This patch touches `sss_*_utf8_*_tolower()` helpers:
 - gets rid of some of them
 - simplifies / optimizes code (avoiding excessive realloc's / memcpy's)
 - limits visibility of "internal" helper

It also fixes following covscan error:
```
Error: OVERRUN (CWE-119):
sssd-2.3.2/src/util/sss_utf8.c:75: strlen_assign: Setting variable "nlen" to the return value of strlen called with argument "glower".
sssd-2.3.2/src/util/sss_utf8.c:77: alloc_strlen: Allocating insufficient memory for the terminating null of the string.
 #   75|       nlen = strlen(glower);
 #   76|
 #   77|->     lower = g_malloc(nlen);
 #   78|       if (!lower) {
 #   79|           g_free(glower);
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a0bf4b3d by Alexey Tikhonov at 2020-09-30T14:31:32+02:00
UTIL:utf8: moved a couple of helpers

`sss_utf8_free()` and `sss_utf8_tolower` were moved to sss_tc_utf8.c
and made static as those helpers are only used there.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
430e695a by Samuel Cabrero at 2020-09-30T14:32:00+02:00
PROXY: Fix iphost not found code path in get_host_by_name_internal

Return the correct error code ENOENT when the iphost is not found.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9d350e04 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
NSS: Fix get ip network by address when address type is AF_UNSPEC

If the type is AF_UNSPEC try to parse it as an IPv4 address.

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2c456951 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
NSS: Fix _nss_sss_getnetbyaddr_r address byte order

The address is received in host byte order, but the nss protocol
parser expects it in network byte order.

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a590fd98 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
PROXY: getnetbyaddr_r expects the net argument in host byte order

The inet_pton function returns the address in network byte order, but
getnetbyaddr_r expects it in host byte order.

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
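
The two byte-order conversions behind the getnetbyaddr fixes above (2c456951 on the NSS client side, a590fd98 in the proxy provider), as an added example that is not SSSD code; function names are assumptions. inet_pton() fills in_addr.s_addr in network byte order, getnetbyaddr_r() takes its net argument in host byte order, and the NSS wire protocol expects network byte order again, so each hand-off needs the matching conversion. On a little-endian host the missing conversion silently looks up a different network, which is why the accompanying tests check the value rather than just that the call succeeded.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* The mistake the proxy fix removes: handing inet_pton()'s raw result
 * straight to getnetbyaddr_r(). Returns the raw network-order value
 * (0 on parse error) so the difference can be observed. */
static uint32_t raw_s_addr(const char *text)
{
    struct in_addr addr;

    if (inet_pton(AF_INET, text, &addr) != 1) {
        return 0;
    }
    return addr.s_addr;                 /* network byte order */
}

/* Correct for getnetbyaddr_r(): convert to host byte order first.
 * Returns 0 on parse error (0.0.0.0 is not a usable network number). */
static uint32_t parse_net_host_order(const char *text)
{
    struct in_addr addr;

    if (inet_pton(AF_INET, text, &addr) != 1) {
        return 0;
    }
    return ntohl(addr.s_addr);          /* host byte order */
}

/* Correct for the NSS client side: a host-order network number must be
 * converted back before it is packed into the request the responder's
 * protocol parser reads. */
static uint32_t net_to_wire(uint32_t net_host)
{
    return htonl(net_host);
}

/* True on little-endian hosts, where skipping the conversion changes the
 * value; on big-endian hosts the bug is invisible. */
static int conversion_matters(void)
{
    return htonl(0x01020304u) != 0x01020304u;
}

int main(void)
{
    const char *net = "10.1.2.0";       /* constructed sample network */

    printf("%s: raw s_addr = 0x%08x, host order = 0x%08x (differs here: %d)\n",
           net, raw_s_addr(net), parse_net_host_order(net), conversion_matters());
    return 0;
}
```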

- - - - -
9edc3c49 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
TESTS: getnetbyaddr_r expects network in host byte order

Resolves:
    https://github.com/SSSD/sssd/issues/5256

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
69af6848 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
TESTS: Fix resolver test calling getnetbyname instead of getnetbyaddr

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
77734063 by Samuel Cabrero at 2020-09-30T14:32:00+02:00
TESTS: Extend resolver tests to check getnetbyaddr with AF_UNSPEC

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8fa70232 by Alexey Tikhonov at 2020-09-30T14:32:20+02:00
AD: validate `search_bases` in DPM_ACCT_DOMAIN_HANDLER

In specific circumstances "sdom->*_search_bases" might be unset yet
when "ad_get_account_domain_send() -> ad_get_account_domain_prepare_search()"
is executed.

Resolves:
https://github.com/SSSD/sssd/issues/5295

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
edec0ee3 by Alexey Tikhonov at 2020-09-30T14:32:20+02:00
DP:getAccountDomain: add DP_FAST_REPLY support

Let `getAccountDomain()` fail immediately if offline.

Resolves: https://github.com/SSSD/sssd/issues/5295

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
49481da2 by ikerexxe at 2020-10-01T13:03:07+02:00
IFP: GetUserGroups() returns origPrimaryGroupGidNumber

There was a mismatch between the information provided by NSS and IFP
interfaces. nss_protocol_fill_initgr() returned
origPrimaryGroupGidNumber as one of the group members of a user, but
GetUserGroups() didn't. This commit makes GetUserGroups() also return
origPrimaryGroupGidNumber value.

Resolves:
https://github.com/SSSD/sssd/issues/4569

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5ddabede by ikerexxe at 2020-10-01T13:03:07+02:00
IFP-TESTS: GetUserGroups() returns origPrimaryGroupGidNumber

New infopipe test case to check:
Given auto_private_groups is enabled
When GetUserGroups is called
Then the origPrimaryGroupGidNumber is returned as part of the group
memberships

Resolves:
https://github.com/SSSD/sssd/issues/4569

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7fbcaa8f by Pavel Březina at 2020-10-01T16:01:22+02:00
be: remove accidental sleep

This sleep was used to test a crash in data provider and quite unfortunately
it was left in the patch.

dp: fix potential race condition in provider's sbus server
4a84f8e18ea5604ac7e69849dee492718fd96296.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
414593cc by Pavel Březina at 2020-10-02T12:18:54+02:00
ldap: add support for cldap and udp connections

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8265674a by Pavel Březina at 2020-10-02T12:18:54+02:00
ad: use cldap for site and forest discovery (perform CLDAP ping)

All Windows clients use CLDAP (UDP) for LDAP ping. Even though AD
also supports LDAP ping over TCP, IPA does not, therefore it is crucial
for us to perform the ping over the CLDAP protocol.

Resolves:
https://github.com/SSSD/sssd/issues/5215

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1889ca60 by Pavel Březina at 2020-10-02T12:18:55+02:00
ad: connect to the first available server for cldap ping

Resolves:
https://github.com/SSSD/sssd/issues/3743

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fcfd834c by Pavel Březina at 2020-10-02T12:18:55+02:00
ad: if all in-site dc are unreachable try off-site controllers

Previous implementation would not fall back to the off-site domain
controllers. This would cause problems if the site actually changed.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a62a13ae by Pavel Březina at 2020-10-02T12:18:55+02:00
man: fix typo in failover description

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9fdf5cfa by Pavel Březina at 2020-10-02T12:18:55+02:00
ad: renew site information only when SSSD was previously offline

Site and forest information is stable, not dynamic. To avoid spamming the
network with cldap pings all the time we will renew netlogon information
only when SSSD starts and when we are recovering from an offline state
to detect a possible change (e.g. user moves to another location with a laptop).

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f0d65079 by Pavel Březina at 2020-10-02T12:18:55+02:00
tevent: correctly handle req timeout error

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
093061f5 by Tomas Halman at 2020-10-02T12:19:51+02:00
UTIL: DN sanitization

Some LDAP servers return DNs in attributes such as isMemberOf
with spaces, like dc=example, dc=com. That should be fine and we
should ignore them (cut them out) instead of escaping.

Resolves:
https://github.com/SSSD/sssd/issues/5261

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
21b9417e by Tomas Halman at 2020-10-02T12:19:51+02:00
UTIL: Use sss_sanitize_dn where we deal with DN

Resolves:
https://github.com/SSSD/sssd/issues/5261

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fe0f1e64 by Tomas Halman at 2020-10-02T12:19:51+02:00
UTIL: Use sss_sanitize_dn where we deal with DN 2

Tests show that also ldb_dn_get_linearized can
return DN with extra spaces. We have to trim that too.

Resolves:
https://github.com/SSSD/sssd/issues/5261

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
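The three DN sanitization commits above (093061f5, 21b9417e, fe0f1e64) describe trimming the padding that some LDAP servers and ldb_dn_get_linearized() put after RDN separators. The following is an added illustration of that kind of trimming, written for this page; it is not SSSD's sss_sanitize_dn() and the function name is made up. The point a practitioner wants to see is that escaped characters ("\," and "\ " inside an attribute value) must survive, so only whitespace after an *unescaped* separator is dropped.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `dn` into `out`, dropping whitespace that follows an unescaped RDN
 * separator (',' or ';') and whitespace at the very start of the DN.
 * Backslash-escaped pairs ("\,", "\ ", "\\") are copied verbatim, so a
 * comma or space that is part of an attribute value is kept.
 * Returns the number of bytes written (excluding the NUL), or -1 if
 * `out` is too small. Illustrative helper, not SSSD's code. */
int trim_dn_separator_spaces(const char *dn, char *out, size_t outlen)
{
    size_t o = 0;
    int after_sep = 1;   /* treat the start of the DN like "after a separator" */

    if (outlen == 0) {
        return -1;
    }

    for (size_t i = 0; dn[i] != '\0'; i++) {
        char c = dn[i];

        if (c == '\\' && dn[i + 1] != '\0') {
            /* escaped pair: copy both bytes unchanged */
            if (o + 2 >= outlen) {
                return -1;
            }
            out[o++] = c;
            out[o++] = dn[++i];
            after_sep = 0;
            continue;
        }
        if (after_sep && (c == ' ' || c == '\t')) {
            continue;    /* padding after a separator: drop it */
        }
        if (o + 1 >= outlen) {
            return -1;
        }
        out[o++] = c;
        after_sep = (c == ',' || c == ';');
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* constructed sample DNs, the second one with an escaped comma in a value */
    const char *samples[] = {
        "dc=example, dc=com",
        "cn=Doe\\, John, ou=People,  dc=example, dc=com",
    };
    char buf[128];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (trim_dn_separator_spaces(samples[i], buf, sizeof(buf)) < 0) {
            printf("buffer too small for: %s\n", samples[i]);
            continue;
        }
        printf("%s  ->  %s\n", samples[i], buf);
    }
    return 0;
}
```

A DN normalized this way can be compared byte-for-byte against the DN of the referenced object; for the member-DN case difference handled in the following commits a case-insensitive comparison of the attribute types is still needed on top of this.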
50d0d154 by Sumit Bose at 2020-10-02T12:19:51+02:00
ldap: use member DN to create ghost user hash table

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
88631392 by Sumit Bose at 2020-10-02T12:19:51+02:00
intg: allow member DN to have a different case

Make sure that group members are added properly to the group even if the
user DN in the RFC2307bis member attribute differs in case from the
original DN of the user object.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a409ffae by Timothée Ravier at 2020-10-02T12:21:23+02:00
sss_cache: Do nothing if SYSTEMD_OFFLINE=1

Do not check for /var being RO as this will break cases where we
explicitly request sssd not to update the cache by setting
SYSTEMD_OFFLINE=1.

This will still complain if /var is RO and SYSTEMD_OFFLINE is not set.

See initial discussion at: https://pagure.io/SSSD/sssd/pull-request/3959

Fixes: sss_cache: Do nothing if /var is read-only
https://github.com/SSSD/sssd/commit/073b03a096a763170165fe3814fa987881713e75

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1b016774 by Alexey Tikhonov at 2020-10-06T11:48:18+02:00
Got rid of unused providers/data_provider/dp_pam_data.h

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d1ed68bd by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
UTILS: adds helper to convert authtok type to str

This patch introduces helper to convert authtok type to string
and makes use of this helper in `pam_print_data()`

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
038385dd by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
krb5_child: fixed few mistypes in debug messages

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
44581276 by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
parse_krb5_child_response: adds verbosity

This patch decodes krb5 child response status and message types in
the log messages.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
68497dc1 by Alexey Tikhonov at 2020-10-06T11:53:22+02:00
krb5_child: adds verbosity

This patch decodes krb5 child command in the log messages.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
37ba37a4 by Sumit Bose at 2020-10-06T11:54:43+02:00
ad: fix handling of current site and forest in cldap ping

The current site and forest are stored in a long living context and we
have to make sure that they are not moved to a different talloc parent
with a shorter lifetime. To achieve this the values are copied at the
start of a new cldap ping although it is expected that the values won't
change.

Resolves: https://github.com/SSSD/sssd/issues/3743

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
93e35c76 by Pavel Březina at 2020-10-06T11:55:13+02:00
autofs: if more than one entry is found store all of them

There can be more entries with the same cn (automountKey) attribute value
that differ only in casing if a different attribute is chosen as rdn.
SSSD then searches for (cn=name) when the name folder is being mounted but
this returns both the lowercase and uppercase entry and we only store one
(which may not be the desired one based on the order in the result)
and fail to mount one of the directories.

Resolves:
https://github.com/SSSD/sssd/issues/5330

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
971cbe24 by Timo Aaltonen at 2020-10-06T15:56:46+03:00
releasing package sssd version 2.3.1-3

- - - - -
d39b6580 by Justin Stephenson at 2020-10-07T13:57:23+02:00
KCM: Fix access after free on shutdown

Skip triggering the queue entry destructor on KCM shutdown
to prevent a crash when multiple requests are queued.

Resolves: https://github.com/SSSD/sssd/issues/4733

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4f65a8d1 by Sumit Bose at 2020-10-07T14:00:17+02:00
ad: add ad_allow_remote_domain_local_groups

As the option name says, if set to true Domain Local groups from remote
domains won't be filtered out. This option is added to facilitate the
migration from other solutions and should only be used for this purpose.

Resolves: https://github.com/SSSD/sssd/issues/5346

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b427e059 by Pavel Březina at 2020-10-07T16:19:40+02:00
pot: update pot files to allow updated translations

- - - - -
bc1ce6f0 by Simo Sorce at 2020-10-08T13:29:41+02:00
krb5_child: Harden credentials validation code

The krb5_verify_init_creds() call is used to validate the credentials
just obtained by trying to acquire a ticket from the KDC that we can
decrypt. This ensures the KDC is indeed legitimate as it proves
possession of the shared key.

However this function will *enforce* this behavior only if the
KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL option is set to the value
TRUE.

If this option is unset it defaults to FALSE which means verify will
silently return success if no key is available.

SSSD *does* ensure that a key is always available for validation, so
this is not a security bug with the current code. However we add belt
and suspenders here to futureproof this code in case of future
inadvertent changes that may lead to a code path where a key may be
missing.

Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78f221ed by Pavel Březina at 2020-10-08T13:29:55+02:00
multihost: move sssd.testlib closer to tests

So it can be used directly without the need of installing the package.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
974b4e90 by Pavel Březina at 2020-10-08T13:29:55+02:00
multihost: remove packaging files

The test library is not currently published in pypi nor Fedora and it is
not being reused by other projects so it makes no sense for us to keep
maintaining these files.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3379dac2 by Pavel Březina at 2020-10-08T13:29:55+02:00
spec: enable kcm by default

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d7d53141 by Pavel Březina at 2020-10-08T13:29:55+02:00
tests: run TIER-0 multihost tests in PRCI

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d1e5d188 by Alexey Tikhonov at 2020-10-12T12:01:05+02:00
krb5_child: reduce log severity in sss_krb5_prompter

krb5_child primarily uses krb5_get_init_creds_opt_set_responder() /
sss_krb5_responder() to do the work; the old scheme sss_krb5_prompter()
is mostly used for debug purposes and a password prompt request isn't
a real error here.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5c309f52 by Sumit Bose at 2020-10-12T12:01:26+02:00
cert: move cert_to_ssh_key_send/recv() to ssh responder

The cert_to_ssh_key_send/recv() request is currently only used by the
SSH responder and adds an unneeded dependency to libsss_certmap to
libsss_cert.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
deefae78 by Sumit Bose at 2020-10-12T12:01:26+02:00
sysdb: add sysdb_cert_derb64_to_ldap_filter()

sysdb_cert_derb64_to_ldap_filter() is a simplified version of
sss_cert_derb64_to_ldap_filter() for the case when no certificate
mapping context is available.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
7fcc8b0e by Sumit Bose at 2020-10-12T12:01:26+02:00
cert: move sss_cert_derb64_to_ldap_filter() out of libsss_cert.so

To avoid a dependency to libsss_certmap.so
sss_cert_derb64_to_ldap_filter() is removed from the internal
libsss_cert.so library.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
bb50ad83 by Sumit Bose at 2020-10-12T12:01:26+02:00
build: remove libsss_certmap from dependencies of libsss_cert

The internal library libsss_cert is used at various places and the
dependency to the public library libsss_certmap is not needed in most of
those places.

Resolves: https://github.com/SSSD/sssd/issues/1030

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ad694411 by Pavel Březina at 2020-10-12T12:01:47+02:00
git-template: add tags to help with release notes automation

This commit adds information on several tags that should be used
so we are able to generate release notes on each new release
automatically. This will make release notes more thorough and it
will also simplify the process a lot since it takes lots of time
to do it manually.

Why I chose `:tag:` format:
1. Using @ notation creates user references in github so I wanted
   to use something different. This notation is used in ReST
   documentation language so it is commonly known.
2. Using a plain text like (Resolves) leads people to create their
   own variations (Fixes, Resolves XYZ, ...) which adds additional
   burden to maintainers. Using this format makes it less error
   prone and easier to parse.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c94d91c4 by Weblate at 2020-10-12T12:04:43+02:00
Update the translations for the 2.4.0 release

- - - - -
51db6a23 by Pavel Březina at 2020-10-12T12:16:19+02:00
Release sssd-2.4.0

- - - - -
b913ddbd by Pavel Březina at 2020-10-12T15:30:12+02:00
Update version in version.m4 to track the next release

- - - - -
f7dba450 by Alexey Tikhonov at 2020-10-19T11:19:45+02:00
SDAP: set common options for sockets open by libldap

In case of referral chasing libldap can open a new socket on its own.
This socket requires the same setup as a socket created by SSSD itself.
Otherwise the process can hang on a blocked TCP operation.

Resolves: https://github.com/SSSD/sssd/issues/5359

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
159d58f6 by Timo Aaltonen at 2020-10-20T16:17:47+03:00
Merge branch 'upstream'

- - - - -
8565f9c5 by Timo Aaltonen at 2020-10-20T16:18:12+03:00
bump the version

- - - - -
81e757b7 by Sumit Bose at 2020-11-05T11:46:24+01:00
ifp: fix use-after-free

The variable fqdn is pointing to some data from state->res->msgs[0]. But
before fqdn is used in the next search state->res and the memory
hierarchy below is freed. As a result the location where fqdn is pointing
to might hold the expected data or other data and the search will fail
intermittently.

Resolves: https://github.com/SSSD/sssd/issues/5382

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
833034f5 by Alexey Tikhonov at 2020-11-05T11:48:15+01:00
DEBUG: journal_send() was made static

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
18233532 by Alexey Tikhonov at 2020-11-05T11:48:15+01:00
DEBUG: fixes program identifier as seen in syslog

Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name`
to accommodate needs of own SSSD logs, but this affected journal/syslog
as well.

This patch amends the situation:
 - journal messages get the "umbrella" identifier "sssd[]"
 - syslog uses the default, which is the program name

Resolves: https://github.com/SSSD/sssd/issues/5384

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5f3b9e1d by Sumit Bose at 2020-11-05T11:50:59+01:00
AD: do not override LDAP data during GC lookups

The Global Catalog contains user and group information of the whole
forest and hence any Global Catalog server can be used. Currently when a
Global Catalog server is looked up the data of the LDAP server is
overwritten as well. I guess the original intention was to use a single
server for both services.

However since the Global Catalog server can come from any domain in the
forest this might overwrite the LDAP data of a DC from the local domain
with the data from an AD of a remote domain and as a result lookups for
users and groups from the local domain might fail since the remote DC
does not have this information available at the LDAP port. In most cases
this overwrite is hidden by a following lookup to find a KDC for
authentication which is searched only in the local domain again where
the LDAP data is overwritten again to make sure the same DC is used for
LDAP and Kerberos communication. But depending on the connection
timeouts and lifetime of Kerberos tickets the KDC lookup might be
skipped because new credentials are not needed and as a result the wrong
LDAP data is used.

To avoid this the LDAP data is now only set if the current lookup is not
a Global Catalog lookup.

Resolves: https://github.com/SSSD/sssd/issues/5351

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e1bcf77 by Sumit Bose at 2020-11-12T11:22:33+01:00
negcache: make sure domain config does not leak into global

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
385af99f by Sumit Bose at 2020-11-12T11:22:33+01:00
utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()

To allow iterating over only a single domain and its sub-domains a new
flag is added to get_next_domain().

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0dc81a52 by Sumit Bose at 2020-11-12T11:22:33+01:00
negcache: make sure short names are added to sub-domains

If short names are used with filter_users or filter_groups in a
[domain/...] section they should be added to the sub-domains of this
domain as well.

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fa4b46e7 by Sumit Bose at 2020-11-12T11:22:33+01:00
negcache: do not use default_domain_suffix

When splitting the names from the filter_users and filter_groups options
do not use the default_domain_suffix because it will hide that the
original name is a short name and should be added everywhere.

Additionally this patch fixes a typo where sss_parse_name() was used
instead of sss_parse_name_for_domains().

Resolves: https://github.com/SSSD/sssd/issues/5238

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
804ae76d by Steeve Goveas at 2020-11-13T11:19:33+01:00
Move conftest.py to basic dir

Following commits have 'ad' and 'alltests' code with their respective
conftest.py files.

This change was tested successfully in downstream CI

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ef4c82bb by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add alltests code

This directory has all tests for ldap and krb5, basically all non ad
tests for sssd

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
73f5699b by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add ad test code

This directory has all tests that need active directory to be available

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3c06709b by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add ipa test code

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6cc11a9a by Steeve Goveas at 2020-11-13T11:19:33+01:00
Update sssd testlibs

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4205accc by Steeve Goveas at 2020-11-13T11:19:33+01:00
Add empty conftest.py and update path to run basic tests

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fe56d5c9 by Steeve Goveas at 2020-11-13T11:19:33+01:00
Fix pep8 issues

Fixes have been tested

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d2d44e9a by Steeve Goveas at 2020-11-13T11:19:33+01:00
Include data directory

It contains AD sudo schema, ldif files, c programs used by the tests

Signed-off-by: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
94a9833b by Steeve Goveas at 2020-11-13T11:19:33+01:00
Fix errors found during testing

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f404cd3e by Steeve Goveas at 2020-11-13T11:19:33+01:00
Remove trailing whitespaces

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ff24d153 by Alexey Tikhonov at 2020-11-23T11:49:47+01:00
SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in msgs[]

This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL
ptrs in results of sysdb_search_with_ts_attr()

Resolves: https://github.com/SSSD/sssd/issues/5412

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37761b42 by Tomas Halman at 2020-11-23T11:51:15+01:00
CACHE: Create timestamp if missing

In some cases, an object is stored in the cache but the corresponding
record in the timestamp cache is missing (for example when the timestamp
cache file is deleted). The timestamp is never created in such a
case.

With this patch we create a new timestamp object if the update doesn't
work for this particular reason (missing object).

Resolves: https://github.com/SSSD/sssd/issues/5121

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
62b2b497 by Tomas Halman at 2020-11-23T11:51:15+01:00
TESTS: Add test for recreating cache timestamp

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e25f8790 by tobias-gruenewald at 2020-11-23T11:52:19+01:00
Change LDAP group type from int to string

https://github.com/SSSD/sssd/issues/5402

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
afa15cb7 by tobias-gruenewald at 2020-11-23T11:52:19+01:00
Change LDAP group type from int to string

https://github.com/SSSD/sssd/issues/5402

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2786071e by tobias-gruenewald at 2020-11-23T11:52:19+01:00
Change LDAP group type from int to string

https://github.com/SSSD/sssd/issues/5402

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3fdfb42b by Justin Stephenson at 2020-11-23T11:52:59+01:00
krb5: Remove secrets text from drop-in KCM file

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3b158934 by Sumit Bose at 2020-11-23T11:55:05+01:00
ifp: fix original fix use-after-free

The original fix stole the fqdn too early. Only for SSS_DP_USER
requests is the steal important. For other requests where the first
result is returned to the caller the original version
might even cause issues since the name does not belong to the memory
hierarchy of the result anymore.

Resolves: https://github.com/SSSD/sssd/issues/5382

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
4ab47a91 by Samuel Cabrero at 2020-11-23T11:55:40+01:00
Improve samba version check for ndr_pull_steal_switch_value signature

The current check will fail when samba 5.0 is released.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6617f3d7 by Samuel Cabrero at 2020-11-23T11:55:40+01:00
winbind idmap plugin: Fix struct idmap_domain definition

The patch for samba bug 13052 was backported to samba >= 4.7.4 adding
the dom_sid field to the idmap_domain struct.

This mismatch in the struct definition causes the plugin to fail
all unixids_to_sids and sids_to_unixids calls with
NT_STATUS_INVALID_PARAMETER for samba versions between 4.7.4 and 4.8.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4b0bd845 by Duncan Eastoe at 2020-11-25T11:36:16+01:00
nss: Use posix_fallocate() to alloc memcache file

If sssd_nss starts up while the filesystem where the memcache files
will reside (SSS_NSS_MCACHE_DIR) does not have sufficient space,
sssd_nss can be killed by SIGBUS while attempting to write to the
mmap()'d address space.

Replace the ftruncate() call with posix_fallocate(), which will fail
in this scenario, so we can detect the condition and continue startup
without the memcache functionality.

Fixes #5369

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
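Commit 4b0bd845 above replaces ftruncate() with posix_fallocate() so that a full filesystem is reported as an error at startup instead of as a SIGBUS on the first write into the mapping. The following is an added example of that pattern, written for this page and not taken from SSSD's nss memcache code; the function names and the file size are made up. The key detail is that posix_fallocate() returns the error number directly (it does not set errno), and that the caller treats a failure as "run without the cache" rather than as fatal.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Create a memory-mapped cache file of `size` bytes at `path`.
 * Returns 0 and stores the mapping in *map on success, otherwise an errno
 * value. Because posix_fallocate() actually reserves the blocks, a lack of
 * space shows up here as ENOSPC instead of as a SIGBUS later, when the
 * first page of the mapping is touched. Illustrative, not SSSD's code. */
int create_mmap_cache(const char *path, size_t size, void **map)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) {
        return errno;
    }

    /* ftruncate() would only extend the file sparsely; posix_fallocate()
     * fails up front if the blocks cannot be reserved. Note the return
     * value convention: the error number is returned, errno is untouched. */
    int ret = posix_fallocate(fd, 0, (off_t)size);
    if (ret != 0) {
        close(fd);
        unlink(path);
        return ret;        /* e.g. ENOSPC: caller continues without the cache */
    }

    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int saved_errno = errno;
    close(fd);             /* the mapping stays valid after the fd is closed */
    if (p == MAP_FAILED) {
        unlink(path);
        return saved_errno;
    }
    *map = p;
    return 0;
}

/* Exercise the helper on a temporary file: write a marker into the mapping
 * and read it back. Returns 1 when the cache works, 0 when it had to be
 * disabled (which is the graceful outcome the commit aims for). */
int cache_roundtrip(size_t size)
{
    char path[] = "/tmp/mc_example_XXXXXX";    /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0) {
        return 0;
    }
    close(fd);

    void *map = NULL;
    int ret = create_mmap_cache(path, size, &map);
    if (ret != 0) {
        fprintf(stderr, "memcache disabled: %s\n", strerror(ret));
        unlink(path);
        return 0;
    }

    memcpy(map, "SSSMC", 5);
    int ok = (memcmp(map, "SSSMC", 5) == 0);
    munmap(map, size);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("memcache roundtrip: %s\n", cache_roundtrip(64 * 1024) ? "ok" : "disabled");
    return 0;
}
```

The defensive gain is purely in failure handling: on a healthy filesystem both variants behave the same, but with posix_fallocate() a full /var degrades the responder to "no memory cache" instead of killing it.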
311e2272 by Duncan Eastoe at 2020-11-25T11:36:16+01:00
nss: remove clear_mc_flag file after clearing caches

This has the effect of delaying the exit of sss_cache after it has
requested a clearing of the cache.

This should prevent an issue observed in the integration tests where
sssd_nss was terminated while the cache clear was in progress.
Specifically the test_*_before_stop tests in test_memory_cache.py.

All this change is really doing is delaying sending SIGTERM, to try
and give sssd_nss a chance to complete the clear operation.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e225ff7 by Alexey Tikhonov at 2020-11-30T12:40:19+01:00
KCM: avoid NULL deref

Fixes following issue:
```
/src/responder/kcm/kcmsrv_op_queue.c:129: check_after_deref: Null-checking "entry" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
 #   127|       terminating = entry->queue->qctx->kctx->rctx->shutting_down;
 #   128|
 #   129|->     if (entry == NULL) {
 #   130|           return 1;
 #   131|       /* Prevent use-after-free of req when shutting down with non-empty queue */
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c87b2208 by Sumit Bose at 2020-11-30T13:46:34+01:00
nss: check if groups are filtered during initgroups

If groups are filtered, i.e. SSSD should not handle them, they should
not appear in the group list returned by an initgroups request.

Resolves: https://github.com/SSSD/sssd/issues/5403

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
47a316c8 by Pavel Březina at 2020-12-04T11:43:30+01:00
kcm: fix typos in debug messages

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8edcea8c by Pavel Březina at 2020-12-04T11:43:30+01:00
kcm: avoid name confusion in GET_CRED_UUID_LIST handlers

The function name did not follow best practices and it got easily confused
with `kcm_op_get_cred_by_uuid_getbyname_done`.

```
kcm_op_get_cred_uuid_getbyname_done
kcm_op_get_cred_by_uuid_getbyname_done
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b8f28d9a by Pavel Březina at 2020-12-04T11:43:30+01:00
kcm: disable encryption

Encryption was a huge bottleneck for the secdb backend. This is
backwards compatible and there is no need to destroy existing
ccache. It will be stored unencrypted at first write to the cache.

Note that the encryption did not provide any security as the cache
is accessible only by root and the master key is stored together
with the cache. So once someone gains access to the file it can
be easily decrypted. Additionally, there was also no encryption at
the memory level.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
74fdaa64 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: avoid multiple debug messages if sss_sec_put fails

sec_put() already logs a message if the underlying function fails
so this debug message is really unnecessary.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
908c15af by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: allow to specify secret's data format

Currently, both KCM and secrets responders store JSON formatted string
in the secrets database. One of the next commits makes KCM to store
binary format instead of JSON string to improve performance. We need
to be able to distinguish the formats to keep KCM update compatible
with existing ccache and also to keep secrets responder working.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ed08ba00 by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: accept binary data instead of string

Currently, both KCM and secrets responders store JSON formatted string
in the secrets database. One of the next commits makes KCM to store
binary format instead of JSON string to improve performance. We need
to be able to distinguish the formats to keep KCM update compatible
with existing ccache and also to keep secrets responder working.

Secrets responder test had to be amended to fit into a new maximum
payload which is now reduced by one byte for the secrets responder
to hold the ending zero of a secret string.

This is a corner case in a long deprecated responder that is not even
built by default and has no known consumers so it is fine to fast fix
the test.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b6cc661b by Pavel Březina at 2020-12-04T11:43:31+01:00
iobuf: add more iobuf functions

These will be used in later patches.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9b1631de by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: add json suffix to existing serialization functions

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e63a1503 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: move sec key parser to separate file so it can be shared

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
15069a64 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: avoid suppression of cppcheck warning

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
f17740d8 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: add spaces around operators in kcmsrv_ccache_key.c

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
194447d3 by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: use binary format to store ccache instead of json

JSON is computationally complex and the parser is a bottleneck which
consumes about 10% of the time. It also makes the ccache unnecessarily
large because it requires lots of unneeded characters and base64
encoding.

Binary format is fast, simple and small.

This is backwards compatible and there is no need to destroy existing
ccache. It will be stored in binary format at first write to the cache.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
241ee30d by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: add per-connection data to be shared between requests

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a370553c by Pavel Březina at 2020-12-04T11:43:31+01:00
sss_ptr_hash: fix double free for circular dependencies

If the hash table delete callback deletes the stored item,
we can end up with a double free in case we try to override
an existing item (hash_enter(key) where key already exists).

```c
static void delete_cb(hash_entry_t *item,
                      hash_destroy_enum deltype,
                      void *pvt)
{
    talloc_free(item->value.ptr);
}

hash_enter(key);
hash_enter(key);
```

The double free itself is fine, since it is done via a talloc destructor
and talloc can cope with that. However, the hash table fails to store
the new entry because hash_delete is called twice.

```
_sss_ptr_hash_add -> hash_enter -> hash_delete(old) -> delete_cb -> sss_ptr_hash_value_destructor -> hash_delete
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c3b314db by Pavel Březina at 2020-12-04T11:43:31+01:00
kcm: store credentials list in hash table to avoid cache lookups

Iteration over ccache requires CRED_UUID_LIST and then calling
CRED_BY_UUID for each uuid in the obtained list. Each CRED_BY_UUID
operation invoked ldb_search and decryption. This was a substantial
bottleneck.

Resolves: https://github.com/SSSD/sssd/issues/5349

:fixes: KCM performance has improved dramatically for cases where
  large amount of credentials are stored in the ccache.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
bf127d4f by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: fix max_payload_size exceeded debug message

The unit is bytes (B) not bits (b) and the conversion of the input
payload size to KiB was wrong (multiplying bytes * 1024).

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9c1b51d0 by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: default to "plaintext" if "enctype" attr is missing

This is a sane fallback behavior, however it should not happen since
the attribute should be always present.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
39277cda by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: move attrs names to macros

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
325de5a5 by Pavel Březina at 2020-12-04T11:43:31+01:00
secrets: remove base64 enctype

This was added as part of KCM performance improvements but never used.
Ldb is fully capable of holding binary data without the need for base64
encoding so this is not needed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3f0ba4c2 by Pavel Březina at 2020-12-04T11:51:52+01:00
cache_req: allow cache_req to return ERR_OFFLINE if all dp request failed

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e50258da by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: return ERR_OFFLINE if we fail to get information from backend and cache is empty

Resolves:
https://github.com/SSSD/sssd/issues/3413

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9098108a by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: translate ERR_OFFLINE to EHOSTDOWN

So we do not publish an internal error code.

Resolves:
https://github.com/SSSD/sssd/issues/3413

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
34c519a4 by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: disable fast reply

If the backend is offline when autofs starts and reads auto.master map
we don't want to wait 60 seconds before the offline flag is reset. We
need to allow autofs to retry the call much sooner.

Resolves:
https://github.com/SSSD/sssd/issues/3413

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8a22d4ad by Pavel Březina at 2020-12-04T11:51:52+01:00
autofs: correlate errors for different protocol versions

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
075519bc by Pavel Březina at 2020-12-04T11:51:52+01:00
configure: check for stdatomic.h

Recent autofs patches add a dependency on the atomic_uint/_Atomic type from the C11
standard. This has been supported in both gcc and clang for a long time now.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
78ef0828 by Madhuri Upadhye at 2020-12-04T12:03:24+01:00
Test: AD: For sssd crash in ad_get_account_domain_search

Configures the AD domain and makes it unreachable by changing
the ad_domain parameter. Checks the request flag 0x0001 in the log after
sssd restart.

Verifies:
  Issue: #5295
  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1734040

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
ffc7cea9 by Timo Aaltonen at 2020-12-08T22:16:17+02:00
source: Update diff-ignore.

- - - - -
baa83e17 by Timo Aaltonen at 2020-12-08T22:37:06+02:00
releasing package sssd version 2.4.0-1

- - - - -
18b98836 by Pavel Březina at 2020-12-11T10:31:14+01:00
kcm: decode base64 encoded secret on upgrade path

Previous inefficient code encoded the secret multiple times:
  secret -> base64 -> masterkey -> base64

To allow a smooth upgrade for already existing ccaches we need to also decode
the secret if it is still in the old format (type == simple). Otherwise
users are not able to log in.

Resolves: https://github.com/SSSD/sssd/issues/5349

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
45f2eb57 by Pavel Březina at 2020-12-16T15:48:29+01:00
sss_format.h: include config.h

config.h is required for the definitions to work correctly. Compilation
will fail if sss_format.h is included in a file that does not include
directly or indirectly config.h

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b0e48c3 by Pavel Březina at 2020-12-16T15:48:29+01:00
packet: add sss_packet_set_body

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6715b31f by Pavel Březina at 2020-12-16T15:48:29+01:00
domain: store hostname and keytab path

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a3e2677f by Pavel Březina at 2020-12-16T15:48:29+01:00
cache_req: add helper to call user by upn search

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dcc42015 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: fix typo in debug message

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d63172f1 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: add pam_gssapi_services option

:config: Added `pam_gssapi_services` to list PAM services
  that can authenticate using GSSAPI

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fffe3169 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: add pam_gssapi_check_upn option

:config: Added `pam_gssapi_check_upn` to enforce authentication
  only with principal that can be associated with target user.

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d09aa174 by Pavel Březina at 2020-12-16T15:48:29+01:00
pam: add pam_sss_gss module for gssapi authentication

:feature: New PAM module `pam_sss_gss` for authentication using GSSAPI
:packaging: Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page

Reviewed-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1b9b7f5a by Sumit Bose at 2020-12-16T15:55:56+01:00
pam_sss: use unique id for gdm choice list

Currently the key-id read from the Smartcard is used as key value for
the gdm choice list dialog. Since it might be possible that multiple
certificates use the same key and hence the same key-id this is not a
suitable value.

With this patch the string representation of a numerical counter is used.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8b6be52e by Sumit Bose at 2020-12-16T15:55:56+01:00
authtok: add label to Smartcard token

The key-id might not be sufficient to identify a certificate on a
Smartcard since it is possible that multiple certificates will use the
same key.

This patch adds the certificate label to the Smartcard authtok item to
resolve the ambiguity if the key-id is used for multiple certificates.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b8800d3e by Sumit Bose at 2020-12-16T15:55:56+01:00
pam_sss: add certificate label to reply to pam_sss

Add the certificate label to the data sent back and forth to the pam
module to avoid the ambiguity if two certificates use the same key.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
f633f37e by Sumit Bose at 2020-12-16T15:55:56+01:00
add tests multiple certs same id

Add unit test for the case that two certificates use the same key.

Resolves: https://github.com/SSSD/sssd/issues/5400

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b5264396 by Madhuri Upadhye at 2020-12-16T16:05:00+01:00
Test: alltests: "enabled" option to domain section

Configure multiple domains and check the 'enabled' parameter.
It consists of 4 test cases:
1. Add 'enabled = true' in both ldap domains and check userlookups.
2. Check userlookup when 'domains = ldap1' and add 'enabled =
   true' in both ldap1, ldap2 section.
3. Check userlookup when enabled option in snippet file and
   'domains = ' in sssd section.
4. Check userlookup when enabled option is set true in snippet
   file

Verifies:
  Issue: #4743
  Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1884196

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
2b00d507 by Madhuri Upadhye at 2020-12-16T16:05:00+01:00
Update remove command to delete the snippet files

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
014f416d by Madhuri Upadhye at 2020-12-16T16:05:00+01:00
Update the title of test case.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
1e9abd50 by Paweł Poławski at 2020-12-22T17:10:23+01:00
data_provider_be: Add random offset default

Replace hardcoded default value of 30 with more meaningful
OFFLINE_TIMEOUT_RANDOM_OFFSET define.

This value is used to calculate task timeout during offline
status checking by formula (from SSSD MAN page):

new_interval = (old_interval * 2) + random_offset

As it is explicitly mentioned in the documentation, it should
be expressed in the code in a similar way.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
171b664e by Paweł Poławski at 2020-12-22T17:10:23+01:00
data_provider_be: MAN page update

Updated description of parameters:
* offline_timeout
* offline_timeout_max

MAN page now explains that in some circumstances
correlation of offline_timeout and offline_timeout_max values
may lead to offline checking interval not incrementing.
This is a false positive error as in fact the value
just saturates almost instantly.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
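The two commits above quote the reconnection formula from the sssd.conf(5) MAN page and explain that a badly chosen offline_timeout_max makes the interval saturate almost at once. The following Python model is an added example, not SSSD code: it applies `new_interval = (old_interval * 2) + random_offset`, caps the result at offline_timeout_max (this example's reading of the "saturates" remark, not quoted code), and offers a check for the case the MAN page update warns about. The random offset bound of 30 comes from the OFFLINE_TIMEOUT_RANDOM_OFFSET commit; the defaults of 60 and 3600 seconds are taken from sssd.conf(5) and are assumptions as far as this page goes.

```python
import random
from typing import List, Optional

# Upper bound of the random offset (the value the commit above turns into a define).
OFFLINE_TIMEOUT_RANDOM_OFFSET = 30


def next_offline_interval(old_interval: int, offline_timeout_max: int,
                          random_offset: int) -> int:
    """sssd.conf(5) formula: new_interval = (old_interval * 2) + random_offset.

    Capping at offline_timeout_max is this example's assumption, modelled on
    the MAN page update's remark that the value "just saturates".
    """
    new_interval = old_interval * 2 + random_offset
    if new_interval > offline_timeout_max:
        new_interval = offline_timeout_max
    return new_interval


def offline_check_schedule(offline_timeout: int, offline_timeout_max: int,
                           attempts: int,
                           random_offset: Optional[int] = None,
                           rng: Optional[random.Random] = None) -> List[int]:
    """Return the wait interval used before each of `attempts` reconnection attempts.

    With random_offset=None a fresh offset in [0, OFFLINE_TIMEOUT_RANDOM_OFFSET]
    is drawn per step; a fixed random_offset makes the schedule deterministic,
    which is what a unit test or a log-correlation script wants.
    """
    rng = rng or random.Random()
    schedule = []
    interval = offline_timeout
    for _ in range(attempts):
        schedule.append(interval)
        offset = (rng.randint(0, OFFLINE_TIMEOUT_RANDOM_OFFSET)
                  if random_offset is None else random_offset)
        interval = next_offline_interval(interval, offline_timeout_max, offset)
    return schedule


def saturates_on_first_retry(offline_timeout: int, offline_timeout_max: int) -> bool:
    """True when the very first doubling already reaches the cap, so the interval
    never visibly increments: the "false positive" the MAN page update describes."""
    return offline_timeout * 2 >= offline_timeout_max


if __name__ == "__main__":
    # Defaults from sssd.conf(5) (assumed): offline_timeout=60, offline_timeout_max=3600.
    print(offline_check_schedule(60, 3600, 7, random_offset=OFFLINE_TIMEOUT_RANDOM_OFFSET))
    # A cap close to the base interval: the schedule saturates immediately.
    print(offline_check_schedule(60, 100, 4, random_offset=0))
    print(saturates_on_first_retry(60, 100), saturates_on_first_retry(60, 3600))
```

`saturates_on_first_retry` is the check to run on a sssd.conf before concluding that the backoff is broken: if it returns True, the constant interval seen in the logs is the configured behaviour, not a bug.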
e350d917 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:autofs: cosmetic updates

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
df723cb9 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB: wrong debug message corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d8af1db8 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:sudo: changed debug message to be consistent

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b4acf71d by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:iphosts: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a73df70e by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:ipnetworks: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
033c31a2 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:ops: few debug messages were corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
74458241 by Alexey Tikhonov at 2020-12-22T19:34:47+01:00
SYSDB:search: few debug messages were corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f55c9599 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:selinux: debug message severity level was adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e731368e by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:service: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
82dc14b0 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:upgrade: debug message corrected

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
daa5454f by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB:views: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fe0530ef by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
MONITOR: severity level of few debug messages adjusted

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
85d8adc4 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
P11_CHILD: severity level of few debug messages adjusted

Severity level of a few debug messages was adjusted and a journal message
in case of disabled certificate verification was added.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d6f6f053 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
AD: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2f70695a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
DP: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
667b983a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
IPA: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9244820a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
KRB5: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ff8f44ce by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
LDAP: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d91409df by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
PROXY: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fb052a4c by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
RESOLV: debug message correction

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
018c08ac by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
AUTOFS: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
01ba32f2 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
CACHE_REQ: debug message correction

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
058644f2 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
RESPONDER: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f457a1a6 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
IFP: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f028253f by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
NSS: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3cbd0465 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
PAM: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5068655a by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
UTIL: few debug message corrections

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ac228590 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
PAM: reduce log level in may_do_cert_auth()

Reduce log level in may_do_cert_auth() as this is not a critical failure

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a7b6413d by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
UTIL: sss_ldb_error_to_errno() improved

The LDB_ERR_NO_SUCH_ATTRIBUTE error code was added to the mapping and the log level
for unknown error codes was reduced.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
52dc8554 by Alexey Tikhonov at 2020-12-22T19:34:48+01:00
SYSDB: reduce log level in sysdb_update_members_ex() in case of a failed attempt to DEL a nonexistent attribute

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
99e44d9d by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: added missed \n in log message

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a419b7e6 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SSS_IFACE: corrected misleading return code

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1af89925 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: corrected confusing message

Log message like:
```
sysdb_getpwnam() got more users than expected. Expected [1], got [0]
```
looks a bit confusing.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
69aa3e8c by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
DP: do not log failure in case provider doesn't support check_online method

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
90dae38d by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
RESPONDER: reduce log level in sss_parse_inp_done() in case of "Unknown domain" since this might be a search by UPN

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6e3b4d74 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SBUS: reduced log level in case of unexpected signal

Most probably the module is not fully initialized yet.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a7b145b9 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: reduced log level in hosts_get_done()

An absent host in the LDAP server isn't an SSSD failure.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
26fdc3c8 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
CACHE_REQ: reduced log level in cache_req_object_by_name_well_known(). Non-fqdn input isn't necessarily an error here.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ed6ec569 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SDAP: reduced log level in case group without members

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29f243fd by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
AD: reduced log level in case check_if_pac_is_available() can't find user entry. This is a typical situation when, for example, an INITGROUPS lookup is executed for an uncached user.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4fe060ab by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
FILES: reduced debug level in refresh_override_attrs() in case "No overrides, nothing to do"

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
644453f8 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LOGS: default log level changed to <= SSSDBG_OP_FAILURE

:config: New default value of `debug_level` is 0x0070

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
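The commit above makes 0x0070 the default `debug_level`, i.e. only messages at SSSDBG_OP_FAILURE and more severe are written. The Python below is an added example (not SSSD code) that parses SSSD log lines and shows which ones survive a given mask. The level bit values are taken from sssd.conf(5) rather than from this page, so treat the table as an assumption if your version differs; the sample lines are the ones quoted in commit 2499bd14 later on this page.

```python
import re
from typing import Dict, Iterable, List, Optional

# Bit values of the SSSD debug levels as listed in sssd.conf(5)
# (added from the manual page; only 0x0040, 0x0400, 0x2000 and the
# SSSDBG_OP_FAILURE name appear on this page itself).
SSSDBG_LEVELS: Dict[str, int] = {
    "SSSDBG_FATAL_FAILURE": 0x0010,
    "SSSDBG_CRIT_FAILURE": 0x0020,
    "SSSDBG_OP_FAILURE": 0x0040,
    "SSSDBG_MINOR_FAILURE": 0x0080,
    "SSSDBG_CONF_SETTINGS": 0x0100,
    "SSSDBG_FUNC_DATA": 0x0200,
    "SSSDBG_TRACE_FUNC": 0x0400,
    "SSSDBG_TRACE_LIBS": 0x1000,
    "SSSDBG_TRACE_INTERNAL": 0x2000,
    "SSSDBG_TRACE_ALL": 0x4000,
}

# New default from commit 644453f8: everything up to and including SSSDBG_OP_FAILURE.
DEFAULT_DEBUG_LEVEL = 0x0070

# Sample input: log lines quoted in commit 2499bd14 on this page, plus the "..."
# elision marker that appears between them.
SAMPLE_LOG = [
    "(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): "
    "sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured",
    "...",
    "(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): "
    "CR #3: Looking up [auto.home:test] in cache",
    "(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): "
    "CR #3: Object [auto.home:test] was not found in cache",
    "(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): "
    "CR #3: This request type does not support negative cache",
    "(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): "
    "CR #3: Finished: Error 1432158212: SSSD is offline",
]

# "(timestamp): [component] [function] (0xLEVEL): message"; the component may
# itself contain brackets (be[implicit_files]), hence the lazy match.
LOG_LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[(?P<component>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def level_names(mask: int) -> List[str]:
    """Names of the debug levels enabled by a debug_level bitmask."""
    return [name for name, bit in SSSDBG_LEVELS.items() if mask & bit]


def parse_log_line(line: str) -> Optional[dict]:
    """Split one SSSD log line into its fields; None for non-matching lines."""
    m = LOG_LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["level"] = int(fields["level"], 16)
    return fields


def filter_log(lines: Iterable[str], debug_level: int) -> List[str]:
    """Keep the lines SSSD would have emitted with the given debug_level mask."""
    kept = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:          # elision markers, continuation lines
            continue
        if parsed["level"] & debug_level:
            kept.append(line)
    return kept


if __name__ == "__main__":
    print(level_names(DEFAULT_DEBUG_LEVEL))
    for line in filter_log(SAMPLE_LOG, DEFAULT_DEBUG_LEVEL):
        print(line)
```

With the new default only the `(0x0040)` "DP target is not configured" line remains; the trace lines that made the autofs offline problem diagnosable need `debug_level` raised to include 0x0400 and 0x2000, which is worth remembering before asking a user for logs from a default installation.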
0986cf6c by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
UTIL: fixed bug in server_setup() that prevented setting debug level to 0 explicitly

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9215cf4e by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
CERTMAP: removed stray debug message

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9390af3c by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: reduce log level in apply_subdomain_homedir()

Missing UID for SYSDB_GROUP_CLASS is not an error
(see commit message of e66517dcf63f1d4aaf866c22371dac7740ce0a48 for
additional details)

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
60b17be9 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SYSDB: changed log level in sysdb_update_members_ex()

Failing to add an already existing member isn't critical.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bf873598 by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: ignore failed group search in certain cases

It's currently expected to see those messages with sudo or HBAC rules in play.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e86599ba by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
IPA: changed logging in ipa_get_subdom_acct_send()

Frontends do not know what kind of lookup the backends support
so it is expected that they might send unsupported requests.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dba7de0d by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
SYSDB: changed logging in sysdb_get_real_name()

Missing cache entry isn't an error.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
00e3ac4a by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: reduce log level in case of failure to store members of a missing group (it might be a built-in skipped intentionally)

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0db68a1f by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
LDAP: sdap_save_grpmem(): log level changed

There are legitimate reasons when sdap_save_grpmem() can be called
with `ignore_group_members = true`

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd2f38ab by Alexey Tikhonov at 2020-12-22T19:34:49+01:00
UTIL: find_domain_by_object_name_ex() changed log level

It's up to the user of this function to judge if failing to parse the fqname is
a critical error.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ea1739d by Pavel Březina at 2021-01-11T11:23:57+01:00
pam_sss: fix missing initializer warning

src/sss_client/pam_sss.c: In function ‘prompt_sc_pin’:
src/sss_client/pam_sss.c:1865:41: error: missing initializer for field ‘prev’ of ‘struct cert_auth_info’ [-Werror=missing-field-initializers]
 1865 |                                         NULL, NULL, NULL, NULL, NULL, NULL };

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c0ae6d34 by Pavel Březina at 2021-01-11T11:23:57+01:00
pamsrv_gssapi: fix implicit conversion warning

src/responder/pam/pamsrv_gssapi.c: In function ‘pam_cmd_gssapi_sec_ctx’:
src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from ‘enum sss_domain_type’ to ‘enum cache_req_dom_type’ [-Werror=enum-conversion]
  716 |                                      cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a25256fe by Sergio Durigan Junior at 2021-01-11T11:24:19+01:00
Only start sssd.service if there's a configuration file present

This commit is the follow-up of the discussion that is happening here:

https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1900642

In a nutshell, SSSD is compiled with --disable-files-domain and
installed without a configuration file by default, which means that
it's impossible to start it successfully unless the user has actively
created/copied a sssd.conf inside /etc/sssd.

There are two possible ways to have sssd.service successfully start:

1) If SSSD is configured with --enable-files-domain, then no
   configuration file is required, and the service can start normally.

2) If SSSD is configured with --disable-files-domain, then a
   configuration file is required.  This can be either
   /etc/sssd/sssd.conf, or a snippet under /etc/sssd/conf.d/.

For this reason, I'd like to suggest that we conditionally add the
following lines to sssd.service:

  ConditionPathExists=|/etc/sssd/sssd.conf
  ConditionDirectoryNotEmpty=|/etc/sssd/conf.d/

These lines will be added only if SSSD is not configured with
--enable-files-domain.

Signed-off-by: Sergio Durigan Junior <sergio.durigan at canonical.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1a616b59 by Steeve Goveas at 2021-01-11T11:26:26+01:00
tests: modify ipa client install for fedora

freeipa installs as a package in fedora

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f7ccc679 by Steeve Goveas at 2021-01-15T11:56:12+01:00
TEST: Split tier1 tests with new pytest marker

Runtime for tier1 tests is currently 70 minutes. It will continue to
grow as we add new tests to it and the time for execution would increase
as well. To keep the job to run within 60 minutes, we are adding a new
marker "tier1_2" and a new job. This job will run in parallel on
separate resources to bring down the total time taken for execution.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
19c2c641 by Sumit Bose at 2021-01-15T11:56:31+01:00
simple: fix memory leak while reloading lists

The simple access provider will reload the access and deny lists at
runtime to make sure that users and groups from domains which are
discovered at runtime are properly processed.

While reloading the lists the original lists are not freed and an
intermediate list wasn't removed either.

Resolves: https://github.com/SSSD/sssd/issues/5456

:fixes: Memory leak in the simple access provider

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d207eaaf by Alexey Tikhonov at 2021-01-15T12:02:06+01:00
RESOLV: handle fail of ares_parse_*_reply() properly

With modern versions of c-ares the ares_parse_*_reply() functions don't touch
`hostent **host` in case of failure.
This means it's unreliable to check for (hostent != NULL) without previous
initialization.
To be on the safe side it's better to check the return code as well.

Resolves: https://github.com/SSSD/sssd/issues/5451

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
0f2d31e2 by Steeve Goveas at 2021-01-15T12:18:45+01:00
tests: netstat command not found for test

use ss instead of installing net-tools for netstat.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bdf461c7 by Alexey Tikhonov at 2021-01-15T12:51:49+01:00
SBUS: do not try to del non existing sender

Resolves: https://github.com/SSSD/sssd/issues/5425

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b5c5281c by aborah at 2021-01-15T12:52:24+01:00
TESTS:sssd-kcm does not store TGT with ssh login using GSSAPI

A RHEL 8.0 system set up for GSSAPI login for ssh allows to
log in but does not actually store the ticket. klist shows
no ticket after login. NFS4 with kerberos does not mount
a home directory as a result.

Verifies: https://github.com/SSSD/sssd/issues/5333

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1722842

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
39c52817 by Anuj Borah at 2021-01-15T12:52:41+01:00
TESTS:KCM: Increase client idle timeout to 5 minutes

By default, KCM has a 60-second idle client timeout.
This might not be enough, because the client is often kinit,
so there is some user interaction involved.

Verifies: https://github.com/SSSD/sssd/issues/4829

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1884205

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
cc173629 by Pavel Březina at 2021-01-15T14:29:18+01:00
gssapi: default pam_gssapi_services to NULL in domain section

We need to distinguish when the option is not set in domain section and when
it is explicitly disabled. Now if it is not set, domain->gssapi_services
is NULL and we'll use value from the pam section.

Without this change, the value in the pam section is ignored.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
111b8b4d by Pavel Březina at 2021-01-15T14:29:18+01:00
pam_sss_gssapi: fix coverity issues

```
1. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
Expand
2. Defect type: RESOURCE_LEAK
3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
Expand
3. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
Expand
4. Defect type: RESOURCE_LEAK
6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
Expand
5. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
Expand
6. Defect type: RESOURCE_LEAK
7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.

1. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
Expand
2. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
Expand
3. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
Expand
4. Defect type: CLANG_WARNING
1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'
```

Also fix compilation warning
```
../src/sss_client/pam_sss_gss.c:339:5: warning: ‘reply’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  339 |     free(reply);
      |     ^~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:328:14: note: ‘reply’ was declared here
  328 |     uint8_t *reply;
      |              ^~~~~
../src/sss_client/pam_sss_gss.c:270:11: warning: ‘reply_len’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  270 |     upn = malloc(reply_len * sizeof(char));
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/sss_client/pam_sss_gss.c:327:12: note: ‘reply_len’ was declared here
  327 |     size_t reply_len;
      |            ^~~~~~~~~
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2499bd14 by Pavel Březina at 2021-01-18T10:36:33+01:00
cache_req: ignore autofs not configured error

Otherwise we return ERR_OFFLINE for domains where autofs provider is not
set (such as implicit files domain) which is undesirable.

Steps to reproduce:
1. Enable implicit files domains and LDAP domain with autofs configured
2. Setup NFS server to export `/exports` with `/exports/home/test`
3. Add autofs mount points:
```
dn: ou=mount,dc=ldap,dc=vm
ou: mount
objectClass: organizationalUnit
objectClass: top

dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.master

dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /export/home
nisMapEntry: auto.home
nisMapName: auto.master

dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisMap
objectClass: top
nisMapName: auto.home

dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm
objectClass: nisObject
objectClass: top
cn: /
nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/&
nisMapName: auto.home
```
4. Run SSSD and autofs
5. cd to /exports/home/test

The directory will not be mounted with the new autofs protocol. It
will succeed with the old protocol. In both versions, you'll see
that SSSD returned ERR_OFFLINE:

```
(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured
...
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache
(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache
(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c48a4e80 by Alexey Tikhonov at 2021-01-18T11:15:33+01:00
Removed leftovers after PR #5246

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6ca29942 by Sumit Bose at 2021-01-18T11:15:52+01:00
krb5_child: use proper umask for DIR type ccaches

The current umask only had files in mind and hence only allowed read and
write permissions for the user. If the new directory must be created
for DIR type credentials caches the 'execute' permission is needed as
well so that the user can change into the directory. This patch changes
the umask to allow this if a DIR type credential cache is requested.

Resolves: https://github.com/SSSD/sssd/issues/5436

:fixes: krb5_child uses proper umask for DIR type ccaches

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
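The umask point in the commit above, as an added illustration that is not SSSD's or krb5_child's code: a helper creates a file and a directory while a given umask is in effect and reports the permission bits that actually land on disk. Under a files-only mask such as 0177 a freshly created directory ends up 0600, so even its owner cannot chdir into it; a mask of 0077 keeps owner rwx (0700) while still denying group and others. The two mask values, the scratch location under /tmp and the entry names are assumptions for the demonstration, not constants taken from krb5_child.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Masks used for the demonstration (assumed, not krb5_child's values):
 * 0177 is a files-only mask (owner rw); 0077 also keeps the owner's x bit,
 * which a directory needs before its owner can enter it. */
#define FILE_ONLY_UMASK 0177
#define DIR_SAFE_UMASK  0077

/* Create `path` (a directory when is_dir != 0, otherwise a regular file)
 * while `mask` is in effect, restore the caller's umask, and return the
 * permission bits that actually landed on disk, or -1 on error. */
int mode_after_umask(const char *path, int is_dir, mode_t mask)
{
    mode_t saved = umask(mask);
    int rc;

    if (is_dir) {
        rc = mkdir(path, 0777);          /* request everything ... */
    } else {
        int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
        rc = (fd < 0) ? -1 : close(fd);  /* ... and let the umask strip it */
    }
    umask(saved);                        /* never leave the caller's umask changed */
    if (rc != 0) {
        return -1;
    }

    struct stat st;
    if (stat(path, &st) != 0) {
        return -1;
    }
    return (int)(st.st_mode & 0777);
}

/* Create one scratch entry inside a fresh mkdtemp() directory with `mask`
 * applied, return its mode bits and remove everything again. */
int scratch_mode(int is_dir, mode_t mask)
{
    char base[] = "/tmp/ccache-umask-XXXXXX";   /* constructed scratch location */
    char path[sizeof(base) + 16];
    int mode;

    if (mkdtemp(base) == NULL) {
        return -1;
    }
    snprintf(path, sizeof(path), "%s/%s", base, is_dir ? "dir" : "file");

    mode = mode_after_umask(path, is_dir, mask);

    if (is_dir) {
        rmdir(path);
    } else {
        unlink(path);
    }
    rmdir(base);
    return mode;
}

/* A directory is only usable as a DIR: ccache if its owner can traverse it. */
int owner_can_traverse(int mode)
{
    return mode >= 0 && (mode & S_IXUSR) != 0;
}

int main(void)
{
    int file_mode = scratch_mode(0, FILE_ONLY_UMASK);
    int bad_dir   = scratch_mode(1, FILE_ONLY_UMASK);
    int good_dir  = scratch_mode(1, DIR_SAFE_UMASK);

    printf("file under 0177: %04o\n", (unsigned)file_mode);
    printf("dir  under 0177: %04o, owner can enter: %s\n", (unsigned)bad_dir,
           owner_can_traverse(bad_dir) ? "yes" : "no");
    printf("dir  under 0077: %04o, owner can enter: %s\n", (unsigned)good_dir,
           owner_can_traverse(good_dir) ? "yes" : "no");
    return 0;
}
```

Running it shows the file at 0600 under both masks, the directory at 0600 (not enterable) under 0177 and at 0700 under 0077; the check to carry over into a real helper is the one in `owner_can_traverse`: before handing a directory-type ccache to a user, confirm the owner x bit survived the umask.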
66ef363b by Alexey Tikhonov at 2021-01-18T11:16:20+01:00
dhash tables are now created with count=0 whenever no useful size hint available

This improves performance. For justification see
https://github.com/SSSD/sssd/issues/5134#issuecomment-737443576
and next comment.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cdad9480 by Madhuri Upadhye at 2021-01-21T10:49:05+01:00
Tests: alltests: "ldap_library_debug_level" option to domain section

Configure single domain and check "ldap_library_debug_level"
parameter.
It consists of three test cases:
  1. Check ldap_library_debug_level option with config-check
  2. Set ldap_library_debug_level to zero and check
     corresponding logs
  3. Set ldap_library_debug_level to two and check
     corresponding logs

Verifies:
Issue: #5178
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1884207

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
a06ce210 by Marco Trevisan (Treviño) at 2021-01-21T10:49:21+01:00
test_ca: Look for libsofthsm2 in libdir before falling back to hardcoded paths

Right now building SSSD in archs different from amd64 (at least in
debian and derivatives) won't ever get the test_CA built because
libsofthsm2 won't be found (leading also to #5397 at times).

As per this, until they won't provide a pkg-config file:
 - Prioritize looking for libsofthsm2 in configured libdir (will help
   the developer case when using custom prefixes with custom softhsm2)
 - Fallback to /usr prefixes, supporting any arch (not only x86_64)

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0c6924b8 by Alexey Tikhonov at 2021-01-22T12:57:50+01:00
SBUS: set sbus_name before dp_init_send()

Some async task might access sbus_name before dp_initialized() was executed

Resolves: https://github.com/SSSD/sssd/issues/5466

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e7fb88fc by Sumit Bose at 2021-01-22T12:58:10+01:00
BUILD: Accept krb5 1.19 for building the PAC plugin

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fb6edec6 by Shridhar Gadekar at 2021-01-22T12:58:38+01:00
Tests:ad:sudo: support non-posix groups in sudo rules

Verifies #sudo: support non-posix groups in sudo rules
bz1826272

Signed-off-by: Shridhar Gadekar <sgadekar at sgadekar.pnq.csb>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
6c9f929a by Deepak Das at 2021-01-25T11:31:14+01:00
man: sss_override clarification

Clarify sss_override in man pages to indicate that the command is only
supported with LDAP and AD provider.

Resolves: https://github.com/SSSD/sssd/issues/5471

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e07eeea7 by Sumit Bose at 2021-01-25T11:31:38+01:00
responders: add callback to schedule_get_domains_task()

To allow responders to run dedicated code at the end of the initial
getDomains request a callback is added.

Resolves: https://github.com/SSSD/sssd/issues/5469

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cb936e92 by Sumit Bose at 2021-01-25T11:31:38+01:00
pam: refresh certificate maps at the end of initial domains lookup

During startup SSSD's responders send a getDomains request to all
backends to refresh some domain related needed by the responders.

The PAM responder specifically needs the certificate mapping and
matching rules when Smartcard authentication is enabled. Currently the
rules are not refreshed at the end of the initial request but the code
assumed that the related structures are initialized after the request
finished.

To avoid a race condition this patch adds a callback to the end of the
request to make sure the rules are properly refreshed even if they are
already initialized before.

Resolves: https://github.com/SSSD/sssd/issues/5469

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cd48ef50 by Alexander Bokovoy at 2021-01-26T11:53:52+01:00
sudo runas: do not add '%' to external groups in IPA

When IPA allows to add AD users and groups directly to sudo rules
(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
Thus, we don't need to add additional '%'.

Resolves: https://github.com/SSSD/sssd/issues/5475
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0eb0281c by Pavel Březina at 2021-01-26T11:56:22+01:00
man: add auto_private_groups to subdomain_inherit

This option can be inherited since 41c497b8b9e6efb9f2aa8e4cc869d465c3b954b3

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
12eb04b2 by Pavel Březina at 2021-01-26T11:56:22+01:00
subdomains: allow to inherit case_sensitive=Preserving

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive` option can be now inherited by subdomains

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f2655950 by Pavel Březina at 2021-01-26T11:56:22+01:00
subdomains: allow to set case_sensitive=Preserving in subdomain section

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive` can be now set separately for each
  subdomain in `[domain/parent/subdomain]` section
:feature: `case_sensitive=Preserving` can now be set for trusted domains with AD provider

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f6bb31af by Pavel Březina at 2021-01-26T11:56:22+01:00
subdomains: allow to inherit case_sensitive=Preserving for IPA

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive=Preserving` can now be set for trusted domains
  with IPA provider. However, the option needs to be set to `Preserving`
  on both client and the server for it to take effect.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
944c47e2 by Pavel Březina at 2021-01-26T11:56:22+01:00
man: update case_sensitive documentation to reflect changes for subdomains

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
568bb1a0 by peptekmail at 2021-01-26T11:59:10+01:00
Add rsassapss cert for future checks

3rd party smartcard providers sometimes use rsassapss for signing combined with a smaller nonstandard exponent.
Unexpected characters in the commonname field creates troubles.
Add more unexpected settings to this cert to easily create future checks.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
92ed415c by peptekmail at 2021-01-26T11:59:10+01:00
Add rsassapss cert for future checks

3rd party smartcard providers sometimes use rsassapss for signing combined with a smaller nonstandard exponent.
Unexpected characters in the commonname field creates troubles.
Add more unexpected settings to this cert to easily create future checks.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f3576ea by peptekmail at 2021-01-26T11:59:10+01:00
Add rsassapss cert for future checks

Fix README typo

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b0edc83e by Armin Kuster at 2021-01-29T10:19:31+01:00
Provide missing defines which otherwise are available on glibc system headers

Signed-off-by: Armin Kuster <akuster808 at gmail.com>

--
V2]
remove space before define

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3986dead by Alexey Tikhonov at 2021-01-29T10:19:50+01:00
PROXY: child process security hardening

Resolves: https://github.com/SSSD/sssd/issues/3730

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b6fc7c0e by Alexey Tikhonov at 2021-01-29T10:19:50+01:00
Sanitize --domain option to allow safe usage as a part of log file name

Resolves: https://github.com/SSSD/sssd/issues/3730

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
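The sanitisation point in the commit above, as an added example that is not SSSD's own routine: a user-controlled `--domain` value becomes part of a log file name, so anything that can act as a path separator or turn the name into a dot-file has to be neutralised before the string reaches `open()`. The allowed character set, the 64-byte cap and the `sssd_<domain>.log` naming below are assumptions chosen for the illustration; the hostile inputs are constructed, not taken from a real report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum length kept for the domain component of a log file name
 * (assumed for this demonstration; comfortably below NAME_MAX). */
#define LOG_DOMAIN_MAX 64

/* Bytes allowed to pass through unchanged: ASCII letters, digits, '.',
 * '-' and '_'. Everything else ('/', '\\', spaces, control bytes, bytes
 * above 0x7f) is replaced by '_'. */
static int is_safe_byte(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
}

/* Reduce an untrusted domain string to a single, non-hidden path component.
 * Returns 0 on success, -1 if `in` is empty or `out_len` is too small.
 * This illustrates the approach; it is not the code SSSD ships. */
int sanitize_domain_for_log(const char *in, char *out, size_t out_len)
{
    size_t n = strlen(in);
    if (n == 0 || out_len < 2) {
        return -1;
    }
    if (n > LOG_DOMAIN_MAX) {
        n = LOG_DOMAIN_MAX;              /* truncate rather than risk ENAMETOOLONG */
    }
    if (n + 1 > out_len) {
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = is_safe_byte(c) ? (char)c : '_';
    }
    out[n] = '\0';
    if (out[0] == '.') {
        out[0] = '_';                    /* rules out ".", ".." and dot-files */
    }
    return 0;
}

/* Assemble "<log_dir>/sssd_<sanitized domain>.log" (naming is assumed). */
int build_domain_log_path(const char *log_dir, const char *domain,
                          char *out, size_t out_len)
{
    char safe[LOG_DOMAIN_MAX + 1];
    if (sanitize_domain_for_log(domain, safe, sizeof(safe)) != 0) {
        return -1;
    }
    int w = snprintf(out, out_len, "%s/sssd_%s.log", log_dir, safe);
    return (w < 0 || (size_t)w >= out_len) ? -1 : 0;
}

/* Small wrappers that return a verdict, handy for tests and scripts. */
int sanitized_equals(const char *in, const char *expected)
{
    char buf[LOG_DOMAIN_MAX + 1];
    if (sanitize_domain_for_log(in, buf, sizeof(buf)) != 0) {
        return 0;
    }
    return strcmp(buf, expected) == 0 && strchr(buf, '/') == NULL;
}

int sanitize_rejects(const char *in)
{
    char buf[LOG_DOMAIN_MAX + 1];
    return sanitize_domain_for_log(in, buf, sizeof(buf)) == -1;
}

int log_path_equals(const char *dir, const char *domain, const char *expected)
{
    char buf[256];
    if (build_domain_log_path(dir, domain, buf, sizeof(buf)) != 0) {
        return 0;
    }
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char path[256];
    const char *hostile = "../../etc/cron.d/evil";   /* constructed attacker input */

    if (build_domain_log_path("/var/log/sssd", hostile, path, sizeof(path)) == 0) {
        printf("%s -> %s\n", hostile, path);
    }
    return 0;
}
```

With the constructed input `../../etc/cron.d/evil` the resulting path stays inside the log directory (`/var/log/sssd/sssd__._.._etc_cron.d_evil.log`); a legitimate value such as `ad.example.com` passes through unchanged. An allow-list on the byte level is preferable to stripping known-bad sequences like `../`, which can be reassembled by overlapping patterns.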
2d26c95d by Sumit Bose at 2021-02-04T14:09:13+01:00
ssh: restore default debug level

The recent change of the default debug level for the main SSSD
components affected the ssh helpers sss_ssh_authorizedkeys and
sss_ssh_knownhostsproxy as well.

To avoid any confusion about unexpected debug messages this patch
restores the original value for the two helpers.

Resolves: https://github.com/SSSD/sssd/issues/5488

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
536e8b83 by Madhuri Upadhye at 2021-02-04T14:09:35+01:00
alltests: password_policy: Removing the log debug messages

Removing the debug messages since they are neither from PAM, SSSD,
nor passwd and the test does not depend on these debug messages.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
5892c367 by Evgeny Sinelnikov at 2021-02-04T14:09:50+01:00
krb5: allow to use subdomain realm during authentication

Resolves: https://github.com/SSSD/sssd/issues/4759

:feature: `krb5_use_subdomain_realm=True` can now be used when subdomain user
  principal names with different upnSuffixes not found in parent domain as it
  requires to be supported on serverside, but not implemented in samba yet.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78af35c3 by Pavel Březina at 2021-02-05T11:56:52+01:00
po: add pam_sss_gss to translated man pages

- - - - -
6add2ef3 by Pavel Březina at 2021-02-05T11:59:35+01:00
pot: update pot files

- - - - -
01cc2674 by Valters Jansons at 2021-02-05T13:06:43+01:00
DEBUG: Drop custom syslog identifier from journald

`SYSLOG_IDENTIFIER` field is removed from logging output to journald.
The default behavior will use the program name automatically.

This ensures that if there is rsyslog in place, producing BSD-format
syslog output (RFC 3164), then there are no unexpected `[` characters.
The resulting syslog output will also be aligned with the behavior
of `--with-syslog=syslog` which uses the program name by default.

`SSSD_PRG_NAME` field has been added to the journald log as well,
to be consistent with the `DEBUG()` output. This field holds the
value that `SYSLOG_IDENTIFIER` had previously and can be used for
filtering journal as a drop-in replacement.

Resolves: https://github.com/SSSD/sssd/issues/4590

:relnote: `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald
  output, to avoid issues with PID parsing in rsyslog (BSD-style
  forwarder) output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d163a120 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: synchronize with Fedora 34 spec file

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3e5ff111 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove unneeded conditionals and unused variables

This patch removes unused variables and unneeded conditions that
reflect current state.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8b68aa28 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: keep _strict_symbol_defs_build

SSSD now builds fine with -Wl,-z,defs

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
eb6a3bac by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: enable LTO

SSSD builds fine with LTO. The only problem was in tests but it is now fixed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2b1c3c3d by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove support for NSS

We no longer build with NSS. The --with-crypto option no longer exists and
we don't require these packages anymore.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fcbbf124 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove --without-python2-bindings

Python2 bindings are not built by default anymore.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2970cd63 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: re-import changes that were not merged in Fedora

There were several changes in upstream spec file that were not merged
in Fedora but fixed valid problems. These are:

- https://github.com/SSSD/sssd/pull/1008
- https://github.com/SSSD/sssd/pull/1039
- https://github.com/SSSD/sssd/pull/5137
- https://github.com/SSSD/sssd/commit/e698d53e0ddd3c2778e04fd8e405f8c0cee0a766
- https://github.com/SSSD/sssd/commit/7fbc7e3ffb7a5c0090bb2091011762dabf1f512f

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5eb4d5c8 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: synchronize with RHEL spec file

Bring stuff from RHEL spec file that was not available in Fedora.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e56ddbed by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: use sssd user on RHEL

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
38d76146 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove conflicts that no longer make sense

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
bf1482c2 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove unused BuildRequires

- http-parser-devel, libcurl-devel - needed by secrets responder which is not built anymore
- dbus-libs, openssl, systemd - pulled in by -devel packages
- libcollection-devel, nspr-devel - not required

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
6f47eaca by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: remove unused Requires

- simpleifp was required by sssctl but not anymore
- we don't call ldconfig in post for client

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5d02f1e8 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: sort Requires, BuildRequires and configure for better clarity

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
482ab2d8 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: comment some requirements

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ff0f7656 by Alexey Tikhonov at 2021-02-05T13:09:33+01:00
Makefile: add missing '-fno-lto' to some tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ea55cd02 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: fix spelling in package description

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3ee3c4c6 by Pavel Březina at 2021-02-05T13:09:33+01:00
spec: use %autosetup instead of %setup

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
78323d44 by Pavel Březina at 2021-02-05T13:09:33+01:00
configure: libcollection is not required

libcollection is required by other ding-libs libraries but it is not
directly required for sssd.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b38701b9 by Weblate at 2021-02-05T13:12:14+01:00
Update the translations for the 2.4.1 release

- - - - -
4c47f1da by Pavel Březina at 2021-02-05T13:34:37+01:00
scripts: change release tag from sssd-x_y_z to x.y.z

- - - - -
db51ce55 by Pavel Březina at 2021-02-05T13:45:58+01:00
Update version in version.m4 to track the next release

- - - - -
d547a2dc by Alexey Tikhonov at 2021-02-05T19:02:05+01:00
BUILD: fixes gpo_child linking issue

/usr/bin/ld: src/util/gpo_child-signal.o (symbol from plugin): undefined reference to symbol 'BlockSignals@@SAMBA_UTIL_0.0.1'

Resolves: https://github.com/SSSD/sssd/issues/5385

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
33ff9f78 by Timo Aaltonen at 2021-02-09T13:10:42+02:00
Merge branch 'upstream'

- - - - -
325d22db by Timo Aaltonen at 2021-02-09T13:11:07+02:00
bump the version

- - - - -
2d2b2465 by Timo Aaltonen at 2021-02-09T13:19:28+02:00
libpam-sss.install: Add pam_sss_gss.

- - - - -
fce8477a by Timo Aaltonen at 2021-02-10T11:32:41+02:00
releasing package sssd version 2.4.1-1

- - - - -
17621910 by Marco Trevisan (Treviño) at 2021-02-10T13:27:25+02:00
debian/control: Mark test packages as <!nocheck>

- - - - -
0f18dac8 by Marco Trevisan (Treviño) at 2021-02-10T13:27:29+02:00
debian/rules: Don't run tests if nocheck is set

- - - - -
10090fd8 by Marco Trevisan (Treviño) at 2021-02-10T13:27:34+02:00
debian/control: Add missing test dependencies

- - - - -
88f59818 by Marco Trevisan (Treviño) at 2021-02-10T13:27:38+02:00
debian/patches: Get libsofthsm2 from right path for each architecture

- - - - -
d2817ef4 by Marco Trevisan (Treviño) at 2021-02-10T13:27:42+02:00
debian/rules: Enable tests again

- - - - -
69297dcf by Marco Trevisan (Treviño) at 2021-02-10T13:27:46+02:00
debian/control: Enable libcmocka (and so unit tests) all the archs

- - - - -
a4812d2d by Marco Trevisan (Treviño) at 2021-02-10T13:28:18+02:00
debian/changelog: Update

- - - - -
8e54d15c by Timo Aaltonen at 2021-02-10T13:49:02+02:00
test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch: Dropped, upstream.

- - - - -
a70c003a by Timo Aaltonen at 2021-02-10T13:49:10+02:00
releasing package sssd version 2.4.1-2

- - - - -
c0e2e2b1 by Sergio Durigan Junior at 2021-02-10T15:24:21-05:00
d/apparmor-profile: Update profile:

- Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
- Add read/execute permission to /usr/libexec/sssd/*.

- - - - -
c5691ca9 by Sergio Durigan Junior at 2021-02-10T15:26:28-05:00
Update changelog for 2.4.1-3 release

- - - - -
5ce7ced2 by Alexander Bokovoy at 2021-02-11T12:01:23+01:00
pam_sss_gss: support authentication indicators

MIT Kerberos allows to associate authentication indicators with the
issued ticket based on the way how the TGT was obtained. The indicators
present in the TGT then copied to service tickets. There are two ways to
check the authentication indicators:

 - when KDC issues a service ticket, a policy at KDC side can reject the
   ticket issuance based on a lack of certain indicator

 - when a server application presented with a service ticket from a
   client, it can verify that this ticket contains intended
   authentication indicators before authorizing access from the client.

Add support to validate presence of a specific (set of) authentication
indicator(s) in pam_sss_gss when validating a user's TGT.

This concept can be used to only allow access to a PAM service when user
is in possession of a ticket obtained using some of pre-authentication
mechanisms that require multiple factors: smart-cards (PKINIT), 2FA
tokens (otp/radius), etc.

Resolves: https://github.com/SSSD/sssd/issues/5482
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b100efbf by Pavel Březina at 2021-02-11T12:01:43+01:00
sudo: do not search by low usn value to improve performance

This is a follow up on these two commits.

- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57
- 6815844daa7701c76e31addbbdff74656cd30bea

The first one improved the search filter a little bit to achieve better
performance, however it also changed the behavior: we started to search
for `usn >= 1` in the filter if no usn number was known.

This caused issues on OpenLDAP server which was fixed by the second patch.
However, the fix was wrong and searching by this meaningfully low number
can cause performance issues depending on how the filter is optimized and
evaluated on the server.

Now we omit the usn attribute from the filter if there is no meaningful value.

How to test:
1. Setup LDAP with no sudo rules defined
2. Make sure that the LDAP server does not support USN or use the following diff
   to enforce modifyTimestamp (last USN is always available from rootDSE)
```diff

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
75343ff5 by Pavel Březina at 2021-02-16T11:18:20+01:00
ldap: fix modifytimestamp debugging leftovers

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b1f4dc82 by Alexey Tikhonov at 2021-02-16T11:26:20+01:00
SPEC: don't hard require python3-sssdconfig in a meta package

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5c9143e9 by Stanislav Levin at 2021-02-16T11:32:20+01:00
pam_sss: Don't fail on deskprofiles phase for AD users

By default (if session_provider is not none) during session setup
pam_sss attempts to fetch desktop rules and profiles for user from
IPA domain. As part of this job, the data provider looks for the
user info(uid and gid) in IPA domain but fails to do that for AD
user from a trusted domain returning PAM_SESSION_ERR.

The requested target domain has been already found in `dp_req_new`
and may be referenced as `params->domain`. This change doesn't
introduce the possibility to fetch deskprofiles for AD users, but
at least, doesn't break PAM authentication for them.

Resolves: https://github.com/SSSD/sssd/issues/5499
Signed-off-by: Stanislav Levin <slev at altlinux.org>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
135d843f by Pavel Březina at 2021-02-19T10:11:20+01:00
spec: remove setuid bit from child helpers if sssd user is root

The setuid bit is only needed if sssd runs as non-root user.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a53c214b by Alexey Tikhonov at 2021-02-19T10:11:38+01:00
spec file: don't enable implicit files domain on RHEL

Corresponding code is built and users can enable files domain
on an as-needed basis. But there is little value running it on
RHEL "as is" by default.

(As a reminder, as a comment in this file says, this is a
"SSSD SPEC file for Fedora 34+ and RHEL-9+")

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9aaa0e51 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
systemd configs: limit process capabilities

This is to upstream https://src.fedoraproject.org/rpms/sssd/blob/f34/f/0502-SYSTEMD-Use-capabilities.patch

Additionally even more limited CapabilityBoundingSet is applied to ifp and
kcm services (CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
CAP_BLOCK_SUSPEND are excluded as compared to main sssd service)

:relnote: Example systemd service configs now make use of CapabilityBoundingSet
option as a security hardening measure.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ee9dbea1 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
monitor: fixed default value of 'user' config option

1) man page explicitly and unconditionally says that default value
for this option is 'root' so this patch just aligns code with a doc

2) since at the moment "sssd running as non-root" feature isn't really
tested and is proposed at "use at your own risk" basis it wouldn't hurt
to require user to configure this option explicitly even when sssd is
built with "--with-sssd-user=sssd"

This should be changed when feature is really supported.

:relnote: default value of 'user' config option was fixed into accordance
with man page, i.e. default is 'root'

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fd7ce7b3 by Alexey Tikhonov at 2021-02-19T10:12:00+01:00
systemd configs: add CAP_DAC_OVERRIDE in a certain case

If sssd is configured with --with-sssd-user=<user> where <user>!='root'
but is actually run under the root we need CAP_DAC_OVERRIDE to access
files owned by <user>:<user>
If sssd is really run under non-root account that doesn't have this cap
originally then its addition to CapabilityBoundingSet doesn't matter.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
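A practitioner's check for the two CapabilityBoundingSet commits above (the tighter set for ifp and kcm, and the conditional CAP_DAC_OVERRIDE), added here as an example that is not SSSD's code: the kernel exposes a process's bounding set as a hex mask on the `CapBnd:` line of `/proc/<pid>/status`, so verifying that the hardening actually applied means parsing that line and testing individual bits. The capability numbers are the ones defined in `<linux/capability.h>`; the status excerpt is constructed for the demonstration and the "dropped" list mirrors the six capabilities the ifp/kcm commit names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>, spelled out so the
 * example compiles without kernel headers. */
#define CAP_DAC_OVERRIDE   1
#define CAP_KILL           5
#define CAP_NET_ADMIN     12
#define CAP_SYS_ADMIN     21
#define CAP_SYS_NICE      23
#define CAP_SYS_RESOURCE  24
#define CAP_BLOCK_SUSPEND 36

/* Constructed /proc/<pid>/status excerpt (not captured from a real sssd
 * process). Bounding set 0x22 = bit 1 (CAP_DAC_OVERRIDE) + bit 5 (CAP_KILL),
 * i.e. one capability the ifp/kcm units are supposed to drop is still there. */
static const char SAMPLE_STATUS[] =
    "Name:\tsssd_ifp\n"
    "Umask:\t0022\n"
    "State:\tS (sleeping)\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000022\n"
    "CapEff:\t0000000000000022\n"
    "CapBnd:\t0000000000000022\n"
    "CapAmb:\t0000000000000000\n";

/* Locate the "CapBnd:" line and parse its hex mask. Returns 0 and stores
 * the mask, or -1 if the line is missing or malformed. */
int parse_capbnd(const char *status, unsigned long long *mask)
{
    const char *line = status;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, "CapBnd:", 7) == 0) {
            char *end = NULL;
            unsigned long long v = strtoull(line + 7, &end, 16);  /* skips the tab */
            if (end == line + 7 || (*end != '\n' && *end != '\0')) {
                return -1;
            }
            *mask = v;
            return 0;
        }
        line = strchr(line, '\n');
        if (line != NULL) {
            line++;
        }
    }
    return -1;
}

/* Is capability number `cap` present in `mask`? */
int cap_in_mask(unsigned long long mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Count how many of the capabilities the ifp/kcm commit excludes are still
 * in the bounding set; 0 means the tighter set is in effect. */
int leaked_dropped_caps(unsigned long long mask)
{
    static const int dropped[] = { CAP_KILL, CAP_NET_ADMIN, CAP_SYS_NICE,
                                   CAP_SYS_ADMIN, CAP_SYS_RESOURCE,
                                   CAP_BLOCK_SUSPEND };
    int n = 0;
    for (size_t i = 0; i < sizeof(dropped) / sizeof(dropped[0]); i++) {
        n += cap_in_mask(mask, dropped[i]);
    }
    return n;
}

/* Bounding set of the constructed sample; ~0ULL signals a parse failure. */
unsigned long long sample_capbnd(void)
{
    unsigned long long mask;
    return parse_capbnd(SAMPLE_STATUS, &mask) == 0 ? mask : ~0ULL;
}

/* Bounding set of a live process (Linux only, -1 if /proc is unavailable);
 * pid 0 means the calling process. */
int read_capbnd(long pid, unsigned long long *mask)
{
    char path[64], buf[8192];
    size_t n;
    FILE *f;

    if (pid == 0) {
        snprintf(path, sizeof(path), "/proc/self/status");
    } else {
        snprintf(path, sizeof(path), "/proc/%ld/status", pid);
    }
    f = fopen(path, "r");
    if (f == NULL) {
        return -1;
    }
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capbnd(buf, mask);
}

int main(void)
{
    unsigned long long mask = sample_capbnd();
    printf("sample CapBnd=%016llx DAC_OVERRIDE=%d SYS_ADMIN=%d dropped-but-present=%d\n",
           mask, cap_in_mask(mask, CAP_DAC_OVERRIDE), cap_in_mask(mask, CAP_SYS_ADMIN),
           leaked_dropped_caps(mask));
    if (read_capbnd(0, &mask) == 0) {
        printf("this process CapBnd=%016llx\n", mask);
    }
    return 0;
}
```

Point `read_capbnd` at the PID of `sssd_ifp` or `sssd_kcm` on a system running the new unit files and `leaked_dropped_caps` should return 0; for the main `sssd` process the same call shows whether CAP_DAC_OVERRIDE is present, which is what the conditional in the second commit controls.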
f890fc4b by ikerexxe at 2021-02-19T14:28:37+01:00
RESPONDER: check that configured sockets match

Check if the sockets defined in systemd unit and sssd.conf match. If
they don't, then print a warning message.

Moreover, change man page regarding socket_path option to indicate that
it will be overwritten by systemd's unit file.

Resolves: https://github.com/SSSD/sssd/issues/5406

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
50e3221d by Pavel Březina at 2021-02-19T16:43:14+01:00
responder: fix warning in activate_unix_sockets

The warning is with systemd disabled.

```
src/responder/common/responder_common.c: In function ‘activate_unix_sockets’:
src/responder/common/responder_common.c:1005:15: error: unused variable ‘sockaddr_len’ [-Werror=unused-variable]
 1005 |     socklen_t sockaddr_len = sizeof(sockaddr);
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
709bfc4a by Pavel Březina at 2021-02-19T16:57:31+01:00
pot: update pot files

- - - - -
9eeaf23b by Pavel Březina at 2021-02-19T17:06:48+01:00
Update version in version.m4 to track the next release

- - - - -
b5c2389b by Steeve Goveas at 2021-02-24T11:27:50+01:00
TEST: Add function to control services

We can use this function to start stop or restart any service

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
0ff8d462 by Deepak Das at 2021-02-24T11:28:07+01:00
SSSD Log: write_krb5info_file word replacement

Replace write_krb5info_file in SSSD log file with exact filename.

Resolves: https://github.com/SSSD/sssd/issues/5505

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
634b3c94 by aborah at 2021-03-01T11:08:14+01:00
TESTS: First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0

Starting from sssd-1.16.5-10.el7_9, the first query performed
with smart refresh contains modifyTimestamp attribute even
if the modifyTimestamp is 0.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
32d2aa55 by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
prompt config: fix covscan errors

Covscan is confused by dangling pointers in arrays after freeing. Its
analyzer may decide to visit already visited list elements and since
they weren't NULL-ed, it may consider double-free to happen in the code.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d73f1282 by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
covscan: initialize ret variable before use

covscan does consider 'ret' uninitialized even though
GET_ATTR/GET_ATTR_ARRAY macros have explicit and unconditional
assignment to ret. This is confusing but causing actual failures in
covscan runs.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
42c9ca0c by Alexander Bokovoy at 2021-03-05T12:26:17+01:00
covscan: symlink() expects non-NULL second argument

Author: Alexander Bokovoy <abokovoy at redhat.com>

Amended by: Alexey Tikhonov <atikhono at redhat.com>
(used 'EINVAL' as error code instead of 'ENOMEM')

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1724482c by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: replace localtime() with localtime_r()

localtime_r() is much more performant (~x12 times faster on my machine)
as it sets `tzname` only once while localtime() does this every time
it is executed (and this includes string manipulations, getenv(),
stat("/etc/localtime"), etc)

As a result of this replacement, average time consumed by a trivial debug
message (one %d arg) is reduced by ~40..45% on my machine.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f553b57d by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: replace gettimeofday() with time() if usec isn't needed

gettimeofday() is much slower than time() and accounts for ~2% of total
time consumed by DEBUG.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5f840192 by Alexey Tikhonov at 2021-03-05T12:26:35+01:00
DEBUG: cache string representation of last timestamp

Significant part (~15%) of time consumed by DEBUG is spent formatting string
representation of a timestamp. For a case of heavy logging it makes sense
to cache this string and re-format only in case timestamp changed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
815197cb by Pavel Březina at 2021-03-05T12:26:50+01:00
spec: do not use systemd to restart services with RefuseManualStart=true

These service unit files have RefuseManualStart=true, therefore they can
be controlled only as a dependency via the main sssd.service or socket
activation.

Resolves: https://github.com/SSSD/sssd/issues/5521

:fixes: SSSD spec file `%postun` no longer tries to restart services that
  can not be restarted directly to stop producing systemd warnings

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8e8ccca5 by ikerexxe at 2021-03-05T12:27:17+01:00
TESTS: test socket path when systemd activation

Test socket path when sssd-kcm is activated by systemd. If socket in
systemd unit and sssd.conf is defined in different locations then print a
warning.

Verifies: https://github.com/SSSD/sssd/issues/5406

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
b8d8b377 by Alexey Tikhonov at 2021-03-16T13:03:48+01:00
p11_child: fixed mistype in a debug message

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b165acb6 by Steeve Goveas at 2021-03-16T13:04:00+01:00
TEST: missing multihost in service_ctrl

This update will fix the method and make it usable

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
c7733c44 by Steeve Goveas at 2021-03-16T13:13:36+01:00
TEST: Update test docstrings enable polarion updates

These docstring updates are a requirement to enable automatic updates
into polarion using betelguese tool. It will help to add/update test
cases and import test results from CI. Each test case must have 'id' to
make it unique. The tool will use it to update the respective case and
will avoid adding duplicate test case in polarion.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
341c5e35 by Weblate at 2021-03-18T11:44:48+01:00
po: update translations

Currently translated at 2.8% (21 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

Translated using Weblate (Finnish)

Currently translated at 2.5% (68 of 2643 strings)

Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

Translated using Weblate (Chinese (Simplified) (zh_CN))

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

Translated using Weblate (Japanese)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

Translated using Weblate (French)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

Translated using Weblate (Ukrainian)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

Translated using Weblate (Polish)

Currently translated at 100.0% (726 of 726 strings)

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

- - - - -
9da41eb9 by Alexey Tikhonov at 2021-03-22T10:44:52+01:00
SPEC: added 'BuildRequires: po4a'

'po4a' is needed when building from srpm made from upstream sources, i.e.
without prepared translations.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c796088e by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: fix warning ‘security_context_t’ is deprecated

The type is now deprecated, char * should be used instead
https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3fba29f9 by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: fix warning ‘matchpathcon’ is deprecated

```
src/util/selinux.c: In function ‘selinux_file_context’:
src/util/selinux.c:50:9: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
   50 |         if (matchpathcon(dst_name, 0, &scontext) < 0) {
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ecf26727 by Pavel Březina at 2021-03-22T10:45:59+01:00
selinux: make SEC_CTX and SELINUX_CTX typedef instead of macro

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a512fdf by Alexey Tikhonov at 2021-03-25T11:39:14+01:00
systemd configs: add CAP_DAC_OVERRIDE for ifp in certain case

Commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e missed ifp.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0e095147 by Heiko Schlittermann (HS12-RIPE) at 2021-03-25T11:41:07+01:00
Fix setXYent(): rewind always

This compensates for "forgotten" endXYent() calls during the same session,
as observed with Dovecot authd.

Affected functions:

- setgrent()
- sethostent()
- setnetent()
- setnetgrent()
- setpwent()
- setservent()

TLDR;

SSSD assumes the following sequence in the consumer for enumeration:

	setXYent(); while (getXYent()) { ... }; endXYent();
	setXYent(); while (getXYent()) { ... }; endXYent();

But the 2nd setXYent() fails to rewind if in the above sequence the
call to first endXYent() is omitted.

Dovecot's authd is an example for omitting the endpwent(). They confirmed
an associated bug report already. But, formally speaking, the
documentation for setXYent() indicates that it should rewind. Period. :)

The endXYent() probably is for pure comfort, resource management, etc.

I built this into a private copy of the sssd packages Debian ships
(Buster/Debian10, 1.16.3) and used them in production (tested with AD
provided users and groups), using a simple Perl script.

```perl
#! /usr/bin/perl
use strict;
use warnings;
sub users {
    my $n = 0;
    setpwent() or die "setpwent: $!\n";
    $n++ while $_ = getpwent();
    # endpwent();                        # missing!
    return $n;
}
print users(), "\n";        # reports number of all users
print users(), "\n";        # users backed by sssd are missing
```

Resolves: https://github.com/SSSD/sssd/issues/5523

Patch co-authored by Sumit Bose.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
98696414 by Justin Stephenson at 2021-03-31T11:41:51+02:00
CI: Use builtin command for pycodestyle check

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f1661c04 by Tomas Halman at 2021-04-01T11:17:56+02:00
DEBUG: Error is printed when everything is ok

Due to an invalid condition, an error message that the config file does not
exist is printed when there is actually no problem. This update fixes
the condition.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0fd0681d by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved ldb_debug_messages() out of UTILS to SYSDB

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0dfb188e by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved declaration of debug related helpers defined in debug.c from util.h to debug.h

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fee3883b by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: use '--logger' as the only option to configure logger type.

This patch gets rid of:
 - 'debug-to-files', 'debug-to-stderr' command line options
 - undocumented 'debug_to_files' sssd.conf option
and makes '--logger' command line option the only "source of truth" for
logger type configuration.

Those options were not used much anyway but made precedence logic obscure
in case contradictory settings were used.

:config: Long time deprecated and undocumented 'debug_to_files' option was
removed.

:relnote: 'debug-to-files', 'debug-to-stderr' command line and undocumented
'debug_to_files' config options were removed.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc5b64e8 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: make use of existing SSSD_DEBUG_OPTS macro

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c14e439c by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: incorporate sss_set_logger() into DEBUG_INIT

This makes the code less error-prone by reducing the number of function calls
required for debug initialization.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4d133e15 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: remove sss_set_logger() from public API

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cf699170 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: added several comments to debug.h API and moved rarely used / "private" functions to the bottom.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
374d644f by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
Moved SSSDBG_MASK_ALL out of debug.h since it is only used in tests.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
dde57f76 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: incorporate open_debug_file() into DEBUG_INIT

This makes the code less error-prone by reducing the number of function calls
required for debug initialization.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
21334de2 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
MONITOR: added logging of cmd used to start services

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0cddb671 by Alexey Tikhonov at 2021-04-01T11:18:12+02:00
DEBUG: introduce SSSDBG_TOOLS_DEFAULT

Resolves: https://github.com/SSSD/sssd/issues/5488

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
66960c76 by Alexey Tikhonov at 2021-04-01T11:18:13+02:00
MONITOR: in case '-i' is given don't force logger to 'stderr' if its value is specified explicitly

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9a39ceba by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: remove unneeded kcm.h

This file was copied from MIT Kerberos code, but we do not really
need it.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
81130b23 by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: add support for MIT extensions

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
560e2479 by Pavel Březina at 2021-04-06T10:45:25+02:00
kcm: add GET_CRED_LIST for faster iteration

For large caches, one IPC operation per credential dominates the cost
of iteration. Instead transfer the whole list of credentials to the
client in one IPC operation.

Resolves: https://github.com/SSSD/sssd/issues/5545

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
49010b16 by Iker Pedrosa at 2021-04-08T11:16:54+02:00
configure: set CPP macro with AC_PROG_CPP

sssd build with an autoconf version greater than 2.70 fails because CPP
macro is empty. This change fixes this problem by setting the macro with
AC_PROG_CPP at the beginning of the configuration.

Resolves: https://github.com/SSSD/sssd/issues/5563

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cd843daf by Massimiliano Torromeo at 2021-04-08T11:17:21+02:00
configure: Fix python headers detection with recent autoconf

Resolves: https://github.com/SSSD/sssd/issues/5336

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
b6efe6b1 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: handle large service tickets

Resolves: https://github.com/SSSD/sssd/issues/5568

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c6a76283 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: reduce duplication of code that handles larger-than-normal packets

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
63f318f7 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: add debug logging to assist with errors caused by overlarge packets

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
37d33177 by Sam Morris at 2021-04-12T13:28:14+02:00
responder/common/responder_packet: further increase packet size for SSS_GSSAPI_SEC_CTX

Tokens can be 48 KiB in Windows Server 2012. Limiting to 128 KiB
provides extra overhead should that increase in the future.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5c9fa75b by Sam Morris at 2021-04-12T13:28:15+02:00
responder/common/responder_packet: remove some unnecessary checks before growing packet

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b87619f9 by Sam Morris at 2021-04-12T13:28:15+02:00
responder/common/responder_packet: allow packets of max size

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
23197881 by aborah at 2021-04-12T13:28:43+02:00
Tests: Tests if shadow-utils are immune against bugs in 2006:0032

Tests if shadow-utils are immune against bugs in 2006:0032

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
05e75dba by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
test_pam_srv: Add test for CA certificate check using intermediate CA

Since the switch to libcrypto as security backend SSSD enforces that all
the CAs in the key chain must be trusted, so add a test that ensures
that this is true and that an intermediate certificate doesn't verify a
leaf one if we're missing the whole chain.

To build the certificates we use the test_CA main certificate
(SSSD_test_CA.pem) as the root CA authority while we create a new CA
intermediate certificate used to create new leaf certificates.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5ed48d2f by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
p11_child_openssl: Free X509_VERIFY_PARAM if initialized

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
018043bb by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
p11_child: Add support for 'partial_chain' certificate_verification option

As per the switch to libcrypto by default, the CA certificates DB needs
to contain the whole certificates key-chain in order to verify a leaf
certificate. This means that if an intermediate CA authority signed a
leaf certificate the CA DB we provide to SSSD needs to contain the whole
key-chain, up to the root CA cert in order to verify the leaf one.

Now, while this is indeed more secure, it may break previous
configurations that were based on an NSS database that contained only
trusted intermediate CA certificates.

To allow such setups to continue working (once the NSS db is migrated)
we need to permit a "weaker" setup where an x509 certificate is verified
when the CA database we test against contains only the intermediate CA
certificate that was used to sign it.

As per this, support `partial_chain` value to be used as
`certificate_verification` parameter that will add the
`X509_V_FLAG_PARTIAL_CHAIN` verify param flag to the store, as the
openssl's verify `-partial_chain` parameter works.

This setup can still be considered secure as it's still needed to have
configured the SSSD ca db to contain the trusted certs.

Add tests to check that we can verify a leaf certificate against its
parent (only) when using such option.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7e3edb06 by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
pam: Add custom pam_cert_verification setting to override default

PAM uses by default the certificate_verification parameter, however we
may want to set specific settings to be used for PAM auth only.

So add pam_cert_verification setting option that will be used to define
the verification options.

If this value is unset, we'll fallback to default.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
65c90d8f by Marco Trevisan (Treviño) at 2021-04-12T13:28:58+02:00
sssd.spec: BuildRequires on openssl tool

It's needed for creating the certificates we use for testing

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
509c2ac9 by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa: skip id-range of unknown type

If a new range type is added in the IPA server SSSD currently considers
this as an error and stops processing any further server side options.

With this patch unknown range types are just skipped and no error is
returned.

Resolves: https://github.com/SSSD/sssd/issues/5571

:fixes: unknown IPA id-range types are not considered as an error

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
27172c95 by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa: add unit test for ipa_ranges_parse_results

A unit test is added to check if unknown range types are properly
skipped. For this ipa_ranges_parse_results() is made public and moved to
a source file which is already used in a unit test to avoid the
inclusion of additional dependencies.

Resolves: https://github.com/SSSD/sssd/issues/5571

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
02d9625e by Sumit Bose at 2021-04-13T13:45:49+02:00
ipa subdomains: do not fail completely if one step fails

Currently while updating server side data stored on an IPA server
during a subdomains request the whole request will fail if a single step
fails. As a result the remaining server side data which would have been
looked up after the failed attempt are missing.

With this patch a failure in a single lookup is not considered fatal and
SSSD will try to read the remaining data after an error occurred.

Resolves: https://github.com/SSSD/sssd/issues/5571

:fixes: During the IPA subdomains request a failure in reading a single
    specific configuration option is not considered fatal and the
    request will continue

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dab0ead2 by Alexey Tikhonov at 2021-04-13T13:46:11+02:00
SYSV: removed unused SUSE/sssd.id

see https://github.com/SSSD/sssd/pull/5535#issuecomment-814135680

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37d255b2 by Alexey Tikhonov at 2021-04-13T13:46:11+02:00
SYSV: replaced '-f' option in gentoo/sssd.in

This is follow up for PR#5535

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e145242 by peptekmail at 2021-04-13T13:46:26+02:00
TEST: FIX: When generating an ssh pubkey from a cert extra padding is needed if a nonstandard exponent is chosen.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e865b008 by Sumit Bose at 2021-04-13T13:46:40+02:00
AD GPO: respect ad_gpo_implicit_deny if no GPO is present

Currently ad_gpo_implicit_deny=True is not applied if there is no GPO at
all for the given client. With this patch this case is handled as
expected as well.

Resolves: https://github.com/SSSD/sssd/issues/5561

:fixes: `ad_gpo_implicit_deny` is now respected even if there are no
        applicable GPOs present

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
53ae9b1e by Alexey Tikhonov at 2021-04-13T13:47:01+02:00
pam_sss: fixed potential mem leak

Fixes following covscan issue:
```
Error: RESOURCE_LEAK (CWE-772): [#def1]
src/sss_client/pam_sss.c:1714: alloc_arg: "asprintf" allocates memory that is stored into "prompt".
src/sss_client/pam_sss.c:1765: leaked_storage: Variable "prompt" going out of scope leaks the storage it points to.
 # 1763|       free(response);
 # 1764|
 # 1765|->     return ret;
 # 1766|   #else
 # 1767|       return ENOTSUP;
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
231d1118 by Sumit Bose at 2021-04-13T13:48:59+02:00
negcache: use right domain in nss_protocol_fill_initgr()

When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliably if the user can be a member of groups from multiple
domains.

With this patch the domain the group belongs to is determined and used
while checking the negative cache.

Resolves: https://github.com/SSSD/sssd/issues/5534

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4f373427 by Paweł Poławski at 2021-04-13T14:44:26+02:00
ncache: Fix misleading function comment

sss_ncache_reset_repopulate_permanent() function is responsible
only for flushing and repopulating permanent entries in negative
cache. Old inline description suggests that full negative cache
wipe will be performed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e6994359 by Paweł Poławski at 2021-04-13T14:44:26+02:00
utils: Add description for CLEAR_MC_FLAG define

CLEAR_MC_FLAG is the definition of the flag file which is used
to sync the memory cache clearing process between the sss_cache util
and the NSS responder.

When sss_cache sends SIGHUP to NSS, the existence of the flag file
notifies the responder that memory cache clearing should be
performed. Deletion of this file by the responder notifies
sss_cache back that the cache clearing operation has been finished.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6195ac70 by Paweł Poławski at 2021-04-13T14:44:26+02:00
nss: Add negcache clearing sbus callback

NSS responder already has SBUS callback for memory cache clearing.
It is called by MONITOR when SIGHUP is handled.

This commit extends SBUS sssd.service interface with negcache
clearing ability executed under "clearNegcache" request.

<interface name="sssd.service">
    <annotation name="codegen.Name" value="service" />
    <annotation name="codegen.SyncCaller" value="false" />
    <method name="resInit" />
    <method name="goOffline" />
    <method name="resetOffline" />
    <method name="rotateLogs" />
    <method name="clearMemcache" />
    <method name="clearNegcache" />
    <method name="clearEnumCache" />
    <method name="sysbusReconnect" />
</interface>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7a4974c8 by Paweł Poławski at 2021-04-13T14:44:26+02:00
nss: Clear negative cache when SIGHUP received

When MONITOR receives SIGHUP signal it sends cache clearing
request to NSS responder using SBUS "clearMemcache" command.
This commit adds calling for negcache clearing at the same time.
It is executed by calling "clearNegcache" from NSS SBUS API.

Resolves: https://github.com/SSSD/sssd/issues/4973

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
191b5352 by Paweł Poławski at 2021-04-15T10:28:14+02:00
data_provider: Configure backend probing interval

When a be_ptask is created to monitor the backend while SSSD
is in offline mode, checks happen at specified intervals:

delay = delay + (sss_rand() % task->random_offset);

New configuration option is introduced in this commit:
* offline_timeout_random_offset

Using this option allows the end client to decide what
the size of the random offset should be when a new interval
for probing the backend is calculated.

:feature: New configuration option `offline_timeout_random_offset`
          to control random factor in backend probing interval
          when SSSD is in offline mode.

:config: Added `offline_timeout_random_offset` configuration option
         to control maximum size of random offset added to offline timeout
         SSSD backend probing interval.

Resolves: https://github.com/SSSD/sssd/issues/5556

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
5d65411f by Sumit Bose at 2021-04-16T13:24:56+02:00
sss_domain_info: add not_found_counter

This new counter should be used to track how often a domain could not be
found while discovering the environment so that it can be deleted after
a number of failed attempts.

Resolves: https://github.com/SSSD/sssd/issues/5528

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
95adf488 by Sumit Bose at 2021-04-16T13:24:56+02:00
AD: read trusted domains from local domain as well

Currently SSSD only uses information stored in a domain controller of
the forest root domain to get the names of other trusted domains in the
forest. Depending on how the forest was created the forest root might
not have LDAP objects for all domains in the forest. It looks like a
typical case is child domains of other domains in the forest.

As a start SSSD can now include trusted domains stored in the LDAP tree
of a local domain controller as well. In a long run it would make sense
to allow SSSD to explicitly search for domain by looking up DNS entries
and checking a potential domain controller with a CLDAP ping.

Resolves: https://github.com/SSSD/sssd/issues/5528

:feature: Besides trusted domains known by the forest root, trusted
          domains known by the local domain are used as well.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e0fcec92 by Sumit Bose at 2021-04-20T11:14:00+02:00
man: clarify single_prompt option

Make it more clear that the single_prompt prompting configuration option
can only be used with both factors even if the second is optional.

Resolves: https://github.com/SSSD/sssd/issues/5586

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
da55e3e6 by Iker Pedrosa at 2021-04-20T11:15:41+02:00
ldap: retry ldap_install_tls() when watchdog interruption

When the call to ldap_install_tls() fails because the watchdog
interrupted it, retry it. The watchdog interruption is detected by
checking the value of the ticks before and after the call to
ldap_install_tls().

Resolves: https://github.com/SSSD/sssd/issues/5531

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
64340cac by Alexey Tikhonov at 2021-04-21T12:01:14+02:00
whitespace_test: remove 'debian' from exclude pattern as this is downstream specific.

See discussion in https://github.com/SSSD/sssd/pull/5435 for details

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
691fe494 by Sumit Bose at 2021-04-21T12:01:30+02:00
nss: prefer homedir overrides over override_homedir option

Currently the override_homedir option will overwrite every home
directory even if a dedicated user override exists. With this patch a
home directory from a dedicated override will be preferred.

Resolves: https://github.com/SSSD/sssd/issues/5589

:relnote: A home directory from a dedicated user override, either local
    or centrally managed by IPA, will have a higher precedence than the
    override_homedir option.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
88eec1c2 by Sumit Bose at 2021-04-21T12:02:00+02:00
nss client: make innetgr() thread safe

The innetgr() call is expected to be thread safe but SSSD's current
implementation isn't. In glibc innetgr() is implemented by calling the
setnetgrent(), getnetgrent(), endgrent() sequence with a private context
(struct __netgrent) which provides a member where NSS modules can store
data between the calls.

With this patch setnetgrent() will read all required data from the NSS
responder and store it in the data member of the __netgrent struct.
Upcoming getnetgrent() calls will only operate on the stored data and
not connect to the NSS responder anymore. endgrent() will free the data.
Since the netgroup data is read in a single request to the NSS responder
protected by a mutex and stored in the private context of innetgr() this
call is now thread-safe.

Resolves: https://github.com/SSSD/sssd/issues/5540

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29abf94e by Sumit Bose at 2021-04-21T12:02:00+02:00
intg test: test if innetgr() is thread-safe

This integration test adds 2 large netgroups in LDAP and runs a program
with 2 threads looking up those netgroups in parallel.

Resolves: https://github.com/SSSD/sssd/issues/5540

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
38905cac by Alexey Tikhonov at 2021-04-26T11:32:50+02:00
monitor: avoid NULL deref in monitor_service_shutdown()

Resolves: https://github.com/SSSD/sssd/issues/5598

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cbfccb17 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
BUILD: prefer PCRE2 over PCRE

:relnote: This release deprecates pcre1 support. This support will be
removed completely in the following releases.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
519d9434 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
util/regexp: local functions shall be static

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
31bcb6f0 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
tests/test_dp_opts: mem leak fixed

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9aa6fb34 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
tests/test_nested_groups: mem leak fixed

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0fbe5af1 by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
util/regexp: regular talloc d-tor shouldn't fail

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f2bcf74c by Alexey Tikhonov at 2021-04-26T11:34:01+02:00
sssd.supp: suppress false positive valgrind warning about 'pcre2_code' ptr

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6a60406b by Steeve Goveas at 2021-04-26T11:34:27+02:00
TEST: Modify subsystem to sst_idm_sssd

idm sst were sub-divided into team-specific ssts and this is now implemented
in polarion

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
2276fc42 by Shridhar Gadekar at 2021-04-27T13:58:30+02:00
Tests: alltests: fetch autofs maps after coming online

SSSD should fetch autofs maps from server when coming online
from offline state, without existing cache.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
eb61f1b2 by Shridhar Gadekar at 2021-04-29T12:04:59+02:00
test: minor change in test doc string

adding test id in the doc string

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
846296d1 by Alexey Tikhonov at 2021-04-29T12:05:17+02:00
libwbclient-sssd: removed

:relnote: SSSD's implementation of 'libwbclient' was removed
as incompatible with modern versions of Samba.

Resolves: https://github.com/SSSD/sssd/issues/5459

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9854ade1 by Iker Pedrosa at 2021-04-29T12:05:38+02:00
spec: Remove ldconfig scripts

According to
https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets#Upgrade.2Fcompatibility_impact
spec files that target Fedora 28+ don't require the use of ldconfig
scriptlets. So, I'm removing them from the spec file.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
99beee3c by Alexey Tikhonov at 2021-04-29T12:05:50+02:00
LDAP: make connection log levels consistent

Connection related events (established, expired, released) now use same
debug level.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
7313efba by Sumit Bose at 2021-04-30T12:57:35+02:00
man: clarify priority in sss-certmap man page

Explain in the man page what is expected when two or more mapping and
matching rules have the same priority.

Resolves: https://github.com/SSSD/sssd/issues/4415

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a0179e31 by Hugh Cole-Baker at 2021-05-05T17:12:33+02:00
man: fix p11_uri example URIs

The p11_uri requires a pkcs11: scheme; using p11_uri = slot-description=My..
without pkcs11: as a prefix will cause p11_child to log an error:

p11_kit_uri_parse failed [-2][URI scheme must be 'pkcs11:'].

Fix the examples to include the pkcs11: scheme.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f66b5aed by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
DEBUG: got rid of most explicit DEBUG_IS_SET checks as a preliminary step for "logs backtrace" feature

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
59ba14e5 by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
DEBUG: poor man's backtrace

In case SSSD is run with debug_level < 9, log everything to
a ring buffer in memory and flush the buffer to a log file on any
error (up to and including `min(0x0040, debug_level)`)
(i.e. if `debug_level` is explicitly set to 0 or 1 then only those
error levels will trigger backtrace, otherwise up to 2).

Feature is only supported for `logger == files`:
 - for stderr it doesn't make much sense: as buffer is quite large,
it would be very inconvenient to get it in console.
 - for journal: support might be considered later, after getting
some feedback

:feature: If 'debug_backtrace_enabled' is set to 'true' then
on any error all prior debug messages (to some limit) are printed
even if 'debug_level' is set to a low value (for details see
`man sssd.conf`: `debug_backtrace_enabled` description).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
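
The mechanism described above, as an added illustration that is not SSSD's own code: messages above debug_level are parked in a ring buffer instead of being dropped, and a visible error flushes that ring into the log ahead of itself. The SSSDBG_* masks are SSSD's real debug.h values; the buffer size, the `   *  ` marker, the return values and the `dbg_*` names are assumptions made here.

```c
/* Added example, not SSSD's code: a minimal "poor man's backtrace" logger
 * modelled on the commit above. Messages above debug_level are parked in a
 * ring buffer instead of being dropped; a visible error flushes the ring into
 * the log ahead of itself. SSSDBG_* masks match SSSD's debug.h; the rest is
 * constructed here for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define SSSDBG_FATAL_FAILURE 0x0010   /* level 0 */
#define SSSDBG_CRIT_FAILURE  0x0020   /* level 1 */
#define SSSDBG_OP_FAILURE    0x0040   /* level 2 */
#define SSSDBG_MINOR_FAILURE 0x0080   /* level 3 */
#define SSSDBG_TRACE_FUNC    0x0400   /* level 6 */
#define RING_SLOTS 8
#define MSG_LEN    96

enum logger_type { LOGGER_STDERR, LOGGER_FILES, LOGGER_JOURNALD };

struct dbg_state {
    unsigned debug_level;               /* bitmask of levels written directly */
    enum logger_type logger;
    bool backtrace_enabled;             /* the debug_backtrace_enabled option */
    char ring[RING_SLOTS][MSG_LEN];     /* parked messages, oldest overwritten */
    unsigned ring_head, ring_count;     /* next slot to write, slots in use */
    char out[RING_SLOTS * MSG_LEN * 2]; /* stands in for the log file */
    size_t out_len;
};

void dbg_init(struct dbg_state *st, unsigned debug_level,
              enum logger_type logger, bool backtrace_enabled)
{
    memset(st, 0, sizeof(*st));
    st->debug_level = debug_level;
    st->logger = logger;
    st->backtrace_enabled = backtrace_enabled;
}

const char *dbg_output(const struct dbg_state *st) { return st->out; }

static void out_append(struct dbg_state *st, const char *prefix, const char *line)
{
    size_t room = sizeof(st->out) - st->out_len;
    int n = snprintf(st->out + st->out_len, room, "%s%s\n", prefix, line);
    /* On truncation the "file" is full; later output is silently cut. */
    st->out_len = (n > 0 && (size_t)n < room) ? st->out_len + (size_t)n
                                              : sizeof(st->out) - 1;
}

static void ring_push(struct dbg_state *st, const char *line)
{
    snprintf(st->ring[st->ring_head], MSG_LEN, "%s", line);
    st->ring_head = (st->ring_head + 1) % RING_SLOTS;
    if (st->ring_count < RING_SLOTS) st->ring_count++;
}

/* Write parked messages oldest-first, marked so they stand out in the log. */
static unsigned ring_flush(struct dbg_state *st)
{
    unsigned n = st->ring_count;
    unsigned start = (st->ring_head + RING_SLOTS - n) % RING_SLOTS;
    for (unsigned i = 0; i < n; i++)
        out_append(st, "   *  ", st->ring[(start + i) % RING_SLOTS]);
    st->ring_count = st->ring_head = 0;
    return n;
}

/* Which errors dump the ring: the enabled error levels up to OP_FAILURE,
 * i.e. "min(0x0040, debug_level)" in the commit's words. */
static unsigned backtrace_trigger_mask(unsigned debug_level)
{
    return debug_level & (SSSDBG_FATAL_FAILURE | SSSDBG_CRIT_FAILURE |
                          SSSDBG_OP_FAILURE);
}

/* Returns lines that reached the log: 0 if only parked (or dropped),
 * otherwise 1 plus the number of ring entries flushed ahead of it. */
int dbg_log(struct dbg_state *st, unsigned level, const char *msg)
{
    bool visible = (level & st->debug_level) != 0;
    /* Buffering is only supported for the files logger, as in the commit. */
    bool buffering = st->backtrace_enabled && st->logger == LOGGER_FILES;
    int written = 0;

    if (!visible) {
        if (buffering) ring_push(st, msg);
        return 0;
    }
    if (buffering && (level & backtrace_trigger_mask(st->debug_level)))
        written += (int)ring_flush(st);
    out_append(st, "", msg);
    return written + 1;
}

int main(void)
{
    struct dbg_state st;
    dbg_init(&st, 0x0070 /* debug_level 2 */, LOGGER_FILES, true);
    dbg_log(&st, SSSDBG_TRACE_FUNC, "entering sdap_get_generic_send()");
    dbg_log(&st, SSSDBG_MINOR_FAILURE, "server busy, retrying");
    dbg_log(&st, SSSDBG_OP_FAILURE, "LDAP request failed"); /* dumps the ring */
    fputs(dbg_output(&st), stdout);
    return 0;
}
```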

- - - - -
e3426ebe by Alexey Tikhonov at 2021-05-05T17:12:49+02:00
PAM: fixes a couple of covscan issues

Fixes:
```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%.*s' directive argument is null
 #  127 |     sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
 #      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #  128 |                  level, \
 #      |                  ~~~~~~~~
 #  129 |                  format, ##__VA_ARGS__); \
 #      |                  ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'filter_responses'
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:569:51: note: format string is defined here
 #  569 |               "Found PAM ENV filter for variable [%.*s] and service [%s].\n",
 #      |                                                   ^~~~
```

and

```
Error: COMPILER_WARNING (CWE-758):
sssd-2.4.3/src/util/util.h:47: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:24: included_from: Included from here.
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c: scope_hint: In function 'pam_check_user_search_next'
sssd-2.4.3/src/util/debug.h:127:5: warning[-Wformat-overflow=]: '%s' directive argument is null
 #  127 |     sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
 #      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #  128 |                  level, \
 #      |                  ~~~~~~~~
 #  129 |                  format, ##__VA_ARGS__); \
 #      |                  ~~~~~~~~~~~~~~~~~~~~~~
sssd-2.4.3/src/responder/pam/pamsrv_cmd.c:1947:53: note: format string is defined here
 # 1947 |     DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
 #      |                                                     ^~
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6b78b7aa by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
CACHE_REQ: fixed REVERSE_INULL warning

Fixes following warning:
```
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:807: check_after_deref: Null-checking "domain" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:784: deref_ptr: Directly dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:790: deref_ptr_in_call: Dereferencing pointer "domain".
sssd-2.4.3/src/responder/common/cache_req/cache_req.c:805: alias: Assigning: "state->selected_domain" = "domain".
 #  805|           state->selected_domain = domain;
 #  806|
 #  807|->         if (domain == NULL) {
 #  808|               break;
 #  809|           }
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0aaf61c6 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
DEBUG: makes debug backtrace switchable

:config: Introduced new option 'debug_backtrace_enabled' to control
debug backtrace.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
97f046e7 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
DEBUG: log IMPORTANT_INFO if any bit >= OP_FAILURE is on

This makes sense in general and ensures IMPORTANT_INFO doesn't trigger
backtrace dump.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f693078f by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
CERTMAP: removed "sss_certmap initialized" debug

Most lib users expect only errors to be logged and provide a logger function
with SSSDBG_OP_FAILURE debug level.

Thus "sss_certmap initialized" was triggering backtrace dump for no reason.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6fb987b5 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
SERVER: decrease log level in `orderly_shutdown()` to avoid backtrace in this case.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
80963d68 by Alexey Tikhonov at 2021-05-05T17:12:50+02:00
SBUS: changed debug level in sbus_issue_request_done() to avoid backtrace dump in case of 'ERR_MISSING_DP_TARGET'

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f55c41b7 by Deepak Das at 2021-05-05T17:13:07+02:00
SSSD Log: log_timeout_parameter_display

Display timeout parameter in SSSD logs.

Resolves: https://github.com/SSSD/sssd/issues/5514

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c79ee66f by Pavel Březina at 2021-05-07T11:34:27+02:00
pot: update pot files

- - - - -
c8274b24 by Alexey Tikhonov at 2021-05-07T13:01:12+02:00
BUILD: deprecate 'local-provider'

:relnote:'local-provider' is deprecated and will be removed in one
of the next versions of SSSD.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8736776a by Alexey Tikhonov at 2021-05-07T13:01:12+02:00
BUILD: deprecate 'secrets' support

:relnote:'secrets' support is deprecated and will be removed in one
of the next versions of SSSD.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ba99c1fb by Steeve Goveas at 2021-05-07T13:01:30+02:00
modify check for rhel version before package install

Include check for rhel9 and remove nss-pam-ldapd install for rhel9 as it
won't be available. Test with nss-pam-ldap only for rhel8.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
d264a2b6 by Steeve Goveas at 2021-05-07T13:01:30+02:00
TEST: remove pytest warning for yield_fixture

This change would remove this warning message:
"PytestDeprecationWarning: @pytest.yield_fixture is deprecated"

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
61a03b2c by Pavel Březina at 2021-05-07T13:01:47+02:00
man: document how to disable sudo smart and full refresh

Resolves: https://github.com/SSSD/sssd/issues/5601

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b3247eeb by Pavel Březina at 2021-05-07T13:01:47+02:00
man: document how to tune sudo performance

Resolves: https://github.com/SSSD/sssd/issues/5603

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c0204c06 by Pavel Březina at 2021-05-07T13:01:47+02:00
be: add be_ptask_postpone

This will cancel the next event and schedule it to now + period.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d9d5c291 by Pavel Březina at 2021-05-07T13:01:47+02:00
sudo: reschedule periodic tasks when full refresh is finished

We postpone periodic full and smart refresh tasks when full refresh
(either per-request or periodic) is finished.

Resolves: https://github.com/SSSD/sssd/issues/5604

:feature: Completing a sudo full refresh now postpones the smart refresh
  by `ldap_sudo_smart_refresh_interval` value. This ensures that the smart
  refresh is not run too soon after a successful full refresh.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ca47acca by Pavel Březina at 2021-05-07T13:01:47+02:00
sudo: add ldap_sudo_random_offset

Resolves: https://github.com/SSSD/sssd/issues/5609

:feature: Background sudo periodic tasks (smart and full refresh) periods
  are now extended by a random offset to spread the load on the server in
  environments with many clients. The random offset can be changed with
  `ldap_sudo_random_offset`.

:config: Added `ldap_sudo_random_offset` (default to `30`) to add a
  random offset to background sudo periodic tasks (smart and full
  refresh).

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
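The two commits above (be_ptask_postpone and ldap_sudo_random_offset) describe a small scheduling policy: a periodic task's next run is placed at now + period, extended by a random offset so that many clients restarting at once do not hit the server simultaneously, and a postpone drops the pending run and reschedules relative to now. The following is an added example that sketches that policy in plain C; it is not SSSD's be_ptask code. The `struct ptask` layout, the deterministic LCG used in place of a real random source, and the `first_run_spread` simulation are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

/* Hypothetical periodic task, modelled on the description of be_ptask_postpone
 * and ldap_sudo_random_offset above; not SSSD's own data structure. */
struct ptask {
    time_t   period;         /* e.g. ldap_sudo_smart_refresh_interval */
    time_t   random_offset;  /* maximum extra delay, e.g. ldap_sudo_random_offset */
    time_t   next_run;       /* absolute time of the next scheduled run */
    uint32_t rng_state;      /* per-task PRNG state (constructed, for reproducibility) */
};

/* Small LCG so the example is reproducible offline; a real daemon would draw
 * the offset from rand() or getrandom(). */
static uint32_t next_rand(uint32_t *state)
{
    *state = *state * 1664525u + 1013904223u;
    return *state >> 8;
}

/* Schedule the next run at now + period, extended by a random delay in
 * [0, random_offset]. With random_offset == 0 the schedule is exact. */
void ptask_schedule(struct ptask *t, time_t now)
{
    time_t extra = 0;
    if (t->random_offset > 0) {
        extra = (time_t)(next_rand(&t->rng_state) % ((uint32_t)t->random_offset + 1));
    }
    t->next_run = now + t->period + extra;
}

/* Postpone: forget the currently scheduled run and reschedule relative to now.
 * This is what lets a completed full refresh push the smart refresh out by a
 * whole period instead of letting it fire moments later. */
void ptask_postpone(struct ptask *t, time_t now)
{
    ptask_schedule(t, now);
}

/* Returns true (and moves the task forward) if the task is due at `now`. */
bool ptask_run_if_due(struct ptask *t, time_t now)
{
    if (now < t->next_run) {
        return false;
    }
    ptask_schedule(t, now);
    return true;
}

/* Simulate `clients` hosts that all restart at t=0 with the same period and
 * offset. Returns the spread (latest minus earliest first-run time) across
 * them: 0 without an offset, up to random_offset with one. */
time_t first_run_spread(int clients, time_t period, time_t random_offset)
{
    time_t earliest = 0, latest = 0;
    for (int i = 0; i < clients; i++) {
        /* Each client seeds its PRNG differently (constructed seeds). */
        struct ptask t = { period, random_offset, 0, 0x9e3779b9u * (uint32_t)(i + 1) };
        ptask_schedule(&t, 0);
        if (i == 0 || t.next_run < earliest) earliest = t.next_run;
        if (i == 0 || t.next_run > latest) latest = t.next_run;
    }
    return latest - earliest;
}
```

The spread function shows the trade-off the later default change to 0 is about: a non-zero offset smooths server load across a fleet, but it also delays the very first refresh after start by up to that many seconds.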
421c0a77 by aborah at 2021-05-07T13:03:24+02:00
Tests: getent group ldapgroupname doesn't show any LDAP users

'getent group ldapgroupname' doesn't show
any LDAP users or some LDAP users when
'rfc2307bis' schema is used with SSSD

Verifies: https://github.com/SSSD/sssd/issues/5311

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1817122

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
47b40cca by aborah at 2021-05-10T11:13:21+02:00
Tests: automount sssd issue when 2 automount maps have the same key (one in uppercase, one in lowercase)

With 2 automount entries in LDAP with the same key (cn: MIT and cn: mit),
autofs only works for one of them (the one in uppercase)

Verifies: https://github.com/SSSD/sssd/issues/5330

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1873715

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
de170904 by Sumit Bose at 2021-05-10T11:13:38+02:00
sss_cache: reset original timestamp and USN

Currently the sss_cache utility only resets the internal/operational
timestamp attributes to indicate that the object should be refreshed.
But the timestamp cache also stores the last modification time and the
update sequence number (USN) of the original LDAP attribute to detect
changes of the original object. During some types of refreshes those
options might be checked, currently the modification timestamp during
group updates, and might prevent the data object from being refreshed because
it was assumed that the original object did not change.

Since it is expected that after calling e.g. sss_cache -E the cached
objects are refreshed unconditionally it makes sense to reset those
attributes in the timestamp cache as well.

Resolves: https://github.com/SSSD/sssd/issues/5596

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
c227ea4e by Sumit Bose at 2021-05-10T11:13:38+02:00
sysdb: add SYSDB_INITGR_EXPIRE to new user objects

SYSDB_INITGR_EXPIRE belongs to the timestamp cache attributes and if
only those attributes are modified it is expected that the data object
is not modified, only the related object in the timestamp cache. Until
now SYSDB_INITGR_EXPIRE was missing from the user objects if the group
membership of the user was not looked up (initgroups request). As a
result the user object might change if only timestamp cache attributes
are changed since SYSDB_INITGR_EXPIRE was missing. With this patch
SYSDB_INITGR_EXPIRE is added with value '0' if a new user object is
created.

Resolves: https://github.com/SSSD/sssd/issues/5596

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
993b66d4 by Justin Stephenson at 2021-05-10T14:53:56+02:00
KCM: Read and set KCM renewal and krb5 options

Add new renewal options to enable KCM renewal functionality

  tgt_renewal
  tgt_renewal_inherit

Krb5 options below will be read from the [kcm] configuration
section, or a domain section when a tgt_renewal_inherit domain
is provided.

  krb5_renew_interval
  krb5_renewable_lifetime
  krb5_lifetime
  krb5_validate
  krb5_canonicalize
  krb5_auth_timeout

Resolves: https://github.com/SSSD/sssd/issues/2765

:config: Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*`
KCM options to enable, and tune behavior of new KCM renewal feature.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
599f0ad0 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Prepare and execute renewals

Find and unmarshal renewable tickets in the list of KCM ccaches, process
and trigger renewals for TGTs after half of their lifetime is exceeded.

Resolves: https://github.com/SSSD/sssd/issues/2765

:feature: Added support for automatic renewal of renewable TGTs that are
stored in KCM ccache. This can be enabled by setting `tgt_renewal =
true`. See the sssd-kcm man page for more details. This feature requires
MIT Kerberos krb5-1.19-0.beta2.3 or higher.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
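The commit above states the renewal trigger: a renewable TGT is renewed once more than half of its lifetime has elapsed. The following added example (not sssd-kcm's code) shows that decision in plain C together with the edge cases a renewal loop has to respect: tickets that are not renewable, tickets that already expired, and tickets whose renewable lifetime has run out. The `struct tgt_times` layout and the rule that "renewable" means `renew_till` lies beyond `endtime` are assumptions of the example, as are the constructed timestamps used in the usage below.

```c
#include <stdbool.h>
#include <time.h>

/* Lifetime fields of one ticket as they would be read from a ccache entry
 * (constructed layout for the example). */
struct tgt_times {
    time_t starttime;   /* when the ticket became valid */
    time_t endtime;     /* when it expires */
    time_t renew_till;  /* last moment a renewal is permitted; 0 if not renewable */
};

/* Assumption for the example: a ticket is renewable when its renew_till lies
 * beyond its endtime. A non-renewable ticket is never touched. */
bool tgt_is_renewable(const struct tgt_times *t)
{
    return t->renew_till > t->endtime;
}

/* Decide whether to renew now: more than half of the lifetime has elapsed,
 * the ticket has not expired and the renewable lifetime has not run out.
 * Renewing an expired ticket is impossible, so the check must run before
 * endtime; that is why the half-lifetime point is used rather than "just
 * before expiry". */
bool tgt_needs_renewal(const struct tgt_times *t, time_t now)
{
    if (!tgt_is_renewable(t)) {
        return false;
    }
    if (now >= t->endtime || now >= t->renew_till) {
        return false;   /* too late: expired, or renewal window closed */
    }
    time_t lifetime = t->endtime - t->starttime;
    if (lifetime <= 0) {
        return false;   /* malformed times; do nothing rather than loop */
    }
    return now >= t->starttime + lifetime / 2;
}

/* Seconds until the ticket reaches its half-lifetime mark: 0 if it is already
 * due, -1 if it is not renewable or already expired. A periodic checker can
 * clamp its sleep to this value so the renewal point is not missed. */
time_t tgt_seconds_until_renewal(const struct tgt_times *t, time_t now)
{
    if (!tgt_is_renewable(t) || now >= t->endtime) {
        return -1;
    }
    time_t due = t->starttime + (t->endtime - t->starttime) / 2;
    return now >= due ? 0 : due - now;
}
```

Used with a constructed ticket valid from 1000 to 11000 and renewable until 50000, the ticket becomes due at 6000 and stops being a candidate once it has expired; a ticket with `renew_till` of 0 is reported as not renewable and never scheduled.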
1dc3c33c by Justin Stephenson at 2021-05-10T14:53:57+02:00
SECRETS: Don't hardcode SECRETS_DB_PATH

Allow for overriding in cmocka tests

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a55405b3 by Justin Stephenson at 2021-05-10T14:53:57+02:00
TESTS: Add kcm_renewals unit test

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0202eb53 by Justin Stephenson at 2021-05-10T14:53:57+02:00
INTG: Add KCM Renewal integration test

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ddcedbf3 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Conditionally build KCM renewals support

Use --enable-kcm-renewal, --disable-kcm-renewal or allow
autodetection of MIT Kerberos marshalling functions
required to enable KCM renewal support.

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ec932d35 by Justin Stephenson at 2021-05-10T14:53:57+02:00
KCM: Disable responder idle timeout with renewals

When KCM renewals are configured and enabled, disable the
responder idle timeout to prevent KCM from being in a shut-down
state when it should be executing TGT renewals.

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ce54789e by Alexey Tikhonov at 2021-05-10T14:56:44+02:00
DEBUG: fix _all_levels_enabled()

Expression was wrong in case `debug_level` had any bit without
associated level turned on (for example, 0xfff0).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c07a7beb by Weblate at 2021-05-10T14:57:47+02:00
po: update translations

(Ukrainian) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 99.8% (728 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Finnish) currently translated at 5.5% (40 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Finnish) currently translated at 2.6% (70 of 2643 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (726 of 726 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

- - - - -
e3012941 by Pavel Březina at 2021-05-10T15:06:24+02:00
man: add krb5_options to po4a.cfg

- - - - -
b3336ab9 by Pavel Březina at 2021-05-10T15:11:58+02:00
pot: update pot files

- - - - -
3f29bc26 by Pavel Březina at 2021-05-10T15:14:31+02:00
Release sssd-2.5.0

- - - - -
a95db4e1 by Pavel Březina at 2021-05-10T17:13:00+02:00
Update version in version.m4 to track the next release

- - - - -
6eb845d0 by Madhuri Upadhye at 2021-05-13T12:37:06+02:00
Test: IPA: filter_groups option partially filters the group from 'id' output

It consists of following test case:
  filter_groups option partially filters the group from 'id'
  output of the user because gidNumber still appears in 'id' output

Verifies:
  Issue: #5403

Bugs:
  https://bugzilla.redhat.com/show_bug.cgi?id=1876658

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9b017dbc by Pavel Březina at 2021-05-14T11:34:24+02:00
KCM: return KRB5_FCC_INTERNAL for unknown or not implemented operation

sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL`
for cases where operation code is not known or not implemented. See:

* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792

We returned different codes before this patch which makes Kerberos differentiate
between the Heimdal and sssd implementation. This leads to errors like:

* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703

Resolves: https://github.com/SSSD/sssd/issues/5628

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
dbde4e69 by Justin Stephenson at 2021-05-19T19:24:12+02:00
SECRETS: Resolve mkey path correctly

Use the correct master key path for the secrets database,
fixing an issue on upgrade.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9777427f by Alexey Tikhonov at 2021-05-19T19:24:31+02:00
UTIL/SECRETS: mistype fix

Wrong variable was tested after mem allocation.

Also fixes following covscan issues:
```
Error: DEADCODE (CWE-561):
sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
 # 1009|   	uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
 # 1010|       if (uuid_list == NULL) {
 # 1011|->         ret = ENOMEM;
 # 1012|           goto done;
 # 1013|       }
```

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b099498f by Pavel Březina at 2021-05-19T19:24:48+02:00
ipa: read auto_private_groups from id range if available

Resolves: https://github.com/SSSD/sssd/issues/4216

:feature: `auto_private_groups` option can be set centrally through
  ID range setting in IPA (see `ipa idrange` commands family). This
  feature requires SSSD update on both client and server.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
706627cf by Pavel Březina at 2021-05-19T19:24:48+02:00
cache_req: consider mpg_mode of each domain

Before this patch the mpg_mode == hybrid was used only if the main domain
had this mode set. This fails in multi domain environments as well as with
subdomains.

Now we look up the hybrid object in each domain that has the hybrid mode
enabled.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ac1a07a3 by Iker Pedrosa at 2021-05-24T18:04:25+02:00
responder: fix covscan issues

Fix two covscan issues that I accidentally included in commit
f890fc4b592767f3f0b2bd5515cbd9516505ebe9.

Error: FORWARD_NULL (CWE-476): [#def60]
sssd-2.4.0/src/responder/common/responder_common.c:1009: var_compare_op: Comparing "rctx->sock_name" to null implies that "rctx->sock_name" might be null.
sssd-2.4.0/src/responder/common/responder_common.c:1039: var_deref_model: Passing null pointer "rctx->sock_name" to "strlen", which dereferences it.

Error: CLANG_WARNING: [#def61]
sssd-2.4.0/src/responder/common/responder_common.c:1039:64: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'

Resolves: https://github.com/SSSD/sssd/issues/5638

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
43b9b092 by Deepak Das at 2021-05-24T18:05:19+02:00
SSSD man: man_dns_resolver_parameter_modification

Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf

Resolves: https://github.com/SSSD/sssd/issues/5616

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7190f6b5 by Deepak Das at 2021-05-24T18:05:19+02:00
SSSD man: man_dns_resolver_parameter_modification

Adding parameter dns_resolver_server_timeout
and dns_resolver_op_timeout in sssd.conf

Resolves: https://github.com/SSSD/sssd/issues/5616

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
fbf33bab by Alexey Tikhonov at 2021-05-24T18:06:10+02:00
TOOLS: removed unneeded debug message

This message was logged before `sss_tool_init()` that sets debug level,
thus ignoring configured debug level.

Since the same message is printed via `ERROR` on a next line, this log
message doesn't add any information and can be simply removed.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
348512b0 by Steeve Goveas at 2021-05-24T18:07:52+02:00
TEST: Fixes after running new tests downstream

Tests have been synced downstream. Some tests were failing or needed
docstring updates for the new polarion format.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
9cb89666 by Sumit Bose at 2021-05-25T12:24:28+02:00
nss: fix getsidbyname for IPA user-private-groups

Currently the getsidbyname request does not work properly for IPA users
due to the way IPA user-private-groups are handled by SSSD. With this
patch two different cases are handled.

The first is about the default automatic user-private-groups
where the group is a managed object. In this case there will be a user
and a group object with the same name in the cache which will both be
found by the lookup by name. Since only the user object will have a SID
we can return this SID for the request.

The second case is the manual creation of a user and a group with UID
and GIDs so that the group is a user-private group. Here the user and
the group object will both get a different SID assigned since they are
independent objects. In this case, if both objects have a SID and the UID
and GID of the user and the GID of the group all have the same numerical
value, the SID of the user is returned.

Resolves: https://github.com/SSSD/sssd/issues/5607

:fixes: Fix getsidbyname issues with IPA users with a user-private-group

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
e147d272 by Steeve Goveas at 2021-05-31T14:18:53+02:00
TEST: add ldap_sudo_random_offset 0 to offline test

A new option was added in #5609.
As there are no other requests in the test after a restart, sssd
would attempt a connection only after 10 to 30 seconds by default. To
enable immediate lookup, we can set this option and continue with the
test.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
98400ef6 by Madhuri Upadhye at 2021-05-31T14:19:06+02:00
Tests: common: Update the remove_sss_cache function

Remove the sssd exception as we don't find the path,
test fails with exception file does not exist.
So added print statement to print the error message.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
33f136f8 by Madhuri Upadhye at 2021-05-31T14:19:19+02:00
Tests: alltests: Code update for test_kcm_check_socket_path

Remove unwanted import.
Minor changes in test code.
Change the marker to tier1_2.

Verifies:
  Issues: #5406

Bug:
  https://bugzilla.redhat.com/show_bug.cgi?id=1632159

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
36746524 by Sumit Bose at 2021-05-31T14:19:33+02:00
kcm: use %zu as format for size_t

size_t might be a different integer type on different platforms. The %z
length modifier was added to handle this.

Resolves: https://github.com/SSSD/sssd/issues/2765

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5b5e3827 by Jakub Vavra at 2021-05-31T14:20:21+02:00
Tests: Add test_ipa_missing_secondary_ipa_posix_groups

Verifies
Issue: #5534
Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1945552
https://bugzilla.redhat.com/show_bug.cgi?id=1937919
https://bugzilla.redhat.com/show_bug.cgi?id=1945654

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
d35f36f0 by Deepak Das at 2021-05-31T14:20:41+02:00
SSSD Log: log_error_reading_file_msg_modification

Replacing error reading file error code with proper message

Resolves: https://github.com/SSSD/sssd/issues/5615

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
9c06088d by Deepak Das at 2021-05-31T14:21:00+02:00
SSSD Log: no_such_file_or_directory_modification

Replacing no such file or directory error code with alternate message

Resolves: https://github.com/SSSD/sssd/issues/5614

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b75ef442 by Sumit Bose at 2021-05-31T14:22:06+02:00
pac: allow larger PACs

Currently the PAC responder only accepts requests which are about 1k in
size. Since a PAC can be larger there are cases where the PAC is not
accepted by the PAC responder. Recently SSS_GSSAPI_PACKET_MAX_RECV_SIZE
was added to be able to handle Kerberos tickets which can also be larger
than 1k. Since typically, if present, the PAC is the largest part of a
Kerberos ticket it makes sense to use the same limit for the PAC
responder.

Resolves: https://github.com/SSSD/sssd/issues/5650

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1f6377d5 by Weblate at 2021-06-04T09:08:39+02:00
po: update translations

(Finnish) currently translated at 5.4% (40 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Polish) currently translated at 100.0% (729 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Russian) currently translated at 25.7% (188 of 729 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

- - - - -
597a6c2a by Joakim Tjernlund at 2021-06-04T09:10:18+02:00
Gentoo/openrc: Add sssd-kcm service script

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
850af600 by Pavel Březina at 2021-06-04T09:40:38+02:00
pot: update pot files

- - - - -
a3cb9812 by Pavel Březina at 2021-06-04T14:29:44+02:00
sudo: disable ldap_sudo_random_offset by default

Resolves: https://github.com/SSSD/sssd/issues/5609

:config: Default value of `ldap_sudo_random_offset` changed to 0 (disabled). This
  makes sure that sudo rules are available as soon as possible after SSSD start
  in default configuration.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1c655610 by Paweł Poławski at 2021-06-04T14:40:28+02:00
README: Update documentation links

Documentation links in README are broken due to the recent sssd.io website
content update. This PR fixes this and remaps links to point to the
correct content in the new upstream documentation.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
669ee920 by Pavel Březina at 2021-06-04T14:46:26+02:00
readme: update documentation repository

- - - - -
c415dde6 by Pavel Březina at 2021-06-04T14:47:41+02:00
pot: update pot files

- - - - -
73cbe0b1 by Sumit Bose at 2021-06-07T11:34:34+02:00
utils: add mod_defaults_list

This patch adds a new utility function to handle options with values
prefixed by '+' or '-' to modify default lists. Unit tests are included.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
70a808d5 by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: replace first argument of filter_responses()

The first argument of filter_responses() is replaced with a more generic
context to allow more flexible use in future.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f491979d by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: parse pam_response_filter values only once

To avoid parsing the configuration options for each PAM request the code
is modified to parse them only once. If the configuration is changed it
is already expected that SSSD is restarted which means that with this
change no functionality is lost.

Tests had to be updated to make sure new values are read.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2a4c3833 by Sumit Bose at 2021-06-07T11:34:34+02:00
pam: change default for pam_response_filter

So far pam_response_filter didn't have any default. It turned out that it
would be useful to filter the environment variable KRB5CCNAME by default
for sudo. The reason is that, e.g., in contrast to su the calling user is
authenticated and hence only the Kerberos credentials of the calling
user are available. But this causes a couple of inconsistencies. E.g.
depending on the credential cache type the target user might not have
access to the credential cache and even if the credential cache can be
accessed it will contain credentials with different privileges than the
target user. As a result it seems better to not put KRB5CCNAME in the
environment of the target user and let him pick the matching default
credential cache.

Resolves: https://github.com/SSSD/sssd/issues/5660

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
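The four commits above (mod_defaults_list through the new pam_response_filter default) describe an option whose value either replaces a built-in default list or, when every entry is prefixed with '+' or '-', adds to and removes from it. The following added example shows one way to implement that parsing in plain C; it is not SSSD's mod_defaults_list, whose signature and exact rules differ, and the semantics chosen here (all-prefixed entries modify the defaults, unprefixed entries replace them, a mix is rejected) are an assumption of the example. The `ENV:...` sample values in the usage are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIST 32

/* Result list: a fixed-size array of heap-allocated strings (example type). */
struct str_list {
    char  *items[MAX_LIST];
    size_t count;
};

static bool list_contains(const struct str_list *l, const char *s)
{
    for (size_t i = 0; i < l->count; i++) {
        if (strcmp(l->items[i], s) == 0) return true;
    }
    return false;
}

/* Add `s` unless already present, so "+x" twice does not create duplicates. */
static int list_add(struct str_list *l, const char *s)
{
    if (list_contains(l, s)) return 0;
    if (l->count >= MAX_LIST) return -1;
    l->items[l->count] = strdup(s);
    if (l->items[l->count] == NULL) return -1;
    l->count++;
    return 0;
}

/* Remove `s` if present; removing an absent default is not an error. */
static void list_remove(struct str_list *l, const char *s)
{
    for (size_t i = 0; i < l->count; i++) {
        if (strcmp(l->items[i], s) == 0) {
            free(l->items[i]);
            memmove(&l->items[i], &l->items[i + 1], (l->count - i - 1) * sizeof(char *));
            l->count--;
            return;
        }
    }
}

void list_free(struct str_list *l)
{
    for (size_t i = 0; i < l->count; i++) free(l->items[i]);
    l->count = 0;
}

const char *list_nth(const struct str_list *l, size_t i)
{
    return i < l->count ? l->items[i] : NULL;
}

/* Apply `mods` (NULL-terminated entries of the form "+name", "-name" or a bare
 * "name") to `defaults`, writing the result to `out`. Assumed rules: if every
 * entry carries a '+' or '-' prefix the defaults are modified; if no entry
 * carries a prefix the list replaces the defaults; a mix is rejected (-1). */
int mod_defaults(const char *const *defaults, const char *const *mods, struct str_list *out)
{
    size_t prefixed = 0, total = 0;
    out->count = 0;

    for (size_t i = 0; mods[i] != NULL; i++) {
        total++;
        if (mods[i][0] == '+' || mods[i][0] == '-') prefixed++;
    }
    if (prefixed != 0 && prefixed != total) return -1;   /* mixed: ambiguous intent */

    if (prefixed == 0 && total > 0) {                     /* plain list: replace */
        for (size_t i = 0; mods[i] != NULL; i++) {
            if (list_add(out, mods[i]) != 0) goto fail;
        }
        return 0;
    }

    for (size_t i = 0; defaults[i] != NULL; i++) {        /* start from the defaults */
        if (list_add(out, defaults[i]) != 0) goto fail;
    }
    for (size_t i = 0; mods[i] != NULL; i++) {            /* then apply +/- entries */
        const char *name = mods[i] + 1;
        if (name[0] == '\0') goto fail;                   /* a lone "+" or "-" is invalid */
        if (mods[i][0] == '+') {
            if (list_add(out, name) != 0) goto fail;
        } else {
            list_remove(out, name);
        }
    }
    return 0;

fail:
    list_free(out);
    return -1;
}
```

The rejection of a mixed list is the security-relevant choice: an administrator who writes `-ENV:KRB5CCNAME:sudo, ENV:OTHER` almost certainly did not mean to silently drop every other default, so the parser refuses rather than guess.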
ecb2ae7a by Paweł Poławski at 2021-06-08T11:02:59+02:00
krb5_child: Honor Kerberos keytab location

Kerberos keytab location can be specified per domain in sssd.conf.
If it is not specified, the default path is used: /etc/krb5.keytab
The problem is that the default path itself can be redefined for Kerberos
by adding an entry in krb5.conf:

  [libdefaults]
  default_keytab_name = /<PATH>/krb5.keytab

krb5_child will still use /etc/krb5.keytab as the default value which
will cause an error.

This patch adds config checking to krb5_child.
If the keytab parameter is set to /etc/krb5.keytab,
krb5_child will validate it against krb5.conf and eventually
overwrite it with the value presented there.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c917f977 by Justin Stephenson at 2021-06-08T11:04:15+02:00
RESPONDER: Generate incrementing client ID

This client ID will be passed through SSSD components to allow
tracking requests across SSSD.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bee426c8 by Justin Stephenson at 2021-06-08T11:04:15+02:00
SBUS: Send Client ID across to DP interfaces

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7ed87872 by Justin Stephenson at 2021-06-08T11:04:16+02:00
RESPONDER LOGS: Log the Client ID where accessible

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d0e35894 by Justin Stephenson at 2021-06-08T11:04:16+02:00
CACHE_REQ: Log the Client ID of the cache request

Log the Client ID at the initial cache request submission.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4f1a06d1 by Justin Stephenson at 2021-06-08T11:04:16+02:00
DP: Propagate down the client id and sender name

Make the client ID and responder name available to log where
the DP request is attached. This will ensure we log the CID,
originating responder name, and DP-internal request ID for
all DP requests.

[dp_attach_req] (0x0400): DP Request [Initgroups #14]: REQ_TRACE: New
request. [sssd.pam CID #1] Flags [0x0001].

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5674aaed by Pavel Březina at 2021-06-08T11:45:35+02:00
pot: update pot files

- - - - -
dbd50453 by Pavel Březina at 2021-06-08T13:37:23+02:00
Update version in version.m4 to track the next release

- - - - -
c6cd2fe3 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
krb5_child: reduce log severity in sss_send_pac() in case PAC responder isn't running.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0eccee18 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
secrets: reduce log severity in local_db_create() in case entry already exists since this is expected during normal operations.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
624e3fe7 by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
KCM: use SSSDBG_MINOR_FAILURE for ERR_KCM_OP_NOT_IMPLEMENTED

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0646917c by Alexey Tikhonov at 2021-06-17T12:25:50+02:00
KCM: reduce log severity in sec_get() in case entry not found

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b0474248 by Yuri Chornoivan at 2021-06-17T12:25:50+02:00
Fix minor typos in docs

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
2a3fb3bd by Justin Stephenson at 2021-06-17T12:25:50+02:00
KCM: Unset _SSS_LOOPS

Since sssd_kcm is working independently of other SSSD components,
especially the nss responder, and the kcm client side in libkrb5 of
course does not check for _SSS_LOOPS to protect sssd_kcm from calling
into itself, the variable is not needed.

This allows repeated getpwuid() calls in KCM renewals code to succeed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
daad8387 by Jakub Vavra at 2021-06-17T12:25:50+02:00
Tests: Add test_innetgr_threads

Verifies
Issue: #5540
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1703436

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
9d576e47 by Dan Lavu at 2021-06-17T12:28:39+02:00
tests: Adding multihost test for supporting asymmetric nsupdate auth

* https://bugzilla.redhat.com/show_bug.cgi?id=1884301

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
ff3f8570 by Dan Lavu at 2021-06-17T12:29:16+02:00
tests: Adding tests to cover ad discovery improvements using cldap

* This test requires a primary and secondary domain controller so AD can be moved between sites
* Currently contains four test cases
** Two DCs in one site no restrictions.
** Two DCs in one site, traffic blocked to the other DC
** DCs in separate sites no restrictions
** DCs in separate sites, traffic blocked to the other DC

Signed-off-by: Dan Lavu <dlavu at redhat.com>

SSSD-2497

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
68ed4d4a by Paweł Poławski at 2021-06-17T12:31:31+02:00
README: Dead social media link remove

Back in 2011 SSSD started using a Twitter account to broadcast releases.
The last time it happened was 13.06.2019 so this account can be considered
dead. This PR removes the link to it from the main README.

Resolves: https://github.com/SSSD/sssd/issues/5649

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4e3e8727 by Pavel Březina at 2021-06-17T15:36:27+02:00
tests: fix pep8 issues

- - - - -
a6e5d53a by Pavel Březina at 2021-06-18T12:33:05+02:00
kcm: terminate client on bad message

The debug message clearly says that the original intention was to
abort the client, not send an error message.

We may end up in a state where we get into an infinite loop, for example
when the client sends a message that indicates 0 length, but there is
actually more data written. In this case, we never read the rest of the
message but the file descriptor is still readable so the fd handler gets
fired again and again.

More information can be seen in relevant FreeIPA ticket:
https://pagure.io/freeipa/issue/8877

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
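The failure mode the commit above describes (a length field of 0 while bytes remain queued, so the fd stays readable and the handler fires forever) is easy to reproduce in a model. The following is an added example, not SSSD or KCM code: the 4-byte big-endian length header, the 4096-byte limit, the `frame_parse`/`drive_handler` names and the sample byte strings are all constructed for the illustration. `terminate_on_bad == 0` models the old "reply with an error and carry on" policy; `max_iterations` stands in for "forever".

```c
/* Added example, not SSSD code: length-prefixed framing on a client socket
 * and why a malformed length must terminate the client rather than be
 * answered with an error while its bytes stay unread. The 4-byte big-endian
 * header and the 4096-byte limit are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_MSG_LEN 4096

enum frame_result {
    FRAME_OK,          /* one complete message consumed */
    FRAME_NEED_MORE,   /* header or body incomplete: wait for more bytes */
    FRAME_DISCONNECT   /* malformed length: caller must close the client */
};

/* Parse one frame from buf. On FRAME_OK, *consumed is the number of bytes
 * taken (header plus body) and *body_len the body length. */
enum frame_result frame_parse(const uint8_t *buf, size_t len,
                              size_t *consumed, size_t *body_len)
{
    uint32_t mlen;

    if (len < 4) {
        return FRAME_NEED_MORE;
    }
    mlen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
         | ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];

    /* A zero length can never be a valid request and an oversized one will
     * never fit. If the handler only replied with an error here, the bytes
     * would stay queued, the fd would stay readable, and the event loop
     * would call the handler again with the same input, forever. */
    if (mlen == 0 || mlen > MAX_MSG_LEN) {
        return FRAME_DISCONNECT;
    }
    if (len < 4 + (size_t)mlen) {
        return FRAME_NEED_MORE;
    }
    *consumed = 4 + (size_t)mlen;
    *body_len = mlen;
    return FRAME_OK;
}

/* Simulates the fd handler being invoked while data remains. Returns the
 * number of handler invocations, or -1 if the client was terminated. */
int drive_handler(const uint8_t *buf, size_t len,
                  int terminate_on_bad, int max_iterations)
{
    size_t off = 0;
    int iterations = 0;

    while (off < len && iterations < max_iterations) {
        size_t consumed = 0, body = 0;

        iterations++;
        switch (frame_parse(buf + off, len - off, &consumed, &body)) {
        case FRAME_OK:
            off += consumed;
            break;
        case FRAME_NEED_MORE:
            return iterations;           /* go back to the event loop */
        case FRAME_DISCONNECT:
            if (terminate_on_bad) {
                return -1;               /* fixed behaviour: drop client */
            }
            break;                       /* old behaviour: nothing consumed */
        }
    }
    return iterations;
}

/* Constructed inputs: a zero-length header followed by stray bytes, and two
 * well-formed messages back to back. */
const uint8_t sample_bad[]  = { 0, 0, 0, 0, 'x', 'y' };
const size_t  sample_bad_len = sizeof sample_bad;
const uint8_t sample_good[] = { 0, 0, 0, 2, 'h', 'i', 0, 0, 0, 1, 'z' };
const size_t  sample_good_len = sizeof sample_good;

int main(void)
{
    printf("old policy, bad frame: %d invocations (capped)\n",
           drive_handler(sample_bad, sample_bad_len, 0, 10));
    printf("new policy, bad frame: %d (client terminated)\n",
           drive_handler(sample_bad, sample_bad_len, 1, 10));
    printf("good frames: %d invocations\n",
           drive_handler(sample_good, sample_good_len, 1, 10));
    return 0;
}
```

The point to carry over to any event-driven daemon: a read handler that can neither consume input nor close the connection on malformed input is a livelock, and the defensive choice when the framing is provably broken is to disconnect, which also keeps one misbehaving client from monopolising the event loop.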
8dba7476 by Alexey Tikhonov at 2021-06-21T13:36:25+02:00
DEBUG: don't reset debug_timestamps/microseconds to DEFAULT in `_sss_debug_init()`.

Otherwise `server_setup()` skips reading config settings.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
89a40e77 by Deepak Das at 2021-06-21T16:21:34+02:00
SSSD Log: invalid_argument msg mod

Improve invalid argument msg with additional information

Resolves: https://github.com/SSSD/sssd/issues/5578

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
71301ccf by Alexey Tikhonov at 2021-06-24T10:27:32+02:00
KCM: removed unneeded assignment

Fixes following warning:
```
Error: CLANG_WARNING:
sssd-2.5.1/src/responder/kcm/kcm_renew.c:481:9: warning[deadcode.DeadStores]: Value stored to 'ret' is never read
 #  479|       ctx = talloc_zero(auth_data, struct kcm_renew_auth_ctx);
 #  480|       if (ctx == NULL) {
 #  481|->         ret = ENOMEM;
 #  482|           DEBUG(SSSDBG_FATAL_FAILURE, "Failed to allocate renew auth ctx\n");
 #  483|           return;
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ac0c0b00 by Justin Stephenson at 2021-07-08T11:28:14+02:00
KCM: Drop unnecessary c-ares linking

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b9e60ae0 by Sumit Bose at 2021-07-08T11:28:27+02:00
man: clarify effects of sss_cache on the memory cache

Resolves: https://github.com/SSSD/sssd/issues/5697

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
e373408a by Sofia Nieves at 2021-07-08T11:28:42+02:00
Replacing freenode with libera

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
5feeb8ac by Shridhar Gadekar at 2021-07-08T11:30:12+02:00
Test: sudo rule with runAS set to short-username value

A sudo rule containing a sudoRunAs attribute set to a short username
should not generate an error in the sssd log.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
7646ac95 by Deepak Das at 2021-07-08T11:30:25+02:00
SSSD Log: log_bad_address_msg_mod

Improve Log Containing Bad Address string

Resolves: https://github.com/SSSD/sssd/issues/5577

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
865330c6 by Iker Pedrosa at 2021-07-08T12:28:04+02:00
cache_req: parse name to get shortname

Unless parse_name is set to false, parse the name to get the shortname in
cache_req_process_input(). Moreover, check that the input domain name
and the parsed domain name are equal and fail otherwise.

Updated unit tests to mock call to parse function.

Also include an integration test to check that UpdateMemberList()
and GetAll() return the correct users that are members of a group. This
is done by first adding a member to a group and checking that it is
returned correctly. Then, the member is deleted and the interface returns
no members.

Resolves: https://github.com/SSSD/sssd/issues/4255

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5288ddaa by Sumit Bose at 2021-07-09T11:36:19+02:00
files: split update into batches

If the files managed by the files provider contain many users or groups
processing them might take a considerable amount of time. To keep the
backend responsive this patch splits the update into multiple steps
running one after the other but returning to the main loop in between.

This avoids issues during startup because the watchdog timer state is
reset properly. Additionally SBUS messages are processed and as a result
the domain can be marked inconsistent in the frontends properly.

Resolves: https://github.com/SSSD/sssd/issues/5557

:fixes: Update large files in the files provider in batches to avoid
  timeouts

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
0fbd6740 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: add new option fallback_to_nss

To avoid blocking callers while SSSD's files provider is refreshing
/etc/passwd or /etc/group, allow falling back to the next NSS module,
which is typically libnss_files.

Resolves: https://github.com/SSSD/sssd/issues/5557

:config: Add new config option 'fallback_to_nss'

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
dd1aa579 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: delay refresh and not run in parallel

To avoid constant refreshes if /etc/passwd or /etc/group are modified
multiple times in a short interval the refresh is only started after 1s
of inactivity.

Additionally the request makes sure that only one instance is run.

Resolves: https://github.com/SSSD/sssd/issues/5557

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
19b85063 by Sumit Bose at 2021-07-09T11:36:19+02:00
files: queue certmap requests if a refresh is running

To make sure current and valid data is used when a certificate should be
matched to a user from the files provider the request has to wait until
a running refresh is finished.

Resolves: https://github.com/SSSD/sssd/issues/5557

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b4ee698a by Sumit Bose at 2021-07-09T11:36:19+02:00
cache_req: do not return cached data if domain is inconsistent

If a domain is inconsistent the cached data might be inconsistent as
well, so better not return it.

Resolves: https://github.com/SSSD/sssd/issues/5557

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b85984a3 by Pavel Březina at 2021-07-09T12:06:59+02:00
multihost: fix whitespace issues

whitespace test fails with:

```
Missing new line at the eof: src/tests/multihost/ipa/add-groups.ps1
Missing new line at the eof: src/tests/multihost/ipa/nestedgroups.csv
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
75c204ff by Pavel Březina at 2021-07-09T12:06:59+02:00
multihost: fix pep8 issues

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
17e339d5 by Paweł Poławski at 2021-07-12T20:44:33+02:00
SYSDB: Add search index "originalADgidNumber"

Commit 03bc962 introduced a change which can result in an
unindexed search in some scenarios. The result is a performance
drop compared to older SSSD versions.

This PR adds missing search index: originalADgidNumber

:relnote: Add search index "originalADgidNumber" to SYSDB

Resolves: https://github.com/SSSD/sssd/issues/5430

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ebf463f by Alexey Tikhonov at 2021-07-12T20:44:56+02:00
CACHE_REQ: fixed covscan issues

Fixed following warning:
```
Error: GCC_ANALYZER_WARNING (CWE-476):
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c: scope_hint: In function 'cache_req_data_create'
sssd-2.5.1/src/responder/common/cache_req/cache_req_data.c:160:28: warning[-Wanalyzer-null-dereference]: dereference of NULL '0'
 #  158|           break;
 #  159|       case CACHE_REQ_SVC_BY_NAME:
 #  160|->         if (input->svc.name->input == NULL) {
 #  161|               DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n");
 #  162|               ret = ERR_INTERNAL;
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f02ac230 by Pavel Březina at 2021-07-12T20:45:17+02:00
debug: add support for tevent chain id

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
881a1a41 by Pavel Březina at 2021-07-12T20:45:17+02:00
debug: enable chain id in backend

:feature: Debug messages in data provider include a unique request ID that can be used
  to track the request from its start to its end.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
161ff0e8 by Weblate at 2021-07-12T20:46:47+02:00
po: update translations

(Russian) currently translated at 20.7% (583 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Spanish) currently translated at 67.0% (1888 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Finnish) currently translated at 3.2% (91 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Ukrainian) currently translated at 100.0% (2814 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Ukrainian) currently translated at 97.7% (2750 of 2814 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

- - - - -
57ac5809 by Pavel Březina at 2021-07-12T20:53:56+02:00
pot: update pot files

- - - - -
a2fc3a3a by Pavel Březina at 2021-07-12T21:39:48+02:00
Update version in version.m4 to track the next release

- - - - -
1dae17bf by Justin Stephenson at 2021-07-14T11:42:34+02:00
TESTS: Make test_kcm_renewals idempotent

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dab4448d by Jakub Jelen at 2021-07-19T14:29:12+02:00
p11_child: Add missing newline after log message

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3e7aa107 by Yuri Chornoivan at 2021-07-19T14:30:21+02:00
Fix minor typo: indicated -> indicate

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b6fe76e7 by Anuj Borah at 2021-07-19T15:03:38+02:00
Tests: SSSD is generating a lot of LDAP queries in a very large environment

Issue: https://github.com/SSSD/sssd/issues/5121
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1772513

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
861e226b by Weblate at 2021-07-20T12:27:30+02:00
po: update translations

(Russian) currently translated at 47.2% (1333 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Japanese) currently translated at 36.5% (1030 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ja/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(French) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Japanese) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Japanese) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Korean) currently translated at 3.5% (26 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 41.1% (1160 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

Added translation using Weblate (Korean)

po: update translations

(Ukrainian) currently translated at 99.8% (2816 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

- - - - -
cdc75c53 by Sumit Bose at 2021-07-20T13:37:28+02:00
tests: do not use libcheck include file in cmocka tests

The common_check.h header file adds libcheck related macros which are
not needed by cmocka tests; using common.h is sufficient here.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
7fdff741 by Sumit Bose at 2021-07-20T13:37:28+02:00
test: replace deprecated libcheck macros

The fail* macros were deprecated by libcheck some time ago. Recently a
fix for a different issue in those macros caused a 'too many arguments
for format' compiler warning which won't be fixed on the libcheck side
since the macros are deprecated.

This patch replaces the deprecated macros with the new ones:

 - fail -> ck_abort_msg
 - fail_unless -> ck_assert_msg
 - fail_if -> sss_ck_fail_if_msg

The fail_if macro does not have a corresponding new version, so I added
a local replacement, sss_ck_fail_if_msg, which is based on ck_assert_msg.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9b24b8db by Anuj Borah at 2021-07-28T15:17:44+02:00
Tests: Add support to verify authentication indicators in pam_sss_gss

Error code of '[pam_cmd_gssapi_sec_ctx] (0x0400): Check if
acquired service ticket has req. indicators:'.
'2' is 'not applied' (ENOENT)

Verifies: https://github.com/SSSD/sssd/issues/5482

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1926622

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
85723a7b by Anuj Borah at 2021-07-28T15:18:01+02:00
Tests: fix sss_cache to also reset cached timestamp

Issue: https://github.com/SSSD/sssd/issues/5596

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1902280

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
6f1188a0 by Steeve Goveas at 2021-07-29T12:03:53+02:00
TEST: Add id and fix indentation in docstrings

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
f5460882 by Alexey Tikhonov at 2021-07-29T14:19:01+02:00
Basics of 'subid ranges' support for IPA provider.

:feature: Basic support for users' 'subuid and subgid ranges' in the IPA
provider and a corresponding plugin for shadow-utils were introduced.
Limitations:
 - single subid interval pair (subuid+subgid) per user
 - idviews aren't supported
 - only forward lookup (user -> subid ranges)
Note that this is an MVP of an experimental feature. Significant changes
might be required later, after initial feedback.
Corresponding support in shadow-utils was merged upstream, but since there
is no upstream release available yet, the SSSD feature isn't built by default.
The build can be enabled with the `--with-subid` configure option.
The plugin's install path can be configured with `--with-subid-lib-path=`
("${libdir}" by default).

For additional details about support in shadow-utils please see discussion
in https://github.com/shadow-maint/shadow/issues/154 and in related PRs.

:config: New IPA provider's option `ipa_subid_ranges_search_base` allows
configuration of search base for user's subid ranges.
Default: `cn=subids,%basedn`

Resolves: https://github.com/SSSD/sssd/issues/5197

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
44525a99 by Paweł Poławski at 2021-08-09T11:22:27+02:00
General: Hardening getenv() usage

Pointer returned by getenv() should be cached locally before
it is passed down to sub functions.

This PR fixes this for:
* pam_sm_authenticate()
* sysdb_ldb_connect()
* files_init_file_sources()

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
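Why the commit above insists on caching the getenv() pointer: the string it returns lives in the process environment, which setenv(), putenv() or unsetenv() further down the call chain may reallocate, so a raw pointer passed to sub-functions can silently go stale. The following is an added example, not SSSD code. `getenv_copy` and the `demo_*` functions are hypothetical names; the `(name, max_len, &value)` shape is loosely modelled on the `sss_getenv(TALLOC_CTX *, const char *, char **)` prototype quoted in a later commit of this log, with malloc standing in for talloc. The variable names are constructed for the demonstration.

```c
/* Added example, not SSSD code: take a private copy of a getenv() result
 * before handing it to other code. malloc stands in for talloc (assumption). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 0 with a malloc'ed copy in *out; ENOENT if the variable is unset;
 * EINVAL if it is empty or longer than max_len; ENOMEM on allocation failure.
 * Bounding the length is the other half of the hardening: environment
 * variables are attacker-influenced input for setuid/PAM code paths. */
int getenv_copy(const char *name, size_t max_len, char **out)
{
    const char *raw;
    size_t n;
    char *copy;

    if (name == NULL || out == NULL) {
        return EINVAL;
    }
    *out = NULL;
    raw = getenv(name);
    if (raw == NULL) {
        return ENOENT;
    }
    n = strlen(raw);
    if (n == 0 || n > max_len) {
        return EINVAL;
    }
    copy = malloc(n + 1);
    if (copy == NULL) {
        return ENOMEM;
    }
    memcpy(copy, raw, n + 1);
    *out = copy;
    return 0;
}

/* The copy keeps its value after the environment changes, while the raw
 * getenv() pointer must not be reused. Returns 1 on success, 0 otherwise. */
int demo_copy_survives_setenv(void)
{
    const char *var = "SSS_EXAMPLE_VAR";   /* constructed name */
    char *copy = NULL;
    int ok;

    if (setenv(var, "first", 1) != 0) {
        return 0;
    }
    if (getenv_copy(var, 64, &copy) != 0) {
        return 0;
    }
    /* Something down the call chain rewrites the environment. */
    if (setenv(var, "second-value-that-is-longer", 1) != 0) {
        free(copy);
        return 0;
    }
    ok = strcmp(copy, "first") == 0
         && strcmp(getenv(var), "second-value-that-is-longer") == 0;
    free(copy);
    unsetenv(var);
    return ok;
}

/* A value longer than the caller's limit is refused (returns EINVAL). */
int demo_rejects_oversized(void)
{
    const char *var = "SSS_EXAMPLE_LONG_VAR";   /* constructed name */
    char *copy = NULL;
    int ret;

    if (setenv(var, "0123456789abcdef", 1) != 0) {
        return -1;
    }
    ret = getenv_copy(var, 8, &copy);   /* 16 chars > max_len 8 */
    unsetenv(var);
    free(copy);
    return ret;
}

/* An absent variable is reported as ENOENT, not as an empty string. */
int demo_unset_is_enoent(void)
{
    const char *var = "SSS_EXAMPLE_UNSET_VAR";   /* constructed name */
    char *copy = NULL;

    unsetenv(var);
    return getenv_copy(var, 64, &copy);
}

int main(void)
{
    printf("copy survives setenv: %d\n", demo_copy_survives_setenv());
    printf("oversized -> EINVAL: %d\n", demo_rejects_oversized() == EINVAL);
    printf("unset -> ENOENT: %d\n", demo_unset_is_enoent() == ENOENT);
    return 0;
}
```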
365cd676 by Alexey Tikhonov at 2021-08-11T14:52:56+02:00
NSS: don't treat absent 'CLEAR_MC_FLAG' as an error (This is expected in case of SIGHUP sent for log rotation.)

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
45a07308 by Timo Aaltonen at 2021-08-16T11:01:06+03:00
Merge branch 'upstream'

- - - - -
ab7c8a29 by Timo Aaltonen at 2021-08-16T11:02:22+03:00
bump the version

- - - - -
30033e68 by Timo Aaltonen at 2021-08-16T11:10:32+03:00
fix-whitespace-test.diff: Refreshed.

- - - - -
7ab83f97 by Alexey Tikhonov at 2021-08-16T16:35:49+02:00
TOOLS: replace system() with execvp() to avoid execution of user supplied command

:relnote: A flaw was found in SSSD, where the sssctl command was
vulnerable to shell command injection via the logs-fetch and
cache-expire subcommands. This flaw allows an attacker to trick
the root user into running a specially crafted sssctl command,
such as via sudo, to gain root access. The highest threat from this
vulnerability is to confidentiality, integrity, as well as system
availability.
This patch fixes a flaw by replacing system() with execvp().

:fixes: CVE-2021-3621

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
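The CVE-2021-3621 fix above replaces system() with execvp(). The difference matters because system() hands one string to `/bin/sh -c`, where every shell metacharacter in a user-supplied argument is interpreted, whereas execvp() receives an argv vector and delivers each element to the program unchanged. The following is an added example, not the sssctl code: `build_shell_command`, `run_argv_capture` and the `demo_*` functions are hypothetical names, and `echo` plus the inputs are constructed stand-ins for the real subcommands. The vulnerable side only builds the string so the contrast is visible; it is never passed to system().

```c
/* Added example, not SSSD code: the command-injection shape behind
 * CVE-2021-3621 next to the execvp()-based fix. Inputs are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The vulnerable shape: user-controlled text spliced into a shell command
 * line. Passing the result to system() would run everything after ';' as a
 * separate command. Returns 0, or -1 if the buffer is too small. */
int build_shell_command(char *buf, size_t buflen, const char *user_arg)
{
    int n = snprintf(buf, buflen, "echo %s", user_arg);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* The fixed shape: fork, execvp() with an argv vector, collect the child's
 * stdout into out (NUL-terminated) and return its exit status, or -1 on
 * error. No shell is involved, so each argv element is one literal argument. */
int run_argv_capture(char *const argv[], char *out, size_t outlen)
{
    int pipefd[2];
    pid_t pid;
    size_t used = 0;
    ssize_t r;
    int status;
    char scratch[256];

    if (outlen == 0 || pipe(pipefd) != 0) {
        return -1;
    }
    pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return -1;
    }
    if (pid == 0) {
        close(pipefd[0]);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[1]);
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    close(pipefd[1]);
    while (used + 1 < outlen
           && (r = read(pipefd[0], out + used, outlen - used - 1)) > 0) {
        used += (size_t)r;
    }
    out[used] = '\0';
    while (read(pipefd[0], scratch, sizeof scratch) > 0) {
        /* drain what did not fit so the child never blocks on write */
    }
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Same user input through both paths. Returns 1 when the execvp() path
 * printed the input verbatim as one argument and the shell string shows the
 * metacharacters that system() would have interpreted. */
int demo_literal_argument(void)
{
    char *argv[] = { "echo", "hello; id", NULL };   /* constructed input */
    char out[128];
    char cmd[128];

    if (run_argv_capture(argv, out, sizeof out) != 0) {
        return 0;
    }
    if (build_shell_command(cmd, sizeof cmd, "hello; id") != 0) {
        return 0;
    }
    return strcmp(out, "hello; id\n") == 0
           && strcmp(cmd, "echo hello; id") == 0;
}

/* A missing program surfaces as status 127 the caller can act on. */
int demo_missing_program(void)
{
    char *argv[] = { "sss-example-no-such-binary", NULL };   /* constructed */
    char out[16];

    return run_argv_capture(argv, out, sizeof out);
}

int main(void)
{
    printf("argument passed literally: %d\n", demo_literal_argument());
    printf("missing program status: %d\n", demo_missing_program());
    return 0;
}
```

Two caveats a practitioner would keep in mind: execvp() still searches PATH, so a tool that may run as root (sssctl under sudo is the page's scenario) should exec an absolute path or set a fixed PATH first; and argv elements are still data to the invoked program, so arguments that may start with `-` should be separated with `--` where the program supports it.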
c1dd1211 by Paweł Poławski at 2021-08-16T16:36:10+02:00
general: Fix compilation warnings

Commit 44525a9 introduced compilation warnings related to type casting.
This commit fixes this by removing "const" qualifier where it is
optional.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
26654d3e by Sumit Bose at 2021-08-16T16:36:26+02:00
cache_req: cache_first fix for fully-qualified names

With commit b572871236a7f9059d375a5ab1bff8cbfd519956 "cache_req:
introduce cache_behavior enumeration" the processing of cache and
backend lookups was refactored. Unfortunately this introduced an issue
when looking up users or groups with a fully-qualified name and the
'cache_first = True' option is set.

In the old code the case when a domain name is available was handled
before the cache_first option was evaluated and cache_req was
instructed to first look in the cache and then call the backend if the
object is not available or expired, i.e. the default behavior. Since
only a single domain is involved this is in agreement with 'cache_first
= True' and only a single iteration is needed.

In the new code the cache_first option is evaluated before the presence
of a domain name is checked and as a result even for single domain
searches the first cache_req iteration is only looking at the cache and
will not call the backend. This means that now for searches with a
fully-qualified name a second iteration is needed if the object was not
found in the cache.

Unfortunately the old exit condition that if a domain name is present
only a single iteration is needed is still present in the new code which
effectively makes requests with fully-qualified names only search the
cache and never call the backends. This patch removes the exit condition
and does a second iteration for fully-qualified names as well if
'cache_first = True' is set.

Resolves: https://github.com/SSSD/sssd/issues/5744

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c8bd4e6c by Timo Aaltonen at 2021-08-18T13:26:54+03:00
control, rules: Drop libwbclient-sssd-*, support for it was dropped upstream.

- - - - -
b9f8c2f9 by Assaf Morami at 2021-08-23T12:27:48+02:00
p11_child: do_card partially fix loop exit condition when searching for token

This commit fixes the exit condition when searching for a token in p11_child/do_card,
specifically in case a token is present in a slot, but there are empty slots before it.

This commit partially fixes issue #5025,
thanks to this comment by @sumit-bose: https://github.com/SSSD/sssd/issues/5025#issuecomment-801842175

:relnote: p11_child does not stop at the first empty slot when searching for tokens

Co-Authored-By: Sumit Bose <sbose at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d41e956c by Justin Stephenson at 2021-08-23T12:28:15+02:00
MONITOR: Return success from genconf with no config

Resolves: https://github.com/SSSD/sssd/issues/5729

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd2ccbf6 by Alexey Tikhonov at 2021-08-25T11:41:28+02:00
file utils: reduce log level in remove_tree_with_ctx()

Users of this function are responsible for deciding whether a failure is critical.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a1f7035b by Pavel Březina at 2021-08-25T11:41:51+02:00
remove deprecated talloc_autofree_context()

```
/home/pbrezina/workspace/sssd/src/util/server.c: In function ‘server_setup’:
/home/pbrezina/workspace/sssd/src/util/server.c:545:5: error: ‘talloc_autofree_context’ is deprecated [-Werror=deprecated-declarations]
  545 |     event_ctx = tevent_context_init(talloc_autofree_context());
      |     ^~~~~~~~~
In file included from /usr/include/ldb.h:50,
                 from /home/pbrezina/workspace/sssd/src/util/server.c:33:
/usr/include/talloc.h:1071:16: note: declared here
 1071 | _PUBLIC_ void *talloc_autofree_context(void) _DEPRECATED_;
      |                ^~~~~~~~~~~~~~~~~~~~~~~
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
575e1899 by Pavel Březina at 2021-08-25T11:41:51+02:00
fix warnings around sss_getenv()

Introduced in
- 44525a9995c775ac284a6203d0e505dc4bf0d459
- c1dd121142fb22648793a38e45257b348d658460

```
/home/pbrezina/workspace/sssd/src/db/sysdb_init.c: In function ‘sysdb_ldb_connect’:
/home/pbrezina/workspace/sssd/src/db/sysdb_init.c:82:49: error: passing argument 3 of ‘sss_getenv’ from incompatible pointer type [-Werror=incompatible-pointer-types]
   82 |     ret = sss_getenv(tmp_ctx, LDB_MODULES_PATH, &mod_path);
      |                                                 ^~~~~~~~~
      |                                                 |
      |                                                 const char **
In file included from /home/pbrezina/workspace/sssd/src/db/sysdb_init.c:23:
/home/pbrezina/workspace/sssd/src/util/util.h:806:75: note: expected ‘char **’ but argument is of type ‘const char **’
  806 | errno_t sss_getenv(TALLOC_CTX *mem_ctx, const char *variable_name, char **_value);

/home/pbrezina/workspace/sssd/src/providers/files/files_init.c: In function ‘files_init_file_sources’:
/home/pbrezina/workspace/sssd/src/providers/files/files_init.c:61:26: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
   61 |         dfl_passwd_files = DEFAULT_PASSWD_FILE;
      |                          ^
/home/pbrezina/workspace/sssd/src/providers/files/files_init.c:77:25: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
   77 |         env_group_files = DEFAULT_GROUP_FILE;
      |                         ^
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9f58bef3 by Justin Stephenson at 2021-08-30T10:57:36+02:00
CI: unset DEBUGINFOD_URLS

Fedora 35 adds support for automatically fetching debuginfo; this
causes slowness in valgrind and leads to timeouts/systemd-oomd being
invoked on the CI make check valgrind step.

https://fedoraproject.org/wiki/Changes/DebuginfodByDefault

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a67d3bc8 by Anuj Borah at 2021-08-30T10:57:50+02:00
Test: Fix RHEL9.0 Regression - alltests-tier1

There is no "implicit" 'files provider' enabled
by default on RHEL9; SSSD doesn't serve local
users unless you configure it in the `domains`
list explicitly. So adding a domain with
id_provider = files.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
818e4f92 by Shridhar Gadekar at 2021-09-02T11:34:46+02:00
Tests: Randomize sudo refresh timeouts

Verifies: #5609

Bugzilla: @pytest.fixture(scope='function')

Signed-off-by: Shridhar Gadekar <sgadekar at sgadekar.pnq.csb>

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
c037432c by Alexey Tikhonov at 2021-09-02T11:35:05+02:00
BUILD: get rid of PCRE support

:relnote: This release removes pcre1 support. pcre2 is used
unconditionally.

Resolves: https://github.com/SSSD/sssd/issues/5768

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6acb1d63 by Alexey Tikhonov at 2021-09-02T11:35:05+02:00
UNICODE: drop support of glib2 for Unicode processing

:relnote: This release drops support of `--with-unicode-lib` configure option.
`libunistring` will be used unconditionally for Unicode processing.

Resolves: https://github.com/SSSD/sssd/issues/5767

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3e94b64d by Alexey Tikhonov at 2021-09-03T14:50:56+02:00
Got rid of 'local' provider.

:relnote: Support of long time deprecated 'local' provider was dropped.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a9218fbe by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Restore functionality of --wait_for_card

Previously, the loop in do_card() would find the first PKCS#11 slot with
support for removable tokens, whether or not a token was present. If one
was not, and --wait_for_card was specified, then it would wait for a token
to be inserted in this slot (or any slot in the same PKCS#11 module).

Commit b9f8c2f99d04 ("p11_child: do_card partially fix loop exit condition
when searching for token") changed the loop so it finds the first PKCS#11
slot that has a removable token present. Adjust this to allow the existing
handling of --wait_for_card to work when no token is found. Fixes #5746.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
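The two p11_child commits above (b9f8c2f9, which stops the loop from halting at the first empty slot, and a9218fbe, which restores --wait_for_card when no token is present) are easiest to follow as three versions of one loop. The following is an added example, not the p11_child code: `slot_entry`, `pick_slot_old`, `pick_slot_fixed` and the `demo_*` functions are hypothetical names, the slot tables are constructed, and the real loop obtains its slot list and flags from the PKCS#11 module rather than from an array. `CKF_TOKEN_PRESENT` and `CKF_REMOVABLE_DEVICE` carry their PKCS#11 values; waiting in the first removable slot is the model chosen here for the restored --wait_for_card handling.

```c
/* Added example, not SSSD code: a model of p11_child's slot-selection loop
 * before b9f8c2f9 and after b9f8c2f9 + a9218fbe. Slot tables are constructed. */
#include <stddef.h>
#include <stdio.h>

#define CKF_TOKEN_PRESENT    0x00000001UL   /* PKCS#11 CK_SLOT_INFO flag */
#define CKF_REMOVABLE_DEVICE 0x00000002UL   /* PKCS#11 CK_SLOT_INFO flag */

struct slot_entry {
    unsigned long id;      /* stands in for CK_SLOT_ID */
    unsigned long flags;   /* stands in for CK_SLOT_INFO.flags */
};

enum pick {
    PICK_TOKEN,   /* a slot with a token present was selected */
    PICK_WAIT,    /* no token yet: wait for insertion in the selected slot */
    PICK_NONE     /* nothing usable */
};

/* Loop before b9f8c2f9: stop at the first slot that supports removable
 * devices, whether or not a token is present. With an empty reader listed
 * ahead of the populated one, the token is never found. */
enum pick pick_slot_old(const struct slot_entry *s, size_t n,
                        int wait_for_card, size_t *idx)
{
    for (size_t i = 0; i < n; i++) {
        if (s[i].flags & CKF_REMOVABLE_DEVICE) {
            *idx = i;
            if (s[i].flags & CKF_TOKEN_PRESENT) {
                return PICK_TOKEN;
            }
            return wait_for_card ? PICK_WAIT : PICK_NONE;
        }
    }
    return PICK_NONE;
}

/* Loop after both commits: prefer the first removable slot that has a token;
 * if none has one and --wait_for_card is set, wait in the first removable
 * slot (model of a9218fbe's restored handling). */
enum pick pick_slot_fixed(const struct slot_entry *s, size_t n,
                          int wait_for_card, size_t *idx)
{
    size_t first_removable = n;

    for (size_t i = 0; i < n; i++) {
        if (!(s[i].flags & CKF_REMOVABLE_DEVICE)) {
            continue;
        }
        if (s[i].flags & CKF_TOKEN_PRESENT) {
            *idx = i;
            return PICK_TOKEN;
        }
        if (first_removable == n) {
            first_removable = i;
        }
    }
    if (wait_for_card && first_removable < n) {
        *idx = first_removable;
        return PICK_WAIT;
    }
    return PICK_NONE;
}

/* Constructed tables: an empty reader before a populated one, and readers
 * with no token at all. */
static const struct slot_entry slots_with_token[] = {
    { 0, CKF_REMOVABLE_DEVICE },
    { 1, CKF_REMOVABLE_DEVICE | CKF_TOKEN_PRESENT },
    { 2, 0 },                                  /* non-removable slot */
};
static const struct slot_entry slots_empty[] = {
    { 0, CKF_REMOVABLE_DEVICE },
    { 1, CKF_REMOVABLE_DEVICE },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* The pre-b9f8c2f9 loop stops at the empty reader and reports no token. */
int demo_old_loop_misses_token(void)
{
    size_t idx = 0;
    return pick_slot_old(slots_with_token, COUNT(slots_with_token), 0, &idx)
           == PICK_NONE;
}

/* The fixed loop skips the empty reader and selects slot index 1. */
int demo_fixed_loop_finds_token(void)
{
    size_t idx = 0;
    return pick_slot_fixed(slots_with_token, COUNT(slots_with_token), 0, &idx)
           == PICK_TOKEN && idx == 1;
}

/* With no token anywhere and --wait_for_card, the fixed loop still yields a
 * slot to wait in instead of giving up (the regression a9218fbe repaired). */
int demo_fixed_loop_waits_when_empty(void)
{
    size_t idx = 99;
    return pick_slot_fixed(slots_empty, COUNT(slots_empty), 1, &idx)
           == PICK_WAIT && idx == 0;
}
```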
f3aa4b47 by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Ensure OpenSSL cleanup is performed

OpenSSL is initialized during init_p11_ctx(), which also sets a destructor
that will perform OpenSSL cleanup when p11_ctx is freed.

During init_verification(), the destructor for p11_ctx is replaced, and as
a result OpenSSL cleanup will no longer occur. Merge these destructors into
one which works correctly whether or not init_verification() was called.

Additionally, OpenSSL cleanup does not occur if the memory allocation for
p11_ctx fails. Re-order the steps in init_p11_ctx() so this is not needed.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3f1d03fc by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Handle failure from p11_kit_uri_new()

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f5a9d814 by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Return updated CK_SLOT_INFO from wait_for_card()

When a token has been inserted, wait_for_card() returns the corresponding
slot ID. Update the slot info as well.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a036fc87 by David Ward at 2021-09-06T13:57:07+02:00
p11_child: Fix printing of non-null-terminated strings in do_card()

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ccebfc9c by Jakub Vavra at 2021-09-07T08:17:03+02:00
Tests: Add test_nss_get_by_name_with_private_group.

Verifies
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1837090

- - - - -
e8055b8a by Weblate at 2021-09-07T15:52:32+02:00
po: update translations

(Korean) currently translated at 9.1% (258 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 6.5% (48 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Finnish) currently translated at 3.2% (92 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Korean) currently translated at 6.4% (47 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Swedish) currently translated at 98.9% (2791 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Korean) currently translated at 8.1% (230 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 5.6% (41 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Swedish) currently translated at 98.2% (2771 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 97.2% (2743 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 97.1% (2741 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 95.7% (2701 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Russian) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Russian) currently translated at 100.0% (2821 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 3.5% (99 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Swedish) currently translated at 95.5% (2696 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Russian) currently translated at 98.0% (2766 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Swedish) currently translated at 93.2% (2631 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Turkish) currently translated at 10.9% (80 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Swedish) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Russian) currently translated at 92.9% (2623 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Russian) currently translated at 85.8% (2422 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Turkish) currently translated at 7.3% (54 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 2.3% (67 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 6.1% (45 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 82.4% (2327 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 2.3% (66 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 5.7% (42 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 78.6% (2219 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 76.6% (2162 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 2.2% (64 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Russian) currently translated at 75.1% (2119 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Spanish) currently translated at 67.2% (1898 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Russian) currently translated at 100.0% (730 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Korean) currently translated at 1.2% (35 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 4.6% (34 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

Added translation using Weblate (Korean)

po: update translations

(Russian) currently translated at 61.2% (1729 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 52.8% (1490 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

- - - - -
9e47b63e by Pavel Březina at 2021-09-08T10:36:23+02:00
configure: do not unset PYTHON_PREFIX and PYTHON_EXEC_PREFIX

Recent changes in autoconf changed location of directories from:

```
checking for /usr/bin/python3 script directory... ${prefix}/lib/python3.9/site-packages
checking for /usr/bin/python3 extension module directory... ${exec_prefix}/lib64/python3.9/site-packages
```

to

```
checking for /usr/bin/python3 script directory... ${PYTHON_PREFIX}/lib/python3.10/site-packages
checking for /usr/bin/python3 extension module directory... ${PYTHON_EXEC_PREFIX}/lib64/python3.10/site-packages
```

However, we unset these variables in SSS_CLEAN_PYTHON_VARIABLES and
therefore the correct prefix is not applied anymore during installation.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
1d4095fb by Steeve Goveas at 2021-09-08T10:36:40+02:00
TEST: usermod -d needs absolute path

usermod -d failed when it was given an empty string to update. This was
noticed in #5754. Updating test to check for modified home dir

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4b7b6fa7 by Justin Stephenson at 2021-09-08T10:36:55+02:00
KCM: Add krb5-libs dependency in spec

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b606eb62 by Pavel Březina at 2021-09-09T10:23:53+02:00
spec: fix invalid condition

This was introduced in 4b7b6fa70399654b8a6d2f691be832c0680ee1fb

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
dfb6594e by Pavel Březina at 2021-09-13T12:03:35+02:00
ad: fallback to ldap if cldap is not available in libldap

Some distributions do not have cldap support available in libldap. Now
we fall back to ad ping over ldap conditionally during build time.

Resolves: https://github.com/SSSD/sssd/issues/5720

:fixes: AD ping is now sent over `ldap` if `cldap` support is not available
  during build. This helps to build SSSD on distributions without `cldap`
  support in `libldap`.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
bd422ccd by Anuj Borah at 2021-09-16T11:17:33+02:00
Tests: Suppress log message

Suppress log message "[sssd] [service_signal_done]
(0x0010): Unable to signal service [2]:
No such file or directory" during logrotate

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1909755

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
c3a8aad2 by Anuj Borah at 2021-09-16T11:18:16+02:00
Tests: RHEL9.0 Regression - alltests-tier1_2

1. 'files provider' enabled
2. nss-pam-ldapd has been removed from rhel9.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
8640fa90 by Timo Aaltonen at 2021-09-16T13:44:56+03:00
fix_newer_autoconf.patch: Don't unset python prefix/exec-prefix.

- - - - -
a8d94f30 by Timo Aaltonen at 2021-09-16T13:53:32+03:00
patches: Fix CVE-2021-3621. (Closes: #992710)

- - - - -
86c472f5 by Timo Aaltonen at 2021-09-16T14:35:12+03:00
close a bug, builds with current autoconf now

and someone requested the new version

"Fix setXYent(): rewind always" is also included

- - - - -
bc484ad2 by Timo Aaltonen at 2021-09-16T14:52:05+03:00
releasing package sssd version 2.5.2-1

- - - - -
ef6aa9e4 by Sumit Bose at 2021-09-20T13:00:51+02:00
krb5: fix ccache ownership for offline Smartcard authentication

During Smartcard authentication/PKINIT the krb5_child process is running
as privileged user for some time to make sure pcscd allows access to the
Smartcard. If SSSD is offline those privileges are currently not dropped
before creating an empty ccache and as a result file based ccaches might
have a wrong ownership. With the patch the privileges are dropped if
SSSD is offline and the ccache is created with the expected ownership.

Resolves: https://github.com/SSSD/sssd/issues/5785

:fixes: ccache files are created with the right ownership during offline
  Smartcard authentication

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a5716cd7 by Jakub Vavra at 2021-09-20T13:07:48+02:00
Tests: Add AD Parameters tests ported from bash.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
6dff5576 by Timo Aaltonen at 2021-09-20T17:38:17+03:00
rules: Disable tests for now. (Closes: #994479)

- - - - -
f64f3720 by Timo Aaltonen at 2021-09-20T17:38:26+03:00
releasing package sssd version 2.5.2-2

- - - - -
10fd3c51 by Timo Aaltonen at 2021-09-22T10:40:11+03:00
rules, add-cap_dac_override.diff: Explicitly set sssd-user as root, and add CAP_DAC_OVERRIDE so files owned by sssd system user can be read by the service. (Closes: #994807)

- - - - -
aeab7bd8 by Timo Aaltonen at 2021-09-22T10:40:28+03:00
install: Add sssd-pcsc.rules to -common.

- - - - -
23692067 by Timo Aaltonen at 2021-09-22T11:41:07+03:00
postinst: Correct file/dir permissions and ownership when the daemon is run as root.

- - - - -
6f09ad58 by Timo Aaltonen at 2021-09-22T11:42:25+03:00
dac override patch is not needed when permissions are corrected

- - - - -
eca5bf35 by Timo Aaltonen at 2021-09-22T17:33:05+03:00
0001-ad-fallback-to-ldap-if-cldap-is-not-available-in-lib.patch: Our libldap is built without LDAP_CONNECTIONLESS, cope with that. (Closes: #994879)

- - - - -
b19b59bc by Timo Aaltonen at 2021-09-22T18:54:14+03:00
releasing package sssd version 2.5.2-3

- - - - -
e92988a6 by Sumit Bose at 2021-09-24T14:24:10+02:00
debug: reduce logging of GetAccountDomain() in the frontends

The return code ERR_GET_ACCT_DOM_NOT_SUPPORTED is an expected return
code if the backend does not support the GetAccountDomain() request and
there is no need to have a log message for this on the default log level
or to trigger a backtrace in the logs in this case.

For all other errors a log message at the default log level makes sense to
indicate an issue in the backend, but a backtrace in the frontend logs is
not needed either.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ca8b655f by Sumit Bose at 2021-09-24T14:24:10+02:00
debug: suppress backtrace for backend errors

Only log a message in the frontend without a backtrace if the backend
returns an error.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2a617c0e by Sumit Bose at 2021-09-24T14:24:21+02:00
sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap
object is needed to lookup trusted domains.

This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770

:fixes: Even if the forest root is disabled for lookups all required
  internal data is initialized to be able to refresh the list of trusted
  domains in the forest from a DC of the forest root.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
aab4fe9c by Anuj Borah at 2021-09-24T14:24:41+02:00
Tests: SSSD logs improvements: clarify which config option applies to each timeout in the logs

issue: https://github.com/SSSD/sssd/issues/5514

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928648

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4be5fcd9 by Sumit Bose at 2021-09-24T14:26:11+02:00
sysdb: more specific mpg search filter

Originally all users of an mpg domain had an automatically created
user-private group and as a result the ID space was unified in the sense
that a given ID either belongs to a group or to a user with a
user-private group.

With the introduction of id-overrides and the auto_private_groups option
this assumption is not true anymore and as a result the search filter
for GIDs must be more specific with respect to the user objects.

Resolves: https://github.com/SSSD/sssd/issues/5790

:fixes: Improve mpg search filter to be more reliable with id-overrides
  and the new auto_private_groups options.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
10d33986 by Anuj Borah at 2021-10-01T12:51:14+02:00
Tests: Fix RHEL8.5 failures for IDM-CI

Fix test case:  test_009_maps_after_coming_online
Fix some code errors in utils.py

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
f0925489 by Steeve Goveas at 2021-10-01T12:51:41+02:00
Tests: Add firewalld package install on clients

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
b22f6195 by Anuj Borah at 2021-10-01T12:51:53+02:00
Tests: sss_cache prints spurious error messages

verifies: https://github.com/SSSD/sssd/issues/4904

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661182

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
fd3e397c by Justin Stephenson at 2021-10-05T11:21:44+02:00
KCM: Remove unneeded allocation

Memory is allocated later for the individual ccache when retrieved
with secdb_get_cc()

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e0d85ab6 by Shridhar Gadekar at 2021-10-05T11:21:57+02:00
Tests: improve sssd refresh timers for sudo queries

verifies:#5604

bugzilla:https://github.com/shridhargadekar/sssd/pull/new/sssd-3162

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
aca2e08b by Pavel Březina at 2021-10-05T11:22:08+02:00
krb5: remove unused mem_ctx from get_krb5_data_from_cred()

Also don't return value since it is useless.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
55c5de2d by Pavel Březina at 2021-10-05T11:22:08+02:00
kcm: replace existing credentials to avoid unnecessary ccache growth

Currently, we just append the input credential to the ccache. This however
makes the ccache grow over time as credentials expire and more control
credentials are stored.

Now we remove old credentials that are the same and overwrite them with
the input credential.

Resolves: https://github.com/SSSD/sssd/issues/5775

:fixes: KCM now replaces the old credential with the new one when storing
  an updated credential that is already present in the ccache
  to avoid unnecessary growth of the ccache.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
57247096 by Massimiliano Torromeo at 2021-10-05T11:22:21+02:00
TEST: Use absolute path for the MODPATH assertions in python tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
efd155f0 by Sergio Durigan Junior at 2021-10-05T11:22:32+02:00
Improve assertion when verifying paths for Python modules

In Ubuntu we're facing a problem where the 3 Python tests under
src/tests/*-test.py are failing due to cosmetical differences between
what the '.__file__' method returns and what 'MODPATH' ends up being.

I have not been able to pinpoint exactly what is causing this issue;
it only happens when SSSD is built inside a chroot environment (with
sbuild, for example).  The logs look like this:

F
======================================================================
FAIL: testImport (__main__.PyHbacImport)
Import the module and assert it comes from tree
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/<<PKGBUILDDIR>>/src/tests/pyhbac-test.py", line 91, in testImport
    self.assertEqual(pyhbac.__file__, MODPATH + "/pyhbac.so")
AssertionError: '/<<PKGBUILDDIR>>/build/./tp_pyhbac_xw2omut2/pyhbac.so' != './tp_pyhbac_xw2omut2/pyhbac.so'
- /<<PKGBUILDDIR>>/build/./tp_pyhbac_xw2omut2/pyhbac.so
+ ./tp_pyhbac_xw2omut2/pyhbac.so

Given that the intention of the test is to verify that the two paths
are equal, I suggest that we do this slight improvement and call
'os.path.realpath' before comparing both paths.  This way we guarantee
that they're both properly canonicalized.

I have verified that the tests still pass with this change.

Signed-off-by: Sergio Durigan Junior <sergio.durigan at canonical.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
9121fbf9 by Anuj Borah at 2021-10-06T12:56:47+05:30
Tests: Remove shadow-utils test cases from sssd repo

- - - - -
51eaed9d by Anuj Borah at 2021-10-06T11:06:54+02:00
Tests: Fix Failure of sssctl_local test

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
3d8dd128 by Justin Stephenson at 2021-10-06T11:07:05+02:00
debug: Add chain ID support for journald logger

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1a1e914b by Mantas Mikulėnas at 2021-10-06T11:07:17+02:00
NSS client: avoid using NETDB_INTERNAL if daemon is not available

It seems that returning NETDB_INTERNAL as h_errno will cause glibc's
getaddrinfo() to immediately return EAI_SYSTEM *without* falling through
to other configured NSS modules.

This means that if /etc/nsswitch.conf has 'sss' listed before 'dns' (for
example), hostname resolution will be completely broken whenever SSSD is
not running.

(Even hostname lookups done by SSSD itself will fail, as the _SSS_LOOPS
environment variable merely forces errno=0 but the getaddrinfo() call as
a whole still returns EAI_SYSTEM.)

This commit makes the NSS client return h_errno=NO_RECOVERY, as that's
what systemd's nss-resolve and nss-mymachines seem to be doing.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
770c7ce9 by Pavel Březina at 2021-10-07T12:39:10+02:00
debug: fix unused variable warnings

```
/home/pbrezina/workspace/sssd/src/util/debug.c: In function ‘sss_vdebug_fn’:
/home/pbrezina/workspace/sssd/src/util/debug.c:274:11: error: unused variable ‘result_fmt’ [-Werror=unused-variable]
  274 |     char *result_fmt;
      |           ^~~~~~~~~~
/home/pbrezina/workspace/sssd/src/util/debug.c:273:11: error: unused variable ‘chain_id_fmt_dyn’ [-Werror=unused-variable]
  273 |     char *chain_id_fmt_dyn = NULL;
      |           ^~~~~~~~~~~~~~~~
/home/pbrezina/workspace/sssd/src/util/debug.c:272:10: error: unused variable ‘chain_id_fmt_fixed’ [-Werror=unused-variable]
  272 |     char chain_id_fmt_fixed[256];

```

Introduced in: 3d8dd1282ffb7d0188e36d0109340ce622745717

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c4c0fd69 by Alexey Tikhonov at 2021-10-07T12:40:35+02:00
CONF: removed unused 'sbus_timeout' option

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8ed53d28 by Timotej Lazar at 2021-10-07T12:41:40+02:00
Include sys/types.h in debug.h

The chown_debug_file function has uid_t and gid_t arguments, defined
in types.h.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
bb6d9d9c by Pavel Březina at 2021-10-11T14:28:46+02:00
monitor: fix unused variable warning

```
src/monitor/monitor.c: In function ‘get_monitor_config’:
src/monitor/monitor.c:898:9: error: unused variable ‘timeout_seconds’ [-Werror=unused-variable]
  898 |     int timeout_seconds;
```

Introduced in c4c0fd690d82f9a8a714784ad4e036a39e1017fc.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
10069b1d by Alexey Tikhonov at 2021-10-11T14:28:57+02:00
Got rid of 'secrets' responder and its support in KCM

:relnote: Support of long time deprecated 'secrets' responder was dropped.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5bb5380c by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
libsecrets was disbanded and merged into KCM responder as this is its only user now.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9466aa4d by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
KCM: secrets db: got rid of legacy json format support

sssd_kcm doesn't use this format to store ccaches since 2.4.1

:relnote: Support of legacy json format for ccaches was dropped

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f5431c3a by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
KCM: secrets db: got rid of legacy encrypted payload format

sssd_kcm doesn't use this format to store ccaches since 2.4.1

Additionally, some leftovers of 'secrets' responder support were removed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dfb97f07 by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
crypto: removed sss_encrypt()/sss_decrypt() helpers as those aren't used anymore.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29f8a795 by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
TESTS: avoid cross-test tainting of os.environ

Operations on `os.environ` reference were leaking settings from one test
to another (in particular `KRB5CCNAME` from `test_kcm.py` to
`test_pam_responder.py`)

Discovered by Pavel Březina.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1e64a762 by Alexey Tikhonov at 2021-10-11T14:28:58+02:00
KCM: secdb: treat secdb_get_cc() == ENOENT the same way as corresponding key_by_*() == ENOENT (mostly)

Everywhere secdb_get_cc() is used there is a corresponding
key_by_*() executed first to create a `secdb_key`.
There is special handling in place already for a case when
key_by_*() returns ENOENT (return NULL cc, ERR_NO_CREDS).
And this seems to be properly handled further down the code paths.

Hence it makes sense to use the same logic if secdb_get_cc(secdb_key)
returns ENOENT - from the point of view of the users of those functions there should
be no difference.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
629f149e by Weblate at 2021-10-11T14:43:33+02:00
po: update translations

(Korean) currently translated at 12.3% (349 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 28.0% (205 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 12.2% (345 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 27.1% (198 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 11.5% (326 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Turkish) currently translated at 13.5% (99 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 26.9% (197 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Spanish) currently translated at 66.2% (1804 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 88.7% (648 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Czech) currently translated at 4.0% (111 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/

po: update translations

(Czech) currently translated at 87.3% (638 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 26.3% (192 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 10.3% (291 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 26.3% (192 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 26.3% (192 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 9.8% (278 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Swedish) currently translated at 100.0% (2724 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Finnish) currently translated at 5.7% (42 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Finnish) currently translated at 3.3% (91 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Korean) currently translated at 9.6% (271 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 11.6% (85 of 730 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2724 of 2724 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

- - - - -
11c7f6a6 by Pavel Březina at 2021-10-11T14:55:53+02:00
pot: update pot files

- - - - -
07cd441a by Timo Aaltonen at 2021-10-11T17:38:48+03:00
control: Make sssd-common to break older versions of libnss-sss and libpam-sss. (Closes: #995730)

- - - - -
9e188bae by Timo Aaltonen at 2021-10-11T17:44:24+03:00
common: Drop old Breaks/Replaces.

- - - - -
4e37fc66 by Timo Aaltonen at 2021-10-11T17:46:01+03:00
control: Promote libnss-sss and libpam-sss to sssd-common Depends. (Closes: #995730)

- - - - -
332af07d by Timo Aaltonen at 2021-10-11T17:46:10+03:00
releasing package sssd version 2.5.2-4

- - - - -
79412710 by Sumit Bose at 2021-10-13T19:29:35+02:00
krb5: use hidden file when creating config snippets

When creating config snippets for libkrb5 SSSD first creates a temporary
file with a random suffix and renames this file after all content is
written. If this temporary file is not properly removed or renamed due
to an error it might confuse libkrb5.

To avoid this confusion with this patch the temporary files are created
as hidden files, the name will start with a '.', which are ignored by
libkrb5.

Resolves: https://github.com/SSSD/sssd/issues/5824

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
03f6ef36 by Alexey Tikhonov at 2021-10-13T19:29:48+02:00
krb5_child: fixed incorrect checks on length value

It is safer to isolate the checked (unknown/untrusted) value on
the left hand side in the conditions to avoid overflows/underflows.

(addition to 9f0bffebd070115ab47a92eadc6890a721c7b78d)

Resolves: https://github.com/SSSD/sssd/issues/2739

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

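The left-hand-side rule from the commit above, as an added example in C that is not SSSD's code: the length-prefixed message layout, the sample bytes and every function name here are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example (not SSSD code): bounds checks on a length read from an
 * untrusted buffer. The message layout is constructed for this example:
 * a 4-byte big-endian length followed by that many payload bytes.
 */

/* Pattern the commit warns about: arithmetic on the untrusted length
 * before the comparison. If len is close to SIZE_MAX, pos + len wraps
 * around and the check wrongly passes. */
bool len_ok_unsafe(size_t pos, size_t len, size_t total)
{
    return pos + len <= total;
}

/* Pattern the commit recommends: the untrusted value stands alone on the
 * left-hand side and is compared against a bound computed only from
 * trusted values, so no wrap-around is possible. */
bool len_ok_safe(size_t pos, size_t len, size_t total)
{
    if (pos > total) {
        return false;
    }
    return len <= total - pos;
}

/* Read one length-prefixed field at *pos using the safe check.
 * Returns the payload length, or -1 if the header is truncated or the
 * declared length does not fit in the remaining buffer. */
long read_lv_field(const uint8_t *buf, size_t buf_len, size_t *pos,
                   const uint8_t **payload)
{
    uint32_t len;

    /* Header check: the 4 length bytes themselves must still fit. */
    if (!len_ok_safe(*pos, sizeof(len), buf_len)) {
        return -1;
    }
    len = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16)
        | ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += sizeof(len);

    /* Payload check: untrusted len on the left, remaining space on the right. */
    if (!len_ok_safe(*pos, len, buf_len)) {
        return -1;
    }
    *payload = buf + *pos;
    *pos += len;
    return (long)len;
}

/* Constructed sample: a field "abc" followed by a field that claims
 * 0xFFFFFFFF payload bytes, which must be rejected. */
const uint8_t SAMPLE_MSG[] = {
    0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',
    0xFF, 0xFF, 0xFF, 0xFF,
};

/* Length of the first field in buf, or -1 if it is malformed. */
long first_field_len(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    const uint8_t *p;

    return read_lv_field(buf, buf_len, &pos, &p);
}

/* Number of well-formed fields before the first malformed one. */
int count_valid_fields(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    int n = 0;
    const uint8_t *p;

    while (pos < buf_len) {
        if (read_lv_field(buf, buf_len, &pos, &p) < 0) {
            break;
        }
        n++;
    }
    return n;
}
```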
- - - - -
01ff8155 by Alexey Tikhonov at 2021-10-13T19:30:02+02:00
MONITOR: reduce log severity around signalling and termination of services to avoid useless backtraces in those cases

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8e22258c by Anuj Borah at 2021-10-13T19:30:13+02:00
Tests: support subid ranges managed by FreeIPA

issue: https://github.com/SSSD/sssd/issues/5197

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1803943

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
3343b5a8 by Justin Stephenson at 2021-10-14T11:28:41+02:00
DP: Log offline warning for REQ_TRACE tracking

This allows the sssctl analyze parsing tool to report if the
backend was offline when the request came in to the data
provider.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
26086212 by Justin Stephenson at 2021-10-14T11:28:41+02:00
Responder: Log client uid that started a request

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
82e051e1 by Justin Stephenson at 2021-10-14T11:28:41+02:00
TOOLS: Add sss_analyze utility

Add log parsing tool which can be used to track requests across
responder and backend logs.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
097feb32 by Justin Stephenson at 2021-10-14T11:28:41+02:00
SSSCTL: Add analyze command

Wrapper for sss_analyze

Print a message about limited functionality when tevent chain ID
support is not built.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd71ae53 by Pavel Březina at 2021-10-14T11:43:05+02:00
Release sssd-2.6.0

- - - - -
62527473 by Alexey Tikhonov at 2021-10-18T12:37:03+02:00
DEBUG: fix missing "va_end"

Fixes following warning:
```
Error: VARARGS (CWE-237):
sssd-2.6.0/src/util/debug.c:294: va_init: Initializing va_list "ap_fallback".
sssd-2.6.0/src/util/debug.c:305: missing_va_end: "va_end" was not called for "ap_fallback".
 #  303|                                  debug_chain_id, format);
 #  304|                   if (ret < 0) {
 #  305|->                     return;
 #  306|                   }
 #  307|                   result_fmt = chain_id_fmt_dyn;
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
305120b9 by Anuj Borah at 2021-10-21T14:51:50+02:00
Tests: Regression 8.5 - sssd-ipa

Changing sys_hostname to ip helps in testing in internal CI systems

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
92e16799 by Tomas Halman at 2021-10-21T14:52:01+02:00
CONFDB: Change ownership of config.ldb

Config database is owned by root. This prevents our socket
activated services from starting because they are started under
the sssd user. Changing the ownership to sssd fixes the issue.

Resolves: https://github.com/SSSD/sssd/issues/5781

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
7db6cfd0 by Tomas Halman at 2021-10-21T14:52:01+02:00
CONFDB: Change ownership before dropping privileges

From previous SSSD version, config file can exist and can be
owned by root. To allow smooth transition we can change
the ownership.

This commit can be reverted later.

Resolves: https://github.com/SSSD/sssd/issues/5781

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
766fe623 by Alexey Tikhonov at 2021-10-21T15:15:57+02:00
GPO: fixed compilation warning

Fixes following compilation warning:
```
../src/providers/ad/ad_gpo.c: In function ‘ad_gpo_access_send’:
../src/util/debug.h:138:5: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
  138 |     sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  139 |                  level, \
      |                  ~~~~~~~~
  140 |                  format, ##__VA_ARGS__); \
      |                  ~~~~~~~~~~~~~~~~~~~~~~
../src/providers/ad/ad_gpo.c:1847:5: note: in expansion of macro ‘DEBUG’
 1847 |     DEBUG(SSSDBG_TRACE_FUNC, "service %s maps to %s\n", service,
      |     ^~~~~
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
84a4230b by Alexey Tikhonov at 2021-10-21T15:15:57+02:00
KCM: fixed uninitialized value

Fixes following warnings:
```
Error: UNINIT (CWE-457):
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:285: var_decl: Declaring variable "ret" without initializer.
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323: uninit_use: Using uninitialized value "ret".
 #  321|       krb5_free_context(kctx);
 #  322|
 #  323|->     return ret;
 #  324|   #else
 #  325|       return EOK;

Error: CLANG_WARNING:
sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323:5: warning[core.uninitialized.UndefReturn]: Undefined or garbage value returned to caller
 #  321|       krb5_free_context(kctx);
 #  322|
 #  323|->     return ret;
 #  324|   #else
 #  325|       return EOK;
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bb94a18f by Pavel Březina at 2021-10-25T14:30:18+02:00
cache_req: return success for autofs when ENOENT is returned from provider

The receive function should return true if the data provider lookup was
successful and false if there was an error. A "Not found" result is
considered a successful lookup; only failure to perform a search
should result in a false return code.

Resolves: https://github.com/SSSD/sssd/issues/5832

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
8db2485c by Pavel Březina at 2021-10-25T14:30:39+02:00
sbus: maintain correct refcount before sending a reply

sbus_reply decreases the refcount of @reply. This usually means that
the refcount drops to zero and the message is freed. However, under
special circumstances the refcount is increased inside libdbus,
the refcount will be 1 when we leave the function and we drop it
to zero in talloc_free(state) later in this function. This will
leave an invalid message to be sent inside the dbus connection and
eventually crash.

Increasing the refcount here makes sure that the refcount is always
correct.

Resolves: https://github.com/SSSD/sssd/issues/5672

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
de6eba31 by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
Removed excessive includes around 'strtonum'

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a2cc7dae by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
'strtonum' helpers: usage sanitization

To properly check for an error during string to number conversion
one needs to:
 - check `errno`
 - check that something was really converted (i.e. start != end)
 - (if this is expected) check that entire string was consumed

Some of those error conditions weren't checked in various locations
over the code.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
3c17a57e by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
'strto*()': usage sanitization

To properly check for an error during string to number conversion
one needs to:
 - check `errno`
 - check that something was really converted (i.e. start != end)
 - (if this is expected) check that entire string was consumed

Some of those error conditions weren't checked in various locations
over the code.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
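The two commits above list the three checks a correct `strto*()` call needs. As an added example (not SSSD's `strtonum` helpers), here is a strict decimal-to-`int32_t` converter that performs all of them plus a range check, returning errno-style codes so each failure mode is distinguishable. The function name `parse_int32_strict` is hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Strictly convert a decimal string to int32_t.
 * Returns 0 on success, EINVAL if nothing was converted or trailing
 * characters remain, ERANGE if the value does not fit in int32_t. */
int parse_int32_strict(const char *str, int32_t *out)
{
    char *end = NULL;
    long long val;

    if (str == NULL || *str == '\0') {
        return EINVAL;
    }

    errno = 0;                       /* strtoll only sets errno, never clears it */
    val = strtoll(str, &end, 10);

    if (errno == ERANGE) {           /* check 1: errno (overflow of long long) */
        return ERANGE;
    }
    if (end == str) {                /* check 2: something was actually converted */
        return EINVAL;
    }
    if (*end != '\0') {              /* check 3: the entire string was consumed */
        return EINVAL;
    }
    if (val < INT32_MIN || val > INT32_MAX) {  /* narrow to the target type */
        return ERANGE;
    }

    *out = (int32_t)val;
    return 0;
}
```

Note that `strtoll` silently skips leading whitespace and accepts a sign; if the input format forbids those, they have to be rejected before the call, since none of the three checks above will catch them.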
a664e9ce by Alexey Tikhonov at 2021-10-25T14:30:57+02:00
TESTS: fixed a bug in define->string conversion

Previously result of `AS_STR(OFFLINE_TIMEOUT)` was "OFFLINE_TIMEOUT"
instead of expected integer value.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
48234ed8 by Anuj Borah at 2021-10-25T15:14:57+02:00
Tests: sss_override does not take precedence over override_homedir directive

bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1919942

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
86413e5f by Alexey Tikhonov at 2021-10-27T13:43:02+02:00
SUDO: decrease log level in case object wasn't found

It is expected that the sudo responder can be requested to look up an unknown entry.
One typical example is a lookup for a local user.

Resolves: https://github.com/SSSD/sssd/issues/5839

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
bd521abe by Shridhar Gadekar at 2021-11-01T11:10:44+01:00
Tests: pam_sss_gss.so doesn't work with large kerberos tickets #5815

Verifies: #5568
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1948657

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
7cba8ed6 by Alexey Tikhonov at 2021-11-01T11:10:56+01:00
KCM: delete malformed 'cn=default' entries

This is needed to cleanup outdated entries in old (encrypted)
format that are no longer supported.

Steps to reproduce:

With an old SSSD version that still writes encrypted content in secrets db:
 - obtain any ticket (even one ticket is enough)
 - `kswitch -c ...` to any cache (any successful execution of `kswitch`
   will use `SET_DEFAULT_CACHE` KCM op and create
   'cn=default,cn=$uid,cn=persistent,cn=kcm' entry)

Then update SSSD and try `klist`:
 - 2.6.0 version will fail with "[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size ..."
 - 2.6.0 + this patch will remove this entry:
```
[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size 152, deleting this entry
[sss_sec_delete] (0x0400): Removing a secret from [persistent/1000/default]
```
and continue as if default isn't set (since all encrypted entries will be purged,
cache will appear empty)

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
301659a6 by Iker Pedrosa at 2021-11-01T11:11:09+01:00
proxy: allow removing group members

The proxy provider doesn't allow removing group members once they have
been added. This patch allows it by looping over the member list from
the cache and comparing it with the actual membership list. If a member
is missing then it's removed from the cache.

Resolves: https://github.com/SSSD/sssd/issues/5783

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4c48c4a7 by Sumit Bose at 2021-11-02T13:09:28+01:00
ad: filter trusted domains

The fix for https://github.com/SSSD/sssd/issues/5528 might discover
domains which are not trusted (one-way trust) or are from a different
forest (direct trust). Both should be ignored because they are not
trusted or can currently not be handled properly. This patch filters out
those domains.

Resolves: https://github.com/SSSD/sssd/issues/5819

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4292f9fd by Fernando Apesteguia at 2021-11-04T12:12:58+01:00
Fix untranslated string

Promote format string to gettext's PRIu64 instead of using SSSD's
SPRIuid which is not recognized. This caused the original string to be
truncated in the translation files.

How to test:

Apply patch and run:

make -C po/ update-pot

Translations should contain the full string now:

msgid "Running under %, must be root\n"

Resolves: #5738

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e8b43cc8 by Alexey Tikhonov at 2021-11-04T12:13:12+01:00
SSH: changed default value of `ssh_hash_known_hosts` to false

:config: Default value of `ssh_hash_known_hosts` setting was changed
to false for the sake of consistency with OpenSSH that does not hash
host names by default.

Typical use case of this feature in general is FreeIPA where this is
configured and automatically used. Since by default any IPA user can
read the list of all hosts and the public host keys from LDAP directly,
the content of the file can be considered as public information anyway.

Resolves: https://github.com/SSSD/sssd/issues/5848

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
60353300 by Justin Stephenson at 2021-11-04T12:13:25+01:00
Tests: Fix warning about deprecated res_randomid()

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b30861d8 by Alexey Tikhonov at 2021-11-05T12:42:47+01:00
SPEC: enabled build of 'subid ranges' support

Since feature support in shadow-utils is available since
upstream release version 4.9, support in SSSD can also be
enabled by default.

:packaging: 'subid ranges' support was enabled by default.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d469a810 by Alexey Tikhonov at 2021-11-05T12:42:47+01:00
SPEC: disable running files provider by default

This is to sync Fedora and upstream spec-files.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7121e56d by Alexey Tikhonov at 2021-11-05T12:42:47+01:00
INTG-TESTS: enable build of 'subid ranges' support

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7bfdd3db by Stanislav Levin at 2021-11-05T12:42:58+01:00
pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC

IPA domain controller may not support desktop profiles since this
functionality is optional and distributed as the IPA plugin:

- in case of online authentication ipa_session detects such DC properly
  and returns PAM_SUCCESS for ENOENT, nothing is cached on sysdb (see
  ipa_deskprofile_get_config_send/ipa_deskprofile_get_config_done and
  ipa_pam_session_handler_done for details).

- in case of offline authentication ipa_session falls back to cache and
  receives ENOENT (since nothing was cached previously). But *any* error
  is treated as actual error and overall result is PAM_SESSION_ERR (see
  ipa_pam_session_handler_save_deskprofile_rules and
  ipa_pam_session_handler_done for details).  Note: actually, only
  deskprofile_get_cached_priority breaks PAM session since
  ipa_common_get_cached_rules successfully handles ENOENT.

- in either case sssd tries to send dbus notification to fleet
  commander even if there are no desktop profile rules to apply.

With this change ENOENT result of cache query is treated similarly
to ENOENT result of actual backend query (PAM_SUCCESS).

Resolves: https://github.com/SSSD/sssd/issues/5846
Signed-off-by: Stanislav Levin <slev at altlinux.org>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bb8da430 by Alexey Tikhonov at 2021-11-08T11:33:29+01:00
DEBUG: avoid backtrace dups.

In case the same error(s) is repeated again and again repeating the same
backtrace doesn't add much value. In this case let's add just a note.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bd903865 by Alexey Tikhonov at 2021-11-08T11:33:48+01:00
P11: refactoring of get_preferred_rsa_mechanism()

Flattened code structure and more accurate errors handling.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
71b6d548 by Alexey Tikhonov at 2021-11-08T11:33:48+01:00
P11: add support of 'CKM_RSA_PKCS' mechanism

Resolves: https://github.com/SSSD/sssd/issues/5854

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b5073394 by Alexey Tikhonov at 2021-11-08T11:33:48+01:00
TESTS: added two tests to check cert auth with specific RSA mechanisms: CKM_RSA_PKCS and CKM_SHA384_RSA_PKCS. (CKM_SHA384_RSA_PKCS is arbitrary chosen as one of CKM_SHA*_RSA_PKCS family)

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a4877ee3 by Timo Aaltonen at 2021-11-08T21:17:01+02:00
control: Fix libsemanage-dev build-dep. (Closes: #998634)

- - - - -
14adef9a by Timo Aaltonen at 2021-11-08T21:17:38+02:00
releasing package sssd version 2.5.2-5

- - - - -
cf75d897 by Iker Pedrosa at 2021-11-09T11:08:23+01:00
ifp: new interface to validate a certificate

New interface to validate a certificate. The input is the certificate to
validate and the output the user path.

:feature: New infopipe method FindByValidCertificate() which accepts the
certificate as input, validates it against configured CAs, and outputs
the user path on success. This is similar to the existing
FindByCertificate(), but that does not do any trust validation.

Resolves: https://github.com/SSSD/sssd/issues/5224

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
50e6070e by Iker Pedrosa at 2021-11-09T11:08:23+01:00
Tests: ifp interface to validate certificate

Integration test to check the interface that validates the user
certificate.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
232ba7f0 by Justin Stephenson at 2021-11-09T15:57:33+01:00
DP: Resolve intermediate groups prior to SR overlay

SSSD SR exclude_groups checking can fail when only intermediate
groups are fetched during the login process. Add a step to
resolve these groups during Initgroups processing to ensure
the exclude groups check matches against the group name correctly.

This logic exists already similarly in the simple access provider.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8406af35 by Weblate at 2021-11-09T15:58:26+01:00
po: update translations

(Korean) currently translated at 12.6% (331 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 30.6% (189 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 29.6% (183 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Spanish) currently translated at 68.8% (1804 of 2621 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 93.3% (576 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Finnish) currently translated at 6.1% (38 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 12.4% (326 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2621 of 2621 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (617 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (617 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

- - - - -
19a902a1 by Pavel Březina at 2021-11-09T16:03:44+01:00
pot: update pot files

- - - - -
02183611 by Pavel Březina at 2021-11-09T16:05:41+01:00
Release sssd-2.6.1

- - - - -
282cdde3 by Timo Aaltonen at 2021-11-12T13:31:29+02:00
Merge branch 'upstream'

- - - - -
c48b62af by Timo Aaltonen at 2021-11-17T19:08:07+02:00
patches: Dropped upstream patches.

- - - - -
f4ecffd6 by Timo Aaltonen at 2021-11-17T19:19:56+02:00
control: Add libunistring-dev to build-depends.

- - - - -
9b7a3f9a by Timo Aaltonen at 2021-11-17T19:20:37+02:00
sssd-common.install: Drop libsss_secrets, removed upstream.

- - - - -
6ef374fb by Timo Aaltonen at 2021-11-17T19:49:35+02:00
tools: Add sss_analyze.

- - - - -
b227f59c by Timo Aaltonen at 2021-11-17T20:33:36+02:00
releasing package sssd version 2.6.1-1

- - - - -
edb7cfb2 by Timo Aaltonen at 2021-11-18T14:09:15+02:00
control: Migrate to PCRE2. (Closes: #999951)

- - - - -
a10172a9 by Steeve Goveas at 2021-11-24T09:07:17+01:00
Test: Update marker to tier1_2 for some ad tier1 tests

To reduce test runtime to around 1 hour

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
94bc8a35 by Steeve Goveas at 2021-11-24T09:07:18+01:00
Test: fix the restore of ldap.conf in test_0016_forceLDAPS

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
c6207ead by Shridhar Gadekar at 2021-11-25T13:11:55+01:00
Tests: autofs lookups for unknown mounts are delayed for 50s

Verifies: #5832
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2013218

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
2b41ffd4 by Shridhar Gadekar at 2021-11-25T13:11:55+01:00
removed the testcase

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
23afbce7 by Shridhar Gadekar at 2021-11-25T13:11:55+01:00
Verifies: #5832 Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2013218

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
54dd529d by Tomas Halman at 2021-11-25T13:12:13+01:00
CONFDB: check the return values

Covscan pointed out that return value of chown and sete[ug]id is
not checked in some cases. There is not much we can do
in case of failure so only minor failure is logged.

Resolves: https://github.com/SSSD/sssd/issues/5876

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
be687109 by Dhairya Parmar at 2021-11-25T13:12:28+01:00
TEST: Lookup with fully-qualified name with 'cache_first = True'

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5744
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2013294

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
5615ffa6 by Steeve Goveas at 2021-11-25T13:12:41+01:00
TEST: Remove check for rhel 9 to enable CRB repo

Tests will run for 8.6 and rhel 9 and both need CRB to be enabled.
Removing the check for rhel 9, to make it work for 8.6 as well

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
1831c50d by Steeve Goveas at 2021-11-25T13:51:41+01:00
TESTS: Add tier2 marker for ipa tests

Some of the ipa tests would be executed as tier1 tests. Added markers
for the ones that were not marked and would run as tier2 tests

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
34ee1b3e by Steeve Goveas at 2021-11-26T12:16:50+01:00
TEST: Add missing polarion requirements to tests

Some tests were not linked to polarion requirements.
The subid tests added recently are linked to
"IDM-IPA-REQ: ipa subid range" in this PR.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
b2eb01e5 by Shridhar Gadekar at 2021-11-26T12:17:02+01:00
Tests: Removed secondary group shown in cache

Verifies: #5783
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1917970

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
6dae77c8 by Alexey Tikhonov at 2021-12-02T12:35:13+01:00
Monitor: reduce log severity and add error text in case of fail to read from netlink fd.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
a34e3090 by Iker Pedrosa at 2021-12-02T12:35:24+01:00
ifp: fix covscan issues

Fix covscan issues introduced in commit
cf75d897b8ef03fdc471059214e86824f19b1bd1

Resolves: https://github.com/SSSD/sssd/issues/5877

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
66472035 by Vincent Vanlaer at 2021-12-02T12:35:38+01:00
LDAP: expire accounts when today >= shadowExpire

This brings the behavior of SSSD with regards to account expiry based on
shadow attributes in line with other projects.

Resolves: https://github.com/SSSD/sssd/issues/5873

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
886ba465 by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Fix printing of non-null-terminated strings in wait_for_card()

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e3e27466 by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Include return value of PKCS #11 API calls in debug messages

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d1f0dbf1 by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Make debug messages about URI matching more specific

Indicate whether the URI does not match the module info, slot info, slot ID
or token info. Only print the URI once in the debug messages.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd8b5260 by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Perform URI matching inside wait_for_card()

If the slot or token does not match the URI, continue waiting for another
token instead of failing.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2bd61f4b by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Check if module supports C_WaitForSlotEvent()

If the module does not support blocking calls to C_WaitForSlotEvent(), use
non-blocking calls separated by a one-second delay. If these calls are not
supported either, then return with failure.

Before this change, if blocking calls were not supported, wait_for_card()
passed an uninitialized slot ID to C_GetSlotInfo() after a 10-second wait.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a4c222b by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Allow slot changes to take effect before resuming search

After the slot list has been obtained with C_GetSlotList(), a module cannot
expose any new or removed slots, until C_GetSlotList() is called again with
NULL as the second argument.

Do this instead of reloading all of the modules before resuming the search
for a slot/token.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
17ac1290 by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Adjust exit conditions when looping over modules/slots

When a slot is found that supports removable tokens, set "module". If the
slot contains a usable token, set "slot_id", and use this condition to exit
the loop immediately.

With this change, the flags in the slot info can be checked earlier.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
33fa634b by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Skip uninitialized tokens

These cannot be used for authentication, and attempting to open a session
results in failure.

With this change, obtain token_info unconditionally when looping over
slots/tokens.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1c24c3ee by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Combine subsequent loops over certificate list

With this change, obtain module_info unconditionally when looping over
slots/tokens.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4d877816 by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Filter certificate list in place

A subset of the items in all_cert_list are copied in memory and added to
cert_list. all_cert_list does not get used again, and its items are never
freed directly. Instead, just populate cert_list and remove the unwanted
items from it (freeing their memory after doing so).

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1cc7b802 by David Ward at 2021-12-02T12:35:52+01:00
p11_child: Handle failure when obtaining module list or names

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b37e2713 by Sumit Bose at 2021-12-03T14:00:25+01:00
ad: require name when looking up root domain

To properly identify the forest root domain the name of this domain is
needed. It is discovered with a cldap-ping requesting the netlogon
attribute. If the name is missing it does not make sense to proceed
further because there is currently no other way to determine the forest
root domain.

Resolves: https://github.com/SSSD/sssd/issues/5820

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4508ef5f by Sumit Bose at 2021-12-03T14:00:25+01:00
ad: move current site and forest name to a more global context

Currently only during the DNS discovery steps the stored forest and site
name are reused to avoid redundant lookups. Since those names are needed
in other areas of the code as well it would be good to make them
available in a more global context.

Resolves: https://github.com/SSSD/sssd/issues/5820

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
99c41619 by Sumit Bose at 2021-12-03T14:00:25+01:00
ad: use already discovered forest name

If the cldap-ping on the current connection does not return a reply with
the name of the forest root and the site of the client the stored values
from the DNS discovery step are used.

Resolves: https://github.com/SSSD/sssd/issues/5820

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
918abaf3 by Sumit Bose at 2021-12-03T14:00:25+01:00
ad: make ad_srv_plugin_ctx_switch_site() public

If the names of the AD DCs are given explicitly with the ad_server option
the forest and site lookups are not done in the discovery phase, which
is skipped, but with a netlogon query on the current connection. This
patch makes sure the results are stored in the same way as during the
discovery step.

Resolves: https://github.com/SSSD/sssd/issues/5820

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
724293d0 by Sumit Bose at 2021-12-03T14:00:25+01:00
ad: only send cldap-ping to our local domain

Since we are using the name of the local domain in the search filter of
the CLDAP ping only a DC from the local domain can send a proper reply.
DCs from other domains will only return an error so we can skip the
CLDAP ping for those domains.

Resolves: https://github.com/SSSD/sssd/issues/5822

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c0941810 by Sumit Bose at 2021-12-03T14:00:25+01:00
cldap: use dns_resolver_server_timeout timeout for cldap ping

Currently the cldap ping is using the ldap_search_timeout since it is
basically a LDAP search operation. However, the default of
ldap_search_timeout is 6s which is quite a long time for the discovery
of the AD DCs where the cldap ping is a part of. The default even
collides with the default of dns_resolver_timeout which might easily
lead to failures during the discovery phase.

To avoid the addition of a new option this patch is using
dns_resolver_server_timeout, which has a default of 1000ms (1s), as new
timeout for the cldap ping. Since the original purpose of the timeout is
the waiting time for a reply from a DNS server and both DNS and cldap by
default use UDP I think reusing the option here is justified.

Resolves: https://github.com/SSSD/sssd/issues/5875

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
beb5dd52 by Alexey Tikhonov at 2021-12-07T13:19:15+01:00
SSS_CLIENT: fixed few covscan issues

Fixes following covscan issues:
```
Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:75: tainted_argument: Calling function "sss_cli_make_request_with_checks" taints argument "*repbuf".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: identity_transfer: Passing "repbuf + 4UL" as argument 2 to function "safealign_memcpy", which sets "num_results" to the dereference of that argument.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: tainted_data_transitive: Call to function "safealign_memcpy" with tainted argument "*repbuf" transitively taints "num_results".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:116: tainted_data: Passing tainted expression "num_results * 16UL" to "malloc", which uses it as an allocation size.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:116: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
 #  114|       }
 #  115|
 #  116|->     *ranges = malloc(num_results * sizeof(struct subid_range));
 #  117|       if (!*ranges) {
 #  118|           free(repbuf);

Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:75: tainted_argument: Calling function "sss_cli_make_request_with_checks" taints argument "*repbuf".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: identity_transfer: Passing "repbuf + 4UL" as argument 2 to function "safealign_memcpy", which sets "num_results" to the dereference of that argument.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: tainted_data_transitive: Call to function "safealign_memcpy" with tainted argument "*repbuf" transitively taints "num_results".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:122: tainted_data: Using tainted variable "num_results" as a loop boundary.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:122: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
 #  120|       }
 #  121|
 #  122|->     for (uint32_t c = 0; c < num_results; ++c) {
 #  123|           SAFEALIGN_COPY_UINT32(&val, repbuf + index, &index);
 #  124|           (*ranges)[c].start = val;

Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:176: tainted_argument: Calling function "shadow_subid_list_owner_ranges" taints argument "amount".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:183: tainted_data: Using tainted variable "amount" as a loop boundary.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:183: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
 #  181|       *result = false;
 #  182|
 #  183|->     for (int i = 0; i < amount; ++i) {
 #  184|           if ((range[i].start <= start) &&
 #  185|               (range[i].start + range[i].count >= end)) {
```

Resolves: https://github.com/SSSD/sssd/issues/5878

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
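The TAINTED_SCALAR findings above all stem from one root cause: a count read out of a reply buffer is used as an allocation size and loop bound without first being bounded by the bytes actually received. The following is an added example (not the SSSD client code) of parsing such a length-prefixed reply defensively: the count is checked against the remaining buffer length and a fixed policy cap before any `malloc` or loop. The wire format, `MAX_RANGES`, and the function names are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct range {
    uint32_t start;
    uint32_t count;
};

/* Policy cap on how many entries a single reply may carry, independent of
 * buffer size (an assumption for this example). */
#define MAX_RANGES 4096u

/* Constructed wire format: uint32 num_results, then num_results pairs of
 * uint32 {start, count}, all in host byte order. */
#define ENTRY_SIZE (2 * sizeof(uint32_t))

/* Encoder used to build sample replies; returns bytes written, 0 on no space. */
size_t encode_ranges(const struct range *r, uint32_t n, uint8_t *buf, size_t cap)
{
    size_t need = sizeof(uint32_t) + (size_t)n * ENTRY_SIZE;
    size_t off = 0;

    if (cap < need) {
        return 0;
    }
    memcpy(buf + off, &n, sizeof n);
    off += sizeof n;
    for (uint32_t i = 0; i < n; i++) {
        memcpy(buf + off, &r[i].start, sizeof r[i].start);
        off += sizeof r[i].start;
        memcpy(buf + off, &r[i].count, sizeof r[i].count);
        off += sizeof r[i].count;
    }
    return need;
}

/* Parse a reply from an untrusted peer. The count is tainted input: it is
 * validated against the bytes present and against MAX_RANGES before it is
 * used as an allocation size or loop boundary. Caller frees *out. */
int parse_ranges(const uint8_t *buf, size_t len, struct range **out, uint32_t *out_n)
{
    uint32_t n;
    size_t off = sizeof(uint32_t);
    struct range *r;

    if (buf == NULL || len < sizeof(uint32_t)) {
        return EINVAL;
    }
    memcpy(&n, buf, sizeof n);           /* unaligned-safe read of the count */

    /* Bound the count by what the buffer can physically contain ... */
    if (n > (len - sizeof(uint32_t)) / ENTRY_SIZE) {
        return EINVAL;
    }
    /* ... and by what the application is willing to accept. */
    if (n > MAX_RANGES) {
        return EINVAL;
    }

    if (n == 0) {
        *out = NULL;
        *out_n = 0;
        return 0;
    }

    /* n * sizeof *r cannot overflow: n * ENTRY_SIZE <= len already holds. */
    r = malloc((size_t)n * sizeof *r);
    if (r == NULL) {
        return ENOMEM;
    }
    for (uint32_t i = 0; i < n; i++) {   /* loop bound is now sanitized */
        memcpy(&r[i].start, buf + off, sizeof r[i].start);
        off += sizeof r[i].start;
        memcpy(&r[i].count, buf + off, sizeof r[i].count);
        off += sizeof r[i].count;
    }
    *out = r;
    *out_n = n;
    return 0;
}
```

Checking the count against the received length is what turns an attacker-chosen allocation size into a bounded one; the separate policy cap protects against a peer that really does send megabytes of well-formed entries.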
a56b8d1a by Pavel Březina at 2021-12-07T13:19:37+01:00
utils: ignore systemd and sd-pam process in get_active_uid_linux()

We iterate processes in /proc to get the list of active users (users
that have any process running). However, a recent change in systemd makes
the systemd and sd-pam processes linger for a few more seconds when the user has
logged out, which breaks the no-session functionality in the pam responder.

If a user is logged in, a process other than systemd and sd-pam must be
running. Therefore we can just ignore these from the list.

```
admin     351997  0.4  0.0  22648 14636 ?        Ss   13:25   0:00 /usr/lib/systemd/systemd --user
admin     351999  0.0  0.0 201464  7756 ?        S    13:25   0:00 (sd-pam)
```

Resolves: https://github.com/SSSD/sssd/issues/5900

:fixes: Quick log out and log in did not correctly refresh
  user's initgroups in `no_session` PAM schema due to lingering
  systemd processes.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29515ace by Anuj Borah at 2021-12-09T10:11:06+01:00
Tests: Podman supports subid ranges managed by FreeIPA

Podman supports subid ranges managed by FreeIPA

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
23b9c5e9 by Jakub Vavra at 2021-12-09T10:11:21+01:00
Tests: Add test for bz1636002.

Verifies: #5782
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1636002

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cde56349 by Anuj Borah at 2021-12-10T13:05:18+01:00
Tests: Fix pytest-alltests-tier1

https://bugzilla.redhat.com/show_bug.cgi?id=1914843

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
9acd1177 by Pavel Březina at 2021-12-13T20:15:29+01:00
intg: remove unused is_secrets_socket()

Use of this function was removed in:
10069b1d39e671b7502c5211883c94ceaa91aebb

```
sssd/build/../src/tests/intg/getsockopt_wrapper.c:31:13: error: ‘is_secrets_socket’ defined but not used [-Werror=unused-function]
   31 | static bool is_secrets_socket(int fd)
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5ee8657c by Alexey Tikhonov at 2021-12-13T20:15:39+01:00
SPEC: avoid weak dependencies

Require packages if really needed, suggest otherwise.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c6ad2827 by Dan Lavu at 2021-12-13T20:17:03+01:00
Adding multidomain test cases for bz2013297 and bz2018432

Created multidomain pytest test suite
- test cases for bz2013297 and bz2018432 have been added
- testsuite will provision a parent and tree domain and two children
- qeclass had to be modified to count AD servers outside of a single
  domain to allow pytest-multihost to work.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
9c447dc8 by Iker Pedrosa at 2021-12-13T20:19:17+01:00
usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3d25724d by Iker Pedrosa at 2021-12-13T20:19:17+01:00
man: sssd.conf and sssd-ifp clarify user option

user and allowed_uids options should be accessible via the files service
of nsswitch.conf.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d4357235 by Alexey Tikhonov at 2021-12-13T20:19:37+01:00
P11_CHILD: fix mem leak in case get_preferred_rsa_mechanism() doesn't match anything.

Spotted by David Ward at https://github.com/SSSD/sssd/pull/5855#discussion_r767161781

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2a3035d3 by Iker Pedrosa at 2021-12-15T12:51:39+01:00
contrib: sssd krb5 configuration snippet

Add a configuration snippet for krb5 that points to the folder where the
sssd configuration for this service is located. This will enable
passwordless (GSSAPI) ssh to work without any sssd configuration change.

Resolves: https://github.com/SSSD/sssd/issues/5893

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3ef7952e by Justin Stephenson at 2021-12-16T13:43:06+01:00
Analyzer: Remove python-click dependency

As python-click will not be in RHEL9, switch to using the builtin
argparse python module.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
46843d02 by Iker Pedrosa at 2021-12-16T17:06:32+01:00
test: fix pep8 complaint

Fix pep8 complaint about over-indentation in the test_multidomain.py file. I
guess this is only happening in RHEL8 and Debian because the tool was
forked to pycodestyle, only the fork is being updated, and pycodestyle isn't
available for those distributions from the package manager.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1e747fad by Iker Pedrosa at 2021-12-17T20:42:55+01:00
krb5: write kdcinfo.* file with port configuration

When writing the 'kdcinfo.*' file take into account all the information
set in the 'krb5_server' option, including the port. This wasn't taken
into account and that's why the kerberos child only used the address
part, thus being unable to contact the service in the server.

Resolves: https://github.com/SSSD/sssd/issues/5919

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8d54b8c0 by Iker Pedrosa at 2021-12-17T22:45:48+01:00
man: update ifp options for FindByValidCertificate

Include a reference to ca_db, p11_child_timeout and
certificate_verification in sssd-ifp man page. These options can be used
to control how the certificates are validated with the
FindByValidCertificate() API.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fd0f087a by Iker Pedrosa at 2021-12-17T22:45:48+01:00
ifp: improve FindByValidCertificate() error

Improve the error handling for FindByValidCertificate() by returning a
specific exception ID when the certificate authority file is missing.
Moreover, the log lines have been changed to point to p11_child logs
when an unknown error happens.

Finally, a new test case has been created for the certificate authority
file missing situation.

Resolves: https://github.com/SSSD/sssd/issues/5911

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
21caecae by Scott Poore at 2021-12-20T15:12:50+01:00
Tests: add docstring in intg/test_infopipe.py

Adding docstring to test_find_by_valid_certificate to define some
metadata for tracking the test case.

Minimal content needed is:
- """<test_function_name_next_to_opening_docstring_quotes>
- <blank line after opening quotes>
- :id: <generated UUID>
- :title: SSSD-TC: <Feature or functional area>: <Title of test>
- :casecomponent: sssd
- :subsystemteam: sst_idm_sssd

The id and title will differ per tests going forward but, the last two
are defaults needed.

The opening quotes line needs to include the test function or method
name so that the UUID used for the id is associated with function name
within the docstring.  The blank line is also needed after to indicate
the start of the parameters list.

Command used to generate UUID:
python3 -c 'import uuid; print(uuid.uuid4())'

Tests: #5224

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
662f9296 by Weblate at 2021-12-20T17:49:00+03:00
po: update translations

(Czech) currently translated at 5.7% (151 of 2621 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/

po: update translations

(Czech) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 99.3% (615 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Spanish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Korean) currently translated at 13.8% (362 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Spanish) currently translated at 96.9% (600 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Korean) currently translated at 13.3% (349 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 13.0% (341 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 30.7% (190 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

- - - - -
33ab1110 by Alexey Tikhonov at 2021-12-20T16:42:16+01:00
pot: update pot files

- - - - -
d0079cd9 by Weblate at 2021-12-22T13:29:32+03:00
po: update translations

(Korean) currently translated at 13.8% (362 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Japanese) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

- - - - -
1f75fbf8 by Alexey Tikhonov at 2021-12-22T11:38:00+01:00
pot: update pot files

- - - - -
e8e7e23a by Justin Stephenson at 2021-12-22T23:54:19+01:00
util: Split chain ID tevent functions

Commonly used chain ID functions sss_chain_id_get() and
sss_chain_id_set() will be isolated from requiring
tevent when building sources.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6f217eac by Justin Stephenson at 2021-12-22T23:54:19+01:00
RESPONDER: Remove extraneous client ID logging

Prevent duplicate ID logging. ID will be logged in separate commit
with added tevent chain ID support in responders.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9296eaf9 by Justin Stephenson at 2021-12-22T23:54:19+01:00
sbus: Remember outgoing request chain ID

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2b6edf77 by Justin Stephenson at 2021-12-22T23:54:20+01:00
RESPONDER: Support chain ID logging

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
526f7314 by Justin Stephenson at 2021-12-22T23:54:20+01:00
chain_id: Add support for custom debug format

Inform the debug module when a responder process is sending debug
log messages, use the [CID #] tag in responder code and [RID #]
tag in backend/child process code.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cb70739f by Justin Stephenson at 2021-12-22T23:54:20+01:00
krb5_child: Add chain ID logging support

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
60712f31 by Justin Stephenson at 2021-12-22T23:54:20+01:00
gpo: Add chain ID logging support

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c92d39a3 by Justin Stephenson at 2021-12-22T23:54:20+01:00
ipa_selinux: Add chain ID logging support

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
be482ac3 by Justin Stephenson at 2021-12-22T23:54:20+01:00
p11_child: Add chain ID logging support

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
06d3e79c by Justin Stephenson at 2021-12-22T23:54:20+01:00
proxy_child: Add chain ID logging support

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1959a2bb by Justin Stephenson at 2021-12-22T23:54:20+01:00
Analyzer: Parse the responder request ID

This is needed to parse out the responder request ID field properly. Due
to Responder tevent chain ID support, the Request ID is in a
different part of the log message.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0ba456f9 by Justin Stephenson at 2021-12-22T23:54:20+01:00
Analyzer: Add --child argument to 'request show'

The analyzer tool will search for requests (RID# log messages)
in any existing child log files when --child is provided.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7825e0d3 by Justin Stephenson at 2021-12-22T23:54:20+01:00
Analyzer: Search all responder log files

With the tevent chain ID logged into all responder debug messages,
the analyzer can search responders for [CID#X] in 'request show' output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
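The chain ID tags introduced in the commits above (`[CID #]` in responders, `[RID #]` in backends and child helpers) and the analyzer's `request show` lookup, as an added example that is not SSSD's sss_analyze code. The log lines are constructed to have the tagged shape; timestamps, function names and message texts are illustrative, and treating files named `*_child.log` as child logs is this example's own convention.

```python
"""Pull tevent chain ID tags out of SSSD debug logs and show one request.

Added example, not SSSD's sss_analyze tool. Responders tag their messages
[CID#n]; backends and child helpers tag theirs [RID#n]. The log lines below
are constructed to have that shape; timestamps, function names and message
texts are illustrative and not copied from a real system.
"""
from __future__ import annotations
import re
from collections import defaultdict

# (timestamp): [process] [function] (0xlevel): [CID#n|RID#n] message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): "
    r"\[(?P<proc>.+?)\] "        # non-greedy: proc may be be[dom] or krb5_child[pid]
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?:\[(?P<tag>CID|RID)#(?P<id>\d+)\] )?"   # tag is optional: startup lines lack it
    r"(?P<msg>.*)$"
)


def parse_line(line: str) -> dict | None:
    """Split one debug line into its fields, or None if it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["id"] = int(d["id"]) if d["id"] is not None else None
    return d


def index_chains(logs: dict[str, list[str]]) -> dict[tuple[str, int], list[tuple[str, str]]]:
    """Group every tagged line by (tag, id) -> [(file, line), ...]."""
    index: dict[tuple[str, int], list[tuple[str, str]]] = defaultdict(list)
    for fname, lines in logs.items():
        for line in lines:
            d = parse_line(line)
            if d and d["tag"]:
                index[(d["tag"], d["id"])].append((fname, line))
    return dict(index)


def is_child_log(fname: str) -> bool:
    """Child helper logs (krb5_child.log, ldap_child.log, ...); assumed naming."""
    return fname.endswith("_child.log")


def request_show(logs: dict[str, list[str]], tag: str, n: int,
                 child: bool = False) -> list[str]:
    """Lines for one request across responder and backend logs; child helper
    logs are searched only when child=True, like the analyzer's --child."""
    out = []
    for fname, line in index_chains(logs).get((tag, n), []):
        if is_child_log(fname) and not child:
            continue
        out.append(f"{fname}: {line}")
    return out


# Constructed logs: one PAM authentication (CID#5) dispatched to the backend
# (RID#3), which in turn ran krb5_child; plus an unrelated request (CID#6).
LOGS = {
    "sssd_pam.log": [
        "(2022-01-05 12:00:00): [pam] [server_setup] (0x0040): Starting with debug level = 0x0040",
        "(2022-01-05 12:00:01): [pam] [pam_cmd_authenticate] (0x0100): [CID#5] entering pam_cmd_authenticate",
        "(2022-01-05 12:00:01): [pam] [pam_dp_send_req] (0x0100): [CID#5] Sending request with the following data:",
        "(2022-01-05 12:00:02): [pam] [pam_cmd_authenticate] (0x0100): [CID#6] entering pam_cmd_authenticate",
    ],
    "sssd_example.com.log": [
        "(2022-01-05 12:00:01): [be[example.com]] [dp_attach_req] (0x0400): [RID#3] DP Request [PAM Authenticate #3]: New request.",
        "(2022-01-05 12:00:02): [be[example.com]] [dp_req_done] (0x0400): [RID#3] DP Request [PAM Authenticate #3]: Request handler finished [0]: Success",
    ],
    "krb5_child.log": [
        "(2022-01-05 12:00:01): [krb5_child[4242]] [main] (0x0400): [RID#3] krb5_child started.",
        "(2022-01-05 12:00:02): [krb5_child[4242]] [k5c_setup] (0x0400): [RID#3] Not using FAST.",
    ],
}

if __name__ == "__main__":
    for line in request_show(LOGS, "RID", 3, child=True):
        print(line)
```

The regex keeps the process field non-greedy because backend and child processes nest brackets (`[be[example.com]]`, `[krb5_child[4242]]`); a `[^\]]+` pattern there would stop at the first `]` and reject every backend line.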
ca1d7e29 by Stanislav Levin at 2021-12-22T23:54:20+01:00
sss-analyze: Fix self imports

- fixed self imports to allow any other Python stuff to use the `sssd`
  Python package

- transformed `sssd` Python package from namespace to regular one

- moved the executable out to libexec directory to split library and
  actual executable (sss_analyze is not intended to be a standalone tool)

- fixed W0611(unused-import) found by Pylint

Resolves: https://github.com/SSSD/sssd/issues/5842
Signed-off-by: Stanislav Levin <slev at altlinux.org>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9d627081 by Justin Stephenson at 2021-12-22T23:54:20+01:00
Analyzer: Avoid circular import

Addresses the following error:

```
Traceback (most recent call last):
  File "/usr/libexec/sssd/sss_analyze", line 3, in <module>
    from sssd import sss_analyze
  File "/usr/lib/python3/site-packages/sssd/sss_analyze.py", line 3, in <module>
    from sssd.modules import request
  File "/usr/lib/python3/site-packages/sssd/modules/request.py", line 6, in <module>
    from sssd.sss_analyze import SubparsersAction
ImportError: cannot import name 'SubparsersAction' from partially initialized module 'sssd.sss_analyze' (most likely due to a circular import) (/usr/lib/python3/site-packages/sssd/sss_analyze.py)
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1110bd59 by Justin Stephenson at 2021-12-22T23:54:20+01:00
Analyzer: Fail if chain ID support is missing

Some distributions may install the SSSD log analyzer with
an older version of libtevent which does not support tevent chain ID.

Without chain ID support, the analyzer is effectively useless so we
will just fail and return in this condition.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
977d450e by Alexey Tikhonov at 2021-12-23T13:22:24+01:00
pot: update pot files

- - - - -
36ba613a by Alexey Tikhonov at 2021-12-23T13:23:57+01:00
Release sssd-2.6.2

- - - - -
14c5da6f by Dhairya Parmar at 2021-12-27T14:36:36+01:00
localuser changed to user on line 59

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
cf5270a9 by Dhairya Parmar at 2021-12-27T14:36:36+01:00
indentation of ssh.close() on line 66 corrected

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
d5467ad7 by Jakub Vavra at 2021-12-27T14:40:29+01:00
Tests: Update AD ssh password change test.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
17c08573 by Timo Aaltonen at 2022-01-04T10:40:07+02:00
Merge branch 'upstream'

- - - - -
1829eeaf by Timo Aaltonen at 2022-01-04T10:43:01+02:00
bump version

- - - - -
62346811 by Timo Aaltonen at 2022-01-04T10:43:16+02:00
Update signing-key.asc.

- - - - -
d525dc73 by Timo Aaltonen at 2022-01-04T10:58:56+02:00
control: Drop python3-click from sssd-tools depends.

- - - - -
273294cd by Timo Aaltonen at 2022-01-04T10:59:10+02:00
sssd-tools.install: Updated.

- - - - -
3f89b86d by Timo Aaltonen at 2022-01-04T11:05:05+02:00
tests: Drop RANDFILE from tests/util. (Closes: #1001476)

- - - - -
5a2e0ebe by Sumit Bose at 2022-01-04T13:03:37+01:00
ipa: fix reply socket of selinux_child

Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
the reply socket of selinux_child from stdout to stderr while switching
from exec_child to exec_child_ex. This patch returns the original
behavior.

Resolves: https://github.com/SSSD/sssd/issues/5939

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
104f513c by Alexey Tikhonov at 2022-01-05T16:48:39+01:00
IPA: get_object_from_cache(): don't touch output arg `_msg` in case object wasn't found (i.e. ENOENT returned)

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e9a25bb0 by Alexey Tikhonov at 2022-01-05T16:48:39+01:00
IPA: get_object_from_cache(): - reduce log level in case object wasn't found in cache - slightly reduce code duplication

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
28af1752 by Alexey Tikhonov at 2022-01-05T16:49:36+01:00
Removed unused file.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
868f3874 by Alexey Tikhonov at 2022-01-05T17:06:46+01:00
RESPONDER: reduce log level in case the files provider in an inconsistent state falls back to NSS.

`ENOENT` return code of `sss_dp_account_files_params()` means
"can't serve request, but 'falls back to NSS' is enabled".

This (consciously configured) scenario doesn't justify `SSSDBG_OP_FAILURE`
that triggers a backtrace with default logging settings.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e7069c53 by Weblate at 2022-01-05T19:23:14+03:00
po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Japanese) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Finnish) currently translated at 3.5% (93 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (2627 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Korean) currently translated at 14.4% (379 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 14.4% (379 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Finnish) currently translated at 6.1% (38 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Finnish) currently translated at 6.1% (38 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Chinese (Traditional) (zh_TW)) currently translated at 7.9% (49 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_TW/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Ukrainian) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Turkish) currently translated at 15.1% (94 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Turkish) currently translated at 15.1% (94 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Tajik) currently translated at 0.9% (6 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tg/

po: update translations

(Swedish) currently translated at 99.0% (613 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Swedish) currently translated at 99.0% (613 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Russian) currently translated at 99.0% (613 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Russian) currently translated at 99.0% (613 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Russian) currently translated at 99.0% (613 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Portuguese (Brazil)) currently translated at 0.8% (5 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt_BR/

po: update translations

(Portuguese) currently translated at 15.6% (97 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Polish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Polish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Dutch) currently translated at 47.6% (295 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/nl/

po: update translations

(Norwegian Bokmål) currently translated at 2.2% (14 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/nb_NO/

po: update translations

(Japanese) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Japanese) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Japanese) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Italian) currently translated at 19.0% (118 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/

po: update translations

(Italian) currently translated at 19.0% (118 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/

po: update translations

(Indonesian) currently translated at 8.7% (54 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/id/

po: update translations

(Hungarian) currently translated at 7.1% (44 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/hu/

po: update translations

(French) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(French) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(French) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(French) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Basque) currently translated at 6.7% (42 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/eu/

po: update translations

(Spanish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Spanish) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(German) currently translated at 51.5% (319 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/de/

po: update translations

(German) currently translated at 51.5% (319 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/de/

po: update translations

(Czech) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Czech) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Czech) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Catalan) currently translated at 55.7% (345 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ca/

po: update translations

(Bulgarian) currently translated at 15.1% (94 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/bg/

po: update translations

(Ukrainian) currently translated at 100.0% (2627 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

- - - - -
9ba593e9 by Anuj Borah at 2022-01-06T12:38:18+01:00
Tests: Fix python-alltests-tier1-2

Only local users can be configured in `allowed_uids`.
This check is now enforced - see https://github.com/SSSD/sssd/pull/5867

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
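The hardening behind this test fix and the earlier "usertools: force local user for sssd process user" commit, as an added example that is not SSSD's own code: the `user` option and the entries of `allowed_uids` must come from the files service of nsswitch.conf. A lookup through `getpwnam()` walks every NSS source, including SSSD's own remote domains, so a remote account could supply or later change the uid SSSD drops privileges to; reading the passwd file directly cannot be influenced remotely. The passwd content is constructed, and treating numeric `allowed_uids` entries as needing a matching local account is this example's own choice, not something the commits state.

```python
"""Resolve a service account, and the accounts listed in allowed_uids, only
from the local passwd file.

Added example, not SSSD's own code. SSSD 2.6.2 started requiring that the
`user` option and the entries of `allowed_uids` resolve via the files
service of nsswitch.conf; this shows the difference between that and a
plain NSS lookup. Requiring numeric allowed_uids entries to have a local
passwd entry is this example's own assumption.
"""
from __future__ import annotations
import io


class NotLocalUser(ValueError):
    """The name or uid does not exist in the local passwd file."""


def parse_passwd(lines) -> dict[str, tuple[int, int]]:
    """Return {name: (uid, gid)} from passwd(5)-formatted lines, skipping
    comments and malformed lines rather than guessing at them."""
    users: dict[str, tuple[int, int]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid = fields[:4]
        if uid.isdigit() and gid.isdigit():
            users[name] = (int(uid), int(gid))
    return users


def resolve_local_user(name: str, passwd_text: str) -> tuple[int, int]:
    """The hardened lookup: only the passwd file content is consulted."""
    users = parse_passwd(io.StringIO(passwd_text))
    if name not in users:
        raise NotLocalUser(f"{name!r} is not defined in the local passwd file")
    return users[name]


def is_local_user(name: str, passwd_text: str) -> bool:
    return name in parse_passwd(io.StringIO(passwd_text))


def resolve_via_nss(name: str) -> tuple[int, int]:
    """The lookup being avoided: pwd.getpwnam() goes through NSS, and thus
    through SSSD itself, so a remote account with the same name could answer.
    Kept only for contrast; the checks below never call it."""
    import pwd
    entry = pwd.getpwnam(name)
    return entry.pw_uid, entry.pw_gid


def check_allowed_uids(values: list[str], passwd_text: str) -> list[int]:
    """Validate an allowed_uids list (names or numeric uids) against the
    local passwd file and return the uids, refusing anything non-local."""
    users = parse_passwd(io.StringIO(passwd_text))
    local_uids = {uid for uid, _gid in users.values()}
    out = []
    for value in values:
        value = value.strip()
        if value.isdigit():
            uid = int(value)
            if uid not in local_uids:        # assumption: numeric entries must be local too
                raise NotLocalUser(f"uid {uid} has no local passwd entry")
        else:
            uid, _gid = resolve_local_user(value, passwd_text)
        out.append(uid)
    return out


# Constructed passwd content; a domain user such as "jdoe" is deliberately absent.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
# a comment line, tolerated by most readers
sssd:x:990:985:User for sssd:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
broken line without enough fields
"""

if __name__ == "__main__":
    print("sssd ->", resolve_local_user("sssd", SAMPLE_PASSWD))
    print("allowed_uids ->", check_allowed_uids(["sssd", "48", "root"], SAMPLE_PASSWD))
```

On a real host, `getent -s files passwd sssd` performs the same files-only lookup from the shell and is a quick way to confirm that the configured `user` will pass the new check before upgrading.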
58b3233f by Shridhar Gadekar at 2022-01-06T12:38:35+01:00
Tests: Health and Support Analyzer - Add request log parsing utility

Verifies: #5712
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1294670

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4897c287 by Jakub Vavra at 2022-01-06T12:39:12+01:00
Tests: Add a test for BZ2004406

Overriding both user and group names and ids in
an idview for user and group from AD results in error in sssd
when running id command.

Bugzilla:
  https://bugzilla.redhat.com/show_bug.cgi?id=2004406
  https://bugzilla.redhat.com/show_bug.cgi?id=2031729
Verifies: #5790

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
bf6059eb by Sumit Bose at 2022-01-17T12:27:35+01:00
ad: add required 'cn' attribute to subdomain object

If the forest root is not part of the returned trusted domain objects
from the local domain controller, we generate an object for further
processing. During this processing it is expected that the 'cn'
attribute is set and contains the name of the forest root. So far this
attribute was missing and it is now added by this patch.

Resolves: https://github.com/SSSD/sssd/issues/5926

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ca8cef0f by Iker Pedrosa at 2022-01-17T16:28:26+01:00
krb5: AD and IPA don't change Kerberos port

AD and IPA providers use a common fo_server object for LDAP and
Kerberos, which is created with the LDAP data. This means that due to
the changes introduced in
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
the port in use for the Kerberos requests would be the one specified for
LDAP, usually the default one (389).

In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.

:fixes: A critical regression that prevented authentication of users via
AD and IPA providers was fixed. LDAP port was reused for Kerberos
communication and this provider would send incomprehensible information
to this port.

Resolves: https://github.com/SSSD/sssd/issues/5947

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b6929c44 by Anuj Borah at 2022-01-17T16:28:40+01:00
Tests: Fix python-alltests-tier1-2 Add local users

only local users can be configured in `allowed_uids`
This check is now enforced - see https://github.com/SSSD/sssd/pull/5867

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
42a3f8fe by Sumit Bose at 2022-01-19T11:46:16+01:00
man: clarify ldap_idmap_range_max

ldap_idmap_range_max is the first ID which cannot be used for mapping
anymore.

Resolves: https://github.com/SSSD/sssd/issues/5938

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b76436f8 by Justin Stephenson at 2022-01-19T11:50:14+01:00
TESTS: Restrict smartcard in sc auth tests

Smartcard auth related tests can fail when tests are run on a
machine (F34) with a yubikey inserted. Add a p11_uri option to filter
only the softhsm2-used test cards.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e03a2dea by Justin Stephenson at 2022-01-19T11:50:14+01:00
P11: Increase array size of extra_args

Setting the p11_uri for PAM smartcard auth tests leads to some
tests (test_pam_cert_autH) requiring >18 elements as arg_c.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7e926941 by Anuj Borah at 2022-01-20T16:56:03+01:00
Tests: Fix yum repoquery --recommends sssd-tools test

The reason for this patch is the change of sssd-tools's sssd-dbus dependency
from Recommends to Requires included in
https://github.com/SSSD/sssd/commit/5ee8657c38f4849694bcb3f2ce958012f072ace0

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
237b99b8 by Anuj Borah at 2022-01-25T11:10:01+01:00
Tests: Fix setup_ipa_client fixture

Fix setup_ipa_client fixture as it does not use mkhomedir
option while configuring client with IPA server.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
2b0bd0b3 by Tomas Halman at 2022-01-25T11:10:14+01:00
ad: do not write kdc info file for GC lookup

:fixes: When authenticating AD users, backtrace was triggered even
though everything was working correctly. This was caused by a search
in the global catalog. Servers from the global catalog are filtered
out of the list before writing the KDC info file. With this fix,
SSSD does not attempt to write to the KDC info file when performing
a GC lookup.

Resolves: https://github.com/SSSD/sssd/issues/5956

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4e3385c9 by Anuj Borah at 2022-01-25T11:10:27+01:00
Tests: RFE pass KRB5CCNAME to pam_authenticate environment if available

Automation of sudo bug 1917379 in sssd tests

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
244c9f66 by Dan Lavu at 2022-01-25T11:10:46+01:00
Adding pytest multiforest tests

- admultidomain requires a minimum of four servers but will be extended
to five.
- test_multiforest will test authentication from two different forests
- updating test_multidomain with better test logic

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
a8c2e399 by Madhuri Upadhye at 2022-01-25T11:11:03+01:00
Check default debug level of sssd and corresponding logs

It consists of five test cases:
  1. Check default debug level when sssd starts successfully
  2. Check default debug level by successful authentication of the user
  3. Check default level as 0 and 1
  4. Check default level as 2
  5. Check SBUS code should not trigger failure message during modules startup

Verifies:
Issues: #5422
        #5425

Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1893159
      https://bugzilla.redhat.com/show_bug.cgi?id=1915319

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
d3424c02 by Steeve Goveas at 2022-01-25T11:11:03+01:00
prepend 'r' raw to avoid deprecation errors

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
d8f558c2 by Weblate at 2022-01-25T11:34:37+01:00
po: update translations

(Korean) currently translated at 24.5% (641 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 18.6% (488 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
e58b14af by Pavel Březina at 2022-01-25T11:44:04+01:00
pot: update pot files

- - - - -
2de07587 by Pavel Březina at 2022-01-25T11:44:31+01:00
Release sssd-2.6.3

- - - - -
ad8f0d35 by Pavel Březina at 2022-01-26T14:43:54+01:00
BUILD.txt: fix invalid link

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
2054f990 by Alexey Tikhonov at 2022-01-26T14:44:07+01:00
TESTS: fixed use-after-free

`test_ctx->filename` was allocated on the `owner` context that
is freed by this moment.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c2e2036a by Alexey Tikhonov at 2022-01-26T14:44:07+01:00
UTILS: removed unused file helpers

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
23286d27 by Jakub Vavra at 2022-01-28T08:20:11+01:00
Tests: Update/fix AD parameters tests ported from bash

Update ssh password change test to set Min Age policy on AD.
Update ktutil automation in AD params to fix tests using it.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
c0f767c5 by Anuj Borah at 2022-02-01T11:44:15+01:00
Tests: Fix test_pass_krb5cname_to_pam test

Need restart and new sssd connection

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
7f6c2755 by Alexey Tikhonov at 2022-02-01T11:44:49+01:00
debug: suppress backtrace for backend errors

Don't trigger backtrace in responder log in case of backend fail.
(an addition to ca8b655fb676dde48eb72cfa6a520c696ada362c)

Resolves: https://github.com/SSSD/sssd/issues/5968

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
fa47bd1d by Alexey Tikhonov at 2022-02-01T11:45:06+01:00
CACHE_REQ: removed unused code

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
95b17d15 by Shridhar Gadekar at 2022-02-01T11:45:18+01:00
Tests: sssctl analyze capture tevent chain ID logic in logs

sssctl analyze should capture tevent chain ID in the logs,
verifies #5863

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7e41098e by Jakub Vavra at 2022-02-01T11:45:28+01:00
Tests: Add a test for bz1859315 - sssd does not use kerberos port that is set.

Verifies: SSSD-2827, SSSD-4262
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1859315
     https://bugzilla.redhat.com/show_bug.cgi?id=2041560

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
7f4e04ba by Anuj Borah at 2022-02-01T11:45:39+01:00
Tests: Port the old ns_account_lock.sh script to pytest

Port the old ns_account_lock.sh script to pytest

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
fa2d7a49 by Sumit Bose at 2022-02-01T16:41:25+01:00
TEST: fix long line pep8 error

Was introduced by c0f767c5513183048a3abae447881ded505cce47

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
10a14594 by Jakub Vavra at 2022-02-04T14:50:05+01:00
Tests: [SSSD-3579]: Update test_0018_bz1734040 for RHEL 9.

The logging changed in RHEL 9, so a regex update was done.
To trigger the condition it was needed to query for an AD user
instead of root.
Made the mode of failure clearer from the assert.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bd6f6671 by Jakub Vavra at 2022-02-08T15:36:13+01:00
Tests: Use lazy initialization for ad_conn property of AD.

The lazy initialization of ad_conn should prevent failing in setup
in adjoin for tests that are not actively touching AD through ldap
connection. This way we isolate the LDAPS ldap.STRONG_AUTH_REQUIRED
error only to tests/fixtures that are actively using it.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
eb85382c by Jakub Vavra at 2022-02-08T15:36:13+01:00
Tests: Update ADOperations methods to use powershell.

Replace the direct ldap access with powershell in these functions.
Replace dsadd dsrm calls with powershell as well.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
6845db5a by Jakub Vavra at 2022-02-09T13:23:52+01:00
Tests: Add sleep before collecting logs in flaky ad parameters tests.

The tests in TestADParamsPorted:
test_0021_ad_parameters_ssh_change_password_logon
test_0022_ad_parameters_account_disabled
test_0023_ad_parameters_account_expired
collected log immediately after event but when cloud is under load
they were randomly failing as the log was not written yet.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
121576a4 by Iker Pedrosa at 2022-02-10T09:54:48+01:00
util: fix rawhide compilation problem

The signature for krb5_expire_callback_func() changed in
https://github.com/krb5/krb5/commit/aedd1fea8405d857c072fb41f2d38db9df31c70d
but it wasn't updated in sssd. That was causing a compilation issue in
rawhide that this commit fixes. The change only updates the sssd
signature to match the one provided by krb5.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d1ad68fa by Sumit Bose at 2022-02-10T09:56:42+01:00
krb5_child: move FAST TGT request into a function

Make the code more flexible to add another method to get FAST
credentials.

Resolves: https://github.com/SSSD/sssd/issues/5961

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
58ab4137 by Sumit Bose at 2022-02-10T09:56:42+01:00
krb5_child: add fast-use-anonymous-pkinit option

Add anonymous PKINIT as an alternative method to get FAST credentials.

Resolves: https://github.com/SSSD/sssd/issues/5961

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7e839bef by Sumit Bose at 2022-02-10T09:56:42+01:00
krb5: add krb5_fast_use_anonymous_pkinit option

With the new option krb5_fast_use_anonymous_pkinit SSSD can be told to
use anonymous PKINIT to get FAST credential

:relnote: Add support for anonymous PKINIT to get FAST credentials

Resolves: https://github.com/SSSD/sssd/issues/5961

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0eb8564c by Steeve Goveas at 2022-02-10T09:57:25+01:00
Tests: Add tests for poor man's backtrace

Tests are added to check that no duplicate backtrace is generated and it
is generated when
* no debug level is defined / default debug level
* debug level is set to 0 or 1
* no backtrace when debug level is >= 9
* backtrace can be disabled

Verifies: #5585
          https://bugzilla.redhat.com/show_bug.cgi?id=1949149
          https://bugzilla.redhat.com/show_bug.cgi?id=2021196

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
b67caf27 by Samuel Cabrero at 2022-02-10T09:57:40+01:00
Tests: Use group1_dom1-19661 in test_pysss_nss_idmap.py

The group3_dom1-17775 group has a member referencing a user in a
different domain, which will make the test fail in the following
commits.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
941418f4 by Samuel Cabrero at 2022-02-10T09:57:40+01:00
SDAP: Add 'ldap_ignore_unreadable_references' parameter

When resolving a group using the AD provider it may happen that sssd doesn't
have permissions to read the entry referenced in the 'member' attribute,
for example when the entry is located under a restricted LDAP sub-tree
for security reasons.

In this scenario, the sssd behavior is not consistent and depends on the
ldap_deref_threshold parameter, which controls if an attribute scoped
query (ASQ) will be used or if the group members will be searched
individually. If an ASQ operation is issued, the operation will fail
because the referenced entry can't be parsed and this can
lead to missing groups and makes it impossible to use the group in the simple
access provider. On the other hand, when the group members are looked
up individually sssd just ignores the unreadable entry.

This patch adds a new parameter 'ldap_ignore_unreadable_references' to
control if the current operation will fail when an unreadable entry is
found or the entry will be ignored, regardless of whether sssd issued an ASQ or
the members are looked up individually.

The issue can be replicated deploying this AD setup:

    CN=users,DC=aforest,DC=ad
      CN=g1,CN=users,DC=aforest,DC=ad
        member: CN=g2,CN=users,DC=aforest,DC=ad
        member: CN=g3,CN=users,DC=aforest,DC=ad
        member: CN=g4,CN=users,DC=aforest,DC=ad
        member: CN=g5,CN=users,DC=aforest,DC=ad
        member: CN=user1,CN=users,DC=aforest,DC=ad
      CN=g2,CN=users,DC=aforest,DC=ad
        member: CN=g3,CN=users,DC=aforest,DC=ad
        member: CN=g4,CN=users,DC=aforest,DC=ad
        member: CN=g5,CN=users,DC=aforest,DC=ad
        member: CN=user2,CN=users,DC=aforest,DC=ad
        memberOf: CN=g1,CN=users,DC=aforest,DC=ad
      CN=g3,CN=users,DC=aforest,DC=ad               <-- Deny access to sssd account
        member: CN=g4,CN=users,DC=aforest,DC=ad
        member: CN=g5,CN=users,DC=aforest,DC=ad
        member: CN=user3,CN=users,DC=aforest,DC=ad
        memberOf: CN=g2,CN=users,DC=aforest,DC=ad
        memberOf: CN=g1,CN=users,DC=aforest,DC=ad
      CN=g4,CN=users,DC=aforest,DC=ad
        member: CN=g5,CN=users,DC=aforest,DC=ad
        member: CN=user5,CN=users,DC=aforest,DC=ad
        memberOf: CN=g3,CN=users,DC=aforest,DC=ad
        memberOf: CN=g2,CN=users,DC=aforest,DC=ad
        memberOf: CN=g1,CN=users,DC=aforest,DC=ad
      CN=g5,CN=users,DC=aforest,DC=ad
        member: CN=user5,CN=users,DC=aforest,DC=ad
        memberOf: CN=g4,CN=users,DC=aforest,DC=ad
        memberOf: CN=g3,CN=users,DC=aforest,DC=ad
        memberOf: CN=g2,CN=users,DC=aforest,DC=ad
        memberOf: CN=g1,CN=users,DC=aforest,DC=ad
      CN=user1,CN=users,DC=aforest,DC=ad
        memberOf: CN=g1,CN=users,DC=aforest,DC=ad
      CN=user2,CN=users,DC=aforest,DC=ad
        memberOf: CN=g2,CN=users,DC=aforest,DC=ad
      CN=user3,CN=users,DC=aforest,DC=ad
        memberOf: CN=g3,CN=users,DC=aforest,DC=ad
      CN=user4,CN=users,DC=aforest,DC=ad
        memberOf: CN=g4,CN=users,DC=aforest,DC=ad
      CN=user5,CN=users,DC=aforest,DC=ad
        memberOf: CN=g5,CN=users,DC=aforest,DC=ad

And using this sssd.conf
-------------------------------------------------------------------------------
[sssd]
    config_file_version = 2
    services = nss, pam
    domains = aforest.ad

[nss]

[pam]

[domain/aforest.ad]
    auth_provider = ad
    id_provider = ad
    access_provider = simple
    simple_allow_groups = g1
    ldap_deref_threshold = 1
    debug_level = 10
-------------------------------------------------------------------------------

In this setup sssd can't resolve group 'g1' because it fails parsing one
of the referenced members, 'g3':

    $> getent group g1
    No output.

    $> id user5
    uid=1862001108(user5) gid=1862000513(domain users) groups=1862000513(domain users),1862001111,18620011

When the group is used to filter access it does not work:

    ...
    [simple_access_check_send] (0x0200): [RID#7] Simple access check for user1 at aforest.ad
    ...
    [simple_check_get_groups_send] (0x0400): [RID#7] Need to resolve 3 groups
    [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectSID=S-1-5-21-3230
    ...
    [sdap_nested_group_hash_insert] (0x4000): [RID#8] Inserting [CN=g1,CN=Users,DC=aforest,DC=ad] into has
    [sdap_nested_group_process_send] (0x2000): [RID#8] About to process group [CN=g1,CN=Users,DC=aforest,D
    ...
    [sdap_nested_group_process_send] (0x0400): [RID#8] More members were missing than the deref threshold
    [sdap_nested_group_process_send] (0x2000): [RID#8] Looking up 2/5 members of group [CN=g1,CN=Users,DC=
    [sdap_nested_group_process_send] (0x2000): [RID#8] Dereferencing members of group [CN=g1,CN=Users,DC=a
    [sdap_deref_search_send] (0x2000): [RID#8] Server supports ASQ
    [sdap_asq_search_send] (0x0400): [RID#8] Dereferencing entry [CN=g1,CN=Users,DC=aforest,DC=ad] using A
    ...
    [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [no filter][CN=g1,CN=Users,
    ...
    [sdap_process_message] (0x4000): [RID#8] Message type: [LDAP_RES_SEARCH_ENTRY]
    [sdap_asq_search_parse_entry] (0x0040): [RID#8] Unknown entry type, no objectClass found for DN [CN=g3
    [sdap_get_generic_op_finished] (0x0020): [RID#8] reply parsing callback failed.
    [sdap_op_destructor] (0x1000): [RID#8] Abandoning operation 3
    [generic_ext_search_handler] (0x0020): [RID#8] sdap_get_generic_ext_recv request failed: [22]: Invalid
    [sdap_deref_search_done] (0x0040): [RID#8] dereference processing failed [22]: Invalid argument
    [sdap_nested_group_deref_direct_done] (0x0020): [RID#8] Error processing direct membership [22]: Inval
    [sdap_nested_done] (0x0020): [RID#8] Nested group processing failed: [22][Invalid argument]
    ...
    [simple_resolve_group_done] (0x0080): [RID#8] Cannot refresh data from DP: 3,0: Group lookup failed
    ...
    [simple_check_get_groups_next] (0x2000): [RID#9] All groups resolved. Done.
    [simple_access_check_done] (0x0040): [RID#9] Could not collect groups of user user1 at aforest.ad
    [simple_access_check_done] (0x0400): [RID#9] But no deny groups were defined so we can continue.
    [simple_check_groups] (0x4000): [RID#9] Checking against allow list group name [g1 at aforest.ad].
    [simple_access_check_done] (0x2000): [RID#9] Group check done
    [simple_access_check_recv] (0x1000): [RID#9] Access not granted
    ...

Resolves: https://github.com/SSSD/sssd/issues/4893

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
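The failure described in commit 941418f4 above, simulated as an added example (not SSSD's own code): a constructed in-memory directory mirroring the commit's AD layout, the ASQ versus individual-lookup choice driven by ldap_deref_threshold, and the ldap_ignore_unreadable_references switch applied consistently to both lookup paths, as the commit describes. All functions, the GroupLookupFailed exception and the sample data are constructed for illustration.

```python
"""Simulate SSSD nested-group resolution when one member entry is unreadable.

Added example, not SSSD code. The directory data is constructed to match
the 'member' attributes listed in commit 941418f4; g3 is the entry the
sssd service account is denied access to.
"""

BASE = "CN=users,DC=aforest,DC=ad"


def dn(cn):
    return f"CN={cn},{BASE}"


# Constructed directory: 'member' attributes as listed in the commit message.
DIRECTORY = {
    dn("g1"): {"objectClass": ["group"],
               "member": [dn("g2"), dn("g3"), dn("g4"), dn("g5"), dn("user1")]},
    dn("g2"): {"objectClass": ["group"],
               "member": [dn("g3"), dn("g4"), dn("g5"), dn("user2")]},
    dn("g3"): {"objectClass": ["group"],
               "member": [dn("g4"), dn("g5"), dn("user3")]},
    dn("g4"): {"objectClass": ["group"], "member": [dn("g5"), dn("user5")]},
    dn("g5"): {"objectClass": ["group"], "member": [dn("user5")]},
    dn("user1"): {"objectClass": ["user"]},
    dn("user2"): {"objectClass": ["user"]},
    dn("user3"): {"objectClass": ["user"]},
    dn("user4"): {"objectClass": ["user"]},
    dn("user5"): {"objectClass": ["user"]},
}

# Entries the sssd account cannot read (ACL denied), as in the commit.
UNREADABLE = {dn("g3")}


class GroupLookupFailed(Exception):
    """Stands in for the [22] 'Invalid argument' failure seen in the log."""


def ldap_read(entry_dn):
    """Read one entry as the sssd account sees it. An ACL-denied entry comes
    back with no attributes, hence no objectClass, which is what
    sdap_asq_search_parse_entry complains about in the commit's log."""
    if entry_dn in UNREADABLE:
        return {}
    return DIRECTORY[entry_dn]


def asq_deref(group_dn):
    """Attribute-scoped query: one search returning every member entry."""
    return [(m, ldap_read(m)) for m in DIRECTORY[group_dn]["member"]]


def resolve_group(group_dn, deref_threshold, ignore_unreadable_references,
                  cache=None, log=None):
    """Return the set of user DNs nested under group_dn.

    Raises GroupLookupFailed on an unreadable member unless
    ignore_unreadable_references is set; the outcome is the same whichever
    lookup strategy the deref threshold selects.
    """
    cache = {} if cache is None else cache
    log = [] if log is None else log
    members = DIRECTORY[group_dn]["member"]
    missing = [m for m in members if m not in cache]
    if len(missing) > deref_threshold:
        log.append(f"deref: ASQ for {group_dn}")
        fetched = asq_deref(group_dn)
    else:
        log.append(f"individual lookup of {len(missing)} members of {group_dn}")
        fetched = [(m, ldap_read(m)) for m in missing]
    for member_dn, entry in fetched:
        if "objectClass" not in entry:
            if not ignore_unreadable_references:
                raise GroupLookupFailed(f"no objectClass found for {member_dn}")
            log.append(f"ignoring unreadable entry {member_dn}")
            continue
        cache[member_dn] = entry
    users = set()
    for member_dn in members:
        entry = cache.get(member_dn)
        if entry is None:  # unreadable entry that was skipped
            continue
        if "group" in entry["objectClass"]:
            users |= resolve_group(member_dn, deref_threshold,
                                   ignore_unreadable_references, cache, log)
        else:
            users.add(member_dn)
    return users


def simple_access_check(user_dn, allow_groups, deref_threshold,
                        ignore_unreadable_references):
    """Mimic the simple access provider: access is granted only if the user
    is found in an allow group; an allow group that fails to resolve grants
    nothing, which is the 'Access not granted' outcome in the commit's log."""
    for group in allow_groups:
        try:
            members = resolve_group(dn(group), deref_threshold,
                                    ignore_unreadable_references)
        except GroupLookupFailed:
            continue
        if user_dn in members:
            return True
    return False
```

With ignore_unreadable_references enabled, g1 resolves but user3 (only reachable through the unreadable g3) is silently absent, which is the trade-off an administrator accepts when turning the option on.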
5c7fb41f by Samuel Cabrero at 2022-02-10T09:57:40+01:00
SDAP: Honor ldap_ignore_unreadable_references parameter

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
57d6af2f by Samuel Cabrero at 2022-02-10T09:57:40+01:00
Tests: Add a test for the ldap_ignore_unreadable_references parameter

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bf9deea1 by Anuj Borah at 2022-02-10T11:35:49+01:00
Tests: Add 389-ds package to client machine

We need dsidm in client machine

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
30b1ea0b by Timo Aaltonen at 2022-02-10T18:37:09+02:00
Merge branch 'upstream'

- - - - -
2fba130a by Timo Aaltonen at 2022-02-10T18:37:57+02:00
version bump

- - - - -
d54c50a0 by Timo Aaltonen at 2022-02-11T09:36:10+02:00
releasing package sssd version 2.6.3-1

- - - - -
ef86c7e6 by Timo Aaltonen at 2022-02-11T15:02:38+02:00
rules: Disable lto.

- - - - -
00940cd1 by Tomas Halman at 2022-02-15T17:20:06+01:00
systemtap: Hard-coded path instead of @libdir@

There were hard-coded paths in the sssd.stp.in file. The probes did not
work on other platforms or if SSSD was compiled with a different prefix
like /usr/local.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c41cc16c by Justin Stephenson at 2022-02-15T17:20:27+01:00
CI: Remove unused travis CI related files

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3935e89c by Tomas Halman at 2022-02-15T17:20:54+01:00
ci: discard old builds

Until now builds were kept forever or until manual removal. That
caused an issue with running out of space occasionally.

With this change all builds older than 30 days are discarded.
The second limit removes oldest builds to keep the history
up to 70 builds.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
775150b5 by Sumit Bose at 2022-02-15T17:22:09+01:00
debug: add new debug level SSSDBG_PERF_STAT

SSSDBG_PERF_STAT should be used for statistical or performance data, e.g.
time needed for a request.

:relnote: A new debug level is added to show statistical and performance
data. Currently the duration of a backend request and of single LDAP
operations are recorded if debug_level is set to 9 or the bit 0x20000 is
set.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2fb5cbfa by Sumit Bose at 2022-02-15T17:22:09+01:00
util: add time measurement helpers

Two new calls get_start_time() and get_spend_time_us() are added to make
it easy to calculate time differences in micro-seconds (us).

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3b795530 by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: record time needed for a sdap operation

The start time of an sdap operation is stored to calculate the spent
time when the operation finishes. This spent time is an upper limit for
the time the underlying LDAP operation took. The actual time of the LDAP
operation might be shorter. This might happen if many sdap operations
are running in parallel and the given operation has to wait for
processing due to the asynchronous handling of the operations.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3063a73c by Sumit Bose at 2022-02-15T17:22:09+01:00
dp: adding log message with spent time

The time a backend request needs from start to finish is recorded in the
logs.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
23e64bee by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: split out function to get the server IP as string

Currently the IP address of the current LDAP server is only available in
a log message. The new call sdap_get_server_ip_str() makes it available
for other purposes as well.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5dc34b75 by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap_op: add strings member for extra statistical information

Besides the LDAP message id other information might be helpful when
collecting statistics about LDAP operations.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a9b4ae62 by Sumit Bose at 2022-02-15T17:22:09+01:00
ldap: add info string for statistics

Add the server IP address and other information about the current LDAP
request to the timing statistics.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e2082c03 by Sumit Bose at 2022-02-15T17:22:09+01:00
ipa: add info string for statistics

Add the server IPA address and other information about the current
extdom LDAP extended operation to the timing statistics.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b3646c66 by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: warn if request needs 80% of timeout

To easily identify LDAP requests which are running longer than expected all
requests needing 80% of their timeout are recorded with log level
SSSDBG_IMPORTANT_INFO.

The threshold of 80% is currently hard-coded.

Please note that due to the asynchronous processing in the backend some
requests might be logged with a long execution time not because they
need the recorded time but because their processing is delayed by
another request which was processed before.

:relnote: A warning is added in the logs if an LDAP operation needs more
than 80% of the configured timeout.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
15f66efc by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: make struct sdap_op private

Only the msgid member of struct sdap_op is used for debugging messages
in some other places of the code.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5494f7ff by Sumit Bose at 2022-02-15T17:22:09+01:00
sdap: add sdap_get_server_ip_str_safe()

This new call is similar to sdap_get_server_ip_str() but will never
return NULL so that the caller can always expect a string.
sdap_get_server_ip_str() is replaced with the new call where needed.

Resolves: https://github.com/SSSD/sssd/issues/5967

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
27e2a0f4 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
CI: enable CodeQL analysis

Enable the CodeQL analysis on the master branch for push, pull-request
and nightly.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bcfb1cb1 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
CI: split dependencies for Ubuntu

python-ldap, python-ldb and python-requests have been renamed in Ubuntu
to python3-*, thus the dependencies need to be split.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d53bb2be by Iker Pedrosa at 2022-02-17T11:04:28+01:00
sbus: Multiplication result converted to larger type

A multiplication result that is converted to a larger type can be a sign
that the result can overflow the type converted from. Using a cast to
the target type (size_t) to avoid overflow.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
923c94b4 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Duplicate include guard

Using the same include guard macro in more than one header file may
cause unexpected behavior from the compiler. Rename the macros to avoid
the problem.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5ea0c927 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Array offset used before range check

Accessing an array offset before checking the range means that the
program may attempt to read beyond the end of a buffer. Reverse order of
conditions to avoid the problem.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
94976819 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Potentially uninitialized local variable

Reading from a local variable that has not been assigned to will
typically yield garbage. Fix by assigning a value when defining the
variable.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c30356d0 by Iker Pedrosa at 2022-02-17T11:04:28+01:00
Inconsistent nullness check

The result value of a function is often checked for nullness, but not
always. Since the value is mostly checked, it is likely that the
function can return null values in some cases, and omitting the check
could crash the program. To avoid it check the return value in all
cases.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6df69052 by Pavel Březina at 2022-02-17T13:13:59+01:00
ci: move languages parameter to codeql init

codeql analyze does not have this parameter:

```
Warning: Unexpected input(s) 'languages', valid inputs are ['check_name', 'output', 'upload', 'cleanup-level', 'ram', 'add-snippets', 'skip-queries', 'threads', 'checkout_path', 'ref', 'sha', 'category', 'upload-database', 'wait-for-processing', 'token', 'matrix']
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f36deb3e by Iker Pedrosa at 2022-02-17T13:14:49+01:00
tests: Remove unused format_interactive_conf()

CodeQL was reporting "Wrong number of arguments in a call" for an unused
function.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dd5f2338 by Iker Pedrosa at 2022-02-17T13:14:49+01:00
tests: Remove unused gethostbyaddr_r()

CodeQL was reporting "Potentially uninitialized local variable" in an
unused function.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2ec51872 by Jakub Vavra at 2022-02-21T12:25:45+01:00
Tests: Update KeytabRotation tests in AD tier 2

Remove class fixture clear_sssd_cache from TestHostKeytabRotation.
In the case that the environment is not tainted the tests fail to
restart sssd in setup because it is not configured yet resulting in ERROR.
Clearing cache and restart of sssd added in keytab_sssd_conf fixture,
where it is actually needed.
Added extra debug information when sssd fails to start.
The test Testsmbsecretrotation::test_0001_rotation needs to restart
sssd so the changed configuration is properly applied.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
5f944543 by Alexey Tikhonov at 2022-02-22T12:10:39+01:00
SIMPLE: reduce severity level of debug message in case primary group is missing in the domain cache

Since this is not treated as an error, this shouldn't trigger
a backtrace as well.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5cdb7e2c by Alexey Tikhonov at 2022-02-22T12:10:51+01:00
Test: fix wrong messages

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
25faf983 by Alexey Tikhonov at 2022-02-22T12:10:51+01:00
AD/IPA: ignore 'ldap_default_authtok_type' conf setting

AD/IPA providers can't use simple bind, but this option
can be set in case AD/IPA and LDAP provider types are mixed
in the same domain, causing issues during `sdap_cli_auth_step()`

Resolves: https://github.com/SSSD/sssd/issues/5998

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d082681a by Dhairya Parmar at 2022-02-22T12:11:05+01:00
TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

Explanation
- In SSSD the default value for ssh_hash_known_hosts is set to true.
  It should be changed to false for consistency with the OpenSSH
  setting that does not hash host names by default

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5848
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
616e69f6 by Justin Stephenson at 2022-02-22T12:11:17+01:00
make_srpm: Add option to specify package version

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
21a91ce2 by Justin Stephenson at 2022-02-22T12:11:17+01:00
CI: Add internal covscan workflow to Jenkins

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b2154298 by Pavel Březina at 2022-02-23T12:23:54+01:00
ci: build pull requests in copr

A new copr project will be created for each pull request under the sssd
group. The project will be automatically deleted after 60 days or after
the pull request is closed.

The workflow works like this:
- build tarball and spec file (rvn is sssd-pr#prid-#runid)
- build srpm
- upload srpm as an artifact to the job
- create copr project @sssd/pr#prid if it does not exist
- cancel previous pending/running builds if there are any
- build package in centos-* and fedora-*

One job is created for each chroot.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0d7ae85f by Pavel Březina at 2022-02-24T10:23:57+01:00
sifp: fix coverity issue

```
Error: GCC_ANALYZER_WARNING (CWE-457):
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c: scope_hint: In function 'sss_sifp_parse_dict'
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c:233:18: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value 'table_key.<U7260>.str'
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c:461:5: note: in expansion of macro 'check_dbus_arg'
sssd-pr5762_14/src/lib/sifp/sss_sifp_parser.c:147:5: note: in expansion of macro 'check_dbus_arg'
  231|
  232|   done:
  233|->     if (table_key.str != NULL) {
  234|           _free(ctx, table_key.str);
  235|       }
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
90ad1ea4 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
tests: Unreachable code

src/tests/multihost/alltests/conftest.py: correct indentation.
src/tests/multihost/basic/test_sudo.py: remove the unreachable code.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9bd821b6 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
Comparison result is always the same

Remove the condition and clean the code.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b9783436 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
ad: Empty branch of conditional

Remove condition.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
36920a04 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
Commented-out code

Remove the unused code.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f04ca9b2 by Iker Pedrosa at 2022-03-01T12:10:34+01:00
Implicit string concatenation in a list

Make clear the strings that need to be concatenated.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0a9c00c3 by Justin Stephenson at 2022-03-01T12:10:50+01:00
Add external covscan workflow

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
81936d43 by Jakub Vavra at 2022-03-02T13:49:59+01:00
Tests: Reduce sleeps before collecting logs in AD parameters tests.

Partially undo https://github.com/SSSD/sssd/pull/5985 where
sleep was added by a mistake to test 0021.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
63ab01f3 by Jakub Vavra at 2022-03-02T13:52:17+01:00
Tests: Port ad-schema test suite from bash.

Reviewed-by: Kaushik Banerjee <kbanerje at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
961e320d by Justin Stephenson at 2022-03-07T13:13:27+01:00
CI: Update apt cache

Debian based distro CI workflows may error when apt cache is not
up-to-date. For example in GitHub Actions:

Fetched 46.1 MB in 13s (3596 kB/s)
E: Failed to fetch
http://azure.archive.ubuntu.com/ubuntu/pool/main/g/glibc/libc6-dbg_2.31-0ubuntu9.2_amd64.deb
404  Not Found [IP: 40.81.13.82 80]
E: Unable to fetch some archives, maybe run apt-get update or try with
--fix-missing?

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f1573e51 by Alexey Tikhonov at 2022-03-07T13:13:38+01:00
UTILS: reduce debug level in case well_known_sid_to_name() fails

It's up to the function's caller to decide on the severity of a helper failure.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
439b9fc6 by Iker Pedrosa at 2022-03-09T10:59:58+01:00
CI: change pycodestyle max line length

Change the maximum length from 79 to 119 characters.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
91e8c4fb by Jean-Baptiste Denis at 2022-03-10T13:53:25+01:00
Increase listen backlog

The previous value (10) could introduce delays in responder answers in some highly used environments.

See https://github.com/SSSD/sssd/issues/6035 for test and details.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bab44e92 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix missing name (F821)

Define the missing name: missing import, missing variable declaration,
self instance variable...

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
94e5466e by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix indentation(E12*) and whitespace(E20*)

Fix indentation and remove whitespaces.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b3244e39 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix missing whitespace after ',' (E231)

Add whitespace.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e81f8991 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: fix unexpected spaces around '/' (E251)

Remove whitespace.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5be30ac0 by Iker Pedrosa at 2022-03-10T13:53:38+01:00
Tests: remove 12 years old TODOs

These TODOs were being reported by flake8 for several reasons.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6bbfd1b6 by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix ambiguous variable (E741)

Fix the ambiguous variable name reported by flake8 by renaming it.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
58605202 by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix shadowed variable (F402)

Fix the shadowed variable reported by flake8 by renaming it.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
fe46bd3b by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix f-strings usage (F541)

Fix the f-strings misuse reported by flake8.

An f-string is a new and improved way of formatting strings in Python. It
is commonly used to concatenate strings. The code that I have changed
was either not concatenating a string so a simple string would have
been enough, or concatenating f-strings in the old way.

For more information check https://realpython.com/python-f-strings/

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
56b37520 by Iker Pedrosa at 2022-03-10T13:53:50+01:00
Tests: fix comparison symbols (F632)

Fix the comparison symbols misuse reported by flake8 by using "==" or
"!=" to compare str, bytes, int, float and tuple.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
899a7df9 by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix indentation issues (E111 and E117)

Fix indentation issues reported by flake8.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
294debcd by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix end semicolon (E703)

Fix the end semicolon reported by flake8 by removing it.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0534fd3e by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix incorrect comparison with "==" (E711)

Fix the incorrect usage of "==" reported by flake8 by changing the
comparison to "None" using the "is" keyword instead of "==".

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
089123bd by Iker Pedrosa at 2022-03-10T13:54:03+01:00
Tests: fix bare 'except' (E722)

Fix the bare 'except' reported by flake8 by specifying the exception
handler.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
556f42e1 by Anuj Borah at 2022-03-10T13:54:15+01:00
Tests: Regressions 8.5 - alltests-tier3

1. Add new marker tier1_3
2. Fix test_krb_ldap_connection.py test script
3. Add a new test script test_krb_ldap_connection_gssapi.py with
   setup_sssd_gssapi fixture

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
5cf46fc8 by Alejandro López at 2022-03-10T13:56:32+01:00
COMMIT TEMPLATE: Fixed two typos

Twice the word "desription" was written instead of "description."

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1b24149e by Steeve Goveas at 2022-03-11T12:17:36+01:00
TEST: Enable files domain, fix flake8 issues, improve test code

Steps to reproduce need the files domain to be enabled for rhel 9.
Updated variable names for easy readability, changed %-formatting to f
strings, deleted unused variables and instead updated raiseonerr to
'True' where cmd is expected to pass and added assert to verify expected
exit code where raiseonerr is 'False', made use of 'userlist' variable
and updated steps and expectedresults in docstring.

Verifies
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1824323

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
d377d1da by Iker Pedrosa at 2022-03-11T18:14:14+01:00
Tests: fix continuation line under-indented (E128)

Commit 1b24149eeb0489b8a2d35629ff41c085dbf2c538 introduced a linter
issue that makes all CI runs fail. Fix it by adding an additional
whitespace.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2f742fc9 by Iker Pedrosa at 2022-03-14T14:20:38+01:00
Tests: fix star imports (F403 and F405)

Fix the star imports detected by flake8 by changing to the proper name.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
634c91b0 by Iker Pedrosa at 2022-03-14T14:20:38+01:00
Tests: fix imported but unused modules (F401)

Fix the unused modules detected by flake8 by removing them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
8cdfd3d2 by Iker Pedrosa at 2022-03-14T14:21:04+01:00
Tests: fix blank lines (E302 and E303)

Fix the blank line issues detected by flake8 by adding or removing
them depending on the case.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4f303da4 by Iker Pedrosa at 2022-03-14T14:21:04+01:00
Tests: fix blank line at end of file (W391)

Fix the blank line at the end of file detected by flake8 by removing it.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
838669d9 by Iker Pedrosa at 2022-03-14T14:21:04+01:00
Tests: fix line too long (E501)

Fix the too long lines detected by flake8 by moving the content to a new
line.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
3f8493f9 by Iker Pedrosa at 2022-03-14T14:36:35+01:00
Tests: fix missing name (F821)

Fix the missing name (missing import, missing variable declaration, self
instance variable...) detected by flake8 by defining it.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c71d83b8 by Iker Pedrosa at 2022-03-14T14:36:35+01:00
Tests: fix missing whitespace after ',' (E231)

Fix the missing whitespace after ',' detected by flake8 by adding it.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b8f4c171 by Iker Pedrosa at 2022-03-14T14:36:35+01:00
Tests: block comment should start with '# ' (E265)

Fix the block comment start issue detected by flake8 by adding the
space.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b963aa3c by Alexey Tikhonov at 2022-03-16T11:22:13+01:00
SDAP: sdap_nested_group_hash_insert(): don't create key copy - hash_enter() takes care of this.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
709e9cc9 by Pavel Březina at 2022-03-16T11:22:26+01:00
authtok: add SSS_AUTHTOK_TYPE_OAUTH2

Add a new authentication token type: SSS_AUTHTOK_TYPE_OAUTH2.
It will be used later to enable OAuth2 authentication via Kerberos.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
292bde66 by Pavel Březina at 2022-03-16T11:22:26+01:00
pam: add new SSS_CHILD_KEEP_ALIVE pam item

This pam item indicates that the child process performing authentication
is kept alive and should be used to further continue with the
authentication instead of creating a new child process.

This patch only adds the pam item and forwards it back and forth between
pam_sss and the backend. It will be used in following commits.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7d688556 by Pavel Březina at 2022-03-16T11:22:26+01:00
pam: add new SSS_PAM_OAUTH2_INFO pam item

This item will hold the OAuth2 authentication url and pin. It will be used
in one of the next patches to allow OAuth2 authentication via Kerberos.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8ca8fcf0 by Pavel Březina at 2022-03-16T11:22:26+01:00
conf: add libjansson dependency

Currently required for KRB5 IdP plugins.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
67314942 by Pavel Březina at 2022-03-16T11:22:26+01:00
make: define RUNDIR

Required for KRB5 IdP plugins.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
68a8a2d7 by Pavel Březina at 2022-03-16T11:22:26+01:00
krb5: add idp preauth plugins

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3a2add67 by Pavel Březina at 2022-03-16T11:22:26+01:00
krb5: support to exchange multiple messages with the same child

Previously, we expected the krb5_child to exit immediately after
receiving a response. However, now we need to exchange multiple
messages in order to maintain internal Kerberos state.

This patch adds a hash table that stores file descriptors for each child
(pid:child_io_fds). The file descriptors are closed when the child exits
but are kept open until then.

If pam_data->child_pid is not 0 we look up the file descriptors in the
hash table and use them to continue the authentication process instead
of creating a new child.

If the pid is zero, we create a new child and store new file descriptors
in the table.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5f9e5c2e by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: terminate child if it fails to setup

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
689bb4f8 by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: exchange messages with krb5_child with exact length

This is needed so we don't rely on a received EOF when reading from
a pipe, so we can exchange multiple messages. Now the protocol
contains a uint32_t header that contains the length of the rest of
the message.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
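The framing described in the two commits above (a length header so that a parent and a long-lived child can exchange several messages over one pipe without waiting for EOF) is easy to get subtly wrong: partial reads and writes must be looped over, and the announced length must be validated before any allocation. The following is an added example written for this page, not code from SSSD; the function names, the `MAX_MSG_LEN` cap and the sample messages are all constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Upper bound on one message body: a corrupt header must never make the
 * reader allocate an arbitrary amount of memory. Constructed value for this
 * example, not a limit taken from SSSD. */
#define MAX_MSG_LEN (64u * 1024u)

/* write(2) until every byte is out, retrying on partial writes and EINTR. */
static int write_all(int fd, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* read(2) until exactly len bytes have arrived. EOF before that is an error:
 * a frame is delimited by its header, not by the peer closing the pipe. */
static int read_all(int fd, void *buf, size_t len)
{
    uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Send one frame: a uint32_t body length followed by the body. Native byte
 * order is fine because both ends are processes on the same host. */
int send_msg(int fd, const void *body, uint32_t len)
{
    if (len > MAX_MSG_LEN) return -1;
    if (write_all(fd, &len, sizeof(len)) != 0) return -1;
    return write_all(fd, body, len);
}

/* Receive one frame into a new buffer (caller frees *body). The announced
 * length is validated before anything is allocated or read. */
int recv_msg(int fd, uint8_t **body, uint32_t *len)
{
    uint32_t hdr;
    uint8_t *buf;

    if (read_all(fd, &hdr, sizeof(hdr)) != 0) return -1;
    if (hdr > MAX_MSG_LEN) return -1;
    buf = malloc(hdr > 0 ? hdr : 1);
    if (buf == NULL) return -1;
    if (read_all(fd, buf, hdr) != 0) { free(buf); return -1; }
    *body = buf;
    *len = hdr;
    return 0;
}

/* Demo: two frames through one pipe, read back while the writer is still
 * open, so no EOF is involved. Returns how many frames came back intact. */
int framing_roundtrip_demo(void)
{
    int p[2], good = 0;
    const char *msgs[2] = { "first request", "second request, same child" };

    if (pipe(p) != 0) return -1;
    for (int i = 0; i < 2; i++) {
        if (send_msg(p[1], msgs[i], (uint32_t)strlen(msgs[i])) != 0) return -1;
    }
    for (int i = 0; i < 2; i++) {
        uint8_t *body = NULL;
        uint32_t n = 0;
        if (recv_msg(p[0], &body, &n) != 0) break;
        if (n == strlen(msgs[i]) && memcmp(body, msgs[i], n) == 0) good++;
        free(body);
    }
    close(p[0]);
    close(p[1]);
    return good;
}

/* Demo: a header announcing 4 GiB is rejected before any body is read. */
int framing_oversized_demo(void)
{
    int p[2], rc;
    uint32_t bogus = UINT32_MAX;
    uint8_t *body = NULL;
    uint32_t n = 0;

    if (pipe(p) != 0) return -1;
    (void)write_all(p[1], &bogus, sizeof(bogus));
    rc = recv_msg(p[0], &body, &n);   /* -1: rejected, nothing allocated */
    close(p[0]);
    close(p[1]);
    return rc;
}
```

The second demo is the check a reviewer would ask for: because the child is now a long-lived process that the parent keeps talking to, a bad or truncated header must fail fast instead of leaving the parent blocked in `read()` or allocating whatever size the header claims.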

- - - - -
dcd7133e by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: add support for idp:oauth2 responder question

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8cba6b4b by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: fix memory hierarchy in krb5_child unpack_buffer()

Fields that belong to krb5_req were attached to pam_data which caused
unexpected troubles when kr->pd gets freed and swapped with new one.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
95495e7b by Pavel Březina at 2022-03-16T11:22:27+01:00
krb5: add keep alive timeout for krb5_child

This timeout will kill the child after a longer time in order to
allow interactive communication with the user.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
918d493c by Pavel Březina at 2022-03-16T11:22:27+01:00
pam: add oauth2 url+pin prompt

Add a new prompt for oauth2 authentication. The user is prompted with
url and pin. He/she must visit the url, provide the pin and
authenticate. Then just press enter to continue the authentication.

The RADIUS server will then ask the identity provider if the
authentication was successful and then reply back.

The answer is set to the same pin, just to provide some verification
mechanism and because Kerberos requires non-empty token.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9c5632df by Sumit Bose at 2022-03-17T11:54:58+01:00
nss: add sss_nss_getorigbyusername and sss_nss_getorigbygroupname

Since the user and group namespaces are independent in POSIX/Linux it is
important to be able to indicate if a user or a group is searched by name.
Currently the sss_nss_getorigbyname() call does not allow this and this
patch adds two new calls to fix this.

Resolves: https://github.com/SSSD/sssd/issues/6042

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d241b552 by Alexey Tikhonov at 2022-03-17T11:55:18+01:00
GPO: ignore non-ascii symbols in values in GPT.INI

Windows uses ANSI (extended-ASCII) to encode the GPT.INI file.
See https://lists.samba.org/archive/cifs-protocol/2019-March/003228.html
for details.

There is no trivial way to figure out the actual code page used. But from
a practical point of view, it seems the only key whose value might be
non-ascii is "DisplayName", and SSSD doesn't use it anyway.

This patch replaces non-ascii symbols in values of GPT.INI with '?'
character to make content compatible with libini_config parser.

Resolves: https://github.com/SSSD/sssd/issues/4138

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
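The sanitizing step described above (replace non-ASCII bytes in GPT.INI values so a strict INI parser accepts the file) as an added example written for this page; this is not SSSD's implementation, and the function name and the sample GPT.INI text are constructed. It deliberately touches only the value part of `key=value` lines, leaving section headers and keys untouched, which is the scope the commit message describes.

```c
#include <stddef.h>
#include <string.h>

/* Copy INI text from `in` to `out` (out_sz bytes), replacing every non-ASCII
 * byte inside a value (the part of a key=value line after the first '=')
 * with '?'. Section headers and keys are copied unchanged. Windows ANSI code
 * pages are single-byte, so one non-ASCII character becomes exactly one '?';
 * a double-byte code page would yield "??" per character, which is still
 * harmless for a value SSSD does not consume. Returns the number of bytes
 * replaced, or -1 if `out` is too small. */
int sanitize_gpt_ini_values(const char *in, char *out, size_t out_sz)
{
    size_t o = 0;
    int replaced = 0;
    int in_value = 0;   /* past the '=' on the current line? */

    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        unsigned char c = *p;
        if (c == '\n') {
            in_value = 0;            /* values never span lines */
        } else if (!in_value && c == '=') {
            in_value = 1;            /* everything after the first '=' is the value */
        } else if (in_value && c > 0x7f) {
            c = '?';                 /* lossy by design: the value is not used */
            replaced++;
        }
        if (o + 1 >= out_sz) {
            return -1;               /* keep room for the terminating NUL */
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return replaced;
}
```

Keys are left alone on purpose: a non-ASCII key would still be an unresolved problem, and silently rewriting it could make a later lookup miss a key that was actually present in the policy file.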

- - - - -
ad1f64e4 by Iker Pedrosa at 2022-03-18T11:58:34+01:00
Tests: fix unused variable (F841)

Fix the unused variables detected by flake8 by removing or using them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Co-Authored-By: Steeve Goveas <sgoveas at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
abc41d0b by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Switch distro.sh to use /etc/os-release

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
59484ef0 by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Add shadow and unused-variable to SSS_WARNINGS

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
098c3fcf by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Update rpm-spec-builddeps to python3 shebang

Needed to support using contrib/ci/deps.sh inside a
fedora:latest container.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a0f454aa by Justin Stephenson at 2022-03-21T12:52:48+01:00
CONTRIB: Add install dependencies option to contrib/ci/run

Add support to only install dependencies and execute no other steps.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
94254dd7 by Justin Stephenson at 2022-03-21T12:52:48+01:00
CI: Install dependencies with contrib/ci/run

Contrib/ci/run script is already used by sssd-ci/* targets, use
it as a frontend for this GH action also.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
81450b9a by Justin Stephenson at 2022-03-21T12:52:48+01:00
CI: Add warnings enabled build and make check

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
027e89b4 by Sumit Bose at 2022-03-21T12:52:59+01:00
test: suppress memory leak in _dl_find_object_update

Some recent versions of glibc have a memory leak causing a failure if the
dlopen-tests run under valgrind.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3baf161e by Sumit Bose at 2022-03-21T12:53:00+01:00
integration tests: switch OpenLDAP from hdb to mdb

The latest versions of OpenLDAP do not support hdb anymore.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6edbb6cd by Steeve Goveas at 2022-03-23T12:21:10+01:00
Tests: prefix 'session_' to avoid failure

It was accidentally removed during the flake8 fixes

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
e538db29 by Steeve Goveas at 2022-03-23T12:21:10+01:00
Tests: CRB repo name has changed in IDM CI

CRB repo is prefixed with the name of the OS, adding a '*' should solve
the issue.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
0c0705e3 by Tomas Halman at 2022-03-23T12:21:41+01:00
usertools: better default for IPA/AD re_expression

Some Active Directory groups, typically those used for MS Exchange,
contain an "@" sign in the name. The new IPA and AD re_expression
default handles it correctly, considering that the domain is everything
that follows the last '@'.

:relnote: Better default for IPA/AD re_expression. Tuning for
group names containing '@' is no longer needed.

Resolves: https://github.com/SSSD/sssd/issues/6055

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
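The parsing rule stated above (the domain is everything after the last '@', so a group name may itself contain '@') as an added example written for this page; these two POSIX extended regular expressions are constructed to illustrate the difference and are not SSSD's actual re_expression defaults, and `split_fqname` is not an SSSD function. The "naive" pattern stops the name at the first '@', the "last-at" pattern forbids '@' in the domain, which forces the split to the last one.

```c
#include <regex.h>
#include <string.h>

/* Split "name@domain" into its two parts using a POSIX ERE.
 * domain_after_last_at == 0 uses the naive pattern (split at FIRST '@'),
 * != 0 uses the pattern that splits at the LAST '@'.
 * Returns 0 on a successful match, -1 otherwise (no match or buffer too small). */
int split_fqname(const char *input, int domain_after_last_at,
                 char *name, size_t name_sz, char *domain, size_t domain_sz)
{
    /* Constructed patterns for illustration, not SSSD's real defaults. */
    const char *re = domain_after_last_at ? "^(.+)@([^@]+)$"   /* last '@'  */
                                          : "^([^@]+)@(.+)$";  /* first '@' */
    regex_t rx;
    regmatch_t m[3];
    size_t nl, dl;

    if (regcomp(&rx, re, REG_EXTENDED) != 0) return -1;
    int rc = regexec(&rx, input, 3, m, 0);
    regfree(&rx);
    if (rc != 0) return -1;

    nl = (size_t)(m[1].rm_eo - m[1].rm_so);
    dl = (size_t)(m[2].rm_eo - m[2].rm_so);
    if (nl >= name_sz || dl >= domain_sz) return -1;
    memcpy(name, input + m[1].rm_so, nl);
    name[nl] = '\0';
    memcpy(domain, input + m[2].rm_so, dl);
    domain[dl] = '\0';
    return 0;
}
```

With the naive pattern, "Exchange Admins@corp@ad.example.test" is split into name "Exchange Admins" and domain "corp@ad.example.test", so the lookup goes to a domain that does not exist; with the last-'@' pattern the name is "Exchange Admins@corp" and the domain "ad.example.test", which is the behavior the commit describes.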

- - - - -
c159f529 by Tomas Halman at 2022-03-23T12:21:41+01:00
usertools: move default re_expression definition

With this patch the defaults for re_expression are moved to utils.h
and both defaults (ad/ipa and ldap) are defined in one place.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dde276e2 by Tomas Halman at 2022-03-23T12:21:41+01:00
TESTS: New tests for IPA/AD re_expression default

New tests for default IPA/AD re_expression. This expression defines
how to parse the string containing user name and domain into these
components.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8a9458df by Alejandro López at 2022-03-24T11:58:45+01:00
confdb: refactor confdb_get_domain_internal()

All the actions previously done in confdb_get_domain_internal() are now done
in separate functions and those functions are called from it.

Resolves: https://github.com/SSSD/sssd/issues/5380

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
51e92297 by Sumit Bose at 2022-03-25T11:22:58+01:00
ad: use right sdap_domain in ad_domain_info_send

Originally ad_domain_info_send() was only called when there was only a
single domain available and hence only a single sdap_domain struct with
the search bases in the sdap_domain list. Since ad_domain_info_send() is
now called at other times as well the right sdap_domain struct must be
selected so that the right search bases are used.

Resolves: https://github.com/SSSD/sssd/issues/6063

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
81d67a59 by Alexey Sheplyakov at 2022-03-25T11:23:19+01:00
ad: gpo: ignore GPO if SecEdit/GptTmpl.inf is missing

This makes it possible to use sssd's group policy based access control with
samba4 domain controllers `out of the box`. The problem is caused by

1) group policy based control denies access (to all users) if
   `${GPO_GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf`
   file is missing.
2) The `Default Domain Policy` and the `Default Domain Controller Policy`
   GPOs created by samba4 list the Security Protocol Extension CSE GUID
   {827D319E-6EAC-11D2-A4EA-00C04F79F83A} in their `gPCMachineExtensionNames`,
   however there are no .../SecEdit/GptTmpl.inf files in the sysvol.

According to section 3.2.5 of [MS-GPSM], sssd's current behavior is
correct. However, the Windows GPO client (at least the one in Windows 2008 R2)
just skips such broken GPOs. This patch makes sssd behave in the same way,
and makes setting up a samba4 based AD domain less painful.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fd19512a by Iker Pedrosa at 2022-03-25T14:04:25+01:00
cppcheck: fix issues

The issues fixed fall in the following categories: invalid printf
argument type and redundant check for a pointer.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b5abee44 by Timo Aaltonen at 2022-03-29T10:05:45+03:00
releasing package sssd version 2.6.3-2

- - - - -
74ef76b8 by Pavel Březina at 2022-03-29T11:35:25+02:00
ci: avoid concurrent runs

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e8b22f2d by Pavel Březina at 2022-03-29T11:35:25+02:00
ci: allow to run coverity scan on demand

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
71cd2822 by Pavel Březina at 2022-03-29T11:35:36+02:00
cache_req: fallback to UPN even with cache_first = true

The condition `ret == ENOENT && state->first_iteration` was not met
with `cache_first = true` because `state->first_iteration` got set
to `false`.

Resolves: https://github.com/SSSD/sssd/issues/6059

:fixes: SSSD now correctly falls back to UPN search if the user was
  not found even with `cache_first = true`.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a049ac71 by Alejandro López at 2022-03-29T11:35:50+02:00
systemd: only relaunch after crashes and do not retry forever

Set Relaunch=on-abnormal to only relaunch after a crash. Systemd
will not try to relaunch sssd if it returned with an error code,
for instance, on a wrong configuration file.
Use StartLimitIntervalSec and StartLimitBurst to limit the number of
times it is relaunched. Avoid blocking the boot process.

Resolves: https://github.com/SSSD/sssd/issues/5753

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8b95efa2 by Pavel Březina at 2022-03-29T12:50:00+02:00
intg: do not run valgrind on infopipe tests

This was done only to work around some issue that does not exist
anymore.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ee752f8e by Pavel Březina at 2022-03-29T12:50:00+02:00
intg: make kcm renewal test user independent

intgcheck is called in an nss_wrapper environment, but the tests themselves
are still executed with the same uid as the original user. This
means that kcm tests are running kinit as the user who called
`make intgcheck`.

Previously, `test_kcm_renewals` failed if the user uid != 1000 because
it was not found by sssd_kcm. Now, we create a user with the same uid
as the caller and it works.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
52e53926 by Pavel Březina at 2022-03-29T12:50:00+02:00
ci: make sure that $USER is available

USER is not set when running a command on a container directly through
'podman exec' or from a shell created from 'podman exec -it ... /bin/bash'

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5def61fb by Pavel Březina at 2022-03-29T12:50:00+02:00
ci: disable mock build in contrib/ci/run

It is not possible to run mock build against RHEL-8/9 due to missing
packages and we have COPR builds in place so it is a redundant check.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
df44fc20 by Pavel Březina at 2022-03-29T12:50:00+02:00
ci: make intgcheck work on CentOS Stream and RHEL 9

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4ea511c6 by Pavel Březina at 2022-03-29T12:50:01+02:00
ci: include acl package in basic multihost tests

Otherwise 389ds setup will fail on Fedora 36, see:
https://bugzilla.redhat.com/show_bug.cgi?id=2057436

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
562a4507 by Pavel Březina at 2022-03-29T12:50:01+02:00
ci: run intgcheck and multihost tests

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1abda838 by Iker Pedrosa at 2022-03-29T12:50:13+02:00
CI: enable cppcheck analysis

Enable the cppcheck analysis tool for pull-requests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
67b12923 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
CI: enable flake8 analysis

Enable the flake8 analysis for pull-requests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3c39d007 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
Tests: remove unused module (F401)

Remove unused module reported by flake8.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
73bd21b3 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
SSSDConfig: fix indentation for bracket (E124)

Fix the closing bracket visual indentation issue reported by flake8.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
30831cc3 by Iker Pedrosa at 2022-03-29T12:52:14+02:00
GDB: rename duplicated function (F811)

Rename duplicated function reported by flake8.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
22bbb7a0 by Pavel Březina at 2022-03-29T15:00:07+02:00
ci: fix concurrency group for copr

github.ref points to the target branch on pull_request_target

- - - - -
6d105980 by Madhuri Upadhye at 2022-03-31T12:30:12+02:00
Tests: ipa: Minor fix while adding users to groups in the Windows bash shell script.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
aa054c22 by Anuj Borah at 2022-03-31T12:30:23+02:00
Tests: Install nss-pam-ldapd package for alltests-tier2

Install nss-pam-ldapd package for alltests-tier2

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
60c30a3f by Alexey Tikhonov at 2022-03-31T13:18:47+02:00
UTILS: fixes CWE-394

like:

```
src/responder/nss/nsssrv.c:339: negative_return_fn: Function "sss_mmap_cache_init(nctx, "passwd", nctx->mc_uid, nctx->mc_gid, SSS_MC_PASSWD, mc_size_passwd * 26214UL, (time_t)memcache_timeout, &nctx->pwd_mc_ctx)" returns a negative number.
src/responder/nss/nsssrv.c:339: assign: Assigning: "ret" = "sss_mmap_cache_init(nctx, "passwd", nctx->mc_uid, nctx->mc_gid, SSS_MC_PASSWD, mc_size_passwd * 26214UL, (time_t)memcache_timeout, &nctx->pwd_mc_ctx)".
src/responder/nss/nsssrv.c:346: negative_returns: "ret" is passed to a parameter that cannot be negative.
 #  344|                                 &nctx->pwd_mc_ctx);
 #  345|       if (ret) {
 #  346|->         DEBUG(SSSDBG_CRIT_FAILURE,
 #  347|                 "Failed to initialize passwd mmap cache: '%s'\n",
 #  348|                 sss_strerror(ret));
```

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d1bce130 by Anuj Borah at 2022-03-31T13:19:41+02:00
Tests: Porting of proxy provider test suits to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/krb_auth

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
38636ffa by Shridhar Gadekar at 2022-04-06T11:13:49+02:00
minor change in testcase description

The testcase description mentioned ssh_cache instead of sss_cache.
Correcting the command in description.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d8d25758 by Sumit Bose at 2022-04-06T11:14:02+02:00
pam: fix section parsing issue

Due to a typo it was always necessary to have a `[prompting/password]`
section in sssd.conf to enable the other `prompting` section.

This patch fixes this and adds some unit test to cover that part of the
code.

Resolves: https://github.com/SSSD/sssd/issues/6081

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
34829d3b by Sumit Bose at 2022-04-06T11:14:02+02:00
tests: add utilities for cmocka based unit tests

Calls to list all tests and run only a single test are added.

Resolves: https://github.com/SSSD/sssd/issues/6081

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5c5a6b89 by Sumit Bose at 2022-04-06T11:14:02+02:00
tests: allow to run single pam-srv-tests tests

Since each pam-srv-test will remove the test directory, the --no-cleanup
option only makes sense if a test can be run individually.

Resolves: https://github.com/SSSD/sssd/issues/6081

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6a51ffee by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: add working-directory to build-sssd-srpm

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4396cd4b by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: integrate covscan into github actions

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
872bbbcc by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: fix concurrency group in analyze-target workflow

github.ref points to the target branch, not the pull request

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0fbabd4a by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: switch to next-actions

SSSD/action-build-srpm and SSSD/action-copr were moved to the new
next-actions organization so we do not pollute the SSSD namespace with
generic and unrelated stuff.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c321fa5f by Pavel Březina at 2022-04-08T12:39:43+02:00
ci: switch to next-actions/print-logs

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a84797cb by Anuj Borah at 2022-04-08T12:39:54+02:00
Tests: Fix FileNotFoundError for environment_setup

Fix FileNotFoundError for environment_setup

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
f853a868 by Pavel Březina at 2022-04-08T12:40:05+02:00
krb5: switch to Proxy-State in idp plugin

The State attribute can be present only once (RFC 2865), but some IdPs can
return larger data. This patch switches to Proxy-State, which may take
multiple values, and concatenates these into a single krb5_data like we
already do with Reply-Message.

Resolves: https://github.com/SSSD/sssd/issues/6088

Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
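
A worked illustration of the RFC 2865 point made in the message above, added here as an example and not SSSD's idp plugin code: a small RADIUS attribute (TLV) parser that concatenates every Proxy-State (type 33) value in packet order and rejects a packet that repeats State (type 24). The Access-Challenge packet, the chunk sizes (the 253-byte maximum value an attribute can carry) and the Reply-Message text are constructed inline for the example and are assumptions, not captured traffic.

```python
"""RADIUS attribute parsing with Proxy-State concatenation (added example).

RFC 2865 encodes attributes as Type (1 byte), Length (1 byte, header
included, so a value is at most 253 bytes) and Value. State (24) must not
be repeated; Proxy-State (33) may appear several times, so a server that
needs to carry more than 253 bytes of opaque state can split it across
Proxy-State attributes, which the receiver joins back together in order.
"""
import struct

ATTR_REPLY_MESSAGE = 18
ATTR_STATE = 24
ATTR_PROXY_STATE = 33
RADIUS_HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)
ACCESS_CHALLENGE = 11


class RadiusParseError(ValueError):
    """Raised for malformed packets or attribute layouts."""


def parse_attributes(packet: bytes):
    """Return a list of (type, value) pairs, validating every length field."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise RadiusParseError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise RadiusParseError("Length field does not match the packet")
    attrs = []
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise RadiusParseError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise RadiusParseError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def collect_state(attrs):
    """Return (state, proxy_state) where proxy_state is all chunks joined in order.

    A second State attribute is an error; an absent State yields None.
    """
    state = None
    proxy_chunks = []
    for atype, value in attrs:
        if atype == ATTR_STATE:
            if state is not None:
                raise RadiusParseError("State attribute must not be repeated (RFC 2865)")
            state = value
        elif atype == ATTR_PROXY_STATE:
            proxy_chunks.append(value)
    return state, b"".join(proxy_chunks)


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Serialise a packet with a zeroed Authenticator (sufficient for parsing tests)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body)) + bytes(16) + body


# Constructed sample (assumption): an Access-Challenge whose opaque state is
# 516 bytes and therefore split across three Proxy-State attributes.
SAMPLE = build_packet(ACCESS_CHALLENGE, 1, [
    (ATTR_REPLY_MESSAGE, b"Visit https://idp.example/device and enter code"),
    (ATTR_PROXY_STATE, b"A" * 253),
    (ATTR_PROXY_STATE, b"B" * 253),
    (ATTR_PROXY_STATE, b"C" * 10),
])

if __name__ == "__main__":
    state, proxy = collect_state(parse_attributes(SAMPLE))
    print("State:", state, "Proxy-State bytes:", len(proxy))
```

The parser checks every Length field against the packet before slicing, so a truncated or oversized attribute is rejected instead of silently producing a short or wrong chunk; the joined Proxy-State value is only as trustworthy as the channel that carried it.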

- - - - -
63e6365c by Alexander Bokovoy at 2022-04-08T12:40:05+02:00
krb5: switch to Proxy-State in idp plugin reply

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
74cb09ea by Pavel Březina at 2022-04-08T12:40:06+02:00
krb5: idp method is only supported if FAST channel is available

Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2980f114 by Pavel Březina at 2022-04-08T16:05:30+02:00
ci: use correct checkout path for covscan

- - - - -
d84f7885 by Timo Aaltonen at 2022-04-09T16:12:14+03:00
tests: Dump the daemon status after restart, hoping to see what the error is if it fails to start.

- - - - -
b91487b9 by Timo Aaltonen at 2022-04-09T20:47:47+03:00
tests: fix checking for systemctl status

- - - - -
e1585ce9 by Timo Aaltonen at 2022-04-10T10:31:10+03:00
rules: Drop --with-ldb-dir, use the default value from the pkgconfig file. (Closes: #1009223)

- - - - -
6dffd5ff by Timo Aaltonen at 2022-04-10T10:57:35+03:00
releasing package sssd version 2.6.3-3

- - - - -
0c568e94 by Pavel Březina at 2022-04-11T10:51:13+02:00
ci: disable fedora-review for copr pr builds

fedora-review switched logic and if the source can not be downloaded
from the url in the spec file it is now considered an error. Pull requests
do not have tarballs, so we need to disable this tool.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
42d3e28c by Iker Pedrosa at 2022-04-11T12:50:48+02:00
CI: disable result comment for cppcheck

The cppcheck action posts a result comment every time that a code change is
pushed to a PR. This commit updates the action reference to avoid
posting the comment.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37f90057 by Alexey Tikhonov at 2022-04-14T10:56:16+02:00
Revert "usertools: force local user for sssd process user"

This reverts commit 9c447dc85853116c035bbc2f9e3b8553a65be621.

Resolves: https://github.com/SSSD/sssd/issues/6107

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3c6218aa by Alexey Tikhonov at 2022-04-14T10:56:16+02:00
Revert "man: sssd.conf and sssd-ifp clarify user option"

This reverts commit 3d25724dc63dffb6d734790e58b1647e3a64e84f.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
720c39a1 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SID mem-cache: config, init, man page

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2a160adb by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
mem-cache: fix error in the comment

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d5e4753e by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SID mem-cache: data structure and store function

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f869c694 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: debug message in case of collision: - fixed mistype (users -> groups) - added SIDs of colliding entries

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a87dfd62 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: reduced code duplication

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
25426f6a by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: mem-cache: const correctness

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
aec620f6 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: store results in mem-cache

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
483d26e9 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SSS_CLIENT: sss_get_ex() should be static

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
24770866 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SSS_CLIENT: NSS: SID: mem-cache support for sid-by-id and id-by-sid lookups

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8cee413b by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
NSS: SID: don't try to deduce object type based on request type

Effectively, this code was a no-op anyway as `cmd_ctx->sid_id_type` wasn't
set for SID related requests to anything but SSS_ID_TYPE_NOT_SPECIFIED.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b2be59f1 by Alexey Tikhonov at 2022-04-14T10:56:31+02:00
SSS_CLIENT: NSS: SID: improved sss_nss_mc_get_sid_by_id()

Resolves: https://github.com/SSSD/sssd/issues/3768

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
731b3e66 by Sumit Bose at 2022-04-14T10:56:46+02:00
pam: add more checks for require_cert_auth

Fail authentication if no Smartcard-based credentials are available and
require_cert_auth is set.

Resolves: https://github.com/SSSD/sssd/issues/6023

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4d2277f8 by Sumit Bose at 2022-04-14T10:56:46+02:00
pam: better SC fallback message

If no suitable certificates were found or if gdm-smartcard was somehow
activated without a Smartcard present ask to (re)-insert a Smartcard.

Resolves: https://github.com/SSSD/sssd/issues/6022

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
878737c8 by Sumit Bose at 2022-04-14T12:37:11+02:00
oidc_child: add initial implementation of oidc_child

Currently oidc_child will be used by FreeIPA's ipa_otpd to authenticate
a user against an IdP with the device code workflow. For the
communication with the user the recently added OAuth2 patches with the
Kerberos pre-authentication module will be used.

Later on it might be possible to add a SSSD authentication provider
which is using oidc_child as well.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cc811edf by Sumit Bose at 2022-04-14T12:37:11+02:00
oidc_child: make build configurable

With the configure option '--with-oidc-child=no' oidc_child is not
built.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
66f60aad by Pavel Březina at 2022-04-14T15:18:25+02:00
contrib: add sssd public key

This key will be used for SSSD-related activities such as signing
release tarballs.

It is also uploaded to `keys.openpgp.org` key server, it can be fetched with:

```
gpg2 --keyserver keys.openpgp.org --recv-keys C13CD07FFB2DB1408E457A3CD3D21B2910CF6759
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e09ac40a by Weblate at 2022-04-14T15:18:54+02:00
po: update translations

(Korean) currently translated at 30.5% (861 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 30.2% (853 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 29.4% (830 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 7.7% (48 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Finnish) currently translated at 3.6% (96 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Finnish) currently translated at 6.3% (39 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Finnish) currently translated at 3.6% (95 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Korean) currently translated at 29.3% (829 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 29.2% (824 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 28.8% (814 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Czech) currently translated at 100.0% (619 of 619 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Korean) currently translated at 28.7% (812 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 28.5% (805 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 28.3% (799 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 26.9% (761 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 3.5% (94 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (2627 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Ukrainian) currently translated at 100.0% (2627 of 2627 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Korean) currently translated at 27.3% (715 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 24.5% (641 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 18.6% (488 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
f9901d5a by Pavel Březina at 2022-04-14T15:22:01+02:00
pot: update pot files

- - - - -
f48eddc3 by Pavel Březina at 2022-04-14T15:23:57+02:00
Release sssd-2.7.0

- - - - -
ecc8aa71 by Iker Pedrosa at 2022-04-28T13:02:49+02:00
CI: update flake8 action reference

flake8 action was pointing to my fork because there was an unresolved
problem in the main repository. Now that the fix has been merged we can
update the reference.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0751f1cf by Iker Pedrosa at 2022-04-28T13:02:53+02:00
CI: update flake8 action reference

flake8 action was pointing to my fork because there was an unresolved
problem in the main repository. Now that the fix has been merged we can
update the reference.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit ecc8aa71429040e718b2155422ab0dbe0df58802)

- - - - -
e83e1065 by Iker Pedrosa at 2022-04-28T13:03:20+02:00
p11_child: enable more than one CRL PEM file

Enable support for more than one CRL PEM file. p11_child parses the
crl_file list passed as argument, loads all the files and makes the
validation.

Finally, add a new test case in test_utils to check that the p11_child
crl_file argument has been parsed correctly. Add another five test
cases in test_oam_srv to check the validation process.

:config: multiple crl_file arguments can be used in the
certificate_verification option.

Resolves: https://github.com/SSSD/sssd/issues/6086

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
84e3a8d6 by Iker Pedrosa at 2022-04-28T13:03:24+02:00
p11_child: enable more than one CRL PEM file

Enable support for more than one CRL PEM file. p11_child parses the
crl_file list passed as argument, loads all the files and makes the
validation.

Finally, add a new test case in test_utils to check that the p11_child
crl_file argument has been parsed correctly. Add another five test
cases in test_oam_srv to check the validation process.

:config: multiple crl_file arguments can be used in the
certificate_verification option.

Resolves: https://github.com/SSSD/sssd/issues/6086

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e83e10652be58e13bf9b2f307f16ff018fbbc9b8)

- - - - -
dff9ba78 by Pavel Březina at 2022-04-28T13:03:40+02:00
ci: switch to write-file-action

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
14044af0 by Pavel Březina at 2022-04-28T13:03:44+02:00
ci: switch to write-file-action

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit dff9ba783bd620a7826bf43db0d00029bbf62061)

- - - - -
a2517ef8 by Alexey Tikhonov at 2022-05-02T11:22:45+02:00
SDAP: got rid of unused function argument

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4b8d781f by Alexey Tikhonov at 2022-05-02T11:22:45+02:00
SDAP: got rid of unused state member

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cabc6cee by Alexey Tikhonov at 2022-05-02T11:22:45+02:00
SDAP: sdap_get_generic_send(): fix mem leak

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
460d02d1 by Pavel Březina at 2022-05-05T15:28:14+02:00
ci: disable Jenkins jobs

All jobs were replaced by Github Actions.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e0c2c0e3 by Pavel Březina at 2022-05-05T15:28:17+02:00
ci: disable Jenkins jobs

All jobs were replaced by Github Actions.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 460d02d12d4443b0b44608114c8ba204d8d223cd)

- - - - -
3f177aa3 by Steeve Goveas at 2022-05-06T12:28:24+02:00
TEST: Fix docstrings for successful polarion import

A blank line after the first line in the doc is important for betelgeuse.
The steps and expectedresults should have proper indents for the importer to
add the steps in the table format in the test case in polarion.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
6c0e6fc8 by Steeve Goveas at 2022-05-06T12:28:28+02:00
TEST: Fix docstrings for successful polarion import

A blank line after the first line in the doc is important for betelgeuse.
The steps and expectedresults should have proper indents for the importer to
add the steps in the table format in the test case in polarion.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 3f177aa379b2db9abc22ed7407f9e2ab93782b82)

- - - - -
da1d8eb4 by Anuj Borah at 2022-05-06T12:28:45+02:00
Tests: Fix ns_account test with sleep time

Fix ns_account test with sleep time

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
439b8c3c by Anuj Borah at 2022-05-06T12:28:49+02:00
Tests: Fix ns_account test with sleep time

Fix ns_account test with sleep time

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit da1d8eb4e08bbe55075a8d9a36452f8007af0572)

- - - - -
8edb287a by Madhuri Upadhye at 2022-05-06T12:29:04+02:00
Tests: ipa: Add automation of BZ1859751

Add automation of Allow SSSD to use anonymous
pkinit for FAST

verify:
  https://bugzilla.redhat.com/show_bug.cgi?id=1859751
  https://github.com/SSSD/sssd/issues/5961

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
181070c4 by Madhuri Upadhye at 2022-05-06T12:29:07+02:00
Tests: ipa: Add automation of BZ1859751

Add automation of Allow SSSD to use anonymous
pkinit for FAST

verify:
  https://bugzilla.redhat.com/show_bug.cgi?id=1859751
  https://github.com/SSSD/sssd/issues/5961

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 8edb287afed5b785f5485f21aaf5b53042c55e12)

- - - - -
0c35ed53 by Shridhar Gadekar at 2022-05-06T12:29:22+02:00
Tests: port rfc2307 username beginning with a space

Minor string-formatter change (added f-string)

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
21052b97 by Shridhar Gadekar at 2022-05-06T12:29:26+02:00
Tests: port rfc2307 username beginning with a space

Minor string-formatter change (added f-string)

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 0c35ed53a43974cb104882f06dd91382ac294a69)

- - - - -
ba5d4708 by Madhuri Upadhye at 2022-05-06T12:29:40+02:00
Tests: Document: Document to run the tests using multihost config.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
5187a2d5 by Madhuri Upadhye at 2022-05-06T12:29:44+02:00
Tests: Document: Document to run the tests using multihost config.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit ba5d4708be5d4fe6e260e2458e897cae93d0c6ec)

- - - - -
a6566e1c by Madhuri Upadhye at 2022-05-06T12:29:58+02:00
Tests: Document: Setup python virtual environment to run pytest.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
5945dac5 by Madhuri Upadhye at 2022-05-06T12:30:02+02:00
Tests: Document: Setup python virtual environment to run pytest.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit a6566e1c5d38ca2af3d98176fba7998cb6186ae3)

- - - - -
1eec0aae by Pavel Březina at 2022-05-06T12:30:59+02:00
ci: enable ci for sssd-2-7

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
950a77d5 by Pavel Březina at 2022-05-06T12:30:59+02:00
ci: fix syntax for flake8 job

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7d55af15 by Pavel Březina at 2022-05-06T12:31:03+02:00
ci: enable ci for sssd-2-7

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 1eec0aae2d478d7eb02b0615dd106377822e101e)

- - - - -
2aeab506 by Pavel Březina at 2022-05-06T12:31:03+02:00
ci: fix syntax for flake8 job

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 950a77d5bf7fc9106c273c49e79178c4b6e81f3c)

- - - - -
2591f8d7 by Sumit Bose at 2022-05-09T10:17:06+02:00
spec: mention oidc_child in description

Since oidc_child is part of the sssd-idp sub-package it should be
mentioned in the summary and the description.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bca43389 by Sumit Bose at 2022-05-09T10:17:10+02:00
spec: mention oidc_child in description

Since oidc_child is part of the sssd-idp sub-package it should be
mentioned in the summary and the description.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 2591f8d75e83175de7f4a0e1483ce3bc553a0fe8)

- - - - -
0a8d8f9e by Pavel Březina at 2022-05-09T10:17:28+02:00
ci: enable copr builds for CentOS Stream 8

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
74dd0049 by Pavel Březina at 2022-05-09T10:17:32+02:00
ci: enable copr builds for CentOS Stream 8

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0a8d8f9e94f9118ddca8bce24c188b41dfb94c8d)

- - - - -
1859523d by Tomas Halman at 2022-05-09T10:17:50+02:00
SPEC: python egg info format change

In the new Python, egg-info changed from a file to a folder with
several files.

This patch fixes the SPEC file to handle it correctly in both cases.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9d2d6c07 by Tomas Halman at 2022-05-09T10:17:50+02:00
make: clean python new files

New python produces more files during build. We have to
remove them during cleanup.

This patch fixes the `make distcheck` error in Fedora Rawhide.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f4219061 by Tomas Halman at 2022-05-09T10:17:54+02:00
SPEC: python egg info format change

In the new Python, egg-info changed from a file to a folder with
several files.

This patch fixes the SPEC file to handle it correctly in both cases.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 1859523d5946cc53e2a6ee73eaf93ab9aef262c2)

- - - - -
c90153de by Tomas Halman at 2022-05-09T10:17:54+02:00
make: clean python new files

New python produces more files during build. We have to
remove them during cleanup.

This patch fixes the `make distcheck` error in Fedora Rawhide.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 9d2d6c079021e44eed1d91268b2d9a51fc956284)

- - - - -
2b6349c3 by Pavel Březina at 2022-05-09T12:19:10+02:00
ci: fix syntax error in copr build

- - - - -
4b843859 by Pavel Březina at 2022-05-09T19:36:27+02:00
configure: fix libkrad detection

`main` is obviously not a symbol defined in the library

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
e4d75912 by Pavel Březina at 2022-05-09T19:36:27+02:00
cert: fix assignment discards _const_ qualifier from pointer target type

```
/shared/workspace/sssd/src/util/cert/libcrypto/cert.c:307:17: error: assignment discards _const_ qualifier from pointer target type [-Werror=discarded-qualifiers]
  307 |     rsa_pub_key = EVP_PKEY_get0_RSA(cert_pub_key);
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ef014b8b by Pavel Březina at 2022-05-09T19:36:27+02:00
ci: allow deprecated functions during build

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
af9f390c by Pavel Březina at 2022-05-09T19:36:30+02:00
configure: fix libkrad detection

`main` is obviously not a symbol defined in the library

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 4b8438593c0de7ca3d47b4fdcdb135dda9997922)

- - - - -
b92255ee by Pavel Březina at 2022-05-09T19:36:30+02:00
cert: fix assignment discards _const_ qualifier from pointer target type

```
/shared/workspace/sssd/src/util/cert/libcrypto/cert.c:307:17: error: assignment discards _const_ qualifier from pointer target type [-Werror=discarded-qualifiers]
  307 |     rsa_pub_key = EVP_PKEY_get0_RSA(cert_pub_key);
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit e4d75912a6c243ab8192eca7588df67af2f695a7)

- - - - -
51600e45 by Pavel Březina at 2022-05-09T19:36:30+02:00
ci: allow deprecated functions during build

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit ef014b8b293ca7859dc8c30db4cdcfa343c3c477)

- - - - -
0eb470f6 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Bulgarian) currently translated at 15.0% (94 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/bg/

- - - - -
1d4f8a86 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Catalan) currently translated at 55.2% (345 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ca/

- - - - -
0c617aac by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Czech) currently translated at 99.0% (619 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/cs/

- - - - -
0429439e by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(German) currently translated at 51.0% (319 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/de/

- - - - -
7f137099 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Spanish) currently translated at 98.7% (617 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/es/

- - - - -
ce389491 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Basque) currently translated at 6.7% (42 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/eu/

- - - - -
4a6a8639 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Finnish) currently translated at 7.6% (48 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/fi/

- - - - -
c6028dc0 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(French) currently translated at 99.0% (619 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/fr/

- - - - -
203f53f7 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Hungarian) currently translated at 7.0% (44 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/hu/

- - - - -
bd3af70f by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Indonesian) currently translated at 8.6% (54 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/id/

- - - - -
4fb521f8 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Italian) currently translated at 18.8% (118 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/it/

- - - - -
b7fc2cc7 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Japanese) currently translated at 99.0% (619 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ja/

- - - - -
37eeb49c by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Korean) currently translated at 99.0% (619 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

- - - - -
db7330de by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Norwegian Bokmål) currently translated at 2.2% (14 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/nb_NO/

- - - - -
53285ebd by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Dutch) currently translated at 47.2% (295 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/nl/

- - - - -
374e46e1 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Polish) currently translated at 99.0% (619 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/pl/

- - - - -
c2d6854a by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Portuguese) currently translated at 15.5% (97 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/pt/

- - - - -
7ac8d2e9 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Portuguese (Brazil)) currently translated at 0.8% (5 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/pt_BR/

- - - - -
36c4bea4 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Russian) currently translated at 98.0% (613 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ru/

- - - - -
8820b9bf by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Swedish) currently translated at 99.0% (619 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/sv/

- - - - -
53dc281f by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Tajik) currently translated at 0.9% (6 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tg/

- - - - -
b0d96840 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Turkish) currently translated at 15.0% (94 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

- - - - -
45e0519f by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Ukrainian) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/uk/

- - - - -
9c93f392 by Yuri Chornoivan at 2022-05-11T13:58:40+03:00
po: update translations

(Ukrainian) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/uk/

- - - - -
30a845f8 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 99.0% (619 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/zh_CN/

- - - - -
80af4e57 by Anonymous at 2022-05-11T13:58:40+03:00
po: update translations

(Chinese (Traditional) (zh_TW)) currently translated at 7.8% (49 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/zh_TW/

- - - - -
386c6d3e by Alexey Tikhonov at 2022-05-12T12:57:39+02:00
SPEC: drop sssd-ipa dependency on sssd-idp

:packaging: sssd-ipa doesn't require sssd-idp

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e0e23dfb by Alexey Tikhonov at 2022-05-12T12:57:43+02:00
SPEC: drop sssd-ipa dependency on sssd-idp

:packaging: sssd-ipa doesn't require sssd-idp

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 386c6d3ea022afc37a16c87d2a07874b808d0dab)

- - - - -
f7c50980 by Madhuri Upadhye at 2022-05-12T12:57:58+02:00
Test: ipa: remove useless fixture call

Remove setup_ipa_client from the list as it's a session-scope
fixture with autouse set to true.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
ebda07b9 by Madhuri Upadhye at 2022-05-12T12:58:01+02:00
Test: ipa: remove useless fixture call

Remove setup_ipa_client from the list as it's a session-scope
fixture with autouse set to true.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit f7c50980110ce44bbf120351042ed608df34f16e)

- - - - -
72a403e9 by Anuj Borah at 2022-05-12T12:58:15+02:00
Tests: Fix sss_analyzer tests

Fix sss_analyzer tests

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
53ca6638 by Anuj Borah at 2022-05-12T12:58:19+02:00
Tests: Fix sss_analyzer tests

Fix sss_analyzer tests

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 72a403e92bcda3969e28f4db2fac6a501d35220a)

- - - - -
e254ba8f by Anuj Borah at 2022-05-12T12:58:34+02:00
Tests: Enabling ssctl_ldap test cases

A copr build of the nss-pam-ldapd package would be used
to execute these tests. We no longer need to skip them.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
7edcd1fa by Anuj Borah at 2022-05-12T12:58:37+02:00
Tests: Enabling ssctl_ldap test cases

A copr build of the nss-pam-ldapd package would be used
to execute these tests. We no longer need to skip them.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit e254ba8fcb2dd4bbccc8c28b33e678eda2749a0b)

- - - - -
b9094ee6 by Steeve Goveas at 2022-05-12T12:58:51+02:00
TEST: Update default debug levels expected in logs

A new debug level "SSSDBG_PERF_STAT" was added to show statistical and performance
data and included in "SSSDBG_IMPORTANT_INFO", making it 0x3f7c0:
https://github.com/SSSD/sssd/commit/775150b5800611191da85b01c5113b446f997d1b

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
deaca2f5 by Steeve Goveas at 2022-05-12T12:58:55+02:00
TEST: Update default debug levels expected in logs

A new debug level "SSSDBG_PERF_STAT" was added to show statistical and performance
data and included in "SSSDBG_IMPORTANT_INFO", making it 0x3f7c0:
https://github.com/SSSD/sssd/commit/775150b5800611191da85b01c5113b446f997d1b

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b9094ee681e4ad43a9c17f880b9bbaf8193a2eb0)

- - - - -
624ad523 by Steeve Goveas at 2022-05-12T12:59:21+02:00
TEST: Add missing markers in pytest.ini

Some markers from alltests were missing in pytest.ini, causing warning
messages. Added those markers and sorted them alphabetically for
readability.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
6e92bb2f by Steeve Goveas at 2022-05-12T12:59:25+02:00
TEST: Add missing markers in pytest.ini

Some markers from alltests were missing in pytest.ini, causing warning
messages. Added those markers and sorted them alphabetically for
readability.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 624ad523af3ad8ec0abe23073d630ae1fc75e3f4)

- - - - -
7b1033d1 by Alexey Tikhonov at 2022-05-12T12:59:39+02:00
sssctl: fixed log message

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a90ef949 by Alexey Tikhonov at 2022-05-12T12:59:39+02:00
SDAP: sdap_nested_group_deref_direct_process(): store 'state->members' in a hash table to reduce computational complexity during "new member" check.

Resolves: https://github.com/SSSD/sssd/issues/5134

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0ef863f1 by Alexey Tikhonov at 2022-05-12T12:59:43+02:00
sssctl: fixed log message

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 7b1033d10f4a592907f079d51dc80745be2acf56)

- - - - -
64b38715 by Alexey Tikhonov at 2022-05-12T12:59:43+02:00
SDAP: sdap_nested_group_deref_direct_process(): store 'state->members' in a hash table to reduce computational complexity during "new member" check.

Resolves: https://github.com/SSSD/sssd/issues/5134

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit a90ef949e51a4177afcb3128e11867ae7b70f439)

- - - - -
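The hash-table membership check described in commit a90ef949 (backported as 64b38715), as an added illustration rather than SSSD's own code: a nested-group flattener that records already-collected members in a set, so each "is this a new member?" test is a constant-time hash lookup instead of a scan over everything collected so far. The sample directory, its DNs and the `max_depth` parameter (standing in for the real `ldap_group_nesting_level` option, whose exact semantics are not reproduced here) are constructed for the example.

```python
"""Added example, not SSSD code: flatten nested LDAP group membership while
deduplicating members with a set (hash table) rather than a list scan."""
from typing import Dict, List, Set

# Constructed sample directory for the example: group DN -> list of member DNs.
# Groups may nest, and "ops" deliberately points back at "admins" (a cycle).
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "cn=admins,ou=groups,dc=example,dc=net": [
        "uid=alice,ou=people,dc=example,dc=net",
        "cn=ops,ou=groups,dc=example,dc=net",
    ],
    "cn=ops,ou=groups,dc=example,dc=net": [
        "uid=bob,ou=people,dc=example,dc=net",
        "uid=alice,ou=people,dc=example,dc=net",   # duplicate of a direct member
        "cn=admins,ou=groups,dc=example,dc=net",   # cycle back to the start
        "cn=deep,ou=groups,dc=example,dc=net",
    ],
    "cn=deep,ou=groups,dc=example,dc=net": [
        "uid=carol,ou=people,dc=example,dc=net",
    ],
}


def resolve_members(group_dn: str,
                    directory: Dict[str, List[str]],
                    max_depth: int = 2) -> List[str]:
    """Return the user DNs reachable from group_dn through nested groups.

    - `seen_members` is the hash-table "new member" check: each insertion and
      lookup is O(1) on average, so collecting N members costs O(N) instead of
      the O(N^2) that `if member not in members` on a list would cost.
    - `visited_groups` stops cycles (admins -> ops -> admins).
    - `max_depth` bounds how far nesting is followed (assumed semantics, in the
      spirit of ldap_group_nesting_level; not SSSD's exact behaviour).
    The result keeps first-seen order so callers get deterministic output.
    """
    members: List[str] = []
    seen_members: Set[str] = set()
    visited_groups: Set[str] = set()
    # Explicit stack of (group DN, nesting depth); depth 0 is group_dn itself.
    stack = [(group_dn, 0)]
    while stack:
        dn, depth = stack.pop()
        if dn in visited_groups:
            continue
        visited_groups.add(dn)
        for member in directory.get(dn, []):
            if member in directory:
                # Nested group: descend only while within the depth limit.
                if depth < max_depth:
                    stack.append((member, depth + 1))
            elif member not in seen_members:
                seen_members.add(member)
                members.append(member)
    return members


if __name__ == "__main__":
    for dn in resolve_members("cn=admins,ou=groups,dc=example,dc=net",
                              SAMPLE_DIRECTORY):
        print(dn)
```

With the sample data, resolving `cn=admins` yields alice, bob and carol exactly once each, even though alice appears in two groups and the ops group points back at admins; lowering `max_depth` to 1 drops carol, since the `deep` group is two levels down.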
bd085431 by Sumit Bose at 2022-05-12T13:00:07+02:00
sdap: move some functions from sysdb to sdap

Some functions which are currently provided by sysdb are only used in
the LDAP provider to process data received from LDAP. In this case it is
about functions which try to determine a suitable name for the object in
the cache. The goal is to be able to use some calls from libldap without
adding a dependency to libldap to the sysdb code.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3af930e5 by Sumit Bose at 2022-05-12T13:00:07+02:00
sdap: rename functions copied from sysdb

The functions copied from sysdb to the sdap code are renamed to remove
the 'sysdb' prefix.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e88559fa by Sumit Bose at 2022-05-12T13:00:07+02:00
sdap: replace sysdb_attrs_primary_name() with sdap_get_primary_name()

sdap_get_primary_name() is basically a wrapper for
sysdb_attrs_primary_name(). To remove the sysdb dependency to allow a
different implementation of sdap_get_primary_name() all calls to
sysdb_attrs_primary_name() are replaced by calls to
sdap_get_primary_name().

To be compatible with the parameter list the talloc memory context is
removed from the parameter list of sdap_get_primary_name() and the
function will return a reference to existing memory which should not be
modified.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e587572b by Sumit Bose at 2022-05-12T13:00:07+02:00
sdap: move sysdb_attrs_primary_name() into sdap_get_primary_name()

sysdb_attrs_primary_name() is not called directly anymore but only
through sdap_get_primary_name(). The implementation is removed from the
sysdb code and moved into sdap_get_primary_name().

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bb4e9301 by Sumit Bose at 2022-05-12T13:00:07+02:00
sdap: make sdap_get_primary_name() aware of multi-valued RDNs

The RDN related functions of libldb are not aware of multi-valued RDNs
like e.g. "cn=host.example.net+ipHostNumber=198.168.1.1" as defined in
section 2.3.1 of RFC-4512. To be able to reliably derive a name for the
object in the cache in case the object stored in LDAP has multiple
values for e.g. the 'cn' attribute assigned, SSSD must be able to handle
the multi-valued RDNs properly. Since OpenLDAP's libldap allows this the
current implementation is replaced by a new one which uses the
decomposed LDAPDN structure returned by ldap_str2dn().

:relnote: SSSD can now handle multi-valued RDNs if a unique name must be
determined with the help of the RDN.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
dd1f4902 by Sumit Bose at 2022-05-12T13:00:07+02:00
sdap: removed unused dom parameter from sdap_get_primary_name()

For the new implementation the dom parameter is not needed anymore and
can be removed.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
952b9bd7 by Sumit Bose at 2022-05-12T13:00:07+02:00
sdap: add tests for sdap_get_primary_name

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8547e699 by Sumit Bose at 2022-05-12T13:00:11+02:00
sdap: move some functions from sysdb to sdap

Some functions which are currently provided by sysdb are only used in
the LDAP provider to process data received from LDAP. In this case it is
about functions which try to determine a suitable name for the object in
the cache. The goal is to be able to use some calls from libldap without
adding a dependency to libldap to the sysdb code.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit bd08543161d076c9c27f0827fc3746c052f20624)

- - - - -
75a70ac9 by Sumit Bose at 2022-05-12T13:00:11+02:00
sdap: rename functions copied from sysdb

The functions copied from sysdb to the sdap code are renamed to remove
the 'sysdb' prefix.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3af930e5bb9f46bf88ad579142fe01a422332224)

- - - - -
10f86ad3 by Sumit Bose at 2022-05-12T13:00:11+02:00
sdap: replace sysdb_attrs_primary_name() with sdap_get_primary_name()

sdap_get_primary_name() is basically a wrapper for
sysdb_attrs_primary_name(). To remove the sysdb dependency to allow a
different implementation of sdap_get_primary_name() all calls to
sysdb_attrs_primary_name() are replaced by calls to
sdap_get_primary_name().

To be compatible with the parameter list the talloc memory context is
removed from the parameter list of sdap_get_primary_name() and the
function will return a reference to existing memory which should not be
modified.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e88559fa88c1f5a4cea089bd3dc7e74d740324d1)

- - - - -
c1531822 by Sumit Bose at 2022-05-12T13:00:11+02:00
sdap: move sysdb_attrs_primary_name() into sdap_get_primary_name()

sysdb_attrs_primary_name() is not called directly anymore but only
through sdap_get_primary_name(). The implementation is removed from the
sysdb code and moved into sdap_get_primary_name().

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e587572b4a3993a330cfe0dcbe57ed2790073713)

- - - - -
19b45201 by Sumit Bose at 2022-05-12T13:00:11+02:00
sdap: make sdap_get_primary_name() aware of multi-valued RDNs

The RDN related functions of libldb are not aware of multi-valued RDNs
like e.g. "cn=host.example.net+ipHostNumber=198.168.1.1" as defined in
section 2.3.1 of RFC-4512. To be able to reliably derive a name for the
object in the cache in case the object stored in LDAP has multiple
values for e.g. the 'cn' attribute assigned, SSSD must be able to handle
the multi-valued RDNs properly. Since OpenLDAP's libldap allows this the
current implementation is replaced by a new one which uses the
decomposed LDAPDN structure returned by ldap_str2dn().

:relnote: SSSD can now handle multi-valued RDNs if a unique name must be
determined with the help of the RDN.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit bb4e93015c47ae76f6e4d240994f7af7c2525b2d)

- - - - -
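The multi-valued RDN case that commits bb4e9301 and 19b45201 handle with `ldap_str2dn()`, worked through as an added example that is not SSSD's code: a small parser for the RFC 4514 string form of a DN (the `+`-joined RDN syntax comes from RFC 4512 section 2.3.1, as the commit notes) and a name-selection routine that, when an entry has several `cn` values, picks the one the leftmost RDN names. The DN reuses the commit's `cn=host.example.net+ipHostNumber=198.168.1.1` literal; the entry attributes, the surrounding `ou`/`dc` components and the function names are constructed for the example.

```python
"""Added example, not SSSD code: parse an RFC 4514 DN string, including
multi-valued RDNs ("cn=a+ipHostNumber=b"), and pick the entry's cache name
from the RDN when its naming attribute carries several values."""
from typing import Dict, List, Optional, Tuple

# One RDN is a list of (attribute type, value) pairs joined by '+' in the string.
RDN = List[Tuple[str, str]]

_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into RDNs, leftmost first.

    Unescaped ',' ends an RDN, unescaped '+' separates the pairs inside one
    RDN, and '\\' escapes either the next character or a two-digit hex byte.
    Only single-byte hex escapes are decoded here; multi-byte UTF-8 escapes
    are deliberately left out of this example. Raises ValueError on a DN that
    ends before a value (e.g. "cn" or the empty string).
    """
    rdns: List[RDN] = []
    current: RDN = []
    attr_type = ""
    buf: List[str] = []
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))   # "\\2c" -> ','
                i += 3
            else:
                buf.append(dn[i + 1])                        # "\\+" -> '+'
                i += 2
            continue
        if not in_value and c == "=":
            attr_type = "".join(buf).strip()   # tolerate "cn=a, dc=b" spacing
            buf = []
            in_value = True
        elif in_value and c in ",+":
            current.append((attr_type, "".join(buf)))
            buf = []
            in_value = False
            if c == ",":
                rdns.append(current)
                current = []
        else:
            buf.append(c)
        i += 1
    if not in_value or not attr_type:
        raise ValueError("malformed DN: %r" % dn)
    current.append((attr_type, "".join(buf)))
    rdns.append(current)
    return rdns


def primary_name(dn: str, attrs: Dict[str, List[str]],
                 name_attr: str = "cn") -> Optional[str]:
    """Choose the name under which an LDAP object is cached.

    A single value of name_attr is used as-is. When the entry carries several
    values, the one named in the leftmost RDN wins, even if that RDN also
    holds other attribute types joined by '+'. Matching is case-insensitive
    (assumes a caseIgnoreMatch attribute such as cn); the stored spelling is
    returned. None means no stored value matches the RDN, which a caller
    should treat as an error rather than guess.
    """
    values = attrs.get(name_attr, [])
    if len(values) == 1:
        return values[0]
    if not values:
        return None
    first_rdn = parse_dn(dn)[0]
    for atype, avalue in first_rdn:
        if atype.lower() != name_attr.lower():
            continue
        for stored in values:
            if stored.lower() == avalue.lower():
                return stored
    return None


# Constructed sample entry (not real directory data): the host object carries
# two 'cn' values and its RDN is multi-valued.
SAMPLE_DN = "cn=host.example.net+ipHostNumber=198.168.1.1,ou=hosts,dc=example,dc=net"
SAMPLE_ATTRS: Dict[str, List[str]] = {
    "cn": ["host01", "host.example.net"],
    "ipHostNumber": ["198.168.1.1"],
}

if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
    print(primary_name(SAMPLE_DN, SAMPLE_ATTRS))
```

For the sample entry the first RDN decomposes into `("cn", "host.example.net")` and `("ipHostNumber", "198.168.1.1")`, so `primary_name` returns `host.example.net` rather than the first `cn` value in attribute order; a naive "take `cn` from the RDN string" approach would instead see `host.example.net+ipHostNumber=198.168.1.1` as the name.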
676b5dce by Sumit Bose at 2022-05-12T13:00:11+02:00
sdap: removed unused dom parameter from sdap_get_primary_name()

For the new implementation the dom parameter is not needed anymore and
can be removed.

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit dd1f4902b8ba4e5a081a77c0faece9bfcdccb697)

- - - - -
26bbaf7f by Sumit Bose at 2022-05-12T13:00:11+02:00
sdap: add tests for sdap_get_primary_name

Resolves: https://github.com/SSSD/sssd/issues/6122

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 952b9bd71762ce9abeae3f506a5f65601e1769f9)

- - - - -
97eabb7e by Sumit Bose at 2022-05-12T13:00:30+02:00
proxy: lower child count even if there is an error

If the proxy_child_send() request returns an error the number of running
child processes is not updated although most probably SIGKILL was
already sent to the child.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
67270a08 by Sumit Bose at 2022-05-12T13:00:30+02:00
proxy: finish request if proxy_child is terminated

If proxy_child is terminated by a signal, e.g. by the child's watchdog,
the backend is handling the signal but any related tevent request is not
finished. It will eventually finish if the SBus/DBus timeout is
reached.

This patch makes the signal handler aware of the request so that it can
be finished with an error.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4af071af by Sumit Bose at 2022-05-12T13:00:30+02:00
data_provider: add dp_client_cancel_timeout()

Add a call to remove a timeout handler from a sbus_connection.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4950bc00 by Sumit Bose at 2022-05-12T13:00:30+02:00
proxy: remove DP client timeout handler

Since the proxy_child is using a dedicated Register method for its SBus
connection to the backend it has to remove the generic timeout handler
added during the initial connection by dp_client_init() during its
registration.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
90617845 by Sumit Bose at 2022-05-12T13:00:33+02:00
proxy: lower child count even if there is an error

If the proxy_child_send() request returns an error the number of running
child processes is not updated although most probably SIGKILL was
already sent to the child.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 97eabb7ed7b67713fb6f2f27b9c5f26e99d27da8)

- - - - -
2e4786e7 by Sumit Bose at 2022-05-12T13:00:33+02:00
proxy: finish request if proxy_child is terminated

If proxy_child is terminated by a signal, e.g. by the child's watchdog,
the backend is handling the signal but any related tevent request is not
finished. It will eventually finish if the SBus/DBus timeout is
reached.

This patch makes the signal handler aware of the request so that it can
be finished with an error.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 67270a0881cfad4870d1c3929ee4eb7b640291f4)

- - - - -
3cb0dda5 by Sumit Bose at 2022-05-12T13:00:33+02:00
data_provider: add dp_client_cancel_timeout()

Add a call to remove a timeout handler from a sbus_connection.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 4af071af64593c83f3a95180b609c32c470070f6)

- - - - -
7ad0a6d5 by Sumit Bose at 2022-05-12T13:00:33+02:00
proxy: remove DP client timeout handler

Since the proxy_child is using a dedicated Register method for its SBus
connection to the backend it has to remove the generic timeout handler
added during the initial connection by dp_client_init() during its
registration.

Resolves: https://github.com/SSSD/sssd/issues/6114

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 4950bc00b6bb92a13e62da808b99ec9730aff53d)

- - - - -
45411d84 by Steeve Goveas at 2022-05-12T13:16:47+02:00
TEST: Implement time logging for the LDAP queries

Test time logging is enabled on setting debug level 9 or bitmask 0x20000
Test to trigger warning message for long query time

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5967
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1925559

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0bad124d by Steeve Goveas at 2022-05-12T13:16:50+02:00
TEST: Implement time logging for the LDAP queries

Test time logging is enabled on setting debug level 9 or bitmask 0x20000
Test to trigger warning message for long query time

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5967
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1925559

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 45411d8448a435e7d3411f6434895e120ad1ae48)

- - - - -
91969611 by Anuj Borah at 2022-05-16T12:39:19+02:00
Tests: Fix ns_account test with clear_sssd_cache

Fix ns_account test with clear_sssd_cache

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
a86265f7 by Anuj Borah at 2022-05-16T12:39:23+02:00
Tests: Fix ns_account test with clear_sssd_cache

Fix ns_account test with clear_sssd_cache

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 91969611fe788c9296ac13305a93d765e8b3af06)

- - - - -
a45d58c5 by Steeve Goveas at 2022-05-18T15:39:58+02:00
TEST: Add test for memcache SID

Verifies
  Issue: #3768
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1245367

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
686b1c8c by Steeve Goveas at 2022-05-18T15:39:58+02:00
TEST: Update and sort ad pytest.ini

Some test markers were missing. Added them and sorted for readability.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
eeaa77a2 by Steeve Goveas at 2022-05-18T15:40:01+02:00
TEST: Add test for memcache SID

Verifies
  Issue: #3768
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1245367

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit a45d58c56171ee7aa14726dfed50548637f4489e)

- - - - -
bc14ede7 by Steeve Goveas at 2022-05-18T15:40:01+02:00
TEST: Update and sort ad pytest.ini

Some test markers were missing. Added them and sorted for readability.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit 686b1c8ce8d8e83ef21a78198d765c94990bbae8)

- - - - -
063d3a7f by Timo Aaltonen at 2022-05-25T09:48:42+03:00
Merge branch 'upstream'

- - - - -
2418b327 by Timo Aaltonen at 2022-05-25T09:49:06+03:00
version bump

- - - - -
c471fb92 by Timo Aaltonen at 2022-05-25T09:50:58+03:00
Update signing-key.asc.

- - - - -
18fdac4a by Timo Aaltonen at 2022-05-25T09:56:28+03:00
source: Update diff-ignores.

- - - - -
3ea1f683 by Timo Aaltonen at 2022-05-25T10:29:34+03:00
control, rules: Add sssd-idp package, which includes plugins for external identity providers.

- - - - -
c9cc2fb6 by Timo Aaltonen at 2022-05-25T10:52:00+03:00
control, rules: Enable krb5 config snippets by default.

- - - - -
c5c8f926 by Timo Aaltonen at 2022-05-25T11:04:47+03:00
control: modify idp description

- - - - -
d0fd1667 by Timo Aaltonen at 2022-05-25T12:59:10+03:00
releasing package sssd version 2.7.0-1

- - - - -
abce8dbe by Steeve Goveas at 2022-05-25T12:17:24+02:00
TEST: Install iproute-tc for tc

For tc we need the iproute-tc package installed if it is not already
installed. In RHEL 9.1 it was installed by default, but in 8.7 it is not
present.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
3dbcb812 by Steeve Goveas at 2022-05-25T12:17:28+02:00
TEST: Install iproute-tc for tc

For tc we need the iproute-tc package installed if it is not already
installed. In RHEL 9.1 it was installed by default, but in 8.7 it is not
present.

Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit abce8dbebcfa14f5e5656facaa2111b74694e1cf)

- - - - -
886ff516 by Alejandro López at 2022-05-25T12:18:02+02:00
sssctl: free one malloc-allocated variable.

One variable is allocated by popt using malloc and has to be freed.
As it is a const char *, we need to bypass the const modifier.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
97cffab3 by Alejandro López at 2022-05-25T12:18:02+02:00
sss_tools: More flexible sss_tool_popt_ex()

Let sss_tool_popt_ex()'s caller decide whether the free option is mandatory.
This is done with a new argument called fopt_require.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a809db92 by Alejandro López at 2022-05-25T12:18:02+02:00
sbus: Getter for the debug_level property

New debug_level property added to the sssd.service interface.
Getter implemented.

Resolves: https://github.com/SSSD/sssd/issues/6019

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e82135eb by Alejandro López at 2022-05-25T12:18:02+02:00
sbus: Setter for the debug_level property.

The setter for the recently added property.

Resolves: https://github.com/SSSD/sssd/issues/6019

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e7974472 by Alejandro López at 2022-05-25T12:18:02+02:00
sssctl: Get and set per-component debug-level

:feature: sssctl is now able to read and set each component's
debug level independently.

Use D-Bus to set/get the debug level.

Resolves: https://github.com/SSSD/sssd/issues/6019

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d550b5f6 by Pavel Březina at 2022-05-30T12:12:17+02:00
man: add idp indicator

Resolves: https://github.com/SSSD/sssd/issues/6181

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f20db24a by Pavel Březina at 2022-05-30T12:12:21+02:00
man: add idp indicator

Resolves: https://github.com/SSSD/sssd/issues/6181

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit d550b5f60ccf23f977efd36f30ef6973abdd905d)

- - - - -
9aad3071 by Pavel Březina at 2022-05-30T12:12:38+02:00
pam_sss_gss: KRB5CCNAME may be NULL

Resolves: https://github.com/SSSD/sssd/issues/6180

:fixes: A regression in pam_sss_gss module causing a failure if
  KRB5CCNAME environment variable was not set was fixed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0eae7db9 by Pavel Březina at 2022-05-30T12:12:42+02:00
pam_sss_gss: KRB5CCNAME may be NULL

Resolves: https://github.com/SSSD/sssd/issues/6180

:fixes: A regression in pam_sss_gss module causing a failure if
  KRB5CCNAME environment variable was not set was fixed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 9aad30711a5928f0e8a3627305b6449291de507f)

- - - - -
71b14474 by Sumit Bose at 2022-05-30T12:12:58+02:00
ad: add fallback in ad_domain_info_send()

Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
ad_domain_info_send() to handle multiple domains by searching for the
matching sdap_domain data. Unfortunately it assumed that the configured
name and the DNS domain name are always matching. This is true for all
sub-domains discovered at runtime by DNS lookups but might not be true
for the domain configured in sssd.conf. Since the configured domain is
the first in the list of sdap_domain data it will be used as a fallback
in case no data could be found by name.

Resolves: https://github.com/SSSD/sssd/issues/6170

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
80ffa314 by Sumit Bose at 2022-05-30T12:13:07+02:00
ad: add fallback in ad_domain_info_send()

Commit 51e92297157562511baf8902777f02a4aa2e70e6 allowed
ad_domain_info_send() to handle multiple domains by searching for the
matching sdap_domain data. Unfortunately it assumed that the configured
name and the DNS domain name are always matching. This is true for all
sub-domains discovered at runtime by DNS lookups but might not be true
for the domain configured in sssd.conf. Since the configured domain is
the first in the list of sdap_domain data it will be used as a fallback
in case no data could be found by name.

Resolves: https://github.com/SSSD/sssd/issues/6170

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 71b14474bec82a0c57065ad45915ebfeb9e3d03e)

- - - - -
8270d4c9 by Pavel Březina at 2022-05-30T12:14:55+02:00
readme: add status badges

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1e142041 by Alexey Tikhonov at 2022-05-30T12:34:12+02:00
TESTS: new case to test ad_gpo_parse_ini_file()

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dfadb7da by Iker Pedrosa at 2022-05-30T12:34:18+02:00
ad: prepend GPO_CACHE_PATH in caller function

Prepend the GPO_CACHE_PATH to the samba path in the
ad_gpo_parse_ini_file() caller instead of in this function. This way, we
make ad_gpo_parse_ini_file() completely agnostic to the exact samba path
and we fix the testing setup issues with valgrind.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37d2a184 by Alexey Tikhonov at 2022-05-30T12:34:24+02:00
GPO: make ad_gpo_parse_ini_file() to accept full path

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
67814634 by Iker Pedrosa at 2022-06-01T14:54:22+02:00
CI: flake8 move target to pull_request_target

Move flake8 target from pull_request to pull_request_target to be able
to write comments in the PR.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5c3d6090 by Iker Pedrosa at 2022-06-01T14:54:22+02:00
CI: update actions version

CodeQL Action v1 is being deprecated and v2 needs to be used instead.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
abac841d by Iker Pedrosa at 2022-06-01T14:55:52+02:00
CI: flake8 move target to pull_request_target

Move flake8 target from pull_request to pull_request_target to be able
to write comments in the PR.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 67814634868523c59dec98876bcf34fb97d3dee8)

- - - - -
e7cc73c2 by Iker Pedrosa at 2022-06-01T14:55:54+02:00
CI: update actions version

CodeQL Action v1 is being deprecated and v2 needs to be used instead.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 5c3d60907e773bf2c897a5f305d8eb4cc457727c)

- - - - -
2d52fffd by Sumit Bose at 2022-06-02T12:42:27+02:00
ad: make new PAC buffers available

Recently new PAC buffers, PAC_UPN_DNS_INFO_EX, PAC_ATTRIBUTES_INFO,
PAC_REQUESTER_SID were added. With this patch ad_get_data_from_pac() can
return those new buffers as well.

Additionally the information from the PAC_LOGON_INFO and
PAC_UPN_DNS_INFO buffers is checked for consistency and compared with
the user principal name stored in the user object.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e57ab1ea by Sumit Bose at 2022-06-02T12:42:27+02:00
tests: add PAC upn_dns_info test

Add basic unit tests for the PAC_UPN_DNS_INFO PAC buffer.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a28f8a33 by Sumit Bose at 2022-06-02T12:42:27+02:00
krb5: add krb5_check_pac option

A new option krb5_check_pac for the krb5 provider is added to control
how the PAC is validated. Currently only the option 'present', which
makes the PAC mandatory, is available.

:config: New option krb5_check_pac to control the PAC validation
behavior.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6970cb1b by Sumit Bose at 2022-06-02T12:42:27+02:00
pac: apply new pac check options

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
30dbecaa by Sumit Bose at 2022-06-02T12:42:28+02:00
ad: enable the PAC responder implicitly for AD provider

To be able to run the extra consistency checks on the PAC the PAC
responder must be running.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9c12e962 by Sumit Bose at 2022-06-02T12:42:28+02:00
monitor: add implicit_pac_responder option.

The PAC responder is started automatically if the IPA or AD providers
are configured. In case the PAC responder is causing issues the
implicit_pac_responder option is added to disable the automatic start.

:config: New option implicit_pac_responder to control if the PAC
responder is started for the IPA and AD providers, default is 'true'.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4c7f730b by Sumit Bose at 2022-06-02T12:42:28+02:00
localauth: improve localauth add man page

A man page is added for the Kerberos localauth plugin and the plugin is
using the system's getpwnam_r() to find the user by name instead of
directly talking to SSSD to have the same view as other applications
running on the system.

Resolves: https://github.com/SSSD/sssd/issues/4677

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a912c125 by Sumit Bose at 2022-06-02T12:42:31+02:00
ad: make new PAC buffers available

Recently new PAC buffers, PAC_UPN_DNS_INFO_EX, PAC_ATTRIBUTES_INFO,
PAC_REQUESTER_SID were added. With this patch ad_get_data_from_pac() can
return those new buffers as well.

Additionally the information from the PAC_LOGON_INFO and
PAC_UPN_DNS_INFO buffers is checked for consistency and compared with
the user principal name stored in the user object.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2d52fffdbda1558407fe51b0ad91c0b5bea7bae9)

- - - - -
d6354e0a by Sumit Bose at 2022-06-02T12:42:31+02:00
tests: add PAC upn_dns_info test

Add basic unit tests for the PAC_UPN_DNS_INFO PAC buffer.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e57ab1ea5cb0d10e7b689ef72f5862e125bcb17d)

- - - - -
1c90333b by Sumit Bose at 2022-06-02T12:42:31+02:00
krb5: add krb5_check_pac option

A new option krb5_check_pac for the krb5 provider is added to control
how the PAC is validated. Currently only the option 'present', which
makes the PAC mandatory, is available.

:config: New option krb5_check_pac to control the PAC validation
behavior.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit a28f8a337b9df61615015c045695fd21e9aab13f)

- - - - -
8e265c76 by Sumit Bose at 2022-06-02T12:42:31+02:00
pac: apply new pac check options

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 6970cb1bfd2e50286956ea311167ac77f78c3ee5)

- - - - -
e7163273 by Sumit Bose at 2022-06-02T12:42:31+02:00
ad: enable the PAC responder implicitly for AD provider

To be able to run the extra consistency checks on the PAC the PAC
responder must be running.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 30dbecaa9ef6957b74692bf86e34afcf3cafae70)

- - - - -
fcc1bd84 by Sumit Bose at 2022-06-02T12:42:31+02:00
monitor: add implicit_pac_responder option.

The PAC responder is started automatically if the IPA or AD providers
are configured. In case the PAC responder is causing issues the
implicit_pac_responder option is added to disable the automatic start.

:config: New option implicit_pac_responder to control if the PAC
responder is started for the IPA and AD providers, default is 'true'.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9c12e962e0fcd6e74c9cc844e2e98e0b0dce79fa)

- - - - -
0dc42cba by Sumit Bose at 2022-06-02T12:42:31+02:00
localauth: improve localauth add man page

A man page is added for the Kerberos localauth plugin and the plugin is
using the system's getpwnam_r() to find the user by name instead of
directly talking to SSSD to have the same view as other applications
running on the system.

Resolves: https://github.com/SSSD/sssd/issues/4677

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 4c7f730b858c09e092cdecec973bd20af32b46d4)

- - - - -
2d03e3b1 by 김인수 at 2022-06-02T12:43:26+02:00
po: update translations

(Korean) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

- - - - -
5457584d by Piotr Drąg at 2022-06-02T12:43:26+02:00
po: update translations

(Polish) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/pl/

- - - - -
188d8148 by Elena Mishina at 2022-06-02T12:43:26+02:00
po: update translations

(Russian) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ru/

- - - - -
ccf55aff by 김인수 at 2022-06-02T12:43:26+02:00
po: update translations

(Korean) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

- - - - -
2a2c0574 by Luna Jernberg at 2022-06-02T12:43:26+02:00
po: update translations

(Swedish) currently translated at 99.5% (622 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/sv/

- - - - -
167f87e5 by Göran Uddeborg at 2022-06-02T12:43:26+02:00
po: update translations

(Swedish) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/sv/

- - - - -
0d7db9e8 by Pavel Borecki at 2022-06-02T12:43:26+02:00
po: update translations

(Czech) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/cs/

- - - - -
b24fd01b by Weblate at 2022-06-02T12:43:32+02:00
po: update translations

(Korean) currently translated at 31.8% (899 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Czech) currently translated at 5.9% (157 of 2632 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/

po: update translations

(Czech) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Swedish) currently translated at 100.0% (2632 of 2632 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Swedish) currently translated at 99.8% (2627 of 2632 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 99.5% (622 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Korean) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 100.0% (2632 of 2632 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 100.0% (2632 of 2632 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Korean) currently translated at 31.6% (894 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Russian) currently translated at 100.0% (2632 of 2632 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Korean) currently translated at 31.6% (893 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 31.3% (885 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 31.3% (884 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Polish) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Ukrainian) currently translated at 100.0% (2632 of 2632 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

- - - - -
7126f664 by Pavel Březina at 2022-06-02T12:49:25+02:00
po: translate sssd_krb5_localauth_plugin.8.xml

- - - - -
1a7b53ac by Pavel Březina at 2022-06-02T12:52:38+02:00
pot: update pot files

- - - - -
bd5a48bf by Pavel Březina at 2022-06-02T12:53:14+02:00
po: translate sssd_krb5_localauth_plugin.8.xml

- - - - -
1a2754f8 by Pavel Březina at 2022-06-02T12:55:04+02:00
pot: update translations

- - - - -
4c02953f by Pavel Březina at 2022-06-02T13:12:26+02:00
Release sssd-2.7.1

- - - - -
01748ec5 by Timo Aaltonen at 2022-06-02T19:35:54+03:00
Merge branch 'upstream'

- - - - -
8ea13c16 by Timo Aaltonen at 2022-06-02T19:36:21+03:00
version bump

- - - - -
9e3d52ef by Timo Aaltonen at 2022-06-02T19:37:16+03:00
control: Drop sssd-ipd from sssd-ipa depends.

- - - - -
e6952101 by Timo Aaltonen at 2022-06-02T19:39:56+03:00
sssd-common.install: Add a new manpage.

- - - - -
686786c6 by Pavel Březina at 2022-06-03T13:07:29+02:00
sbus: ensure single new line at end of file

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d1aa1ab6 by Pavel Březina at 2022-06-03T13:07:29+02:00
sbus: apply changes in codegen

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
242fb3f9 by Iker Pedrosa at 2022-06-06T13:35:57+02:00
Revert "CI: flake8 move target to pull_request_target"

This reverts commit 67814634868523c59dec98876bcf34fb97d3dee8.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
eb4a2f3a by Iker Pedrosa at 2022-06-06T13:36:01+02:00
Revert "CI: flake8 move target to pull_request_target"

This reverts commit 67814634868523c59dec98876bcf34fb97d3dee8.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 242fb3f9e6992795764c402250da27db9016d7b1)

- - - - -
bff0a4a6 by Steeve Goveas at 2022-06-06T13:36:25+02:00
TEST: Fix the indentation in docstrings

The indentation of multiple lines in the steps and expectedresults must
be properly aligned for the importer to pick correctly.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
5f387805 by Steeve Goveas at 2022-06-06T13:36:29+02:00
TEST: Fix the indentation in docstrings

The indentation of multiple lines in the steps and expectedresults must
be properly aligned for the importer to pick correctly.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit bff0a4a6a605b303fe9754acc6c4097f9bafbecf)

- - - - -
d1ab0d09 by Timo Aaltonen at 2022-06-06T16:32:39+03:00
releasing package sssd version 2.7.1-1

- - - - -
e89d7e44 by Steeve Goveas at 2022-06-08T12:12:45+02:00
TEST: Update to search the start string for hostname

There was a recent dns fix in idm-ci due to which the username in the
known_hosts keys has the FQDN of the host. This caused the test to fail.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
3fc66049 by Steeve Goveas at 2022-06-08T12:12:49+02:00
TEST: Update to search the start string for hostname

There was a recent dns fix in idm-ci due to which the username in the
known_hosts keys has the FQDN of the host. This caused the test to fail.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit e89d7e442918afc6efe9d30970f6df0dd9614613)

- - - - -
954ea61b by Timo Aaltonen at 2022-06-09T10:19:35+03:00
pac-relax-default-for-pac_check-option.diff: Drop pac_present from default PAC check. (Closes: #1012502)

- - - - -
6388f9ae by Timo Aaltonen at 2022-06-09T10:19:41+03:00
releasing package sssd version 2.7.1-2

- - - - -
55e93cf1 by Sumit Bose at 2022-06-09T10:29:58+02:00
pac: relax default for pac_check option

PAC might not be always present, especially in IPA environments. So the
default of pac_check should not contain 'pac_present'.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
26d8601e by Sumit Bose at 2022-06-09T10:30:02+02:00
pac: relax default for pac_check option

PAC might not be always present, especially in IPA environments. So the
default of pac_check should not contain 'pac_present'.

Resolves: https://github.com/SSSD/sssd/issues/5868

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 55e93cf1cf4d61c6de7975cbdc97a723545586c0)

- - - - -
bb4e054c by Anuj Borah at 2022-06-10T14:43:24+02:00
Tests: port proxy_provider/misc

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.7/client/proxy_provider/misc

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dbb9d62b by Anuj Borah at 2022-06-10T14:43:29+02:00
Tests: port proxy_provider/misc

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.7/client/proxy_provider/misc

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit bb4e054cf84529c735cebdac654284cae3c9bc1e)

- - - - -
50a6f23d by Jakub Vavra at 2022-06-13T09:32:26+02:00
Tests: Set FIPS:AD-SUPPORT crypto-policy for AD integration

There is now a new crypto sub-policy for enabling AD interoperability
that needs to be set to make AD krb5 work.
https://bugzilla.redhat.com/show_bug.cgi?id=2056676

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
56a15877 by Jakub Vavra at 2022-06-13T09:32:30+02:00
Tests: Set FIPS:AD-SUPPORT crypto-policy for AD integration

There is now a new crypto sub-policy for enabling AD interoperability
that needs to be set to make AD krb5 work.
https://bugzilla.redhat.com/show_bug.cgi?id=2056676

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 50a6f23d7d6fd7f1931c1dea4ae1c11c42369edc)

- - - - -
9656516b by Sumit Bose at 2022-06-13T12:17:44+02:00
names: only check sub-domains for regex match

It is allowed to have different regular expressions to split the input
name for different domains. After the regex is evaluated and a domain
name was found in the input it has to be checked if the domain name
corresponds to the domain the regex is coming from.

E.g. with the implicit files provider enabled the files provider might
use a simple default regex while an additional IPA or AD provider will
have a more complex one which e.g. properly handles @-characters in
names. When evaluating an input the simple regex will come first and
will split the name but will miss part of the user name part if the name
contains an @-character. Currently SSSD checks if the found domain name
matches any of the known domains or sub-domains which is wrong because
the regex was coming from the files provider and hence it should only
handle its own objects.

With this patch not all domains are checked but only the current one and
its sub-domains, if any. This behavior is also mentioned in a comment
already in the code. As a result in the above example the check with
the results from the simple regex will fail and then the more complex
regex of the other domain will be used which can split the name
properly.

Resolves: https://github.com/SSSD/sssd/issues/6055

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
536dc9e4 by Sumit Bose at 2022-06-13T12:17:49+02:00
names: only check sub-domains for regex match

It is allowed to have different regular expressions to split the input
name for different domains. After the regex is evaluated and a domain
name was found in the input it has to be checked if the domain name
corresponds to the domain the regex is coming from.

E.g. with the implicit files provider enabled the files provider might
use a simple default regex while an additional IPA or AD provider will
have a more complex one which e.g. properly handles @-characters in
names. When evaluating an input the simple regex will come first and
will split the name but will miss part of the user name part if the name
contains an @-character. Currently SSSD checks if the found domain name
matches any of the known domains or sub-domains which is wrong because
the regex was coming from the files provider and hence it should only
handle its own objects.

With this patch not all domains are checked but only the current one and
its sub-domains, if any. This behavior is also mentioned in a comment
already in the code. As a result in the above example the check with
the results from the simple regex will fail and then the more complex
regex of the other domain will be used which can split the name
properly.

Resolves: https://github.com/SSSD/sssd/issues/6055

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9656516b9af2b3ea4627eab42f11c7667564020f)

- - - - -
ef79966b by Pavel Březina at 2022-06-13T15:35:19+02:00
Release sssd-2.7.2

- - - - -
3d16e741 by 김인수 at 2022-06-14T22:38:05+03:00
po: update translations

(Korean) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

- - - - -
3678f40b by Elena Mishina at 2022-06-14T22:38:05+03:00
po: update translations

(Russian) currently translated at 100.0% (628 of 628 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ru/

- - - - -
0239ad06 by Yuri Chornoivan at 2022-06-14T22:38:05+03:00
po: update translations

(Ukrainian) currently translated at 100.0% (628 of 628 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/uk/

- - - - -
8c0c5949 by Weblate at 2022-06-14T22:38:14+03:00
po: update translations

(Ukrainian) currently translated at 100.0% (2658 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 100.0% (2658 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (634 of 634 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Russian) currently translated at 100.0% (634 of 634 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 32.3% (912 of 2821 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (625 of 625 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

- - - - -
8ff6dee1 by Yuri Chornoivan at 2022-06-15T15:23:07+02:00
Fix minor typo

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
8136a60f by Yuri Chornoivan at 2022-06-15T15:23:11+02:00
Fix minor typo

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 8ff6dee14190790560f13ccbec2210177a553f60)

- - - - -
2156e378 by Iker Pedrosa at 2022-06-15T15:23:28+02:00
CI: update python dependencies to version 3

Update python dependencies in debian derivatives to version 3. Also
update the python style checker.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a8fc21c2 by Iker Pedrosa at 2022-06-15T15:23:28+02:00
CI: build debian without python 2 bindings

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ab49bfd7 by Pavel Březina at 2022-06-15T15:23:28+02:00
tests: fix pep8 issues

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
24de04dd by Pavel Březina at 2022-06-15T15:23:28+02:00
ci: switch to debian-latest

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
42e4bbff by Iker Pedrosa at 2022-06-15T15:23:32+02:00
CI: update python dependencies to version 3

Update python dependencies in debian derivatives to version 3. Also
update the python style checker.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 2156e37802f93d9e20298023c4dc72622b67c0ef)

- - - - -
3bf58985 by Iker Pedrosa at 2022-06-15T15:23:32+02:00
CI: build debian without python 2 bindings

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit a8fc21c292bace832351146c524d8080d56c0418)

- - - - -
5d39cd5c by Pavel Březina at 2022-06-15T15:23:32+02:00
tests: fix pep8 issues

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit ab49bfd7e84ecdb89fe26a611c41282a927191be)

- - - - -
b7893b9a by Pavel Březina at 2022-06-15T15:23:32+02:00
ci: switch to debian-latest

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 24de04dde39a191bd7b9b3a680d8770879eefb8f)

- - - - -
34528ef2 by Alejandro López at 2022-06-15T15:23:53+02:00
NSS: Replace the nss_ prefix for SSSD internal functions

Replaced all nss_ prefixes by sss_nss_.
_nss_sss were not replaced as they are used through external libraries
and do not risk a conflict.

Resolves: https://github.com/SSSD/sssd/issues/5120

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fc3797ab by Alejandro López at 2022-06-15T15:23:53+02:00
NSS: Removed the unused function sss_nss_setnetgrent_recv()

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d415f354 by Alejandro López at 2022-06-15T15:23:53+02:00
NSS: Removed the unused function sss_nss_protocol_fill_name_list()

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dc0eec59 by Pavel Březina at 2022-06-15T15:25:33+02:00
ci: upload test-suite.log as an artifact

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7f71eec4 by Pavel Březina at 2022-06-15T15:25:37+02:00
ci: upload test-suite.log as an artifact

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit dc0eec59f3d805abc2d97f68021de801db1bf561)

- - - - -
fd90c0d6 by Jakub Vavra at 2022-06-17T06:57:07+02:00
Tests: Fix/finish Sasl authid tests, minor tweak to hostname test.

The ported sasl authid tests did not work because the realm join in the original
bash was slightly different than what was done in adjoin fixture.
Fixed that by joining the AD manually in those two tests. Removed unneeded code from sasl tests.
Test test_0015_ad_parameters_ad_hostname_machine is not quite stable,
hopefully changing the command order a bit can improve that.
Fixed violations found by flake8, pylint in the file (or added pylint ignore).
Removed stopping of sssd before configuration as it is done inside clear_sssd_cache anyway.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
490b23be by Jakub Vavra at 2022-06-17T06:57:10+02:00
Tests: Fix/finish Sasl authid tests, minor tweak to hostname test.

The ported sasl authid tests did not work because the realm join in the original
bash was slightly different from what was done in the adjoin fixture.
Fixed that by joining the AD manually in those two tests. Removed unneeded code from sasl tests.
Test test_0015_ad_parameters_ad_hostname_machine is not quite stable,
hopefully changing the command order a bit can improve that.
Fixed violations found by flake8, pylint in the file (or added pylint ignore).
Removed stopping of sssd before configuration as it is done inside clear_sssd_cache anyway.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit fd90c0d61644038911f92dae9f91aa2067a68867)

- - - - -
27f48118 by Shridhar Gadekar at 2022-06-17T11:44:39+02:00
Test: Minor trivial testcase doc-string changes of rfc2307

Corrected the related bug for rfc2307 related testcase.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
8e2b83b5 by Shridhar Gadekar at 2022-06-17T11:44:43+02:00
Test: Minor trivial testcase doc-string changes of rfc2307

Corrected the related bug for rfc2307 related testcase.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 27f481182bbed18f330b26f1adc69c529a3edfd7)

- - - - -
b207d1de by Jakub Vavra at 2022-06-17T11:44:59+02:00
Fix some flake8 violations

W504 line break after binary operator
E226 missing whitespace around arithmetic operator
E241 multiple spaces after ','
E502 the backslash is redundant between brackets
F541 f-string is missing placeholders

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ae400d25 by Jakub Vavra at 2022-06-17T11:45:03+02:00
Fix some flake8 violations

W504 line break after binary operator
E226 missing whitespace around arithmetic operator
E241 multiple spaces after ','
E502 the backslash is redundant between brackets
F541 f-string is missing placeholders

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b207d1de93105786bc8c0173f1cb7b24b369652a)

- - - - -
c104e250 by Timotej Lazar at 2022-06-17T11:45:18+02:00
Analyzer: Only import sssd.source_* when needed

This allows sss_analyze to run without python-systemd when using the
Files backend.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a7faea3e by Jakub Vavra at 2022-06-17T11:45:30+02:00
Tests: Add a test for bz2026799 bz2070138

SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message
causing sssd_be to go offline (cross interference of different provider plugins options)

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5998
  Bugzilla:
    - https://bugzilla.redhat.com/show_bug.cgi?id=2026799
    - https://bugzilla.redhat.com/show_bug.cgi?id=2070138

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
0b0fdb66 by Jakub Vavra at 2022-06-17T11:45:34+02:00
Tests: Add a test for bz2026799 bz2070138

SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message
causing sssd_be to go offline (cross interference of different provider plugins options)

Verifies
  Issue: https://github.com/SSSD/sssd/issues/5998
  Bugzilla:
    - https://bugzilla.redhat.com/show_bug.cgi?id=2026799
    - https://bugzilla.redhat.com/show_bug.cgi?id=2070138

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit a7faea3e28d9e42143838ec97af007cd78835bbc)

- - - - -
9a33cb82 by Pavel Březina at 2022-06-17T17:12:25+02:00
intgcheck: mark files provider tests as flaky

If python3-flaky is installed, it will re-run the test several times
to give it an additional chance to pass and avoid CI failure.

These tests often fail in ci environment due to a race condition that
we were not able to identify so far.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7f30777e by Pavel Březina at 2022-06-17T17:12:29+02:00
intgcheck: mark files provider tests as flaky

If python3-flaky is installed, it will re-run the test several times
to give it an additional chance to pass and avoid CI failure.

These tests often fail in ci environment due to a race condition that
we were not able to identify so far.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 9a33cb82467723ceaccf4464cbca5e8c80416aed)

- - - - -
446002b9 by Pavel Březina at 2022-06-17T17:14:57+02:00
sbus: ensure single new line at end of file

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 686786c65c4bb4c072ce63d770ba9f92857347e4)

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
440076eb by Pavel Březina at 2022-06-17T17:14:57+02:00
sbus: apply changes in codegen

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
003b94fb by Pavel Březina at 2022-06-20T11:09:10+02:00
confdb: allow empty sssd/domains option

:fixes: `domains` option in `[sssd]` section can now be completely
omitted if domains are enabled via `domains/enabled` option

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0ae94c16 by Pavel Březina at 2022-06-20T11:09:10+02:00
confdb: consider enabled option when expanding app domains

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c5933066 by Pavel Březina at 2022-06-20T11:09:10+02:00
confdb: log to syslog when no domains are configured

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fbdc213b by Pavel Březina at 2022-06-20T11:09:10+02:00
tests: add domains enabled tests

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8096abc5 by Weblate at 2022-06-21T12:33:21+03:00
Added translation using Weblate (Georgian)

po: update translations

(Korean) currently translated at 34.9% (911 of 2610 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 34.0% (888 of 2610 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (634 of 634 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Turkish) currently translated at 30.5% (194 of 634 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Polish) currently translated at 100.0% (634 of 634 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

- - - - -
fe79c4a0 by 김인수 at 2022-06-21T12:33:32+03:00
po: update translations

(Korean) currently translated at 100.0% (628 of 628 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

- - - - -
e5902e1a by Piotr Drąg at 2022-06-21T12:33:32+03:00
po: update translations

(Polish) currently translated at 100.0% (628 of 628 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/pl/

- - - - -
2b62330c by Kemal Oktay Aktoğan at 2022-06-21T12:33:32+03:00
po: update translations

(Turkish) currently translated at 30.8% (194 of 628 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

- - - - -
97b706ea by Weblate at 2022-06-21T14:10:22+03:00
po: update translations

(Turkish) currently translated at 30.9% (196 of 634 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

- - - - -
590ff906 by Kemal Oktay Aktoğan at 2022-06-21T14:10:30+03:00
po: update translations

(Turkish) currently translated at 31.2% (196 of 628 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

- - - - -
f25ab6d7 by Iker Pedrosa at 2022-06-21T13:16:09+02:00
Fix E226 reported by flake8

E226 missing whitespace around arithmetic operator

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
289ff0ca by Iker Pedrosa at 2022-06-21T13:16:13+02:00
Fix E226 reported by flake8

E226 missing whitespace around arithmetic operator

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit f25ab6d7324da2f1a6fb626fb862beef230a75a7)

- - - - -
1ed59fb6 by Alexey Tikhonov at 2022-06-21T13:16:37+02:00
PAM P11: fixed mistype in a log message

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f1195229 by Alexey Tikhonov at 2022-06-21T13:16:37+02:00
PAM P11: fixed minor mem-leak

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5433961b by Alexey Tikhonov at 2022-06-21T13:16:37+02:00
PAM: user feedback when login fails due to blocked PIN

Resolves: https://github.com/SSSD/sssd/issues/6153

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
abc2ae56 by Alexey Tikhonov at 2022-06-21T13:16:41+02:00
PAM P11: fixed mistype in a log message

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1ed59fb6e6a1f244b6954e689be10c213ffebed3)

- - - - -
aec97331 by Alexey Tikhonov at 2022-06-21T13:16:41+02:00
PAM P11: fixed minor mem-leak

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit f1195229e016e2a3e1a7358ff87954d573b1dcac)

- - - - -
f0609d82 by Alexey Tikhonov at 2022-06-21T13:16:41+02:00
PAM: user feedback when login fails due to blocked PIN

Resolves: https://github.com/SSSD/sssd/issues/6153

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 5433961b932010c6cdbdc7ffe5be0d119aeac2ad)

- - - - -
12d4b679 by Pavel Březina at 2022-06-21T13:27:45+02:00
pot: update translations

- - - - -
1861d434 by Pavel Březina at 2022-06-21T13:30:28+02:00
pot: update translations

- - - - -
89191dd1 by Jakub Vavra at 2022-06-22T06:20:48+02:00
Tests: Extend test to cover bz2098615.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
17c60bb8 by Jakub Vavra at 2022-06-22T06:20:51+02:00
Tests: Extend test to cover bz2098615.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 89191dd13e8287b0f0602ffe55ce194c117a6b1a)

- - - - -
b43baa3e by Timo Aaltonen at 2022-06-22T11:34:18+03:00
Merge branch 'upstream'

- - - - -
11b98356 by Timo Aaltonen at 2022-06-22T11:34:40+03:00
version bump

- - - - -
56473fe3 by Timo Aaltonen at 2022-06-22T12:03:44+03:00
pac-relax-default-for-pac_check-option.diff: Dropped, upstream.

- - - - -
209f4b29 by Timo Aaltonen at 2022-06-22T13:19:33+03:00
releasing package sssd version 2.7.2-1

- - - - -
a64db42f by Timo Aaltonen at 2022-06-22T14:35:25+03:00
rules: Fix python install directory. (LP: #1979453)

- - - - -
296b4f3a by Timo Aaltonen at 2022-06-22T16:54:51+03:00
releasing package sssd version 2.7.2-2

- - - - -
b1a4e9c2 by Sergio Durigan Junior at 2022-06-22T11:00:00-04:00
d/p/fix-shebang-on-sss_analyze.patch: Fix shebang on sss_analyze.

- - - - -
ec56c0c6 by Sergio Durigan Junior at 2022-06-22T11:00:19-04:00
Update changelog for 2.7.2-3 release

- - - - -
9cddeb8b by Alejandro López at 2022-06-28T14:51:26+02:00
Config: Add the %h template for the 'override_homedir' option

:config: override_homedir now recognizes the %h template which
is replaced by the original home directory retrieved from the
identity provider, but in lower case.

Resolves: https://github.com/SSSD/sssd/issues/6210

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7b34401b by Alejandro López at 2022-06-28T14:51:52+02:00
AD: Fixed a wrong index.

Wrong index used to check a result.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
35c35de4 by Alejandro López at 2022-06-28T14:51:52+02:00
PTasks: Make sure periodical tasks use randomization

For several tasks the random offset was set to 0. Made them use a
configurable offset.

The default values are based on the associated period's default value.

Some changes:
1) ad_machine_account_password_renewal_opts becomes
period:initial_delay[:offset]

If offset is not specified, it is considered to be 0 for
compatibility (same behavior as before).
If the whole string is not specified, the default is 86400:750:300

2) refresh_expired_interval could not be greater than
entry_cache_timeout. In that situation, it was set to
0.75 * entry_cache_timeout.

Now, refresh_expired_interval + refresh_expired_interval_offset
cannot be greater than entry_cache_timeout. In that situation,
refresh_expired_interval is set to 0.70 * entry_cache_timeout,
and refresh_expired_interval_offset becomes
refresh_expired_interval * 0.1. This makes a 5% variation around
75% (70%~80%).

:config: New option 'ldap_enumeration_refresh_offset' to set the
maximum period deviation between enumeration updates.
Defaults to 30 seconds.

:config: New option 'subdomain_refresh_interval_offset' to set
the maximum period deviation when refreshing the subdomain list.

:config: New option 'dyndns_refresh_interval_offset' to set the
maximum period deviation when updating the client's DNS entry.
Defaults to 0.

:config: New option 'refresh_expired_interval_offset' to set
the maximum period deviation when refreshing expired entries
in background.

:config: New option 'ldap_purge_cache_offset' to set the maximum time
deviation between cache cleanups. Defaults to 0.

:config: Option 'ad_machine_account_password_renewal_opts' now accepts
an optional third part as the maximum deviation in the provided period
(first part) and initial delay (second part). If the period and initial
delay are provided but not the offset, the offset is assumed to be 0.
If no part is provided, the default is 86400:750:300.

Resolves: https://github.com/SSSD/sssd/issues/4646

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

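A worked illustration of the rules this commit message describes, as an added example that is not SSSD's own code: it parses the `period:initial_delay[:offset]` string with the stated defaults, applies the `refresh_expired_interval` clamp, and shows why a non-zero offset matters, since with offset 0 every client of a fleet refreshes at the same instant. The additive uniform draw in `[0, offset]`, the function names and the fleet simulation are assumptions made for the illustration.

```python
import random

# Default for ad_machine_account_password_renewal_opts when the option is
# absent, as stated in the commit message: period:initial_delay:offset.
DEFAULT_AD_RENEWAL_OPTS = "86400:750:300"


def parse_ad_renewal_opts(value):
    """Parse 'period:initial_delay[:offset]' into three non-negative ints.

    A missing or empty string yields the default; a missing third part
    means offset 0 (the pre-change behaviour, kept for compatibility).
    """
    if value is None or value.strip() == "":
        value = DEFAULT_AD_RENEWAL_OPTS
    parts = value.strip().split(":")
    if len(parts) not in (2, 3):
        raise ValueError("expected period:initial_delay[:offset], got %r" % value)
    try:
        numbers = [int(p) for p in parts]
    except ValueError:
        raise ValueError("non-numeric field in %r" % value) from None
    period, initial_delay = numbers[0], numbers[1]
    offset = numbers[2] if len(numbers) == 3 else 0
    if period <= 0 or initial_delay < 0 or offset < 0:
        raise ValueError("period must be > 0 and delays >= 0: %r" % value)
    return period, initial_delay, offset


def is_valid_ad_renewal_opts(value):
    """True when parse_ad_renewal_opts() accepts the string."""
    try:
        parse_ad_renewal_opts(value)
        return True
    except ValueError:
        return False


def clamp_refresh_expired(entry_cache_timeout, interval, offset):
    """Apply the refresh_expired_interval rule from the commit message.

    interval + offset may not exceed entry_cache_timeout. If it does,
    interval becomes 0.70 * entry_cache_timeout and offset becomes
    0.1 * interval, i.e. a run somewhere between 70% and 80% of the
    cache timeout. Integer arithmetic avoids float rounding (5400 * 0.70
    is not exactly 3780 in binary floating point).
    """
    if interval + offset > entry_cache_timeout:
        interval = entry_cache_timeout * 70 // 100
        offset = interval // 10
    return interval, offset


def next_run_delay(period, offset, rng):
    """Delay until the next run: the period plus a uniform draw in [0, offset].

    Assumption for this illustration: the deviation is uniform and additive;
    the point is only that offset > 0 spreads the runs out.
    """
    if offset == 0:
        return period
    return period + rng.randint(0, offset)


def fleet_spread(n_clients, period, offset, seed=0):
    """Spread (max - min) of the next-run delay across n clients.

    With offset 0 every client fires at the same instant (spread 0); a
    non-zero offset disperses them, which is what the randomisation buys
    the server side.
    """
    rng = random.Random(seed)
    delays = [next_run_delay(period, offset, rng) for _ in range(n_clients)]
    return max(delays) - min(delays)


if __name__ == "__main__":
    print(parse_ad_renewal_opts(""))          # default 86400:750:300
    print(parse_ad_renewal_opts("3600:60"))   # offset defaults to 0
    print(clamp_refresh_expired(5400, 4000, 2000))
    print(fleet_spread(100, 86400, 0), fleet_spread(100, 86400, 300))
```

The clamp keeps the combined interval and deviation inside the cache lifetime, so a background refresh can never be scheduled for an entry that has already expired, while the offset still spreads a fleet's refreshes over a window instead of a single instant.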
- - - - -
b7c78b5c by Shridhar Gadekar at 2022-06-28T14:52:09+02:00
Tests: 2FA prompting setting

minor edit of user fuser to {usr}
from the sssd.conf
Verifies: #6081

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
754bacec by Shridhar Gadekar at 2022-06-28T14:52:13+02:00
Tests: 2FA prompting setting

minor edit of user fuser to {usr}
from the sssd.conf
Verifies: #6081

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b7c78b5cdae5c6e414bfe3495f0a617e79df36ba)

- - - - -
41cc0864 by Shridhar Gadekar at 2022-06-28T14:52:30+02:00
Test: better default for IPA/AD re_expression

AD groups containing the '@' sign in their name should be fetched
with the default re_expression

Verify:
https://bugzilla.redhat.com/show_bug.cgi?id=2061795

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
a123419e by Shridhar Gadekar at 2022-06-28T14:52:34+02:00
Test: better default for IPA/AD re_expression

AD groups containing the '@' sign in their name should be fetched
with the default re_expression

Verify:
https://bugzilla.redhat.com/show_bug.cgi?id=2061795

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 41cc086421b77bee64c59344573a824f45bfc83f)

- - - - -
fdc89c74 by Anuj Borah at 2022-06-28T14:52:51+02:00
Tests: Add automation for bz 2056035

'getent hosts' does not return hosts if they have more than one CN in LDAP

Verifies
	Issue: https://github.com/SSSD/sssd/issues/6122
	Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2056035

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a694a206 by Anuj Borah at 2022-06-28T14:52:55+02:00
Tests: Add automation for bz 2056035

'getent hosts' does not return hosts if they have more than one CN in LDAP

Verifies
	Issue: https://github.com/SSSD/sssd/issues/6122
	Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2056035

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit fdc89c7407ff8f32cce77249bc948dc0b702fa73)

- - - - -
e40b9e92 by Alejandro López at 2022-06-28T14:53:14+02:00
Monitor: Set _SSS_LOOPS conditionally at monitor startup

_SSS_LOOPS is no longer systematically set to "NO" and unset when
not required, but set to "NO" only when needed.

Resolves: https://github.com/SSSD/sssd/issues/5696

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c2ae062d by Alejandro López at 2022-06-28T14:53:14+02:00
Tests: make test_kcm_renewals immune to LC_TIME

The test expects the date to be in %m/%d/%y %H:%M:%S format but,
if the LC_TIME environment variable is set, the time can be
provided in a different format.
Remove the variable for the test and use the default format,
which is the one the test expects.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
73ba58a8 by Alejandro López at 2022-06-28T14:53:14+02:00
Responders: Remove unused argument

Removing the parameter prevent_sss_loops which is always 'false' when
calling the function csv_string_to_uid_array(). Only in tests is it
passed a 'true' value.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ba628d18 by Iker Pedrosa at 2022-06-30T11:38:24+02:00
version.m4: update version to 2.8.0

This will generate nightly builds in COPR with a higher version number
than the current released version. This, in turn, will allow us to test
the FreeIPA tests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5e032bbd by Alejandro López at 2022-07-01T11:03:57+02:00
sssctl: Fix malformed localizable string

po4a gets confused with _("Target the " #NAME " service").
Strings are no longer generated at compile-time.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f4f28ac0 by Alejandro López at 2022-07-01T11:03:57+02:00
sssctl: Add an argument's missing description

sssctl debug-level --domain misses the description of the
argument it receives.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
00e5f330 by Sumit Bose at 2022-07-01T11:06:47+02:00
conf: make libjose and libcurl required for oidc_child

With this patch configure will fail if oidc_child should be built but
either libcurl or libjose devel packages are not installed.

Resolves: https://github.com/SSSD/sssd/issues/6218

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
0816b64c by Sumit Bose at 2022-07-01T11:06:51+02:00
conf: make libjose and libcurl required for oidc_child

With this patch configure will fail if oidc_child should be built but
either libcurl or libjose devel packages are not installed.

Resolves: https://github.com/SSSD/sssd/issues/6218

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 00e5f3306dc4372d17e088df719dc6b11ee30b6b)

- - - - -
94352a9f by Alexey Tikhonov at 2022-07-01T11:14:44+02:00
New option for system hardening.

:config: New option 'core_dumpable' to manage 'PR_SET_DUMPABLE' flag of SSSD
processes. Enabled by default.

Resolves: https://github.com/SSSD/sssd/issues/4930

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
27f35f02 by Alexey Tikhonov at 2022-07-01T11:25:07+02:00
CLIENT: use thread local storage for socket to avoid the need for a lock.

:relnote: All SSSD client libraries (nss, pam, etc) won't
serialize requests anymore by default, i.e. requests from
multiple threads can be executed in parallel.
Old behavior (serialization) can be enabled by setting
environment variable "SSS__LOCKFREE" to "NO".

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ffec9993 by Alexey Tikhonov at 2022-07-01T11:25:07+02:00
SSS_CLIENT: mem-cache: fixed missing error code

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ef26371a by Alexey Tikhonov at 2022-07-01T11:25:07+02:00
SSS_CLIENT: got rid of code duplication

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
43c6bf31 by Alexey Tikhonov at 2022-07-01T11:25:07+02:00
TESTS: test_memory_cache: execute NSS functions in teardown to force sss_client libs to realize mem-cache files were deleted

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
98f2f9f5 by Alexey Tikhonov at 2022-07-01T11:25:07+02:00
confdb: suppress false positive warning: src/confdb/confdb.c:260:10: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value 'secdn'

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c7918bef by Alexey Tikhonov at 2022-07-01T11:25:11+02:00
CLIENT: use thread local storage for socket to avoid the need for a lock.

:relnote: All SSSD client libraries (nss, pam, etc) won't
serialize requests anymore by default, i.e. requests from
multiple threads can be executed in parallel.
Old behavior (serialization) can be enabled by setting
environment variable "SSS__LOCKFREE" to "NO".

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 27f35f029e5f2acdbad0bf254f9784f038e52bf8)

- - - - -
455940d9 by Alexey Tikhonov at 2022-07-01T11:25:11+02:00
SSS_CLIENT: mem-cache: fixed missing error code

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ffec99930ec84b586f4532246d04be6207396e54)

- - - - -
ddcf9a06 by Alexey Tikhonov at 2022-07-01T11:25:11+02:00
SSS_CLIENT: got rid of code duplication

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ef26371aba94bdacf3898105398df7ef29fce57e)

- - - - -
0a8a5b6c by Alexey Tikhonov at 2022-07-01T11:25:11+02:00
TESTS: test_memory_cache: execute NSS functions in teardown to force sss_client libs to realize mem-cache files were deleted

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 43c6bf31cd83c27499f786c9457d01ab166eef17)

- - - - -
ab749f02 by Alexey Tikhonov at 2022-07-01T11:25:11+02:00
confdb: suppress false positive warning: src/confdb/confdb.c:260:10: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value 'secdn'

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 98f2f9f581a4e6a68bf6bf6e409f8f306ee9eb93)

- - - - -
19e47452 by Anuj Borah at 2022-07-01T14:55:56+02:00
Tests: sssd runs out of proxy child slots and doesn't clear the counter for Active requests

When using the proxy authentication provider, user authentication suddenly
stops working and starts working again only after restarting the sssd service.

Verifies
	Issue: https://github.com/SSSD/sssd/issues/6114
	Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1927195

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ff67197a by Anuj Borah at 2022-07-01T14:56:00+02:00
Tests: sssd runs out of proxy child slots and doesn't clear the counter for Active requests

When using the proxy authentication provider, user authentication suddenly
stops working and starts working again only after restarting the sssd service.

Verifies
	Issue: https://github.com/SSSD/sssd/issues/6114
	Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1927195

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 19e47452788181197156fabe938dd993716f5cbd)

- - - - -
ad7d1de9 by Alexey Tikhonov at 2022-07-01T17:26:08+02:00
NSS MC: deleted misleading comment

This comment is incorrect since dda0258705de7255e6ec54b7f9adbde83a220996

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1690ae1c by Alexey Tikhonov at 2022-07-01T17:26:08+02:00
NSS MS: trivial simplification

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7abc9cfa by Alexey Tikhonov at 2022-07-01T17:26:08+02:00
NSS: MC: no need to convert name to output format.

`memcache_delete_entry()` performs this conversion.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cceb136f by Alexey Tikhonov at 2022-07-01T17:26:08+02:00
NSS: fix initgroups store key (one of)

According to https://sssd.io/contrib/mmap_cache.html#the-initgr-data
one of the keys should be a canonical name.

Based on the proposal by Sumit Bose:
https://github.com/SSSD/sssd/pull/6128#issuecomment-1143738625

Resolves: https://github.com/SSSD/sssd/issues/4728

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
810d9220 by Alexey Tikhonov at 2022-07-01T17:26:08+02:00
NSS: mem-cache: don't update domains other than the one where an entry was found.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
124cc3f1 by Weblate at 2022-07-04T11:57:25+02:00
po: update translations

(Turkish) currently translated at 49.1% (312 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 100.0% (635 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Turkish) currently translated at 46.7% (297 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(German) currently translated at 50.8% (323 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/de/

po: update translations

(Polish) currently translated at 100.0% (635 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Korean) currently translated at 35.1% (917 of 2610 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (635 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 99.0% (629 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 99.0% (629 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Turkish) currently translated at 35.2% (224 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Japanese) currently translated at 99.0% (629 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 99.0% (629 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(French) currently translated at 99.0% (629 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Ukrainian) currently translated at 100.0% (2658 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 100.0% (2658 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (635 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Russian) currently translated at 100.0% (635 of 635 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

- - - - -
eb3b0fad by Weblate at 2022-07-04T11:57:29+02:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/

po: update translations

(Turkish) currently translated at 49.6% (312 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

po: update translations

(Turkish) currently translated at 47.2% (297 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

po: update translations

(Korean) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

po: update translations

(German) currently translated at 51.3% (323 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/de/

po: update translations

(Polish) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/pl/

po: update translations

(Turkish) currently translated at 35.6% (224 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

po: update translations

(French) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/fr/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/zh_CN/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/zh_CN/

po: update translations

(Korean) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

po: update translations

(Japanese) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ja/

po: update translations

(French) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/fr/

po: update translations

(French) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/fr/

po: update translations

(Ukrainian) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/uk/

po: update translations

(Russian) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ru/

- - - - -
c5dab4bc by Pavel Březina at 2022-07-04T12:00:11+02:00
pot: update translations

- - - - -
acfec613 by Pavel Březina at 2022-07-04T12:02:05+02:00
pot: update translations

- - - - -
160bbf48 by Pavel Březina at 2022-07-04T12:03:26+02:00
Release sssd-2.7.2

- - - - -
270ead6f by Timo Aaltonen at 2022-07-06T08:48:04+03:00
Merge branch 'upstream'

- - - - -
63888064 by Timo Aaltonen at 2022-07-06T08:48:47+03:00
version bump

- - - - -
121dedc2 by Timo Aaltonen at 2022-07-06T08:53:04+03:00
releasing package sssd version 2.7.3-1

- - - - -
e1eaf638 by Pavel Březina at 2022-07-07T13:28:21+02:00
Release sssd-2.7.3

- - - - -
db05816a by Madhuri Upadhye at 2022-07-08T12:17:50+02:00
common: Install krb5-pkinit package

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
c90a1f61 by Madhuri Upadhye at 2022-07-08T12:17:54+02:00
common: Install krb5-pkinit package

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit db05816a0f568be92e3fc5fc2f4922263aee710a)

- - - - -
556649de by Madhuri Upadhye at 2022-07-08T12:18:10+02:00
Tests: alltests/test_services.py: Port the failing test cases in pytest

Ported the following test cases:

1. Enhance sssd init script so that it would source a configuration
   https://bugzilla.redhat.com/show_bug.cgi?id=971435
2. Give a more detailed debug and system-log message if krb5_init_context() failed
   https://bugzilla.redhat.com/show_bug.cgi?id=1516266

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
6ac200c8 by Madhuri Upadhye at 2022-07-08T12:18:14+02:00
Tests: alltests/test_services.py: Port the failing test cases in pytest

Ported the following test cases:

1. Enhance sssd init script so that it would source a configuration
   https://bugzilla.redhat.com/show_bug.cgi?id=971435
2. Give a more detailed debug and system-log message if krb5_init_context() failed
   https://bugzilla.redhat.com/show_bug.cgi?id=1516266

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 556649de7150b40b3defb52bb8d77de209c7d44f)

- - - - -
95295952 by Steeve Goveas at 2022-07-08T12:18:42+02:00
TEST: Modify test to compare backtrace for same error

test_0001_bz2021196 occasionally failed if the same error with backtrace
skipped is seen on startup. Truncating the logs helps to focus on one
error not repeating the backtrace.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d0fad499 by Steeve Goveas at 2022-07-08T12:18:42+02:00
update the sequence number of tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
1944b18c by Steeve Goveas at 2022-07-08T12:18:46+02:00
TEST: Modify test to compare backtrace for same error

test_0001_bz2021196 occasionally failed if the same error with backtrace
skipped is seen on startup. Truncating the logs helps to focus on one
error not repeating the backtrace.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 952959525da9f1694a2696c7dd4011775373f887)

- - - - -
7985fc3b by Steeve Goveas at 2022-07-08T12:18:46+02:00
update the sequence number of tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit d0fad49987fbe76efc0b8f8994a10c0d6caedcc4)

- - - - -
f03768e5 by Jakub Vavra at 2022-07-12T05:59:03+02:00
Tests: Add oddjob fixture to enable working homes in basic tests.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
5f31118e by Jakub Vavra at 2022-07-12T05:59:03+02:00
Tests: Update auth_from_client to allow both short and full user names.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
24d35a16 by Jakub Vavra at 2022-07-12T05:59:03+02:00
Tests: remove python paramiko library from tests.

Tests: Remove paramiko from test_0010_bz1527662
Tests: Remove paramiko from ad/test_sudo.py
Tests: Remove paramiko from test_services.py
Tests: Remove paramiko from test_basic.py
Tests: Remove paramiko from test_kcm.py
Tests: Remove paramiko from test_ldap.py
Tests: Remove paramiko from test_ns_account_lock.py
Tests: Remove paramiko from basic/test_sudo.py
Tests: Remove paramiko from test_proxy_provider_krb_auth.py
Tests: Remove paramiko from alltests/test_multidomain.py
Tests: Remove paramiko from alltests/test_sudo.py
Tests: Remove paramiko from alltests/test_krb_fips.py
Tests: Remove paramiko from alltests/test_password_policy.py
Tests: Remove paramiko from alltests/test_failover.py
Tests: Remove paramiko from requirements and documentation.
Tests: Remove paramiko from ipa/test_subid_ranges.py
Tests: Remove paramiko from ipa/test_misc.py
Tests: Remove paramiko from ipa/test_adtrust.py
Tests: Remove SSHClient/paramiko from alltests/test_misc_proxy.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
6c16b4bf by Jakub Vavra at 2022-07-12T05:59:03+02:00
Tests: Remove SSHClient from ipa/conftest.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
d38461b1 by Jakub Vavra at 2022-07-12T05:59:03+02:00
Tests: Remove paramiko/SSHClient from utils.py.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
a163a63e by Jakub Vavra at 2022-07-12T05:59:03+02:00
Tests: Code review fixes for paramiko removal.

Tests: Add missing eoln
Tests: Remove duplicate subprocess import.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
f9d36586 by Jakub Vavra at 2022-07-12T05:59:03+02:00
Tests: Add pexpect to requirements.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
0f0fd4d5 by Jakub Vavra at 2022-07-12T05:59:08+02:00
Tests: Add oddjob fixture to enable working homes in basic tests.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit f03768e526ce03779b90f3f2d2b78c877212a8ca)

- - - - -
863cfda6 by Jakub Vavra at 2022-07-12T05:59:08+02:00
Tests: Update auth_from_client to allow both short and full user names.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 5f31118e9a6fce1d261d19d99c0db823acd6cd43)

- - - - -
705f01ff by Jakub Vavra at 2022-07-12T05:59:08+02:00
Tests: remove python paramiko library from tests.

Tests: Remove paramiko from test_0010_bz1527662
Tests: Remove paramiko from ad/test_sudo.py
Tests: Remove paramiko from test_services.py
Tests: Remove paramiko from test_basic.py
Tests: Remove paramiko from test_kcm.py
Tests: Remove paramiko from test_ldap.py
Tests: Remove paramiko from test_ns_account_lock.py
Tests: Remove paramiko from basic/test_sudo.py
Tests: Remove paramiko from test_proxy_provider_krb_auth.py
Tests: Remove paramiko from alltests/test_multidomain.py
Tests: Remove paramiko from alltests/test_sudo.py
Tests: Remove paramiko from alltests/test_krb_fips.py
Tests: Remove paramiko from alltests/test_password_policy.py
Tests: Remove paramiko from alltests/test_failover.py
Tests: Remove paramiko from requirements and documentation.
Tests: Remove paramiko from ipa/test_subid_ranges.py
Tests: Remove paramiko from ipa/test_misc.py
Tests: Remove paramiko from ipa/test_adtrust.py
Tests: Remove SSHClient/paramiko from alltests/test_misc_proxy.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 24d35a161c69f10990cdac16bc76912183499a06)

- - - - -
26521890 by Jakub Vavra at 2022-07-12T05:59:08+02:00
Tests: Remove SSHClient from ipa/conftest.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 6c16b4bf41be585903e56e6eaf79a3ff0f72f432)

- - - - -
6dde7e62 by Jakub Vavra at 2022-07-12T05:59:08+02:00
Tests: Remove paramiko/SSHClient from utils.py.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit d38461b1e9176a96ec164bef98d672a5c5aa521e)

- - - - -
c6c0186e by Jakub Vavra at 2022-07-12T05:59:08+02:00
Tests: Code review fixes for paramiko removal.

Tests: Add missing eoln
Tests: Remove duplicate subprocess import.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit a163a63e0298c53876e979873389bd8babe06742)

- - - - -
4cc8d794 by Jakub Vavra at 2022-07-12T05:59:08+02:00
Tests: Add pexpect to requirements.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit f9d365863b410583756d577ee67d40d040882b47)

- - - - -
3d862203 by Justin Stephenson at 2022-07-18T11:32:58+02:00
Analyzer: Fix escaping raw fstring

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f9020583 by Justin Stephenson at 2022-07-18T11:33:02+02:00
Analyzer: Fix escaping raw fstring

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 3d8622031b5240e215201aae1f9c9d05624cca19)

- - - - -
f68d4e84 by roy214 at 2022-07-18T11:34:29+02:00
COMPONENT: /src/util/server.c

Explanation
Currently there is no new line character at the end of the “Shutting down” log message.
This log message is printed every time any SSSD process is being shut down.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3618b295 by Alejandro López at 2022-07-18T11:34:42+02:00
Tests: Minor improvement to the Multihost RST files

Fixed the example which was outdated.
Fixed a broken link.
Fixed some typos.
Included some missing dependencies.
Minor changes to the document organization.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
7f5adf71 by Alejandro López at 2022-07-18T11:34:46+02:00
Tests: Minor improvement to the Multihost RST files

Fixed the example which was outdated.
Fixed a broken link.
Fixed some typos.
Included some missing dependencies.
Minor changes to the document organization.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 3618b2957a94e5271c1f9330b537843cbd74818a)

- - - - -
0acb80a7 by Paul Donohue at 2022-07-18T11:35:00+02:00
LDAP: Add an idle connection timeout

In addition to the current expire timeout that limits the total
duration of the connection.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
baab4dbc by Paul Donohue at 2022-07-18T11:35:00+02:00
Minor formatting and typo fixes (no functional changes)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5f05aa69 by Paul Donohue at 2022-07-18T11:35:00+02:00
LDAP: Reduce idle timer reschedule frequency

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3cb87047 by Paul Donohue at 2022-07-18T11:35:00+02:00
Add ldap_connection_idle_timeout to subdomain_inherit

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
17c3a124 by roy214 at 2022-07-18T11:36:32+02:00
COMPONENT: sdap_handle_id_collision_for_incomplete_groups

sdap_handle_id_collision_for_incomplete_groups debug message missing a new line

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2096031

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
06d007fc by Anuj Borah at 2022-07-18T11:39:08+02:00
Tests: avoid interlocking among threads that use `libsss_nss_idmap` API

[Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1978119

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
d928192e by Anuj Borah at 2022-07-18T11:39:12+02:00
Tests: avoid interlocking among threads that use `libsss_nss_idmap` API

[Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1978119

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 06d007fc963bb73254096fdda61266b2117120a0)

- - - - -
fb712c62 by Jakub Vavra at 2022-07-20T12:55:40+02:00
Tests: Fix issue in the test test_0002_ad_parameters_junk_domain.

Updating the test to extend its coverage for bz2098615 uncovered an
issue in the test with the user principal.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
98dd014c by Jakub Vavra at 2022-07-20T12:55:44+02:00
Tests: Fix issue in the test test_0002_ad_parameters_junk_domain.

Updating the test to extend its coverage for bz2098615 uncovered an
issue in the test with the user principal.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit fb712c62f00f206d034677e6197bcd634fa12793)

- - - - -
d0b01cf2 by Jakub Vavra at 2022-07-20T12:56:04+02:00
Tests: Rewrite autofs_ad_schema from direct ldap access to powershell.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
e8004792 by Jakub Vavra at 2022-07-20T12:56:04+02:00
Tests: Modify sambaTools to lazy initialize ldap AD connection.

The AD has forbidden plain ldap connections, so tests are failing on
ldap connection with ldap.STRONG_AUTH_REQUIRED. In sambaTools the
connection was initiated on creation of the class. It was failing
all tests that are using the class instead of affecting only tests
that use it.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
8a17029a by Jakub Vavra at 2022-07-20T12:56:04+02:00
Tests: Add a fixture add_etc_host_records for Testcifs to solve name resolution issue.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
6e8701a6 by Jakub Vavra at 2022-07-20T12:56:04+02:00
Tests: Re-implement reset_machine_password using powershell instead of direct ldap access.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
d6743c33 by Jakub Vavra at 2022-07-20T12:56:04+02:00
Tests: Update failure message for nismap manipulation.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
38a2423d by Jakub Vavra at 2022-07-20T12:56:08+02:00
Tests: Rewrite autofs_ad_schema from direct ldap access to powershell.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit d0b01cf2e47e507a68d977b6612fbbeeab97c14c)

- - - - -
b2f5f373 by Jakub Vavra at 2022-07-20T12:56:08+02:00
Tests: Modify sambaTools to lazy initialize ldap AD connection.

The AD has forbidden plain ldap connections, so tests are failing on
ldap connection with ldap.STRONG_AUTH_REQUIRED. In sambaTools the
connection was initiated on creation of the class. It was failing
all tests that are using the class instead of affecting only tests
that use it.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit e8004792fb5d69d24380efb0daa3d768f28619ab)

- - - - -
576e15e3 by Jakub Vavra at 2022-07-20T12:56:08+02:00
Tests: Add a fixture add_etc_host_records for Testcifs to solve name resolution issue.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 8a17029a242d7eb01a75a3e609a401eb02bd6d4b)

- - - - -
b4eef054 by Jakub Vavra at 2022-07-20T12:56:08+02:00
Tests: Re-implement reset_machine_password using powershell instead of direct ldap access.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit 6e8701a61a4623f393ec3c1efb3634ffabcfcb49)

- - - - -
06c9230e by Jakub Vavra at 2022-07-20T12:56:08+02:00
Tests: Update failure message for nismap manipulation.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit d6743c33d7f5e4dd45476da9aa254e054d395a58)

- - - - -
473752e2 by Alexey Tikhonov at 2022-07-25T17:57:09+02:00
RESPONDER: fixed condition in responder_idle_handler()

Man page says about `responder_idle_timeout` the following:
```
number of seconds that an SSSD responder process can be up without being used.
```
Idle timer fires every responder_idle_timeout/2 seconds and checks if
current_time > (last_request_time + timeout).
In a trivial case - no additional requests after the initial one / startup -
the condition will become 'true' only when the timer fires for a 3rd time, i.e.
after 3*(timeout/2) seconds. This contradicts the man page statement.

This patch changes the condition to '>=' so that the responder would be terminated
in 2*(timeout/2) seconds.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b5fbb283 by Pavel Březina at 2022-07-25T18:03:19+02:00
tests: fix missing new line at the eof: src/tests/multihost/requirements.txt

FAIL: src/tests/whitespace_test
===============================

Missing new line at the eof: src/tests/multihost/requirements.txt
FAIL src/tests/whitespace_test (exit status: 1)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
582e66c1 by Pavel Březina at 2022-07-25T18:03:23+02:00
tests: fix missing new line at the eof: src/tests/multihost/requirements.txt

FAIL: src/tests/whitespace_test
===============================

Missing new line at the eof: src/tests/multihost/requirements.txt
FAIL src/tests/whitespace_test (exit status: 1)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit b5fbb283705cf08fb60fb817e2413d4ae8862a94)

- - - - -
0a9e0c11 by Anuj Borah at 2022-07-25T18:04:09+02:00
Tests: Fix test_avoid_interlocking_among_threads

Test is failing due to gcc error
Will be fixed adding lpthread after gcc

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e56ca540 by Anuj Borah at 2022-07-25T18:04:13+02:00
Tests: Fix test_avoid_interlocking_among_threads

Test is failing due to gcc error
Will be fixed adding lpthread after gcc

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 0a9e0c11a3eab2cb40c709c6dc475522542c3b0e)

- - - - -
0f3a761e by Alexey Tikhonov at 2022-08-03T10:27:35+02:00
CLIENT:MC: store context mutex outside of context as it should survive context destruction / re-initialization

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
03142f8d by Alexey Tikhonov at 2022-08-03T10:27:39+02:00
CLIENT:MC: store context mutex outside of context as it should survive context destruction / re-initialization

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 0f3a761ed9d654a61f8caed8eae3863c518b9911)

- - - - -
c6226c29 by Alexey Tikhonov at 2022-08-03T10:28:46+02:00
Makefile: remove unneeded dependency

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4e9e8321 by Alexey Tikhonov at 2022-08-03T10:28:49+02:00
Makefile: remove unneeded dependency

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit c6226c2986ffae9ed17562eb40407367ca37d23f)

- - - - -
7e286aff by Pavel Březina at 2022-08-05T11:20:49+02:00
ci: fix copr builds

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b98bcf28 by Alexey Tikhonov at 2022-08-05T11:21:04+02:00
DB: upgrades aren't errors

Fix log level to SSSDBG_IMPORTANT_INFO

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9aff9c53 by Alexey Tikhonov at 2022-08-05T11:21:04+02:00
CFG: domain ranges overlap requires attention

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
68042d72 by Alexey Tikhonov at 2022-08-05T11:21:17+02:00
RESPONDER: add missing \n

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ce817478 by Sumit Bose at 2022-08-05T11:21:29+02:00
ldap: allow password changes with shadow pwd policy

Currently a password change is rejected if
"ldap_pwd_policy = shadow" is used because it was not clear if the
corresponding shadow LDAP attributes get updates as well. But with
commit c975031 SSSD can update the attribute on its own so there is no
need to reject the password change.

Since it is important for SSSD to know if the LDAP server can update the
shadow LDAP attribute automatically or not it is checked if the
ldap_chpass_update_last_change option is set explicitly in sssd.conf. If
not there will be a log message.

Resolves: https://github.com/SSSD/sssd/issues/6220

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
610b4711 by Pavel Březina at 2022-08-05T11:23:45+02:00
ci: fix syntax error in copr build

(cherry picked from commit 2b6349c3fd235b132be9f6775d1b3f4f70fba6e9)

- - - - -
9ca7d6ba by Pavel Březina at 2022-08-05T11:23:50+02:00
ci: fix copr builds

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 7e286aff35247777c9e729c354ed8653cd5e23d0)

- - - - -
96a1dce8 by Justin Stephenson at 2022-08-08T12:17:28+02:00
CACHE_REQ: Fix hybrid lookup log spamming

Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
is NULL for certain NSS request types (e.g. Service by Name).

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
49eb8718 by Justin Stephenson at 2022-08-08T12:17:32+02:00
CACHE_REQ: Fix hybrid lookup log spamming

Skip calling cache_req_data_set_hybrid_lookup() when hybrid data
is NULL for certain NSS request types (e.g. Service by Name).

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 96a1dce8096d45e986ab01aaac11d8c77c36d1d7)

- - - - -
ccc87860 by Jakub Vavra at 2022-08-10T12:40:41+02:00
Tests: Fix rid computation for windows 2012.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
4360fb3d by Jakub Vavra at 2022-08-10T12:40:41+02:00
Tests: Extend info functions to handle line breaks.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
b3150506 by Jakub Vavra at 2022-08-10T12:40:41+02:00
Tests: Modify ad schema tests for compatibility with windows 2012.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
4b82be81 by Jakub Vavra at 2022-08-10T12:40:46+02:00
Tests: Fix rid computation for windows 2012.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit ccc8786099c807fac7d2e548e3b026f89c7fea0b)

- - - - -
2328fc76 by Jakub Vavra at 2022-08-10T12:40:46+02:00
Tests: Extend info functions to handle line breaks.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 4360fb3d3645e7bf40037f8d85d742bedf88326d)

- - - - -
1da8c80b by Jakub Vavra at 2022-08-10T12:40:46+02:00
Tests: Modify ad schema tests for compatibility with windows 2012.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit b3150506f9e63b7f5feb949c39bea60ec005f496)

- - - - -
e9667329 by Timo Aaltonen at 2022-08-17T14:13:32+03:00
patches: Allow building the pac_responder with krb5 1.20. (Closes: #1016220)

- - - - -
62b8a467 by Gioele Barabucci at 2022-08-17T11:13:58+00:00
d/libnss-sss.post{inst,rm}: Add DPKG_ROOT support

- - - - -
4ded9ab2 by Gioele Barabucci at 2022-08-17T11:13:58+00:00
d/libnss-sss.postinst: Fix use of outdated `automounter` instead of `automount`

- - - - -
e020fd0b by Gioele Barabucci at 2022-08-17T11:13:58+00:00
d/libnss-sss.nss: Install NSS service `sss` via dh_installnss

`dh_installnss` provides a declarative way to install NSS services.

In comparison to the existing scripts, `dh_installnss` also handles
`DPKG_ROOT` and various edge-cases such as invalid `/etc/nsswitch.conf`
files, database lines with comments, etc.

- - - - -
67eb44eb by Timo Aaltonen at 2022-08-17T16:47:27+03:00
releasing package sssd version 2.7.3-2

- - - - -
5e9d72f2 by Justin Stephenson at 2022-08-19T17:21:53+02:00
Fix new pycodestyle E275 requirement

Per the pycodestyle changelog https://pypi.org/project/pycodestyle/

2.9.0 (2022-07-30)

Changes:
E275: requires whitespace around keywords. PR #1063.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4a46d62c by Justin Stephenson at 2022-08-19T17:21:57+02:00
Fix new pycodestyle E275 requirement

Per the pycodestyle changelog https://pypi.org/project/pycodestyle/

2.9.0 (2022-07-30)

Changes:
E275: requires whitespace around keywords. PR #1063.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 5e9d72f23eb17b987a61295f5c5ea3bfedae1ef0)

- - - - -
579cc0b2 by Alexey Tikhonov at 2022-08-19T17:28:25+02:00
CLIENT:MC: -1 is more appropriate initial value for fd

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4ac93d9c by Alexey Tikhonov at 2022-08-19T17:28:25+02:00
CLIENT:MC: pointer to the context mutex shouldn't be touched

Even a brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
was creating a possibility for a race.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0eae0862 by Alexey Tikhonov at 2022-08-19T17:28:29+02:00
CLIENT:MC: -1 is more appropriate initial value for fd

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 579cc0b266d5f8954bc71cfcd3fe68002d681a5f)

- - - - -
d386e94e by Alexey Tikhonov at 2022-08-19T17:28:29+02:00
CLIENT:MC: pointer to the context mutex shouldn't be touched

Even a brief window inside `sss_nss_mc_destroy_ctx()` when `mutex == NULL`
was creating a possibility for a race.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 4ac93d9c5df59cdb7f397b4467f1c1c4822ff757)

- - - - -
4e1ce1c1 by Justin Stephenson at 2022-08-19T17:44:05+02:00
SSSCTL: Allow analyzer to work without SSSD setup

Fixes an issue when the sssctl analyzer option is
used on systems where SSSD is not running or configured. This is
an expected use case when using --logdir option to analyze external
log files.

Resolves: https://github.com/SSSD/sssd/issues/6298

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f8704cc2 by Justin Stephenson at 2022-08-22T12:19:34+02:00
SSSCTL: Allow analyzer to work without SSSD setup

Fixes an issue when the sssctl analyzer option is
used on systems where SSSD is not running or configured. This is
an expected use case when using --logdir option to analyze external
log files.

Resolves: https://github.com/SSSD/sssd/issues/6298

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3c6bfc2d by roy214 at 2022-08-22T12:19:47+02:00
COMPONENT: domain_info_utils.c

Fixing the race condition where krb5_child accesses the file after rename() but before chmod()

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cec7e8b7 by Anuj Borah at 2022-08-22T12:20:01+02:00
Tests: Fix test cases for signoff CI

Fix test cases for signoff CI

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
173e6755 by Anuj Borah at 2022-08-22T12:20:06+02:00
Tests: Fix test cases for signoff CI

Fix test cases for signoff CI

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit cec7e8b7ae75505f3664cbe48f761f92fad9e3ea)

- - - - -
46b53b23 by Justin Stephenson at 2022-08-22T12:20:20+02:00
Tests: Add missing URI for device restriction

This fixes an issue when running unit tests on a system (f35) with
a yubikey inserted. This was done already for other pam-srv tests
but this covers newly added pam-srv tests.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
3f7ccfbd by Dan Lavu at 2022-08-22T12:20:47+02:00
TEST: Fixing multidomain testcase bz2077893

implicit files is no longer listed in sssctl domain-list, so
it no longer has to be pruned from the output

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
e46295f8 by Paul Donohue at 2022-08-22T12:21:00+02:00
LDAP: Allow group rename with non-identical attributes

Previously, if a group was renamed and any other attributes were changed
at the same time then the original group would become permanently stuck
in the SSSD cache.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ded61f8 by Paul Donohue at 2022-08-22T12:21:12+02:00
LDAP: Document interaction between ldap_connection_expire_timeout and ldap_opt_timeout

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b4aa4f12 by Justin Stephenson at 2022-08-22T21:25:07+02:00
CI: pycodestyle fixes evident on centos8 stream

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
6c6b0969 by Justin Stephenson at 2022-08-23T12:39:46+02:00
CI: pycodestyle fixes evident on centos8 stream

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
abd8966a by Sumit Bose at 2022-08-23T12:39:58+02:00
BUILD: Accept krb5 1.20 for building the PAC plugin

Additionally, following MIT Kerberos, the 'name' member of struct
krb5plugin_authdata_client_ftable_v0 is made 'const' and the related
code to set the name is simplified.

Resolves: https://github.com/SSSD/sssd/issues/6306

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ad4b3aa9 by Justin Stephenson at 2022-08-23T15:49:13+02:00
RESPONDER: Fix client ID tracking

Client ID is not stored properly to match requests
when parallel requests are made to client SSSD

Resolves: https://github.com/SSSD/sssd/issues/6307

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5ef7435f by Justin Stephenson at 2022-08-23T15:49:13+02:00
Analyzer: support parallel requests parsing

Analyzer code(primarily the list verbose command) needs
changes to handle parsing the necessary lines from
NSS/PAM log files when multiple intermixed/parallel
client requests are sent to SSSD.

Resolves: https://github.com/SSSD/sssd/issues/6307

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e6d450d4 by Justin Stephenson at 2022-08-23T16:17:06+02:00
RESPONDER: Fix client ID tracking

Client ID is not stored properly to match requests
when parallel requests are made to client SSSD

Resolves: https://github.com/SSSD/sssd/issues/6307

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d22ea2df by Justin Stephenson at 2022-08-23T16:17:06+02:00
Analyzer: support parallel requests parsing

Analyzer code(primarily the list verbose command) needs
changes to handle parsing the necessary lines from
NSS/PAM log files when multiple intermixed/parallel
client requests are sent to SSSD.

Resolves: https://github.com/SSSD/sssd/issues/6307

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
860b0548 by Timo Aaltonen at 2022-08-26T09:46:36+03:00
control: Add bind9-dnsutils to sssd-common Recommends, and rename dnsutils build-dep. (Closes: #1018144)

- - - - -
1a6f67c9 by Alexey Tikhonov at 2022-08-26T18:08:07+02:00
CLIENT: fix client fd leak

 - close client socket at thread exit
 - only build lock-free client support if libc has required
   functionality for a proper cleanup
 - use proper mechanisms to init lock_mode only once

:relnote:Lock-free client support will be only built if libc
provides `pthread_key_create()` and `pthread_once()`. For glibc
this means version 2.34+

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1b2e4760 by Alexey Tikhonov at 2022-08-26T18:08:11+02:00
CLIENT: fix client fd leak

 - close client socket at thread exit
 - only build lock-free client support if libc has required
   functionality for a proper cleanup
 - use proper mechanisms to init lock_mode only once

:relnote:Lock-free client support will be only built if libc
provides `pthread_key_create()` and `pthread_once()`. For glibc
this means version 2.34+

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1a6f67c92399ff8e358a6c6cdda43fb2547a5fdb)

- - - - -
a6ed0ad7 by Weblate at 2022-08-26T21:50:15+02:00
po: update translations

(Swedish) currently translated at 100.0% (2662 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 99.2% (2642 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Georgian) currently translated at 7.3% (48 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Turkish) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Turkish) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Turkish) currently translated at 60.9% (396 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Russian) currently translated at 100.0% (2662 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Turkish) currently translated at 60.0% (390 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Polish) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Korean) currently translated at 98.9% (643 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2662 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

- - - - -
3abcd18d by Weblate at 2022-08-26T21:50:26+02:00
po: update translations

(Swedish) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/sv/

po: update translations

(Turkish) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

po: update translations

(Turkish) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

po: update translations

(Korean) currently translated at 100.0% (629 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/ko/

po: update translations

(Turkish) currently translated at 62.0% (390 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

po: update translations

(Turkish) currently translated at 61.0% (384 of 629 strings)
Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/tr/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/SSSD-2-7
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-7/

- - - - -
c4a26ebe by Pavel Březina at 2022-08-26T21:53:21+02:00
pot: update translations

- - - - -
c8b2a764 by Pavel Březina at 2022-08-26T22:13:41+02:00
pot: update translations

- - - - -
fd06791e by Pavel Březina at 2022-08-26T22:34:52+02:00
Release sssd-2.7.4

- - - - -
169d3688 by Sergio Durigan Junior at 2022-08-27T23:32:26-04:00
Simplify logic to add "automount" database into nsswitch.

- d/libnss-sss.nss: Add "automount database" directive.

- d/libnss-sss.postinst: Remove logic to insert "automount" database
  into nsswitch; not necessary anymore now that the package uses dh-nss.

- - - - -
8d497caa by Sergio Durigan Junior at 2022-08-27T23:34:18-04:00
changelog for 2.7.3-3

- - - - -
c12ea488 by Timo Aaltonen at 2022-08-29T16:51:27+03:00
Merge tag '2.7.3' into m

2.7.3

- - - - -
5074337f by Timo Aaltonen at 2022-08-29T16:51:31+03:00
Merge branch 'master' into m

- - - - -
14f70b52 by Timo Aaltonen at 2022-08-29T16:52:02+03:00
version bump

- - - - -
6fe83c77 by Jakub Vavra at 2022-08-30T06:56:14+02:00
Tests: Skip TestBugzillaAutomation::test_0016_forceLDAPS on Windows 2012

Skip the test as it is not valid on Windows 2012R2.
https://bugzilla.redhat.com/show_bug.cgi?id=1822087

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
77f22429 by Jakub Vavra at 2022-08-30T06:56:47+02:00
Tests: Port AD Login Attributes suite from bash.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e100afc3 by Steeve Goveas at 2022-09-01T11:07:57+02:00
TEST: sssctl analyze --logdir does not need sssd running

Test that 'logdir' option does not need sssd configured and running

Verifies
  Issue: #6298
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2119726
            https://bugzilla.redhat.com/show_bug.cgi?id=2119373

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
2230107d by Steeve Goveas at 2022-09-01T11:07:57+02:00
TEST: Remove duplicate 'SSS_PAM_AUTHENTICATE'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
a1f1398f by Steeve Goveas at 2022-09-01T11:07:57+02:00
TEST: Add new marker tier1_4

Runtime is exceeding 60 mins. This set and new tests can use this marker
moving forward.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
2dc5bc1b by Anuj Borah at 2022-09-01T11:08:34+02:00
Tests: port proxy_provider/netgroup

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/netgroup

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
72246c97 by Madhuri Upadhye at 2022-09-01T11:20:35+02:00
Tests: ipa: Add krb5-pkinit package to install

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
c533d090 by Steeve Goveas at 2022-09-02T09:46:21+02:00
TEST: Add status field in docstrings

Imported tests in the internal test case management system are set to
the draft state. This has to be moved manually into the approved state.
Adding this field set to 'approved' would prevent us from forgetting to
update the state and also avoid the extra manual step.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
4937c08a by Pavel Březina at 2022-09-02T13:58:32+02:00
intg: fix test_rename_incomplete_group_rdn_changed

The behaviour has changed with e46295f8d1162eb69b5c01c3c154dd1f787cc3d7

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
830296c2 by Alejandro López at 2022-09-07T12:22:55+02:00
SIDs: Update the well-known SID tables

New RIDs were added to the existing tables. Two new tables were created.
One particular case was handled (S-1-1-5-5-x-y).

This was done based on https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

Resolves: https://github.com/SSSD/sssd/issues/6285

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
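What the well-known SID tables do, as an added example that is not SSSD's SID code: a strict parser for the textual SID form and three lookup styles on top of it (exact well-known SIDs such as S-1-5-32-544, shape matching for S-1-5-5-X-Y logon-session SIDs, and domain-relative RIDs such as 500 under S-1-5-21-...). The tables here are small excerpts of the MS-DTYP list linked above; the names and structure are this example's own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15

struct sid {
    uint8_t  revision;
    uint64_t authority;                       /* 48-bit identifier authority */
    uint8_t  num_subs;
    uint32_t subs[SID_MAX_SUB_AUTHORITIES];
};

/* One decimal component; rejects signs, whitespace and values above `max`. */
static bool parse_component(const char *s, char **end, uint64_t max, uint64_t *out)
{
    unsigned long long v;
    if (!isdigit((unsigned char)*s)) return false;
    errno = 0;
    v = strtoull(s, end, 10);
    if (errno != 0 || v > max) return false;
    *out = v;
    return true;
}

/* Strict parser for "S-1-<authority>(-<subauthority>){0,15}": decimal only,
 * revision 1 only, no trailing garbage.  `out` may be NULL to just validate. */
static bool sid_parse(const char *str, struct sid *out)
{
    struct sid tmp;
    uint64_t v;
    char *p;

    memset(&tmp, 0, sizeof(tmp));
    if (str == NULL || (str[0] != 'S' && str[0] != 's') || str[1] != '-') return false;
    if (!parse_component(str + 2, &p, 255, &v) || v != 1 || *p != '-') return false;
    tmp.revision = (uint8_t)v;
    if (!parse_component(p + 1, &p, (1ULL << 48) - 1, &v)) return false;
    tmp.authority = v;
    while (*p == '-') {
        if (tmp.num_subs == SID_MAX_SUB_AUTHORITIES) return false;
        if (!parse_component(p + 1, &p, UINT32_MAX, &v)) return false;
        tmp.subs[tmp.num_subs++] = (uint32_t)v;
    }
    if (*p != '\0') return false;
    if (out != NULL) *out = tmp;
    return true;
}

static bool sid_equal(const struct sid *a, const struct sid *b)
{
    return a->revision == b->revision && a->authority == b->authority
        && a->num_subs == b->num_subs
        && memcmp(a->subs, b->subs, a->num_subs * sizeof(a->subs[0])) == 0;
}

enum sid_kind { SID_INVALID, SID_UNKNOWN, SID_WELL_KNOWN, SID_LOGON_SESSION, SID_DOMAIN_RELATIVE };

/* Deliberately small subsets of the MS-DTYP tables. */
static const struct { const char *sid; const char *name; } fixed_sids[] = {
    { "S-1-1-0",      "Everyone" },
    { "S-1-5-18",     "Local System" },
    { "S-1-5-32-544", "Builtin Administrators" },
    { "S-1-5-32-545", "Builtin Users" },
};
static const struct { uint32_t rid; const char *name; } domain_rids[] = {
    { 500, "Administrator" }, { 501, "Guest" },
    { 512, "Domain Admins" },  { 513, "Domain Users" },
};

/* Three lookup styles: exact match, shape match for S-1-5-5-X-Y logon
 * sessions, and RID match for S-1-5-21-<d1>-<d2>-<d3>-<rid>. */
static enum sid_kind sid_classify(const char *str, const char **name)
{
    struct sid s, t;
    size_t i;

    *name = NULL;
    if (!sid_parse(str, &s)) return SID_INVALID;
    for (i = 0; i < sizeof(fixed_sids) / sizeof(fixed_sids[0]); i++) {
        if (sid_parse(fixed_sids[i].sid, &t) && sid_equal(&s, &t)) {
            *name = fixed_sids[i].name;
            return SID_WELL_KNOWN;
        }
    }
    if (s.authority == 5 && s.num_subs == 3 && s.subs[0] == 5) {
        *name = "Logon Session";
        return SID_LOGON_SESSION;
    }
    if (s.authority == 5 && s.num_subs == 5 && s.subs[0] == 21) {
        for (i = 0; i < sizeof(domain_rids) / sizeof(domain_rids[0]); i++) {
            if (domain_rids[i].rid == s.subs[4]) {
                *name = domain_rids[i].name;
                return SID_DOMAIN_RELATIVE;
            }
        }
    }
    return SID_UNKNOWN;
}

/* Wrappers without the out-parameter, for callers that want only one of the two. */
static enum sid_kind sid_kind(const char *str) { const char *n; return sid_classify(str, &n); }
static const char *sid_name(const char *str)   { const char *n; sid_classify(str, &n); return n; }
```

The parser is strict on purpose: a SID that arrives from LDAP or from a PAC and fails to parse should be treated as untrusted input and rejected, not silently mapped to "unknown".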
6f7f7237 by Jakub Vavra at 2022-09-16T07:53:41+02:00
Tests: Refactor code to reduce number of called commands via ssh.

The clear_sssd_cache and remove_sss_cache functions were listing and
deleting all files one by one, making the operation needlessly slow and
talkative in the log.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
3c993544 by Jakub Vavra at 2022-09-16T07:55:39+02:00
Tests: Add ADOperation methods for sudorules, update fixture sudorules

Add add_sudo_ou, del_sudo_ou, add_sudo_rule, del_sudo_rule methods.
Modify sudorules fixture to use the new methods instead of the ldap ones.
Minor tweaking of the sudo tests.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
69fd828c by Alexey Tikhonov at 2022-09-16T14:59:55+02:00
CLIENT: fix thread unsafe access to get*ent structs.

All get*ent structs were protected with socket mutex. In case SSSD
is built with lock-free client support, `sss_nss_lock()` is a no-op,
thus resulting in thread unsafe access.

This patch changes those structs to have thread local storage.

This contradicts the following note in the man page:
```
The function getgrent_r() is not really reentrant since it shares
the reading position in the stream with all other threads.
```
I'm not sure if 3rd party apps can legally assume this behaviour
based on a note in a man page. And in some cases, non-sharing reading
position between threads might make more sense.
But that way or another, this is better than thread unsafe access.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
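Per-thread client state as the fd-leak fix and this commit describe it, as an added example rather than SSSD's client code: a socket closed by a pthread_key_create() destructor when its thread exits, a pthread_once() initializer for a lock-mode flag, and a __thread enumeration cursor standing in for the get*ent() reading position. It assumes a libc where these functions live in libc proper (glibc 2.34+, matching the release note above), uses /dev/null in place of the real responder socket, and SSS_LOCKFREE is a hypothetical knob.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static pthread_once_t client_once = PTHREAD_ONCE_INIT;
static pthread_key_t  sock_key;
static int lock_mode = -1;        /* decided exactly once, never re-read from the environment */
static int destructor_runs;       /* how often the key destructor ran (observable in the checks) */

/* Key destructor: libc calls it at thread exit for every thread that set the
 * key.  The fd is stored as fd+1 so that NULL (unset) never aliases fd 0. */
static void close_client_socket(void *value)
{
    int fd = (int)(intptr_t)value - 1;
    if (fd >= 0) close(fd);
    __atomic_add_fetch(&destructor_runs, 1, __ATOMIC_SEQ_CST);
}

/* One-time initialisation; pthread_once() serialises racing first callers. */
static void init_client(void)
{
    lock_mode = getenv("SSS_LOCKFREE") != NULL ? 0 : 1;   /* hypothetical knob */
    if (pthread_key_create(&sock_key, close_client_socket) != 0) abort();
}

/* The calling thread's client socket, opened on first use.  /dev/null stands
 * in for the responder socket so the example runs without a daemon. */
static int get_client_socket(void)
{
    void *value;
    int fd;

    pthread_once(&client_once, init_client);
    value = pthread_getspecific(sock_key);
    if (value != NULL) return (int)(intptr_t)value - 1;   /* reuse: no second fd */
    fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
    if (fd == -1) return -1;
    pthread_setspecific(sock_key, (void *)(intptr_t)(fd + 1));
    return fd;
}

/* Thread-local enumeration cursor: the analogue of giving the get*ent()
 * reading position thread-local storage.  Each thread starts at 0. */
static __thread int ent_cursor;
static int next_entry(void) { return ent_cursor++; }

struct worker_result { int fd; int third_entry; };

static void *worker(void *arg)
{
    struct worker_result *r = arg;
    r->fd = get_client_socket();
    (void)get_client_socket();        /* same fd again, nothing leaked */
    next_entry();
    next_entry();
    r->third_entry = next_entry();    /* 2, independent of other threads */
    return NULL;
}

/* Run one worker, join it, and verify that its socket was closed by the key
 * destructor and that its cursor never touched ours.  0 on success, a
 * negative code naming the failed check otherwise. */
static int demo_thread_cleanup(void)
{
    struct worker_result r = { -1, -1 };
    pthread_t t;
    int before = __atomic_load_n(&destructor_runs, __ATOMIC_SEQ_CST);

    if (pthread_create(&t, NULL, worker, &r) != 0) return -1;
    pthread_join(t, NULL);            /* destructors have run once this returns */
    if (r.fd < 0) return -2;
    if (__atomic_load_n(&destructor_runs, __ATOMIC_SEQ_CST) != before + 1) return -3;
    if (fcntl(r.fd, F_GETFD) != -1 || errno != EBADF) return -4;   /* fd really closed */
    if (r.third_entry != 2) return -5;
    if (ent_cursor != 0) return -6;   /* this thread's cursor is untouched */
    if (lock_mode == -1) return -7;   /* init_client ran exactly once */
    return 0;
}

int main(void)
{
    int rc = demo_thread_cleanup();
    printf("per-thread cleanup: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The destructor is what turns a per-thread socket from a leak into a bounded resource: without pthread_key_create() there is no hook that runs when a thread exits, which is why the release note ties lock-free client support to its presence.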
12d5c634 by Sumit Bose at 2022-09-16T15:00:25+02:00
oidc_child: escape scopes

Before using the user provided scopes in the HTTP request they should be
properly escaped according to RFC-3986.

Resolves: https://github.com/SSSD/sssd/issues/6146

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a4d4617e by Sumit Bose at 2022-09-16T15:00:25+02:00
oidc_child: use client secret if available to get device code

Some IdPs have the concept of a confidential client, i.e. clients where the
client's secret can be stored safely by the related application. For a
confidential client some IdPs expect that the client secret is used in
all requests together with the client ID, although the OAuth2 specs
currently only mention this explicitly for the token request. To make sure
the device code can be requested in this case, the client secret is added to
the device code request if the secret is provided.

Resolves: https://github.com/SSSD/sssd/issues/6146

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5ed76707 by Sumit Bose at 2022-09-16T15:00:25+02:00
oidc_child: increase wait interval by 5s if 'slow_down' is returned

While waiting for the user to authenticate with the IdP, oidc_child
currently only handles the error code 'authorization_pending' and waits
for the given interval until a new request is sent. But there is also
'slow_down', which should not be treated as a fatal error but should just
increase the waiting time permanently by 5s.

Resolves: https://github.com/SSSD/sssd/issues/6146

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1a475e0c by Sumit Bose at 2022-09-16T15:00:25+02:00
oidc_child: add --client-secret-stdin option

Since there is the use case of a confidential client, which requires that
the client secret must be sent to the IdP, we should handle it
confidentially by not putting it on the command line but sending it via
stdin.

Resolves: https://github.com/SSSD/sssd/issues/6146

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
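The four oidc_child changes above, as one added example in C that is not SSSD's oidc_child code: RFC 3986 percent-encoding of caller-supplied scopes, a device-authorization request body that carries the client secret only when one was given, reading that secret from a stream rather than argv, and a token-polling loop that treats slow_down as a permanent +5 s on the interval rather than as a failure. The token endpoint is a scripted stand-in with constructed responses, the function names are this example's own, and the real HTTP transport is left out so it runs offline.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 percent-encoding: unreserved characters pass through, everything
 * else becomes %XX.  Returns a malloc()ed string, NULL on allocation failure. */
static char *rfc3986_escape(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(strlen(in) * 3 + 1), *o = out;
    if (out == NULL) return NULL;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
            || c == '-' || c == '.' || c == '_' || c == '~') {
            *o++ = (char)c;
        } else {
            *o++ = '%'; *o++ = hex[c >> 4]; *o++ = hex[c & 0x0f];
        }
    }
    *o = '\0';
    return out;
}

/* Read the client secret from a stream (stdin in the real helper) rather than
 * from argv, where every local user could read it via /proc.  One trailing
 * newline is stripped.  0 on success, -1 on EOF or an empty secret. */
static int read_secret(FILE *in, char *buf, size_t buflen)
{
    size_t n;
    if (fgets(buf, (int)buflen, in) == NULL) return -1;
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') buf[--n] = '\0';
    return n > 0 ? 0 : -1;
}

/* Form body of the device-authorization request; the secret is appended only
 * for a confidential client, i.e. when one was supplied. */
static char *build_device_code_body(const char *client_id, const char *secret, const char *scopes)
{
    char *id = rfc3986_escape(client_id), *sc = rfc3986_escape(scopes);
    char *se = secret != NULL ? rfc3986_escape(secret) : NULL;
    char *body = NULL;
    if (id != NULL && sc != NULL && (secret == NULL || se != NULL)) {
        size_t len = strlen(id) + strlen(sc) + (se ? strlen(se) : 0) + 40;
        body = malloc(len);
        if (body != NULL) {
            snprintf(body, len, "client_id=%s&scope=%s%s%s", id, sc,
                     se ? "&client_secret=" : "", se ? se : "");
        }
    }
    free(id); free(sc); free(se);
    return body;
}

/* Outcomes of one poll of the token endpoint (RFC 8628 section 3.5 names). */
enum poll_result { AUTHORIZATION_PENDING, SLOW_DOWN, ACCESS_GRANTED, FATAL_ERROR };
/* Scripted stand-in for the IdP's token endpoint (constructed responses). */
struct fake_idp { const enum poll_result *script; size_t len, pos; };
static enum poll_result fake_idp_poll(struct fake_idp *idp)
{ return idp->pos < idp->len ? idp->script[idp->pos++] : FATAL_ERROR; }

/* Poll until a token is granted.  slow_down is not fatal: it adds 5 s to the
 * interval for the rest of the flow.  Returns 1 on success, 0 otherwise;
 * *slept totals the seconds sleep() would have been called with. */
static int wait_for_token(struct fake_idp *idp, int interval, int max_polls, int *slept)
{
    *slept = 0;
    for (int i = 0; i < max_polls; i++) {
        switch (fake_idp_poll(idp)) {
        case ACCESS_GRANTED:        return 1;
        case FATAL_ERROR:           return 0;      /* access_denied, expired_token, ... */
        case SLOW_DOWN:             interval += 5; /* fall through: still pending */
        case AUTHORIZATION_PENDING: *slept += interval; break;
        }
    }
    return 0;
}

/* Scenario: pending, slow_down, pending, granted with a 5 s base interval;
 * returns the total wait (5 + 10 + 10 = 25) or -1 if no token was granted. */
static int demo_slow_down(void)
{
    static const enum poll_result script[] =
        { AUTHORIZATION_PENDING, SLOW_DOWN, AUTHORIZATION_PENDING, ACCESS_GRANTED };
    struct fake_idp idp = { script, sizeof(script) / sizeof(script[0]), 0 };
    int slept;
    return wait_for_token(&idp, 5, 10, &slept) == 1 ? slept : -1;
}

/* read_secret() on a constructed in-memory "stdin"; 0 when it round-trips. */
static int demo_read_secret(void)
{
    char input[] = "s3cr3t!\n", buf[64];
    FILE *in = fmemopen(input, strlen(input), "r");
    int rc = (in != NULL && read_secret(in, buf, sizeof(buf)) == 0
              && strcmp(buf, "s3cr3t!") == 0) ? 0 : -1;
    if (in != NULL) fclose(in);
    return rc;
}
```

Two details worth keeping when adapting this: the secret buffer should be wiped (explicit_bzero or equivalent) once the request has been sent, and the poll loop needs an upper bound (max_polls here, the device code's expires_in in the real flow) so a misbehaving IdP cannot keep the helper alive forever.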
794fd130 by Justin Stephenson at 2022-09-16T15:01:07+02:00
MAN: Add note about AD Group types

Linux admins/users may not know that the AD distribution group type
is intended only for email. Per microsoft: Distribution groups are
not security enabled, which means that they cannot be listed in
discretionary access control lists (DACLs).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6bf93c27 by Justin Stephenson at 2022-09-20T14:56:13+02:00
CI: Remove pep8 from contrib/ci/run

flake8 is being run in GitHub actions, which executes pycodestyle checks.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a915531f by Justin Stephenson at 2022-09-20T14:56:13+02:00
CI: Remove make check from contrib/ci/run

make check is already run separately in GitHub actions

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ad49db49 by Justin Stephenson at 2022-09-20T14:56:13+02:00
CI: Remove make distcheck from contrib/ci/run

make distcheck is already run separately in GitHub actions

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b274f359 by Justin Stephenson at 2022-09-20T14:56:13+02:00
CI: Remove coverage builds from contrib/ci/run

SSSD Coverage builds are not being used or analyzed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
162adb02 by Timo Aaltonen at 2022-09-22T14:58:44+03:00
Merge branch 'master' into m

- - - - -
09dcb3ce by Timo Aaltonen at 2022-09-22T15:34:11+03:00
releasing package sssd version 2.7.4-1

- - - - -
461131fa by Sam Morris at 2022-09-23T05:38:52+00:00
Remove remnants of support for multiple init systems

This was an artifact of the time when we supported upstart and sysvinit.

- - - - -
f4dffaea by Sumit Bose at 2022-09-23T13:34:24+02:00
krb5: respect krb5_validate for PAC checks

The first step of checking the PAC is the same as during the Kerberos
ticket validation, requesting a service ticket for a service principal
from the local keytab. By default ticket validation is enabled for the
IPA and AD provider where checking the PAC might become important. If
ticket validation is disabled manually it is most probably because there
are issues requesting the service ticket and fixing those is currently
not possible.

Currently when SSSD is configured to check the PAC it ignores the
krb5_validate setting and tries to request a service ticket, which would
fail in the case where ticket validation was disabled for a reason. To not
cause regressions with this patch SSSD will skip the PAC checks if
ticket validation is disabled.

Resolves: https://github.com/SSSD/sssd/issues/6355

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8e23ec89 by Pavel Březina at 2022-09-23T13:36:13+02:00
ci: add final result to workflows

Given that we have many jobs running as part of the pull request CI it
is quite simple to miss that one of the jobs has failed.

This commit adds a placeholder job that holds the final result of each
workflow. These jobs are added as 'required to succeed' in GitHub repository
settings to make potential failures more visible.

If one of the jobs fails, the status check web UI shows red so it is
simple to spot a failure.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
d4a1b71b by David Mulder at 2022-09-23T13:36:36+02:00
Fix sdap_access_host No matching host rule found

Canonicalize the hostname to ensure we have the
FQDN.

Signed-off-by: David Mulder <dmulder at samba.org>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d07dee78 by Alexey Tikhonov at 2022-09-23T13:39:27+02:00
UTILS: change of log level isn't an error

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a2417753 by Justin Stephenson at 2022-09-23T13:39:43+02:00
MAN: Remove duplicate dns options

dns_resolver_server_timeout and dns_resolver_op_timeout
are shown twice.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1ed3baa2 by aborah-sudo at 2022-09-27T12:50:49+02:00
Tests: Fix multidomain tests

Multidomain tests are failing in RHEL9 due to a config error.
This PR will fix them for RHEL9.

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
f418e940 by Alejandro López at 2022-09-27T12:51:23+02:00
D-Bus: Do not use timestamp optimization on "files" provider.

Avoid requesting only the latest updates when using the "files"
provider as it only updates the cache if /etc/files or /etc/group
is touched.

Added a test for this situation.

Resolves: https://github.com/SSSD/sssd/issues/6342

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0198f64c by Anton Bobrov at 2022-09-27T12:54:53+02:00
SUDO: Fix timezone issues with sudoNotBefore and sudoNotAfter

The current code does not respect generalized time as specified in the related before/after attributes.
The problem with the current implementation is that it essentially treats them as local time,
with no regard to TZ and DST.

This patch uses timegm(3) instead of mktime(3) to address said timezone issues and adds some bare
minimum static unit tests with known verified values to make sure the API is consistent with them.

Resolves:
https://github.com/SSSD/sssd/issues/6354

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
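The timegm(3)-versus-mktime(3) point of this commit, as an added example in C that is not SSSD's sudo code: a strict parser for the YYYYMMDDHHMMSSZ GeneralizedTime form, the corrected UTC conversion beside the old local-time one, a rule-window check built on it, and a reproduction of the skew on a host five hours ahead of UTC. The function names and sample timestamps are this example's assumptions; the skew demo deliberately sets TZ for the whole process.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse an LDAP GeneralizedTime in the YYYYMMDDHHMMSSZ form used by
 * sudoNotBefore/sudoNotAfter.  Only the 'Z' (UTC) form is accepted;
 * fractional seconds and local-offset forms are rejected. */
static int parse_generalized_time(const char *str, struct tm *tm)
{
    int y, mo, d, h, mi, s, i;

    if (str == NULL || strlen(str) != 15 || str[14] != 'Z') return -1;
    for (i = 0; i < 14; i++) {
        if (!isdigit((unsigned char)str[i])) return -1;   /* no signs, no spaces */
    }
    if (sscanf(str, "%4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &s) != 6) return -1;
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || s > 60) return -1;

    memset(tm, 0, sizeof(*tm));
    tm->tm_year = y - 1900;
    tm->tm_mon  = mo - 1;
    tm->tm_mday = d;
    tm->tm_hour = h;
    tm->tm_min  = mi;
    tm->tm_sec  = s;
    tm->tm_isdst = 0;
    return 0;
}

/* Fixed conversion: the fields are UTC, so use timegm(3). */
static time_t gentime_to_epoch(const char *str)
{
    struct tm tm;
    return parse_generalized_time(str, &tm) == 0 ? timegm(&tm) : (time_t)-1;
}

/* The old conversion, kept for comparison: mktime(3) reads the same fields as
 * local time, so the result moves with the host's UTC offset and DST rules. */
static time_t gentime_to_epoch_local(const char *str)
{
    struct tm tm;
    return parse_generalized_time(str, &tm) == 0 ? mktime(&tm) : (time_t)-1;
}

/* 1 if `now` lies within [not_before, not_after], 0 if not, -1 on parse error. */
static int sudo_rule_time_valid(const char *not_before, const char *not_after, time_t now)
{
    time_t nb = gentime_to_epoch(not_before);
    time_t na = gentime_to_epoch(not_after);

    if (nb == (time_t)-1 || na == (time_t)-1) return -1;
    return (now >= nb && now <= na) ? 1 : 0;
}

/* Reproduce the skew on a host five hours ahead of UTC (POSIX TZ "XYZ-5"):
 * returns how many seconds the local-time conversion is off, 18000 here,
 * meaning the rule window would open and close five hours too early. */
static long demo_timezone_skew(void)
{
    time_t good, bad;

    setenv("TZ", "XYZ-5", 1);
    tzset();
    good = gentime_to_epoch("20220927120000Z");
    bad  = gentime_to_epoch_local("20220927120000Z");
    return (long)(good - bad);
}
```

The parse failures matter as much as the conversion: a rule whose time attributes cannot be parsed should be reported and treated as not applicable, never as "always valid".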
d91a814c by Sergio Durigan Junior at 2022-10-03T12:15:23+02:00
Initialize UID/GID when using popt in "main" functions

When using popt to parse the "--uid" and "--gid" parameters that can
be passed to providers/responders, we have to make sure to initialize
the corresponding UID and GID variables with zero; otherwise they can
end up with garbage when neither "--uid" nor "--gid" is
provided.

Issue: #6347

Bugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001377
      https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1989356

Signed-off-by: Sergio Durigan Junior <sergiodj at sergiodj.net>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
74be536f by Paul Donohue at 2022-10-03T12:16:22+02:00
AD: Ignore option inherit failure

The previous code logged a message indicating that errors are ignored,
but it did not actually ignore errors, and did not properly free
subdom_conf_path if inheriting AD_USE_LDAP failed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6e3d2d76 by Paul Donohue at 2022-10-03T12:16:22+02:00
Split dp_option_inherit() into two functions

dp_option_inherit() previously included both option matching logic and option
inheritance logic.  Code that only needed the inheritance logic generated a
dummy option list to bypass the matching logic.

Eliminate the need for dummy option lists by moving the matching logic into a
separate dp_option_inherit_match() function.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
068c9980 by Paul Donohue at 2022-10-03T12:16:22+02:00
Add LDAP timeout support to subdomain_inherit

And adjust the position of SDAP_KRB5_KEYTAB in the inherit_options list
so that the list order matches the order in which options are listed in
`man 5 sssd.conf`

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b96077c5 by Iker Pedrosa at 2022-10-03T12:18:25+02:00
sssctl: fix memory management with new POPT

The POPT library behaviour changed due to a memory leak. With the new version
the value returned by poptGetArg() needs to be copied to avoid pointing
to an already freed value.

Resolves: https://github.com/SSSD/sssd/issues/6331

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
35a4ebf0 by aborah-sudo at 2022-10-03T12:20:39+02:00
Tests: Fix failure of SSSD pam module accepts usernames with leading spaces

Test was failing in the nightly test run. Output of client.command changed.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
c7f95991 by Steeve Goveas at 2022-10-03T12:21:08+02:00
TEST: Add README.rst as index.rst is not rendered

index.rst is not rendered in github. README.rst will help users to
navigate the contents.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
14f1bcdb by Steeve Goveas at 2022-10-03T12:21:08+02:00
Tests: Add doc for docstrings for test files and cases

Adding an rst document that defines the various parameters used in the
docstrings of the test files and test cases with examples.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
3e5251bf by Alejandro López at 2022-10-05T14:46:49+02:00
sssctl: Management of indexes on cache DBs.

A new command was added to sssctl in order to manage indexes on the
cache DBs.

sssctl cache-index create -a attr [-d domain]
sssctl cache-index delete -a attr [-d domain]
sssctl cache-index list [-a attr] [-d domain]

:feature: sssctl is now able to create, list and delete indexes on
          the local caches. Indexes are useful for the new D-Bus
          ListByAttr() function.

:relnote: The new D-Bus function ListByAttr() allows the caller to
          look for users that have an attribute with a certain value.
          For performance reasons, it is recommended that the
          attribute is indexed both on the remote server and on the
          local cache. The sssctl tool now provides the cache-index
          command to help you manage indexes on the local cache.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
70d5460b by Tomas Halman at 2022-10-05T14:47:06+02:00
CACHE: implement ncache_add_fn for ncache SID

This patch implements function to add non existing SID to negative
cache for individual domains.

Resolves: https://github.com/SSSD/sssd/issues/6352

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5ea1ed27 by Tomas Halman at 2022-10-05T14:47:06+02:00
CACHE: implement *get_domain* for SID lookup

This patch adds handlers for the dp_get_domain_check_fn(),
dp_get_domain_send_fn() and dp_get_domain_recv_fn() functions
to requests that resolve objects by SID.

The patch also extends the AD provider so it can handle those
domain-by-sid lookups.

This patch also adds domain-local negcache set/check methods
for SID lookups.

Resolves: https://github.com/SSSD/sssd/issues/6352

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
acfe3b29 by Alejandro López at 2022-10-07T12:41:31+02:00
DBUS: Add ListByAttr(attr, filter, limit)

Extended ListByName()'s mechanics to handle an attribute passed
as parameters instead of forcing "name." ListByName() will pass "name."

Created a dbus function ListByAttr() using ListByName()'s mechanics
but passing the attribute requested by the user.

Resolves: https://github.com/SSSD/sssd/issues/6020

:feature: Introduced the dbus function
          org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit)
          listing up to limit users matching the filter attr=value.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
58adcbcf by Weblate at 2022-10-07T12:47:25+02:00
po: update translations

(Russian) currently translated at 100.0% (2668 of 2668 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Korean) currently translated at 100.0% (650 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Polish) currently translated at 0.4% (13 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Spanish) currently translated at 95.5% (621 of 650 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Polish) currently translated at 0.4% (13 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Russian) currently translated at 100.0% (2668 of 2668 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Polish) currently translated at 0.2% (7 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Ukrainian) currently translated at 100.0% (2668 of 2668 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Polish) currently translated at 0.1% (4 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

Added translation using Weblate (Polish)

- - - - -
59cd1970 by Pavel Březina at 2022-10-07T12:50:04+02:00
pot: update translations

- - - - -
6a2de710 by Pavel Březina at 2022-10-07T12:58:06+02:00
Update version in version.m4 to track the next release

- - - - -
7a1976c9 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: register key with helper process

Create a helper process to handle the FIDO2 key registration. In order
to do that the helper process will parse the command line arguments,
list the connected devices, select the first one in the list, prepare
the user credentials, generate the key credentials, verify them to
ensure that everything has worked correctly and print the credentials.

FIDO U2F fallback has been disabled to force a PIN usage, thus
increasing the security as a lost or stolen key would be unusable with
it.

Moreover, include the libfido2 dependency in the configuration and the
spec file.

Finally, several test cases have been added to the unit tests. Most of
them just check the happy path but some error handling is also tested.

:packaging: include libfido2 dependency
:config: New config to build passkey authentication

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5b27a353 by Justin Stephenson at 2022-10-10T13:07:02+02:00
Fido2 child: Add missing options

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9a2548ea by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: make the build conditional

Add a condition to build the FIDO2 support.

Resolves: SSSD#6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f800471e by Iker Pedrosa at 2022-10-10T13:07:02+02:00
sssd.supp: suppress leak errors

The suppression rule for popt malloc needs to be more generic. Moreover,
create a new suppression rule for sssd debug initialization when being
executed twice: from the production code and from the unit-tests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8bdcc028 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
passkey: change fido2 to passkey

Passkey is a more general term that the industry is using currently.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ab89455b by Justin Stephenson at 2022-10-12T14:22:14+02:00
CI: Build srpm fix for illegal version tag '-'

error: line 45: Illegal char '-' (0x2d) in: Version: sssd-2-7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
587fe968 by Justin Stephenson at 2022-10-12T14:22:20+02:00
CI: Build srpm fix for illegal version tag '-'

error: line 45: Illegal char '-' (0x2d) in: Version: sssd-2-7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit ab89455be398f4688f95489b805c8ae204ba6f0d)

- - - - -
a5403f78 by Alexey Tikhonov at 2022-10-13T21:00:10+02:00
IPA: "trusted user not found" isn't an error

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e6f94e25 by Alexey Tikhonov at 2022-10-13T21:00:16+02:00
IPA: "trusted user not found" isn't an error

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit a5403f7896a685d09f6449915d5216b6b1224bcb)

- - - - -
b38fdc81 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: avoid syslog message when no domains are enabled

This syslog message would also appear when calling other tools like
sss_cache which is confusing. We return specific error code instead
and let the error be syslogged in the monitor in monitor.c:main (this
is already implemented).

Resolves: https://github.com/SSSD/sssd/issues/6387

:fixes: A regression when running sss_cache when no SSSD domain is
  enabled would produce a syslog critical message was fixed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4da86136 by Pavel Březina at 2022-10-13T21:00:38+02:00
monitor: read all enabled domains in add_implicit_services

Reading sssd/domains option is no longer sufficient since domains
can be enabled through domain/enabled.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64c22dd1 by Pavel Březina at 2022-10-13T21:00:38+02:00
sss_cache: use ERR_NO_DOMAIN_ENABLED instead of ENOENT

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
df55b1f1 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: change debug level when no domains are found in confdb_get_domains

We print the error as fatal error in the monitor to make sure the
message is correctly visible. However, the error is not fatal for tools
like sss_cache and it should not be printed there by default.

Since the tools have default debug level set to SSSDBG_FATAL_FAILURE, it
is sufficient to just drop the level to critical.

Resolves: https://github.com/SSSD/sssd/issues/6387

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a6d52145 by Pavel Březina at 2022-10-13T21:00:44+02:00
confdb: avoid syslog message when no domains are enabled

This syslog message would also appear when calling other tools like
sss_cache which is confusing. We return specific error code instead
and let the error be syslogged in the monitor in monitor.c:main (this
is already implemented).

Resolves: https://github.com/SSSD/sssd/issues/6387

:fixes: A regression when running sss_cache when no SSSD domain is
  enabled would produce a syslog critical message was fixed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b38fdc8185fcd6a2e5d4b483d3119964f9922070)

- - - - -
1df02947 by Pavel Březina at 2022-10-13T21:00:44+02:00
monitor: read all enabled domains in add_implicit_services

Reading sssd/domains option is no longer sufficient since domains
can be enabled through domain/enabled.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4da861368b88c03b22993f95de5b508ad5637c25)

- - - - -
a6312c46 by Pavel Březina at 2022-10-13T21:00:44+02:00
sss_cache: use ERR_NO_DOMAIN_ENABLED instead of ENOENT

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 64c22dd1c4f79f953b879fc167b535de928f4bfd)

- - - - -
ab7cbb5f by Pavel Březina at 2022-10-13T21:00:44+02:00
confdb: change debug level when no domains are found in confdb_get_domains

We print the error as fatal error in the monitor to make sure the
message is correctly visible. However, the error is not fatal for tools
like sss_cache and it should not be printed there by default.

Since the tools have default debug level set to SSSDBG_FATAL_FAILURE, it
is sufficient to just drop the level to critical.

Resolves: https://github.com/SSSD/sssd/issues/6387

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit df55b1f16ea2fb5e56f0fe69419904d50b7e2476)

- - - - -
a05719fa by Shridhar Gadekar at 2022-10-13T21:01:45+02:00
Tests: Porting the AD-Access-control test-suite to pytest

Minor docstring modifications. Adding detailed expectedresults
instead of 'should succeed' in docstrings of testcases

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6c0ae779 by aborah-sudo at 2022-10-20T11:04:07+02:00
Tests: port proxy_provider/rfc2307

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62276737 by aborah-sudo at 2022-10-20T11:04:12+02:00
Tests: port proxy_provider/rfc2307

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 6c0ae779fca1450d3256e9d718164dfb75880cdf)

- - - - -
4328c135 by Timo Aaltonen at 2022-10-27T12:38:43+03:00
Merge tag '2.7.4' into m

2.7.4

- - - - -
65eb40a5 by Timo Aaltonen at 2022-10-27T12:38:49+03:00
Merge branch 'master' into m

- - - - -
7b448ad2 by Timo Aaltonen at 2022-10-27T12:39:26+03:00
version bump

- - - - -
f1beb051 by Timo Aaltonen at 2022-10-27T12:50:11+03:00
watch: Updated for current github behaviour.

- - - - -
82285406 by Timo Aaltonen at 2022-10-27T12:51:16+03:00
support-krb5-1.20.diff: Dropped, upstream.

- - - - -
8a2fd06b by Alexey Tikhonov at 2022-11-01T17:15:46+01:00
CFG RULES: allow 'fallback_to_nss' option

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
cfaa06b0 by Alexey Tikhonov at 2022-11-01T17:15:51+01:00
CFG RULES: allow 'fallback_to_nss' option

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 8a2fd06b2928189bcf0c3373c9e38437063b5241)

- - - - -
71466a8d by Alexey Tikhonov at 2022-11-01T17:19:07+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e0026e38 by Alexey Tikhonov at 2022-11-01T17:19:14+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 71466a8dbdb1d755ace15680cc2b4b11b68a0573)

- - - - -
103a4888 by Pavel Březina at 2022-11-01T17:19:35+01:00
autofs: do not yield warning on default configuration

This warning has been there for a long time now (since 1.14, 7 years,
see 999d6066c7a96f102b692d31435d76114478e874) and it was intended to
be removed eventually.

:relnote: SSSD will no longer warn about changed defaults when using
  `ldap_schema = rfc2307` and default autofs mapping. This warning was
  introduced in 1.14 to loudly warn about different default values.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6d87af5e by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Add passkey exec command

Simple wrapper which calls the passkey_child process, planned to be
used with passkey_child --register and also for troubleshooting.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ee0d73a2 by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Use wrapper function for analyze

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62458d49 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: enable ci for sssd-2-8 branch

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c526acba by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/checkout@v3

checkout@v3 runs on node16 so it will remove the deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
770bf7bf by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: use GITHUB_OUTPUT instead of set-output

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b2d193b9 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/upload-artifact@v3

upload-artifact@v3 runs on node16 so it will remove the deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7bf97190 by Pavel Březina at 2022-11-01T17:37:24+01:00
ci: enable ci for sssd-2-8 branch

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 62458d49090ae94b1d65ac0642ec6e3b3cd75a05)

- - - - -
40ccfd6c by Pavel Březina at 2022-11-01T17:37:24+01:00
ci: switch to actions/checkout@v3

checkout@v3 runs on node16 so it will remove the deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit c526acbaea0b1cd1e0a554820f860e2e20e2ae6d)

- - - - -
9aee8164 by Pavel Březina at 2022-11-01T17:37:24+01:00
ci: use GITHUB_OUTPUT instead of set-output

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 770bf7bf3afada064df8ed9d47445d912d5f0a4c)

- - - - -
a7853d51 by Pavel Březina at 2022-11-01T17:37:24+01:00
ci: switch to actions/upload-artifact@v3

upload-artifact@v3 runs on node16 so it will remove the deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit b2d193b9370eb7d2bd9ffb713e58cbd936f411b7)

- - - - -
2070000a by Alejandro López at 2022-11-02T15:58:35+01:00
CACHE_REQ: Do not use timestamp optimization on "files" provider.

Avoid requesting only the latest updates when using the "files"
provider as it only updates the cache if /etc/files or /etc/group
is touched.

Added a test for this situation.

Resolves: https://github.com/SSSD/sssd/issues/6398

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6d7f1fba by Alejandro López at 2022-11-02T15:58:41+01:00
CACHE_REQ: Do not use timestamp optimization on "files" provider.

Avoid requesting only the latest updates when using the "files"
provider as it only updates the cache if /etc/files or /etc/group
is touched.

Added a test for this situation.

Resolves: https://github.com/SSSD/sssd/issues/6398

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 2070000a3b80e2dc13bd19b3da99efaa08c34fac)

- - - - -
4c678cbb by Justin Stephenson at 2022-11-03T11:08:21+01:00
Analyzer: Optimize list verbose output

Modify the analyzer to parse the responder log file in one pass. This
avoids repeated parsing of a single log file. This operation will now
store log lines in a dictionary on a single pass then format and print
the output accordingly. Does not affect 'list' or 'show' output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c61e1098 by Justin Stephenson at 2022-11-03T11:08:27+01:00
Analyzer: Optimize list verbose output

Modify the analyzer to parse the responder log file in one pass. This
avoids repeated parsing of a single log file. This operation will now
store log lines in a dictionary on a single pass then format and print
the output accordingly. Does not affect 'list' or 'show' output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 4c678cbb4ace4be413847fa297bce0c7c8cc42b6)

- - - - -
214540e7 by Alejandro López at 2022-11-03T11:15:35+01:00
Cache: String has to be duplicated instead of copied

input->name.attr has to be duplicated when not NULL.
Just copying the pointer is not a good thing.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
719c9253 by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Initialize domain with NULL

Variable domain is compared to NULL before checking sss_parse_inp_recv()'s
return value. Let's initialize it to NULL.

Warning: sss_parse_inp_recv() modifies domain's value when returning EOK
or ERR_DOMAIN_NOT_FOUND. The situation is not perfect but is better than
before.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8f7c35ea by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Do not return duplicated values.

For each domain, a multi-domain search is done and all the results for
each domain are returned each time. This produces several copies of the
same results.
Function cache_req_input_parsed() decides whether to launch a multi- or
single-domain search based on the domain the user requested. If the user
didn’t request a domain (such as in a call to ListByName()), a
multi-domain search is launched, even if we are only looking for the
current domain. In that case a single-domain search is enough.

Resolves: https://github.com/SSSD/sssd/issues/6360

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
a9796282 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: Correct ListByAttr()'s test

Now that ListByName() and ListByAttr() are fixed, the test needs to
be corrected as it was explicitly avoiding that case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
569dca5f by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Consider the domain when looking up names in the cache

Use a fully-qualified name based on the expression the user provided
when looking for names in the cache.

Resolves: https://github.com/SSSD/sssd/issues/6361

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
09895561 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: New test for D-Bus' ListByName()

Added a test for the D-Bus function ListByName().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c3453e4e by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Use a const struct in cache_req_data_create()

The structure data is not modified in the function. The const modifier
can be used.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
129979a3 by Alejandro López at 2022-11-03T11:15:43+01:00
Cache: String has to be duplicated instead of copied

input->name.attr has to be duplicated when not NULL.
Just copying the pointer is not a good thing.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 214540e72a6743e1112b35d562efc595594b1a82)

- - - - -
1377bca9 by Alejandro López at 2022-11-03T11:15:43+01:00
CACHE_REQ: Initialize domain with NULL

Variable domain is compared to NULL before checking sss_parse_inp_recv()'s
return value. Let's initialize it to NULL.

Warning: sss_parse_inp_recv() modifies domain's value when returning EOK
or ERR_DOMAIN_NOT_FOUND. The situation is not perfect but is better than
before.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 719c92533c52aad091c8b58e7a82b9e3b88f8e62)

- - - - -
1562df03 by Alejandro López at 2022-11-03T11:15:43+01:00
CACHE_REQ: Do not return duplicated values.

For each domain, a multi-domain search is done and all the results for
each domain are returned each time. This produces several copies of the
same results.
Function cache_req_input_parsed() decides whether to launch a multi- or
single-domain search based on the domain the user requested. If the user
didn’t request a domain (such as in a call to ListByName()), a
multi-domain search is launched, even if we are only looking for the
current domain. In that case a single-domain search is enough.

Resolves: https://github.com/SSSD/sssd/issues/6360

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 8f7c35eae22aaa9649db1cf2d07d17d8c4b92e82)

- - - - -
82c69b7f by Alejandro López at 2022-11-03T11:15:43+01:00
TESTS: Correct ListByAttr()'s test

Now that ListByName() and ListByAttr() are fixed, the test needs to
be corrected as it was explicitly avoiding that case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit a97962826efdf5c51fed7553e761a803c48f6675)

- - - - -
13e841de by Alejandro López at 2022-11-03T11:15:43+01:00
CACHE_REQ: Consider the domain when looking up names in the cache

Use a fully-qualified name based on the expression the user provided
when looking for names in the cache.

Resolves: https://github.com/SSSD/sssd/issues/6361

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 569dca5f24e2e92aa86c7a2800f772e29211fc31)

- - - - -
7f583fad by Alejandro López at 2022-11-03T11:15:43+01:00
TESTS: New test for D-Bus' ListByName()

Added a test for the D-Bus function ListByName().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 09895561a34592de1d58af211db1725388d86d5e)

- - - - -
0f670188 by Alejandro López at 2022-11-03T11:15:43+01:00
CACHE_REQ: Use a const struct in cache_req_data_create()

The structure data is not modified in the function. The const modifier
can be used.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit c3453e4e82796c5ae578671f25568c74919cad13)

- - - - -
ba5439c0 by Weblate at 2022-11-04T11:27:44+01:00
po: update translations

(Korean) currently translated at 51.0% (1331 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 50.6% (1320 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 49.9% (1302 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Polish) currently translated at 4.7% (126 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Polish) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Polish) currently translated at 1.4% (39 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Korean) currently translated at 49.2% (1283 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2686 of 2686 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 100.0% (2686 of 2686 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Russian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Ukrainian) currently translated at 99.3% (659 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Polish) currently translated at 1.4% (38 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Korean) currently translated at 46.5% (1215 of 2609 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
92347d98 by Shridhar Gadekar at 2022-11-04T11:28:28+01:00
Tests: GSSAPI ssh login failing due to a missing directive

Adding the missing pxssh module import

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
cfa11294 by 김인수 at 2022-11-04T11:29:21+01:00
po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

po: update translations

(Polish) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/pl/

po: update translations

(Russian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/uk/

po: update translations

(Polish) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/pl/

po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

- - - - -
59685cff by Shridhar Gadekar at 2022-11-04T11:29:24+01:00
Tests: GSSAPI ssh login failing due to a missing directive

Adding the missing pxssh module import

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 90f860b277074df1861ad4110df35eee7c83862d)

- - - - -
a22af6f0 by Pavel Březina at 2022-11-04T11:35:03+01:00
pot: update translations

- - - - -
59973c0b by Pavel Březina at 2022-11-04T11:37:10+01:00
pot: update translations

- - - - -
a18ef88e by Pavel Březina at 2022-11-04T12:02:30+01:00
Release sssd-2.8.1

- - - - -
955192b1 by Shridhar Gadekar at 2022-11-09T10:00:48+01:00
Tests: gssapi ssh login minor fix

Trivial fix, the kinit command was missing '@' after username. It was
causing obvious failure to fetch krb ticket.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
de1d4636 by Shridhar Gadekar at 2022-11-09T10:00:54+01:00
Tests: gssapi ssh login minor fix

Trivial fix, the kinit command was missing '@' after username. It was
causing obvious failure to fetch krb ticket.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 955192b12fafdb55daaa0b12381322031fd20816)

- - - - -
a3b30043 by aborah-sudo at 2022-11-09T18:37:37+01:00
Tests: Removing tests from gating pipeline

test_bz1368467 --- this one looks more like performance than gating
test_avoid_interlocking_among_threads --- feature not supported

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
(cherry picked from commit dbf9198dc4d3516422a2256724c72317c1318211)

- - - - -
dab19a4d by aborah-sudo at 2022-11-09T20:25:30+01:00
Tests: Removing tests from gating pipeline

test_bz1368467 --- this one looks more like performance than gating
test_avoid_interlocking_among_threads --- feature not supported

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
60772306 by Shridhar Gadekar at 2022-11-09T20:25:50+01:00
Tests: Use negative cache better for lookup by SIDs

Minor change, adding import of re module

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
25deb9e0 by Shridhar Gadekar at 2022-11-09T20:25:56+01:00
Tests: Use negative cache better for lookup by SIDs

Minor change, adding import of re module

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 6077230633849afb8f682333682a3353244951a0)

- - - - -
7c907a7c by aborah-sudo at 2022-11-10T14:04:18+05:30
Tests: Removing tests from gating pipeline

test_bz1368467 --- this one looks more like performance than gating

- - - - -
10641ea1 by aborah-sudo at 2022-11-10T10:51:15+01:00
Tests: Removing tests from gating pipeline

test_bz1368467 --- this one looks more like performance than gating

(cherry picked from commit 7c907a7c9725f0a00dab2ea20656434a2e1ed61f)

- - - - -
419b9b8f by Dan Lavu at 2022-11-10T09:22:52-05:00
Adding Ported DynDNS Testcases

This is merged branch of two following PRs, 6363 and 6344 which are now closed.

6344 Add the tests but are unreliable.

6363 contains the following changes, rewriting the suite.
* change_hostname fixture would revert back to the hostname in /etc/hostname; updated the fixture
* disabled DNS recursion, as lookups were being forwarded to authoritative servers, resulting in falsely passing tests
* removed the ipv6 address part of del_record, which would result in passing but with the wrong thing being searched
* created a DNSAD object to search for records directly on the DNS server, stabilizing results and skipping any cache
* cleaned up the functions and code for readability

Signed-off-by: Dan Lavu <dlavu at redhat.com>

- - - - -
f24b6daa by Iker Pedrosa at 2022-11-11T10:30:19+01:00
passkey: replace erroneous description

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
28124cfb by Iker Pedrosa at 2022-11-11T10:30:19+01:00
passkey: print PEM formatted public key

When registering a key print the public key in PEM format.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3e02de93 by Alexey Tikhonov at 2022-11-15T10:42:28+01:00
UTILS: socket connect: added missing new line and adjusted log level to a more appropriate one

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9258f0be by Alexey Tikhonov at 2022-11-15T10:42:34+01:00
UTILS: socket connect: added missing new line and adjusted log level to a more appropriate one

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 3e02de933d234e4039d096a9534cd282ce170548)

- - - - -
a21c6662 by Jakub Vavra at 2022-11-15T10:43:20+01:00
Tests: Add a test for bz1964121 override homedir to lowercase

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1964121
Verifies: #6210

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
8e82f3d4 by Jakub Vavra at 2022-11-15T10:43:25+01:00
Tests: Add a test for bz1964121 override homedir to lowercase

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1964121
Verifies: #6210

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit a21c666255c81a6da062d801a4c0d95c30bd2f66)

- - - - -
25eae1c0 by Alexey Tikhonov at 2022-11-18T14:47:12+01:00
SYSDB: use `sss_strerror()` to handle `ERR_GID_DUPLICATED`

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
93ed5e58 by Alexey Tikhonov at 2022-11-18T14:48:39+01:00
UTILS: got rid of deprecated `inet_netof()` to please 'rpminspect'.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2f885989 by Alexey Tikhonov at 2022-11-18T14:48:43+01:00
UTILS: got rid of deprecated `inet_netof()` to please 'rpminspect'.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 93ed5e58e0bfa9d67fc83ee2643687ed24151fb0)

- - - - -
6ef3aade by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
TOOLS: don't export internal helpers

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7af46ba0 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
TOOLS: fixed handling of init error

Before execution of `tool_cmd_init()` `init_err` wasn't set,
so `sss_tools_handles_init_error()` check was a no-op.

Consequently, a proper check after `tool_cmd_init()` was missing.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
99791400 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
SSSCTL: don't require 'root' for "analyze" cmd

:relnote: `sssctl analyze` tool no longer needs to be run as root.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d4d9aa65 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
SSSCTL: don't require 'root' for "passkey-exec" cmd

:relnote: `sssctl passkey-exec` tool no longer needs to be run as root.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a7759ab3 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Add the missing admisc pytest marker.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bce2b0c8 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Wait a bit before collecting log in test_0015_ad_parameters_ad_hostname_machine.

This test is unstable on other architectures (ppc64le, aarch64) and it seems that
adding a 15s wait before collecting the log gives it enough time to write it properly.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d7e7efe9 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Fix E126 in test_adparameters_ported.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
44717b82 by Jakub Vavra at 2022-11-18T15:59:57+01:00
Tests: Add the missing admisc pytest marker.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit a7759ab30b12b92c1a21aec5549f8a05dcc98947)

- - - - -
564af88d by Jakub Vavra at 2022-11-18T15:59:57+01:00
Tests: Wait a bit before collecting log in test_0015_ad_parameters_ad_hostname_machine.

This test is unstable on other architectures (ppc64le, aarch64) and it seems that
adding a 15s wait before collecting the log gives it enough time to write it properly.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit bce2b0c8037250ad2d8d817e747a78439bd6610c)

- - - - -
d2b5c789 by Jakub Vavra at 2022-11-18T15:59:57+01:00
Tests: Fix E126 in test_adparameters_ported.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit d7e7efe93deabbbfff24664799e1fdb60c5a2fbc)

- - - - -
36e5479b by Alejandro López at 2022-11-18T16:00:24+01:00
BUILD: Fix some warnings thrown while building

Some of them are not actually needed (false positives) but this
helps to have a clean build and identify real warnings.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
285f1703 by aborah-sudo at 2022-11-18T16:00:45+01:00
Tests: fix test_bz1368467

This test was failing due to login error.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
19fd96f1 by aborah-sudo at 2022-11-18T16:00:51+01:00
Tests: fix test_bz1368467

This test was failing due to login error.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 285f1703194fa260b4886133d9bcd79de70f24ff)

- - - - -
bfa8d50c by Justin Stephenson at 2022-11-18T16:01:58+01:00
Analyzer: Ensure parsed id contains digit

In analyzer list verbose output, we parse the last field of cache_req_search_send() lines.
Certain log messages need to be filtered out by ensuring the parsed field is
a digit, such as the last line below.

[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at domain-zflo.com
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119 at domain-zflo.com] from cache

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7d0c70cc by Justin Stephenson at 2022-11-18T16:02:03+01:00
Analyzer: Ensure parsed id contains digit

In analyzer list verbose output, we parse the last field of cache_req_search_send() lines.
Certain log messages need to be filtered out by ensuring the parsed field is
a digit, such as the last line below.

[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at domain-zflo.com
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119 at domain-zflo.com] from cache

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit bfa8d50c479cf8ef7b299eb5848309a3a9ea7f12)

- - - - -
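The filtering described in the two "Analyzer: Ensure parsed id contains digit" commits above, as an added Python example; this is not SSSD's own `sssctl analyze` code. The sample lines are constructed to mirror the ones quoted in the commit message, written with the "@" the log actually contains (the mailing-list rendering shows it as " at "). The regex, the `(kind, value, domain)` split and the deduplication are this example's own additions, not something the commit describes.

```python
import re

# Constructed sample lines modelled on the ones quoted in the commit message.
# The fourth line ends in "cache": its last field carries no digit and must be
# filtered out. The fifth line is an unrelated message (not a
# cache_req_search_send line) and must be ignored entirely.
SAMPLE_LOG = """\
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache
[cache_req_send] (0x0400): [CID#1] CR #1: New request 'Group by ID'
"""

# Assumed shape of a lookup target: KIND:value[@domain]; the value carries the digit.
ID_RE = re.compile(r"^(?P<kind>[A-Z]+):(?P<value>[^@\s]+)(?:@(?P<domain>\S+))?$")


def parse_search_targets(log_text):
    """Return the last whitespace-separated field of every cache_req_search_send
    line whose last field contains at least one digit (the check the commit adds)."""
    targets = []
    for line in log_text.splitlines():
        if "[cache_req_search_send]" not in line:
            continue
        last_field = line.split()[-1]
        if not any(ch.isdigit() for ch in last_field):
            # e.g. "... from cache" -> last field "cache": not an id, skip it
            continue
        targets.append(last_field)
    return targets


def split_target(target):
    """Break "GID:1031401119@domain-zflo.com" into (kind, value, domain);
    None when the field does not look like a lookup target."""
    m = ID_RE.match(target)
    if m is None:
        return None
    return (m.group("kind"), m.group("value"), m.group("domain"))


def unique_lookups(log_text):
    """Deduplicated (kind, value, domain) tuples in first-seen order, which is
    what a reviewer wants when listing the identities one request touched."""
    seen = []
    for target in parse_search_targets(log_text):
        parsed = split_target(target)
        if parsed is not None and parsed not in seen:
            seen.append(parsed)
    return seen


if __name__ == "__main__":
    for kind, value, domain in unique_lookups(SAMPLE_LOG):
        print(f"{kind} {value} in {domain}")
```

Filtering on "last field contains a digit" rather than on the message text keeps the parser tolerant of the varying wording of the "Looking up" lines while still rejecting the "Returning ... from cache" line the commit calls out.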
541cd677 by Alexey Tikhonov at 2022-11-18T18:01:36+01:00
TOOLS: don't export internal helpers

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 6ef3aade0394e32540242f902c9f21bb8d6c41f2)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
bb97f89a by Alexey Tikhonov at 2022-11-18T18:01:36+01:00
TOOLS: fixed handling of init error

Before execution of `tool_cmd_init()` `init_err` wasn't set,
so `sss_tools_handles_init_error()` check was a no-op.

Consequently, a proper check after `tool_cmd_init()` was missing.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 7af46ba0e925da61b7b4003c3fa6d51c05c1116e)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
581617c0 by Alexey Tikhonov at 2022-11-18T18:01:37+01:00
SSSCTL: don't require 'root' for "analyze" cmd

:relnote: `sssctl analyze` tool no longer needs to be run as root.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 99791400bec1054cf0081884e013a3cbed75fe8a)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
790e7a77 by Steeve Goveas at 2022-11-18T18:08:51+01:00
Tests: Cannot SSH with AD user to ipa-client with invalid keytab

`krb5_validate` and `pac_check` settings conflict. Setting krb5_validate
to false skips the pac_check, enabling the login.

Verifies:
  #6355
  https://bugzilla.redhat.com/show_bug.cgi?id=2127822
  https://bugzilla.redhat.com/show_bug.cgi?id=2128902

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a34b4f5e by Steeve Goveas at 2022-11-18T18:08:55+01:00
Tests: Cannot SSH with AD user to ipa-client with invalid keytab

`krb5_validate` and `pac_check` settings conflict. Setting krb5_validate
to false skips the pac_check, enabling the login.

Verifies:
  #6355
  https://bugzilla.redhat.com/show_bug.cgi?id=2127822
  https://bugzilla.redhat.com/show_bug.cgi?id=2128902

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 790e7a779f4385b8ad95878ee79a44fdaac46325)

- - - - -
14748ff9 by Jakub Vavra at 2022-11-22T18:36:33+01:00
Tests: Update fixture using adcli to handle password from stdin.

Adcli changed the handling of the password dialog for bz2124030, so
the automation needs to be updated to work properly.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e3be4597 by Jakub Vavra at 2022-11-22T18:36:39+01:00
Tests: Update fixture using adcli to handle password from stdin.

Adcli changed the handling of the password dialog for bz2124030, so
the automation needs to be updated to work properly.

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 14748ff981ac5825a55c06350db05dce23732299)

- - - - -
2f99cd31 by Justin Stephenson at 2022-11-22T18:37:17+01:00
SSSCTL: Add debug option to help message

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
49b10717 by Justin Stephenson at 2022-11-22T18:37:22+01:00
SSSCTL: Add debug option to help message

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 2f99cd31bc43406a9d400129260654ebd6bccc15)

- - - - -
ab6910ae by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: verify assertion

Include the assertion verification in the passkey helper process. For
that purpose, prepare the assertion request data, select the device to
use, get the device options and compare them with the organization
policy, decode the public key, request the assert and verify it.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2b0a8f27 by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: public key in PEM format

It helps us obtain the cryptographic algorithm used to generate the key.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6b0d175f by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: input PIN via stdin

For the registration process add a new "quiet" option to suppress the
prompts and read the PIN from stdin. For the authentication process
always read the PIN from stdin.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d690c2c6 by Timo Aaltonen at 2022-11-23T10:07:24+02:00
Merge branch 'upstream'

- - - - -
1fa6693e by Timo Aaltonen at 2022-11-23T10:07:57+02:00
version bump

- - - - -
53508df4 by Timo Aaltonen at 2022-11-23T10:10:46+02:00
releasing package sssd version 2.8.1-1

- - - - -
f5c0e7b3 by Pavel Březina at 2022-11-25T13:25:11+01:00
ci: make /dev/shm writable

We build SSSD in /dev/shm, which is mounted on a read-only file system on
new podman versions. We need to mount it as tmpfs to make it writable.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ae614c17 by Pavel Březina at 2022-11-25T13:25:11+01:00
ci: install correct python development package

The package name has changed on new Ubuntu.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
dc71321f by Pavel Březina at 2022-11-25T13:25:17+01:00
ci: make /dev/shm writable

We build SSSD in /dev/shm, which is mounted on a read-only file system on
new podman versions. We need to mount it as tmpfs to make it writable.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit f5c0e7b391879782b0e93fe02265c3bef7cb9edf)

- - - - -
8c4da493 by Pavel Březina at 2022-11-25T13:25:17+01:00
ci: install correct python development package

The package name has changed on new Ubuntu.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit ae614c17b3874862200b78e57c158554b62a8273)

- - - - -
336b1fac by Iker Pedrosa at 2022-11-25T13:25:39+01:00
ci: fix codeql

libsemanage1-dev was renamed to libsemanage-dev in Debian and its
derivatives.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
77ef7b25 by Iker Pedrosa at 2022-11-25T13:25:45+01:00
ci: fix codeql

libsemanage1-dev was renamed to libsemanage-dev in Debian and its
derivatives.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 336b1facdc043f21aab7e67e46c3c736fa64d303)

- - - - -
4a6eb258 by Justin Stephenson at 2022-11-25T13:26:05+01:00
CI: Update core github actions

Update dependent actions to address:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0253f7c3 by Justin Stephenson at 2022-11-25T13:26:11+01:00
CI: Update core github actions

Update dependent actions to address:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 4a6eb258c33c8adeb78c053aa8401729f0f6bbec)

- - - - -
fc3fad98 by Jakub Vavra at 2022-11-28T06:32:58+01:00
Tests: Fix automount OU removal from AD.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
765fe3de by Jakub Vavra at 2022-11-28T06:32:59+01:00
Tests: Fix automount OU removal from AD.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit fc3fad982e39d560a80c1a8b922455a190718cb7)

- - - - -
340691fa by Cole Robinson at 2022-11-30T16:48:06+01:00
MAN: Fix option typo on sssd-kcm.8

The option is called krb5_renewable_lifetime, not krb5_renew_lifetime

Signed-off-by: Cole Robinson <crobinso at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ece94348 by Cole Robinson at 2022-11-30T16:48:11+01:00
MAN: Fix option typo on sssd-kcm.8

The option is called krb5_renewable_lifetime, not krb5_renew_lifetime

Signed-off-by: Cole Robinson <crobinso at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 340691fae95a2fc66c85d5da8db14f227b2c88a8)

- - - - -
91789449 by Sumit Bose at 2022-11-30T16:50:53+01:00
PAC: allow to disable UPN check

Currently it is not possible to skip the UPN check, which checks whether the
UPN in the PAC and the one stored in SSSD's cache are different.
Additionally, the related debug message will show both principals if they
differ.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b3d7a4f6 by Sumit Bose at 2022-11-30T16:50:53+01:00
ipa: do not add guessed principal to the cache

Currently on IPA clients a calculated principal based on the user name
and the Kerberos realm is added to the cached user object. This code is
quite old and might have been necessary at times when sub-domain support
was added to SSSD. But for quite some time SSSD has been capable of
generating the principal on the fly during authentication if nothing is
stored in the cache.

Removing the code makes the cache more consistent with other use-cases,
e.g. with the IPA server where this attribute is empty, and allows
properly detecting a missing UPN, e.g. during the PAC validation.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
51b11db8 by Sumit Bose at 2022-11-30T16:50:53+01:00
pac: relax default check

To avoid issues with the UPN check during PAC validation when
'ldap_user_principal' is set to a non-existent attribute to skip reading
user principals, a new 'pac_check' option, 'check_upn_allow_missing', is
added to the default options. With this option only a log message is
shown but the check will not fail.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b00c72d2 by Sumit Bose at 2022-11-30T16:50:57+01:00
PAC: allow to disable UPN check

Currently it is not possible to skip the UPN check, which checks whether the
UPN in the PAC and the one stored in SSSD's cache are different.
Additionally, the related debug message will show both principals if they
differ.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a)

- - - - -
a3304cc6 by Sumit Bose at 2022-11-30T16:50:57+01:00
ipa: do not add guessed principal to the cache

Currently on IPA clients a calculated principal based on the user name
and the Kerberos realm is added to the cached user object. This code is
quite old and might have been necessary at times when sub-domain support
was added to SSSD. But for quite some time SSSD has been capable of
generating the principal on the fly during authentication if nothing is
stored in the cache.

Removing the code makes the cache more consistent with other use-cases,
e.g. with the IPA server where this attribute is empty, and allows
properly detecting a missing UPN, e.g. during the PAC validation.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c)

- - - - -
35a28524 by Sumit Bose at 2022-11-30T16:50:57+01:00
pac: relax default check

To avoid issues with the UPN check during PAC validation when
'ldap_user_principal' is set to a non-existent attribute to skip reading
user principals, a new 'pac_check' option, 'check_upn_allow_missing', is
added to the default options. With this option only a log message is
shown but the check will not fail.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79)

- - - - -
ad0a8c6a by aborah-sudo at 2022-11-30T16:53:31+01:00
Tests: fix test_sssctl_local.py::Testsssctl::test_0002_bz1599207

test_sssctl_local.py::Testsssctl::test_0002_bz1599207 is affected by
disabling "implicit files provider"

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
65e944bd by aborah-sudo at 2022-11-30T16:53:35+01:00
Tests: fix test_sssctl_local.py::Testsssctl::test_0002_bz1599207

test_sssctl_local.py::Testsssctl::test_0002_bz1599207 is affected by
disabling "implicit files provider"

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit ad0a8c6a33ea5bbad8058112b95bef00bb76d5c9)

- - - - -
e4dd11f2 by Alexey Tikhonov at 2022-12-02T15:20:40+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Addition to 71466a8dbdb1d755ace15680cc2b4b11b68a0573

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cd1a94e5 by Alexey Tikhonov at 2022-12-02T15:20:45+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Addition to 71466a8dbdb1d755ace15680cc2b4b11b68a0573

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e4dd11f2c2cd59031f904a1e30ed5b67edbdd54f)

- - - - -
3f8bc872 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for serial number

Read the serial number of the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
10d977a3 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for subject key id

Read the subject key id from the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9e1b711b by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for SID extension

Check if the SID extension is available, read the SID and make it
available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f293507d by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: fix for SAN URI

The URI was not added to the list of subject alternative names.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c4085c9a by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add bin_to_hex() helper function

This patch adds a helper function to format hexadecimal strings of
binary data.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
11483f1e by Sumit Bose at 2022-12-02T15:24:14+01:00
sssctl: add cert-eval-rule sub-command

The new 'cert-eval-rule' sub-command of sssctl shows the results of given
matching and mapping rules on a given certificate. This should help to
find suitable mapping and matching rules and to understand why a given
certificate is matched or not.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
3676a4fb by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add get_digest_list() and get_hash()

Add support to calculate hash/digest values of binary data, e.g. of a
certificate.

Resolves: https://github.com/SSSD/sssd/issues/6404

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0a906107 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: dump new attributes in sss_cert_dump_content()

Add the newly discovered certificate values, i.e. serial number, subject
key id and SID to the output of sss_cert_dump_content() which is used
e.g. by 'sssctl cert-show'.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1303c624 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add LDAPU1 mapping rules

Add mapping rule templates for the newly discovered attributes, templates
for certificate hashes and templates to select individual DN components.
To avoid issues with older versions of the library the new templates
must use the prefix LDAPU1.

:feature: New mapping templates for serial number, subject key id, SID,
          certificate hashes and DN components are added to
          libsss_certmap.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4ac53fb5 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add tests for new attributes and LDAPU1 rules

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
882f560e by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add LDAPU1 rules to man page

This patch adds the new LDAPU1 mapping rule templates to the sss-certmap
man page.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b0bdf712 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: Add documentation for some internal functions

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
cca0233e by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add support for serial number

Read the serial number of the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 3f8bc8720ff871490c6a6233b1a21bc1d2018cf1)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a2bca35c by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add support for subject key id

Read the subject key id from the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 10d977a3675a8145314edea0bebd7b9ac01eda89)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
47f3408e by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add support for SID extension

Check if the SID extension is available, read the SID and make it
available.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 9e1b711b2611e7390bcbcd4a9682dd18e71c3d72)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
8d8e3c7c by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: fix for SAN URI

The URI was not added to the list of subject alternative names.

(cherry picked from commit f293507d9f6efda9908a3ec971ce7f4eac284ae1)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6ad29f99 by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add bin_to_hex() helper function

This patch adds a helper function to format hexadecimal strings of
binary data.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit c4085c9a7d1ec54c1b830583128148a0c7b807d8)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9a45e616 by Sumit Bose at 2022-12-02T17:10:38+01:00
sssctl: add cert-eval-rule sub-command

The new 'cert-eval-rule' sub-command of sssctl shows the results of given
matching and mapping rules on a given certificate. This should help to
find suitable mapping and matching rules and to understand why a given
certificate is matched or not.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 11483f1ec046f1062df68f1544e49fd59473084e)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
3f336da4 by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add get_digest_list() and get_hash()

Add support to calculate hash/digest values of binary data, e.g. of a
certificate.

Resolves: https://github.com/SSSD/sssd/issues/6404

(cherry picked from commit 3676a4fba473b93df2b32fb143ef0b261d04d9f6)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
8a6a874b by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: dump new attributes in sss_cert_dump_content()

Add the newly discovered certificate values, i.e. serial number, subject
key id and SID to the output of sss_cert_dump_content() which is used
e.g. by 'sssctl cert-show'.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 0a906107322fffc17757480f9e540796f9f181ce)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
698d5688 by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add LDAPU1 mapping rules

Add mapping rule templates for the newly discovered attributes, templates
for certificate hashes and templates to select individual DN components.
To avoid issues with older versions of the library the new templates
must use the prefix LDAPU1.

:feature: New mapping templates for serial number, subject key id, SID,
          certificate hashes and DN components are added to
          libsss_certmap.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 1303c6241bb27ef902787dcd526aeaae3417063a)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
17142068 by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add tests for new attributes and LDAPU1 rules

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 4ac53fb5ef95cd2c94f076299aa4d3213c3c9be6)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
925d8a9f by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: add LDAPU1 rules to man page

This patch adds the new LDAPU1 mapping rule templates to the sss-certmap
man page.

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit 882f560e68a881a95d7f66745a3530176bdd0a66)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
12e39a45 by Sumit Bose at 2022-12-02T17:10:38+01:00
certmap: Add documentation for some internal functions

Resolves: https://github.com/SSSD/sssd/issues/6403

(cherry picked from commit b0bdf712eb632f94e9925d32fb703bdfd574e11d)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
72eed034 by 김인수 at 2022-12-02T17:35:32+01:00
po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

- - - - -
5bd2aa9b by Piotr Drąg at 2022-12-02T17:35:32+01:00
po: update translations

(Polish) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/pl/

- - - - -
8290b0e7 by Elena Mishina at 2022-12-02T17:35:32+01:00
po: update translations

(Russian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ru/

- - - - -
0909e8a1 by Yuri Chornoivan at 2022-12-02T17:35:32+01:00
po: update translations

(Ukrainian) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/uk/

- - - - -
f1dc6cdd by Temuri Doghonadze at 2022-12-02T17:35:32+01:00
po: update translations

(Georgian) currently translated at 7.8% (52 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ka/

- - - - -
0b467961 by 김인수 at 2022-12-02T17:35:32+01:00
po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

- - - - -
80690213 by Weblate at 2022-12-02T18:27:01+01:00
po: update translations

(Korean) currently translated at 63.5% (1657 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 62.6% (1633 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 62.0% (1618 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 62.0% (1618 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Georgian) currently translated at 7.8% (52 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 61.8% (1612 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
664a436e by Shridhar Gadekar at 2022-12-05T10:18:39+01:00
Test: gssapi test fix

minor flake8 fixes

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
464c78be by Shridhar Gadekar at 2022-12-05T10:18:41+01:00
Test: gssapi test fix

minor flake8 fixes

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 664a436e9ce758554938183d1475e7353020e495)

- - - - -
8b09c938 by Alexey Tikhonov at 2022-12-05T11:22:12+01:00
Translations: add missing `tools/sssctl/sssctl_cert.c` and macros

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64c99055 by Alexey Tikhonov at 2022-12-05T11:22:17+01:00
Translations: add missing `tools/sssctl/sssctl_cert.c` and macros

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 8b09c9387e55b177d6b1ec65afe65e354e19b96b)

- - - - -
be569b0c by Alexey Tikhonov at 2022-12-05T11:25:36+01:00
Updated .pot/.po files

- - - - -
714ababe by Alexey Tikhonov at 2022-12-06T16:08:00+01:00
BUILD: deprecate `--enable-files-domain` build option

:relnote:`--enable-files-domain` configure option is deprecated and
will be removed in one of the next versions of SSSD.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f17bb003 by Alexey Tikhonov at 2022-12-06T16:08:04+01:00
BUILD: deprecate `--enable-files-domain` build option

:relnote:`--enable-files-domain` configure option is deprecated and
will be removed in one of the next versions of SSSD.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 714ababe8c96cd3a43d3c114cf853ce4a259fd0f)

- - - - -
2fda8e7b by Tomas Halman at 2022-12-06T16:08:47+01:00
RESOLV: Configuration option for DNS search

DNS search may increase the time of name resolution significantly,
particularly when SSSD is misconfigured or the DNS server is
unreachable.

With this patch SSSD can avoid DNS search and the list
of domains from resolv.conf is ignored. To avoid DNS search in
the Kerberos library SSSD appends the dot to the server names before
they are written into the KDC info file.

:relnote: SSSD can be configured not to perform a DNS search
during DNS name resolution. This behavior is governed by the
new dns_resolver_use_search_list. This parameter can
be used in the domain section. Default value is true - that
means that SSSD follows the system settings.

Resolves: https://github.com/SSSD/sssd/issues/5390

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
99d46b2f by Tomas Halman at 2022-12-06T16:08:52+01:00
RESOLV: Configuration option for DNS search

DNS search may increase the time of name resolution significantly,
particularly when SSSD is misconfigured or the DNS server is
unreachable.

With this patch SSSD can avoid DNS search and the list
of domains from resolv.conf is ignored. To avoid DNS search in
the Kerberos library SSSD appends the dot to the server names before
they are written into the KDC info file.

:relnote: SSSD can be configured not to perform a DNS search
during DNS name resolution. This behavior is governed by the
new dns_resolver_use_search_list. This parameter can
be used in the domain section. Default value is true - that
means that SSSD follows the system settings.

Resolves: https://github.com/SSSD/sssd/issues/5390

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2fda8e7b7e71dd5ebdc7297449d3afc52ac9eb03)

- - - - -
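The two RESOLV commits above describe the mechanism in one sentence: a server name written with a trailing dot is absolute, so the resolver (and the Kerberos library reading the KDC info file) does not try each resolv.conf "search" suffix first. The following is an added example written for this page, not SSSD's own kdcinfo writer; the helper names is_ip_literal() and kdcinfo_format_entry(), the "host[:port]" line format and the bracketing of IPv6 literals are this example's assumptions. The practitioner caveat it encodes is that an IP literal must never get the dot: "10.0.0.1." is no longer a valid numeric address and would itself be handed to DNS.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SSSD's kdcinfo writer. Hypothetical helpers:
 * is_ip_literal() and kdcinfo_format_entry(). The "host[:port]" line
 * format and the IPv6 bracketing are this example's assumptions. */

/* True when name is an IPv4 or IPv6 address literal. */
static int is_ip_literal(const char *name)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, name, buf) == 1
        || inet_pton(AF_INET6, name, buf) == 1;
}

/* Write one KDC entry into out. With use_search_list == 0 a hostname is
 * made absolute by appending a dot (unless it already ends in one), so
 * the resolver does not try each resolv.conf "search" suffix first.
 * Address literals are written unchanged. Returns the snprintf() length,
 * or -1 for an empty name. */
static int kdcinfo_format_entry(char *out, size_t outlen, const char *name,
                                int port, int use_search_list)
{
    if (name == NULL || name[0] == '\0') {
        return -1;
    }
    if (is_ip_literal(name)) {
        /* bracket IPv6 so the ':' of the port stays unambiguous */
        const char *lb = strchr(name, ':') != NULL ? "[" : "";
        const char *rb = lb[0] != '\0' ? "]" : "";
        return port > 0 ? snprintf(out, outlen, "%s%s%s:%d", lb, name, rb, port)
                        : snprintf(out, outlen, "%s%s%s", lb, name, rb);
    }
    size_t n = strlen(name);
    const char *dot = (!use_search_list && name[n - 1] != '.') ? "." : "";
    return port > 0 ? snprintf(out, outlen, "%s%s:%d", name, dot, port)
                    : snprintf(out, outlen, "%s%s", name, dot);
}

/* Stand-alone demo: the same constructed server list written both ways. */
int main(void)
{
    const char *servers[] = { "kdc.example.com", "kdc2.example.com.",
                              "10.0.0.1", "2001:db8::1" };
    char line[128];
    for (int use_search = 1; use_search >= 0; use_search--) {
        printf("dns_resolver_use_search_list = %s\n", use_search ? "true" : "false");
        for (size_t i = 0; i < sizeof(servers) / sizeof(servers[0]); i++) {
            kdcinfo_format_entry(line, sizeof(line), servers[i], 88, use_search);
            printf("  %s\n", line);
        }
    }
    return 0;
}
```

Running it prints "kdc.example.com:88" under the default and "kdc.example.com.:88" when the search list is disabled, while the two address literals come out identical in both modes.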
a8b6be40 by Dan Lavu at 2022-12-07T15:46:08-05:00
Adding Ported DynDNS Testcases

This is a merged branch of the two following PRs, 6363 and 6344, which are now closed.

6344 adds the tests but they are unreliable.

6363 contains the following changes, rewriting the suite.
* change_hostname fixture would revert back to the hostname in /etc/hostname, updated fixture
* disabled DNS recursion, lookups were being forwarded to authoritative servers resulting in false passing tests
* removed ipv6 address about part of the del_record, would result in passing but the wrong thing being searched
* created a DNSAD object to search for records directly on the DNS server, stabilizing results and skipping any cache
* cleaned up the functions and code for readability

Signed-off-by: Dan Lavu <dlavu at redhat.com>

- - - - -
aac303e8 by Sumit Bose at 2022-12-09T13:22:09+01:00
p11: fix size of argument array

Currently 19 options can be set for p11_child and with a NULL at the end
the array must have 20 elements.

Resolves: https://github.com/SSSD/sssd/issues/6479

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
20037ae5 by Sumit Bose at 2022-12-09T13:22:15+01:00
p11: fix size of argument array

Currently 19 options can be set for p11_child and with a NULL at the end
the array must have 20 elements.

Resolves: https://github.com/SSSD/sssd/issues/6479

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit aac303e84b71325d3c45fa7a22f83f7f54d4b7a2)

- - - - -
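The p11 fix above (and its cherry-pick) is the classic off-by-one of a NULL-terminated argv[]: N options need N + 1 slots, and a 19-slot array holding 19 options has no room left for the terminator, so execv() reads past the end. The following is an added example for this page, not SSSD's p11_child launcher; argv_builder, argv_init, argv_add, argv_count, fill_argv and the demo_* functions are hypothetical names, the constants are taken from the commit message, and the twenty option strings are constructed input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not SSSD's p11_child launcher. Hypothetical names:
 * argv_builder, argv_init, argv_add, argv_count, fill_argv, demo_*.
 * Constants follow the commit: 19 settable options, so 19 + 1 slots. */

#define P11_MAX_OPTS  19
#define P11_ARGV_SIZE (P11_MAX_OPTS + 1)   /* +1 for the terminating NULL */

struct argv_builder {
    const char **argv;  /* caller-provided storage of cap slots */
    size_t cap;         /* slots in total, terminator included */
    size_t len;         /* options stored so far */
};

static void argv_init(struct argv_builder *b, const char **storage, size_t cap)
{
    b->argv = storage;
    b->cap = cap;
    b->len = 0;
    if (cap > 0) storage[0] = NULL;
}

/* Append one option, refusing when it would occupy the terminator's
 * slot. The array stays NULL-terminated after every successful call. */
static int argv_add(struct argv_builder *b, const char *opt)
{
    if (opt == NULL) {
        return EINVAL;
    }
    if (b->len + 1 >= b->cap) {
        return ENOSPC;   /* would leave no room for the trailing NULL */
    }
    b->argv[b->len++] = opt;
    b->argv[b->len] = NULL;
    return 0;
}

/* What execv() would see: entries up to the first NULL. */
static size_t argv_count(const char *const *argv)
{
    size_t n = 0;
    while (argv[n] != NULL) n++;
    return n;
}

/* Store nopts options into storage[cap]; stops at the first that does
 * not fit, reporting the errno-style reason in *err. Returns the count. */
static size_t fill_argv(const char **storage, size_t cap,
                        const char *const *opts, size_t nopts, int *err)
{
    struct argv_builder b;
    *err = 0;
    argv_init(&b, storage, cap);
    for (size_t i = 0; i < nopts; i++) {
        int ret = argv_add(&b, opts[i]);
        if (ret != 0) {
            *err = ret;
            break;
        }
    }
    return b.len;
}

/* Constructed input: twenty distinct option strings. */
static const char *const sample_opts[20] = {
    "--opt1",  "--opt2",  "--opt3",  "--opt4",  "--opt5",
    "--opt6",  "--opt7",  "--opt8",  "--opt9",  "--opt10",
    "--opt11", "--opt12", "--opt13", "--opt14", "--opt15",
    "--opt16", "--opt17", "--opt18", "--opt19", "--opt20"
};

/* Correct sizing: 19 options fit a 20-slot array, terminator intact. */
static size_t demo_fixed_size(void)
{
    const char *storage[P11_ARGV_SIZE];
    int err;
    size_t n = fill_argv(storage, P11_ARGV_SIZE, sample_opts, 19, &err);
    return (err == 0 && argv_count(storage) == n) ? n : 0;
}

/* The sizing the commit fixes: 19 slots for 19 options. The 19th option
 * would overwrite the terminator, so the builder stops at 18. */
static size_t demo_buggy_size(void)
{
    const char *storage[P11_MAX_OPTS];
    int err;
    size_t n = fill_argv(storage, P11_MAX_OPTS, sample_opts, 19, &err);
    return err == ENOSPC ? n : 0;
}

int main(void)
{
    printf("20-slot array holds %zu options\n", demo_fixed_size());
    printf("19-slot array safely holds %zu options\n", demo_buggy_size());
    return 0;
}
```

The builder keeps the terminator written after every append rather than once at the end, so a caller that stops early (an error halfway through option assembly) still hands execv() a terminated array.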
34d55884 by Alejandro López at 2022-12-09T13:22:39+01:00
BACKEND: Reload resolv.conf after initialization

Once the backend initialization is finished, in particular after D-Bus
is initialized, reload the resolv.conf file to retrieve any change
signaled through D-Bus before its initialization.

Resolves: https://github.com/SSSD/sssd/issues/6383

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
98412a4e by Alejandro López at 2022-12-09T13:22:45+01:00
BACKEND: Reload resolv.conf after initialization

Once the backend initialization is finished, in particular after D-Bus
is initialized, reload the resolv.conf file to retrieve any change
signaled through D-Bus before its initialization.

Resolves: https://github.com/SSSD/sssd/issues/6383

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 34d55884c6349d2c576a625bfbfcbfbc4f3c146f)

- - - - -
81eb0606 by Madhuri Upadhye at 2022-12-09T13:23:51+01:00
Tests: Minor fixes for alltests

Enable files domain.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
5b7a4b4f by Madhuri Upadhye at 2022-12-09T13:23:57+01:00
Tests: Minor fixes for alltests

Enable files domain.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit 81eb0606d5ea1ce79c0fdd1d71784bb01a682e03)

- - - - -
4a658e6c by aborah-sudo at 2022-12-09T13:24:19+01:00
Tests: port proxy_provider/rfc2307bis

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307bis

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
16c814ad by aborah-sudo at 2022-12-09T13:24:25+01:00
Tests: port proxy_provider/rfc2307bis

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307bis

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4a658e6ccf7a3b2cd5fb9d1827d0caec6b8dc961)

- - - - -
7c5dd878 by Weblate at 2022-12-09T13:25:51+01:00
po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Japanese) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

- - - - -
5d4f9dfd by Weblate at 2022-12-09T13:30:10+01:00
po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (704 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/zh_CN/

po: update translations

(Ukrainian) currently translated at 100.0% (704 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/uk/

po: update translations

(Korean) currently translated at 100.0% (704 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

po: update translations

(Korean) currently translated at 100.0% (704 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

po: update translations

(Japanese) currently translated at 100.0% (704 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ja/

po: update translations

(French) currently translated at 100.0% (704 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/fr/

po: update translations

(Ukrainian) currently translated at 100.0% (704 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/uk/

po: update translations

(Korean) currently translated at 96.4% (679 of 704 strings)
Translation: SSSD/SSSD-2-8
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-8/ko/

- - - - -
c6053c43 by Pavel Březina at 2022-12-09T13:35:31+01:00
pot: update pot files

- - - - -
37f934f2 by Pavel Březina at 2022-12-09T13:38:26+01:00
pot: update pot files

- - - - -
796b6dae by Pavel Březina at 2022-12-09T13:39:40+01:00
Release sssd-2.8.2

- - - - -
153b1c91 by Jakub Vavra at 2022-12-15T20:02:03+01:00
Tests: Add mark tier1_4 so pytest is not throwing warnings.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f43d8c9a by Pavel Březina at 2022-12-15T21:13:31+01:00
ci: increase timeout for covscan

Covscan task started recently taking more than six hours to finish.
Six hours is the default timeout and maximum limit for github-hosted
runner but we can increase it for self-hosted runner.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
24a53663 by Shridhar Gadekar at 2022-12-15T21:15:21+01:00
Tests: port bash idmap testcase to pytest

Adding return messages and backup/restore of sssd

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
7e8b97c1 by Pavel Březina at 2022-12-16T12:10:55+01:00
ldap: update shadow last change in sysdb as well

Otherwise pam can use the changed information when id caching is
enabled, so next authentication that fits into the id timeout
(5 seconds by default) will still see the password as expired.

Resolves: https://github.com/SSSD/sssd/issues/6477

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
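The ldap commit above is about which copy of shadowLastChange the PAM responder reads: if only the server copy is updated after a password change, the cached copy still places the last change in the past and the ageing check keeps reporting the password as expired for the life of the cache entry. The following is an added example for this page, not SSSD code: the shadow(5) ageing arithmetic that consumes shadowLastChange, evaluated once against a stale cached value and once against the freshly written one. shadow_policy, shadow_check, days_since_epoch and demo_cached_vs_fresh are hypothetical names, and day 19700 (2023-12-09) with the 100-day-old cached value is constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added example, not SSSD code: the shadow(5) password-ageing check that
 * consumes shadowLastChange. shadow_policy, shadow_check, days_since_epoch
 * and demo_cached_vs_fresh are hypothetical names. */

enum shadow_state { SHADOW_OK, SHADOW_WARN, SHADOW_EXPIRED, SHADOW_MUST_CHANGE };

struct shadow_policy {
    int64_t last_change; /* shadowLastChange: days since 1970-01-01, 0 = must change, <0 = unset */
    int64_t max_days;    /* shadowMax: maximum password age in days, <0 = unlimited */
    int64_t warn_days;   /* shadowWarning: days before expiry to start warning, <0 = never */
};

static int64_t days_since_epoch(time_t now)
{
    return (int64_t)(now / 86400);
}

static enum shadow_state shadow_check(const struct shadow_policy *p, int64_t today)
{
    if (p->last_change == 0) {
        return SHADOW_MUST_CHANGE;   /* shadow(5): 0 forces a change at next login */
    }
    if (p->last_change < 0 || p->max_days < 0) {
        return SHADOW_OK;            /* ageing disabled */
    }
    int64_t expires = p->last_change + p->max_days;
    if (today > expires) {
        return SHADOW_EXPIRED;
    }
    if (p->warn_days >= 0 && today >= expires - p->warn_days) {
        return SHADOW_WARN;
    }
    return SHADOW_OK;
}

/* The situation in the commit: the password was changed today, so the
 * server's shadowLastChange equals today, but the cached entry still
 * carries the old value. Both are judged against the same "today"
 * (constructed: day 19700, i.e. 2023-12-09). */
static enum shadow_state demo_cached_vs_fresh(int use_fresh)
{
    const int64_t today = 19700;
    struct shadow_policy cached = { today - 100, 90, 7 }; /* stale: 100 days old */
    struct shadow_policy fresh  = { today, 90, 7 };       /* updated on change */
    return shadow_check(use_fresh ? &fresh : &cached, today);
}

int main(void)
{
    static const char *names[] = { "ok", "warn", "expired", "must-change" };
    printf("today is day %lld\n", (long long)days_since_epoch(time(NULL)));
    printf("cached shadowLastChange -> %s\n", names[demo_cached_vs_fresh(0)]);
    printf("fresh  shadowLastChange -> %s\n", names[demo_cached_vs_fresh(1)]);
    return 0;
}
```

With shadowMax = 90 the stale value (100 days old) evaluates to expired while the fresh value evaluates to ok, which is exactly the difference the commit closes by writing the new value to sysdb as well.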
ddd85f95 by Shridhar Gadekar at 2022-12-20T13:15:52+01:00
Tests: change tier of dyndns tests

dropping dyndns from gating, till tests are
stable

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
02bdef7d by MCJ Vasseur at 2022-12-20T17:57:09+01:00
Fix typo (pasword -> password)

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2fa80dbd by Shridhar Gadekar at 2022-12-23T14:25:10+05:30
Dropping idmap

Test is unstable, moving out of gating for
further investigation

- - - - -
08784536 by Tomas Halman at 2022-12-23T11:49:18+01:00
cfg_rules.ini update

The option krb5_realm was listed twice. The option krb5_kdcinfo_lookahead
was missing.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c4ea2851 by Jakub Vavra at 2022-12-23T11:53:12+01:00
Tests: Move some less important scenarios from tier 1 to tier 2.

Skip test_0015_ad_parameters_ad_hostname_machine on multiarch
as it is unstable there.
Move test_0002_improved_use_negative_sid_for_sid_lookup to tier 2
as it is unstable so it does not block gating.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e1260728 by Sergio Durigan Junior at 2023-01-03T16:35:56-05:00
d/rules: Fix 'find' syntax to remove '*.egg-info' files/directories.

Closes: #1026490

- - - - -
edc62ebe by Sergio Durigan Junior at 2023-01-03T16:36:05-05:00
Update changelog for 2.8.1-2 release

- - - - -
42842c16 by Shridhar Gadekar at 2023-01-05T13:30:47+01:00
TESTS: bz2110091 sssd starting offline after reboot

changing tier. logs and cache are cleared.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
0da99b73 by Alejandro López at 2023-01-05T13:31:34+01:00
SDAP: Fixed header file

The sdap_access.h header file was not including the sdap_id_op.h
header file it depends on.
Build worked because sdap_id_op.h happened to be always included before
sdap_access.h.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
11dab864 by Alejandro López at 2023-01-05T13:31:34+01:00
PAM: Localize some forgotten words.

The units (days, hours, minutes) were not localized although they were
used in a localized sentence.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
475052a2 by Alejandro López at 2023-01-05T13:31:34+01:00
LDAP: Moved and renamed set_access_rules()

Function set_access_rules() was renamed to sdap_set_access_rules(),
moved from ldap_init.c to sdap_access.c and made public.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ae74a9d1 by Alejandro López at 2023-01-05T13:31:34+01:00
IPA: Add password expiration warning when using ssh keys

When using IPA as access provider, it now reads the ipa_access_order
parameters from the configuration and, among others, it can process
the pwd_expire_policy_warn.

The accepted values for ipa_access_order are:
- expire (default)
- pwd_expire_policy_reject
- pwd_expire_policy_warn
- pwd_expire_policy_renew

There is no ipa_pwd_policy parameter. Internally it is forced to the only
accepted value: mit-kerberos.

Resolves: https://github.com/SSSD/sssd/issues/5080

:config: ipa_access_order parameter introduced. It behaves much like
ldap_access_order but affecting IPA domains (id_provider = ipa) and
accepting limited values. Please see sssd-ipa(5) for more information.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
be84d6ee by Alejandro López at 2023-01-05T13:31:34+01:00
PAM: Warn that the password has expired when using ssh keys

When using ssh keys and the LDAP_ACCESS_EXPIRE_POLICY_WARN flag,
the user is notified if the password is about to expire, but
nothing was said if the password had already expired.
This patch introduces a message when the password has expired.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ede02a20 by Alejandro López at 2023-01-05T13:31:34+01:00
MAN: Cosmetic changes to sssd-ldap.5

Three values of ldap_access_order are presented as an itemized list.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cfd71fec by Alejandro López at 2023-01-05T13:45:09+01:00
MONITOR: Move the file monitoring code to util.

Everything still works as before, but now the code used in sssd to
monitor resolv.conf is moved to a separate file (util/file_watch.c)
and everything is more loosely coupled.

This is in preparation to move the monitoring to the backends.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
d4e57447 by Alejandro López at 2023-01-05T13:45:09+01:00
TESTS: Add a test for file-watch

New tests using the file watching feature with both inotify and
polling.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e1c0af26 by Alejandro López at 2023-01-05T13:45:09+01:00
MAN PAGES: Make try_inotify dependent on HAVE_INOTIFY.

When HAVE_INOTIFY is not defined (inotify not present), the description
of try_inotify in sssd.conf.5 man page will only tell that this is not
used in systems without inotify.

If HAVE_INOTIFY is defined, the full description is provided.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
fadd8eb6 by Alejandro López at 2023-01-05T13:45:09+01:00
BACKEND: Move resolv.conf watching to the backends

Moved from the monitor, which no longer reads the file nor
notifies the backends they must read it.

The file is now monitored by the backends and read immediately
after start watching it.

Resolves: https://github.com/SSSD/sssd/issues/6383

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2e3fa180 by Alejandro López at 2023-01-05T13:45:09+01:00
D-BUS: Remove resInit() method from sssd.services

This method was used by the monitor to tell the backends to reload
/etc/resolv.conf when it detected a change in the file. It is no longer
used as the backends now watch resolv.conf by themselves.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c97d9275 by Alejandro López at 2023-01-05T13:45:09+01:00
FILE WATCH: Get rid of parent_ctx

parent_ctx pointed to the memory context to use for the timers.
It pointed to the file_watch_ctx which contained it, so better use
the file_watch_ctx and avoid having an extra field, and having to
pass the memory context as a parameter.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
729c1fc2 by Alejandro López at 2023-01-05T13:45:09+01:00
FILE WATCH: Simplify watching on missing files.

This code is needlessly repeated in fw_watch_file() and missing_file(),
and it's enough to simply call missing_file(). But since now this
function is used even before knowing whether the file exists, it is
better to rename it to set_file_watching().

A side effect of this is that watch_file() (which ends up calling
inotify_add_watch()) returns EOK even when the file is missing,
and thus the callback is invoked once. Considering that the flag
IN_CREATE was always passed to inotify_add_watch(), I think this
could have been hidden by the old code.

Polling for the file creation is no longer used when inotify is used.
But because it is still required when inotify fails to initialize (not
installed) or use_inotify is set to false, this code cannot be removed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
29326450 by Alexey Tikhonov at 2023-01-06T20:15:51+01:00
SBUS: don't call `dbus_server_get_address(NULL)`

Resolves: https://github.com/SSSD/sssd/issues/6465

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ffcadcd1 by Timo Aaltonen at 2023-01-10T16:43:04+02:00
Merge branch 'upstream'

- - - - -
b6953e55 by Timo Aaltonen at 2023-01-10T16:43:44+02:00
version bump

- - - - -
44da1a91 by Sam Morris at 2023-01-12T13:03:45+00:00
Ship libsubid_sss.so in sssd-common package

- - - - -
76c7fa46 by aborah at 2023-01-13T08:59:18+01:00
Tests: make corresponding tests capture SSSD logs

To capture sssd logs in IDM-CI incase of sssd test failure.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
8cda19e2 by Shridhar Gadekar at 2023-01-13T08:59:47+01:00
Tests: bz2128840 automation

minor indentation fix

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
2bd0c249 by Sargun Narula at 2023-01-13T09:00:14+01:00
Tests: Ported Bash-krb-access-provider to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a5176f4d by aborah at 2023-01-13T09:00:37+01:00
Tests: SSSD: `sssctl analyze` command shouldn't require 'root' privileges

`sssctl analyze` command shouldn't require 'root' privileges when run with `--logdir`
pointing to otherwise accessible files.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
067c550c by Jakub Vavra at 2023-01-13T09:00:55+01:00
Tests: Test for bz2144491 UPN mismatch

UPN check cannot be disabled explicitly but requires krb5_validate = false as a work-around
Bugzilla:
 - https://bugzilla.redhat.com/show_bug.cgi?id=2148737
 - https://bugzilla.redhat.com/show_bug.cgi?id=2144491
 - https://bugzilla.redhat.com/show_bug.cgi?id=2148989
 - https://bugzilla.redhat.com/show_bug.cgi?id=2148988

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4e600d9b by Alexey Tikhonov at 2023-01-13T18:20:54+01:00
Added a number of missing new lines.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
723872f3 by Iker Pedrosa at 2023-01-14T00:35:01+01:00
CI: remove flake8 action

When a new issue is found, the action is unable to report it properly in
the PR and it fails.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b631c317 by Alexey Tikhonov at 2023-01-16T13:08:48+01:00
MAN: mention `attributes` in 'see also'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
08ccd23f by Alexey Tikhonov at 2023-01-16T13:09:26+01:00
SSS_CLIENT: delete key in lib destructor

pthread_key_delete() disables thread at-exit destructors.
Otherwise an attempt to execute already unloaded `sss_at_thread_exit()`
would trigger segfault.

This doesn't solve an issue with leaking on `dlclose()` FDs initialized in
multiple threads, but better than crash.

Resolves: https://github.com/SSSD/sssd/issues/6505

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
927fa843 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: register discoverable credentials

Apart from server-side credentials passkey should also register
discoverable credentials. Thus, a new argument has been added to select
the credential type. Moreover, the user id is also printed. Example:
passkey:credentialId,pemPublicKey,userId

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62654e25 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: user id for discoverable credentials

If the credential is discoverable, then print the user id.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd02f637 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: fix uninitialized variable

616 in authenticate()
610             goto done;
611         }
612
613         ret = FIDO_OK;
614
615     done:
>>>     CID 377752:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "pk_data.type" when calling "reset_public_key".
616         reset_public_key(&pk_data);
617         if (dev != NULL) {
618             fido_dev_close(dev);
619         }
620         fido_dev_free(&dev);
621         fido_assert_free(&assert);
622         fido_dev_info_free(&dev_list, dev_list_len);
623
624         return ret;

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7caf2da3 by Dan Lavu at 2023-01-17T11:17:12-05:00
Fixing dyndns tests

The server may not update DNS right away, updated the function to
perform a lookup for up to 5 minutes, otherwise the test will fail.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

- - - - -
4e9c2fdb by Shridhar Gadekar at 2023-01-19T12:09:05+01:00
TESTS: clean up group delete fix

from correct 'ou' group object deletion fix

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
5021d239 by aborah at 2023-01-19T12:09:34+01:00
Tests: Fix minor error in root privilege test

mkdir: cannot create directory ‘/tmp/sssd’: File exists

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
718afc29 by Florence Blanc-Renaud at 2023-01-26T12:54:47+01:00
Passkey: flush stdout

IPA command "ipa user-add-passkey --register" reads the output
of passkey_child line by line in order to re-print the useful
messages and extract the generated passkey.
Flush stdout so that ipa gets the messages without delay.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
501e05f4 by Alexey Tikhonov at 2023-01-26T12:55:06+01:00
BUILD: remove `--enable-files-domain` build option

:relnote:Previously deprecated `--enable-files-domain` configure option
was removed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6b048a6a by Alexey Tikhonov at 2023-01-26T12:55:06+01:00
INTG TESTS: make `get_call_output()` respect `check` arg for Python < 3.7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
708a924a by Jakub Vavra at 2023-02-01T14:20:55+01:00
Tests: Changes to the version handling and fixture create_testdir.

Function package_mgmt was not handling RHEL 9 properly.
service_sssd was doing exactly nothing on RHEL 9.
Fixture create_testdir was needlessly iterating lists via indexes
and duplicating code.
Removed some useless elses after return.
Fixed import order.
Switched to f-strings.
Disabled some pylint warnings.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
32a8b953 by Jakub Vavra at 2023-02-01T14:20:55+01:00
Tests: Optimize winhost properties

QeWinHost class had properties that were repeatedly calling command line commands.
This was slow, inefficient and created mess in the test logs.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
7a68ed1f by aborah at 2023-02-02T11:50:22+01:00
Tests: Fix ipa tests wrong ipa_client_ip

Fix ipa tests wrong ipa_client_ip

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d249154c by Shridhar Gadekar at 2023-02-02T11:53:34+01:00
Test: porting of failing rfc2307bis testcase

change to tier1_4

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
c0b394ab by Pavel Březina at 2023-02-02T12:02:34+01:00
sudo: skip smart refresh if it happens inside full refresh

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc4f0399 by Jakub Vavra at 2023-02-02T14:40:11+01:00
Tests: Fix incorrect distro parsing in qe_class on Fedora.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
13d420ca by aborah at 2023-02-09T07:19:54+01:00
Tests: Fix test test_0017_filesldap

Logs string has changed.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
4138b0a7 by Justin Stephenson at 2023-02-09T13:11:10+01:00
MAN: ldap_group_name enhancement with nested groups

Resolves: https://github.com/SSSD/sssd/issues/6544

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fe67123c by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: Extracted code checking 'inherit_from'

Extracted the code checking that 'inherit_from' is not present in a
domain section from custom_sssd_checks() to its own function named
check_domain_inherit_from().

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1911ad64 by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: Function always returns EOK

The function custom_sssd_checks() ignored the error codes and always
returned EOK. Now it returns the corresponding error code.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
255d9f6e by Alejandro López at 2023-02-09T13:11:34+01:00
CHECK-CONFIG: id_provider is now mandatory

For domains, the presence of 'id_provider' was accepted but no other
check was done. In particular, this option is mandatory and has a
limited set of accepted values. These changes introduce those checks.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f604d033 by Alejandro López at 2023-02-09T13:11:34+01:00
TESTS: Test mandatory id_provider

Adapted the existing tests for the mandatory 'id_provider' and
created a test for the case when 'id_provider' is missing.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f283248f by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: inherit_from is not a typo

The error message asked the user if introducing `inherit_from`
in a domain was a typo. This is an error but not a typo.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
53c8e8f0 by Dan Lavu at 2023-02-13T12:54:46+01:00
Removing unnecessary restart

This allows us to do minimal changes to run existing tests, not as
the root user. Testing the non root feature of SSSD. Adding an
ansible play that creates a stub configuration file in /etc/sssd/conf.d/
i.e. /etc/sssd/conf.d/nonroot.conf containing

[sssd]
user = sssd

This sssd restart happens before SSSD is configured and when it contains
the stub file, it is an invalid configuration.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
3dfc82a0 by aborah at 2023-02-13T12:56:17+01:00
Tests: Fix subidranges test

Add removal of maps.sh and unshare.pid

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6ffd46d1 by Alexey Tikhonov at 2023-02-13T12:57:05+01:00
MAN: remove "experimental" notice off LDAP access control based on NDS attributes.

It's there since 37e7e93f1996cf50677cf59fd8af6938dd5d85b2,
clearly not "experimental" anymore.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
aa5c0c9c by Alexey Tikhonov at 2023-02-13T12:57:05+01:00
BUILD: remove long time unused '--enable-all-experimental-features'

It hasn't been used since b2f9e5b7d553172401a340eb4a9c3abda6b5db43

:relnote: Long time unused '--enable-all-experimental-features'
configure option was removed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0b8638d8 by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
SSS_CLIENT: fix error codes returned by common read/write/check helpers.

It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
error condition is detected, regular `POLLIN/POLLOUT` won't be set.
Error code set by error condition should have a priority. This enables
users of this helper to retry attempt (as designed).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ef93284b by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
SSS_CLIENT: if poll() returns POLLNVAL then socket is already closed (or wasn't open) so it shouldn't be closed again. Otherwise there is a risk to close "foreign" socket opened in another thread.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
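The two SSS_CLIENT commits above state two rules for a poll()-based client helper: an error condition reported in revents must take priority over a simultaneous POLLIN/POLLOUT, and POLLNVAL means the descriptor is not open, so it must not be close()d again (the fd number may already belong to another thread). The following is an added illustration of those rules, not SSSD's own code; the names classify_revents, should_close_socket, the sock_state enum and the two demo functions are hypothetical, and the demos build a constructed AF_UNIX socketpair so they run offline on Linux.

```c
#include <poll.h>
#include <stdbool.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (added example, not SSSD's own code). */
enum sock_state {
    SOCK_READY = 0,   /* the requested I/O event is available */
    SOCK_NOT_READY,   /* nothing yet; keep polling or time out */
    SOCK_ERROR,       /* POLLERR or POLLHUP: close, then reconnect and retry */
    SOCK_INVALID      /* POLLNVAL: fd not open; reconnect but do NOT close it */
};

/* Classify the revents bits from poll() given the events we asked for. */
enum sock_state classify_revents(short revents, short wanted)
{
    /* A closed fd number may meanwhile have been reused by another thread
     * for an unrelated descriptor, so this case is reported separately. */
    if (revents & POLLNVAL) {
        return SOCK_INVALID;
    }
    /* On Linux a hung-up stream socket reports POLLIN together with
     * POLLHUP; the error condition must win, otherwise the caller would
     * try to read from a dead socket instead of reconnecting. */
    if (revents & (POLLERR | POLLHUP)) {
        return SOCK_ERROR;
    }
    if (revents & wanted) {
        return SOCK_READY;
    }
    return SOCK_NOT_READY;
}

/* Only an error on an open descriptor justifies close(); an invalid
 * descriptor must be left alone. */
bool should_close_socket(enum sock_state st)
{
    return st == SOCK_ERROR;
}

/* Demo on a constructed socketpair: the peer end is closed before we poll,
 * which on Linux yields POLLIN|POLLHUP on the surviving end. */
enum sock_state demo_peer_closed(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        return SOCK_NOT_READY;
    }
    close(sv[1]);
    struct pollfd pfd = { .fd = sv[0], .events = POLLIN, .revents = 0 };
    enum sock_state st = SOCK_NOT_READY;
    if (poll(&pfd, 1, 1000) > 0) {
        st = classify_revents(pfd.revents, POLLIN);
    }
    /* In this demo the error case is the expected outcome. */
    if (should_close_socket(st)) {
        close(sv[0]);
    }
    return st;
}

/* Demo: polling a descriptor that was already closed reports POLLNVAL. */
enum sock_state demo_already_closed(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        return SOCK_NOT_READY;
    }
    close(sv[0]);
    close(sv[1]);
    struct pollfd pfd = { .fd = sv[0], .events = POLLIN, .revents = 0 };
    if (poll(&pfd, 1, 0) <= 0) {
        return SOCK_NOT_READY;
    }
    return classify_revents(pfd.revents, POLLIN);
}
```

The ordering inside classify_revents is the whole point: checking `revents & wanted` first would report a hung-up socket as readable, and closing on SOCK_INVALID would risk closing an fd that another thread has since opened.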
bf3f73ea by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
PAM_SSS: close(sss_cli_sd) should also be protected with mutex. Otherwise a thread calling pam_end() can close socket mid pam transaction in another thread.

Bug only manifested on platforms where "lockfree client"
feature wasn't built.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7fb89ab0 by Sumit Bose at 2023-02-13T12:58:31+01:00
passkey: do not copy more than received

Since buf is not initialized to 0 talloc_strdup() might actually copy
more data than was received.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
954554b9 by Timo Aaltonen at 2023-02-14T17:40:43+02:00
releasing package sssd version 2.8.2-1

- - - - -
88d5c204 by Timo Aaltonen at 2023-02-14T17:47:51+02:00
Merge remote-tracking branch 'origin/master'

- - - - -
083934b4 by Timo Aaltonen at 2023-02-14T17:48:30+02:00
releasing package sssd version 2.8.2-2

- - - - -
4e654005 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
PAM: removed outdated comment

Comment wasn't relevant since 5dccf76aff8ac5b4adf000c8b701a7a9fae506c2

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c55bb397 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
Use `is_files_provider()` helper where possible.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8e75bb61 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
RESPONDERS: get rid of `NEED_CHECK_PROVIDER` helper

Since implementation of "local" provider was removed, the only
provider that doesn't need to "check provider" is "files provider".

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6ba0187e by Sumit Bose at 2023-02-17T15:01:40+01:00
certmap: fix to handle ediPartyName

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ced32c44 by Sumit Bose at 2023-02-17T15:01:40+01:00
certmap: Handle type change of x400Address

Due to CVE-2023-0286 the type of the x400Address member of the
GENERAL_NAME struct was changed from ASN1_TYPE to ASN1_STRING. The
following patch tries to make sure that the x400Address can be extracted
from the certificate in either case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
d4f7ed69 by Alexey Tikhonov at 2023-02-17T15:02:26+01:00
MONITOR: fix `socket_activated` flag initialization

When socket activated service connects for the first time, it is added to
`mt_ctx->svc_list` by `socket_activated_service_not_found()` with a proper
`socket_activated = true`.
But when it reconnects again, `get_service_in_the_list()` finds it in
`mt_ctx->svc_list` and overwrites `socket_activated = false` unconditionally.
This patch moves `socket_activated = false` to `start_service()`.

Resolves: https://github.com/SSSD/sssd/issues/6324

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
59d2f945 by Pavel Březina at 2023-02-17T15:03:26+01:00
fix missing new line in sss_iface.c and docstrings.rst

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f44e5864 by Pavel Březina at 2023-02-17T15:04:28+01:00
tests: fix all flake8 issues

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b08bfaa1 by Gioele Barabucci at 2023-02-18T01:06:31+01:00
d/libnss-sss.nss: Update to `database-add`

The `database` directive is called `database-add` since dh-nss 1.7.

- - - - -
becf043d by Gioele Barabucci at 2023-02-18T01:06:31+01:00
d/libsss-sudo.nss: Install `sss` service for sudoers via dh-nss

- - - - -
28b2b997 by Gioele Barabucci at 2023-02-18T01:06:31+01:00
d/libsss-sudo.post{inst,rm}: Remove now that the services are installed via dh-nss

- - - - -
5b72fb61 by Sam Morris at 2023-02-20T08:07:01+00:00
sssd-common: add lintian overrides for libsubid_sss.so

- - - - -
3f577855 by Gioele Barabucci at 2023-02-20T08:11:51+00:00
d/sssd-common.nss: Use new directive name `database-add`

The directive `database` has been renamed in dh-nss v1.7 to
`database-add`, with no semantic changes.

- - - - -
af30288c by Gioele Barabucci at 2023-02-20T08:13:18+00:00
Install dbus policy in /usr instead of /etc

sssd-dbus installs the `org.freedesktop.sssd.infopipe.conf` policy
in `/etc/dbus-1`. Since Debian 9 the standard directory for
package-installed dbus policies is `/usr/share/dbus-1`.

See: https://bugs.debian.org/1006631

Fixes: lintian: dbus-policy-in-etc

Closes: #1031547

- - - - -
61f1b893 by Sargun Narula at 2023-02-23T09:20:04+01:00
Tests: Ported Bash-krb-fast-principal to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
66687d8c by aborah at 2023-02-23T09:20:37+01:00
Tests: Port bz785908 and bz785898

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L424
https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L300

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
173d0867 by aborah at 2023-02-23T09:21:04+01:00
Tests: Port Thread issue can cause the application to not get any identity information bz847043

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL9.2/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L774

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
a75557b7 by Shridhar Gadekar at 2023-02-23T09:23:27+01:00
Test: porting bash range_retrieval to pytest

removing unused import

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
bd803bf6 by Pavel Březina at 2023-02-23T15:28:01+01:00
nssidmap: add getsidbyusername and getsidbygroupname

:feature: NSS IDMAP has two new methods: `getsidbyusername` and
  `getsidbygroupname`

Resolves: https://github.com/SSSD/sssd/issues/6565

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b763f128 by Timo Aaltonen at 2023-02-26T16:35:54+02:00
releasing package sssd version 2.8.2-3

- - - - -
9f8e7115 by Alexey Tikhonov at 2023-02-28T21:47:32+01:00
MAN: describe security risk of `cache_credentials`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ce24d38 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
UTILS: missing domain in `sss_parse_name()` input isn't SSSDBG_CONF_SETTINGS

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f5787878 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
NSS: empty result of `..._group_by_origgid()` isn't an error

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
e5fba8f9 by Alexey Tikhonov at 2023-02-28T22:05:43+01:00
TESTS: fix compilation issue with musl libc

Resolves: https://github.com/SSSD/sssd/issues/6487

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
97c671e4 by aborah at 2023-03-02T13:41:47+01:00
Tests: Port automount bash tests to pytest

https://gitlab.cee.redhat.com/aborah/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/automount

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
97e040f9 by Jakub Vavra at 2023-03-03T12:51:04+01:00
Tests: Set cryptopolicy for master for AD fips tests.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
61d6030b by Sargun Narula at 2023-03-03T12:51:34+01:00
Added entry for krb_access_provider in readme.rst

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
fb5a300b by Justin Stephenson at 2023-03-03T12:52:04+01:00
passkey: Add configuration options

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fbbe9ba3 by Justin Stephenson at 2023-03-03T12:52:04+01:00
authtok: Add Passkey type

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
57152761 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Add new option ldap_user_passkey

Retrieve user passkey mapping data from the below LDAP attributes:

IPA: ipaPasskey
AD: altSecurityIdentities
LDAP: passkey

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3f24aa71 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Extend IPA config search

Allow providing a custom search filter and search base, enabling this API to also
retrieve passkey configuration objects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ec677493 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Add DNS Domain name to struct sss_domain_info

dns_name string will be populated for IPA and AD domains

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ea9bcab6 by Justin Stephenson at 2023-03-03T12:52:05+01:00
IPA Retrieve passkey configuration

Retrieve the require user verification value (on/off/default) from
the IPA passkey configuration.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b92ff263 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Call the passkey helper binary

When passkey auth is enabled, call the passkey child to interact
with the passkey device.

Resolves: https://github.com/SSSD/sssd/issues/6558

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f8fe399 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Support Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64f98463 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey (Pre)auth

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
938676a3 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64aa2672 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Add destructor for passkey pin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5a22aefb by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Covscan NULL check for cache req result domain

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7356881c by Alexey Tikhonov at 2023-03-07T20:49:52+01:00
SDAP: removed leftovers after 65bd6bf05d75c843e525f8bf89e9b75b02a2bfb7

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a9bc94f0 by Alexey Tikhonov at 2023-03-07T20:50:17+01:00
INTG-TESTS: add missing files to Makefile.am

Resolves: https://github.com/SSSD/sssd/issues/6588

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5c83deb5 by bluikko at 2023-03-07T20:50:47+01:00
src/util/domain_info_utils.c: fix typo

Typo in libdefaults typed as kibdefaults.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
47f82a41 by Gioele Barabucci at 2023-03-07T20:51:17+01:00
Makefile: Install dbus policy in /usr, not /etc

From <https://bugs.debian.org/1006631>:

> dbus supports policy files in both `/usr/share/dbus-1/system.d` and
> `/etc/dbus-1/systemd`. [The] recently released dbus 1.14.0, officially
> deprecates installing packages' default policies into `/etc/dbus-1/systemd`,
> instead reserving it for the sysadmin. This is the same idea as the
> difference between `/usr/lib/udev/rules.d` and `/etc/udev/rules.d`.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
067cc5cc by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
BUILD: make "files provider" build configurable

:relnote:"Files provider" (i.e. `id_provider = files`) is deprecated and
might be removed in further releases. Those who are interested to keep
using it awhile should configure its build explicitly using
`--with-files-provider` ./configure option. Or consider using "Proxy
provider" with "proxy_lib_name = files" instead.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
978ef179 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
UTILS: force inline `is_files_provider()`

This hopefully will ensure that compiler optimizer will remove unused
code that depends on `if (is_files_provider())` branch in case files
provider isn't built.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c53390a8 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
DP: warn loudly if config uses 'files' when support wasn't built

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8962eaca by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
INTG-TESTS: enable '--with-files-provider'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e623fac7 by Timotej Lazar at 2023-03-09T11:25:21+01:00
tests: use echo instead of /bin/echo in Makefile

The binary might be somewhere else or not available at all during build.
No special features are needed so the shell builtin is enough.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9fd8da28 by Sargun Narula at 2023-03-09T11:25:59+01:00
Fixed domainname value in krb_ldap_connection

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
34f1c222 by SargunNarula at 2023-03-09T11:25:59+01:00
Reused sssdTools Instance

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
30daa0cc by Iker Pedrosa at 2023-03-09T11:27:30+01:00
spec: update to include passkey

Update the spec file to include the passkey feature. Made it
configurable so that it can be disabled, added the dependencies and the
passkey subpackage, and also included the passkey_child.

:feature: New passkey functionality, which will allow the use of FIDO2
          compliant devices to authenticate a centrally managed user
          locally. Moreover, in the case of a FreeIPA user, it will also
          issue a Kerberos ticket automatically.
:packaging: Include passkey subpackage and dependency for libfido2.
:config: New options to enable and tune passkey behaviour:
         'pam_passkey_auth', 'passkey_verification',
         'passkey_child_timeout', 'interactive', 'interactive_prompt',
         'touch' and 'touch_prompt'.

Resolves: https://github.com/SSSD/sssd/issues/6228
Relates: https://github.com/SSSD/sssd/issues/6551

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
712377ea by Pavel Březina at 2023-03-09T11:28:34+01:00
tests: add system tests using pytest-mh framework

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9145544f by Jakub Vavra at 2023-03-10T09:28:16+01:00
Tests: Add a remedy for a missing multihost_dir.

Move the create_testdir fixture to fixtures.py and make sure that it is used.
Extend it to create testdir and env.sh also on windows machines.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
50a3a191 by Justin Stephenson at 2023-03-10T09:29:17+01:00
Passkey: Use correct User verification comparison

IPA require user verification configuration value changed from
"on, off, omit" to a boolean value of "True" or "False".

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1c55f0d4 by Jakub Vavra at 2023-03-13T10:40:18+01:00
Tests: Refactor join ad.

Refactored pieces for joining and leaving AD to reuse more code.
Changed realm join to use DC instead of realm to mitigate machines on different
networks that breaks auto-discovery.
Lock resolv.conf so it is not broken by cloud-init after machine reboot.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
80d28bab by Jakub Vavra at 2023-03-13T12:59:58+01:00
Tests: Make sure that session_multihost.ad is always available.

We need it to be defined at least as an empty list so we do not get an
AttributeError when we try to iterate over it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
cc0545b4 by aborah at 2023-03-22T10:20:11+01:00
Tests: Port Bash Password Policy to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.7/client/ldap_provider/ldap_id_ldap_auth/password_policy.sh

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
96a0e9fb by David Härdeman at 2023-03-23T10:36:56+01:00
LDAP: Handle MIT LDAP KDB password expiry

Currently SSSD only treats a missing krbPasswordExpiration attribute as
an indication that a given password never expires (which is how the
FreeIPA KDB plugin handles the expiry). The MIT implementation, however,
treats *either* a missing attribute *or* a zero attribute as meaning that
the password doesn't expire.

$ kadmin getprinc bob
Principal: bob at EXAMPLE.COM
...
Password expiration date: [never]
...
$ ldapsearch -Z -x -LLL "(uid=bob)" | grep krbPasswordExpiration
krbPasswordExpiration: 19700101000000Z

Note that 19700101000000Z == (time_t)0

Resolves: https://github.com/SSSD/sssd/issues/6612

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
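The LDAP commit above hinges on one detail: the MIT KDB stores "never expires" as krbPasswordExpiration: 19700101000000Z, which is (time_t)0, while FreeIPA simply omits the attribute, so a client that only checks for a missing attribute would treat every MIT principal's password as expired at the epoch. The following is an added example, not SSSD's own code, of how an LDAP client can handle both conventions; the function names, the pw_expiry enum and the sample values are hypothetical, and the GeneralizedTime parser deliberately accepts only the strict YYYYMMDDHHMMSSZ form shown in the commit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not SSSD's own code. */
enum pw_expiry {
    PW_NEVER_EXPIRES = 0,  /* attribute absent, or 19700101000000Z */
    PW_EXPIRES_AT,         /* a real timestamp; compare against now */
    PW_INVALID             /* malformed value: report it, never assume "never" */
};

/* Days since 1970-01-01 for a proleptic Gregorian date
 * (Howard Hinnant's days_from_civil; avoids the non-portable timegm()). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int two_digits(const char *s)
{
    return (s[0] - '0') * 10 + (s[1] - '0');
}

/* Parse an LDAP GeneralizedTime of the strict form YYYYMMDDHHMMSSZ into
 * seconds since the epoch. Returns -1 on malformed input or on a value
 * before the epoch, so a valid 19700101000000Z maps to exactly 0. */
int64_t generalized_time_to_epoch(const char *s)
{
    if (s == NULL || strlen(s) != 15 || s[14] != 'Z') {
        return -1;
    }
    for (int i = 0; i < 14; i++) {
        if (s[i] < '0' || s[i] > '9') {
            return -1;
        }
    }
    int year = two_digits(s) * 100 + two_digits(s + 2);
    int mon = two_digits(s + 4), day = two_digits(s + 6);
    int hour = two_digits(s + 8), min = two_digits(s + 10), sec = two_digits(s + 12);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 60) {
        return -1;
    }
    int64_t t = days_from_civil(year, mon, day) * 86400 + hour * 3600 + min * 60 + sec;
    return t < 0 ? -1 : t;
}

/* Classify the attribute value; on PW_EXPIRES_AT, *when receives the time. */
enum pw_expiry classify_krb_password_expiration(const char *attr, int64_t *when)
{
    if (attr == NULL || attr[0] == '\0') {
        return PW_NEVER_EXPIRES;      /* FreeIPA KDB: attribute not set */
    }
    int64_t t = generalized_time_to_epoch(attr);
    if (t < 0) {
        return PW_INVALID;
    }
    if (t == 0) {
        return PW_NEVER_EXPIRES;      /* MIT KDB: 19700101000000Z == (time_t)0 */
    }
    if (when != NULL) {
        *when = t;
    }
    return PW_EXPIRES_AT;
}

/* True only when a real expiry time has been reached. A malformed value
 * is not reported as expired by this helper; callers must check for
 * PW_INVALID separately and log it rather than silently granting access. */
bool krb_password_expired(const char *attr, int64_t now)
{
    int64_t when = 0;
    return classify_krb_password_expiration(attr, &when) == PW_EXPIRES_AT && when <= now;
}
```

The three-way result is deliberate: collapsing PW_INVALID into "never expires" would turn a garbled directory value into an authentication bypass, while collapsing it into "expired" would lock users out on a parser bug; surfacing it lets the caller decide and log.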
ce81f017 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: include requirements.txt in system tests documentation requirements

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
df7a5c33 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: build system tests documentation in readthedocs

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
42594c37 by HelloCarry at 2023-03-23T10:37:57+01:00
fix sysvol_gpt_version may be used uninitialized

Resolves: https://github.com/SSSD/sssd/issues/6610

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9aece27d by Dan Lavu at 2023-03-23T10:38:21+01:00
Adding ptr zone creation to class setup

The AD server may be provisioned onto a different subnet than the client,
adding a fixture to add both the AD server and client PTR zones to DNS.

In addition, cleaned up the find_a and find_ptr functions to remove
false positives.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
92d1b469 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: move select authenticator

Move select authenticator logic to its own function.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bccdc2af by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: obtain assertion data

New action to obtain the assertion data. For that purpose, prepare the
assertion request data, select the device to use, select the
authenticator, get the device options and compare them with the
organization policy, request the assert, get the authenticator data, get
the signature and print all this information.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f77ec4f5 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: verify assertion data

New action to verify the assertion data. To this end, prepare the
assertion data, including the authenticator data and the signature;
decode the public key and verify the assertion.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8218634d by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: replace printf by PRINT

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c6db359f by aborah at 2023-03-27T10:20:41+02:00
Tests: Fix restore work for ipa test

Fix restore work for ipa test

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b3c681a7 by aborah at 2023-03-27T10:21:14+02:00
Tests: Port bash inmemory_cache test suit to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/inmemory_cache

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
132fb401 by Alexey Tikhonov at 2023-03-27T12:43:48+02:00
Deprecate 'sss_simpleifp' library.

:relnote:'sss_simpleifp' library is deprecated and might be
removed in further releases. Those who are interested to keep
using it awhile should configure its build explicitly using
`--with-libsifp` ./configure option.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c586b9a2 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDERS: delete obsolete 'responder_sbus.h'

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
437dbe9e by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
MONITOR: currently only 'ifp' doesn't support running as non-root

This should be easier to read.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e2106c94 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
SUDO: fix mistype

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5159992d by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDER: use safe helper

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
64424963 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
UTILS: sanitize `cli_creds_get_*` macro

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
55e27a42 by Alejandro López at 2023-03-27T12:44:34+02:00
KCM: Switch default caches only when there is no current default.

Only when there was a current default cache
(uuid_is_null(old_dfl_uuid) == false), the default cache was switched.
This condition should be negated so that the cache is switched when
there is no current default.

Resolves: https://github.com/SSSD/sssd/issues/6357

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0e25f0d1 by answer9030 at 2023-03-27T12:45:04+02:00
Fixed pid wrapping in sss_cli_check_socket

Resolves: https://github.com/SSSD/sssd/issues/6592

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5c363bfb by answer9030 at 2023-03-27T12:45:04+02:00
Fixed the problem of calling getpid() and lstat() twice in sss_cli_check_socket()

The second call to getpid() and lstat() is redundant.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae691f0b by Alexey Tikhonov at 2023-03-27T12:46:14+02:00
NSS: change default value of 'cache_first' to 'true'

Having 'cache_first' as 'false' is a performance degradation without a reason
in the multi-(sub)domains environments (typical case when AD is involved).

But there is a subtle issue that doesn't allow switching the default when
'files provider' is used.

:config: Default value of 'cache_first' option was changed to 'true' in case
SSSD is built without 'files provider'.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cfc591d6 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Include struct ldb_dn in struct sdap_search_base

struct sdap_search_base includes the DN as a string. To better
compare the DNs it is better to use a struct ldb_dn, in addition to
the string.

The struct ldb_dn also needs to keep the associated struct ldb_context,
so we are also storing it in the structure.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
84e7dbc9 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Ignore the cn=views entries in nested groups

When resolving the nested groups, ignore any entry in
cn=views,cn=accounts,$BASEDN (or whatever the user configured).

Resolves: https://github.com/SSSD/sssd/issues/6548

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9e9d5825 by Alejandro López at 2023-03-27T12:47:50+02:00
Tests: Test that cn=views is ignored.

Add a new test to check the ignored search bases.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
62cb54dc by Pavel Březina at 2023-03-30T12:17:48+02:00
tests: make pytest-ldap aware of TLS options

OPT_X_TLS_NEWCTX must be set to create a new TLS context after
changing TLS options in order to actually use them in python-ldap.

This is required to run the tests inside idm-ci where the internal
hostname that is used in certificate does not match the external
hostname or IP address that is used to connect to the remote host.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
745379bc by Justin Stephenson at 2023-03-31T12:30:44+02:00
SSSCTL: Switch passkey-exec to passkey-register

Users currently only need to call --register

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f46fe473 by Jakub Vavra at 2023-04-03T09:37:32+02:00
Tests: Skip test_0002_ad_parameters_junk_domain on multiarch

The test does not work properly on multiarch due to beaker being
on a different network than openstack.
Fixed some misleading comments.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
9c17615a by aborah at 2023-04-04T12:12:38+02:00
Tests: don't fail if chattr file doesn't exist

error: DEBUG - chattr: Operation not supported while reading flags on /etc/resolv.conf

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ad68d71c by Pavel Březina at 2023-04-04T12:13:16+02:00
passkey: add Kerberos plugins

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a16c256 by Pavel Březina at 2023-04-04T12:13:16+02:00
idp: switch to common API for radius-style plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cdfe2c51 by Justin Stephenson at 2023-04-04T12:13:16+02:00
Authtok: Support SSS_AUTHTOK_TYPE_PASSKEY{_REPLY}

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5de070f9 by Justin Stephenson at 2023-04-04T12:13:16+02:00
pam_sss: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7c34742c by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c76ba343 by Justin Stephenson at 2023-04-04T12:13:17+02:00
PAM: Passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9869e487 by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Increase child buffer and chunk size

Passkey data can be larger than 512 bytes.

Received passkey data from krb5 with multiple credentials
exceeds 256 bytes.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
88f4d3cf by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Add util function to prefix passkey data

Allows converting passkey child --get-assert output to
the format which the passkey krb5 plugin expects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1032ca21 by Justin Stephenson at 2023-04-04T12:13:17+02:00
MAN: Clarify user_verification will be overwritten

The user_verification sssd.conf option for passkey will only be used with
LDAP or AD, in the non-kerberos pre-auth case.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bb21171b by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Changes to debug_libfido2 option

Change debug_libfido2 to passkey_debug_libfido2 and
move from passkey verification options to PAM option

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5744bad7 by Justin Stephenson at 2023-04-04T12:13:17+02:00
Tests: Amend PAM Preauth tests

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9e061fc0 by Jakub Vavra at 2023-04-04T14:58:56+02:00
Tests: Remove keytab on realm leave.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
a5efc5e6 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: fix type errors due to type enhancements in jc

The library we depend on `jc` made its typing more specific so we
need to check that we got the expected type.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
3d0fcca3 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: avoid list() and dict() as default parameter value

"Default parameter values are evaluated from left to right when the
function definition is executed." which means that the list or dict
is created only once and then the same reference is passed to the
function with each invocation, so the function calls can be affected
by the previous one.

See:
https://docs.python.org/3/reference/compound_stmts.html#function-definitions

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
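The pitfall the commit above describes, as an added illustration (not code from the SSSD project or its test suite; the helper names `add_host_buggy`, `add_host_fixed` and `compare_calls` are assumptions made here): the mutable default is created once when `def` runs, so every call that relies on it shares the same list, while a `None` sentinel gives each call a fresh one.

```python
from typing import List, Optional

# Added illustration of the mutable-default pitfall; not SSSD test code.
# Hypothetical helper names (add_host_buggy / add_host_fixed) are assumptions.


def add_host_buggy(hostname: str, hosts: List[str] = []) -> List[str]:
    """The default list is created once, when 'def' executes, and shared by every call."""
    hosts.append(hostname)
    return hosts


def add_host_fixed(hostname: str, hosts: Optional[List[str]] = None) -> List[str]:
    """Use None as the sentinel and build a fresh list inside the call."""
    if hosts is None:
        hosts = []
    hosts.append(hostname)
    return hosts


def compare_calls() -> dict:
    """Call each variant twice and report whether the second call saw the first's data."""
    first_buggy = add_host_buggy("client.test")   # constructed sample hostnames
    second_buggy = add_host_buggy("dc.test")
    first_fixed = add_host_fixed("client.test")
    second_fixed = add_host_fixed("dc.test")
    return {
        # True: both calls returned the very same list object
        "buggy_shares_list": first_buggy is second_buggy,
        # the second buggy call still carries the first call's entry
        "buggy_second_call": list(second_buggy),
        # False: each fixed call built its own list
        "fixed_shares_list": first_fixed is second_fixed,
        "fixed_second_call": list(second_fixed),
    }


if __name__ == "__main__":
    print(compare_calls())
```

Running `compare_calls()` shows the buggy variant returning the same object from both calls, with the second result containing both hostnames, whereas the fixed variant returns a one-element list each time.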
a825b28b by Pavel Březina at 2023-04-11T10:06:35+02:00
passkey: fix copyrights and comments in krb plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
576a1c19 by Madhuri Upadhye at 2023-04-11T10:07:00+02:00
Tests: Automation of bug, bz2100789, which tests id_provider parameter from domain section

Add automation of bug which checks id_provider parameter from
domain section.
Contains following two test cases:
1. Test when domain section does not have id_provider
2. Test when id_provider's value is invalid

verify:
    #https://bugzilla.redhat.com/show_bug.cgi?id=2100789
    #https://github.com/SSSD/sssd/pull/6550

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6ea20516 by Sam Morris at 2023-04-11T12:14:03+00:00
Don't add subid to /etc/nsswitch.conf

- - - - -
744b3e30 by Timo Aaltonen at 2023-04-11T15:19:42+03:00
releasing package sssd version 2.8.2-4

- - - - -
bc5de686 by Jakub Vavra at 2023-04-13T12:25:27+02:00
Tests: Add a timeout to realm join for AD, modify realm leave.

The realm join gets stuck on other architectures, particularly on s390x.
This makes it fail so the suite can continue running instead of waiting
for the timeout for the whole suite.
Handle the edge case when realm leave fails for the machine and removal from AD
is also not done resulting in the following tests unable to join as the machine
is already present on AD.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e794bfde by Pavel Březina at 2023-04-14T12:11:40+02:00
ci: prepend pr copr build with high version number

Currently, it is not possible to simply install the copr pull request
package because a number is considered to be higher than a string version,
therefore 2.8.0 > pr6286 and dnf considers the potential installation
to be a downgrade which may cause conflicts.

Prepending 9 makes sure that the pull request copr build always wins.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
526aea3e by Tomas Halman at 2023-04-14T12:12:15+02:00
util: Improve re_expression defaults

The original defaults of re_expressions did not use "^" so they
may skip/ignore some leading characters (@ and \).

The new defaults use ^ and $ to be sure that all characters
are used.

Resolves: https://github.com/SSSD/sssd/issues/6635

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
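The difference the commit above describes, as an added illustration in Python (not SSSD code, and the two patterns are constructed to resemble the problem rather than being SSSD's actual re_expression defaults; the helper names `split_unanchored` and `split_anchored` are assumptions made here). An unanchored pattern used with a search lets the regex engine skip leading characters such as `@` or `\`, so `@@user` is silently accepted as `user`; anchoring with `^` and `$` forces every input character to be consumed, so the same input is rejected instead.

```python
import re
from typing import Optional, Tuple

# Constructed illustration (not SSSD's actual re_expression defaults):
# an unanchored "name@domain" splitter and an anchored replacement.
UNANCHORED = re.compile(r"(?P<name>[^@\\]+)@?(?P<domain>[^@]*$)")
ANCHORED = re.compile(r"^(?P<name>[^@\\]+)(?:@(?P<domain>[^@]+))?$")


def split_unanchored(fqname: str) -> Optional[Tuple[str, Optional[str]]]:
    """Old-style behaviour: search() may start matching after leading junk."""
    m = UNANCHORED.search(fqname)
    if m is None:
        return None
    return m.group("name"), m.group("domain") or None


def split_anchored(fqname: str) -> Optional[Tuple[str, Optional[str]]]:
    """Anchored pattern: the whole input must match or the parse fails."""
    m = ANCHORED.match(fqname)
    if m is None:
        return None
    return m.group("name"), m.group("domain")


def compare(inputs) -> dict:
    """Run both splitters over sample inputs and collect the results side by side."""
    return {s: (split_unanchored(s), split_anchored(s)) for s in inputs}


if __name__ == "__main__":
    # Constructed sample inputs, including the extraneous-'@' case.
    for name, (old, new) in compare(["user", "user@example.com", "@@user", "\\user"]).items():
        print(f"{name!r:20} unanchored={old} anchored={new}")
```

For `@@user` the unanchored splitter returns `('user', None)` while the anchored one returns `None`; ordinary inputs such as `user` and `user@example.com` parse identically in both.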
b78b508b by Tomas Halman at 2023-04-14T12:12:15+02:00
responder: regexp cleanup

Update ifp and ssh responders to use regular expression
defined centrally.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
255c01a1 by Jakub Vavra at 2023-04-17T09:10:41+02:00
Tests: Fix error in cifs tests.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
c3a0b5f0 by Pavel Březina at 2023-04-17T11:57:59+02:00
tests: split system test framework into standalone repository

This change allows other projects to use the framework as well.

https://github.com/SSSD/sssd-test-framework

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
08711256 by aborah at 2023-04-19T15:27:05+02:00
Tests: Add missing package

strace was missing from installed packages

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
821455c7 by Sargun Narula at 2023-04-19T15:34:45+02:00
Tests: Ported cache_performance testing cases to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6d659e29 by Sargun Narula at 2023-04-19T15:34:45+02:00
Fixed docstring minor changes

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
54aabca0 by Alejandro López at 2023-04-19T15:35:35+02:00
UTIL: Introducing SPRItime

SPRItime can be used to printf() time_t values.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3463caa8 by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Remove several Y2K38_SAFETY warnings

Most of them are external functions that receive a 32-bit integer but
SSSD provides a time_t value. For that we created the
sss_tevent_timeval_current_ofs_time_t(time_t t) wrapper function that
handles the conversion.

In another case, it was an internal function, so the function was
adapted to accept a time_t value.

Another case is a real problem caused by Kerberos storing times in the
32-bit signed krb5_timestamp, but time() returning a 64-bit value. It
seems Kerberos is planning on making this signed value unsigned. So the
recommended and adopted solution is to use the 32 lower bits.

Also the DEBUG() trace was corrected to use the right size.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b65d7be by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Resolve a WRITE_CONST_FIELD warning

We are initializing the structure, so it is not a problem that we write
to const fields. In addition, using talloc_memdup() is better and avoids
the warning.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c3d6cc9a by Alejandro López at 2023-04-19T15:40:10+02:00
AD: Do not use the shortcut when filter_groups is set.

When using 'id <user>', a shortcut avoids creating the proper group
object but, instead, one where the SID is the group name is created.
This prevents a proper filtering of groups which requires the actual
group name.

Not using the shortcut will retrieve the group names and the filtering
will work.

Resolves: https://github.com/SSSD/sssd/issues/6617

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ebc1e460 by Sumit Bose at 2023-04-19T15:42:03+02:00
krb5: add joined/parent domain to [domain_realm]

So far only discovered sub-domains were added to the [domain_realm]
section of one of the krb5 config snippets SSSD is generating. To fix
recent issues which were caused by missing entries of the joined domain
this domain is now added as well.

Resolves: https://github.com/SSSD/sssd/issues/6600

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
dae5367b by Iker Pedrosa at 2023-04-19T15:44:18+02:00
test: cast to `char *` assert_string_equal() args

CI build is reporting the following error several times:
```
error: pointer targets in passing argument 2 of '_assert_string_equal'
differ in signedness [-Werror=pointer-sign]
```

Casting the arguments of assert_string_equal() to `char *` fixes the
issue.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
325fc8e1 by Jakub Vavra at 2023-04-24T11:12:51+02:00
Tests: Improve stability of tests in TestADParamsPorted, remove un-needed backups.

There are some tests that are flaky in the suite, adding pytest.flaky
and moving them to tier2.
Made sure that flaky tests are only in one tier instead of failing in two suites.
Removed backup and restore of sssd.conf as it is done by adjoin now.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
def571ba by Sumit Bose at 2023-04-24T11:13:37+02:00
krb5: make sure realm is known when writing domain_realms

To make sure that no broken krb5.conf snippet is created it is checked
if the realm member is defined in the sss_domain_info struct before
writing it to the output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a41810bd by Iker Pedrosa at 2023-04-24T11:14:25+02:00
CI: store CodeQL configuration artifacts

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
eb494154 by aborah at 2023-04-24T11:15:10+02:00
Tests: Add support for ldapi:// URLs

bz: https://bugzilla.redhat.com/show_bug.cgi?id=2152177

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
30e0b472 by Jakub Vavra at 2023-04-24T11:25:01+02:00
Tests: Add tests for BZ1765354

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1765354
Verifies: #5080

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
9f2d8d69 by minfrin at 2023-04-24T13:12:31+02:00
Add support for ldapi:// URLs.

Make sssd aware of unix domain sockets, allowing connections to local
LDAP servers.

Make use of struct sockaddr and socklen_t consistent across the code.

:feature: Add support for ldapi:// URLs to allow connections to local
  LDAP servers

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f2213418 by minfrin at 2023-04-24T13:12:31+02:00
Align sockaddr_storage to sockaddr for updated API.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
91b70123 by minfrin at 2023-04-24T13:12:31+02:00
Ensure we touch sockaddr_len in the success case only.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ccd5b9a by minfrin at 2023-04-24T13:12:31+02:00
Do not set SO_KEEPALIVE on AF_UNIX.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2d54cf5e by minfrin at 2023-04-24T13:12:31+02:00
Rename sdap_get_server_ip_str() to sdap_get_server_peer_str()

Add support for printing AF_UNIX paths.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e004595a by minfrin at 2023-04-24T13:12:31+02:00
Don't force TLS on if we're a unix domain socket.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
559f29ff by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: load fixtures from sssd-test-framework

This makes fixtures from sssd-test-framework available in our tests.
See tests.sssd.io to list the fixtures:

https://tests.sssd.io/en/latest/api/sssd_test_framework.fixtures.html

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
52c3d6c2 by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: create data directory in system tests

The directory hierarchy is as follows:
* `data/`
  * files shared for all test modules
  * `test_module/` (directory for `test_module.py`)
    * files shared for all tests within the module `test_module.py`
      * `test_module__xyz/` (directory for single test from the module)
        * files relevant only for the test `test_module__xyz`

It can be accessed via datadir, moduledatadir and testdatadir fixtures.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9358a74d by Sumit Bose at 2023-04-26T10:32:25+02:00
ad: skip filtering if ad_enabled_domains is set

The domain filtering based on LDAP attributes might be too strict in
forests which have a long and complex history where not all attributes
might be updated to reflect the current state, e.g. membership to the
local forest. To skip the filtering the ad_enabled_domains attribute can
be set to the list of expected domains.

Resolves: https://github.com/SSSD/sssd/issues/6626

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
1bf47514 by Sumit Bose at 2023-04-26T10:32:25+02:00
tests: fix typo in ldapi test

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ddec8ae2 by Alexey Tikhonov at 2023-04-27T06:52:51+02:00
SPEC: obsolete libsss_simpleifp

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9329c09d by Jakub Vavra at 2023-04-27T06:53:10+02:00
Tests: Fix pytest markers to remove warnings.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
04cc2f73 by Jakub Vavra at 2023-04-27T12:09:37+02:00
Tests: Install libsss_simpleifp conditionally based on release.

Package libsss_simpleifp is removed from fedora and a future
major version of RHEL, install it only on RHEL/Centos 7,8,9.
See https://github.com/SSSD/sssd/pull/6701.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d735fb1e by Jakub Vavra at 2023-04-27T12:15:22+02:00
Tests: Ignore chattr result on resolv.conf

The resolv.conf can be a symlink (because of systemd/resolved) so chattr will not work on it.
We ignore the result so error is not produced on fedora where systemd/resolved is in play.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
0bc80bdb by Timo Aaltonen at 2023-04-27T17:24:28+03:00
libnss-sss.postinst: Migrate to use 'case' like the other postinsts.

- - - - -
ed2510d9 by Jakub Vavra at 2023-04-28T11:00:41+02:00
Tests: Add test for bz1913839 gid of filtered group gid still present in id

Verifies
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1913839

Group id of a group that should have been filtered is visible in
the id command output.

Fixed test numbering, removed un-needed backups,
moved log collection to later part of code to make the test_0016 more reliable.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
265f6e02 by Shridhar Gadekar at 2023-04-28T11:03:00+02:00
Tests: sss allows extraneous @ characters prefixed to username

corrected typo

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2180981
Verifies:

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c200fc01 by Madhuri Upadhye at 2023-05-03T18:53:27+02:00
Test: Test nested group in view based search

Automation of BZ2151403

Test nested group entry in cn=views,cn=accounts,$BASEDN
with id command from client.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
f97cd4d4 by Iker Pedrosa at 2023-05-03T18:53:46+02:00
passkey: don't print User ID

The User ID isn't part of any signed data, thus there isn't any
indication that it's related to the token. Moreover, the effort to store
it securely on the LDAP attribute is quite big. Taking that into account
the passkey child doesn't print it and this way we avoid storing it in
the LDAP server.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9724f871 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: only accept the client realm as relying party ID

FreeIPA expects relying party ID for FIDO2 exchange to be the same as
the realm. If a rogue KDC attempted to inject another relying party ID,
reject it.

We use server principal as opposed to the client one to allow use of
enterprise principals. Server principal in AS-REQ would be
krbtgt/REALM at REALM for the realm of the client.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d0a6bf60 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: implement realm check for the passkey challenge

A rogue KDC might respond to us with a passkey challenge that references
domain not associated with the realm we serve. In order to check that,
convert DNS domain from the challenge to the realm using hostrealm
interface provided by the krb5 library.

For a referral realm fall back to the explicit challenge domain check.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9bf55bf9 by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: disable 'user' config option in case --with-sssd-user=root

In case SSSD was configured and built --with-sssd-user=root, no other
value of 'user' config option (besides default 'root') is supported.
Having it documented in the man page in this case only brings confusion.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8b94af6e by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: validate value of 'user' option.

Only 'root' and SSSD_USER are valid values.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d4866940 by Luke Dickinson at 2023-05-04T10:39:33+02:00
Remove the need for a keytab when using fast with anonymous pkinit

Anonymous pkinit does rely on a keytab for authentication.
Removed unnecessary call to copy keytab into memory.

Resolves: https://github.com/SSSD/sssd/issues/6531

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ede8c139 by Weblate at 2023-05-04T11:11:59+02:00
po: update translations

(Turkish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Czech) currently translated at 99.4% (702 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Czech) currently translated at 99.1% (700 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(French) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Korean) currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Japanese) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Japanese) currently translated at 94.0% (664 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(Finnish) currently translated at 10.0% (71 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Georgian) currently translated at 7.9% (56 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Polish) currently translated at 4.9% (132 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Korean) currently translated at 64.1% (1673 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 9.9% (70 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Swedish) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 98.1% (2672 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Finnish) currently translated at 9.6% (68 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 64.1% (1671 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 8.9% (63 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 63.7% (1661 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 7.3% (52 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Polish) currently translated at 4.9% (131 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Georgian) currently translated at 7.7% (55 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Finnish) currently translated at 7.2% (51 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Russian) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Russian) currently translated at 97.3% (687 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Korean) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 99.1% (2700 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Korean) currently translated at 97.1% (686 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 96.4% (681 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 63.6% (1659 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
619ecbbc by Iker Pedrosa at 2023-05-04T13:35:09+02:00
test: add conditional build for passkey functions

`make distcheck` is failing because two passkey functions are defined
but never used. Add conditional build for them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e91b5d4a by Pavel Březina at 2023-05-05T10:07:26+02:00
man: put sssd_user_name.include to builddir

Putting it in the source directory makes "make distcheck" fail when
run directly from the source directory instead of a different build dir.

It produces this error message:
```
/bin/sh: line 1: ../../../../src/man//sssd_user_name.include: Permission denied
```

Because the source directory copied by distcheck is not writable.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6c184c47 by Pavel Březina at 2023-05-05T10:11:07+02:00
pot: update pot files

- - - - -
eb43c240 by Alejandro López at 2023-05-15T11:21:58+02:00
FILE WATCH: Callback not executed on link or relative path

When the watched file was a symbolic link or was a relative path,
the callback was not executed because the filename comparison
was wrongly considering the files to be different.

The solution is to normalize the filenames before comparing them.
This cannot be easily done at setup because the file could not
exist at that moment.

The test was adapted to check this situation.

Resolves: https://github.com/SSSD/sssd/issues/6718

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)

- - - - -
0c6f4926 by Alejandro López at 2023-05-15T11:21:58+02:00
TESTS: Fix double slash comments

Use /* */ instead of //.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 90c5490723e82bdf633900f67a424b53cd50112f)

- - - - -
d104c01f by Sumit Bose at 2023-05-15T11:22:50+02:00
sysdb: fix string comparison when checking for overrides

When checking if the input group-name is the original name from AD or an
overwritten one the comparison is currently done case-sensitively. Since
AD handles names case-insensitively and hence SSSD should do this as well,
this comparison might cause issues.

The patch replaces the case-sensitive comparison with a comparison which
respects the case_sensitive setting of the domain the object is coming from.

Resolves: https://github.com/SSSD/sssd/issues/6720

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 01d02794e02f051ea9a78cd63b30384de3e7c9b0)

- - - - -
425d88fa by Iker Pedrosa at 2023-05-15T11:25:39+02:00
passkey: write mapping data to file

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 906a677c959f4a28dd95775b0d9399dd9e48f1e0)

- - - - -
15dd3545 by Alexey Tikhonov at 2023-05-19T13:22:53+02:00
MAN: fix issue with multithread build

When 'make' runs using multiple threads it can build several man pages
in parallel, executing the same '.5.xml.5:' rule. This can result in
a race condition where multiple threads access the same 'sssd_user_name.include'
file.
To avoid this make 'sssd_user_name.include' file a rule dependency.
But "Suffix rules cannot have any prerequisites of their own", and suffix
rules are obsolete anyway, so change it to pattern rules.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit df8472ccb20e0b77573b5c3e8cc25803bc7b0022)

- - - - -
6d060818 by Madhuri Upadhye at 2023-05-19T16:16:09+02:00
Tests: Gating fixes for RHEL8.9 and RHEL9.3

The following three minor changes are:

for test_config_validation.py,
1. 'sssctl config-check' returns return code 1 when
   we don't have an sssd.conf file.
2. Change the 'sssctl' command, which only checks the
   non-default snippet directory with option -s.

for test_offline.py,
3. Add an extra restart of sssd to get the offline log message
   using the journalctl command.

for test_ssh_
4. Replace pexpect_ssh with the auth_from_client method to log in
   the user.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 2965db1cce2d9c79e58626834f96f0283d26cfff)

- - - - -
60806f59 by Shridhar Gadekar at 2023-05-22T09:23:25+02:00
Tests: move unstable default_debug to tier2

moved default debug level tests to tier2

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 535a8c6a749a96e23510a26eceb5953b99f41cde)

- - - - -
de75ff3c by aborah at 2023-05-22T09:23:51+02:00
Tests: Fix gating tests for 9.3

It fixes tests from tier1_2 that are failing in gating

1. src/tests/multihost/alltests/test_automount.py: there is an issue with autofs, email thread: [CRASH] prep Package: autofs-1:5.1.7-36.el9
2. src/tests/multihost/alltests/test_automount_from_bash.py: the test did not raise an error as the last `cd -` command was successful, so I have removed the `cd -` part (/folder1/folder2/projects does not exist)
3. src/tests/multihost/alltests/test_ldap_password_policy.py: the password provided was wrong.
4. src/tests/multihost/alltests/test_backtrace.py: need to modify this test as per the current log format

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 2096f45527d4513ae52547fafd383bd2542d7f79)

- - - - -
33f10c4a by Dan Lavu at 2023-05-23T12:54:32+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 69f93bf817706acb7830428fd81d78dc207468c0)

- - - - -
270f0ba0 by Justin Stephenson at 2023-05-25T10:20:24+02:00
Passkey: Adjust IPA passkey config error log level

IPA passkey configuration may not be retrieved if IPA
does not contain passkey support. Lower the error level of log
messages associated with this failure.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fe751c316c631240311fba62409f2b6a38be0d50)

- - - - -
16275d9b by Justin Stephenson at 2023-05-25T10:20:24+02:00
IPA: Log missing IPA config data on default level

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fa326be9cb29d97d6000e783b02656f60f7f8fb2)

- - - - -
e5dfa2a8 by Sumit Bose at 2023-05-25T10:21:11+02:00
AD: add missing AD_AT_DOMAIN_NAME for sub-domain search

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 39b6337f32b76842be65802b0b0aa86050c8aa95)

- - - - -
2466310e by Jakub Vavra at 2023-05-25T16:12:26+02:00
Tests: Modify expiring/expired password test for RHEL 8.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4d2cf0b6 by Sumit Bose at 2023-05-26T12:53:52+02:00
krb5: make sure sockets are closed on timeouts

If krb5_child runs into a timeout the backend currently does not close
the I/O sockets because handle_child_done() is not called when the
timeout handlers are acting. To make sure the signal handler can close
the sockets the 'in_use' member of struct child_io_fds is set to
'false'.

Resolves: https://github.com/SSSD/sssd/issues/6744

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 455611952f90ed0cefaff1e840623ea14ac06be1)

- - - - -
a74d42df by Shridhar Gadekar at 2023-05-26T12:55:14+02:00
Tests: fix default debug level for typo

modified docstrings

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 11eef225c452982877ff26b7984d0351de41da87)

- - - - -
58855b71 by Alejandro López at 2023-05-26T12:58:28+02:00
SYSDB: Make enum sysdb_obj_type public

Make enum sysdb_obj_type usable outside of sysdb_ops.c.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 1d69fdb73e5cbaf9789fbb153fa2bc55644e5ec1)

- - - - -
3eb4c4a7 by Alejandro López at 2023-05-26T12:58:28+02:00
IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP

The previous filter for overrides would sometimes find more than one entry
because it was looking for a uidNumber or gidNumber:
(&(objectClass=ipaOverrideAnchor)(|(uidNumber=XXXX)(gidNumber=XXXX)))

The new filter looks for a specific user override or a specific group
override:
(|(&(objectClass=ipaUserOverride)(uidNumber=XXXX))
  (&(objectClass=ipaGroupOverride)(gidNumber=XXXX)))

This filter could return two override entries (one for a group and one
for a user). That case must be taken into consideration and discard the
user override in favor of the group override.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 99d0ab82e98a8f1e3cab23d871f36b9d890e034c)

- - - - -
0192c1c8 by Jakub Vavra at 2023-05-29T06:54:01+02:00
Tests: Add conditional skip for simple ifp test.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 469905bfabdda66555bd179eb7b6ac7b3cd875d1)

- - - - -
6239f50f by Alejandro López at 2023-06-05T11:27:57+02:00
PAM: Fix a possible segmentation fault

Calls to add_expired_warning(struct pam_data *pd, long exp_time) must
provide a non-NULL pd. In one of the cases this function is called
without checking that pd is not NULL. We here fix that.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 7f28816479c694ff95939e3becfbcd43423a5744)

- - - - -
f63a54c3 by Sumit Bose at 2023-06-05T11:28:59+02:00
fail_over: protect against a segmentation fault

A missing server name in struct fo_server will cause a segmentation
fault. Currently it is unclear why the server name is missing at this
point. To avoid the segmentation fault it is checked beforehand whether the
server name is missing. Additionally the state of some internal
structures is added to the debug logs to help debugging why the server
name is missing.

Resolves: https://github.com/SSSD/sssd/issues/6659

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 8a8869994745429b3f5535a5d0b91f1d0b2fa723)

- - - - -
e1195619 by Timo Aaltonen at 2023-06-06T21:18:34+03:00
Merge tag '2.8.2' into m

2.8.2

- - - - -
8706941f by Timo Aaltonen at 2023-06-06T21:18:38+03:00
Merge branch 'master' into m

- - - - -
4cfe8a54 by Timo Aaltonen at 2023-06-06T21:19:23+03:00
version bump

- - - - -
4eac205f by Timo Aaltonen at 2023-06-06T21:20:44+03:00
patches: Drop an upstreamed patch.

- - - - -
a2a6933b by Timo Aaltonen at 2023-06-06T22:03:11+03:00
Drop deprecated simple-ifp library and files provider.

- - - - -
ff5ca0bb by Timo Aaltonen at 2023-06-07T14:43:19+03:00
control, rules: Add sssd-passkey, and libfido2-dev to build-depends.

- - - - -
b9a0b424 by aborah at 2023-06-08T07:56:29+02:00
Tests: Netgroups do not honor entry cache nowait percentage

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L280

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 75ae9e87a264b17dac45f798fb7b4ba7057fc494)

- - - - -
74c6fefe by Shridhar Gadekar at 2023-06-08T07:58:25+02:00
Tests: move test_access_control.py to tier2

Tests moved to tier2; the tests are failing to parse
the logs. Gating is blocked. The same test suite is available
in bash.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 587cd8dc2004adfd6c6aab4ef928ef2d89ae3f94)

- - - - -
6125efe1 by Shridhar Gadekar at 2023-06-12T09:34:04+02:00
Tests: Adding c-ares markers for related tests

removing flaky ones

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 27dd3f508b23ae61c757cce6c5b9ca303d7aaf09)

- - - - -
d9749ba1 by Alexey Tikhonov at 2023-06-12T11:17:37+02:00
RESPONDER: avoid log backtrace in case access denied

Resolves: https://github.com/SSSD/sssd/issues/6442

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 076a1136ab8650d962c5a462cbed82bd96ba176a)

- - - - -
640f4158 by Pavel Březina at 2023-06-12T11:49:29+02:00
ipa: correctly remove missing attributes on netgroup update

When a netgroup is updated, previously it did not remove the missing
attributes. This caused an issue especially when a member was removed.

Resolves: https://github.com/SSSD/sssd/issues/6652

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b033b0dda972e885f63234aa81dca317c8234c2c)

- - - - -
4b0683bd by Alejandro López at 2023-06-12T20:43:25+02:00
AD: The shortcut must be used equally on _send() and _done()

The conditions to use the shortcut in sdap_ad_tokengroups_initgroups_send()
were modified without also changing sdap_ad_tokengroups_initgroups_done().

To avoid future problems like this, and because the condition is becoming
more complex to evaluate, we evaluate the condition in the _send() function
and keep the result in the state, for the _done() function to use it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit dc9466e7371b98bc972ae2b3521f163f31a59a84)

- - - - -
e4e8e344 by Madhuri Upadhye at 2023-06-13T12:13:58+02:00
Tests: Add package for tc command

Adding package iproute-tc to get tc command.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 9c50b8ec14f0e167c937446a64213ef59eaa96ef)

- - - - -
02b158ff by Shridhar Gadekar at 2023-06-13T12:18:44+02:00
Test: dropping unstable dyndns tests

Dropping unstable dyndns tests from c-ares gating

(cherry picked from commit 6efb2779b79b86121f50852416e3ae63feac31a0)

- - - - -
bb64f2cd by aborah at 2023-06-15T10:25:11+02:00
Tests: Skip test_0001_bz2021196

The test is unstable on other architectures so it is skipped for now.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit d14be798bdebcc3587769c2406ee025340cf5162)

- - - - -
58a007de by Jakub Vavra at 2023-06-15T10:26:56+02:00
Tests: Skip test_0016_ad_parameters_ad_hostname_valid on other architectures.

The test is unstable on other architectures so it is skipped for now.
Reordered the asserts so we can see if the connection to AD works,
as looking for the log message has a lower priority.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 3e3d098646f7cae90857f9a92348aff14fd65429)

- - - - -
19fecbf1 by Jakub Vavra at 2023-06-16T13:22:09+02:00
Tests: Improve stability of test_0004_bz2110091

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 54903c0e38f534bd48f890658b55c626431dd6d5)

- - - - -
05bc18ce by aborah at 2023-06-19T06:03:54+00:00
Tests: Add ssh module that is fast, reliable, accurate

SSSD tests seem to be failing with the current ssh module without any reason.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 34dba5a3836a121a6485ec71ffc7234cd5ec24c0)

- - - - -
895d194f by Sumit Bose at 2023-06-19T20:41:10+02:00
ldap: return failure if there are no grace logins left

If a user's password is expired while changing the LDAP password SSSD
tries to change the password even if the initial bind of the user failed
due to exhausted grace logins.

With this patch the change password request will be aborted if the bind
fails indicating that there are no grace logins left.

Resolves: https://github.com/SSSD/sssd/issues/6768

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit d99aa97dae7236fd056e21ea3d48997edf1b9823)

- - - - -
5008f0f9 by Sumit Bose at 2023-06-19T20:45:47+02:00
ad: use sAMAccountName to lookup hosts

To determine which GPOs apply to the host running SSSD the full DN of
the host object in AD is needed. To find this object we use the NetBIOS
name of the host which is stored in AD in the sAMAccountName attribute.
Using other attributes, e.g. if ldap_user_name is set to a different
attribute, will most probably cause a failure since those attributes are
not managed as expected for host objects. As a result sAMAccountName
should be hardcoded here to avoid issues.

Resolves: https://github.com/SSSD/sssd/issues/6766

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 67c11c2ebae843f7ddd6b857efa2e1f6449986f3)

- - - - -
5711bb25 by Pavel Březina at 2023-06-19T20:48:03+02:00
cache_req: remove unused field cache_behavior from state

This field is not used anywhere. Instead, we use the value from struct
cache_req.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 8b014bf1592454520ef6d113be9a5f1fd02e1285)

- - - - -
bc5fe9eb by Pavel Březina at 2023-06-19T20:48:03+02:00
cache_req: fix propagation of offline status with cache_first = true

During the first iteration where the provider was not yet contacted,
we set state->dp_success to false and if the record was not found we
returned ERR_OFFLINE instead of ENOENT which causes the cache_req to
continue and search the provider.

Resolves: https://github.com/SSSD/sssd/issues/6739

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 32f578229d38766b208f33130e28317ca69001d2)

- - - - -
d3c3408e by Alexey Tikhonov at 2023-06-21T15:24:04+02:00
SYSDB: in case (ignore_group_members == true) group is actually complete

Example workflow:
 - SSSD client is enrolled into AD domain (Token-Groups are enabled)
 - `id $user` is executed
 - initgroups() is called for this user
 - during processing of initgroups() sssd_be obtains a list of group SIDs
   the user is a member of, and then partially resolves those groups and adds
   them to the local cache as "incomplete" (i.e. 'expired')
 - as a next step `id` calls getgrnam() for every group in initgroups() list
 - since groups are saved into the cache as "incomplete" (technically - "expired")
   this again results in LDAP search of this group.
   But if `ignore_group_members = true` this search doesn't provide
   new information. "Incomplete" groups could be used instead.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b)

- - - - -
50922242 by Alejandro López at 2023-06-23T14:47:38+02:00
TEST: Fix pam-srv-tests to correctly treat the test name

Test suite pam-srv-tests accepts a test name as the last argument to
just run that test. However, this was failing because a pointer to the
name is retrieved but the poptContext is freed immediately after, making
the pointer invalid.

The poptContext is now released after using the pointer.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ca7c9f6066d150c1a88bda6bda2843f244e5289d)

- - - - -
228183bf by Alejandro López at 2023-06-23T14:47:38+02:00
IPA: Do not try to add duplicate values to the LDAP attributes

When using extra attributes, an attribute could be listed twice and
SSSD will try to add it twice to the cache. To handle this situation,
each instance will be added to a single attribute with multiple values,
but duplicated values will be dropped. This is done by calling
`sysdb_attrs_add_val_safe()` instead of `sysdb_attrs_add_val()`.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit dc508f032904f008714418509a13f79a17660659)

- - - - -
42cf3c41 by Alejandro López at 2023-06-23T14:47:38+02:00
UTIL: New function string_in_list_size()

Similar to string_in_list() but instead of taking a NULL-terminated list
it takes a list and its size.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1b45f29f459f13173af99e75b4bb43ed945680aa)

- - - - -
010e61ff by Alejandro López at 2023-06-23T14:47:38+02:00
UTIL: add_strings_lists() becomes add_strings_lists_ex()

Old function add_strings_lists() copies any duplicate value.
New function add_strings_lists_ex() takes an argument to decide
whether to discard duplicate values.

add_strings_lists() is now a wrapper on add_strings_lists_ex().

Both functions now take a const char *** instead of char ** as
output parameter.

An existing test was adapted and a new one added.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2b8fed59140e32f7a8fa9bafe9e84b8db96d1ae5)

- - - - -
bfc88dc3 by Alejandro López at 2023-06-23T14:47:38+02:00
RESPONDER: attr_in_list() is replaced by string_in_list_size()

Both functions do the same thing, so it is useless to have them both.
attr_in_list() has, however, a more descriptive name for its use in
this module, so we'll keep it as an inlined wrapper.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit de258f011b9c6fc97e9157435cd2845be1c5d0e0)

- - - - -
355b0c2e by Alejandro López at 2023-06-23T14:47:38+02:00
IPA: Do not duplicate the entry attributes.

The extra attributes are concatenated to other required attributes for
some operations. In some cases the attribute list ends up having duplicate
attributes, either because accidentally the user added it twice to the
ldap_user_extra_attrs list, or one or more of those attributes are also
in the required list.

Removing the duplicates each time the lists are concatenated increases
the concatenation time. And this is done every time. So we try to
concatenate the attribute lists at start up, filtering duplicates, and
use that list.

To do that, we consider the two cases where the list concatenation is
done. In one of the cases, the added attributes are a subset of the other
list. So we factorized this list to add the common attributes to the list
at start up. Only the non-common attributes are added while serving a
request. The complete list is now stored in the `full_attribute_list`
field.

An existing test suite was adapted to this new situation as it now needs
to initialize the new field.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b50415978d2f0fad3291d86e0a5340be7ab90528)

- - - - -
aa061594 by 김인수 at 2023-06-23T14:51:04+02:00
po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

- - - - -
abce376c by Yuri Chornoivan at 2023-06-23T14:51:04+02:00
po: update translations

(Ukrainian) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/uk/

- - - - -
a94f39f0 by Temuri Doghonadze at 2023-06-23T14:51:04+02:00
po: update translations

(Georgian) currently translated at 8.1% (58 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/

- - - - -
8e80798d by 김인수 at 2023-06-23T14:51:04+02:00
po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

- - - - -
d37d72f0 by Kemal Oktay Aktoğan at 2023-06-23T14:51:04+02:00
po: update translations

(Turkish) currently translated at 98.7% (705 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/tr/

- - - - -
f0d8f936 by Piotr Drąg at 2023-06-23T14:51:04+02:00
po: update translations

(Polish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/

- - - - -
8d3acd3b by Elena Mishina at 2023-06-23T14:51:04+02:00
po: update translations

(Russian) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ru/

- - - - -
d95212b2 by Ludek Janda at 2023-06-23T14:51:04+02:00
po: update translations

(French) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/fr/

- - - - -
4f469c0b by Ludek Janda at 2023-06-23T14:51:04+02:00
po: update translations

(Japanese) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ja/

- - - - -
c40d183c by Ludek Janda at 2023-06-23T14:51:04+02:00
po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/zh_CN/

- - - - -
7f6c10dc by Pavel Březina at 2023-06-23T14:54:07+02:00
pot: update pot files

- - - - -
256e013a by Madhuri Upadhye at 2023-06-23T15:02:55+02:00
Test: Test search filter specific user override or a specific group override

Add automation of BZ2096183.

verifies:
  #6671

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 377ec31a8cab5ecf33c216583e552ea5684157dc)

- - - - -
301e5b38 by Madhuri Upadhye at 2023-06-23T15:03:00+02:00
Tests: When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stops working

When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stops working

Automation of BZ2170720

Verifies:
  #6759

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 57499ff6571a8ca3d8bf2b7d19ec6b14100504c0)

- - - - -
dc8d649b by Pavel Březina at 2023-06-23T15:26:13+02:00
Release sssd-2.9.1

- - - - -
47d04812 by Timo Aaltonen at 2023-06-26T23:37:54+03:00
Merge branch 'upstream'

- - - - -
dac9d5dc by Timo Aaltonen at 2023-06-26T23:38:16+03:00
version bump

- - - - -
b8ff5f1c by Shridhar Gadekar at 2023-06-27T09:48:04+02:00
Test: gating sssd after crash

Using new authentication module for ssh login
instead of existing one

Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit 0171bcb0663093b4d66774bf18404b76eaab9a85)

- - - - -
a8713989 by aborah at 2023-06-27T09:49:21+02:00
Tests: Fix alltest tier1_3 tests with new ssh module

Fix alltest tier1_3 tests with new ssh module

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 56741208742e54228570057eb0b85927f1f7edb8)

- - - - -
7eef9162 by aborah at 2023-06-27T09:50:37+02:00
Tests: Fix IPA tier1_2 tests

Fix IPA tier1_2 tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 7f94e5ca48a16270b0748d87719a807ab85c2ef0)

- - - - -
4e7cfe17 by Alexey Tikhonov at 2023-06-28T12:42:01+02:00
BUILD: Accept krb5 1.21 for building the PAC plugin

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 74d0f4538deb766592079b1abca0d949d6dea105)

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4e249125 by Timo Aaltonen at 2023-07-04T08:48:36+03:00
ci: Allow piuparts to fail, because handling of nsswitch.conf ownership is broken.

- - - - -
3a4ebcd2 by Timo Aaltonen at 2023-07-04T08:48:52+03:00
releasing package sssd version 2.9.1-1

- - - - -
f16e5708 by Sumit Bose at 2023-07-04T15:36:40+02:00
watchdog: add arm_watchdog() and disarm_watchdog() calls

Those two new calls can be used if there are requests stuck, e.g. by
waiting on replies where there is no other way to handle the timeout and
get the system back into a stable state. They should only be used as a
last resort.

Resolves: https://github.com/SSSD/sssd/issues/6803

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 75f2b35ad3b9256de905d05c5108400d35688554)

- - - - -
27987c79 by Sumit Bose at 2023-07-04T15:36:40+02:00
sbus: arm watchdog for sbus_connect_init_send()

There seem to be conditions where the reply in the
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
properly initialize its sbus/DBus server. Since the backend cannot be
connected by the frontends in this state the best way to recover would
be a restart. Since the event-loop is active in this state, e.g. waiting
for the reply, the watchdog will not consider the process as hung and
will not restart the process.

To make the watchdog handle this case arm_watchdog() and
disarm_watchdog() are called before and after the request, respectively.

Resolves: https://github.com/SSSD/sssd/issues/6803

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)

- - - - -
e5741447 by aborah at 2023-07-10T10:11:00+02:00
Tests: Update test_ldap_password_policy.py::test_maxage as per the new sssd change

Update test_ldap_password_policy.py::test_maxage as per the new sssd change

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 5e86af8a30d1270dccc194f64c6c61229b21abf6)

- - - - -
140692c1 by aborah at 2023-07-11T15:38:26+02:00
Tests: Fix test_0002_bz1928648 with new ssh module

Fix test_0002_bz1928648 with new ssh module

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 2487c99c8d56d01cfc3832360d94e7309694521c)

- - - - -
a1e773df by aborah at 2023-07-12T12:17:52+02:00
Tests: Update tier1 test cases with new ssh module

Update tier1 test cases with new ssh module

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 66908221b51cb4c78a201db72e67ec1e341ef94e)

- - - - -
ddfc5e52 by aborah at 2023-07-13T07:12:25+02:00
Tests: Backport of https://github.com/SSSD/sssd/pull/6818

Backport of https://github.com/SSSD/sssd/pull/6818

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
7a635829 by aborah at 2023-07-13T09:45:14+02:00
Tests: Fix test_0008_1636002

Fix test_0008_1636002

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e6fbd1cb by Alexey Tikhonov at 2023-07-13T14:17:49+02:00
SPEC: sync with Fedora spec file

Bringing https://src.fedoraproject.org/rpms/sssd/c/d3ba8fb11abeefd2f817d58507e5ea3bdada2222
upstream

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e91a90cf052c382f9d3b0ac5ddee749c50ee6f36)

- - - - -
15d7d34b by Sumit Bose at 2023-07-13T14:19:07+02:00
sssctl: allow cert-show and cert-eval-rule as non-root

The cert-show and cert-eval-rule sub-commands do not need root access and
do not require SSSD to be configured on the host.

Resolves: https://github.com/SSSD/sssd/issues/6802

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4)

- - - - -
11afa7a6 by Sumit Bose at 2023-07-13T14:19:07+02:00
certmap: fix partial string comparison

If the formatting option of the certificate digest/hash function
contained an additional specifier separated with a '_' the comparison
of the provided digest name and the available ones was incomplete, the
last character was ignored and the comparison was successful even if
there was only a partial match.

Resolves: https://github.com/SSSD/sssd/issues/6802

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc)

- - - - -
aedef959 by Sumit Bose at 2023-07-13T14:19:08+02:00
test: fix linking issue

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 2bc426fa731f02e7a2307287ad122ac532e3589e)

- - - - -
89ff2549 by Madhuri Upadhye at 2023-07-13T14:19:37+02:00
Tests: Minor fix in test_adtrust

correct the variable name.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit ac5480af39c68f711292c4a6b6f9e16c1273eea8)

- - - - -
c26b6b5a by Patrik Rosecky at 2023-07-13T14:20:02+02:00
Tests: converted multihost/test_config.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 0f911c10d6ae16cba0b189bd16827f4b0fa674fa)

- - - - -
d8c18e11 by aborah at 2023-07-14T20:01:59+02:00
Tests: Fix test_maxage

Fix test_maxage

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 34ef9c5f3e90d5c50c7ac5161c39daa2840c92f2)

- - - - -
5bd218b4 by Iker Pedrosa at 2023-07-18T12:36:38+02:00
test: basic tests for ldap_user_extra_attrs

Conversion of test_0001_bz1362023(), test_0002_givenmail() and
test_0037_ad_parameters_extra_attrs_mail() in a system test using the
new framework.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 40e0592df3939f0e231d77d50ec2d11eb373ed7c)

- - - - -
e8c9f3df by Sergio Durigan Junior at 2023-07-18T18:40:11-04:00
Enable files provider.

SSSD 2.9.0 has deprecated "id_provider = files", but that's still
needed for smartcard authentication of local users.

- d/rules: Build with "--with-files-provider".

- d/sssd-common.install: Install libsss_files.so and sssd-files.5.

Closes: #1041438

LP: #2028084

- - - - -
6d4e3ef0 by Sergio Durigan Junior at 2023-07-18T18:40:18-04:00
d/rules: Remove deprecated options "--disable-files-domain".

- - - - -
752e0026 by Madhuri Upadhye at 2023-07-19T09:25:42+02:00
Test: Check case-insensitive while checking with group lookup for an overrideuser

Added automation for following bugs:
  https://bugzilla.redhat.com/show_bug.cgi?id=2192708
  https://bugzilla.redhat.com/show_bug.cgi?id=2196838
  https://bugzilla.redhat.com/show_bug.cgi?id=2196816
  https://bugzilla.redhat.com/show_bug.cgi?id=2196839

verify:
  #6721

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ea34b805b346774462a18378b015c70b30c64199)

- - - - -
84e0aac4 by Pavel Březina at 2023-07-19T13:51:11+02:00
ci: move to new centos8 buildroot repository url

CentOS8 buildroot repo location has changed.

https://lists.centos.org/pipermail/centos-devel/2023-March/142831.html

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b9bb35c1affb8b0178a844955623211e99bbd457)

- - - - -
2f4a3fa8 by Pavel Březina at 2023-07-19T13:51:13+02:00
ci: run workflows on sssd-2-9

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 5c72905ec97a30abe3e5568c56d010279cc25548)

- - - - -
65abf057 by aborah at 2023-07-21T07:04:12+02:00
Tests: Fix KCM::test_client_timeout

Fix KCM::test_client_timeout

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 755c2157e372d6dbbdc94ba94777eaa426f2d2c4)

- - - - -
0b9bc877 by aborah at 2023-07-21T12:05:26+02:00
Tests: Update sssh module for tier 1_3, 1_4 and 2

Update sssh module for tier 1_3, 1_4 and 2

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 4b83a68e31aaac8a84462aec00250ea61aed14b1)

- - - - -
473e2b4c by aborah at 2023-07-24T07:22:01+02:00
Tests: Add sleep time to test_bz785908

Add sleep time to test_bz785908

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 763106ff582511d4f6f9c49ea84a2ac1e202303f)

- - - - -
e26215d6 by Madhuri Upadhye at 2023-07-24T09:56:28+02:00
Tests: Package download

Add python3-libsss_nss_idmap package from utils.py

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 6bed4b7bc14835114e4b0823164ea70a8d69b252)

- - - - -
fd80b421 by Pavel Březina at 2023-07-24T14:54:42+02:00
tests: add pytest-importance plugin to system tests

This plugin adds @pytest.mark.importance("low|medium|high|critical")
and --importance=xyz cli option.

Default importance is medium.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 43dd400dc109e962e7621d4b4045d918d4d9dfb1)

- - - - -
bb46f317 by Pavel Březina at 2023-07-24T14:54:42+02:00
tests: add pytest-output plugin to system tests

This plugin validates test metadata and generates Polarion import XMLs.

To generate the XMLs, call pytest with:

```
--polarion-config=./polarion.yaml --output-polarion-testcase=testcase.xml --output-polarion-testrun=testrun.xml
```

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d3fd983be4358ddde0af58c96a38f561a56b2a25)

- - - - -
b9d3ad10 by Pavel Březina at 2023-07-24T14:54:42+02:00
tests: add requirements to system tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 50df528cc9b8eddf24034d289e754e3fa3d7f5f5)

- - - - -
cc99fdd8 by Pavel Březina at 2023-07-24T14:54:42+02:00
tests: drop tier from system tests

It is replaced by importance marker, which defaults to medium.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 03e39e1969a923889f8179ac34f94a0e0436c9e0)

- - - - -
df727cbb by Pavel Březina at 2023-07-24T14:54:42+02:00
tests: fix docstring in test_config__add_remove_section

Number of steps did not match number of expected results.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit f8848028afef03f68e4893b48002b2c5c1579921)

- - - - -
71876d6c by Pavel Březina at 2023-07-24T14:54:42+02:00
ci: generate polarion xmls from system tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit f3793fc7ca28fb8fdf2b6d8f21d00bdf7c5100a4)

- - - - -
13373ea3 by Pavel Březina at 2023-07-24T14:54:42+02:00
ci: run system test in collect only mode first

This will quickly catch issues in Polarion metadata/docstring without
waiting for the test run to finish.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 1d268bc197eb142264a62c1221fcc3bd8a5ed212)

- - - - -
8c1b5c47 by Iker Pedrosa at 2023-07-24T14:56:50+02:00
man: clarify passkey PIN prompt

If user_verification is enabled, then the PIN will always be requested.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b87c5a6f11f8a584c10a3eb4b74b6084f259182e)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit bfab4907535742128d7140ba1ad858565f70fe3a)

- - - - -
b8b75abe by Justin Stephenson at 2023-07-24T14:56:50+02:00
Change "non_kerberos" to "local" authentication

This is more clear, and aligns with smartcard authentication
verbiage.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit f3f7a4ce11a91f723d4f729858ebb946fdd6c5e2)

- - - - -
5b575fcb by Justin Stephenson at 2023-07-24T14:56:50+02:00
Add local auth policy

local authentication methods policy - Some backends (i.e. LDAP, proxy provider)
only support a password-based authentication, while others can handle PKINIT
based Smartcard authentication (AD, IPA), two-factor authentication (IPA),
or other methods against a central instance. By default in such cases
authentication is only performed with the methods supported by the backend.

To allow more convenient or secure authentication methods which are supported
by SSSD, but not by the backend in cases where a central authentication is
not strictly required the `local_auth_policy` option is added.

Ignore local auth policy when id_provider = files.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit d019132bd44e25b841e0917c034140be67de9a77)

- - - - -
16f12efd by Justin Stephenson at 2023-07-24T14:56:50+02:00
PAM: Fail empty password in passkey fallback

We can assume in this fallback chain that an empty password
is not allowed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 43d89dd2d9d9c86ecd487067a6bbdf1fbf1513bb)

- - - - -
9cecdc1b by Patrik Rosecky at 2023-07-25T12:51:31+02:00
Tests: convert intg/test_memory_cache.py to system tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 01853a10f5495b2d1ae77b60f714ed077a947940)

- - - - -
3734714f by Pavel Březina at 2023-07-25T12:53:26+02:00
tests: fix docstring in test_memory_cache__invalidate_group_after_stop

(cherry picked from commit 7f3431a77fd45eab8bc001cc006027e484294ca3)

- - - - -
346770d6 by Sergio Durigan Junior at 2023-07-25T15:01:09+03:00
Update changelog for 2.9.1-2 release

- - - - -
bedeeb76 by Timo Aaltonen at 2023-07-25T15:01:26+03:00
releasing package sssd version 2.9.1-2

- - - - -
e8bd99ef by Madhuri Upadhye at 2023-07-25T17:03:17+02:00
Tests: Add package for IPA tests

Add python3-libsss_nss_idmap package in common lib of ipa

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit e3dd7cf472f9766f76c2ac449e856061ac587cb8)

- - - - -
fe6be47d by Patrik Rosecky at 2023-07-26T13:35:17+02:00
tests: multihost/basic/sssctl_config_check.py converted

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 5ced015701038bf1d28b91be78ac6d0582871b7c)

- - - - -
be42e37b by Patrik Rosecky at 2023-07-26T13:35:43+02:00
Tests: converted intg/test_memory_cache to test_id

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 28aeb13a284dd4521452a2e18d040338147f265c)

- - - - -
7fbb9a0d by Andre Boscatto at 2023-07-31T13:24:33+02:00
mans: fix typo in ldap_idmap_autorid_compat

Resolves: https://github.com/SSSD/sssd/issues/5198

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 4d1711178dc5c7e5fcef62a49e8a6e861ed68b5b)

- - - - -
83352849 by Patrik Rosecky at 2023-07-31T13:25:22+02:00
tests: converted multihost/basic/test_ldap.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit fe61c459a9c91a46c013384831b777cd2c0b90b5)

- - - - -
0b5d3abd by Pavel Březina at 2023-08-07T12:05:05+02:00
readme: remove github actions badges

These badges stopped working due to breaking changes in the badge
provider:
https://github.com/badges/shields/issues/8671

I don't think we really use them and we did not even update from
sssd-2-7 branch to a newer one or with latest ci changes. Also it
is simple to see the green tick or red cross in github web ui so
these badges are redundant.

Covscan result is kept since you would need to check it on different
page.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit dd21de8433fa54f9cd5ca38227426986d9570e55)

- - - - -
f79ce534 by Iker Pedrosa at 2023-08-14T16:53:21+02:00
passkey: fix two covscan issues

Fixes following covscan issues:
```
Error: CLANG_WARNING:
sssd-2.9.0/src/krb5_plugin/passkey/passkey_utils.c:562:5: warning[unix.Malloc]: Potential leak of memory pointed to by 'data'
 #  560|       }
 #  561|
 #  562|->     json_decref(jroot);
 #  563|       return message;
 #  564|   }

Error: UNREACHABLE (CWE-561):
sssd-2.9.0/src/responder/pam/pamsrv_passkey.c:1039: unreachable: This code cannot be reached: "if (!pctx->passkey_auth) {
...".
 # 1037|   #endif
 # 1038|
 # 1039|->     if (!pctx->passkey_auth) {
 # 1040|           return false;
 # 1041|       }
```

Resolves: https://github.com/SSSD/sssd/issues/6733

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
aba98a49 by Iker Pedrosa at 2023-08-14T16:53:21+02:00
passkey: rename function

Rename `sss_passkey_prefix_json_data()` to
`sss_passkey_message_from_reply_json()`.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9c9a8dee by Alexey Tikhonov at 2023-08-14T17:05:09+02:00
MAN: only mention 'files' provider if its support is built

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 16d3308b4b938a782b43e50b8041e02b8c683e9a)

- - - - -
e19570ef by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
KRB5: avoid another attempt to free 'cc' in 'done:' section if first attempt failed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit f6bbd591d636e4309ec37659f825b0f9c53d4b6b)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e124370f by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
KRB5: use proper function to deallocate mem

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit ff5096bb766765e45aaad156285a603a21aa1bc8)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f745621e by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
KRB5: avoid FORWARD_NULL

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 7f308c6fe01408fa6beb48b9f7627068968da771)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b9fa1af6 by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
KRB5: fix memory leak

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit b69ff375a2b185219bae91c48aa7bfb3138b98f2)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ed6aa8d by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
KRB5: fix memory leak

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 75822701770179582c344960603cce8bd54a7890)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
afbf087d by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
KRB5: avoid RESOURCE_LEAK

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit a83be8fb51172d4e1a282a0a078d81ee93afdcb5)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
996affcf by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
KRB5: fixed RESOURCE_LEAK

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 01f0d067f1e4ba8ec3710f515d21631a53c9c9ef)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4d128367 by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
LDAP: fixed RESOURCE_LEAK

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f7f9f6e5 by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
LDAP: fixed leak of `kprinc`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit eca00ef4719c44c4e68ead3346a16229b6471d13)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
50e2fd24 by Alexey Tikhonov at 2023-08-17T17:24:02+02:00
UTILS: fixed USE_AFTER_FREE

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d02533caca667b51f29fa02ee9ed48c8b3896c69)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4b2dbc2d by François Cami at 2023-08-17T17:24:24+02:00
Fix typo: found => find

Fix typo in error message:
"waitpid did not found" => "waitpid did not find"

Signed-off-by: François Cami <fcami at redhat.com>

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0368c368ad4d05a6e8e1b9b16fe78c8d3c24c978)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
d479b28d by Alexey Tikhonov at 2023-08-17T17:24:38+02:00
UTILS: swap order of seteuid()/setegid()

Otherwise it fails with:
```
6906  16:40:32.455571 setresuid(-1, 996, -1) = 0
6906  16:40:32.455590 setresgid(-1, 993, -1) = -1 EPERM (Operation not permitted)
```

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fcfffb5cf14ddd2ff28873e2274bca226441b40b)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
358e6d18 by Alexey Tikhonov at 2023-08-17T17:24:51+02:00
SBUS: warn loudly if bus denies access

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 9380c8eff6c4abccb4ac9484a2d0eb3d5427546c)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1c417baf by Alexey Tikhonov at 2023-08-17T17:24:51+02:00
IFP: add a comment to 'org.freedesktop.sssd.infopipe.service' to avoid potential confusion

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit d91c944c9f481ee1c78acab686d06452cbe9b81a)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e57b8e77 by Justin Stephenson at 2023-08-17T17:26:08+02:00
Passkey: Warning display for fallback

Warn the user before and after login that a Kerberos ticket may not have been granted.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 348c8f535b7b63cda07f45274fdfe4cdb033490b)

- - - - -
ccbeb647 by Justin Stephenson at 2023-08-17T17:27:15+02:00
Makefile: Respect `BUILD_PASSKEY` conditional

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit a20dadc7ec9b21687356d1b0b0218db89f438c67)

- - - - -
1508225a by Justin Stephenson at 2023-08-17T17:27:15+02:00
pam: Conditionalize passkey code

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit eadee9a2a8f0dfe4f22c460537d6c87c493fa622)

- - - - -
f72763ab by Justin Stephenson at 2023-08-17T17:27:15+02:00
ipa: Add `BUILD_PASSKEY` conditional for passkey codepath

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 7cf9a1ff0e876ea0970a3f0b3c389b87be834b4f)

- - - - -
d0359db1 by Justin Stephenson at 2023-08-17T17:27:15+02:00
pam: Remove unneeded passkey verification call

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 12762d629a9e001d159b14c84ae0bf8e5c5c5280)

- - - - -
19b43cc0 by Justin Stephenson at 2023-08-21T16:26:15+02:00
CI: Add Fedora 40+ to install CI scripts

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit bec58bf451a3b810100cf6bf4b477b40375e49d2)

- - - - -
3d22dcad by Alexey Tikhonov at 2023-08-22T16:08:07+02:00
PROXY: missing `proxy_resolver_lib_name` isn't an error

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 7f7cfc92c8106e08960c5afba63279147ece0a14)

- - - - -
78fba725 by Alexey Tikhonov at 2023-08-22T16:08:37+02:00
Fix compilation warning

```
../src/responder/pam/pamsrv_cmd.c: In function ‘pam_reply’:
../src/responder/pam/pamsrv_cmd.c:1188:10: warning: unused variable ‘pk_preauth_done’ [-Wunused-variable]
 1188 |     bool pk_preauth_done = false;
```

in case SSSD is built without 'passkey' support.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 8079d93ffcd778daf7b381e4032a363e52126f79)

- - - - -
cb86a5ce by Alexey Tikhonov at 2023-08-24T11:04:15+02:00
DP: ENOTSUP isn't a fatal failure for target c-tor

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9fe559402277515c1138fed0ef1f7d06a3deee0a)

- - - - -
d08af4bd by wangcheng at 2023-08-25T11:15:06+02:00
IPA: Change sysdb_attrs_add_val to sysdb_attrs_add_val_safe in debug output

The previous commit (dc508f032904f008714418509a13f79a17660659) modified the function `sysdb_attrs_add_val` to `sysdb_attrs_add_val_safe`, but did not modify the debug output information synchronously.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 01131ba7cea3600dfb54dc163ba1df71eb815931)

- - - - -
e32239d2 by Timo Aaltonen at 2023-08-30T10:44:01+03:00
control, rules: Add bc to build-depends, enable tests again.

- - - - -
9c4ac1bd by Pavel Březina at 2023-08-30T12:40:44+02:00
mc: recover from invalid memory cache size

If we access the mmap file outside its boundaries a SIGBUS is raised.
We can now safely recover if the file has unexpected size.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 641e5f73d3bd5b3d32cafd551013d3bfd2a52732)

- - - - -
0919c921 by Justin Stephenson at 2023-08-31T12:44:55+02:00
Proxy: Avoid ldb_modify failed error

Resolves the sysdb errors returned in the proxy provider
logs when proxy_fast_alias is True.

This extraneous memset call would overwrite the previously
returned pwd buffer, therefore an attempt was made to update
the user's SYSDB_PWD with an empty value causing the error.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit eebb43def9e93c039203993c67148bfdc72c18ad)

- - - - -
e71a3539 by Justin Stephenson at 2023-08-31T12:47:31+02:00
Passkey: Add child timeout handler

If passkey auth times out, the SIGCHLD handler needs to be
destroyed otherwise the SIGCHLD handler tries to access the tevent_req
which was already freed from the timeout.

Resolves: https://github.com/SSSD/sssd/issues/6889

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b516f1e4f2442a18fb4a873e6431ac7a28873dc7)

- - - - -
e2cb4d55 by Patrik Rosecky at 2023-08-31T12:48:11+02:00
Tests: sssctl_config_check: test for incorrectly set value

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e32f899a12a8e5c8ee9919a77c0fbe6a0e30b039)

- - - - -
d935fa6b by Alexey Tikhonov at 2023-08-31T15:56:09+02:00
UTILS: include name of the file that failed perform_checks() in the debug log

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 7d14e529c6ec4d059ae9b3bf9f0576d6d561ca18)

- - - - -
ee8f50f2 by Dan Lavu at 2023-09-01T13:34:09+02:00
TESTS: Porting sss_override test suite

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 24a08aca85cd5dd703edb2a6193b391bfad52cd9)

- - - - -
2a3a132c by Justin Stephenson at 2023-09-04T14:48:44+02:00
Passkey: Conditional fixes

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 053b6e14cea245f59704bbdc7acd30596c6d76f1)

- - - - -
45ed619e by Pavel Březina at 2023-09-06T10:35:47+02:00
sss_iface: do not add cli_id to chain key

Otherwise we only chain identical requests from the same client
which effectively renders chaining not functional.

Resolves: https://github.com/SSSD/sssd/issues/6911

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 1e5dfc187c7659cca567d2f7d5592e72794ef13c)

- - - - -
9d6ab77c by Weblate at 2023-09-07T11:39:59+02:00
po: update translations

(Swedish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/sv/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/zh_CN/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

- - - - -
c84689d7 by Pavel Březina at 2023-09-07T11:48:05+02:00
pot: update pot files

- - - - -
a62efb76 by Pavel Březina at 2023-09-07T12:20:59+02:00
tests: include passkey test code only if passkey is built

Otherwise `make check` fails.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 725c5541d4ee8b47b3877ede2599cf60d7de21d3)

- - - - -
644cd599 by Pavel Březina at 2023-09-07T12:23:33+02:00
Release sssd-2.9.2

- - - - -
6ce6472a by Timo Aaltonen at 2023-09-08T09:09:34+03:00
Merge branch 'upstream'

- - - - -
8cb92c88 by Timo Aaltonen at 2023-09-08T09:10:05+03:00
version bump

- - - - -
0a429107 by Patrik Rosecky at 2023-09-08T14:41:29+02:00
tests: convert multihost/basic/test_basic to test_kcm and test_authentication

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 376534022aebf11d23ee2b70ef13d17ca3842aea)

- - - - -
f1a11708 by Jakub Vavra at 2023-09-11T10:31:26+02:00
Tests: Print krb5.conf when joining realm.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 6540a67c9dac1c4b1c313797b169a32d94702819)

- - - - -
cb1c59c7 by Jakub Vavra at 2023-09-11T10:31:26+02:00
Tests: Split package installation to different transactions.

When a package is missing/broken, dnf does not install anything
on Fedora; this prevented automation from working properly.
This way the "optional" packages are installed separately.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 8fc5aadb1fbdf3ae1fdacc9dc9855db87f521650)

- - - - -
f117da5a by Jakub Vavra at 2023-09-11T10:31:26+02:00
Tests: Handle dns with systemd resolved.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit e73efe153dd2e9ee753cf416030e135700434a67)

- - - - -
18d2eb09 by Marco Trevisan (Treviño) at 2023-09-14T11:45:30+02:00
debian: Add pam-auth-update SSSD Smart card configurations

Make it easier to use smart card authentication via pam_sss.so, adding
profiles that can be used for the common authentication.

The required and optional modes conflict with each other, while the
priority is higher than unix authentication so that user password access
has lower priority.

- - - - -
38380c03 by Marco Trevisan (Treviño) at 2023-09-14T12:34:26+02:00
debian/tests: Add tests for smart card verification

Add integration tests verifying how smart card authentication can be
used and configured using pam-auth-update

- - - - -
b5ab8ee7 by Timo Aaltonen at 2023-09-15T11:18:51+03:00
releasing package sssd version 2.9.2-1

- - - - -
71ca2053 by Pavel Březina at 2023-09-15T10:50:01+02:00
tests: add sssd_test_framework.markers plugin

This loads additional markers defined in the sssd_test_framework.

Currently, there is only `builtwith` to check if SSSD was built with a
particular feature (files-provider only at this moment).

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 233a846e864fe2a364e05d08c3ae91475b5916d1)

- - - - -
674ee267 by Dan Lavu at 2023-09-25T13:41:52+02:00
tests: adding group and importance markers

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit f05d4ec1ecdaef90f3272504dbd9ac6c2e7aa8d8)

- - - - -
ec8f0269 by Jakub Vavra at 2023-09-26T08:16:28+02:00
tests: Add missing pytest marker config.

Reviewed-by: Patrik Rosecky <prosecky at redhat.com>
(cherry picked from commit 39dde256e5e9d226e63898e910b8ffda4428f933)

- - - - -
a4de653f by Sumit Bose at 2023-09-26T16:14:26+02:00
ci: remove unused clang-analyzer from dependencies

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9474e0f4f42375b40e302da727401b9a5e28c2f5)

- - - - -
02bd1d7e by Justin Stephenson at 2023-09-26T16:15:45+02:00
Passkey: Allow kerberos preauth for "false" UV

When IPA passkey configuration sets require-user-verification=false
then the user verification value will be 0. We need to allow this
configuration within the plugin.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 57dac1e29f040a8c65ff815b15b1a8c9b70c276c)

- - - - -
a3111338 by Iker Pedrosa at 2023-09-26T16:15:45+02:00
passkey: omit user-verification

If user-verification is disabled and the key doesn't support it, then
omit it. Otherwise, the authentication will produce an error and the
user will be unable to authenticate.

I have also added a unit-test to check this condition.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit a8daf9790906b7321024fef8e636f9c1b14343ab)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2c05926ed1fa4deab74b80d9faf6e4c26f31f46f)

- - - - -
45fbcd93 by aborah at 2023-09-26T16:18:44+02:00
Tests: Enabling proxy_fast_alias shows "ldb_modify failed: [Invalid attribute syntax]" for id lookups.

Enabling proxy_fast_alias shows "ldb_modify failed: [Invalid attribute syntax]" for id lookups.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit bcbc0b3190e01895ccdce48c60b4966d204bd2f0)

- - - - -
7e45b32a by aborah at 2023-09-26T16:19:42+02:00
Tests: Port rootdse test suite to new test framework.

Port rootdse test suite to new test framework.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 5f3c82d3c9e7ef999ebc2e754be64c81194d68a4)

- - - - -
b86d301c by Alexey Tikhonov at 2023-09-26T16:40:12+02:00
SUDO service: ${DEBUG_LOGGER} was missed for 'sudo'

service in a7277fecf7a65ab6c83b36f009c558cdfbf997d2

Resolves: https://github.com/SSSD/sssd/issues/6920

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 01bee47a1557c0d21c9f35384c53758c70cf97c5)

Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
5469de2f by Justin Stephenson at 2023-09-27T19:39:23+02:00
tests: Improve read write pipe child tests

Add test for multiple reads with a large message, and
add tests for child read/write safe calls.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ae920b9ab3ddb107611f21b842bfddb6077290f1)

- - - - -
00479693 by Justin Stephenson at 2023-09-27T19:39:23+02:00
util: Realloc buffer size for atomic safe read

Realloc and increase the buffer size when safe read returns more
than CHILD_MSG_CHUNK size bytes.

This handles multiple passkey mappings returned from the krb5 child
in kerberos pre-authentication.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1f4fffdb7f57d70151741ea7d844d020250fd309)

- - - - -
0705145c by Alexey Tikhonov at 2023-10-02T09:51:25+02:00
MC: a couple of additions to 'recover from invalid memory cache size' patch

Additions to 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 :

 - handle all invalidations consistently
 - supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`,
   not a pointer to a local var

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 88d8afbb115f18007dcc11f7ebac1b238c3ebd98)

- - - - -
ede391c2 by Justin Stephenson at 2023-10-03T10:50:09+02:00
Passkey: Increase conv message size for prompting

Size needs to handle the prompts for interactive, touch, pin prompt, and
kerberos pre-auth warning message which could all be displayed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 6f8f7c82b2b38220d99395d5d2732281b3cf1867)

- - - - -
583daff7 by Patrik Rosecky at 2023-10-03T10:50:35+02:00
Tests: converted alltests/test_pasword_policy.py to tests/test_ldap.py

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 64422699aed9a0024d39af00462c22dc47a8dfac)

- - - - -
6bba653c by Pavel Březina at 2023-10-03T10:51:01+02:00
ci: install latest SSSD code on IPA server

This allows us to test changes to the server mode as well.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 9dccf7ff61c6dda89300cd36c62830dfff1687ad)

- - - - -
b8b2bfaf by Patrik Rosecky at 2023-10-03T10:52:02+02:00
Tests: alltest/test_sssctl_local.py converted to system/tests/sssctl.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 620af3b3fe160199fa92f49bd03abc91a37a04d7)

- - - - -
7a53c7ac by Patrik Rosecky at 2023-10-03T10:52:44+02:00
Tests: multihost/basic/test_files converted

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ea7273b3d4e93f7cdf5bb6f5defcf1bd38659f8d)

- - - - -
df709da5 by Madhuri Upadhye at 2023-10-03T10:56:39+02:00
tests: add passkey tests for sssctl and non-kerberos authentication

1. Register a key with sssctl
2. Register a key with IPA sssctl command
3. Check authentication of user with IPA, LDAP, AD and Samba

All tests cases automated with umockdev.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 66c0a2d00b872db77d59efb41bac66df0cf04c26)

- - - - -
c6ea805e by Alejandro López at 2023-10-06T11:21:19+02:00
NSS: Replace notification message by a less scary one

Replace the message "Unable to find primary gid" by another one that
sounds less scary and is a little bit clearer for users.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2c59fd211a6b35022fb2a4683918d77610f76660)

- - - - -
a9617cff by Patrik Rosecky at 2023-10-06T11:22:02+02:00
Tests:alltests/test_rfc2307.py converted to test_ldap.py

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 8ecfe20efca6696e94f64fbd2a024f6bcd7bb26d)

- - - - -
8d5752f4 by Patrik Rosecky at 2023-10-06T11:22:39+02:00
Tests: alltests/test_sss_cache.py converted to multihost/test_sssctl.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit b07a7552aac1a1bb4985c31e6005771032d9cad6)

- - - - -
129ceaed by licunlong at 2023-10-06T14:04:07+02:00
cli: calculate the wait_time in milliseconds

The timeout we pass in is 300000ms, and we sleep 1s every
time we get an EAGAIN error, so we need to multiply sleep_time
by 1000.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit a997ee7bd9d259e7faf654cb94145c0135df02f8)

- - - - -
3b939ce9 by Scott Poore at 2023-10-10T15:52:06+02:00
Tests: add follow-symlinks to sed for nsswitch

The multihost/alltests/test_automount_from_bash.py test module runs a
sed against /etc/nsswitch.conf which converts it from a link to a file.
This causes issues with authselect in later tests resulting in test
errors.  This can be fixed by adding the --follow-symlinks option.

The restore() from the fixture should return the config to its original
content.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 1082f2563f5cdc7d4f019c3a85bd0c717fc6fd16)

- - - - -
1fa72109 by Alejandro López at 2023-10-11T13:43:21+02:00
KCM: Remove the oldest expired credential if no more space.

:feature: When adding a new credential to KCM and the user has
          already reached their limit, the oldest expired credential
          will be removed to free some space.
          If no expired credential is found to be removed, the operation
          will fail as it happened in the previous versions.

Resolves: https://github.com/SSSD/sssd/issues/6667

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 93ee0159a0f467ced3412d034ec706dd3508901e)

- - - - -
834b5369 by Alejandro López at 2023-10-11T13:43:21+02:00
KCM: Display in the log the limit as set by the user

max_uid_ccaches is unconditionally incremented by 2 in ccdb_secdb_init()
to create space for some internal entries. We cannot just show this
value as it is not what the user configured.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5)

- - - - -
6218b40f by Jakub Vavra at 2023-10-12T11:23:19+02:00
Tests: Skip tests unstable on other archs and tweak realm join.

Unify realm join for AD params tests to use code with timeout
to prevent suite freezing in sasl authid tests.
Set the whole suite as flaky to retry when realm join freezes.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 88a386e12a11287771d5429b11b066bf6e75e42f)

- - - - -
c799b75d by Jakub Vavra at 2023-10-16T10:23:12+02:00
Tests: Fix AD param sasl tests.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 8264cb573637c08b26c4ff8abcc44e09fd77fec0)

- - - - -
5e35a695 by Alexey Tikhonov at 2023-10-16T10:23:31+02:00
configure: use 'LDB_CFLAGS'

Also add all common *_CFLAGS to cwrap tests.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 421a818f8be269a72c1d78653885ee171ac7c5f5)

- - - - -
c99f684c by Jakub Vavra at 2023-10-16T11:19:12+02:00
Tests: adjoin in test_00015_authselect_cannot_validate_its_own_files

Switch test_00015_authselect_cannot_validate_its_own_files to use adjoin
fixture instead of joining manually.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 4a9f8ebb8032df4b2e8dffb2be80fbd6575b0e7b)

- - - - -
7d73571e by Sumit Bose at 2023-10-16T13:34:48+02:00
utils: enable talloc null tracking

With this patch talloc_enable_null_tracking() is called during
`server_setup()` to make talloc memory usage reports more useful.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 7601918757910994894b9547647602b8c2ac806c)

- - - - -
42face74 by Sumit Bose at 2023-10-16T13:35:17+02:00
proxy: add support for certificate mapping rules

To be able to do local Smartcard authentication the backend must be able
to map a certificate to a user based on the provided mapping rules.

With this patch the proxy provider is able to handle the certificate
mapping rules and users handled by the proxy provider can be configured
for Smartcard authentication. Besides the mapping rule local Smartcard
authentication should be enabled with the 'local_auth_policy' option in
the backend and with 'pam_cert_auth' in the PAM responder.

:relnote: The proxy provider is now able to handle certificate mapping and
  matching rules and users handled by the proxy provider can be
  configured for local Smartcard authentication. Besides the mapping rule
  local Smartcard authentication should be enabled with the 'local_auth_policy'
  option in the backend and with 'pam_cert_auth' in the PAM responder.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit c38699232594b8bdd79dbeed36b7afa5ba9b0512)

- - - - -
351aab97 by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: add NSS module for nss-wrapper support

The main use case of this NSS module is to run proxy provider tests with
cwrap's nss-wrapper.  The proxy provider loads the NSS modules directly
with dlopen() and is not using glibc's NSS mechanism. Since nss-wrapper
just wraps the standard glibc calls and does not provide an NSS module
on its own we have to use this workaround to make proxy provider work
with nss-wrapper.

DO NOT USE THIS IN /etc/nsswitch.conf, it will cause an infinite loop.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit ffd467430310f0671ba78fa0ef0385426f37d51f)

- - - - -
d3649143 by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: replace files with proxy provider in PAM responder test

This patch replaces the deprecated files provider in the PAM responder
tests with the proxy provider. The straight-forward replacement would be
'proxy_lib_name = files' to use libnss_files.so.2 with the proxy
provider. But the tests are using nss-wrapper which wraps the plain
glibc calls. Because of this the test is using a dedicated NSS module to
work with nss-wrapper.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 54f558966aa515370ee6218793a36d4148c80a73)

- - - - -
25a913ea by Sumit Bose at 2023-10-16T13:35:17+02:00
confdb: add new option for confdb_certmap_to_sysdb()

With this new boolean option the backends calling
confdb_certmap_to_sysdb() can indicate if the certificate mapping rules
should be applied for local users or not, which currently means LDAP
based mapping with a search filter string.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 8952f6d8fea4a0e7e18eebf9e6a9f35d32de93bd)

- - - - -
7668ed6e by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: use file and proxy provider in PAM responder test

All Smartcard authentication related tests are run now with the proxy
provider and the deprecated files provider. If the files provider is
be removed the tests can be removed by reverting this patch.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit f5f8030ad7bc469130ed69abec4c2563eca52e17)

- - - - -
04b6a22b by Sumit Bose at 2023-10-16T13:35:17+02:00
intg: add proxy auth with fallback test

SSSD currently assumes that PAM modules configured for the proxy auth
provider expect passwords as input. If a Smartcard is present during the
authentication, but local Smartcard authentication is not enabled, the
user should see a password prompt.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 4d475e41a5223f4bdabc1465bad4d4f87a911064)

- - - - -
793284ab by Justin Stephenson at 2023-10-18T15:29:20+02:00
man: Improve LDAP security wording

All communication, including the identity provided must be
encrypted to prevent attacks.

Resolves: https://github.com/SSSD/sssd/issues/6681

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a48c7445 by Tomas Halman at 2023-10-18T15:31:33+02:00
dyndns: PTR record updates separately

The DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.

It is complicated and in some cases impossible to detect that
PTR updates do not fit into one zone because it often depends
on DNS server configuration.

With this patch PTR record updates are always sent separately.

Resolves: https://github.com/SSSD/sssd/issues/6956

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit f0bba9d5178d18e7b08aaa58375916d111dfeb59)

- - - - -
aa3616b3 by Dan Lavu at 2023-10-18T15:35:22+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit bd839b85e25701116cb8453e142014973a9c6de9)

- - - - -
c866b531 by Dan Lavu at 2023-10-18T15:35:22+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit cb72984e2d533306489c6161678443ce2fe48661)

- - - - -
3fd19c80 by Dan Lavu at 2023-10-18T15:35:22+02:00
Adding test case for bz2167728

* Cleaned up lines since the character count has increased
* Added test ids to existing tests

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 95678ad7e4f18e47cd67aabe660e0c26c07a2ffa)

- - - - -
9c4f7281 by Iker Pedrosa at 2023-10-23T13:27:56+02:00
man: clarify user credentials for `cache_credentials`

It only applies to passwords, not other authentication mechanisms like
smartcards or passkeys.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 38d334ea040e2f5b0da4a3a37618215658b2c3a8)

- - - - -
9e7a08a8 by Patrik Rosecky at 2023-10-23T13:32:53+02:00
TESTS: topology set to KnownTopologyGroup.AnyProvider

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit ce117ae0c25305a5109d0f663d677a9ccae3b68a)

- - - - -
a9498b12 by Jakub Vavra at 2023-10-25T15:07:33+02:00
Tests: Fix autofs cleanups

Autofs tests were not cleaning properly leaving behind stuck/unresponsive
mounts. This was failing other tests that were executed after these suites.
Tests were stuck when trying to create a new local user or listing dirs.

Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 7a3cc7a7be5eb8215709d5074d91567f7b7b60e1)

- - - - -
2bbc8754 by Sumit Bose at 2023-10-25T15:15:27+02:00
ipa: reduce log level of some HBAC log messages

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit a7b19bcb47ddaaaa745a32571b444ee185e79b4c)

- - - - -
fa33c997 by Iker Pedrosa at 2023-10-25T15:59:27+02:00
CI: build passkey for centos-9

Also include RHEL9+ to build passkey in the spec file.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 5a211ec941acde206d52092f5547fc46737f30e5)

- - - - -
9ebaee77 by dependabot[bot] at 2023-10-26T11:34:13+02:00
build(deps): bump DamianReeves/write-file-action

Bumps [DamianReeves/write-file-action](https://github.com/damianreeves/write-file-action) from 41569a7dac64c252caacca7bceefe28b70b38db1 to 0a7fcbe1960c53fc08fe789fa4850d24885f4d84.
- [Release notes](https://github.com/damianreeves/write-file-action/releases)
- [Commits](https://github.com/damianreeves/write-file-action/compare/41569a7dac64c252caacca7bceefe28b70b38db1...0a7fcbe1960c53fc08fe789fa4850d24885f4d84)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0456ecad643428b2ac28c932cb7435c8b914529a)

- - - - -
d154f72d by dependabot[bot] at 2023-10-26T11:34:38+02:00
build(deps): bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 2f5b299996ea8e4d0bdded3eb0b020ed311209f9)

- - - - -
66d115cc by dependabot[bot] at 2023-10-26T11:35:01+02:00
build(deps): bump vapier/coverity-scan-action from 1.2.0 to 1.7.0

Bumps [vapier/coverity-scan-action](https://github.com/vapier/coverity-scan-action) from 1.2.0 to 1.7.0.
- [Release notes](https://github.com/vapier/coverity-scan-action/releases)
- [Commits](https://github.com/vapier/coverity-scan-action/compare/v1.2.0...v1.7.0)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit ff42d88994a13c9f130741a13ee7fe4dac63a5df)

- - - - -
155584ee by dependabot[bot] at 2023-10-26T11:36:59+02:00
build(deps): bump linuxdeepin/action-cppcheck

Bumps [linuxdeepin/action-cppcheck](https://github.com/linuxdeepin/action-cppcheck) from 9ef62c4ec8cd5660952cd02c58b83fa57c16a42b to e63fb1d3f321e0467737aa9de7f691360fb1b8fb.
- [Release notes](https://github.com/linuxdeepin/action-cppcheck/releases)
- [Commits](https://github.com/linuxdeepin/action-cppcheck/compare/9ef62c4ec8cd5660952cd02c58b83fa57c16a42b...e63fb1d3f321e0467737aa9de7f691360fb1b8fb)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit cbb107314100bf2be9f55aa2b967a60d149440ca)

- - - - -
380eafa5 by Pavel Březina at 2023-10-27T13:15:33+02:00
intg: return status code for calls requiring it in fake nss module

To avoid a gcc warning that a function is not returning a value.

```
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_setpwent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:63:1: error: control reaches end of non-void function [-Werror=return-type]
   63 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_endpwent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:77:1: error: control reaches end of non-void function [-Werror=return-type]
   77 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_setgrent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:98:1: error: control reaches end of non-void function [-Werror=return-type]
   98 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_endgrent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:111:1: error: control reaches end of non-void function [-Werror=return-type]
  111 | }
      | ^
```

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4f5b1a25a0bd108cbba77a63dfe50f64f2249764)

- - - - -
e217fa82 by Pavel Březina at 2023-11-02T13:59:45+01:00
ci: get frozen Fedora releases in the matrix

A Fedora release may be in a frozen state (beta freeze, final freeze),
in such a case it is temporarily not visible under "pending"
but under "frozen".

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 17cf4bbb7e7969d6cba4e1a61ef2bb7b6a879c50)

- - - - -
ef5370e9 by Alexey Tikhonov at 2023-11-03T12:07:18+01:00
SSS_CLIENT: replace `__thread` with `pthread_*specific()`

in sss_client code to properly handle OOM condition (with `__thread`
glibc terminates process in this case).

Solution relies on the fact that `sss_cli_check_socket()` is always
executed first, before touching socket.
Nonetheless, there are sanity guards in setters/getters just in case.

It's possible to move context initialization code into a separate
function and call it in every getter/setter, but probably not worth it.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Carlos O'Donell <codonell at redhat.com>
(cherry picked from commit b0212b04f109875936612a52a7b30a80e5a85ee5)

- - - - -
5a546c84 by Pavel Březina at 2023-11-09T12:23:19+01:00
ipa: do not go offline if group does not have SID

This happens during applying overrides on cached group
during initgroups of trusted user. If the group does not
have a SID (its GID is outside the sidgen range), SSSD goes
offline.

Only SSSD running in server_mode is affected.

This patch ignores the error in a single group and rather continues
processing the remaining groups.

Resolves: https://github.com/SSSD/sssd/issues/6942

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 26047f07c0f7aa61a44543de8674ec7d0904812e)

- - - - -
3da54579 by Sumit Bose at 2023-11-10T11:38:43+01:00
PAM: fix Smartcard offline authentication

Even if a Smartcard was inserted and proper certificates were found
offline authentication with the Smartcard was not possible because the
certificate information was accidentally removed from the reply sent to
the PAM module.

Resolves: https://github.com/SSSD/sssd/issues/7009

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 962e9d0529c5ffd4e9b3c342b038daa5dbaa75e9)

- - - - -
2eae8ab4 by Weblate at 2023-11-13T11:47:40+01:00
po: update translations

(Russian) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ru/

po: update translations

(Polish) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/

po: update translations

(Korean) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

po: update translations

(Georgian) currently translated at 13.2% (95 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/

po: update translations

(Polish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/

po: update translations

(Georgian) currently translated at 13.0% (93 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/

po: update translations

(Finnish) currently translated at 10.2% (73 of 714 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/fi/

- - - - -
d380342b by Pavel Březina at 2023-11-13T11:54:22+01:00
pot: update pot files

- - - - -
ee2e0cd9 by Pavel Březina at 2023-11-13T11:55:21+01:00
Release sssd-2.9.3

- - - - -
952f22df by Simon Josefsson at 2023-12-18T09:13:01+01:00
Merge branch 'upstream' into experimental

- - - - -
5e8e5761 by Simon Josefsson at 2023-12-18T09:13:20+01:00
New upstream release.

- - - - -


30 changed files:

- .copr/Makefile
- .git-commit-template
- + .github/actions/build-sssd-srpm/action.yml
- + .github/actions/configure/action.yml
- + .github/actions/install-dependencies/action.yml
- + .github/workflows/analyze-target.yml
- + .github/workflows/ci.yml
- + .github/workflows/copr_build.yml
- + .github/workflows/copr_cleanup.yml
- + .github/workflows/coverity.yml
- + .github/workflows/static-code-analysis.yml
- .gitignore
- − .travis.yml
- − .travis/travis-docker-build.sh
- − .travis/travis-tasks.sh
- − .tx/config
- BUILD.txt
- − Dockerfile
- − Dockerfile.deps
- − Jenkinsfile
- Makefile.am
- README.md
- configure.ac
- contrib/ci/README.md
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/distro.sh
- + contrib/ci/get-matrix.py
- contrib/ci/rpm-spec-builddeps
- contrib/ci/run


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/74e0e0d4142b7fc7645c0f7a4bb32268a43db689...5e8e5761dd190d2e91af6c472f89de4e87a1fd24
