From tjaalton at debian.org Thu Jun 1 10:21:27 2023
From: tjaalton at debian.org (Timo Aaltonen)
Date: Thu, 1 Jun 2023 12:21:27 +0300
Subject: [Pkg-sssd-devel] Bug#1036993: Bug#1036993: /lib/x86_64-linux-gnu/security/pam_sss.so: pam_sss passes KRB5CCNAME with sudo -i (see redhat bug/fix 1324486)
In-Reply-To: <168555809257.5279.8892145677767012964.reportbug@alpha8.centauri.home>
References: <168555809257.5279.8892145677767012964.reportbug@alpha8.centauri.home> <168555809257.5279.8892145677767012964.reportbug@alpha8.centauri.home>
Message-ID: <9609fcbc-6694-6578-4967-5ecb08f581d1@debian.org>

J. Pfennig wrote on 31.5.2023 at 21.34:
> Package: libpam-sss
> Version: 2.8.2-4
> Severity: normal
> File: /lib/x86_64-linux-gnu/security/pam_sss.so
>
> Dear Maintainer,
>
> * What led up to the situation?
>
> using kerberos, AD/DC, sssd and its pam module
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> kinit ... # to get a kerberos ticket
> echo $KRB5CCNAME # path to credential cache
>
> sudo -i user2
> echo $KRB5CCNAME # ORIGINAL path to credential cache
>
> * What was the outcome of this action?
>
> kinit, klist et al fail, wrong credential cache
> echo $KRB5CCNAME # path from original user
>
> * What outcome did you expect instead?
>
> KRB5CCNAME must not be passed
>
> the case is described better than I can do at:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1324486
>
> Bug fixed there in 2017. Could Debian fix it too?
>

The default value for pam_response_filter should already be 'ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i', so this issue should not happen since 2.5.1.
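As an added example (not part of this thread and not sssd's own code), the following Python check parses a pam_response_filter value using the entry grammar documented in sssd.conf(5) (ENV, ENV:<var>, ENV:<var>:<service>; restated as an assumption in the code), falls back to the default quoted in the reply above when no [pam] section overrides it, and reports whether KRB5CCNAME would still be passed into a sudo or sudo -i session. The sssd.conf snippets are constructed for the example.

```python
"""Check whether pam_sss will filter KRB5CCNAME out of sudo / sudo -i sessions."""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional

# Upstream default as quoted in the maintainer's reply (sssd >= 2.5.1).
DEFAULT_PAM_RESPONSE_FILTER = "ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i"

# PAM service names used by plain sudo and by sudo -i.
SUDO_SERVICES = ("sudo", "sudo-i")


@dataclass(frozen=True)
class EnvFilterRule:
    """One ENV entry of pam_response_filter."""
    var: Optional[str]       # None: every variable pam_sss would set
    service: Optional[str]   # None: every PAM service


def parse_response_filter(value: str) -> List[EnvFilterRule]:
    """Parse a pam_response_filter value into EnvFilterRule objects.

    Grammar assumed here, as documented in sssd.conf(5): comma-separated
    entries of the form ENV, ENV:<var> or ENV:<var>:<service>. Anything else
    is rejected so that a typo cannot silently disable the filtering.
    """
    rules: List[EnvFilterRule] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        parts = entry.split(":")
        if parts[0] != "ENV" or len(parts) > 3 or "" in parts[1:]:
            raise ValueError(f"unsupported pam_response_filter entry: {entry!r}")
        var = parts[1] if len(parts) > 1 else None
        service = parts[2] if len(parts) > 2 else None
        rules.append(EnvFilterRule(var, service))
    return rules


def is_env_filtered(rules: List[EnvFilterRule], var: str, service: str) -> bool:
    """True if some rule drops environment variable `var` for PAM service `service`."""
    return any(
        (rule.var is None or rule.var == var)
        and (rule.service is None or rule.service == service)
        for rule in rules
    )


def effective_filter(sssd_conf: str) -> str:
    """Return the filter in force: the [pam] setting if present, else the built-in default."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(sssd_conf)
    if parser.has_option("pam", "pam_response_filter"):
        return parser.get("pam", "pam_response_filter")
    return DEFAULT_PAM_RESPONSE_FILTER


def krb5ccname_leaks(sssd_conf: str) -> Dict[str, bool]:
    """Map each sudo PAM service to True when KRB5CCNAME would still be passed through."""
    rules = parse_response_filter(effective_filter(sssd_conf))
    return {svc: not is_env_filtered(rules, "KRB5CCNAME", svc) for svc in SUDO_SERVICES}


# Constructed sample configurations; not taken from the bug report.
CONF_DEFAULTS = """\
[sssd]
services = nss, pam
domains = example.test

[pam]
pam_verbosity = 1
"""

CONF_PARTIAL_OVERRIDE = """\
[sssd]
services = nss, pam
domains = example.test

[pam]
# The admin overrode the default and only listed plain sudo.
pam_response_filter = ENV:KRB5CCNAME:sudo
"""

CONF_DROP_EVERYWHERE = """\
[pam]
pam_response_filter = ENV:KRB5CCNAME
"""

if __name__ == "__main__":
    for name, conf in (("defaults", CONF_DEFAULTS),
                       ("partial override", CONF_PARTIAL_OVERRIDE),
                       ("drop everywhere", CONF_DROP_EVERYWHERE)):
        print(f"{name:16s} -> {krb5ccname_leaks(conf)}")
```

With the default in force neither service leaks; the partial override shows how listing only `sudo` leaves `sudo -i` with the original user's cache path, which is exactly the symptom in the report.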
--
t

From gitlab at salsa.debian.org Wed Jun 7 12:44:16 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Wed, 07 Jun 2023 11:44:16 +0000
Subject: [Pkg-sssd-devel] [Git][sssd-team/sssd][master] 306 commits: Update version in version.m4 to track the next release
Message-ID: <64806d90acf3f_136f8847284241664@godard.mail>

Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd

Commits:
6a2de710 by Pavel Březina at 2022-10-07T12:58:06+02:00
Update version in version.m4 to track the next release

- - - - -
7a1976c9 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: register key with helper process

Create a helper process to handle the FIDO2 key registration. In order to do that the helper process will parse the command line arguments, list the connected devices, select the first one in the list, prepare the user credentials, generate the key credentials, verify them to ensure that everything has worked correctly and print the credentials.

FIDO U2F fallback has been disabled to force a PIN usage, thus increasing the security as a lost or stolen key would be unusable with it.

Moreover, include the libfido2 dependency in the configuration and the spec file.

Finally, several test cases have been added to the unit tests. Most of them just check the happy path but some error handling is also tested.

:packaging: include libfido2 dependency
:config: New config to build passkey authentication

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5b27a353 by Justin Stephenson at 2022-10-10T13:07:02+02:00
Fido2 child: Add missing options

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9a2548ea by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: make the build conditional

Add a condition to build the FIDO2 support.
Resolves: SSSD#6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f800471e by Iker Pedrosa at 2022-10-10T13:07:02+02:00
sssd.supp: suppress leak errors

The suppression rule for popt malloc needs to be more generic. Moreover, create a new suppression rule for sssd debug initialization when being executed twice: from the production code and from the unit-tests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8bdcc028 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
passkey: change fido2 to passkey

Passkey is a more general term that the industry is using currently.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ab89455b by Justin Stephenson at 2022-10-12T14:22:14+02:00
CI: Build srpm fix for illegal version tag '-'

error: line 45: Illegal char '-' (0x2d) in: Version: sssd-2-7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a5403f78 by Alexey Tikhonov at 2022-10-13T21:00:10+02:00
IPA: "trusted user not found" isn't an error

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b38fdc81 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: avoid syslog message when no domains are enabled

This syslog message would also appear when calling other tools like sss_cache which is confusing. We return specific error code instead and let the error be syslogged in the monitor in monitor.c:main (this is already implemented).

Resolves: https://github.com/SSSD/sssd/issues/6387

:fixes: A regression when running sss_cache when no SSSD domain is enabled would produce a syslog critical message was fixed.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4da86136 by Pavel Březina at 2022-10-13T21:00:38+02:00
monitor: read all enabled domains in add_implicit_services

Reading sssd/domains option is no longer sufficient since domains can be enabled through domain/enabled.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64c22dd1 by Pavel Březina at 2022-10-13T21:00:38+02:00
sss_cache: use ERR_NO_DOMAIN_ENABLED instead of ENOENT

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
df55b1f1 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: change debug level when no domains are found in confdb_get_domains

We print the error as fatal error in the monitor to make sure the message is correctly visible. However, the error is not fatal for tools like sss_cache and it should not be printed there by default. Since the tools have default debug level set to SSSDBG_FATAL_FAILURE, it is sufficient to just drop the level to critical.

Resolves: https://github.com/SSSD/sssd/issues/6387

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a05719fa by Shridhar Gadekar at 2022-10-13T21:01:45+02:00
Tests: Porting the AD-Access-control test-suite to pytest

Minor docstring modifications.
Adding detailed expected results instead of 'should succeed' in docstrings of testcases

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6c0ae779 by aborah-sudo at 2022-10-20T11:04:07+02:00
Tests: port proxy_provider/rfc2307

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a2fd06b by Alexey Tikhonov at 2022-11-01T17:15:46+01:00
CFG RULES: allow 'fallback_to_nss' option

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
71466a8d by Alexey Tikhonov at 2022-11-01T17:19:07+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
103a4888 by Pavel Březina at 2022-11-01T17:19:35+01:00
autofs: do not yield warning on default configuration

This warning has been there for a long time now (since 1.14, 7 years, see 999d6066c7a96f102b692d31435d76114478e874) and it was intended to be removed eventually.

:relnote: SSSD will no longer warn about changed defaults when using `ldap_schema = rfc2307` and default autofs mapping. This warning was introduced in 1.14 to loudly warn about different default values.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6d87af5e by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Add passkey exec command

Simple wrapper which calls the passkey_child process, planned to be used with passkey_child --register and also for troubleshooting.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ee0d73a2 by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Use wrapper function for analyze

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62458d49 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: enable ci for sssd-2-8 branch

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c526acba by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/checkout@v3

checkout@v3 runs on node16 so it will remove deprecation warning: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
770bf7bf by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: use GITHUB_OUTPUT instead of set-output

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b2d193b9 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/upload-artifact@v3

upload-artifact@v3 runs on node16 so it will remove deprecation warning: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2070000a by Alejandro López at 2022-11-02T15:58:35+01:00
CACHE_REQ: Do not use timestamp optimization on "files" provider.

Avoid requesting only the latest updates when using the "files" provider as it only updates the cache if /etc/files or /etc/group is touched. Added a test for this situation.
Resolves: https://github.com/SSSD/sssd/issues/6398

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4c678cbb by Justin Stephenson at 2022-11-03T11:08:21+01:00
Analyzer: Optimize list verbose output

Modify the analyzer to parse the responder log file in one pass. This avoids repeated parsing of a single log file. This operation will now store log lines in a dictionary on a single pass then format and print the output accordingly.

Does not affect 'list' or 'show' output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
214540e7 by Alejandro López at 2022-11-03T11:15:35+01:00
Cache: String has to be duplicated instead of copied

input->name.attr has to be duplicated when not NULL. Just copying the pointer is not a good thing.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
719c9253 by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Initialize domain with NULL

Variable domain is compared to NULL before checking sss_parse_inp_recv()'s return value. Let's initialize it to NULL.

Warning: sss_parse_inp_recv() modifies domain's value when returning EOK or ERR_DOMAIN_NOT_FOUND. The situation is not perfect but is better than before.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8f7c35ea by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Do not return duplicated values.

For each domain, a multi-domain search is done and all the results for each domain are returned each time. This produces several copies of the same results.

Function cache_req_input_parsed() decides whether to launch a multi- or single-domain search based on the domain the user requested.
If the user didn't request a domain (such as in a call to ListByName()), a multi-domain search is launched, even if we are only looking for the current domain. In that case a single-domain search is enough.

Resolves: https://github.com/SSSD/sssd/issues/6360

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
a9796282 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: Correct ListByAttr()'s test

Now that ListByName() and ListByAttr() are fixed, the test needs to be corrected as it was explicitly avoiding that case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
569dca5f by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Consider the domain when looking names in the cache

Using a fully-qualified name based on the expression the user provided, when looking for names in the cache.

Resolves: https://github.com/SSSD/sssd/issues/6361

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
09895561 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: New test for D-Bus' ListByName()

Added a test for the D-Bus function ListByName().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c3453e4e by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Use a const struct in cache_req_data_create()

The structure data is not modified in the function. The const modifier can be used.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ba5439c0 by Weblate at 2022-11-04T11:27:44+01:00
po: update translations (Korean)
currently translated at 51.0% (1331 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Korean)
currently translated at 50.6% (1320 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Korean)
currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations (Korean)
currently translated at 49.9% (1302 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Polish)
currently translated at 4.7% (126 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations (Polish)
currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations (Polish)
currently translated at 1.4% (39 of 2658 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations (Korean)
currently translated at 49.2% (1283 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Korean)
currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations (Ukrainian)
currently translated at 100.0% (2686 of 2686 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations (Russian)
currently translated at 100.0% (2686 of 2686 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations (Ukrainian)
currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations (Russian)
currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations (Ukrainian)
currently translated at 99.3% (659 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations (Polish)
currently translated at 100.0% (663 of 663 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations (Polish)
currently translated at 1.4% (38 of 2662 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations (Korean)
currently translated at 46.5% (1215 of 2609 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
92347d98 by Shridhar Gadekar at 2022-11-04T11:28:28+01:00
Tests: GSSAPI ssh login failing due to a missing directive

Adding the missing pxssh module import

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
a22af6f0 by Pavel Březina at 2022-11-04T11:35:03+01:00
pot: update translations

- - - - -
955192b1 by Shridhar Gadekar at 2022-11-09T10:00:48+01:00
Tests: gssapi ssh login minor fix

Trivial fix, the kinit command was missing '@' after username. It was causing obvious failure to fetch krb ticket.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
dab19a4d by aborah-sudo at 2022-11-09T20:25:30+01:00
Tests: Removing tests from gating pipeline

test_bz1368467 --- this one looks more performance than gating
test_avoid_interlocking_among_threads --- feature not supported

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Steeve Goveas <sgoveas at redhat.com>

- - - - -
60772306 by Shridhar Gadekar at 2022-11-09T20:25:50+01:00
Tests: Use negative cache better for lookup by SIDs

Minor change, adding import of re module

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7c907a7c by aborah-sudo at 2022-11-10T14:04:18+05:30
Tests: Removing tests from gating pipeline

test_bz1368467 --- this one looks more performance than gating

- - - - -
419b9b8f by Dan Lavu at 2022-11-10T09:22:52-05:00
Adding Ported DynDNS Testcases

This is merged branch of two following PRs, 6363 and 6344 which are now closed.

6344 Add the tests but are unreliable.
6363 contains the following changes, rewriting the suite.

* change_hostname fixture would revert back to the hostname in /etc/hostname, updated fixture
* disabled DNS recursion, lookups were being forwarded to authoritative servers resulting in false passing tests
* removed ipv6 address about part of the del_record, would result in passing but the wrong thing being searched
* created a DNSAD object to search for records directly on the DNS server, stabilizing results and skipping any cache
* cleaned up the functions and code for readability

Signed-off-by: Dan Lavu <dlavu at redhat.com>

- - - - -
f24b6daa by Iker Pedrosa at 2022-11-11T10:30:19+01:00
passkey: replace erroneous description

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
28124cfb by Iker Pedrosa at 2022-11-11T10:30:19+01:00
passkey: print PEM formatted public key

When registering a key print the public key in PEM format.
Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3e02de93 by Alexey Tikhonov at 2022-11-15T10:42:28+01:00
UTILS: socket connect: added missing new line and adjusted log level to more appropriate

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a21c6662 by Jakub Vavra at 2022-11-15T10:43:20+01:00
Tests: Add a test for bz1964121 override homedir to lowercase

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1964121
Verifies: #6210

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
25eae1c0 by Alexey Tikhonov at 2022-11-18T14:47:12+01:00
SYSDB: use `sss_strerror()` to handle `ERR_GID_DUPLICATED`

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
93ed5e58 by Alexey Tikhonov at 2022-11-18T14:48:39+01:00
UTILS: got rid of deprecated `inet_netof()` to please 'rpminspect'.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6ef3aade by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
TOOLS: don't export internal helpers

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7af46ba0 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
TOOLS: fixed handling of init error

Before execution of `tool_cmd_init()` `init_err` wasn't set, so `sss_tools_handles_init_error()` check was a no-op. Consequently, a proper check after `tool_cmd_init()` was missing.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
99791400 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
SSSCTL: don't require 'root' for "analyze" cmd

:relnote: `sssctl analyze` tool doesn't require anymore to be run under root.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d4d9aa65 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00
SSSCTL: don't require 'root' for "passkey-exec" cmd

:relnote: `sssctl passkey-exec` tool doesn't require anymore to be run under root.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a7759ab3 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Add the missing admisc pytest marker.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bce2b0c8 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Wait a bit before collecting log in test_0015_ad_parameters_ad_hostname_machine.

This test is unstable on other architectures (ppc64le, aarch64) and it seems that adding a 15s wait before collecting the log gives it enough time to write it properly.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d7e7efe9 by Jakub Vavra at 2022-11-18T15:59:52+01:00
Tests: Fix E126 in test_adparameters_ported.py

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
36e5479b by Alejandro López at 2022-11-18T16:00:24+01:00
BUILD: Fix some warnings thrown while building

Some of them are not actually needed (false positives) but this helps to have a clean build and identify real warnings.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
285f1703 by aborah-sudo at 2022-11-18T16:00:45+01:00
Tests: fix test_bz1368467

This test was failing due to login error.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
bfa8d50c by Justin Stephenson at 2022-11-18T16:01:58+01:00
Analyzer: Ensure parsed id contains digit

In analyzer list verbose output, we parse the last field of cache_req_search_send() lines. Certain log messages need to be filtered out by ensuring the parsed field is a digit, such as the last line below.

[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@testrealm.test
[cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119@domain-zflo.com
[cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119@domain-zflo.com] from cache

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
790e7a77 by Steeve Goveas at 2022-11-18T18:08:51+01:00
Tests: Cannot SSH with AD user to ipa-client with invalid keytab

`krb5_validate` and `pac_check` settings conflict. Setting krb5_validate to false skips the pac_check enabling the login

Verifies: #6355
https://bugzilla.redhat.com/show_bug.cgi?id=2127822
https://bugzilla.redhat.com/show_bug.cgi?id=2128902

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
14748ff9 by Jakub Vavra at 2022-11-22T18:36:33+01:00
Tests: Update fixture using adcli to handle password from stdin.

Adcli changed handling password dialog for bz2124030 so the automation needs to be updated to work properly.
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2f99cd31 by Justin Stephenson at 2022-11-22T18:37:17+01:00
SSSCTL: Add debug option to help message

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ab6910ae by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: verify assertion

Include the assertion verification in the passkey helper process. For that purpose, prepare the assertion request data, select the device to use, get the device options and compare them with the organization policy, decode the public key, request the assert and verify it.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2b0a8f27 by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: public key in PEM format

It helps us obtain the cryptographic algorithm used to generate the key.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6b0d175f by Iker Pedrosa at 2022-11-22T18:37:41+01:00
passkey: input PIN via stdin

For the registration process add a new "quiet" option to suppress the prompts and read the PIN from stdin. For the authentication process always read the PIN from stdin.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f5c0e7b3 by Pavel Březina at 2022-11-25T13:25:11+01:00
ci: make /dev/shm writable

We build SSSD in /dev/shm which is mounted on read-only file system on new podman version. We need to mount it as tmpfs to make it writable.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ae614c17 by Pavel Březina at 2022-11-25T13:25:11+01:00
ci: install correct python development package

The package name has changed on new Ubuntu.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
336b1fac by Iker Pedrosa at 2022-11-25T13:25:39+01:00
ci: fix codeql

libsemanage1-dev renamed to libsemanage-dev in debian and its derivatives.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4a6eb258 by Justin Stephenson at 2022-11-25T13:26:05+01:00
CI: Update core github actions

Update dependent actions to address: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc3fad98 by Jakub Vavra at 2022-11-28T06:32:58+01:00
Tests: Fix automount OU removal from AD.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
340691fa by Cole Robinson at 2022-11-30T16:48:06+01:00
MAN: Fix option typo on sssd-kcm.8

The option is called krb5_renewable_lifetime, not krb5_renew_lifetime

Signed-off-by: Cole Robinson <crobinso at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
91789449 by Sumit Bose at 2022-11-30T16:50:53+01:00
PAC: allow to disable UPN check

Currently it was not possible to skip the UPN check which checks if the UPN in the PAC and the one stored in SSSD's cache are different. Additionally the related debug message will show both principals if they differ.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b3d7a4f6 by Sumit Bose at 2022-11-30T16:50:53+01:00
ipa: do not add guessed principal to the cache

Currently on IPA clients a calculated principal based on the user name and the Kerberos realm is added to the cached user object. This code is quite old and might have been necessary at times when sub-domain support was added to SSSD. But since quite some time SSSD is capable of generating the principal on the fly during authentication if nothing is stored in the cache.

Removing the code makes the cache more consistent with other use-cases, e.g. with the IPA server where this attribute is empty, and allows to properly detect a missing UPN, e.g. during the PAC validation.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
51b11db8 by Sumit Bose at 2022-11-30T16:50:53+01:00
pac: relax default check

To avoid issues with the UPN check during PAC validation when 'ldap_user_principal' is set to a not existing attribute to skip reading user principals a new 'pac_check' option, 'check_upn_allow_missing' is added to the default options. With this option only a log message is shown but the check will not fail.

Resolves: https://github.com/SSSD/sssd/issues/6451

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ad0a8c6a by aborah-sudo at 2022-11-30T16:53:31+01:00
Tests: fix test_sssctl_local.py::Testsssctl::test_0002_bz1599207

test_sssctl_local.py::Testsssctl::test_0002_bz1599207 is affected by disable "implicit files provider"

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e4dd11f2 by Alexey Tikhonov at 2022-12-02T15:20:40+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Addition to 71466a8dbdb1d755ace15680cc2b4b11b68a0573

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3f8bc872 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for serial number

Read the serial number of the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
10d977a3 by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for subject key id

Read the subject key id from the certificate and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9e1b711b by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: add support for SID extension

Check if the SID extension is available, read the SID and make it available.

Resolves: https://github.com/SSSD/sssd/issues/6403

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f293507d by Sumit Bose at 2022-12-02T15:24:14+01:00
certmap: fix for SAN URI

The URI was not added to the list of subject alternative names.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - c4085c9a by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add bin_to_hex() helper function This patch adds a helper function to format hexadecimal strings of binary data. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 11483f1e by Sumit Bose at 2022-12-02T15:24:14+01:00 sssctl: add cert-eval-rule sub-command The new 'cert-eval-rule' sub-command of sssctl show the results of given matching and mapping rules on a given certificate. This should help to find suitable mapping and matching rules and to understand why given certificate is matched or not. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 3676a4fb by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add get_digest_list() and get_hash() Add support to calculate hash/digest values of binary data, e.g. of a certificate. Resolves: https://github.com/SSSD/sssd/issues/6404 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 0a906107 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: dump new attributes in sss_cert_dump_content() Add the newly discovered certificate values, i.e. serial number, subject key id and SID to the output of sss_cert_dump_content() which is used e.g. by 'sssctl cert-show'. 
Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 1303c624 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add LDAPU1 mapping rules Add mapping rule templates for the new discovered attributes, templates for certificate hashes and templates to select individual DN components. To avoid issues with older versions of the library the new templates must use the prefix LDAPU1. :feature: New mapping template for serial number, subject key id, SID, certificate hashes and DN components are added to libsss_certmap. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 4ac53fb5 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add tests for new attributes and LDAPU1 rules Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 882f560e by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add LDAPU1 rules to man page This patch adds the new LDAPU1 mapping rule templates to the sss-certmap man page. 
Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - b0bdf712 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: Add documentation for some internal functions Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 80690213 by Weblate at 2022-12-02T18:27:01+01:00 po: update translations (Korean) currently translated at 63.5% (1657 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 62.6% (1633 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 62.0% (1618 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ po: update translations (Korean) currently translated at 62.0% (1618 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Georgian) currently translated at 7.8% (52 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/ Update translation files Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. 
Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ po: update translations (Korean) currently translated at 61.8% (1612 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ - - - - - 664a436e by Shridhar Gadekar at 2022-12-05T10:18:39+01:00 Test: gssapi test fix minor flake8 fixes Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - 8b09c938 by Alexey Tikhonov at 2022-12-05T11:22:12+01:00 Translations: add missing `tools/sssctl/sssctl_cert.c` and macros Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 714ababe by Alexey Tikhonov at 2022-12-06T16:08:00+01:00 BUILD: deprecate `--enable-files-domain` build option :relnote:`--enable-files-domain` configure option is deprecated and will be removed in one of the next versions of SSSD. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 2fda8e7b by Tomas Halman at 2022-12-06T16:08:47+01:00 RESOLV: Configuration option for DNS search DNS search may increase the time of name resolution significantly. Particularly when SSSD is misconfigured or the DNS server is unreachable. With this patch SSSD can avoid DNS search and the list of domains from resolv.conf is ignored. To avoid DNS search in kerberos library SSSD appends the dot to the server names before they are written into KDC info file. :relnote: SSSD can be configured not to perform a DNS search during DNS name resolution. This behavior is governed by the new dns_resolver_use_search_list. This parameter can be used in the domain section. Default value is true - that means that SSSD follows the system settings. 
Resolves: https://github.com/SSSD/sssd/issues/5390 Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - aac303e8 by Sumit Bose at 2022-12-09T13:22:09+01:00 p11: fix size of argument array Currently 19 options can be set for p11_child and the a NULL at the end the array must have 20 elements. Resolves: https://github.com/SSSD/sssd/issues/6479 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 34d55884 by Alejandro L?pez at 2022-12-09T13:22:39+01:00 BACKEND: Reload resolv.conf after initialization Once the backend initialization is finished, in particular after D-Bus is initialized, reload the resolv.conf file to retrieve any change signaled through D-Bus before its initialization. Resolves: https://github.com/SSSD/sssd/issues/6383 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 81eb0606 by Madhuri Upadhye at 2022-12-09T13:23:51+01:00 Tests: Minor fixes for alltests Enable files domain. 
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Anuj Borah <aborah at redhat.com> - - - - - 4a658e6c by aborah-sudo at 2022-12-09T13:24:19+01:00 Tests: port proxy_provider/rfc2307bis https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307bis Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 7c5dd878 by Weblate at 2022-12-09T13:25:51+01:00 po: update translations (Chinese (Simplified) (zh_CN)) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ po: update translations (Japanese) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ po: update translations (French) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - - - - - c6053c43 by Pavel B?ezina at 2022-12-09T13:35:31+01:00 pot: update pot files - - - - - 153b1c91 by Jakub Vavra at 2022-12-15T20:02:03+01:00 Tests: Add mark tier1_4 so pytest is not throwing warnings. Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - f43d8c9a by Pavel B?ezina at 2022-12-15T21:13:31+01:00 ci: increase timeout for covscan Covscan task started recently taking more then six hours to finish. Six hours is the default timeout and maximum limit for github-hosted runner but we can increase it for self-hosted runner. 
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 24a53663 by Shridhar Gadekar at 2022-12-15T21:15:21+01:00 Tests: port bash idmap testcase to pytest Adding return messages and backup/restore of sssd Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - 7e8b97c1 by Pavel B?ezina at 2022-12-16T12:10:55+01:00 ldap: update shadow last change in sysdb as well Otherwise pam can use the changed information whe id chaching is enabled, so next authentication that fits into the id timeout (5 seconds by default) will still sees the password as expired. Resolves: https://github.com/SSSD/sssd/issues/6477 Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - ddd85f95 by Shridhar Gadekar at 2022-12-20T13:15:52+01:00 Tests: change tier of dyndns tests dropping dyndns from gating, till tests are stable Reviewed-by: Anuj Borah <aborah at redhat.com> - - - - - 02bdef7d by MCJ Vasseur at 2022-12-20T17:57:09+01:00 Fix typo (pasword -> password) Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> - - - - - 2fa80dbd by Shridhar Gadekar at 2022-12-23T14:25:10+05:30 Dropping idmap Test is unstable, moving out of gating for further investigation - - - - - 08784536 by Tomas Halman at 2022-12-23T11:49:18+01:00 cfg_rules.ini update The option kr5_realm was listed twice. The option krb5_kdcinfo_lookahead was missing. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - c4ea2851 by Jakub Vavra at 2022-12-23T11:53:12+01:00 Tests: Move some less important scenarios from tier 1 to tier 2. Skip test_0015_ad_parameters_ad_hostname_machine on multiarch as it is unstable there. Move test_0002_improved_use_negative_sid_for_sid_lookup to tier 2 as it is unstable so it does not block gating. 
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - 42842c16 by Shridhar Gadekar at 2023-01-05T13:30:47+01:00 TESTS: bz2110091 sssd starting offline after reboot changing tier. logs and cache are cleared. Reviewed-by: Alejandro L?pez <allopez at redhat.com> Reviewed-by: Anuj Borah <aborah at redhat.com> - - - - - 0da99b73 by Alejandro L?pez at 2023-01-05T13:31:34+01:00 SDAP: Fixed header file The sdap_access.h header file was not including the sdap_id_op.h header file it depends on. Build worked because sdap_id_op.h happened to be always included before sdap_access.h. Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 11dab864 by Alejandro L?pez at 2023-01-05T13:31:34+01:00 PAM: Localize some forgotten words. The units (days, hours, minutes) were not localized although they were used in a localized sentence. Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 475052a2 by Alejandro L?pez at 2023-01-05T13:31:34+01:00 LDAP: Moved and renamed set_access_rules() Function set_access_rules() was renamed to sdap_set_access_rules(), moved from ldap_init.c to sdap_access.c and made public. Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - ae74a9d1 by Alejandro L?pez at 2023-01-05T13:31:34+01:00 IPA: Add password expiration warning when using ssh keys When using IPA as access provider, it now reads the ipa_access_order parameters from the configuration and, between others, it can process the pwd_expire_policy_warn. The accepted values for ipa_access_order are: - expire (default) - pwd_expire_policy_reject - pwd_expire_policy_warn - pwd_expire_policy_renew There is no ipa_pwd_policy parameter. Internally it is forced to the only accepted value: mit-kerberos. Resolves: https://github.com/SSSD/sssd/issues/5080 :config: ipa_access_order parameter introduced. 
It behaves much like ldap_access_order but affecting IPA domains (id_provider = ipa) and accepting limited values. Please see sssd-ipa(5) for more information. Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - be84d6ee by Alejandro L?pez at 2023-01-05T13:31:34+01:00 PAM: Warn that the password has expired when using ssh keys When using ssh keys and the LDAP_ACCESS_EXPIRE_POLICY_WARN flag, the user is notified is the password is about to expire, but nothing was said if the password had already expired. This patch introduces a message when the password has expired. Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - ede02a20 by Alejandro L?pez at 2023-01-05T13:31:34+01:00 MAN: Cosmetic changes to sssd-ldap.5 Three values of ldap_access_order are presented as an itemized list. Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - cfd71fec by Alejandro L?pez at 2023-01-05T13:45:09+01:00 MONITOR: Move the file monitoring code to util. Everything still works as before, but now the code used in sssd to monitor resolv.conf is moved to a separate file (util/file_watch.c) and everything is more loosely coupled. This is in preparation to move the monitoring to the backends. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - d4e57447 by Alejandro L?pez at 2023-01-05T13:45:09+01:00 TESTS: Add a test for file-watch New tests using the file watching feature with both inotify and polling. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - e1c0af26 by Alejandro L?pez at 2023-01-05T13:45:09+01:00 MAN PAGES: Make try_inotify dependent on HAVE_INOTIFY. 
When HAVE_INOTIFY is not defined (inotify not present), the descrition of try_inotify in sssd.conf.5 man page will only tell that this is not used in systems without inotify. If HAVE_INOTIFY is defined, the full description if provided. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - fadd8eb6 by Alejandro L?pez at 2023-01-05T13:45:09+01:00 BACKEND: Move resolv.conf watching to the backends Moved from the monitor, which no longer reads the file neither notifies the backends they must read it. The file is now monitored by the backends and read immediately after start watching it. Resolves: https://github.com/SSSD/sssd/issues/6383 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 2e3fa180 by Alejandro L?pez at 2023-01-05T13:45:09+01:00 D-BUS: Remove resInit() method from sssd.services This method was used by the monitor to tell the backends to reload /etc/resolv.conf when it detected a change in the file. It is no longer used as the backends now watch resolv.conf by themselves. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - c97d9275 by Alejandro L?pez at 2023-01-05T13:45:09+01:00 FILE WATCH: Get rid of parent_ctx parent_ctx pointed to the memory context to use for the timers. It pointed to the file_watch_ctx which contained it, so better use the file_watch_ctx and avoid having an extra field, and having to pass the memory context as a parameter. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 729c1fc2 by Alejandro L?pez at 2023-01-05T13:45:09+01:00 FILE WATCH: Simplify watching on missing files. This code is needlessly repeated in fw_watch_file() and missing_file(), and it's enough to simply call missing_file(). 
But since now this function is used even before knowing whether the file exists, it is better to rename it to set_file_watching(). A side effect of this is that watch_file() (which ends up calling inotify_add_watch()) returns EOK even when the file is missing, and thus the callback is invoked once. Considering that the flag IN_CREATE was always passed to inotify_add_watch(), I think this could have been hidden by the old code. Polling for the file creation is no longuer used when inotify is used. But because it is still required when inotify fails to initialize (not installed) or use_inotify is set to false, this code cannot be removed. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 29326450 by Alexey Tikhonov at 2023-01-06T20:15:51+01:00 SBUS: don't call `dbus_server_get_address(NULL)` Resolves: https://github.com/SSSD/sssd/issues/6465 Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 76c7fa46 by aborah at 2023-01-13T08:59:18+01:00 Tests: make corresponding tests capture SSSD logs To capture sssd logs in IDM-CI incase of sssd test failure. 
Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - 8cda19e2 by Shridhar Gadekar at 2023-01-13T08:59:47+01:00 Tests: bz2128840 automation minor indentation fix Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - 2bd0c249 by Sargun Narula at 2023-01-13T09:00:14+01:00 Tests: Ported Bash-krb-access-provider to pytest Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - a5176f4d by aborah at 2023-01-13T09:00:37+01:00 Tests: SSSD: `sssctl analyze` command shouldn't require 'root' privileged `sssctl analyze` command shouldn't require 'root' privileged when run with `--logdir` pointing to otherwise accessible files. Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - 067c550c by Jakub Vavra at 2023-01-13T09:00:55+01:00 Tests: Test for bz2144491 UPN mismatch UPN check cannot be disabled explicitly but requires krb5_validate = false as a work-around Bugzilla: - https://bugzilla.redhat.com/show_bug.cgi?id=2148737 - https://bugzilla.redhat.com/show_bug.cgi?id=2144491 - https://bugzilla.redhat.com/show_bug.cgi?id=2148989 - https://bugzilla.redhat.com/show_bug.cgi?id=2148988 Reviewed-by: Anuj Borah <aborah at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 4e600d9b by Alexey Tikhonov at 2023-01-13T18:20:54+01:00 Added a number of missing new lines. Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 723872f3 by Iker Pedrosa at 2023-01-14T00:35:01+01:00 CI: remove flake8 action When a new issue is found, the action is unable to report it properly in the PR and it fails. 
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - b631c317 by Alexey Tikhonov at 2023-01-16T13:08:48+01:00 MAN: mention `attributes` in 'see also' Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 08ccd23f by Alexey Tikhonov at 2023-01-16T13:09:26+01:00 SSS_CLIENT: delete key in lib destructor pthread_key_delete() disables thread at-exit destructors. Otherwise an attempt to execute already unloaded `sss_at_thread_exit()` would trigger segfault. This doesn't solve an issue with leaking on `dlclose()` FDs initialized in multiple threads, but better than crash. Resolves: https://github.com/SSSD/sssd/issues/6505 Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 927fa843 by Iker Pedrosa at 2023-01-17T12:59:38+01:00 passkey: register discoverable credentials Apart from server-side credentials passkey should also register discoverable credentials. Thus, a new argument has been added to select the credential type. Moreover, the user id is also printed. Example: passkey:credentialId,pemPublicKey,userId Resolves: https://github.com/SSSD/sssd/issues/6228 Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 62654e25 by Iker Pedrosa at 2023-01-17T12:59:38+01:00 passkey: user id for discoverable credentials If the credential is discoverable, then print the user id. 
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - bd02f637 by Iker Pedrosa at 2023-01-17T12:59:38+01:00 passkey: fix uninitialized variable 616 in authenticate() 610 goto done; 611 } 612 613 ret = FIDO_OK; 614 615 done: >>> CID 377752: Uninitialized variables (UNINIT) >>> Using uninitialized value "pk_data.type" when calling "reset_public_key". 616 reset_public_key(&pk_data); 617 if (dev != NULL) { 618 fido_dev_close(dev); 619 } 620 fido_dev_free(&dev); 621 fido_assert_free(&assert); 622 fido_dev_info_free(&dev_list, dev_list_len); 623 624 return ret; Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 7caf2da3 by Dan Lavu at 2023-01-17T11:17:12-05:00 Fixing dyndns tests The server may not update DNS right away, updated the function to perform a lookup up to 5 minutes, otherwise the test will have failed. Signed-off-by: Dan Lavu <dlavu at redhat.com> - - - - - 4e9c2fdb by Shridhar Gadekar at 2023-01-19T12:09:05+01:00 TESTS: clean up group delete fix from correct 'ou' group object deletion fix Reviewed-by: Anuj Borah <aborah at redhat.com> - - - - - 5021d239 by aborah at 2023-01-19T12:09:34+01:00 Tests: Fix minor error in root privilage test mkdir: cannot create directory ?/tmp/sssd?: File exists Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - 718afc29 by Florence Blanc-Renaud at 2023-01-26T12:54:47+01:00 Passkey: flush stdout IPA command "ipa user-add-passkey --register" reads the output of passkey_child line by line in order to re-print the useful messages and extract the generated passkey. Flush stdout so that ipa gets the messages without delay. 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 501e05f4 by Alexey Tikhonov at 2023-01-26T12:55:06+01:00 BUILD: remove `--enable-files-domain` build option :relnote:Previously deprecated `--enable-files-domain` configure option was removed. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 6b048a6a by Alexey Tikhonov at 2023-01-26T12:55:06+01:00 INTG TESTS: make `get_call_output()` respect `check` arg for Python < 3.7 Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 708a924a by Jakub Vavra at 2023-02-01T14:20:55+01:00 Tests: Changes to the version handling and fixture create_testdir. Function package_mgmt was not handling RHEL 9 properly. service_sssd was doing exactly nothing on RHEL 9. Fixture create_testdir was needlessly iterating lists via indexes and duplicating code. Removed some useless elses after return. Fixed import order. Switched to f-strings. Disabled some pylint warnings. Reviewed-by: Dan Lavu <dlavu at redhat.com> Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - 32a8b953 by Jakub Vavra at 2023-02-01T14:20:55+01:00 Tests: Optimize winhost properties QeWinHost class had properties that were repeatedly calling command line commands. This was slow, inefficient and created mess in the test logs. 
Reviewed-by: Dan Lavu <dlavu at redhat.com> Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - 7a68ed1f by aborah at 2023-02-02T11:50:22+01:00 Tests: Fix ipa tests wrong ipa_client_ip Fix ipa tests wrong ipa_client_ip Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - d249154c by Shridhar Gadekar at 2023-02-02T11:53:34+01:00 Test: porting of failing rfc2307bis testcase change to tier1_4 Reviewed-by: Anuj Borah <aborah at redhat.com> - - - - - c0b394ab by Pavel B?ezina at 2023-02-02T12:02:34+01:00 sudo: skip smart refresh if it happens inside full refresh Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - fc4f0399 by Jakub Vavra at 2023-02-02T14:40:11+01:00 Tests: Fix incorrect distro parsing in qe_class on Fedora. Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 13d420ca by aborah at 2023-02-09T07:19:54+01:00 Tests: Fix test test_0017_filesldap Logs string has changed. Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - 4138b0a7 by Justin Stephenson at 2023-02-09T13:11:10+01:00 MAN: ldap_group_name enhancement with nested groups Resolves: https://github.com/SSSD/sssd/issues/6544 Reviewed-by: Scott Poore <spoore at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - fe67123c by Alejandro L?pez at 2023-02-09T13:11:34+01:00 CONFIG-CHECK: Extracted code checking 'inherit_from' Extracted the code checking that 'inherit_from' is not present in a domain section from custom_sssd_checks() to its own function named check_domain_inherit_from(). Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 1911ad64 by Alejandro L?pez at 2023-02-09T13:11:34+01:00 CONFIG-CHECK: Function always returns EOK The function custom_sssd_checks() ignored the error codes and always returned EOK. Now it returns the corresponding error code. 
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 255d9f6e by Alejandro L?pez at 2023-02-09T13:11:34+01:00 CHECK-CONFIG: id_provider is now mandatory For domains, the presence of 'id_provider' was accepted but no other check was done. In particular, this option is mandatory and has a limited set of accepted values. These changes introduce those checks. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - f604d033 by Alejandro L?pez at 2023-02-09T13:11:34+01:00 TESTS: Test mandatory id_provider Adapter the existing tests for the mandatory 'id_provider' and created a test for the case when 'id_provider' is missing. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - f283248f by Alejandro L?pez at 2023-02-09T13:11:34+01:00 CONFIG-CHECK: inherit_from is not a typo The error message asked the user if introducing `inherit_from` in a domain was a typo. This is an error but not a typo. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 53c8e8f0 by Dan Lavu at 2023-02-13T12:54:46+01:00 Removing unnecessary restart unnecessary restart This allows us to do minimal changes to run existing tests, not as the root user. Testing the non root feature of SSSD. Adding an ansible play that creates a stub configuration file in /etc/sssd/conf.d/ i.e. /etc/sssd/conf.d/nonroot.conf containing [sssd] user = sssd This sssd restart happens before SSSD is configured and when it contains the stub file, it is an invalid configuration. 
Signed-off-by: Dan Lavu <dlavu at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Scott Poore <spoore at redhat.com> - - - - - 3dfc82a0 by aborah at 2023-02-13T12:56:17+01:00 Tests: Fix subidranges test Add removal of maps.sh and unshare.pid Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - 6ffd46d1 by Alexey Tikhonov at 2023-02-13T12:57:05+01:00 MAN: remove "experimental" notice off LDAP access control based on NDS attributes. It's there since 37e7e93f1996cf50677cf59fd8af6938dd5d85b2, clearly not "experimental" anymore. Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - aa5c0c9c by Alexey Tikhonov at 2023-02-13T12:57:05+01:00 BUILD: remove long time unused '--enable-all-experimental-features' It haven't been used since b2f9e5b7d553172401a340eb4a9c3abda6b5db43 :relnote: Long time unused '--enable-all-experimental-features' configure option was removed. Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 0b8638d8 by Alexey Tikhonov at 2023-02-13T12:57:27+01:00 SSS_CLIENT: fix error codes returned by common read/write/check helpers. It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)` error condition is detected, regular `POLLIN/POLLOUT` won't be set. Error code set by error condition should have a priority. This enables users of this helper to retry attempt (as designed). Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - ef93284b by Alexey Tikhonov at 2023-02-13T12:57:27+01:00 SSS_CLIENT: if poll() returns POLLNVAL then socket is alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise there is a risk to close "foreign" socket opened in another thread. 
Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - bf3f73ea by Alexey Tikhonov at 2023-02-13T12:57:27+01:00 PAM_SSS: close(sss_cli_sd) should also be protected with mutex. Otherwise a thread calling pam_end() can close socket mid pam transaction in another thread. Bug only manifested on platforms where "lockfree client" feature wasn't built. Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 7fb89ab0 by Sumit Bose at 2023-02-13T12:58:31+01:00 passkey: do not copy more than received Since buf is not initialized to 0 talloc_strdup() might actually copy more data than was received. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 4e654005 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00 PAM: removed outdated comment Comment wasn't relevant since 5dccf76aff8ac5b4adf000c8b701a7a9fae506c2 Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - c55bb397 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00 Use `is_files_provider()` helper where possible. Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - 8e75bb61 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00 RESPONDERS: get rid of `NEED_CHECK_PROVIDER` helper Since implementation of "local" provider was removed, the only provider that doesn't need to "check provider" is "files provider". 
Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - 6ba0187e by Sumit Bose at 2023-02-17T15:01:40+01:00 certmap: fix to handle ediPartyName Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - ced32c44 by Sumit Bose at 2023-02-17T15:01:40+01:00 certmap: Handle type change of x400Address Due to CVE-2023-0286 the type of the x400Address member of the GENERAL_NAME struct was changed from ASN1_TYPE to ASN1_STRING. The following patch tries to make sure that the x400Address can be extracted from the certificate in either case. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - d4f7ed69 by Alexey Tikhonov at 2023-02-17T15:02:26+01:00 MONITOR: fix `socket_activated` flag initialization When socket activated service connects for the first time, it is added to `mt_ctx->svc_list` by `socket_activated_service_not_found()` with a proper `socket_activated = true`. But when it reconnects again, `get_service_in_the_list()` finds it in `mt_ctx->svc_list` and overwrites `socket_activated = false` unconditionally. This patch moves `socket_activated = false` to `start_service()`. 
Resolves: https://github.com/SSSD/sssd/issues/6324

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
59d2f945 by Pavel Březina at 2023-02-17T15:03:26+01:00
fix missing new line in sss_iface.c and docstrings.rst

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f44e5864 by Pavel Březina at 2023-02-17T15:04:28+01:00
tests: fix all flake8 issues

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
61f1b893 by Sargun Narula at 2023-02-23T09:20:04+01:00
Tests: Ported Bash-krb-fast-principal to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
66687d8c by aborah at 2023-02-23T09:20:37+01:00
Tests: Port bz785908 and bz785898

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L424
https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L300

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
173d0867 by aborah at 2023-02-23T09:21:04+01:00
Tests: Port Thread issue can cause the application to not get any identity information bz847043

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL9.2/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L774

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
a75557b7 by Shridhar Gadekar at 2023-02-23T09:23:27+01:00
Test: porting bash range_retrieval to pytest

removing unused import

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
bd803bf6 by Pavel Březina at 2023-02-23T15:28:01+01:00
nssidmap: add getsidbyusername and getsidbygroupname

:feature: NSS IDMAP has two new methods: `getsidbyusername` and `getsidbygroupname`

Resolves: https://github.com/SSSD/sssd/issues/6565
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9f8e7115 by Alexey Tikhonov at 2023-02-28T21:47:32+01:00
MAN: describe security risk of `cache_credentials`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ce24d38 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
UTILS: missing domain in `sss_parse_name()` input isn't SSSDBG_CONF_SETTINGS

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f5787878 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
NSS: empty result of `..._group_by_origgid()` isn't an error

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
e5fba8f9 by Alexey Tikhonov at 2023-02-28T22:05:43+01:00
TESTS: fix compilation issue with musl libc

Resolves: https://github.com/SSSD/sssd/issues/6487

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
97c671e4 by aborah at 2023-03-02T13:41:47+01:00
Tests: Port automount bash tests to pytest

https://gitlab.cee.redhat.com/aborah/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/automount

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
97e040f9 by Jakub Vavra at 2023-03-03T12:51:04+01:00
Tests: Set cryptopolicy for master for AD fips tests.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
61d6030b by Sargun Narula at 2023-03-03T12:51:34+01:00
Added entry for krb_access_provider in readme.rst

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
fb5a300b by Justin Stephenson at 2023-03-03T12:52:04+01:00
passkey: Add configuration options

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fbbe9ba3 by Justin Stephenson at 2023-03-03T12:52:04+01:00
authtok: Add Passkey type

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
57152761 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Add new option ldap_user_passkey

Retrieve user passkey mapping data from the below LDAP attributes:

IPA: ipaPasskey
AD: altSecurityIdentities
LDAP: passkey

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3f24aa71 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Extend IPA config search

Allow providing a custom search filter and search base, enabling this API to also retrieve passkey configuration objects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ec677493 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Add DNS Domain name to struct sss_domain_info

dns_name string will be populated for IPA and AD domains

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ea9bcab6 by Justin Stephenson at 2023-03-03T12:52:05+01:00
IPA Retrieve passkey configuration

Retrieve the require user verification value (on/off/default) from the IPA passkey configuration.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b92ff263 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Call the passkey helper binary

When passkey auth is enabled, call the passkey child to interact with the passkey device.

Resolves: https://github.com/SSSD/sssd/issues/6558

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f8fe399 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Support Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64f98463 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey (Pre)auth

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
938676a3 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64aa2672 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Add destructor for passkey pin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5a22aefb by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Covscan NULL check for cache req result domain

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7356881c by Alexey Tikhonov at 2023-03-07T20:49:52+01:00
SDAP: removed leftovers after 65bd6bf05d75c843e525f8bf89e9b75b02a2bfb7

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a9bc94f0 by Alexey Tikhonov at 2023-03-07T20:50:17+01:00
INTG-TESTS: add missing files to Makefile.am

Resolves: https://github.com/SSSD/sssd/issues/6588

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5c83deb5 by bluikko at 2023-03-07T20:50:47+01:00
src/util/domain_info_utils.c: fix typo

Typo in libdefaults typed as kibdefaults.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
47f82a41 by Gioele Barabucci at 2023-03-07T20:51:17+01:00
Makefile: Install dbus policy in /usr, not /etc

From <https://bugs.debian.org/1006631>:

> dbus supports policy files in both `/usr/share/dbus-1/system.d` and
> `/etc/dbus-1/systemd`. [The] recently released dbus 1.14.0, officially
> deprecates installing packages' default policies into `/etc/dbus-1/systemd`,
> instead reserving it for the sysadmin. This is the same idea as the
> difference between `/usr/lib/udev/rules.d` and `/etc/udev/rules.d`.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
067cc5cc by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
BUILD: make "files provider" build configurable

:relnote:"Files provider" (i.e. `id_provider = files`) is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using `--with-files-provider` ./configure option. Or consider using "Proxy provider" with "proxy_lib_name = files" instead.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
978ef179 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
UTILS: force inline `is_files_provider()`

This hopefully will ensure that compiler optimizer will remove unused code that depends on `if (is_files_provider())` branch in case files provider isn't built.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c53390a8 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
DP: warn loudly if config uses 'files' when support wasn't built

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8962eaca by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
INTG-TESTS: enable '--with-files-provider'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e623fac7 by Timotej Lazar at 2023-03-09T11:25:21+01:00
tests: use echo instead of /bin/echo in Makefile

The binary might be somewhere else or not available at all during build. No special features are needed so the shell builtin is enough.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9fd8da28 by Sargun Narula at 2023-03-09T11:25:59+01:00
Fixed domainname value in krb_ldap_connection

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
34f1c222 by SargunNarula at 2023-03-09T11:25:59+01:00
Reused sssdTools Instance

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
30daa0cc by Iker Pedrosa at 2023-03-09T11:27:30+01:00
spec: update to include passkey

Update the spec file to include the passkey feature. Made it configurable so that it can be disabled, added the dependencies and the passkey subpackage, and also include the passkey_child.

:feature: New passkey functionality, which will allow to use FIDO2 compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it will also issue a Kerberos ticket automatically.

:packaging: Include passkey subpackage and dependency for libfido2.
:config: New options to enable and tune passkey behaviour: 'pam_passkey_auth', 'passkey_verification', 'passkey_child_timeout', 'interactive', 'interactive_prompt', 'touch' and 'touch_prompt'.

Resolves: https://github.com/SSSD/sssd/issues/6228
Relates: https://github.com/SSSD/sssd/issues/6551

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
712377ea by Pavel Březina at 2023-03-09T11:28:34+01:00
tests: add system tests using pytest-mh framework

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9145544f by Jakub Vavra at 2023-03-10T09:28:16+01:00
Tests: Add a remedy for a missing multihost_dir.

Move the create_testdir fixture to fixtures.py and make sure that it is used. Extend it to create testdir and env.sh also on windows machines.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
50a3a191 by Justin Stephenson at 2023-03-10T09:29:17+01:00
Passkey: Use correct User verification comparison

IPA require user verification configuration value changed from "on, off, omit" to a boolean value of "True" or "False".

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1c55f0d4 by Jakub Vavra at 2023-03-13T10:40:18+01:00
Tests: Refactor join ad.

Refactored pieces for joining and leaving ad to reuse more code. Changed realm join to use DC instead of realm to mitigate machines on different networks that breaks auto-discovery. Lock resolv.conf so it is not broken by cloud-init after machine reboot.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
80d28bab by Jakub Vavra at 2023-03-13T12:59:58+01:00
Tests: Make sure that session_multihost.ad is always available.

We need it to be defined at least as an empty list so we do not get an AttributeError when we try to iterate over it.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
cc0545b4 by aborah at 2023-03-22T10:20:11+01:00
Tests: Port Bash Password Policy to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.7/client/ldap_provider/ldap_id_ldap_auth/password_policy.sh

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
96a0e9fb by David Härdeman at 2023-03-23T10:36:56+01:00
LDAP: Handle MIT LDAP KDB password expiry

Currently SSSD only treats a missing krbPasswordExpiration attribute as an indication that a given password never expires (which is how the FreeIPA KDB plugin handles the expiry).

The MIT implementation, however, treats *either* a missing attribute *or* a zero attribute as meaning that the password doesn't expire.

$ kadmin getprinc bob
Principal: bob@EXAMPLE.COM
...
Password expiration date: [never]
...

$ ldapsearch -Z -x -LLL "(uid=bob)" | grep krbPasswordExpiration
krbPasswordExpiration: 19700101000000Z

Note that 19700101000000Z == (time_t)0

Resolves: https://github.com/SSSD/sssd/issues/6612

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ce81f017 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: include requirements.txt in system tests documentation requirements

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
df7a5c33 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: build system tests documentation in readthedocs

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
42594c37 by HelloCarry at 2023-03-23T10:37:57+01:00
fix sysvol_gpt_version may be used uninitialized

Resolves: https://github.com/SSSD/sssd/issues/6610

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9aece27d by Dan Lavu at 2023-03-23T10:38:21+01:00
Adding ptr zone creation to class setup

The AD server may be provisioned onto a different subnet than the client, adding a fixture to add both the AD server and client PTR zones to DNS. In addition, cleaned up the find_a and find_ptr functions to remove false positives.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
92d1b469 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: move select authenticator

Move select authenticator logic to its own function.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bccdc2af by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: obtain assertion data

New action to obtain the assertion data. For that purpose, prepare the assertion request data, select the device to use, select the authenticator, get the device options and compare them with the organization policy, request the assert, get the authenticator data, get the signature and print all this information.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f77ec4f5 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: verify assertion data

New action to verify the assertion data.
To this end, prepare the assertion data, including the authenticator data and the signature; decode the public key and verify the assertion.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8218634d by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: replace printf by PRINT

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c6db359f by aborah at 2023-03-27T10:20:41+02:00
Tests: Fix restore work for ipa test

Fix restore work for ipa test

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b3c681a7 by aborah at 2023-03-27T10:21:14+02:00
Tests: Port bash inmemory_cache test suite to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/inmemory_cache

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
132fb401 by Alexey Tikhonov at 2023-03-27T12:43:48+02:00
Deprecate 'sss_simpleifp' library.

:relnote:'sss_simpleifp' library is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using `--with-libsifp` ./configure option.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c586b9a2 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDERS: delete obsolete 'responder_sbus.h'

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
437dbe9e by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
MONITOR: currently only 'ifp' doesn't support running as non-root

This should be easier to read.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e2106c94 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
SUDO: fix mistype

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5159992d by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDER: use safe helper

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
64424963 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
UTILS: sanitize `cli_creds_get_*` macro

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
55e27a42 by Alejandro López at 2023-03-27T12:44:34+02:00
KCM: Switch default caches only when there is no current default.

Only when there was a current default cache (uuid_is_null(old_dfl_uuid) == false), the default cache was switched. This condition should be negated so that the cache is switched when there is no current default.

Resolves: https://github.com/SSSD/sssd/issues/6357

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0e25f0d1 by answer9030 at 2023-03-27T12:45:04+02:00
Fixed pid wrapping in sss_cli_check_socket

Resolves: https://github.com/SSSD/sssd/issues/6592

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5c363bfb by answer9030 at 2023-03-27T12:45:04+02:00
Fixed the problem of calling getpid() and lstat() twice in sss_cli_check_socket()

the second call to getpid() and lstat() is redundant.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae691f0b by Alexey Tikhonov at 2023-03-27T12:46:14+02:00
NSS: change default value of 'cache_first' to 'true'

Having 'cache_first' as 'false' is a performance degradation without a reason in the multi-(sub)domains environments (typical case when AD is involved). But there is a subtle issue that doesn't allow to switch default when 'files provider' is used.

:config: Default value of 'cache_first' option was changed to 'true' in case SSSD is built without 'files provider'.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cfc591d6 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Include struct ldb_dn in struct sdap_search_base

struct sdap_search_base includes the DN as a string. To better compare the DNs it is better to use a struct ldb_dn, in addition to the string. The struct ldb_dn also needs to keep the associated struct ldb_context, so we are also storing it in the structure.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
84e7dbc9 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Ignore the cn=views entries in nested groups

When resolving the nested groups, ignore any entry in cn=views,cn=accounts,$BASEDN (or whatever the user configured).

Resolves: https://github.com/SSSD/sssd/issues/6548

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9e9d5825 by Alejandro López at 2023-03-27T12:47:50+02:00
Tests: Test that cn=views is ignored.

Add a new test to check the ignored search bases.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
62cb54dc by Pavel Březina at 2023-03-30T12:17:48+02:00
tests: make pytest-ldap aware of TLS options

OPT_X_TLS_NEWCTX must be set to create a new TLS context after changing TLS options in order to actually use them in python-ldap.

This is required to run the tests inside idm-ci where the internal hostname that is used in certificate does not match the external hostname or IP address that is used to connect to the remote host.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
745379bc by Justin Stephenson at 2023-03-31T12:30:44+02:00
SSSCTL: Switch passkey-exec to passkey-register

Users currently only need to call --register

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f46fe473 by Jakub Vavra at 2023-04-03T09:37:32+02:00
Tests: Skip test_0002_ad_parameters_junk_domain on multiarch

The test does not work properly on multiarch due to beaker being on a different network than openstack. Fixed some misleading comments.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
9c17615a by aborah at 2023-04-04T12:12:38+02:00
Tests: don't fail if chattr file doesn't exist

error: DEBUG - chattr: Operation not supported while reading flags on /etc/resolv.conf

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ad68d71c by Pavel Březina at 2023-04-04T12:13:16+02:00
passkey: add Kerberos plugins

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a16c256 by Pavel Březina at 2023-04-04T12:13:16+02:00
idp: switch to common API for radius-style plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cdfe2c51 by Justin Stephenson at 2023-04-04T12:13:16+02:00
Authtok: Support SSS_AUTHTOK_TYPE_PASSKEY{_REPLY}

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5de070f9 by Justin Stephenson at 2023-04-04T12:13:16+02:00
pam_sss: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7c34742c by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c76ba343 by Justin Stephenson at 2023-04-04T12:13:17+02:00
PAM: Passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9869e487 by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Increase child buffer and chunk size

Passkey data can be larger than 512 bytes. Received passkey data from krb5 with multiple credentials exceeds 256 bytes.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
88f4d3cf by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Add util function to prefix passkey data

Allows converting passkey child --get-assert output to the format which the passkey krb5 plugin expects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1032ca21 by Justin Stephenson at 2023-04-04T12:13:17+02:00
MAN: Clarify user_verification will be overwritten

The user_verification sssd.conf option for passkey will only be used with LDAP or AD, in the non-kerberos pre-auth case.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bb21171b by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Changes to debug_libfido2 option

Change debug_libfido2 to passkey_debug_libfido2 and move from passkey verification options to PAM option

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5744bad7 by Justin Stephenson at 2023-04-04T12:13:17+02:00
Tests: Amend PAM Preauth tests

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9e061fc0 by Jakub Vavra at 2023-04-04T14:58:56+02:00
Tests: Remove keytab on realm leave.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
a5efc5e6 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: fix type errors due to type enhancements in jc

The library we depend on `jc` made its typing more specific so we need to check that we got the expected type.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
3d0fcca3 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: avoid list() and dict() as default parameter value

"Default parameter values are evaluated from left to right when the function definition is executed."
which means that the list or dict is created only once and then the same reference is passed to the function with each invocation, so the function calls can be affected by the previous one.

See: https://docs.python.org/3/reference/compound_stmts.html#function-definitions

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
a825b28b by Pavel Březina at 2023-04-11T10:06:35+02:00
passkey: fix copyrights and comments in krb plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
576a1c19 by Madhuri Upadhye at 2023-04-11T10:07:00+02:00
Tests: Automation of bug, bz2100789, which test id_provider parameter from domain section

Add automation of bug which check id_provider parameter from domain section. Contains following two test cases:
1. Test when domain section does not have id_provider
2. Test when id_provider's value is invalid

verify:
#https://bugzilla.redhat.com/show_bug.cgi?id=2100789
#https://github.com/SSSD/sssd/pull/6550

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
bc5de686 by Jakub Vavra at 2023-04-13T12:25:27+02:00
Tests: Add a timeout to realm join for AD, modify realm leave.

The realm join gets stuck on other architectures particularly on s390x. This makes it fail and suite can continue running instead of waiting for timeout for the whole suite.

Handle the edge case when realm leave fails for the machine and removal from AD is also not done resulting in the following tests unable to join as the machine is already present on AD.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e794bfde by Pavel Březina at 2023-04-14T12:11:40+02:00
ci: prepend pr copr build with high version number

Currently, it is not possible to simply install the copr pull request package because number is considered to be higher than a string version, therefore 2.8.0 > pr6286 and dnf considers it a potential installation to be a downgrade which may cause conflicts. Prepending 9 makes sure that the pull request copr build always wins.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
526aea3e by Tomas Halman at 2023-04-14T12:12:15+02:00
util: Improve re_expression defaults

The original defaults of re_expressions did not use "^" so they may skip/ignore some leading character (@ and \). The new defaults use ^ and $ to be sure that all characters are used.

Resolves: https://github.com/SSSD/sssd/issues/6635

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b78b508b by Tomas Halman at 2023-04-14T12:12:15+02:00
responder: regexp cleanup

Update ifp and ssh responders to use regular expression defined centrally.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
255c01a1 by Jakub Vavra at 2023-04-17T09:10:41+02:00
Tests: Fix error in cifs tests.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
c3a0b5f0 by Pavel Březina at 2023-04-17T11:57:59+02:00
tests: split system test framework into standalone repository

This change allows other projects to use the framework as well.
https://github.com/SSSD/sssd-test-framework

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
08711256 by aborah at 2023-04-19T15:27:05+02:00
Tests: Add missing package

strace was missing from installed packages

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
821455c7 by Sargun Narula at 2023-04-19T15:34:45+02:00
Tests: Ported cache_performance testing cases to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6d659e29 by Sargun Narula at 2023-04-19T15:34:45+02:00
Fixed docstring minor changes

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
54aabca0 by Alejandro López at 2023-04-19T15:35:35+02:00
UTIL: Introducing SPRItime

SPRItime can be used to printf() time_t values.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3463caa8 by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Remove several Y2K38_SAFETY warnings

Most of them are external functions that receive a 32-bit integer but SSSD provides a time_t value. For that we created the sss_tevent_timeval_current_ofs_time_t(time_t t) wrapper function that handles the conversion.

In another case, it was an internal function, so the function was adapted to accept a time_t value.

Another case is a real problem caused by Kerberos storing times in the 32-bit signed krb5_timestamp, but time() returning a 64-bit value. It seems Kerberos is planning on making unsigned this signed value. So the recommended and adopted solution is to use the 32 lower bits.

Also the DEBUG() trace was corrected to use the right size.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b65d7be by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Resolve a WRITE_CONST_FIELD warning

We are initializing the structure, so it is not a problem that we write to const fields.
In addition, using talloc_memdup() is better and avoids the warning.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c3d6cc9a by Alejandro López at 2023-04-19T15:40:10+02:00
AD: Do not use the shortcut when filter_groups is set.

When using 'id <user>', a shortcut avoids creating the proper group object but, instead, one where the SID is the group name is created. This prevents a proper filtering of groups which requires the actual group name.

Not using the shortcut will retrieve the group names and the filtering will work.

Resolves: https://github.com/SSSD/sssd/issues/6617

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ebc1e460 by Sumit Bose at 2023-04-19T15:42:03+02:00
krb5: add joined/parent domain to [domain_realm]

So far only discovered sub-domains were added to the [domain_realm] section of one of the krb5 config snippets SSSD is generating. To fix recent issues which were caused by missing entries of the joined domain this domain is now added as well.

Resolves: https://github.com/SSSD/sssd/issues/6600

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
dae5367b by Iker Pedrosa at 2023-04-19T15:44:18+02:00
test: cast to `char *` assert_string_equal() args

CI build is reporting the following error several times:
```
error: pointer targets in passing argument 2 of '_assert_string_equal' differ in signedness [-Werror=pointer-sign]
```
Casting the arguments of assert_string_equal() to `char *` fixes the issue.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
325fc8e1 by Jakub Vavra at 2023-04-24T11:12:51+02:00
Tests: Improve stability of tests in TestADParamsPorted, remove un-needed backups.
There are some tests that are flaky in the suite, adding pytest.flaky and moving them to tier2. Made sure that flaky tests are only in one tier instead of failing in two suites. Removed backup and restore of sssd.conf as it is done by adjoin now.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
def571ba by Sumit Bose at 2023-04-24T11:13:37+02:00
krb5: make sure realm is known when writing domain_realms

To make sure that no broken krb5.conf snippet is created it is checked if the realm member is defined in the sss_domain_info struct before writing it to the output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
a41810bd by Iker Pedrosa at 2023-04-24T11:14:25+02:00
CI: store CodeQL configuration artifacts

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
eb494154 by aborah at 2023-04-24T11:15:10+02:00
Tests: Add support for ldapi:// URLs

bz: https://bugzilla.redhat.com/show_bug.cgi?id=2152177

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
30e0b472 by Jakub Vavra at 2023-04-24T11:25:01+02:00
Tests: Add tests for BZ1765354

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1765354
Verifies: #5080

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
9f2d8d69 by minfrin at 2023-04-24T13:12:31+02:00
Add support for ldapi:// URLs.

Make sssd aware of unix domain sockets, allowing connections to local LDAP servers. Make use of struct sockaddr and socklen_t consistent across the code.
:feature: Add support for ldapi:// URLs to allow connections to local LDAP servers

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f2213418 by minfrin at 2023-04-24T13:12:31+02:00
Align sockaddr_storage to sockaddr for updated API.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
91b70123 by minfrin at 2023-04-24T13:12:31+02:00
Ensure we touch sockaddr_len in the success case only.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
4ccd5b9a by minfrin at 2023-04-24T13:12:31+02:00
Do not set SO_KEEPALIVE on AF_UNIX.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2d54cf5e by minfrin at 2023-04-24T13:12:31+02:00
Rename sdap_get_server_ip_str() to sdap_get_server_peer_str()

Add support for printing AF_UNIX paths.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
e004595a by minfrin at 2023-04-24T13:12:31+02:00
Don't force TLS on if we're a unix domain socket.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
559f29ff by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: load fixtures from sssd-test-framework

This makes fixtures from sssd-test-framework available in our tests.
See tests.sssd.io to list the fixtures:
https://tests.sssd.io/en/latest/api/sssd_test_framework.fixtures.html

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
52c3d6c2 by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: create data directory in system tests

The directory hierarchy is as follows:

* `data/`
  * files shared for all test modules
  * `test_module/` (directory for `test_module.py`)
    * files shared for all tests within the module `test_module.py`
    * `test_module__xyz/` (directory for single test from the module)
      * files relevant only for the test `test_module__xyz`

It can be accessed via datadir, moduledatadir and testdatadir fixtures.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
9358a74d by Sumit Bose at 2023-04-26T10:32:25+02:00
ad: skip filtering if ad_enabled_domains is set

The domain filtering based on LDAP attributes might be too strict in forests which have a long and complex history where not all attributes might be updated to reflect the current state, e.g. membership to the local forest. To skip the filtering the ad_enabled_domains attribute can be set to the list of expected domains.

Resolves: https://github.com/SSSD/sssd/issues/6626

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
1bf47514 by Sumit Bose at 2023-04-26T10:32:25+02:00
tests: fix typo in ldapi test

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
ddec8ae2 by Alexey Tikhonov at 2023-04-27T06:52:51+02:00
SPEC: obsolete libsss_simpleifp

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
9329c09d by Jakub Vavra at 2023-04-27T06:53:10+02:00
Tests: Fix pytest markers to remove warnings.
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
04cc2f73 by Jakub Vavra at 2023-04-27T12:09:37+02:00
Tests: Install libsss_simpleifp conditionally based on release.

Package libsss_simpleifp is removed from fedora and a future major version of RHEL, install it only on RHEL/Centos 7,8,9. See https://github.com/SSSD/sssd/pull/6701.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
d735fb1e by Jakub Vavra at 2023-04-27T12:15:22+02:00
Tests: Ignore chattr result on resolv.conf

The resolv.conf can be a symlink (because of systemd/resolved) so chattr will not work on it. We ignore the result so error is not produced on fedora where systemd/resolved is in play.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
ed2510d9 by Jakub Vavra at 2023-04-28T11:00:41+02:00
Tests: Add test for bz1913839 gid of filtered group gid still present in id

Verifies Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1913839

Group id of a group that should have been filtered is visible in the id command output. Fixed test numbering, removed un-needed backups, moved log collection to later part of code to make the test_0016 more reliable.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
265f6e02 by Shridhar Gadekar at 2023-04-28T11:03:00+02:00
Tests: sss allows extraneous @ characters prefixed to username

corrected typo

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2180981
Verifies:

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
c200fc01 by Madhuri Upadhye at 2023-05-03T18:53:27+02:00
Test: Test nested group in view based search

Automation of BZ2151403

Test nested group entry in cn=views,cn=accounts,$BASEDN with id command from client.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
f97cd4d4 by Iker Pedrosa at 2023-05-03T18:53:46+02:00
passkey: don't print User ID

The User ID isn't part of any signed data, thus there isn't any indication that it's related to the token. Moreover, the effort to store it securely on the LDAP attribute is quite big. Taking that into account the passkey child doesn't print it and this way we avoid storing it in the LDAP server.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9724f871 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: only accept the client realm as relying party ID

FreeIPA expects the relying party ID for the FIDO2 exchange to be the same as the realm. If a rogue KDC attempted to inject another relying party ID, reject it.

We use the server principal as opposed to the client one to allow use of enterprise principals. The server principal in AS-REQ would be krbtgt/REALM at REALM for the realm of the client.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d0a6bf60 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: implement realm check for the passkey challenge

A rogue KDC might respond to us with a passkey challenge that references a domain not associated with the realm we serve. In order to check that, convert the DNS domain from the challenge to the realm using the hostrealm interface provided by the krb5 library. For a referral realm fall back to the explicit challenge domain check.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9bf55bf9 by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: disable 'user' config option in case --with-sssd-user=root

In case SSSD was configured and built --with-sssd-user=root, no other value of 'user' config option (besides default 'root') is supported. Having it documented in the man page in this case only brings confusion.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
8b94af6e by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: validate value of 'user' option.

Only 'root' and SSSD_USER are valid values.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
d4866940 by Luke Dickinson at 2023-05-04T10:39:33+02:00
Remove the need for a keytab when using fast with anonymous pkinit

Anonymous pkinit does rely on a keytab for authentication. Removed unnecessary call to copy keytab into memory.
Resolves: https://github.com/SSSD/sssd/issues/6531

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ede8c139 by Weblate at 2023-05-04T11:11:59+02:00
po: update translations (Turkish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations (Korean) currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Czech) currently translated at 99.4% (702 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations (Czech) currently translated at 99.1% (700 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations (French) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations (Korean) currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Chinese (Simplified) (zh_CN)) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations (Japanese) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations (French) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations (Japanese) currently translated at 94.0% (664 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations (Finnish) currently translated at 10.0% (71 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Georgian) currently translated at 7.9% (56 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations (Polish) currently translated at 4.9% (132 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations (Korean) currently translated at 64.1% (1673 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Finnish) currently translated at 9.9% (70 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Swedish) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations (Swedish) currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations (Swedish) currently translated at 98.1% (2672 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations (Swedish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations (Finnish) currently translated at 9.6% (68 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Korean) currently translated at 64.1% (1671 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Finnish) currently translated at 8.9% (63 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Korean) currently translated at 63.7% (1661 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Finnish) currently translated at 7.3% (52 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Polish) currently translated at 4.9% (131 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations (Georgian) currently translated at 7.7% (55 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations (Finnish) currently translated at 7.2% (51 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Russian) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations (Russian) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations (Ukrainian) currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations (Russian) currently translated at 97.3% (687 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations (Korean) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations (Ukrainian) currently translated at 99.1% (2700 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations (Ukrainian) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations (Korean) currently translated at 97.1% (686 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations (Ukrainian) currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations (Ukrainian) currently translated at 96.4% (681 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations (Polish) currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations (Korean) currently translated at 63.6% (1659 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/
- - - - -
619ecbbc by Iker Pedrosa at 2023-05-04T13:35:09+02:00
test: add conditional build for passkey functions

`make distcheck` is failing because two passkey functions are defined but never used. Add conditional build for them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
e91b5d4a by Pavel Březina at 2023-05-05T10:07:26+02:00
man: put sssd_user_name.include to builddir

Putting it to the source directory makes "make distcheck" fail when run directly from source directory instead of different build dir. It produces this error message:
```
/bin/sh: line 1: ../../../../src/man//sssd_user_name.include: Permission denied
```
Because the source directory copied by distcheck is not writable.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
6c184c47 by Pavel Březina at 2023-05-05T10:11:07+02:00
pot: update pot files

- - - - -
e1195619 by Timo Aaltonen at 2023-06-06T21:18:34+03:00
Merge tag '2.8.2' into m

2.8.2

- - - - -
8706941f by Timo Aaltonen at 2023-06-06T21:18:38+03:00
Merge branch 'master' into m

- - - - -
4cfe8a54 by Timo Aaltonen at 2023-06-06T21:19:23+03:00
version bump

- - - - -
4eac205f by Timo Aaltonen at 2023-06-06T21:20:44+03:00
patches: Drop an upstreamed patch.

- - - - -
a2a6933b by Timo Aaltonen at 2023-06-06T22:03:11+03:00
Drop deprecated simple-ifp library and files provider.

- - - - -
ff5ca0bb by Timo Aaltonen at 2023-06-07T14:43:19+03:00
control, rules: Add sssd-passkey, and libfido2-dev to build-depends.
- - - - -

22 changed files:

- .github/workflows/analyze-target.yml
- .github/workflows/ci.yml
- .github/workflows/copr_build.yml
- .github/workflows/static-code-analysis.yml
- .gitignore
- Makefile.am
- configure.ac
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/sssd.supp
- contrib/fedora/bashrc_sssd
- contrib/sssd.spec.in
- debian/changelog
- debian/control
- − debian/libsss-simpleifp-dev.install
- − debian/libsss-simpleifp0.install
- − debian/patches/0004-Makefile-Install-dbus-policy-in-usr-not-etc.patch
- debian/patches/series
- debian/rules
- debian/sssd-common.install
- + debian/sssd-passkey.install
- po/bg.po

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/0bc80bdb887aa850b98f2b356cecf5fcc07a87d4...ff5ca0bb7153fc824e5ec649252137b1faa0a043

-- 
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/0bc80bdb887aa850b98f2b356cecf5fcc07a87d4...ff5ca0bb7153fc824e5ec649252137b1faa0a043
You're receiving this email because of your account on salsa.debian.org.

From gitlab at salsa.debian.org Wed Jun 7 12:44:23 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Wed, 07 Jun 2023 11:44:23 +0000
Subject: [Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 300 commits: Update version in version.m4 to track the next release
Message-ID: <64806d97e6528_136f88472842418d5@godard.mail>

Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd

Commits:
6a2de710 by Pavel Březina at 2022-10-07T12:58:06+02:00
Update version in version.m4 to track the next release

- - - - -
7a1976c9 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: register key with helper process

Create a helper process to handle the FIDO2 key registration.
In order to do that the helper process will parse the command line arguments, list the connected devices, select the first one in the list, prepare the user credentials, generate the key credentials, verify them to ensure that everything has worked correctly and print the credentials.

FIDO U2F fallback has been disabled to force a PIN usage, thus increasing the security as a lost or stolen key would be unusable with it.

Moreover, include the libfido2 dependency in the configuration and the spec file.

Finally, several test cases have been added to the unit tests. Most of them just check the happy path but some error handling is also tested.

:packaging: include libfido2 dependency
:config: New config to build passkey authentication

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5b27a353 by Justin Stephenson at 2022-10-10T13:07:02+02:00
Fido2 child: Add missing options

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9a2548ea by Iker Pedrosa at 2022-10-10T13:07:02+02:00
fido2: make the build conditional

Add a condition to build the FIDO2 support.

Resolves: SSSD#6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f800471e by Iker Pedrosa at 2022-10-10T13:07:02+02:00
sssd.supp: suppress leak errors

The suppression rule for popt malloc needs to be more generic. Moreover, create a new suppression rule for sssd debug initialization when being executed twice: from the production code and from the unit-tests.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8bdcc028 by Iker Pedrosa at 2022-10-10T13:07:02+02:00
passkey: change fido2 to passkey

Passkey is a more general term that the industry is using currently.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ab89455b by Justin Stephenson at 2022-10-12T14:22:14+02:00
CI: Build srpm fix for illegal version tag '-'

error: line 45: Illegal char '-' (0x2d) in: Version: sssd-2-7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
a5403f78 by Alexey Tikhonov at 2022-10-13T21:00:10+02:00
IPA: "trusted user not found" isn't an error

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b38fdc81 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: avoid syslog message when no domains are enabled

This syslog message would also appear when calling other tools like sss_cache which is confusing. We return specific error code instead and let the error be syslogged in the monitor in monitor.c:main (this is already implemented).

Resolves: https://github.com/SSSD/sssd/issues/6387

:fixes: A regression when running sss_cache when no SSSD domain is enabled would produce a syslog critical message was fixed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
4da86136 by Pavel Březina at 2022-10-13T21:00:38+02:00
monitor: read all enabled domains in add_implicit_services

Reading sssd/domains option is no longer sufficient since domains can be enabled through domain/enabled.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
64c22dd1 by Pavel Březina at 2022-10-13T21:00:38+02:00
sss_cache: use ERR_NO_DOMAIN_ENABLED instead of ENOENT

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
df55b1f1 by Pavel Březina at 2022-10-13T21:00:38+02:00
confdb: change debug level when no domains are found in confdb_get_domains

We print the error as fatal error in the monitor to make sure the message is correctly visible. However, the error is not fatal for tools like sss_cache and it should not be printed there by default. Since the tools have default debug level set to SSSDBG_FATAL_FAILURE, it is sufficient to just drop the level to critical.

Resolves: https://github.com/SSSD/sssd/issues/6387

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
a05719fa by Shridhar Gadekar at 2022-10-13T21:01:45+02:00
Tests: Porting the AD-Access-control test-suite to pytest

Minor docstring modifications.
Adding detailed expectedresults instead of 'should succeed' in docstrings of testcases

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
6c0ae779 by aborah-sudo at 2022-10-20T11:04:07+02:00
Tests: port proxy_provider/rfc2307

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307

Reviewed-by: Steeve Goveas <sgoveas at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8a2fd06b by Alexey Tikhonov at 2022-11-01T17:15:46+01:00
CFG RULES: allow 'fallback_to_nss' option

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
71466a8d by Alexey Tikhonov at 2022-11-01T17:19:07+01:00
SYSDB: pre-existence of MPG group in the cache isn't an error

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
103a4888 by Pavel Březina at 2022-11-01T17:19:35+01:00
autofs: do not yield warning on default configuration

This warning has been there for a long time now (since 1.14, 7 years, see 999d6066c7a96f102b692d31435d76114478e874) and it was intended to be removed eventually.

:relnote: SSSD will no longer warn about changed defaults when using `ldap_schema = rfc2307` and default autofs mapping. This warning was introduced in 1.14 to loudly warn about different default values.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
6d87af5e by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Add passkey exec command

Simple wrapper which calls the passkey_child process, planned to be used with passkey_child --register and also for troubleshooting.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ee0d73a2 by Justin Stephenson at 2022-11-01T17:19:56+01:00
SSSCTL: Use wrapper function for analyze

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
62458d49 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: enable ci for sssd-2-8 branch

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
c526acba by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/checkout at v3

checkout at v3 runs on node16 so it will remove deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
770bf7bf by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: use GITHUB_OUTPUT instead of set-output

https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
b2d193b9 by Pavel Březina at 2022-11-01T17:37:18+01:00
ci: switch to actions/upload-artifact at v3

upload-artifact at v3 runs on node16 so it will remove deprecation warning:
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
2070000a by Alejandro López at 2022-11-02T15:58:35+01:00
CACHE_REQ: Do not use timestamp optimization on "files" provider.

Avoid requesting only the latest updates when using the "files" provider as it only updates the cache if /etc/files or /etc/group is touched.

Added a test for this situation.
Resolves: https://github.com/SSSD/sssd/issues/6398

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
4c678cbb by Justin Stephenson at 2022-11-03T11:08:21+01:00
Analyzer: Optimize list verbose output

Modify the analyzer to parse the responder log file in one pass. This avoids repeated parsing of a single log file. This operation will now store log lines in a dictionary on a single pass then format and print the output accordingly.

Does not affect 'list' or 'show' output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
214540e7 by Alejandro López at 2022-11-03T11:15:35+01:00
Cache: String has to be duplicated instead of copied

input->name.attr has to be duplicated when not NULL. Just copying the pointer is not a good thing.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
719c9253 by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Initialize domain with NULL

Variable domain is compared to NULL before checking sss_parse_inp_recv()'s return value. Let's initialize it to NULL.

Warning: sss_parse_inp_recv() modifies domain's value when returning EOK or ERR_DOMAIN_NOT_FOUND. The situation is not perfect but is better than before.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
8f7c35ea by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Do not return duplicated values.

For each domain, a multi-domain search is done and all the results for each domain are returned each time. This produces several copies of the same results.

Function cache_req_input_parsed() decides whether to launch a multi- or single-domain search based on the domain the user requested.
If the user didn't request a domain (such as in a call to ListByName()), a multi-domain search is launched, even if we are only looking for the current domain. In that case a single-domain search is enough.

Resolves: https://github.com/SSSD/sssd/issues/6360

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
a9796282 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: Correct ListByAttr()'s test

Now that ListByName() and ListByAttr() are fixed, the test needs to be corrected as it was explicitly avoiding that case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
569dca5f by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Consider the domain when looking names in the cache

Using a fully-qualified name based on the expression the user provided, when looking for names in the cache.

Resolves: https://github.com/SSSD/sssd/issues/6361

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
09895561 by Alejandro López at 2022-11-03T11:15:35+01:00
TESTS: New test for D-Bus' ListByName()

Added a test for the D-Bus function ListByName().

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
c3453e4e by Alejandro López at 2022-11-03T11:15:35+01:00
CACHE_REQ: Use a const struct in cache_req_data_create()

The structure data is not modified in the function. The const modifier can be used.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - ba5439c0 by Weblate at 2022-11-04T11:27:44+01:00 po: update translations (Korean) currently translated at 51.0% (1331 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 50.6% (1320 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ po: update translations (Korean) currently translated at 49.9% (1302 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Polish) currently translated at 4.7% (126 of 2658 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/ po: update translations (Polish) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ po: update translations (Polish) currently translated at 1.4% (39 of 2658 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/ po: update translations (Korean) currently translated at 49.2% (1283 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ po: update translations (Ukrainian) 
currently translated at 100.0% (2686 of 2686 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/ po: update translations (Russian) currently translated at 100.0% (2686 of 2686 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/ po: update translations (Ukrainian) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ po: update translations (Russian) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/ po: update translations (Ukrainian) currently translated at 99.3% (659 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ po: update translations (Polish) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ Update translation files Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. 
Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ po: update translations (Polish) currently translated at 1.4% (38 of 2662 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/ po: update translations (Korean) currently translated at 46.5% (1215 of 2609 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ - - - - - 92347d98 by Shridhar Gadekar at 2022-11-04T11:28:28+01:00 Tests: GSSAPI ssh login failing due to a missing directive Adding the missing pxssh module import Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - a22af6f0 by Pavel B?ezina at 2022-11-04T11:35:03+01:00 pot: update translations - - - - - 955192b1 by Shridhar Gadekar at 2022-11-09T10:00:48+01:00 Tests: gssapi ssh login minor fix Trivial fix, the kinit command was missing '@' after usename. It was causing obvious failure to fetch krb ticket. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - dab19a4d by aborah-sudo at 2022-11-09T20:25:30+01:00 Tests: Removing tests from gating pipe line test_bz1368467 --- this one looks more perfomance than gatting test_avoid_interlocking_among_threads --- feature not supported Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Steeve Goveas <sgoveas at redhat.com> - - - - - 60772306 by Shridhar Gadekar at 2022-11-09T20:25:50+01:00 Tests: Use negative cache better for lookup by SIDs Minor change, adding import of re module Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Tom?? 
Halman <thalman at redhat.com> - - - - - 7c907a7c by aborah-sudo at 2022-11-10T14:04:18+05:30 Tests: Removing tests from gating pipe line test_bz1368467 --- this one looks more perfomance than gatting - - - - - 419b9b8f by Dan Lavu at 2022-11-10T09:22:52-05:00 Adding Ported DynDNS Testcases This is merged branch of two following PRs, 6363 and 6344 which are now closed. 6344 Add the tests but are unreliable. 6363 contains the following changes, rewriting the suite. * change_hostname fixture would revert back to the hostname in /etc/hostname, updated fixture * disabled DNS recursion, lookups were being forwarded to authoritative servers resulting in false passing tests * removed ipv6 address about part of the del_record, would result in passing but the wrong thing be searched * created a DNSAD object to search for records directly on the DNS server, stabling results and skipping any cache * cleaned up the functions and code for readability Signed-off-by: Dan Lavu <dlavu at redhat.com> - - - - - f24b6daa by Iker Pedrosa at 2022-11-11T10:30:19+01:00 passkey: replace erroneous description Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Scott Poore <spoore at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 28124cfb by Iker Pedrosa at 2022-11-11T10:30:19+01:00 passkey: print PEM formatted public key When registering a key print the public key in PEM format. 
Resolves: https://github.com/SSSD/sssd/issues/6228 Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Scott Poore <spoore at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 3e02de93 by Alexey Tikhonov at 2022-11-15T10:42:28+01:00 UTILS: socket connect: added missing new line and adjusted log level to more appropriate Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - a21c6662 by Jakub Vavra at 2022-11-15T10:43:20+01:00 Tests: Add a test for bz1964121 override homedir to lowercase Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1964121 Verifies: #6210 Reviewed-by: Alejandro L?pez <allopez at redhat.com> Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - 25eae1c0 by Alexey Tikhonov at 2022-11-18T14:47:12+01:00 SYSDB: use `sss_strerror()` to handle `ERR_GID_DUPLICATED` Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 93ed5e58 by Alexey Tikhonov at 2022-11-18T14:48:39+01:00 UTILS: got rid of deprecated `inet_netof()` to please 'rpminspect'. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 6ef3aade by Alexey Tikhonov at 2022-11-18T15:48:22+01:00 TOOLS: don't export internal helpers Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 7af46ba0 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00 TOOLS: fixed handling of init error Before execution of `tool_cmd_init()` `init_err` wasn't set, so `sss_tools_handles_init_error()` check was a no-op. Consequently, a proper check after `tool_cmd_init()` was missing. 
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 99791400 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00 SSSCTL: don't require 'root' for "analyze" cmd :relnote: `sssctl analyze` tool doesn't require anymore to be run under root. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - d4d9aa65 by Alexey Tikhonov at 2022-11-18T15:48:22+01:00 SSSCTL: don't require 'root' for "passkey-exec" cmd :relnote: `sssctl passkey-exec` tool doesn't require anymore to be run under root. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - a7759ab3 by Jakub Vavra at 2022-11-18T15:59:52+01:00 Tests: Add the missing admisc pytest marker. Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - bce2b0c8 by Jakub Vavra at 2022-11-18T15:59:52+01:00 Tests: Wait a bit before collection log in test_0015_ad_parameters_ad_hostname_machine. This test is unstable on other architectures (ppc64le, aarch64) and it seems that adding a 15s wait before collecting the log gives it enough time to wtrite it properly. Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - d7e7efe9 by Jakub Vavra at 2022-11-18T15:59:52+01:00 Tests: Fix E126 in test_adparameters_ported.py Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - 36e5479b by Alejandro L?pez at 2022-11-18T16:00:24+01:00 BUILD: Fix some warnings thrown while building Some of them are not actually needed (false positives) but this helps to have a clean build and identify real warnings. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Tom?? 
Halman <thalman at redhat.com> - - - - - 285f1703 by aborah-sudo at 2022-11-18T16:00:45+01:00 Tests: fix test_bz1368467 This test was failing due to login error. Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - bfa8d50c by Justin Stephenson at 2022-11-18T16:01:58+01:00 Analyzer: Ensure parsed id contains digit In analyzer list verbose output, we parse the last field of cache_req_search_send() lines. Certain log messages need to be filtered out by ensuring the parsed field is a digit, such as the last line below. [cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test [cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at testrealm.test [cache_req_search_send] (0x0400): [CID#1] CR #1: Looking up GID:1031401119 at domain-zflo.com [cache_req_search_send] (0x0400): [CID#1] CR #1: Returning [GID:1031401119 at domain-zflo.com] from cache Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 790e7a77 by Steeve Goveas at 2022-11-18T18:08:51+01:00 Tests: Cannot SSH with AD user to ipa-client with invalid keytab `krb5_validate` and `pac_check` settings conflict. Setting krb5_validate to false skips the pac_check enabling the login Verifies: #6355 https://bugzilla.redhat.com/show_bug.cgi?id=2127822 https://bugzilla.redhat.com/show_bug.cgi?id=2128902 Reviewed-by: Anuj Borah <aborah at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 14748ff9 by Jakub Vavra at 2022-11-22T18:36:33+01:00 Tests: Update fixture using adcli to handle password from stdin. Adcli changed handling password dialog for bz2124030 so the automation needs to be updated to work properly. 
Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 2f99cd31 by Justin Stephenson at 2022-11-22T18:37:17+01:00 SSSCTL: Add debug option to help message Reviewed-by: Alejandro L?pez <allopez at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - ab6910ae by Iker Pedrosa at 2022-11-22T18:37:41+01:00 passkey: verify assertion Include the assertion verification in the passkey helper process. For that purpose, prepare the assertion request data, select the device to use, get the device options and compare them with the organization policy, decode the public key, request the assert and verify it. Resolves: https://github.com/SSSD/sssd/issues/6228 Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 2b0a8f27 by Iker Pedrosa at 2022-11-22T18:37:41+01:00 passkey: public key in PEM format It helps us obtain the cryptographic algorithm used to generate the key. Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 6b0d175f by Iker Pedrosa at 2022-11-22T18:37:41+01:00 passkey: input PIN via stdin For the registration process add a new "quiet" option to suppress the prompts and read the PIN from stdin. For the authentication process always read the PIN from stdin. Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - f5c0e7b3 by Pavel B?ezina at 2022-11-25T13:25:11+01:00 ci: make /dev/shm writable We build SSSD in /dev/shm which is mounted on read-only file system on new podman version. We need to mount it as tmpfs to make it writable. 
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - ae614c17 by Pavel B?ezina at 2022-11-25T13:25:11+01:00 ci: install correct python development package The package name has changed on new Ubuntu. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - 336b1fac by Iker Pedrosa at 2022-11-25T13:25:39+01:00 ci: fix codeql libsemanage1-dev renamed to libsemanage-dev in debian and its derivatives. Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 4a6eb258 by Justin Stephenson at 2022-11-25T13:26:05+01:00 CI: Update core github actions Update dependent actions to address: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/ Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - fc3fad98 by Jakub Vavra at 2022-11-28T06:32:58+01:00 Tests: Fix automount OU removal from AD. Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - 340691fa by Cole Robinson at 2022-11-30T16:48:06+01:00 MAN: Fix option typo on sssd-kcm.8 The option is called krb5_renewable_lifetime, not krb5_renew_lifetime Signed-off-by: Cole Robinson <crobinso at redhat.com> Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 91789449 by Sumit Bose at 2022-11-30T16:50:53+01:00 PAC: allow to disable UPN check Currently it was not possible to skip the UPN check which checks if the UPN in the PAC and the one stored in SSSD's cache are different. Additionally the related debug message will show both principals if they differ. Resolves: https://github.com/SSSD/sssd/issues/6451 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Tom?? 
Halman <thalman at redhat.com> - - - - - b3d7a4f6 by Sumit Bose at 2022-11-30T16:50:53+01:00 ipa: do not add guessed principal to the cache Currently on IPA clients a calculated principal based on the user name and the Kerberos realm is added to the cached user object. This code is quite old and might have been necessary at times when sub-domain support was added to SSSD. But since quite some time SSSD is capable of generating the principal on the fly during authentication if nothing is stored in the cache. Removing the code makes the cache more consistent with other use-cases, e.g. with the IPA server where this attribute is empty, and allows to properly detect a missing UPN, e.g. during the PAC validation. Resolves: https://github.com/SSSD/sssd/issues/6451 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 51b11db8 by Sumit Bose at 2022-11-30T16:50:53+01:00 pac: relax default check To avoid issues with the UPN check during PAC validation when 'ldap_user_principal' is set to a not existing attribute to skip reading user principals a new 'pac_check' option, 'check_upn_allow_missing' is added to the default options. With this option only a log message is shown but the check will not fail. Resolves: https://github.com/SSSD/sssd/issues/6451 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Tom?? 
Halman <thalman at redhat.com> - - - - - ad0a8c6a by aborah-sudo at 2022-11-30T16:53:31+01:00 Tests: fix test_sssctl_local.py::Testsssctl::test_0002_bz1599207 test_sssctl_local.py::Testsssctl::test_0002_bz1599207 is affcted by disable "implicit files provider" Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> - - - - - e4dd11f2 by Alexey Tikhonov at 2022-12-02T15:20:40+01:00 SYSDB: pre-existence of MPG group in the cache isn't an error Addition to 71466a8dbdb1d755ace15680cc2b4b11b68a0573 Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 3f8bc872 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add support for serial number Read the serial number of the certificate and make it available. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 10d977a3 by Sumit Bose at 2022-12-02T15:24:14+01:00 certamp: add support for subject key id Read the subject key id from the certificate and make it available. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 9e1b711b by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add support for SID extension Check if the SID extension is available, read the SID and make it available. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - f293507d by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: fix for SAN URI The URI was not added to the list of subject alternative names. 
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - c4085c9a by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add bin_to_hex() helper function This patch adds a helper function to format hexadecimal strings of binary data. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 11483f1e by Sumit Bose at 2022-12-02T15:24:14+01:00 sssctl: add cert-eval-rule sub-command The new 'cert-eval-rule' sub-command of sssctl show the results of given matching and mapping rules on a given certificate. This should help to find suitable mapping and matching rules and to understand why given certificate is matched or not. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 3676a4fb by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add get_digest_list() and get_hash() Add support to calculate hash/digest values of binary data, e.g. of a certificate. Resolves: https://github.com/SSSD/sssd/issues/6404 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 0a906107 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: dump new attributes in sss_cert_dump_content() Add the newly discovered certificate values, i.e. serial number, subject key id and SID to the output of sss_cert_dump_content() which is used e.g. by 'sssctl cert-show'. 
Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 1303c624 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add LDAPU1 mapping rules Add mapping rule templates for the new discovered attributes, templates for certificate hashes and templates to select individual DN components. To avoid issues with older versions of the library the new templates must use the prefix LDAPU1. :feature: New mapping template for serial number, subject key id, SID, certificate hashes and DN components are added to libsss_certmap. Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 4ac53fb5 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add tests for new attributes and LDAPU1 rules Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 882f560e by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: add LDAPU1 rules to man page This patch adds the new LDAPU1 mapping rule templates to the sss-certmap man page. 
Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - b0bdf712 by Sumit Bose at 2022-12-02T15:24:14+01:00 certmap: Add documentation for some internal functions Resolves: https://github.com/SSSD/sssd/issues/6403 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 80690213 by Weblate at 2022-12-02T18:27:01+01:00 po: update translations (Korean) currently translated at 63.5% (1657 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 62.6% (1633 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 62.0% (1618 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Korean) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/ po: update translations (Korean) currently translated at 62.0% (1618 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ po: update translations (Georgian) currently translated at 7.8% (52 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/ Update translation files Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. 
Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ po: update translations (Korean) currently translated at 61.8% (1612 of 2607 strings) Translation: SSSD/sssd-manpage Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/ - - - - - 664a436e by Shridhar Gadekar at 2022-12-05T10:18:39+01:00 Test: gssapi test fix minor flake8 fixes Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - 8b09c938 by Alexey Tikhonov at 2022-12-05T11:22:12+01:00 Translations: add missing `tools/sssctl/sssctl_cert.c` and macros Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 714ababe by Alexey Tikhonov at 2022-12-06T16:08:00+01:00 BUILD: deprecate `--enable-files-domain` build option :relnote:`--enable-files-domain` configure option is deprecated and will be removed in one of the next versions of SSSD. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 2fda8e7b by Tomas Halman at 2022-12-06T16:08:47+01:00 RESOLV: Configuration option for DNS search DNS search may increase the time of name resolution significantly. Particularly when SSSD is misconfigured or the DNS server is unreachable. With this patch SSSD can avoid DNS search and the list of domains from resolv.conf is ignored. To avoid DNS search in kerberos library SSSD appends the dot to the server names before they are written into KDC info file. :relnote: SSSD can be configured not to perform a DNS search during DNS name resolution. This behavior is governed by the new dns_resolver_use_search_list. This parameter can be used in the domain section. Default value is true - that means that SSSD follows the system settings. 
Resolves: https://github.com/SSSD/sssd/issues/5390 Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - aac303e8 by Sumit Bose at 2022-12-09T13:22:09+01:00 p11: fix size of argument array Currently 19 options can be set for p11_child and the a NULL at the end the array must have 20 elements. Resolves: https://github.com/SSSD/sssd/issues/6479 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 34d55884 by Alejandro L?pez at 2022-12-09T13:22:39+01:00 BACKEND: Reload resolv.conf after initialization Once the backend initialization is finished, in particular after D-Bus is initialized, reload the resolv.conf file to retrieve any change signaled through D-Bus before its initialization. Resolves: https://github.com/SSSD/sssd/issues/6383 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 81eb0606 by Madhuri Upadhye at 2022-12-09T13:23:51+01:00 Tests: Minor fixes for alltests Enable files domain. 
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Anuj Borah <aborah at redhat.com> - - - - - 4a658e6c by aborah-sudo at 2022-12-09T13:24:19+01:00 Tests: port proxy_provider/rfc2307bis https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.6/client/proxy_provider/rfc2307bis Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 7c5dd878 by Weblate at 2022-12-09T13:25:51+01:00 po: update translations (Chinese (Simplified) (zh_CN)) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ po: update translations (Japanese) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ po: update translations (French) currently translated at 100.0% (663 of 663 strings) Translation: SSSD/sssd Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ - - - - - c6053c43 by Pavel B?ezina at 2022-12-09T13:35:31+01:00 pot: update pot files - - - - - 153b1c91 by Jakub Vavra at 2022-12-15T20:02:03+01:00 Tests: Add mark tier1_4 so pytest is not throwing warnings. Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> - - - - - f43d8c9a by Pavel B?ezina at 2022-12-15T21:13:31+01:00 ci: increase timeout for covscan Covscan task started recently taking more then six hours to finish. Six hours is the default timeout and maximum limit for github-hosted runner but we can increase it for self-hosted runner. 
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> - - - - - 24a53663 by Shridhar Gadekar at 2022-12-15T21:15:21+01:00 Tests: port bash idmap testcase to pytest Adding return messages and backup/restore of sssd Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - 7e8b97c1 by Pavel B?ezina at 2022-12-16T12:10:55+01:00 ldap: update shadow last change in sysdb as well Otherwise pam can use the changed information whe id chaching is enabled, so next authentication that fits into the id timeout (5 seconds by default) will still sees the password as expired. Resolves: https://github.com/SSSD/sssd/issues/6477 Reviewed-by: Sumit Bose <sbose at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - ddd85f95 by Shridhar Gadekar at 2022-12-20T13:15:52+01:00 Tests: change tier of dyndns tests dropping dyndns from gating, till tests are stable Reviewed-by: Anuj Borah <aborah at redhat.com> - - - - - 02bdef7d by MCJ Vasseur at 2022-12-20T17:57:09+01:00 Fix typo (pasword -> password) Reviewed-by: Alejandro Lopez <allopez at redhat.com> Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> - - - - - 2fa80dbd by Shridhar Gadekar at 2022-12-23T14:25:10+05:30 Dropping idmap Test is unstable, moving out of gating for further investigation - - - - - 08784536 by Tomas Halman at 2022-12-23T11:49:18+01:00 cfg_rules.ini update The option kr5_realm was listed twice. The option krb5_kdcinfo_lookahead was missing. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> - - - - - c4ea2851 by Jakub Vavra at 2022-12-23T11:53:12+01:00 Tests: Move some less important scenarios from tier 1 to tier 2. Skip test_0015_ad_parameters_ad_hostname_machine on multiarch as it is unstable there. Move test_0002_improved_use_negative_sid_for_sid_lookup to tier 2 as it is unstable so it does not block gating. 
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
42842c16 by Shridhar Gadekar at 2023-01-05T13:30:47+01:00
TESTS: bz2110091 sssd starting offline after reboot

changing tier. logs and cache are cleared.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
0da99b73 by Alejandro López at 2023-01-05T13:31:34+01:00
SDAP: Fixed header file

The sdap_access.h header file was not including the sdap_id_op.h header
file it depends on. Build worked because sdap_id_op.h happened to be
always included before sdap_access.h.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
11dab864 by Alejandro López at 2023-01-05T13:31:34+01:00
PAM: Localize some forgotten words.

The units (days, hours, minutes) were not localized although they were
used in a localized sentence.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
475052a2 by Alejandro López at 2023-01-05T13:31:34+01:00
LDAP: Moved and renamed set_access_rules()

Function set_access_rules() was renamed to sdap_set_access_rules(), moved
from ldap_init.c to sdap_access.c and made public.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ae74a9d1 by Alejandro López at 2023-01-05T13:31:34+01:00
IPA: Add password expiration warning when using ssh keys

When using IPA as access provider, it now reads the ipa_access_order
parameters from the configuration and, between others, it can process
the pwd_expire_policy_warn.

The accepted values for ipa_access_order are:
- expire (default)
- pwd_expire_policy_reject
- pwd_expire_policy_warn
- pwd_expire_policy_renew

There is no ipa_pwd_policy parameter. Internally it is forced to the only
accepted value: mit-kerberos.

Resolves: https://github.com/SSSD/sssd/issues/5080

:config: ipa_access_order parameter introduced. It behaves much like
ldap_access_order but affecting IPA domains (id_provider = ipa) and
accepting limited values. Please see sssd-ipa(5) for more information.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
be84d6ee by Alejandro López at 2023-01-05T13:31:34+01:00
PAM: Warn that the password has expired when using ssh keys

When using ssh keys and the LDAP_ACCESS_EXPIRE_POLICY_WARN flag, the user
is notified if the password is about to expire, but nothing was said if
the password had already expired. This patch introduces a message when
the password has expired.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ede02a20 by Alejandro López at 2023-01-05T13:31:34+01:00
MAN: Cosmetic changes to sssd-ldap.5

Three values of ldap_access_order are presented as an itemized list.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cfd71fec by Alejandro López at 2023-01-05T13:45:09+01:00
MONITOR: Move the file monitoring code to util.

Everything still works as before, but now the code used in sssd to
monitor resolv.conf is moved to a separate file (util/file_watch.c) and
everything is more loosely coupled. This is in preparation to move the
monitoring to the backends.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
d4e57447 by Alejandro López at 2023-01-05T13:45:09+01:00
TESTS: Add a test for file-watch

New tests using the file watching feature with both inotify and polling.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e1c0af26 by Alejandro López at 2023-01-05T13:45:09+01:00
MAN PAGES: Make try_inotify dependent on HAVE_INOTIFY.

When HAVE_INOTIFY is not defined (inotify not present), the description
of try_inotify in sssd.conf.5 man page will only tell that this is not
used in systems without inotify. If HAVE_INOTIFY is defined, the full
description is provided.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
fadd8eb6 by Alejandro López at 2023-01-05T13:45:09+01:00
BACKEND: Move resolv.conf watching to the backends

Moved from the monitor, which no longer reads the file nor notifies the
backends they must read it. The file is now monitored by the backends
and read immediately after start watching it.

Resolves: https://github.com/SSSD/sssd/issues/6383

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2e3fa180 by Alejandro López at 2023-01-05T13:45:09+01:00
D-BUS: Remove resInit() method from sssd.services

This method was used by the monitor to tell the backends to reload
/etc/resolv.conf when it detected a change in the file. It is no longer
used as the backends now watch resolv.conf by themselves.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c97d9275 by Alejandro López at 2023-01-05T13:45:09+01:00
FILE WATCH: Get rid of parent_ctx

parent_ctx pointed to the memory context to use for the timers. It
pointed to the file_watch_ctx which contained it, so better use the
file_watch_ctx and avoid having an extra field, and having to pass the
memory context as a parameter.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
729c1fc2 by Alejandro López at 2023-01-05T13:45:09+01:00
FILE WATCH: Simplify watching on missing files.

This code is needlessly repeated in fw_watch_file() and missing_file(),
and it's enough to simply call missing_file(). But since now this
function is used even before knowing whether the file exists, it is
better to rename it to set_file_watching().

A side effect of this is that watch_file() (which ends up calling
inotify_add_watch()) returns EOK even when the file is missing, and thus
the callback is invoked once. Considering that the flag IN_CREATE was
always passed to inotify_add_watch(), I think this could have been hidden
by the old code.

Polling for the file creation is no longer used when inotify is used.
But because it is still required when inotify fails to initialize (not
installed) or use_inotify is set to false, this code cannot be removed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
29326450 by Alexey Tikhonov at 2023-01-06T20:15:51+01:00
SBUS: don't call `dbus_server_get_address(NULL)`

Resolves: https://github.com/SSSD/sssd/issues/6465

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
76c7fa46 by aborah at 2023-01-13T08:59:18+01:00
Tests: make corresponding tests capture SSSD logs

To capture sssd logs in IDM-CI in case of sssd test failure.
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
8cda19e2 by Shridhar Gadekar at 2023-01-13T08:59:47+01:00
Tests: bz2128840 automation minor indentation fix

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
2bd0c249 by Sargun Narula at 2023-01-13T09:00:14+01:00
Tests: Ported Bash-krb-access-provider to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a5176f4d by aborah at 2023-01-13T09:00:37+01:00
Tests: SSSD: `sssctl analyze` command shouldn't require 'root' privileges

`sssctl analyze` command shouldn't require 'root' privileges when run
with `--logdir` pointing to otherwise accessible files.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
067c550c by Jakub Vavra at 2023-01-13T09:00:55+01:00
Tests: Test for bz2144491 UPN mismatch

UPN check cannot be disabled explicitly but requires krb5_validate = false
as a work-around

Bugzilla:
- https://bugzilla.redhat.com/show_bug.cgi?id=2148737
- https://bugzilla.redhat.com/show_bug.cgi?id=2144491
- https://bugzilla.redhat.com/show_bug.cgi?id=2148989
- https://bugzilla.redhat.com/show_bug.cgi?id=2148988

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4e600d9b by Alexey Tikhonov at 2023-01-13T18:20:54+01:00
Added a number of missing new lines.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
723872f3 by Iker Pedrosa at 2023-01-14T00:35:01+01:00
CI: remove flake8 action

When a new issue is found, the action is unable to report it properly in
the PR and it fails.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b631c317 by Alexey Tikhonov at 2023-01-16T13:08:48+01:00
MAN: mention `attributes` in 'see also'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
08ccd23f by Alexey Tikhonov at 2023-01-16T13:09:26+01:00
SSS_CLIENT: delete key in lib destructor

pthread_key_delete() disables thread at-exit destructors. Otherwise an
attempt to execute already unloaded `sss_at_thread_exit()` would trigger
segfault.

This doesn't solve an issue with leaking on `dlclose()` FDs initialized
in multiple threads, but better than crash.

Resolves: https://github.com/SSSD/sssd/issues/6505

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
927fa843 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: register discoverable credentials

Apart from server-side credentials passkey should also register
discoverable credentials. Thus, a new argument has been added to select
the credential type. Moreover, the user id is also printed. Example:

passkey:credentialId,pemPublicKey,userId

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62654e25 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: user id for discoverable credentials

If the credential is discoverable, then print the user id.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd02f637 by Iker Pedrosa at 2023-01-17T12:59:38+01:00
passkey: fix uninitialized variable

616 in authenticate()
610         goto done;
611     }
612
613     ret = FIDO_OK;
614
615 done:
>>>     CID 377752:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "pk_data.type" when calling "reset_public_key".
616     reset_public_key(&pk_data);
617     if (dev != NULL) {
618         fido_dev_close(dev);
619     }
620     fido_dev_free(&dev);
621     fido_assert_free(&assert);
622     fido_dev_info_free(&dev_list, dev_list_len);
623
624     return ret;

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7caf2da3 by Dan Lavu at 2023-01-17T11:17:12-05:00
Fixing dyndns tests

The server may not update DNS right away, updated the function to perform
a lookup up to 5 minutes, otherwise the test will have failed.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

- - - - -
4e9c2fdb by Shridhar Gadekar at 2023-01-19T12:09:05+01:00
TESTS: clean up group delete fix

from correct 'ou' group object deletion fix

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
5021d239 by aborah at 2023-01-19T12:09:34+01:00
Tests: Fix minor error in root privilege test

mkdir: cannot create directory ‘/tmp/sssd’: File exists

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
718afc29 by Florence Blanc-Renaud at 2023-01-26T12:54:47+01:00
Passkey: flush stdout

IPA command "ipa user-add-passkey --register" reads the output of
passkey_child line by line in order to re-print the useful messages and
extract the generated passkey. Flush stdout so that ipa gets the messages
without delay.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
501e05f4 by Alexey Tikhonov at 2023-01-26T12:55:06+01:00
BUILD: remove `--enable-files-domain` build option

:relnote:Previously deprecated `--enable-files-domain` configure option
was removed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6b048a6a by Alexey Tikhonov at 2023-01-26T12:55:06+01:00
INTG TESTS: make `get_call_output()` respect `check` arg for Python < 3.7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
708a924a by Jakub Vavra at 2023-02-01T14:20:55+01:00
Tests: Changes to the version handling and fixture create_testdir.

Function package_mgmt was not handling RHEL 9 properly.
service_sssd was doing exactly nothing on RHEL 9.
Fixture create_testdir was needlessly iterating lists via indexes and
duplicating code.
Removed some useless elses after return.
Fixed import order.
Switched to f-strings.
Disabled some pylint warnings.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
32a8b953 by Jakub Vavra at 2023-02-01T14:20:55+01:00
Tests: Optimize winhost properties

QeWinHost class had properties that were repeatedly calling command line
commands. This was slow, inefficient and created mess in the test logs.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
7a68ed1f by aborah at 2023-02-02T11:50:22+01:00
Tests: Fix ipa tests wrong ipa_client_ip

Fix ipa tests wrong ipa_client_ip

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d249154c by Shridhar Gadekar at 2023-02-02T11:53:34+01:00
Test: porting of failing rfc2307bis testcase

change to tier1_4

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
c0b394ab by Pavel Březina at 2023-02-02T12:02:34+01:00
sudo: skip smart refresh if it happens inside full refresh

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc4f0399 by Jakub Vavra at 2023-02-02T14:40:11+01:00
Tests: Fix incorrect distro parsing in qe_class on Fedora.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
13d420ca by aborah at 2023-02-09T07:19:54+01:00
Tests: Fix test test_0017_filesldap

Logs string has changed.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
4138b0a7 by Justin Stephenson at 2023-02-09T13:11:10+01:00
MAN: ldap_group_name enhancement with nested groups

Resolves: https://github.com/SSSD/sssd/issues/6544

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fe67123c by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: Extracted code checking 'inherit_from'

Extracted the code checking that 'inherit_from' is not present in a
domain section from custom_sssd_checks() to its own function named
check_domain_inherit_from().

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1911ad64 by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: Function always returns EOK

The function custom_sssd_checks() ignored the error codes and always
returned EOK. Now it returns the corresponding error code.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
255d9f6e by Alejandro López at 2023-02-09T13:11:34+01:00
CHECK-CONFIG: id_provider is now mandatory

For domains, the presence of 'id_provider' was accepted but no other
check was done. In particular, this option is mandatory and has a limited
set of accepted values. These changes introduce those checks.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f604d033 by Alejandro López at 2023-02-09T13:11:34+01:00
TESTS: Test mandatory id_provider

Adapted the existing tests for the mandatory 'id_provider' and created a
test for the case when 'id_provider' is missing.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f283248f by Alejandro López at 2023-02-09T13:11:34+01:00
CONFIG-CHECK: inherit_from is not a typo

The error message asked the user if introducing `inherit_from` in a
domain was a typo. This is an error but not a typo.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
53c8e8f0 by Dan Lavu at 2023-02-13T12:54:46+01:00
Removing unnecessary restart

unnecessary restart

This allows us to do minimal changes to run existing tests, not as the
root user. Testing the non root feature of SSSD.

Adding an ansible play that creates a stub configuration file in
/etc/sssd/conf.d/ i.e. /etc/sssd/conf.d/nonroot.conf containing

[sssd]
user = sssd

This sssd restart happens before SSSD is configured and when it contains
the stub file, it is an invalid configuration.

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
3dfc82a0 by aborah at 2023-02-13T12:56:17+01:00
Tests: Fix subidranges test

Add removal of maps.sh and unshare.pid

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6ffd46d1 by Alexey Tikhonov at 2023-02-13T12:57:05+01:00
MAN: remove "experimental" notice off LDAP access control based on NDS attributes.

It's there since 37e7e93f1996cf50677cf59fd8af6938dd5d85b2, clearly not
"experimental" anymore.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
aa5c0c9c by Alexey Tikhonov at 2023-02-13T12:57:05+01:00
BUILD: remove long time unused '--enable-all-experimental-features'

It hasn't been used since b2f9e5b7d553172401a340eb4a9c3abda6b5db43

:relnote: Long time unused '--enable-all-experimental-features' configure
option was removed.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0b8638d8 by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
SSS_CLIENT: fix error codes returned by common read/write/check helpers.

It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)` error
condition is detected, regular `POLLIN/POLLOUT` won't be set. Error code
set by error condition should have a priority. This enables users of this
helper to retry attempt (as designed).

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ef93284b by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
SSS_CLIENT: if poll() returns POLLNVAL then socket is already closed (or
wasn't open) so it shouldn't be closed again.

Otherwise there is a risk to close "foreign" socket opened in another
thread.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bf3f73ea by Alexey Tikhonov at 2023-02-13T12:57:27+01:00
PAM_SSS: close(sss_cli_sd) should also be protected with mutex.

Otherwise a thread calling pam_end() can close socket mid pam transaction
in another thread.

Bug only manifested on platforms where "lockfree client" feature wasn't
built.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7fb89ab0 by Sumit Bose at 2023-02-13T12:58:31+01:00
passkey: do not copy more than received

Since buf is not initialized to 0 talloc_strdup() might actually copy
more data than was received.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4e654005 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
PAM: removed outdated comment

Comment wasn't relevant since 5dccf76aff8ac5b4adf000c8b701a7a9fae506c2

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c55bb397 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
Use `is_files_provider()` helper where possible.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
8e75bb61 by Alexey Tikhonov at 2023-02-15T15:41:03+01:00
RESPONDERS: get rid of `NEED_CHECK_PROVIDER` helper

Since implementation of "local" provider was removed, the only provider
that doesn't need to "check provider" is "files provider".

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6ba0187e by Sumit Bose at 2023-02-17T15:01:40+01:00
certmap: fix to handle ediPartyName

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ced32c44 by Sumit Bose at 2023-02-17T15:01:40+01:00
certmap: Handle type change of x400Address

Due to CVE-2023-0286 the type of the x400Address member of the
GENERAL_NAME struct was changed from ASN1_TYPE to ASN1_STRING. The
following patch tries to make sure that the x400Address can be extracted
from the certificate in either case.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
d4f7ed69 by Alexey Tikhonov at 2023-02-17T15:02:26+01:00
MONITOR: fix `socket_activated` flag initialization

When socket activated service connects for the first time, it is added to
`mt_ctx->svc_list` by `socket_activated_service_not_found()` with a
proper `socket_activated = true`. But when it reconnects again,
`get_service_in_the_list()` finds it in `mt_ctx->svc_list` and overwrites
`socket_activated = false` unconditionally.

This patch moves `socket_activated = false` to `start_service()`.
Resolves: https://github.com/SSSD/sssd/issues/6324

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
59d2f945 by Pavel Březina at 2023-02-17T15:03:26+01:00
fix missing new line in sss_iface.c and docstrings.rst

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f44e5864 by Pavel Březina at 2023-02-17T15:04:28+01:00
tests: fix all flake8 issues

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
61f1b893 by Sargun Narula at 2023-02-23T09:20:04+01:00
Tests: Ported Bash-krb-fast-principal to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
66687d8c by aborah at 2023-02-23T09:20:37+01:00
Tests: Port bz785908 and bz785898

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L424
https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L300

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
173d0867 by aborah at 2023-02-23T09:21:04+01:00
Tests: Port Thread issue can cause the application to not get any identity information bz847043

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL9.2/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L774

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
a75557b7 by Shridhar Gadekar at 2023-02-23T09:23:27+01:00
Test: porting bash range_retrieval to pytest

removing unused import

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
bd803bf6 by Pavel Březina at 2023-02-23T15:28:01+01:00
nssidmap: add getsidbyusername and getsidbygroupname

:feature: NSS IDMAP has two new methods: `getsidbyusername` and
`getsidbygroupname`

Resolves: https://github.com/SSSD/sssd/issues/6565

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9f8e7115 by Alexey Tikhonov at 2023-02-28T21:47:32+01:00
MAN: describe security risk of `cache_credentials`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ce24d38 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
UTILS: missing domain in `sss_parse_name()` input isn't SSSDBG_CONF_SETTINGS

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f5787878 by Alexey Tikhonov at 2023-02-28T21:54:35+01:00
NSS: empty result of `..._group_by_origgid()` isn't an error

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
e5fba8f9 by Alexey Tikhonov at 2023-02-28T22:05:43+01:00
TESTS: fix compilation issue with musl libc

Resolves: https://github.com/SSSD/sssd/issues/6487

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
97c671e4 by aborah at 2023-03-02T13:41:47+01:00
Tests: Port automount bash tests to pytest

https://gitlab.cee.redhat.com/aborah/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/automount

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
97e040f9 by Jakub Vavra at 2023-03-03T12:51:04+01:00
Tests: Set cryptopolicy for master for AD fips tests.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
61d6030b by Sargun Narula at 2023-03-03T12:51:34+01:00
Added entry for krb_access_provider in readme.rst

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
fb5a300b by Justin Stephenson at 2023-03-03T12:52:04+01:00
passkey: Add configuration options

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fbbe9ba3 by Justin Stephenson at 2023-03-03T12:52:04+01:00
authtok: Add Passkey type

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
57152761 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Add new option ldap_user_passkey

Retrieve user passkey mapping data from the below LDAP attributes:

IPA: ipaPasskey
AD: altSecurityIdentities
LDAP: passkey

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3f24aa71 by Justin Stephenson at 2023-03-03T12:52:04+01:00
Extend IPA config search

Allow providing a custom search filter and search base, enabling this
API to also retrieve passkey configuration objects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ec677493 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Add DNS Domain name to struct sss_domain_info

dns_name string will be populated for IPA and AD domains

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ea9bcab6 by Justin Stephenson at 2023-03-03T12:52:05+01:00
IPA Retrieve passkey configuration

Retrieve the require user verification value (on/off/default) from the
IPA passkey configuration.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b92ff263 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Call the passkey helper binary

When passkey auth is enabled, call the passkey child to interact with the
passkey device.

Resolves: https://github.com/SSSD/sssd/issues/6558

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f8fe399 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Support Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64f98463 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey (Pre)auth

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
938676a3 by Justin Stephenson at 2023-03-03T12:52:05+01:00
Tests: Passkey prompting config

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64aa2672 by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Add destructor for passkey pin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5a22aefb by Justin Stephenson at 2023-03-03T12:52:05+01:00
PAM: Covscan NULL check for cache req result domain

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7356881c by Alexey Tikhonov at 2023-03-07T20:49:52+01:00
SDAP: removed leftovers after 65bd6bf05d75c843e525f8bf89e9b75b02a2bfb7

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a9bc94f0 by Alexey Tikhonov at 2023-03-07T20:50:17+01:00
INTG-TESTS: add missing files to Makefile.am

Resolves: https://github.com/SSSD/sssd/issues/6588

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5c83deb5 by bluikko at 2023-03-07T20:50:47+01:00
src/util/domain_info_utils.c: fix typo

Typo in libdefaults typed as kibdefaults.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
47f82a41 by Gioele Barabucci at 2023-03-07T20:51:17+01:00
Makefile: Install dbus policy in /usr, not /etc

From <https://bugs.debian.org/1006631>:

> dbus supports policy files in both `/usr/share/dbus-1/system.d` and
> `/etc/dbus-1/systemd`. [The] recently released dbus 1.14.0, officially
> deprecates installing packages' default policies into `/etc/dbus-1/systemd`,
> instead reserving it for the sysadmin. This is the same idea as the
> difference between `/usr/lib/udev/rules.d` and `/etc/udev/rules.d`.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
067cc5cc by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
BUILD: make "files provider" build configurable

:relnote:"Files provider" (i.e. `id_provider = files`) is deprecated and
might be removed in further releases. Those who are interested to keep
using it awhile should configure its build explicitly using
`--with-files-provider` ./configure option. Or consider using "Proxy
provider" with "proxy_lib_name = files" instead.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
978ef179 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00
UTILS: force inline `is_files_provider()`

This hopefully will ensure that compiler optimizer will remove unused
code that depends on `if (is_files_provider())` branch in case files
provider isn't built.
Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - c53390a8 by Alexey Tikhonov at 2023-03-07T20:51:49+01:00 DP: warn loudly if config uses 'files' when support wasn't built Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - 8962eaca by Alexey Tikhonov at 2023-03-07T20:51:49+01:00 INTG-TESTS: enable '--with-files-provider' Reviewed-by: Justin Stephenson <jstephen at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> - - - - - e623fac7 by Timotej Lazar at 2023-03-09T11:25:21+01:00 tests: use echo instead of /bin/echo in Makefile The binary might be somewhere else or not available at all during build. No special features are needed so the shell builtin is enough. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 9fd8da28 by Sargun Narula at 2023-03-09T11:25:59+01:00 Fixed domainname value in krb_ldap_connection Reviewed-by: Anuj Borah <aborah at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - 34f1c222 by SargunNarula at 2023-03-09T11:25:59+01:00 Reused sssdTools Instance Reviewed-by: Anuj Borah <aborah at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - 30daa0cc by Iker Pedrosa at 2023-03-09T11:27:30+01:00 spec: update to include passkey Update the spec file to include the passkey feature. Made it configurable so that it can be disabled, added the dependencies and the passkey subpackage, and also include the passkey_child. :feature: New passkey functionality, which will allow to use FIDO2 compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it will also issue a Kerberos ticket automatically. :packaging: Include passkey subpackage and dependency for libfido2. 
:config: New options to enable and tune passkey behaviour: 'pam_passkey_auth', 'passkey_verification', 'passkey_child_timeout', 'interactive', 'interactive_prompt', 'touch' and 'touch_prompt'. Resolves: https://github.com/SSSD/sssd/issues/6228 Relates: https://github.com/SSSD/sssd/issues/6551 Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> - - - - - 712377ea by Pavel B?ezina at 2023-03-09T11:28:34+01:00 tests: add system tests using pytest-mh framework Reviewed-by: Jakub V?vra <jvavra at redhat.com> - - - - - 9145544f by Jakub Vavra at 2023-03-10T09:28:16+01:00 Tests: Add a remedy for a missing multihost_dir. Move the create_testdir fixture to fixtures.py and make sure that it is used. Extend it to create testdir and env.sh also on windows machines. Reviewed-by: Dan Lavu <dlavu at redhat.com> - - - - - 50a3a191 by Justin Stephenson at 2023-03-10T09:29:17+01:00 Passkey: Use correct User verification comparison IPA require user verification configuration value changed from "on, off, omit" to a boolean value of "True" or "False". Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> - - - - - 1c55f0d4 by Jakub Vavra at 2023-03-13T10:40:18+01:00 Tests: Refactor join ad. Refactored pieces for joing and leaving ad to reuse more code. Changed realm join to use DC instead of realm to mitigate machines on different networks that breaks auto-discovery. Lock resolv.conf so it is not broken by cloud-init after machine reboot. Reviewed-by: Dan Lavu <dlavu at redhat.com> - - - - - 80d28bab by Jakub Vavra at 2023-03-13T12:59:58+01:00 Tests: Make sure that session_multihost.ad is always available. We need it to be defined at least as an empty list so we do not get an AtributeError when we try to iterate over it. 
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
cc0545b4 by aborah at 2023-03-22T10:20:11+01:00
Tests: Port Bash Password Policy to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.7/client/ldap_provider/ldap_id_ldap_auth/password_policy.sh

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
96a0e9fb by David Härdeman at 2023-03-23T10:36:56+01:00
LDAP: Handle MIT LDAP KDB password expiry

Currently SSSD only treats a missing krbPasswordExpiration attribute as an indication that a given password never expires (which is how the FreeIPA KDB plugin handles the expiry).

The MIT implementation, however, treats *either* a missing attribute *or* a zero attribute as meaning that the password doesn't expire.

$ kadmin getprinc bob
Principal: bob at EXAMPLE.COM
...
Password expiration date: [never]
...

$ ldapsearch -Z -x -LLL "(uid=bob)" | grep krbPasswordExpiration
krbPasswordExpiration: 19700101000000Z

Note that 19700101000000Z == (time_t)0

Resolves: https://github.com/SSSD/sssd/issues/6612

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ce81f017 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: include requirements.txt in system tests documentation requirements

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
df7a5c33 by Pavel Březina at 2023-03-23T10:37:21+01:00
tests: build system tests documentation in readthedocs

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
42594c37 by HelloCarry at 2023-03-23T10:37:57+01:00
fix sysvol_gpt_version may be used uninitialized

Resolves: https://github.com/SSSD/sssd/issues/6610

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9aece27d by Dan Lavu at 2023-03-23T10:38:21+01:00
Adding ptr zone creation to class setup

The AD server may be provisioned onto a different subnet than the client, adding a fixture to add both the AD server and client PTR zones to DNS. In addition, cleaned up the find_a and find_ptr functions to remove false positives.

Signed-off-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
92d1b469 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: move select authenticator

Move select authenticator logic to its own function.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bccdc2af by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: obtain assertion data

New action to obtain the assertion data. For that purpose, prepare the assertion request data, select the device to use, select the authenticator, get the device options and compare them with the organization policy, request the assert, get the authenticator data, get the signature and print all this information.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f77ec4f5 by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: verify assertion data

New action to verify the assertion data.
To this end, prepare the assertion data, including the authenticator data and the signature; decode the public key and verify the assertion.

Resolves: https://github.com/SSSD/sssd/issues/6228

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8218634d by Iker Pedrosa at 2023-03-23T11:16:07+01:00
passkey: replace printf by PRINT

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c6db359f by aborah at 2023-03-27T10:20:41+02:00
Tests: Fix restore work for ipa test

Fix restore work for ipa test

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b3c681a7 by aborah at 2023-03-27T10:21:14+02:00
Tests: Port bash inmemory_cache test suite to pytest

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/tree/RHEL8.7/client/ldap_provider/inmemory_cache

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
132fb401 by Alexey Tikhonov at 2023-03-27T12:43:48+02:00
Deprecate 'sss_simpleifp' library.

:relnote:'sss_simpleifp' library is deprecated and might be removed in further releases. Those interested in continuing to use it for a while should configure its build explicitly using the `--with-libsifp` ./configure option.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c586b9a2 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDERS: delete obsolete 'responder_sbus.h'

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
437dbe9e by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
MONITOR: currently only 'ifp' doesn't support running as non-root

This should be easier to read.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e2106c94 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
SUDO: fix mistype

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
5159992d by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
RESPONDER: use safe helper

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
64424963 by Alexey Tikhonov at 2023-03-27T12:44:08+02:00
UTILS: sanitize `cli_creds_get_*` macro

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
55e27a42 by Alejandro López at 2023-03-27T12:44:34+02:00
KCM: Switch default caches only when there is no current default.

Only when there was a current default cache (uuid_is_null(old_dfl_uuid) == false), the default cache was switched. This condition should be negated so that the cache is switched when there is no current default.

Resolves: https://github.com/SSSD/sssd/issues/6357

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0e25f0d1 by answer9030 at 2023-03-27T12:45:04+02:00
Fixed pid wrapping in sss_cli_check_socket

Resolves: https://github.com/SSSD/sssd/issues/6592

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5c363bfb by answer9030 at 2023-03-27T12:45:04+02:00
Fixed the problem of calling getpid() and lstat() twice in sss_cli_check_socket()

The second call to getpid() and lstat() is redundant.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae691f0b by Alexey Tikhonov at 2023-03-27T12:46:14+02:00
NSS: change default value of 'cache_first' to 'true'

Having 'cache_first' as 'false' is a performance degradation without a reason in multi-(sub)domain environments (the typical case when AD is involved). But there is a subtle issue that doesn't allow switching the default when the 'files provider' is used.

:config: Default value of 'cache_first' option was changed to 'true' in case SSSD is built without 'files provider'.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cfc591d6 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Include struct ldb_dn in struct sdap_search_base

struct sdap_search_base includes the DN as a string. To better compare the DNs it is better to use a struct ldb_dn, in addition to the string. The struct ldb_dn also needs to keep the associated struct ldb_context, so we are also storing it in the structure.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
84e7dbc9 by Alejandro López at 2023-03-27T12:47:50+02:00
SDAP: Ignore the cn=views entries in nested groups

When resolving the nested groups, ignore any entry in cn=views,cn=accounts,$BASEDN (or whatever the user configured).

Resolves: https://github.com/SSSD/sssd/issues/6548

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9e9d5825 by Alejandro López at 2023-03-27T12:47:50+02:00
Tests: Test that cn=views is ignored.

Add a new test to check the ignored search bases.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
62cb54dc by Pavel Březina at 2023-03-30T12:17:48+02:00
tests: make pytest-ldap aware of TLS options

OPT_X_TLS_NEWCTX must be set to create a new TLS context after changing TLS options in order to actually use them in python-ldap. This is required to run the tests inside idm-ci where the internal hostname that is used in the certificate does not match the external hostname or IP address that is used to connect to the remote host.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
745379bc by Justin Stephenson at 2023-03-31T12:30:44+02:00
SSSCTL: Switch passkey-exec to passkey-register

Users currently only need to call --register

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f46fe473 by Jakub Vavra at 2023-04-03T09:37:32+02:00
Tests: Skip test_0002_ad_parameters_junk_domain on multiarch

The test does not work properly on multiarch due to beaker being on a different network than openstack. Fixed some misleading comments.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
9c17615a by aborah at 2023-04-04T12:12:38+02:00
Tests: don't fail if chattr file doesn't exist

error: DEBUG - chattr: Operation not supported while reading flags on /etc/resolv.conf

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ad68d71c by Pavel Březina at 2023-04-04T12:13:16+02:00
passkey: add Kerberos plugins

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a16c256 by Pavel Březina at 2023-04-04T12:13:16+02:00
idp: switch to common API for radius-style plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cdfe2c51 by Justin Stephenson at 2023-04-04T12:13:16+02:00
Authtok: Support SSS_AUTHTOK_TYPE_PASSKEY{_REPLY}

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5de070f9 by Justin Stephenson at 2023-04-04T12:13:16+02:00
pam_sss: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7c34742c by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Add passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c76ba343 by Justin Stephenson at 2023-04-04T12:13:17+02:00
PAM: Passkey kerberos preauth support

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9869e487 by Justin Stephenson at 2023-04-04T12:13:17+02:00
krb5_child: Increase child buffer and chunk size

Passkey data can be larger than 512 bytes. Received passkey data from krb5 with multiple credentials exceeds 256 bytes.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
88f4d3cf by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Add util function to prefix passkey data

Allows converting passkey child --get-assert output to the format which the passkey krb5 plugin expects.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1032ca21 by Justin Stephenson at 2023-04-04T12:13:17+02:00
MAN: Clarify user_verification will be overwritten

The user_verification sssd.conf option for passkey will only be used with LDAP or AD, in the non-kerberos pre-auth case.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bb21171b by Justin Stephenson at 2023-04-04T12:13:17+02:00
Passkey: Changes to debug_libfido2 option

Change debug_libfido2 to passkey_debug_libfido2 and move it from the passkey verification options to the PAM options.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5744bad7 by Justin Stephenson at 2023-04-04T12:13:17+02:00
Tests: Amend PAM Preauth tests

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9e061fc0 by Jakub Vavra at 2023-04-04T14:58:56+02:00
Tests: Remove keytab on realm leave.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
a5efc5e6 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: fix type errors due to type enhancements in jc

The library we depend on, `jc`, made its typing more specific so we need to check that we got the expected type.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
3d0fcca3 by Pavel Březina at 2023-04-04T14:59:26+02:00
tests: avoid list() and dict() as default parameter value

"Default parameter values are evaluated from left to right when the function definition is executed." which means that the list or dict is created only once and then the same reference is passed to the function with each invocation, so the function calls can be affected by the previous one.

See: https://docs.python.org/3/reference/compound_stmts.html#function-definitions

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
a825b28b by Pavel Březina at 2023-04-11T10:06:35+02:00
passkey: fix copyrights and comments in krb plugin

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
576a1c19 by Madhuri Upadhye at 2023-04-11T10:07:00+02:00
Tests: Automation of bug, bz2100789, which tests id_provider parameter from domain section

Add automation of bug which checks id_provider parameter from domain section. Contains the following two test cases:
1. Test when domain section does not have id_provider
2. Test when id_provider's value is invalid

verify:
#https://bugzilla.redhat.com/show_bug.cgi?id=2100789
#https://github.com/SSSD/sssd/pull/6550

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
bc5de686 by Jakub Vavra at 2023-04-13T12:25:27+02:00
Tests: Add a timeout to realm join for AD, modify realm leave.

The realm join gets stuck on other architectures, particularly on s390x. This makes it fail and the suite can continue running instead of waiting for the timeout for the whole suite. Handle the edge case when realm leave fails for the machine and removal from AD is also not done, resulting in the following tests being unable to join as the machine is already present on AD.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e794bfde by Pavel Březina at 2023-04-14T12:11:40+02:00
ci: prepend pr copr build with high version number

Currently, it is not possible to simply install the copr pull request package because a number is considered to be higher than a string version, therefore 2.8.0 > pr6286 and dnf considers the potential installation to be a downgrade which may cause conflicts.

Prepending 9 makes sure that the pull request copr build always wins.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
526aea3e by Tomas Halman at 2023-04-14T12:12:15+02:00
util: Improve re_expression defaults

The original defaults of re_expressions did not use "^" so they may skip/ignore some leading characters (@ and \). The new defaults use ^ and $ to be sure that all characters are used.

Resolves: https://github.com/SSSD/sssd/issues/6635

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b78b508b by Tomas Halman at 2023-04-14T12:12:15+02:00
responder: regexp cleanup

Update ifp and ssh responders to use the regular expression defined centrally.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
255c01a1 by Jakub Vavra at 2023-04-17T09:10:41+02:00
Tests: Fix error in cifs tests.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
c3a0b5f0 by Pavel Březina at 2023-04-17T11:57:59+02:00
tests: split system test framework into standalone repository

This change allows other projects to use the framework as well.
https://github.com/SSSD/sssd-test-framework

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
08711256 by aborah at 2023-04-19T15:27:05+02:00
Tests: Add missing package

strace was missing from installed packages

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
821455c7 by Sargun Narula at 2023-04-19T15:34:45+02:00
Tests: Ported cache_performance testing cases to pytest

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6d659e29 by Sargun Narula at 2023-04-19T15:34:45+02:00
Fixed docstring minor changes

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
54aabca0 by Alejandro López at 2023-04-19T15:35:35+02:00
UTIL: Introducing SPRItime

SPRItime can be used to printf() time_t values.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3463caa8 by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Remove several Y2K38_SAFETY warnings

Most of them are external functions that receive a 32-bit integer but SSSD provides a time_t value. For that we created the sss_tevent_timeval_current_ofs_time_t(time_t t) wrapper function that handles the conversion.

In another case, it was an internal function, so the function was adapted to accept a time_t value.

Another case is a real problem caused by Kerberos storing times in the 32-bit signed krb5_timestamp, but time() returning a 64-bit value. It seems Kerberos is planning on making this signed value unsigned. So the recommended and adopted solution is to use the 32 lower bits.

Also the DEBUG() trace was corrected to use the right size.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b65d7be by Alejandro López at 2023-04-19T15:35:35+02:00
COVERITY: Resolve a WRITE_CONST_FIELD warning

We are initializing the structure, so it is not a problem that we write to const fields.
In addition, using talloc_memdup() is better and avoids the warning.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c3d6cc9a by Alejandro López at 2023-04-19T15:40:10+02:00
AD: Do not use the shortcut when filter_groups is set.

When using 'id <user>', a shortcut avoids creating the proper group object but, instead, one where the SID is the group name is created. This prevents a proper filtering of groups, which requires the actual group name. Not using the shortcut will retrieve the group names and the filtering will work.

Resolves: https://github.com/SSSD/sssd/issues/6617

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ebc1e460 by Sumit Bose at 2023-04-19T15:42:03+02:00
krb5: add joined/parent domain to [domain_realm]

So far only discovered sub-domains were added to the [domain_realm] section of one of the krb5 config snippets SSSD is generating. To fix recent issues which were caused by missing entries of the joined domain, this domain is now added as well.

Resolves: https://github.com/SSSD/sssd/issues/6600

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
dae5367b by Iker Pedrosa at 2023-04-19T15:44:18+02:00
test: cast to `char *` assert_string_equal() args

CI build is reporting the following error several times:

```
error: pointer targets in passing argument 2 of '_assert_string_equal' differ in signedness [-Werror=pointer-sign]
```

Casting the arguments of assert_string_equal() to `char *` fixes the issue.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
325fc8e1 by Jakub Vavra at 2023-04-24T11:12:51+02:00
Tests: Improve stability of tests in TestADParamsPorted, remove un-needed backups.
There are some tests that are flaky in the suite, adding pytest.flaky and moving them to tier2. Made sure that flaky tests are only in one tier instead of failing in two suites. Removed backup and restore of sssd.conf as it is done by adjoin now.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
def571ba by Sumit Bose at 2023-04-24T11:13:37+02:00
krb5: make sure realm is known when writing domain_realms

To make sure that no broken krb5.conf snippet is created, it is checked if the realm member is defined in the sss_domain_info struct before writing it to the output.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
a41810bd by Iker Pedrosa at 2023-04-24T11:14:25+02:00
CI: store CodeQL configuration artifacts

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
eb494154 by aborah at 2023-04-24T11:15:10+02:00
Tests: Add support for ldapi:// URLs

bz: https://bugzilla.redhat.com/show_bug.cgi?id=2152177

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
30e0b472 by Jakub Vavra at 2023-04-24T11:25:01+02:00
Tests: Add tests for BZ1765354

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1765354
Verifies: #5080

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
9f2d8d69 by minfrin at 2023-04-24T13:12:31+02:00
Add support for ldapi:// URLs.

Make sssd aware of unix domain sockets, allowing connections to local LDAP servers. Make use of struct sockaddr and socklen_t consistent across the code.
:feature: Add support for ldapi:// URLs to allow connections to local LDAP servers

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f2213418 by minfrin at 2023-04-24T13:12:31+02:00
Align sockaddr_storage to sockaddr for updated API.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
91b70123 by minfrin at 2023-04-24T13:12:31+02:00
Ensure we touch sockaddr_len in the success case only.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4ccd5b9a by minfrin at 2023-04-24T13:12:31+02:00
Do not set SO_KEEPALIVE on AF_UNIX.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2d54cf5e by minfrin at 2023-04-24T13:12:31+02:00
Rename sdap_get_server_ip_str() to sdap_get_server_peer_str()

Add support for printing AF_UNIX paths.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e004595a by minfrin at 2023-04-24T13:12:31+02:00
Don't force TLS on if we're a unix domain socket.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
559f29ff by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: load fixtures from sssd-test-framework

This makes fixtures from sssd-test-framework available in our tests.
See tests.sssd.io to list the fixtures:
https://tests.sssd.io/en/latest/api/sssd_test_framework.fixtures.html

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
52c3d6c2 by Pavel Březina at 2023-04-26T10:13:58+02:00
tests: create data directory in system tests

The directory hierarchy is as follows:

* `data/`
  * files shared for all test modules
  * `test_module/` (directory for `test_module.py`)
    * files shared for all tests within the module `test_module.py`
    * `test_module__xyz/` (directory for single test from the module)
      * files relevant only for the test `test_module__xyz`

It can be accessed via datadir, moduledatadir and testdatadir fixtures.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9358a74d by Sumit Bose at 2023-04-26T10:32:25+02:00
ad: skip filtering if ad_enabled_domains is set

The domain filtering based on LDAP attributes might be too strict in forests which have a long and complex history where not all attributes might be updated to reflect the current state, e.g. membership to the local forest. To skip the filtering the ad_enabled_domains attribute can be set to the list of expected domains.

Resolves: https://github.com/SSSD/sssd/issues/6626

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
1bf47514 by Sumit Bose at 2023-04-26T10:32:25+02:00
tests: fix typo in ldapi test

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ddec8ae2 by Alexey Tikhonov at 2023-04-27T06:52:51+02:00
SPEC: obsolete libsss_simpleifp

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9329c09d by Jakub Vavra at 2023-04-27T06:53:10+02:00
Tests: Fix pytest markers to remove warnings.
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
04cc2f73 by Jakub Vavra at 2023-04-27T12:09:37+02:00
Tests: Install libsss_simpleifp conditionally based on release.

Package libsss_simpleifp is removed from fedora and a future major version of RHEL, install it only on RHEL/Centos 7,8,9. See https://github.com/SSSD/sssd/pull/6701.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d735fb1e by Jakub Vavra at 2023-04-27T12:15:22+02:00
Tests: Ignore chattr result on resolv.conf

The resolv.conf can be a symlink (because of systemd/resolved) so chattr will not work on it. We ignore the result so an error is not produced on fedora where systemd/resolved is in play.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
ed2510d9 by Jakub Vavra at 2023-04-28T11:00:41+02:00
Tests: Add test for bz1913839 gid of filtered group gid still present in id

Verifies Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1913839
Group id of a group that should have been filtered is visible in the id command output.

Fixed test numbering, removed un-needed backups, moved log collection to a later part of the code to make test_0016 more reliable.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
265f6e02 by Shridhar Gadekar at 2023-04-28T11:03:00+02:00
Tests: sss allows extraneous @ characters prefixed to username

corrected typo

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2180981
Verifies:

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c200fc01 by Madhuri Upadhye at 2023-05-03T18:53:27+02:00
Test: Test nested group in view based search

Automation of BZ2151403
Test nested group entry in cn=views,cn=accounts,$BASEDN with id command from client.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
f97cd4d4 by Iker Pedrosa at 2023-05-03T18:53:46+02:00
passkey: don't print User ID

The User ID isn't part of any signed data, thus there isn't any indication that it's related to the token. Moreover, the effort to store it securely in the LDAP attribute is quite big. Taking that into account, the passkey child doesn't print it and this way we avoid storing it in the LDAP server.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9724f871 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: only accept the client realm as relying party ID

FreeIPA expects the relying party ID for the FIDO2 exchange to be the same as the realm. If a rogue KDC attempted to inject another relying party ID, reject it.

We use the server principal as opposed to the client one to allow use of enterprise principals. The server principal in AS-REQ would be krbtgt/REALM at REALM for the realm of the client.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d0a6bf60 by Alexander Bokovoy at 2023-05-03T18:54:06+02:00
passkey: implement realm check for the passkey challenge

A rogue KDC might respond to us with a passkey challenge that references a domain not associated with the realm we serve. In order to check that, convert the DNS domain from the challenge to the realm using the hostrealm interface provided by the krb5 library. For a referral realm fall back to the explicit challenge domain check.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9bf55bf9 by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: disable 'user' config option in case --with-sssd-user=root

In case SSSD was configured and built --with-sssd-user=root, no other value of 'user' config option (besides default 'root') is supported. Having it documented in the man page in this case only brings confusion.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8b94af6e by Alexey Tikhonov at 2023-05-03T19:00:21+02:00
MONITOR: validate value of 'user' option.

Only 'root' and SSSD_USER are valid values.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d4866940 by Luke Dickinson at 2023-05-04T10:39:33+02:00
Remove the need for a keytab when using fast with anonymous pkinit

Anonymous pkinit does rely on a keytab for authentication. Removed unnecessary call to copy keytab into memory.
Resolves: https://github.com/SSSD/sssd/issues/6531

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ede8c139 by Weblate at 2023-05-04T11:11:59+02:00
po: update translations (Turkish)

currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations (Korean)
currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Czech)
currently translated at 99.4% (702 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations (Czech)
currently translated at 99.1% (700 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations (French)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations (Korean)
currently translated at 64.3% (1676 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Chinese (Simplified) (zh_CN))
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations (Japanese)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations (French)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations (Japanese)
currently translated at 94.0% (664 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations (Finnish)
currently translated at 10.0% (71 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Georgian)
currently translated at 7.9% (56 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations (Polish)
currently translated at 4.9% (132 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations (Korean)
currently translated at 64.1% (1673 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Finnish)
currently translated at 9.9% (70 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Swedish)
currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations (Swedish)
currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations (Swedish)
currently translated at 98.1% (2672 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations (Swedish)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations (Finnish)
currently translated at 9.6% (68 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Korean)
currently translated at 64.1% (1671 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Finnish)
currently translated at 8.9% (63 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Korean)
currently translated at 63.7% (1661 of 2606 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations (Finnish)
currently translated at 7.3% (52 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Polish)
currently translated at 4.9% (131 of 2656 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations (Georgian)
currently translated at 7.7% (55 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations (Finnish)
currently translated at 7.2% (51 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations (Russian)
currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations (Russian)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations (Ukrainian)
currently translated at 100.0% (2722 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations (Russian)
currently translated at 97.3% (687 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations (Korean)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations (Ukrainian)
currently translated at 99.1% (2700 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations (Ukrainian)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations (Korean)
currently translated at 97.1% (686 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations (Ukrainian)
currently translated at 98.8% (2692 of 2722 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations (Ukrainian)
currently translated at 96.4% (681 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations (Polish)
currently translated at 100.0% (706 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations (Korean)
currently translated at 63.6% (1659 of 2607 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
619ecbbc by Iker Pedrosa at 2023-05-04T13:35:09+02:00
test: add conditional build for passkey functions

`make distcheck` is failing because two passkey functions are defined but never used. Add conditional build for them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e91b5d4a by Pavel Březina at 2023-05-05T10:07:26+02:00
man: put sssd_user_name.include to builddir

Putting it to the source directory makes "make distcheck" fail when run directly from source directory instead of different build dir. It produces this error message:

```
/bin/sh: line 1: ../../../../src/man//sssd_user_name.include: Permission denied
```

Because the source directory copied by distcheck is not writable.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6c184c47 by Pavel Březina at 2023-05-05T10:11:07+02:00
pot: update pot files

- - - - -

19 changed files:

- .github/actions/build-sssd-srpm/action.yml
- .github/workflows/analyze-target.yml
- .github/workflows/ci.yml
- .github/workflows/copr_build.yml
- .github/workflows/copr_cleanup.yml
- .github/workflows/coverity.yml
- .github/workflows/static-code-analysis.yml
- .gitignore
- Makefile.am
- configure.ac
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/get-matrix.py
- contrib/ci/sssd.supp
- contrib/fedora/bashrc_sssd
- contrib/sssd.spec.in
- po/Makevars
- po/POTFILES.in
- po/bg.po

The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/796b6daee338bc600e5757d4804a17687106a7e1...6c184c476e9ef189752a07961523ce4968b922e6

From info at j-pfennig.de Thu Jun 8 16:36:24 2023
From: info at j-pfennig.de (Jürgen Pfennig)
Date: Thu, 08 Jun 2023 17:36:24 +0200
Subject: [Pkg-sssd-devel] Bug#1036993: Bug#1036993: /lib/x86_64-linux-gnu/security/pam_sss.so: pam_sss passes KRB5CCNAME with sudo -i (see redhat bug/fix 1324486)
In-Reply-To: <9609fcbc-6694-6578-4967-5ecb08f581d1@debian.org>
References: <9609fcbc-6694-6578-4967-5ecb08f581d1@debian.org> <168555809257.5279.8892145677767012964.reportbug@alpha8.centauri.home> <168555809257.5279.8892145677767012964.reportbug@alpha8.centauri.home>
Message-ID: <2688417.mvXUDI8C0e@alpha8>

June 2, 2023 12:44 AM, "Timo Aaltonen" wrote:
> J. Pfennig wrote on 31.5.2023 at 21.34:
>
>> Package: libpam-sss
>> Version: 2.8.2-4
>> Severity: normal
>> File: /lib/x86_64-linux-gnu/security/pam_sss.so
>> Dear Maintainer,
>> * What led up to the situation?
>> using kerberos, AD/DC, sssd and its pam module
>> * What exactly did you do (or not do) that was effective (or
>> ineffective)?
>> kinit ... # to get a kerberos ticket
>> echo $KRB5CCNAME # path to credential cache
>> sudo -i user2
>> echo $KRB5CCNAME # ORIGINAL path to credential cache
>> * What was the outcome of this action?
>> kinit, klist et al fail, wrong credential cache
>> echo $KRB5CCNAME # path from original user
>> * What outcome did you expect instead?
>> KRB5CCNAME must not be passed
>> the case is described better than I can do at:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1324486
>> Bug fixed there in 2017.
>> Could Debian fix it too?
>
> The default value for pam_response_filter should already be
> 'ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i', so this issue should not happen since 2.5.1.
>
> -- t

But it still shows up in bookworm. I didn't know that a simple sudo is also affected, making things much worse. For sudo -i we can put a 'unset KRB5CCNAME' into .profile.

Here some more details:

############ ENVIRONMENTS ############

login jpf # a samba AD/DC user
env # output follows ...

SHELL=/bin/bash
XDG_SEAT=seat0
PWD=/home/jpf
KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd
LOGNAME=jpf
XDG_SESSION_TYPE=tty
SYSTEMD_EXEC_PID=5152
MOTD_SHOWN=pam
LINES=60
HOME=/home/jpf
LANG=de_DE.UTF-8
COLUMNS=192
TMPDIR=/run/user/30010
INVOCATION_ID=0aef719acd824994b41aded975d5743f
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=linux
LESSOPEN=| /usr/bin/lesspipe %s
USER=jpf
SHLVL=1
XDG_VTNR=2
XDG_SESSION_ID=5
XDG_RUNTIME_DIR=/run/user/30010
XDG_DATA_DIRS=/home/jpf/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local share/:/usr/share/
HUSHLOGIN=FALSE
TMP=/run/user/30010
PATH=/shared/python/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
GDK_DPI_SCALE_FIREFOX=0.8
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/30010/bus
MAIL=/var/mail/jpf

sudo -u local env # a local /etc/passwd user
# output follows...
_=/usr/bin/env
KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd
HOME=/home/jpf
LANG=de_DE.UTF-8
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAIL=/var/mail/local
LOGNAME=local
USER=local
SUDO_COMMAND=/usr/bin/env
SUDO_USER=jpf
SUDO_UID=30010
SUDO_GID=1001

/etc/sudoers
############

Defaults env_reset
Defaults env_keep += "DISPLAY HOME GTK_RC_FILES GTK2_RC_FILES GDK_DPI_SCALE KDE_FULL_SESSION"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root ALL=(ALL:ALL) NOPASSWD: ALL
local ALL=(ALL:ALL) NOPASSWD: ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
%centauri ALL=NOPASSWD: /sbin/shutdown
%centauri ALL=NOPASSWD: /sbin/reboot
%vboxusers ALL=NOPASSWD: /usr/bin/systemctl start virtualbox
%vboxusers ALL=(vbox)NOPASSWD: SETENV: /usr/lib/virtualbox/*
%vboxusers ALL=NOPASSWD: /usr/bin/mount -l -- /var/centauri/vbox/*
%vboxusers ALL=NOPASSWD: /usr/bin/umount -- /var/centauri/vbox/*
%vboxusers ALL=(vbox)NOPASSWD: SETENV: /usr/bin/bash *
%users ALL=NOPASSWD: /var/centauri/tools/centauridata update
%users ALL=NOPASSWD: /var/centauri/tools/centauriusers -q passwd -

/etc/sssd/sssd.conf
###################

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = centauri.home

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 365
offline_failed_login_attempts = 32
offline_failed_login_delay = 5

[domain/centauri.home]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_id_mapping = false
dyndns_update = false
ad_gpo_access_control = permissive
ad_maximum_machine_account_password_age = 0

From acecile at le-vert.net Wed Jun 14 14:27:28 2023
From: acecile at le-vert.net (Adam Cecile)
Date: Wed, 14 Jun 2023 15:27:28 +0200
Subject: [Pkg-sssd-devel] Bug#1037930: sssd-pac.service fails to start after Debian 12 upgrade (fatal error setting up backend connector)
Message-ID: <168674924803.25457.13344380259499780259.reportbug@lattitude.metz.levert>

Package: sssd
Version: 2.8.2-4
Severity: normal

Dear Maintainer,

I am not sure I understand what is going on, but all my servers being upgraded from Debian 11 to Debian 12 with MS Active Directory integration using SSSD start reporting systemctl issues with the sssd-pac service/socket failing to start.

When being started manually with "/usr/libexec/sssd/sssd_pac --logger=stderr --socket-activated --debug-level=8":

[pac] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(2023-06-14 15:21:20): [pac] [server_setup] (0x3f7c0): Starting with debug level = 0x37f0
(2023-06-14 15:21:20): [pac] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(2023-06-14 15:21:20): [pac] [schedule_responder_idle_timer] (0x2000): Re-scheduling the idle timeout [responder_idle_timeout] for the responder [0x55892f921550]
(2023-06-14 15:21:20): [pac] [setup_responder_idle_timer] (0x2000): Setting up the idle timeout [responder_idle_timeout] for the responder [0x55892f921550]
(2023-06-14 15:21:20): [pac] [confdb_init_domain_provider_and_enum] (0x0400): No enumeration for [ad.domain.com]!
(2023-06-14 15:21:20): [pac] [confdb_init_domain_provider_and_enum] (0x0400): Please note that when enumeration is disabled `getent passwd` does not return all users by design.
See sssd.conf man page for more detailed information
(2023-06-14 15:21:20): [pac] [confdb_init_domain_pwd_expire] (0x1000): pwd_expiration_warning is 21
(2023-06-14 15:21:20): [pac] [confdb_init_domain_pwd_expire] (0x0100): Setting domain password expiration warning to 21 days
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/bash in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /bin/rbash in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/rbash in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /bin/dash in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/dash in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/screen in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_get_etc_shells] (0x0400): Found shell /usr/bin/sh in /etc/shells
(2023-06-14 15:21:20): [pac] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\\]+)\\(?P.+$))|((?P.+)@(?P[^@]+$))|(^(?P[^@\\]+)$))].
(2023-06-14 15:21:20): [pac] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2023-06-14 15:21:20): [pac] [sbus_dbus_request_name] (0x0020): Unable to request name on the system bus [3]
(2023-06-14 15:21:20): [pac] [sss_dp_init] (0x0010): Failed to connect to backend server.
(2023-06-14 15:21:20): [pac] [sss_process_init] (0x0010): fatal error setting up backend connector
(2023-06-14 15:21:20): [pac] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(2023-06-14 15:21:20): [pac] [pac_process_init] (0x0010): sss_process_init() failed

Such an error does not occur on Debian 11.
Sadly, the Internet is not really helping on this one, so I have no idea what to look for. Everything seems to be working correctly despite the failing service.

Any idea?

Best regards, Adam.

From gitlab at salsa.debian.org Mon Jun 26 21:39:13 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Mon, 26 Jun 2023 20:39:13 +0000
Subject: [Pkg-sssd-devel] [Git][sssd-team/sssd][master] 59 commits: FILE WATCH: Callback not executed on link or relative path
Message-ID: <6499f77117d1_136f8837db7a2c4523172@godard.mail>

Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd

Commits:
eb43c240 by Alejandro López at 2023-05-15T11:21:58+02:00
FILE WATCH: Callback not executed on link or relative path

When the watched file was a symbolic link or was a relative path, the callback was not executed because the filename comparison was wrongly considering the files to be different. The solution is to normalize the filenames before comparing them. This cannot be easily done at setup because the file could not exist at that moment.

The test was adapted to check this situation.

Resolves: https://github.com/SSSD/sssd/issues/6718

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)

- - - - -
0c6f4926 by Alejandro López at 2023-05-15T11:21:58+02:00
TESTS: Fix double slash comments

Use /* */ instead of //.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 90c5490723e82bdf633900f67a424b53cd50112f)

- - - - -
d104c01f by Sumit Bose at 2023-05-15T11:22:50+02:00
sysdb: fix string comparison when checking for overrides

When checking if the input group-name is the original name from AD or an overwritten one the comparison is currently done case sensitive. Since AD handles names case-insensitive and hence SSSD should do this as well this comparison might cause issues.
The patch replaces the case-sensitive comparison with a comparison which respects the case_sensitive setting of the domain the object is coming from.

Resolves: https://github.com/SSSD/sssd/issues/6720

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 01d02794e02f051ea9a78cd63b30384de3e7c9b0)

- - - - -
425d88fa by Iker Pedrosa at 2023-05-15T11:25:39+02:00
passkey: write mapping data to file

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 906a677c959f4a28dd95775b0d9399dd9e48f1e0)

- - - - -
15dd3545 by Alexey Tikhonov at 2023-05-19T13:22:53+02:00
MAN: fix issue with multithread build

When 'make' runs using multiple threads it can build several man pages in parallel, executing the same '.5.xml.5:' rule. This can result in a race condition where multiple threads access the same 'sssd_user_name.include' file.

To avoid this make 'sssd_user_name.include' file a rule dependency. But "Suffix rules cannot have any prerequisites of their own", and suffix rules are obsolete anyway, so change it to pattern rules.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit df8472ccb20e0b77573b5c3e8cc25803bc7b0022)

- - - - -
6d060818 by Madhuri Upadhye at 2023-05-19T16:16:09+02:00
Tests: Gating fixes for RHEL8.9 and RHEL9.3

Following three minor changes are:

for test_config_validation.py,
1. 'sssctl config-check' returning returncode as 1 when we don't have sssd.conf file.
2. Change the 'sssctl' command which only checks the non-default snippet directory with option -s.

for test_offline.py,
3. Add extra restart of sssd to get offline log message using journalctl command.

for test_ssh_
4.
Replace pexpect_ssh with the auth_from_client method to log in the user.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 2965db1cce2d9c79e58626834f96f0283d26cfff)

- - - - -
60806f59 by Shridhar Gadekar at 2023-05-22T09:23:25+02:00
Tests: move unstable default_debug to tier2

moved default debug level tests to tier2

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 535a8c6a749a96e23510a26eceb5953b99f41cde)

- - - - -
de75ff3c by aborah at 2023-05-22T09:23:51+02:00
Tests: Fix gating tests for 9.3

It fixes tests from tier1_2 that are failing in gating

1. src/tests/multihost/alltests/test_automount.py
there is an issue with autofs, email thread: [CRASH] prep Package: autofs-1:5.1.7-36.el9

2. src/tests/multihost/alltests/test_automount_from_bash.py
test did not raise an error as the last cd - command was successful, so I have removed the cd - part (/folder1/folder2/projects does not exist)

3. src/tests/multihost/alltests/test_ldap_password_policy.py
password provided was wrong.

4.
src/tests/multihost/alltests/test_backtrace.py --- need to modify this test as per current log format

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 2096f45527d4513ae52547fafd383bd2542d7f79)

- - - - -
33f10c4a by Dan Lavu at 2023-05-23T12:54:32+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 69f93bf817706acb7830428fd81d78dc207468c0)

- - - - -
270f0ba0 by Justin Stephenson at 2023-05-25T10:20:24+02:00
Passkey: Adjust IPA passkey config error log level

IPA passkey configuration may not be retrieved if IPA does not contain passkey support. Lower the error level of log messages associated with this failure.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fe751c316c631240311fba62409f2b6a38be0d50)

- - - - -
16275d9b by Justin Stephenson at 2023-05-25T10:20:24+02:00
IPA: Log missing IPA config data on default level

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fa326be9cb29d97d6000e783b02656f60f7f8fb2)

- - - - -
e5dfa2a8 by Sumit Bose at 2023-05-25T10:21:11+02:00
AD: add missing AD_AT_DOMAIN_NAME for sub-domain search

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 39b6337f32b76842be65802b0b0aa86050c8aa95)

- - - - -
2466310e by Jakub Vavra at 2023-05-25T16:12:26+02:00
Tests: Modify expiring/expired password test for RHEL 8.
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4d2cf0b6 by Sumit Bose at 2023-05-26T12:53:52+02:00
krb5: make sure sockets are closed on timeouts

If krb5_child runs into a timeout the backend currently does not close the I/O sockets because handle_child_done() is not called when the timeout handlers are acting. To make sure the signal handler can close the sockets the 'in_use' member of struct child_io_fds is set to 'false'.

Resolves: https://github.com/SSSD/sssd/issues/6744

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 455611952f90ed0cefaff1e840623ea14ac06be1)

- - - - -
a74d42df by Shridhar Gadekar at 2023-05-26T12:55:14+02:00
Tests: fix default debug level for typo

modified docstrings

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 11eef225c452982877ff26b7984d0351de41da87)

- - - - -
58855b71 by Alejandro López at 2023-05-26T12:58:28+02:00
SYSDB: Make enum sysdb_obj_type public

Make enum sysdb_obj_type usable outside of sysdb_ops.c.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 1d69fdb73e5cbaf9789fbb153fa2bc55644e5ec1)

- - - - -
3eb4c4a7 by Alejandro López at 2023-05-26T12:58:28+02:00
IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP

The previous filter for overrides would sometimes find more than one entry because it was looking for a uidNumber or gidNumber:

(&(objectClass=ipaOverrideAnchor)(|(uidNumber=XXXX)(gidNumber=XXXX)))

The new filter looks for a specific user override or a specific group override:

(|(&(objectClass=ipaUserOverride)(uidNumber=XXXX))
(&(objectClass=ipaGroupOverride)(gidNumber=XXXX)))

This filter could return two override entries (one for a group and one for a user).
That case must be taken into consideration and discard the user override in favor of the group override.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 99d0ab82e98a8f1e3cab23d871f36b9d890e034c)

- - - - -
0192c1c8 by Jakub Vavra at 2023-05-29T06:54:01+02:00
Tests: Add conditional skip for simple ifp test.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 469905bfabdda66555bd179eb7b6ac7b3cd875d1)

- - - - -
6239f50f by Alejandro López at 2023-06-05T11:27:57+02:00
PAM: Fix a possible segmentation fault

Calls to add_expired_warning(struct pam_data *pd, long exp_time) must provide a non-NULL pd. In one of the cases this function is called without checking that pd is not NULL. We here fix that.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 7f28816479c694ff95939e3becfbcd43423a5744)

- - - - -
f63a54c3 by Sumit Bose at 2023-06-05T11:28:59+02:00
fail_over: protect against a segmentation fault

A missing server name in struct fo_server will cause a segmentation fault. Currently it is unclear why the server name is missing at this point. To avoid the segmentation fault it is checked before if the server name is missing. Additionally the state of some internal structures is added to the debug logs to help debugging why the server name is missing.
Resolves: https://github.com/SSSD/sssd/issues/6659

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 8a8869994745429b3f5535a5d0b91f1d0b2fa723)

- - - - -
b9a0b424 by aborah at 2023-06-08T07:56:29+02:00
Tests: Netgroups do not honor entry cache nowait percentage

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L280

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 75ae9e87a264b17dac45f798fb7b4ba7057fc494)

- - - - -
74c6fefe by Shridhar Gadekar at 2023-06-08T07:58:25+02:00
Tests: move test_access_control.py to tier2

Tests moved to tier2, tests are failing to parse the logs. gating is blocked. same testsuite is available in bash

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 587cd8dc2004adfd6c6aab4ef928ef2d89ae3f94)

- - - - -
6125efe1 by Shridhar Gadekar at 2023-06-12T09:34:04+02:00
Tests: Adding c-ares markers for related tests

removing flaky ones

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 27dd3f508b23ae61c757cce6c5b9ca303d7aaf09)

- - - - -
d9749ba1 by Alexey Tikhonov at 2023-06-12T11:17:37+02:00
RESPONDER: avoid log backtrace in case access denied

Resolves: https://github.com/SSSD/sssd/issues/6442

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 076a1136ab8650d962c5a462cbed82bd96ba176a)

- - - - -
640f4158 by Pavel Březina at 2023-06-12T11:49:29+02:00
ipa: correctly remove missing attributes on netgroup update

When a netgroup is updated, previously it did not remove the missing attributes. This caused an issue especially when a member was removed.
Resolves: https://github.com/SSSD/sssd/issues/6652

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b033b0dda972e885f63234aa81dca317c8234c2c)

- - - - -
4b0683bd by Alejandro López at 2023-06-12T20:43:25+02:00
AD: The shortcut must be used equally on _send() and _done()

The conditions to use the shortcut in sdap_ad_tokengroups_initgroups_send() were modified without also changing sdap_ad_tokengroups_initgroups_done(). To avoid future problems like this, and because the condition is becoming more complex to evaluate, we evaluate the condition in the _send() function and keep the result in the state, for the _done() function to use it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit dc9466e7371b98bc972ae2b3521f163f31a59a84)

- - - - -
e4e8e344 by Madhuri Upadhye at 2023-06-13T12:13:58+02:00
Tests: Add package for tc command

Adding package iproute-tc to get tc command.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 9c50b8ec14f0e167c937446a64213ef59eaa96ef)

- - - - -
02b158ff by Shridhar Gadekar at 2023-06-13T12:18:44+02:00
Test: dropping unstable dyndns tests

Dropping unstable dyndns tests from c-ares gating

(cherry picked from commit 6efb2779b79b86121f50852416e3ae63feac31a0)

- - - - -
bb64f2cd by aborah at 2023-06-15T10:25:11+02:00
Tests: Skip test_0001_bz2021196

The test is unstable on other architectures so it is skipped for now.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit d14be798bdebcc3587769c2406ee025340cf5162)

- - - - -
58a007de by Jakub Vavra at 2023-06-15T10:26:56+02:00
Tests: Skip test_0016_ad_parameters_ad_hostname_valid on other architectures.

The test is unstable on other architectures so it is skipped for now.
Reordered the asserts so we can see if the connection to AD works, as looking for the log message has a lower priority.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 3e3d098646f7cae90857f9a92348aff14fd65429)

- - - - -
19fecbf1 by Jakub Vavra at 2023-06-16T13:22:09+02:00
Tests: Improve stability of test_0004_bz2110091

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 54903c0e38f534bd48f890658b55c626431dd6d5)

- - - - -
05bc18ce by aborah at 2023-06-19T06:03:54+00:00
Tests: Add ssh module that is fast, reliable, accurate

Sssd tests seem to be failing with the current ssh module without any reason.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 34dba5a3836a121a6485ec71ffc7234cd5ec24c0)

- - - - -
895d194f by Sumit Bose at 2023-06-19T20:41:10+02:00
ldap: return failure if there are no grace logins left

If a user's password is expired while changing the LDAP password SSSD tries to change the password even if the initial bind of the user failed due to exhausted grace logins. With this patch the change password request will be aborted if the bind fails indicating that there are no grace logins left.

Resolves: https://github.com/SSSD/sssd/issues/6768

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit d99aa97dae7236fd056e21ea3d48997edf1b9823)

- - - - -
5008f0f9 by Sumit Bose at 2023-06-19T20:45:47+02:00
ad: use sAMAccountName to lookup hosts

To determine which GPOs apply to the host running SSSD the full DN of the host object in AD is needed. To find this object we use the NetBIOS name of the host which is stored in AD in the sAMAccountName attribute. Using other attributes, e.g. if ldap_user_name is set to a different attribute, will most probably cause a failure since those attributes are not managed as expected for host objects.
As a result sAMAccountName should be hardcoded here to avoid issues.

Resolves: https://github.com/SSSD/sssd/issues/6766

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 67c11c2ebae843f7ddd6b857efa2e1f6449986f3)

- - - - -
5711bb25 by Pavel Březina at 2023-06-19T20:48:03+02:00
cache_req: remove unused field cache_behavior from state

This field is not used anywhere. Instead, we use value from struct cache_req.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 8b014bf1592454520ef6d113be9a5f1fd02e1285)

- - - - -
bc5fe9eb by Pavel Březina at 2023-06-19T20:48:03+02:00
cache_req: fix propagation of offline status with cache_first = true

During the first iteration where the provider was not yet contacted, we set state->dp_success to false and if the record was not found we returned ERR_OFFLINE instead of ENOENT which causes the cache_req to continue and search the provider.

Resolves: https://github.com/SSSD/sssd/issues/6739

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 32f578229d38766b208f33130e28317ca69001d2)

- - - - -
d3c3408e by Alexey Tikhonov at 2023-06-21T15:24:04+02:00
SYSDB: in case (ignore_group_members == true) group is actually complete

Example workflow:
- SSSD client is enrolled into AD domain (Token-Groups are enabled)
- `id $user` is executed
- initgroups() is called for this user
- during processing of initgroups() sssd_be obtains a list of group SIDs user is a member of, and then partially resolves those groups and adds it to the local cache as "incomplete" (i.e. 'expired')
- as a next step `id` calls getgrnam() for every group in initgroups() list
- since groups are saved into the cache as "incomplete" (technically - "expired") this again results in LDAP search of this group.
But if `ignore_group_members = true` this search doesn't provide new information. "Incomplete" groups could be used instead. Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b) - - - - - 50922242 by Alejandro L?pez at 2023-06-23T14:47:38+02:00 TEST: Fix pam-srv-tests to correctly treat the test name Test suite pam-srv-tests accepts a test name as the last argument to just run that test. However, this was failing because a pointer to the name is retrieved but the poptContext is freed immediately after, making pointer invalid. The poptContext is now released after using the pointer. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit ca7c9f6066d150c1a88bda6bda2843f244e5289d) - - - - - 228183bf by Alejandro L?pez at 2023-06-23T14:47:38+02:00 IPA: Do not try to add duplicate values to the LDAP attributes When using extra attributes, an attribute could be listed twice and SSSD will try to add it twice to the cache. To handle this situation, each instance will be added to a single attribute with multiple values, but duplicated values will be dropped. This is done by calling `sysdb_attrs_add_val_safe()` instead of `sysdb_attrs_add_val()`. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit dc508f032904f008714418509a13f79a17660659) - - - - - 42cf3c41 by Alejandro L?pez at 2023-06-23T14:47:38+02:00 UTIL: New function string_in_list_size() Similar to string_in_list() but instead of taking a NULL-terminated list it take a list and its size. 
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit 1b45f29f459f13173af99e75b4bb43ed945680aa) - - - - - 010e61ff by Alejandro L?pez at 2023-06-23T14:47:38+02:00 UTIL: add_strings_lists() becomes add_strings_lists_ex() Old function add_strings_lists() copies any duplicate value. New function add_strings_lists_ex() take an argument to decide whether to discard duplicate values. add_strings_lists() is now a wrapper on add_strings_lists_ex(). Both function now take a const char *** instead of char ** as output parameter. An existing test was adapted and an new one added. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit 2b8fed59140e32f7a8fa9bafe9e84b8db96d1ae5) - - - - - bfc88dc3 by Alejandro L?pez at 2023-06-23T14:47:38+02:00 RESPONDER: attr_in_list() is replaced by string_in_list_size() Both functions do the same thing, so it is useless to have them both. attr_in_list() has, however, a more descriptive name for its use in this module, so we'll keep it as an inlined wrapper. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit de258f011b9c6fc97e9157435cd2845be1c5d0e0) - - - - - 355b0c2e by Alejandro L?pez at 2023-06-23T14:47:38+02:00 IPA: Do not duplicate the entry attributes. The extra attributes are concatenated to other required attributes for some operations. In some cases the attribute list ends up having duplicate attributes, either because accidentally the user added it twice to the ldap_user_extra_attrs list, or one or more of those attributes are also in the required list. Removing the duplicates each time the lists are concatenated increases the concatenation time. And this is done every time. So we try to concatenate the attribute lists at start up, filtering duplicates, and use that list. 
To do that, we consider the two cases where the list concatenation is done. In one of the cases, the added attributes are a subset of the other list. So we factorized this list to add the common attributes to the list at start up. Only the non-common attributes are added while serving a request. The complete list is now stored in the `full_attribute_list` field. An existing test suite was adapted to this new situation as it now needs to initialize the new field. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit b50415978d2f0fad3291d86e0a5340be7ab90528) - - - - - aa061594 by ??? at 2023-06-23T14:51:04+02:00 po: update translations (Korean) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/ - - - - - abce376c by Yuri Chornoivan at 2023-06-23T14:51:04+02:00 po: update translations (Ukrainian) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/uk/ - - - - - a94f39f0 by Temuri Doghonadze at 2023-06-23T14:51:04+02:00 po: update translations (Georgian) currently translated at 8.1% (58 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/ - - - - - 8e80798d by ??? 
at 2023-06-23T14:51:04+02:00 po: update translations (Korean) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/ - - - - - d37d72f0 by Kemal Oktay Akto?an at 2023-06-23T14:51:04+02:00 po: update translations (Turkish) currently translated at 98.7% (705 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/tr/ - - - - - f0d8f936 by Piotr Dr?g at 2023-06-23T14:51:04+02:00 po: update translations (Polish) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/ - - - - - 8d3acd3b by Elena Mishina at 2023-06-23T14:51:04+02:00 po: update translations (Russian) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ru/ - - - - - d95212b2 by Ludek Janda at 2023-06-23T14:51:04+02:00 po: update translations (French) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/fr/ - - - - - 4f469c0b by Ludek Janda at 2023-06-23T14:51:04+02:00 po: update translations (Japanese) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ja/ - - - - - c40d183c by Ludek Janda at 2023-06-23T14:51:04+02:00 po: update translations (Chinese (Simplified) (zh_CN)) currently translated at 100.0% (714 of 714 strings) Translation: SSSD/SSSD-2-9 Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/zh_CN/ - - - - - 7f6c10dc by Pavel B?ezina at 2023-06-23T14:54:07+02:00 pot: update pot files - - - - - 256e013a by Madhuri Upadhye at 2023-06-23T15:02:55+02:00 Test: Test search filter specific user override or a specific group 
override Add automation of BZ2096183. verifies: #6671 Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Alejandro L?pez <allopez at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> (cherry picked from commit 377ec31a8cab5ecf33c216583e552ea5684157dc) - - - - - 301e5b38 by Madhuri Upadhye at 2023-06-23T15:03:00+02:00 Tests: When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stop working When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stop working Automation of BZ2170720 Verifies: #6759 Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com> Reviewed-by: Alejandro L?pez <allopez at redhat.com> Reviewed-by: Jakub V?vra <jvavra at redhat.com> (cherry picked from commit 57499ff6571a8ca3d8bf2b7d19ec6b14100504c0) - - - - - dc8d649b by Pavel B?ezina at 2023-06-23T15:26:13+02:00 Release sssd-2.9.1 - - - - - 47d04812 by Timo Aaltonen at 2023-06-26T23:37:54+03:00 Merge branch 'upstream' - - - - - dac9d5dc by Timo Aaltonen at 2023-06-26T23:38:16+03:00 version bump - - - - - 30 changed files: - debian/changelog - po/fr.po - po/ja.po - po/ka.po - po/ko.po - po/pl.po - po/ru.po - po/tr.po - po/uk.po - po/zh_CN.po - src/db/sysdb.c - src/db/sysdb.h - src/db/sysdb_ops.c - src/db/sysdb_search.c - src/man/Makefile.am - src/man/po/sssd-docs.pot - src/passkey_child/passkey_child.h - src/passkey_child/passkey_child_common.c - src/passkey_child/passkey_child_credentials.c - src/providers/ad/ad_gpo.c - src/providers/ad/ad_subdomains.c - src/providers/data_provider_fo.c - src/providers/fail_over.c - src/providers/fail_over.h - src/providers/ipa/ipa_auth.c - src/providers/ipa/ipa_common.h - src/providers/ipa/ipa_config.c - src/providers/ipa/ipa_netgroups.c - src/providers/ipa/ipa_opts.c - src/providers/ipa/ipa_s2n_exop.c The diff was not included because it is too large. 
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/ff5ca0bb7153fc824e5ec649252137b1faa0a043...dac9d5dcbfa7a9cffe3e8c22854d358625a4b8eb

You're receiving this email because of your account on salsa.debian.org.

From gitlab at salsa.debian.org Mon Jun 26 21:39:17 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Mon, 26 Jun 2023 20:39:17 +0000
Subject: [Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 57 commits: FILE WATCH: Callback not executed on link or relative path
Message-ID: <6499f775250df_136f8837dcbcac4523363@godard.mail>

Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd

Commits:
eb43c240 by Alejandro López at 2023-05-15T11:21:58+02:00
FILE WATCH: Callback not executed on link or relative path

When the watched file was a symbolic link or was a relative path, the callback was not executed because the filename comparison was wrongly considering the files to be different. The solution is to normalize the filenames before comparing them. This cannot be easily done at setup because the file could not exist at that moment.

The test was adapted to check this situation.

Resolves: https://github.com/SSSD/sssd/issues/6718

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)

- - - - -
0c6f4926 by Alejandro López at 2023-05-15T11:21:58+02:00
TESTS: Fix double slash comments

Use /* */ instead of //.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 90c5490723e82bdf633900f67a424b53cd50112f)

- - - - -
d104c01f by Sumit Bose at 2023-05-15T11:22:50+02:00
sysdb: fix string comparison when checking for overrides

When checking if the input group-name is the original name from AD or an overwritten one the comparison is currently done case sensitive. Since AD handles names case-insensitive and hence SSSD should do this as well, this comparison might cause issues.

The patch replaces the case sensitive comparison with a comparison which respects the case_sensitive of the domain the object is coming from.

Resolves: https://github.com/SSSD/sssd/issues/6720

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 01d02794e02f051ea9a78cd63b30384de3e7c9b0)

- - - - -
425d88fa by Iker Pedrosa at 2023-05-15T11:25:39+02:00
passkey: write mapping data to file

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 906a677c959f4a28dd95775b0d9399dd9e48f1e0)

- - - - -
15dd3545 by Alexey Tikhonov at 2023-05-19T13:22:53+02:00
MAN: fix issue with multithread build

When 'make' runs using multiple threads it can build several man pages in parallel, executing the same '.5.xml.5:' rule. This can result in a race condition where multiple threads access the same 'sssd_user_name.include' file.

To avoid this make the 'sssd_user_name.include' file a rule dependency. But "Suffix rules cannot have any prerequisites of their own", and suffix rules are obsolete anyway, so change it to pattern rules.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit df8472ccb20e0b77573b5c3e8cc25803bc7b0022)

- - - - -
6d060818 by Madhuri Upadhye at 2023-05-19T16:16:09+02:00
Tests: Gating fixes for RHEL8.9 and RHEL9.3

The following three minor changes are:

for test_config_validation.py,
1. 'sssctl config-check' returning returncode as 1 when we don't have an sssd.conf file.
2. Change the 'sssctl' command which only checks the non-default snippet directory with option -s.

for test_offline.py,
3. Add an extra restart of sssd to get the offline log message using the journalctl command.

for test_ssh_
4. Replace pexpect_ssh with the auth_from_client method to login the user.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 2965db1cce2d9c79e58626834f96f0283d26cfff)

- - - - -
60806f59 by Shridhar Gadekar at 2023-05-22T09:23:25+02:00
Tests: move unstable default_debug to tier2

moved default debug level tests to tier2

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 535a8c6a749a96e23510a26eceb5953b99f41cde)

- - - - -
de75ff3c by aborah at 2023-05-22T09:23:51+02:00
Tests: Fix gating tests for 9.3

It fixes tests from tier1_2 that are failing in gating

1. src/tests/multihost/alltests/test_automount.py there is an issue with autofs, email thread: [CRASH] prep Package: autofs-1:5.1.7-36.el9
2. src/tests/multihost/alltests/test_automount_from_bash.py test did not raise an error as the last cd - command was successful, so I have removed the cd - part (/folder1/folder2/projects does not exist)
3. src/tests/multihost/alltests/test_ldap_password_policy.py password provided was wrong.
4. src/tests/multihost/alltests/test_backtrace.py --- need to modify this test as per current log format

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 2096f45527d4513ae52547fafd383bd2542d7f79)

- - - - -
33f10c4a by Dan Lavu at 2023-05-23T12:54:32+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 69f93bf817706acb7830428fd81d78dc207468c0)

- - - - -
270f0ba0 by Justin Stephenson at 2023-05-25T10:20:24+02:00
Passkey: Adjust IPA passkey config error log level

IPA passkey configuration may not be retrieved if IPA does not contain passkey support. Lower the error level of log messages associated with this failure.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fe751c316c631240311fba62409f2b6a38be0d50)

- - - - -
16275d9b by Justin Stephenson at 2023-05-25T10:20:24+02:00
IPA: Log missing IPA config data on default level

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fa326be9cb29d97d6000e783b02656f60f7f8fb2)

- - - - -
e5dfa2a8 by Sumit Bose at 2023-05-25T10:21:11+02:00
AD: add missing AD_AT_DOMAIN_NAME for sub-domain search

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 39b6337f32b76842be65802b0b0aa86050c8aa95)

- - - - -
2466310e by Jakub Vavra at 2023-05-25T16:12:26+02:00
Tests: Modify expiring/expired password test for RHEL 8.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4d2cf0b6 by Sumit Bose at 2023-05-26T12:53:52+02:00
krb5: make sure sockets are closed on timeouts

If krb5_child runs into a timeout the backend currently does not close the I/O sockets because handle_child_done() is not called when the timeout handlers are acting. To make sure the signal handler can close the sockets the 'in_use' member of struct child_io_fds is set to 'false'.

Resolves: https://github.com/SSSD/sssd/issues/6744

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 455611952f90ed0cefaff1e840623ea14ac06be1)

- - - - -
a74d42df by Shridhar Gadekar at 2023-05-26T12:55:14+02:00
Tests: fix default debug level for typo

modified docstrings

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 11eef225c452982877ff26b7984d0351de41da87)

- - - - -
58855b71 by Alejandro López at 2023-05-26T12:58:28+02:00
SYSDB: Make enum sysdb_obj_type public

Make enum sysdb_obj_type usable outside of sysdb_ops.c.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 1d69fdb73e5cbaf9789fbb153fa2bc55644e5ec1)

- - - - -
3eb4c4a7 by Alejandro López at 2023-05-26T12:58:28+02:00
IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP

The previous filter for overrides would sometimes find more than one entry because it was looking for a uidNumber or gidNumber:

(&(objectClass=ipaOverrideAnchor)(|(uidNumber=XXXX)(gidNumber=XXXX)))

The new filter looks for a specific user override or a specific group override:

(|(&(objectClass=ipaUserOverride)(uidNumber=XXXX))
  (&(objectClass=ipaGroupOverride)(gidNumber=XXXX)))

This filter could return two override entries (one for a group and one for a user). That case must be taken into consideration and discard the user override in favor of the group override.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 99d0ab82e98a8f1e3cab23d871f36b9d890e034c)

- - - - -
0192c1c8 by Jakub Vavra at 2023-05-29T06:54:01+02:00
Tests: Add conditional skip for simple ifp test.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 469905bfabdda66555bd179eb7b6ac7b3cd875d1)

- - - - -
6239f50f by Alejandro López at 2023-06-05T11:27:57+02:00
PAM: Fix a possible segmentation fault

Calls to add_expired_warning(struct pam_data *pd, long exp_time) must provide a non-NULL pd. In one of the cases this function is called without checking that pd is not NULL. We here fix that.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 7f28816479c694ff95939e3becfbcd43423a5744)

- - - - -
f63a54c3 by Sumit Bose at 2023-06-05T11:28:59+02:00
fail_over: protect against a segmentation fault

A missing server name in struct fo_server will cause a segmentation fault. Currently it is unclear why the server name is missing at this point. To avoid the segmentation fault it is checked beforehand if the server name is missing. Additionally the state of some internal structures is added to the debug logs to help debugging why the server name is missing.

Resolves: https://github.com/SSSD/sssd/issues/6659

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 8a8869994745429b3f5535a5d0b91f1d0b2fa723)

- - - - -
b9a0b424 by aborah at 2023-06-08T07:56:29+02:00
Tests: Netgroups do not honor entry cache nowait percentage

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L280

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 75ae9e87a264b17dac45f798fb7b4ba7057fc494)

- - - - -
74c6fefe by Shridhar Gadekar at 2023-06-08T07:58:25+02:00
Tests: move test_access_control.py to tier2

Tests moved to tier2, tests are failing to parse the logs. gating is blocked. same testsuite is available in bash

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 587cd8dc2004adfd6c6aab4ef928ef2d89ae3f94)

- - - - -
6125efe1 by Shridhar Gadekar at 2023-06-12T09:34:04+02:00
Tests: Adding c-ares markers for related tests removing flaky ones

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 27dd3f508b23ae61c757cce6c5b9ca303d7aaf09)

- - - - -
d9749ba1 by Alexey Tikhonov at 2023-06-12T11:17:37+02:00
RESPONDER: avoid log backtrace in case access denied

Resolves: https://github.com/SSSD/sssd/issues/6442

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 076a1136ab8650d962c5a462cbed82bd96ba176a)

- - - - -
640f4158 by Pavel Březina at 2023-06-12T11:49:29+02:00
ipa: correctly remove missing attributes on netgroup update

When a netgroup is updated, previously it did not remove the missing attributes. This caused an issue especially when a member was removed.

Resolves: https://github.com/SSSD/sssd/issues/6652

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b033b0dda972e885f63234aa81dca317c8234c2c)

- - - - -
4b0683bd by Alejandro López at 2023-06-12T20:43:25+02:00
AD: The shortcut must be used equally on _send() and _done()

The conditions to use the shortcut in sdap_ad_tokengroups_initgroups_send() were modified without also changing sdap_ad_tokengroups_initgroups_done(). To avoid future problems like this, and because the condition is becoming more complex to evaluate, we evaluate the condition in the _send() function and keep the result in the state, for the _done() function to use it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit dc9466e7371b98bc972ae2b3521f163f31a59a84)

- - - - -
e4e8e344 by Madhuri Upadhye at 2023-06-13T12:13:58+02:00
Tests: Add package for tc command

Adding package iproute-tc to get the tc command.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 9c50b8ec14f0e167c937446a64213ef59eaa96ef)

- - - - -
02b158ff by Shridhar Gadekar at 2023-06-13T12:18:44+02:00
Test: dropping unstable dyndns tests

Dropping unstable dyndns tests from c-ares gating

(cherry picked from commit 6efb2779b79b86121f50852416e3ae63feac31a0)

- - - - -
bb64f2cd by aborah at 2023-06-15T10:25:11+02:00
Tests: Skip test_0001_bz2021196

The test is unstable on other architectures so it is skipped for now.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit d14be798bdebcc3587769c2406ee025340cf5162)

- - - - -
58a007de by Jakub Vavra at 2023-06-15T10:26:56+02:00
Tests: Skip test_0016_ad_parameters_ad_hostname_valid on other architectures.

The test is unstable on other architectures so it is skipped for now.
Reordered the asserts so we can seed if the connection to AD works as looking for log message has a lower priority. Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com> (cherry picked from commit 3e3d098646f7cae90857f9a92348aff14fd65429) - - - - - 19fecbf1 by Jakub Vavra at 2023-06-16T13:22:09+02:00 Tests: Improve stability of test_0004_bz2110091 Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com> (cherry picked from commit 54903c0e38f534bd48f890658b55c626431dd6d5) - - - - - 05bc18ce by aborah at 2023-06-19T06:03:54+00:00 Tests: Add ssh module that is fast, reliable, accurate Sssd tests seems to be failing with current ssh module without any reason. Reviewed-by: Jakub V?vra <jvavra at redhat.com> Reviewed-by: Scott Poore <spoore at redhat.com> (cherry picked from commit 34dba5a3836a121a6485ec71ffc7234cd5ec24c0) - - - - - 895d194f by Sumit Bose at 2023-06-19T20:41:10+02:00 ldap: return failure if there are no grace logins left If a user's password is expired while changing the LDAP password SSSD tries to change the password even if the initial bind of the user failed due to exhausted grace logins. With this patch the change password request will be aborted if the bind fails indicating that there are no grace logins left. Resolves: https://github.com/SSSD/sssd/issues/6768 Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> (cherry picked from commit d99aa97dae7236fd056e21ea3d48997edf1b9823) - - - - - 5008f0f9 by Sumit Bose at 2023-06-19T20:45:47+02:00 ad: use sAMAccountName to lookup hosts To determine which GPOs apply to the host running SSSD the full DN of the host object in AD is needed. To fine this object we use the NetBIOS name of the host which is stored in AD in the sAMAccountName attribute. Using other attributes, e.g. if ldap_user_name is set to a different attribute, will most probably cause a failure since those attributes are not managed as expected for host object. 
As a result sAMAccountName should be hardcoded here to avoid issues. Resolves: https://github.com/SSSD/sssd/issues/6766 Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Justin Stephenson <jstephen at redhat.com> (cherry picked from commit 67c11c2ebae843f7ddd6b857efa2e1f6449986f3) - - - - - 5711bb25 by Pavel B?ezina at 2023-06-19T20:48:03+02:00 cache_req: remove unused field cache_behavior from state This field is not used anywhere. Instead, we use value from struct cache_req. Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> (cherry picked from commit 8b014bf1592454520ef6d113be9a5f1fd02e1285) - - - - - bc5fe9eb by Pavel B?ezina at 2023-06-19T20:48:03+02:00 cache_req: fix propagation of offline status with cache_first = true During the first iteration where the provider was not yet contacted, we set state->dp_success to false and if the record was not found we returned ERR_OFFLINE instead of ENOENT which causes the cache_req to continue and search the provider. Resolves: https://github.com/SSSD/sssd/issues/6739 Reviewed-by: Alexey Tikhonov <atikhono at redhat.com> Reviewed-by: Tom?? Halman <thalman at redhat.com> (cherry picked from commit 32f578229d38766b208f33130e28317ca69001d2) - - - - - d3c3408e by Alexey Tikhonov at 2023-06-21T15:24:04+02:00 SYSDB: in case (ignore_group_members == true) group is actually complete Example workflow: - SSSD client is enrolled into AD domain (Token-Groups are enabled) - `id $user` is executed - initgroups() is called for this user - during processing of initgroups() sssd_be obtains a list of group SIDs user is a member of, and then partially resolves those groups and adds it to the local cache as "incomplete" (i.e. 'expired') - as a next step `id` calls getgrnam() for every group in initgroups() list - since groups are saved into the cache as "incomplete" (technically - "expired") this again results in LDAP search of this group. 
But if `ignore_group_members = true` this search doesn't provide new information. "Incomplete" groups could be used instead. Reviewed-by: Pavel B?ezina <pbrezina at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b) - - - - - 50922242 by Alejandro L?pez at 2023-06-23T14:47:38+02:00 TEST: Fix pam-srv-tests to correctly treat the test name Test suite pam-srv-tests accepts a test name as the last argument to just run that test. However, this was failing because a pointer to the name is retrieved but the poptContext is freed immediately after, making pointer invalid. The poptContext is now released after using the pointer. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit ca7c9f6066d150c1a88bda6bda2843f244e5289d) - - - - - 228183bf by Alejandro L?pez at 2023-06-23T14:47:38+02:00 IPA: Do not try to add duplicate values to the LDAP attributes When using extra attributes, an attribute could be listed twice and SSSD will try to add it twice to the cache. To handle this situation, each instance will be added to a single attribute with multiple values, but duplicated values will be dropped. This is done by calling `sysdb_attrs_add_val_safe()` instead of `sysdb_attrs_add_val()`. Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com> Reviewed-by: Sumit Bose <sbose at redhat.com> (cherry picked from commit dc508f032904f008714418509a13f79a17660659) - - - - - 42cf3c41 by Alejandro L?pez at 2023-06-23T14:47:38+02:00 UTIL: New function string_in_list_size() Similar to string_in_list() but instead of taking a NULL-terminated list it take a list and its size. 
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1b45f29f459f13173af99e75b4bb43ed945680aa)

- - - - -

010e61ff by Alejandro López at 2023-06-23T14:47:38+02:00
UTIL: add_strings_lists() becomes add_strings_lists_ex()

Old function add_strings_lists() copies any duplicate value. New function add_strings_lists_ex() takes an argument to decide whether to discard duplicate values. add_strings_lists() is now a wrapper on add_strings_lists_ex().

Both functions now take a const char *** instead of char ** as output parameter.

An existing test was adapted and a new one added.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2b8fed59140e32f7a8fa9bafe9e84b8db96d1ae5)

- - - - -

bfc88dc3 by Alejandro López at 2023-06-23T14:47:38+02:00
RESPONDER: attr_in_list() is replaced by string_in_list_size()

Both functions do the same thing, so it is useless to have them both. attr_in_list() has, however, a more descriptive name for its use in this module, so we'll keep it as an inlined wrapper.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit de258f011b9c6fc97e9157435cd2845be1c5d0e0)

- - - - -

355b0c2e by Alejandro López at 2023-06-23T14:47:38+02:00
IPA: Do not duplicate the entry attributes.

The extra attributes are concatenated to other required attributes for some operations. In some cases the attribute list ends up having duplicate attributes, either because accidentally the user added it twice to the ldap_user_extra_attrs list, or one or more of those attributes are also in the required list.

Removing the duplicates each time the lists are concatenated increases the concatenation time. And this is done every time. So we try to concatenate the attribute lists at start up, filtering duplicates, and use that list.

To do that, we consider the two cases where the list concatenation is done. In one of the cases, the added attributes are a subset of the other list. So we factorized this list to add the common attributes to the list at start up. Only the non-common attributes are added while serving a request. The complete list is now stored in the `full_attribute_list` field.

An existing test suite was adapted to this new situation as it now needs to initialize the new field.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b50415978d2f0fad3291d86e0a5340be7ab90528)

- - - - -

aa061594 by ??? at 2023-06-23T14:51:04+02:00
po: update translations (Korean)

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

- - - - -

abce376c by Yuri Chornoivan at 2023-06-23T14:51:04+02:00
po: update translations (Ukrainian)

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/uk/

- - - - -

a94f39f0 by Temuri Doghonadze at 2023-06-23T14:51:04+02:00
po: update translations (Georgian)

currently translated at 8.1% (58 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ka/

- - - - -

8e80798d by ??? at 2023-06-23T14:51:04+02:00
po: update translations (Korean)

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/

- - - - -

d37d72f0 by Kemal Oktay Aktoğan at 2023-06-23T14:51:04+02:00
po: update translations (Turkish)

currently translated at 98.7% (705 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/tr/

- - - - -

f0d8f936 by Piotr Drąg at 2023-06-23T14:51:04+02:00
po: update translations (Polish)

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/pl/

- - - - -

8d3acd3b by Elena Mishina at 2023-06-23T14:51:04+02:00
po: update translations (Russian)

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ru/

- - - - -

d95212b2 by Ludek Janda at 2023-06-23T14:51:04+02:00
po: update translations (French)

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/fr/

- - - - -

4f469c0b by Ludek Janda at 2023-06-23T14:51:04+02:00
po: update translations (Japanese)

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ja/

- - - - -

c40d183c by Ludek Janda at 2023-06-23T14:51:04+02:00
po: update translations (Chinese (Simplified) (zh_CN))

currently translated at 100.0% (714 of 714 strings)

Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/zh_CN/

- - - - -

7f6c10dc by Pavel Březina at 2023-06-23T14:54:07+02:00
pot: update pot files

- - - - -

256e013a by Madhuri Upadhye at 2023-06-23T15:02:55+02:00
Test: Test search filter specific user override or a specific group override

Add automation of BZ2096183.

verifies: #6671

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 377ec31a8cab5ecf33c216583e552ea5684157dc)

- - - - -

301e5b38 by Madhuri Upadhye at 2023-06-23T15:03:00+02:00
Tests: When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stops working

When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stops working

Automation of BZ2170720

Verifies: #6759

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 57499ff6571a8ca3d8bf2b7d19ec6b14100504c0)

- - - - -

dc8d649b by Pavel Březina at 2023-06-23T15:26:13+02:00
Release sssd-2.9.1

- - - - -

30 changed files:

- po/fr.po
- po/ja.po
- po/ka.po
- po/ko.po
- po/pl.po
- po/ru.po
- po/tr.po
- po/uk.po
- po/zh_CN.po
- src/db/sysdb.c
- src/db/sysdb.h
- src/db/sysdb_ops.c
- src/db/sysdb_search.c
- src/man/Makefile.am
- src/man/po/sssd-docs.pot
- src/passkey_child/passkey_child.h
- src/passkey_child/passkey_child_common.c
- src/passkey_child/passkey_child_credentials.c
- src/providers/ad/ad_gpo.c
- src/providers/ad/ad_subdomains.c
- src/providers/data_provider_fo.c
- src/providers/fail_over.c
- src/providers/fail_over.h
- src/providers/ipa/ipa_auth.c
- src/providers/ipa/ipa_common.h
- src/providers/ipa/ipa_config.c
- src/providers/ipa/ipa_netgroups.c
- src/providers/ipa/ipa_opts.c
- src/providers/ipa/ipa_s2n_exop.c
- src/providers/ipa/ipa_selinux.c

The diff was not included because it is too large.
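The add_strings_lists_ex() and "IPA: Do not duplicate the entry attributes" commits above describe concatenating two attribute lists while optionally dropping duplicates, so the dedup cost is paid once at start-up rather than on every request. The following is an added stand-alone model of that behaviour, not SSSD's own code: SSSD's version is talloc-based and its exact signature is not shown in this mail, so the signature, the malloc-based ownership and the sample attribute lists are assumptions.

```c
/* Added example modelling add_strings_lists_ex(): not SSSD's code.
 * Signature and malloc ownership are assumptions; pointers are shared
 * with the input lists, not copied. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Number of entries in a NULL-terminated list (NULL list counts as empty). */
static size_t list_len(const char **l)
{
    size_t n = 0;
    while (l != NULL && l[n] != NULL) n++;
    return n;
}

/* True if 'needle' already appears among the first 'n' entries of 'l'. */
static bool in_list(const char **l, size_t n, const char *needle)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(l[i], needle) == 0) return true;
    return false;
}

/* Concatenate l1 and l2 into a newly allocated NULL-terminated list.
 * With skip_dups, a value already present (from either list, e.g. an
 * attribute listed twice in ldap_user_extra_attrs or already in the
 * required set) is not added again. Returns 0 or an errno value;
 * the caller frees *_out. */
int add_strings_lists_ex(const char **l1, const char **l2,
                         bool skip_dups, const char ***_out)
{
    size_t n1 = list_len(l1), n2 = list_len(l2), n = 0;
    const char **out = calloc(n1 + n2 + 1, sizeof(*out));
    if (out == NULL) return ENOMEM;

    const char **srcs[2] = { l1, l2 };
    for (int s = 0; s < 2; s++) {
        for (size_t i = 0; srcs[s] != NULL && srcs[s][i] != NULL; i++) {
            if (skip_dups && in_list(out, n, srcs[s][i])) continue;
            out[n++] = srcs[s][i];
        }
    }
    out[n] = NULL;
    *_out = out;
    return 0;
}
```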
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/6c184c476e9ef189752a07961523ce4968b922e6...dc8d649bc1a79886a22a059f2618d985ab8c7931

From owner at bugs.debian.org Wed Jun 28 07:39:06 2023
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 28 Jun 2023 06:39:06 +0000
Subject: [Pkg-sssd-devel] Bug#1032055: marked as done (sssd: dtrace temp file makes build unreproducible)
References: <3780139d-4346-e5e0-4f0d-5cd269163e19@svario.it> <6af2ac7b-a35a-acc3-5265-807ee6f7cffe@svario.it>
Message-ID:

Your message dated Wed, 28 Jun 2023 08:28:05 +0200 with message-id <3780139d-4346-e5e0-4f0d-5cd269163e19 at svario.it> and subject line Re: Bug#1032055: sssd: dtrace temp file makes build unreproducible has caused the Debian Bug report #1032055, regarding sssd: dtrace temp file makes build unreproducible to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
1032055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032055
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

An embedded message was scrubbed...
From: Gioele Barabucci
Subject: sssd: dtrace temp file makes build unreproducible
Date: Mon, 27 Feb 2023 08:18:27 +0100
Size: 3198

An embedded message was scrubbed...
From: Gioele Barabucci
Subject: Re: Bug#1032055: sssd: dtrace temp file makes build unreproducible
Date: Wed, 28 Jun 2023 08:28:05 +0200
Size: 2663