[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 92 commits: Test: Dropping the assertion of ssh from analyzer list
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Mon May 20 14:40:01 BST 2024
Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd
Commits:
b1e8c210 by shridhargadekar at 2024-01-16T08:20:22+01:00
Test: Dropping the assertion of ssh from analyzer list
minor edit
Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit 2b222dd30f442d98bd1d9b308bdb60bf37a0b319)
- - - - -
9490f256 by Jakub Vavra at 2024-01-16T10:07:21+01:00
Tests: Add single retry for realm leave
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 684d18b4b6803e2e397d2c72f45cb860ef9c89bc)
- - - - -
bfcb2727 by dependabot[bot] at 2024-01-16T13:21:34+01:00
build(deps): bump actions/download-artifact from 3 to 4
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v3...v4)
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 3922f4d79b2b3ab0c77ec89989dece896df67274)
- - - - -
32390d0b by dependabot[bot] at 2024-01-16T13:22:02+01:00
build(deps): bump github/codeql-action from 2 to 3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit f5f5d83f78544785fbd11d39133ceedcb9f59f5d)
- - - - -
aa63f777 by dependabot[bot] at 2024-01-16T13:22:31+01:00
build(deps): bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 35ef26b627c8ec8737689ab4044fb6b2836e460f)
- - - - -
50077c32 by Sumit Bose at 2024-01-19T16:35:52+01:00
pam: fix SC auth with multiple certs and missing login name
While introducing the local_auth_policy option a quite specific use-case
was not covered correctly. If there are multiple matching certificates
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
mode was used for login, i.e. there is no user name given and the user
has to be derived from the certificate used for login, authentication
failed. The main reason for the failure is that in this case the
Smartcard interaction and the user mapping have to be done first to
determine the user before local_auth_policy is evaluated. As a result
when checking if the authentication can be finished the request was in
an unexpected state because the indicator for local Smartcard
authentication was not enabled.
Resolves: https://github.com/SSSD/sssd/issues/7109
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 44ec3e4638b0c6f7f45a3390a28c2e8745d52bc3)
- - - - -
18150374 by Pavel Březina at 2024-01-23T14:15:08+01:00
krb5_child: fix order of calloc arguments
```
/shared/workspace/sssd/src/providers/krb5/krb5_child.c: In function _create_empty_cred_:
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: error: _calloc_ sizes specified with _sizeof_ in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
1317 | cred = calloc(sizeof(krb5_creds), 1);
| ^~~~~~~~~~
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: note: earlier argument should specify number of elements, later size of each element
```
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 7076c5bb2a8a8346a1094993179085a098bf67b6)
- - - - -
33bb96fe by Andre Boscatto at 2024-01-23T14:16:14+01:00
man: improving documentation about username and email
Resolves: https://github.com/SSSD/sssd/issues/7136
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit b3124173d8b33b3cea275f1cc08e1a202d7ba72c)
- - - - -
33cce291 by Jakub Vavra at 2024-01-24T11:34:02+01:00
Tests: Set ciphers for kerberos
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2fa6ec2cc6f33db28397859b1d901c41be3194fe)
- - - - -
ae2f5e91 by Jakub Vavra at 2024-01-24T12:59:20+01:00
Tests: Add pytest.ini with marker converted to basic suite
Fix "PytestUnknownMarkWarning: Unknown pytest.mark.converted - is this a typo?"
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit ef581c971e04c7e7698a2f402ba7b961ccee9892)
- - - - -
28c41415 by Jakub Vavra at 2024-01-24T13:44:14+01:00
Tests: Fix OsError in test_kcm_debug_level_set
Resolve "OSError: File '/var/log/sssd/sssd_kcm.log' could not be read"
by catching and handling this exception as well.
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 998503210b2644dda35091ce87531d3ee31a94b4)
- - - - -
39ea88c2 by Jakub Vavra at 2024-01-30T18:04:28+01:00
CI: Add sssd testlib to pythonpath for prci multihost
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 1358f417ab26b4a825e99cc8e5566d21d3f37ccf)
- - - - -
1c3664d3 by Justin Stephenson at 2024-01-30T18:54:05+01:00
Tests: Python black formatting fixes
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 1bacf49850c482de44269db86d25d3b0161e69a7)
- - - - -
343ff2de by Günther Deschner at 2024-02-01T19:36:36+01:00
Fix the build with Samba 4.20
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1bf51929a48b84d62ac54f2a42f17e7fbffe1612)
- - - - -
e3d0f0d7 by Alexey Tikhonov at 2024-02-09T15:10:26+01:00
IFP: don't trigger backtrace in case of ACL check fail
Avoid
```
* (2024-02-03 17:39:37): [ifp] [ifp_access_check] (0x0080): User 1000 not in ACL
* (2024-02-03 17:39:37): [ifp] [sbus_check_access] (0x0400): org.freedesktop.sssd.infopipe.Users.FindByName: permission denied for sender :1.290 with uid 1000
* (2024-02-03 17:39:37): [ifp] [sbus_issue_request_done] (0x0040): org.freedesktop.sssd.infopipe.Users.FindByName: Error [13]: Permission denied
```
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2ef0f838e189c4dfe666a3b1c61692e8e2c35e45)
- - - - -
a7621a5b by Sumit Bose at 2024-02-09T15:11:05+01:00
sdap: add search_bases option to groups_by_user_send()
AD handles users and computer objects very similarly and so does SSSD's
GPO code when looking up the host's group-memberships. But users and
computers might be stored in different sub-trees of the AD LDAP tree and
if a dedicated user search base is given with the ldap_user_search_base
option in sssd.conf the host object might be in a different sub-tree. To
make sure the host can still be found this patch uses the base DN of
the LDAP tree when searching for hosts in the GPO code.
Resolves: https://github.com/SSSD/sssd/issues/5708
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 29a77c6e79020d7e8cb474b4d3b394d390eba196)
- - - - -
6a8e60df by Sumit Bose at 2024-02-09T15:11:05+01:00
sdap: add naming_context as new member of struct sdap_domain
The naming_context could be a more reliable source than basedn for the
actual base DN because basedn is set very early from the domain name
given in sssd.conf. Although it is recommended to use the fully
qualified DNS domain name here it is not required. As a result basedn
might not reflect the actual base DN of the LDAP server. Also pure LDAP
servers (i.e. not AD or FreeIPA) might use different schemes to set the
base DN which will not be based on the DNS domain of the LDAP server.
Resolves: https://github.com/SSSD/sssd/issues/5708
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
- - - - -
dd0f6324 by Andre Boscatto at 2024-02-09T19:10:48+01:00
sssd: adding mail as case insensitive
Resolves: https://github.com/SSSD/sssd/issues/7173
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 945cebcf72ef53ea0368f19c09e710f7fff11b51)
- - - - -
a453f962 by Sebastian Andrzej Siewior at 2024-02-12T09:40:16+01:00
tests: Drop -extensions from openssl command if there is no -x509
The 'openssl req' ignores the '-extensions' option without '-x509'.
OpenSSL versions prior to 3.2 simply ignored it. Starting with version 3.2
an error is generated:
| /usr/bin/openssl req -batch -config
| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config
| -new -nodes -key
| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem
| -sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem
| Error adding request extensions from section v3_ca
| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
|
Remove the '-extensions' option.
Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 32b72c7c3303edb2bf55ae9a22e8db7855f3d7d1)
- - - - -
631c599b by shridhargadekar at 2024-02-13T13:07:58+01:00
Tests: sssctl_analyze diff location
Corrected the log assertions for 'id' command
passed to the sssctl analyze <>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 2176b7d84aee0be58d018862cfa08c00cd6a1aac)
- - - - -
8bf31924 by Sumit Bose at 2024-02-14T11:30:39+01:00
sss-client: handle key value in destructor
When the pthread key destructor is called the key value is already set
to NULL by the caller. As a result the data stored in the value can only
be accessed by the first argument passed to the destructor and not by
pthread_getspecific() as the previous code did.
Resolves: https://github.com/SSSD/sssd/issues/7189
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b439847bc88ad7b89f0596af822c0ffbf2a579df)
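
The pthread behaviour the commit message above describes, as an added C example (not SSSD's code and not part of the commit): the destructor records what `pthread_getspecific()` returns while it runs and releases the state through its argument instead. `struct thread_state`, `STATE_MAGIC` and the function names are hypothetical.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#define STATE_MAGIC 0x53535344u /* constructed marker value */

/* Hypothetical per-thread state; not SSSD's actual structure. */
struct thread_state {
    unsigned int magic;
    char *scratch;
};

/* What the destructor observed, reported back to the caller. */
struct destructor_report {
    int getspecific_was_null; /* pthread_getspecific() gave NULL in the destructor */
    int arg_was_state;        /* the destructor argument pointed at our state */
    int frees;                /* number of states released */
};

static pthread_key_t state_key;
static struct destructor_report report;

/* Key destructor: POSIX sets the key's value to NULL before calling it,
 * so the only handle on the data is the argument. */
static void state_destructor(void *value)
{
    struct thread_state *st = value;

    report.getspecific_was_null = (pthread_getspecific(state_key) == NULL);
    report.arg_was_state = (st != NULL && st->magic == STATE_MAGIC);

    if (st != NULL) {
        free(st->scratch);
        free(st);
        report.frees++;
    }
}

/* Worker thread: stores state under the key and exits, which runs the destructor. */
static void *worker(void *unused)
{
    struct thread_state *st;

    (void)unused;
    st = calloc(1, sizeof(*st));
    if (st == NULL) {
        return NULL;
    }
    st->magic = STATE_MAGIC;
    st->scratch = malloc(64);
    if (st->scratch == NULL || pthread_setspecific(state_key, st) != 0) {
        free(st->scratch);
        free(st);
    }
    return NULL;
}

/* Runs one worker thread and copies the destructor's observations to *out.
 * Returns 0 on success, -1 if the key or the thread could not be created. */
int run_destructor_demo(struct destructor_report *out)
{
    pthread_t tid;

    report = (struct destructor_report){0, 0, 0};
    if (pthread_key_create(&state_key, state_destructor) != 0) {
        return -1;
    }
    if (pthread_create(&tid, NULL, worker, NULL) != 0) {
        pthread_key_delete(state_key);
        return -1;
    }
    pthread_join(tid, NULL); /* destructor has finished once join returns */
    pthread_key_delete(state_key);
    *out = report;
    return 0;
}

int main(void)
{
    struct destructor_report r;

    if (run_destructor_demo(&r) != 0) {
        return 1;
    }
    printf("getspecific NULL in destructor: %d\n", r.getspecific_was_null);
    printf("argument carried the state:     %d\n", r.arg_was_state);
    printf("states freed:                   %d\n", r.frees);
    return 0;
}
```

A destructor that looked the value up with `pthread_getspecific()` would see NULL and release nothing, leaking the per-thread state on every thread exit.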
- - - - -
37025a19 by Tomasz Kłoczko at 2024-02-14T11:31:09+01:00
Bump DocBook DTD version to latest stable 4.5
Signed-off-by: Tomasz Kłoczko <kloczek at github.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4027930598457940e750ec08a27c44bb718e279b)
- - - - -
e1bc03b1 by Jakub Vavra at 2024-02-16T13:21:56+01:00
Tests: Tweak per-test log to de-duplicate output
Deduplicate output between phases so it is not repeated.
(Previous phase output was repeated in the log.)
Fix issue with "/" in test name.
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 3caac5f7b0d1e21f9ae578f1da5324dc272aa441)
- - - - -
566ebfbb by Patrik Rosecky at 2024-02-21T13:43:26+01:00
tests: multihost/basic/test_kcm converted
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e235afee2d5948b268d958374114b60293b101fd)
- - - - -
dd921afa by Jakub Vavra at 2024-02-21T14:31:28+01:00
Tests: Per-test logging: Fix exception on missing call phase.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit e3af77c734242b00ee69e43f0ed6a62ee29bd02e)
- - - - -
2422af6c by lisa at 2024-02-21T14:33:45+01:00
Convert multihost/ad/test_idmap to test_identity
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 9506b7b30e6a39820503f6b778976e64d5e5871c)
- - - - -
31ee5ecc by Sumit Bose at 2024-02-22T16:32:10+01:00
krb5: lower log level in sss_krb5_get_init_creds_password()
sss_krb5_get_init_creds_password() is called only with AD to be able to
get more specific error details and does the basic steps also done by
krb5_get_init_creds_password() from libkrb5. In contrast to the libkrb5
function it will return debug output. Unfortunately the log level
is quite low, i.e. messages are shown with the default debug level, and
the messages are sent to syslog, too. This can get annoying during
SSSD's pre-auth step to determine the available authentication types
since here, no credentials are provided and errors are somewhat expected
but will be ignored by the callers.
This patch increases the log level during SSSD's pre-auth and only sends
messages with the two lowest log levels to syslog.
Resolves: https://github.com/SSSD/sssd/issues/7197
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 409f175f0b38e46991419c67c0aac59284c67cee)
- - - - -
923cb398 by Sumit Bose at 2024-02-22T16:32:10+01:00
krb5: increase log level in map_krb5_error()
The purpose of map_krb5_error() is to translate error codes.
Additionally it will log the errors in case the caller has forgotten to
do it. While this in general makes sense the log level was set to the
second lowest and the message was sent to the system's log as well. This
is a bit too strong and might give a wrong impression about the nature
and importance of the log message. This patch increases the log level
which avoids sending to the syslog as well.
Resolves: https://github.com/SSSD/sssd/issues/7197
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 4f38fd10c85e16dbca3887347499823143a29316)
- - - - -
ee06f2fe by Pavel Březina at 2024-02-23T23:24:10+01:00
tests: fix isort, black and mypy errors
Introduced by https://github.com/SSSD/sssd/pull/7172.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit e9253e0a7008e4146178be4b4914bb1175318424)
- - - - -
f3d96061 by Denis Zlobin at 2024-02-26T11:49:37+01:00
sbus: Fix codegen template for async client
Double semicolon is generated, thus test src/tests/double_semicolon_test
fails for async client source code.
For example, we can generate code for IFP async client.
To do this, add new async interface to src/responder/ifp/ifp_iface/ifp_iface.xml file:
```
<interface name="org.freedesktop.sssd.infopipe.Tests.Test">
    <annotation name="codegen.Test" value="ifp_test" />
    <annotation name="codegen.AsyncCaller" value="true" />
    <property name="name" type="s" access="read" />
</interface>
```
Then make check tests. Test fails with an error:
```
Double semicolon found:
../src/responder/ifp/ifp_iface/sbus_ifp_client_async.c:132: *_value = talloc_steal(mem_ctx, state->out->arg0);;
```
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 11a77e8b887691c4f6fad30b4512ba79bd668ba9)
- - - - -
fa7536d1 by Jakub Vavra at 2024-02-28T11:56:37+01:00
Tests: Add oddjob package to master for multihost/alltests
The package is not pulled automatically as part of deps/packageset
on fedora resulting in subprocess.CalledProcessError: Command
'systemctl restart oddjobd.service' returned non-zero exit status 5.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 20175f4136c664777cefad03a6e62ed726191fea)
- - - - -
a61cc9c9 by Jakub Vavra at 2024-03-06T10:36:31+01:00
Tests: Fix ipa/conftest.py for fedora.
The installation of shadow-utils fails on fedora as it tries to enable CRB repos.
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 0a397c28ddf34da2f7dd6800a4e22bcbe80b646d)
- - - - -
70be3583 by Jakub Jelen at 2024-03-06T10:57:22+01:00
doc: Fix configuration option pam_p11_allowed_services type
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b7da2450a856d25f8332ea0696520c2ddf7aed7f)
- - - - -
23849f75 by Justin Stephenson at 2024-03-06T10:59:08+01:00
krb5: Allow fallback between responder questions
Add support to try the next Preauth type when answering
krb5 questions. Fixes an issue when an IPA user has
both authtype passkey and authtype password set at
the same time.
Resolves: https://github.com/SSSD/sssd/issues/7152
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit c9a333c5215b9ee6080038881a249c329141d0cf)
- - - - -
8d9ae754 by Justin Stephenson at 2024-03-06T10:59:08+01:00
krb5: Add fallback password change support
handle password changes for IPA users with multiple auth types set
(passkey, password)
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 6c1272edf174eb4bdf236dc1ffd4287b71a43392)
- - - - -
55e641fb by Dan Lavu at 2024-03-06T11:00:45+01:00
tests: adding testcase for gh7174 email case insensitivity
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit a80e236b8319f1f0931717debcb093802ba5e2ae)
- - - - -
afe7d8d8 by Jakub Vavra at 2024-03-07T11:31:50+01:00
Tests: Fix hostmap tests not to depend on user-nsswitch.conf
The user-nsswitch.conf was removed in F36+. Tests using it therefore
need fixing to use /etc/nsswitch.conf on Fedora instead.
Fixed indentation of install_nslcd.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 0935ce945253a5888e5e2b0c5509b926786d7362)
- - - - -
c6dda0ef by Jakub Vavra at 2024-03-13T14:30:39+01:00
Tests: refactor sssd.conf backup and restore
SSSD configuration backup and restore code was duplicated in multiple
places; moved to one place so we can more easily change rights and ownership
of the file.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
bebb1507 by Pavel Březina at 2024-03-13T15:40:30+01:00
pam: fix invalid #if condition
ifdef should be used as anywhere else, otherwise we hit a build
error if sssd is being built without passkey.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 603399a43d7bd0b8b6de3b512388b08abb9521ed)
- - - - -
786a4ebf by Pavel Březina at 2024-03-13T15:44:38+01:00
tests: fix isort issue
This issue was introduced in a80e236b8319f1f0931717debcb093802ba5e2ae.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 41cafd63e98e77f326d9bee256eae1b6be1333b0)
- - - - -
16e4b5d4 by Pavel Březina at 2024-03-15T13:03:48+01:00
tests: use different home dir than /tmp for local user
If sssd startup fails for some reason, teardown would call userdel
which would try to delete /tmp.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 3488b9e955057333a965b6d620144d7aaa2ec869)
- - - - -
10c49b1a by Iker Pedrosa at 2024-03-15T13:04:17+01:00
man: fix default value for pam_passkey_auth
The default was changed to true in
c76ba343b783718468a3a108346d424f9a70eb76 ("PAM: Passkey kerberos preauth
support"), but the man page wasn't updated.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 5841348faad8937698bd697fb637ae5dfe9dc2b6)
- - - - -
87a46c32 by dependabot[bot] at 2024-03-15T13:04:47+01:00
build(deps): bump DamianReeves/write-file-action from 1.2 to 1.3
Bumps [DamianReeves/write-file-action](https://github.com/damianreeves/write-file-action) from 1.2 to 1.3.
- [Release notes](https://github.com/damianreeves/write-file-action/releases)
- [Commits](https://github.com/damianreeves/write-file-action/compare/0a7fcbe1960c53fc08fe789fa4850d24885f4d84...6929a9a6d1807689191dcc8bbe62b54d70a32b42)
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 2e1c2f35427c02baf4f9cf521e29552c64dfb4ae)
- - - - -
c1ba9da7 by Abhijit Roy at 2024-03-18T09:27:24+01:00
sssctl: Adding options for nss
Fixing the false positive error reported by config-check
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 3788f48008390194dcd562ba3203c39deb34056a)
- - - - -
57a8fffa by Madhuri Upadhye at 2024-03-21T09:56:00+01:00
Tests: alltests/test_krb5: Replace files provider
Replace files provider with proxy provider.
This test case tests authentication of local user using
kerberos and also update the authselect to select sssd only.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 0b26b6fd1272a825ff537bcb7848a9a687e994c9)
- - - - -
182b6c62 by Alexey Tikhonov at 2024-03-21T10:30:18+01:00
UTILS: inotify: avoid potential NULL deref
Fixes following error:
```
Error: STRING_NULL (CWE-170):
sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.]
sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string.
# 325|
# 326| if (snctx->wctx->dir_wd == in_event->wd) {
# 327|-> ret = process_dir_event(snctx, in_event);
# 328| } else if (snctx->wctx->file_wd == in_event->wd) {
# 329| ret = process_file_event(snctx, in_event);
```
-- it might be unsafe to dereference `in_event->name`
if `in_event->len == 0`
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4085ee07926303aa26e46dfcc6dec87776432c62)
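
The hazard in the Coverity report above, as an added C example (not SSSD's code and not the fix from this commit): a walker over a buffer in the layout `read()` returns from an inotify descriptor that never touches `name` when `len == 0` and rejects names that are not NUL-terminated inside `len`. The sample events are constructed inline; `walk_inotify_buffer`, `put_event` and the `demo_*` helpers are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>

struct walk_stats {
    int named;   /* events that carried a terminated name */
    int unnamed; /* events with len == 0 */
};

/* Walks n bytes of inotify events. Returns 0 on success, -1 on a truncated
 * header, a name running past the buffer, or a name without a NUL. */
int walk_inotify_buffer(const char *buf, size_t n, struct walk_stats *st)
{
    size_t off = 0;

    st->named = 0;
    st->unnamed = 0;
    while (off < n) {
        struct inotify_event ev;

        if (n - off < sizeof(ev)) {
            return -1; /* truncated header */
        }
        memcpy(&ev, buf + off, sizeof(ev)); /* copy: avoids unaligned access */
        off += sizeof(ev);
        if (ev.len > n - off) {
            return -1; /* name would run past the bytes read */
        }
        if (ev.len == 0) {
            st->unnamed++; /* no name bytes follow: name must not be read */
        } else {
            if (memchr(buf + off, '\0', ev.len) == NULL) {
                return -1; /* not a C string within len */
            }
            st->named++;
        }
        off += ev.len;
    }
    return 0;
}

/* Appends one constructed event; the caller keeps strlen(name) <= padded_len. */
size_t put_event(char *buf, size_t off, int wd, uint32_t mask,
                 const char *name, uint32_t padded_len)
{
    struct inotify_event ev;

    memset(&ev, 0, sizeof(ev));
    ev.wd = wd;
    ev.mask = mask;
    ev.len = padded_len;
    memcpy(buf + off, &ev, sizeof(ev));
    off += sizeof(ev);
    if (padded_len > 0) {
        memset(buf + off, 0, padded_len);
        memcpy(buf + off, name, strlen(name));
        off += padded_len;
    }
    return off;
}

/* Constructed sample: one event without a name, one with a padded name. */
size_t build_sample(char *buf)
{
    size_t off = 0;

    off = put_event(buf, off, 1, IN_MODIFY, NULL, 0);
    off = put_event(buf, off, 2, IN_CREATE, "sssd.conf", 16);
    return off;
}

int demo_valid(struct walk_stats *st)
{
    char buf[128];
    size_t n = build_sample(buf);

    return walk_inotify_buffer(buf, n, st);
}

int demo_unterminated(void)
{
    char buf[128];
    struct walk_stats st;
    size_t n = put_event(buf, 0, 2, IN_CREATE, "abcd", 4); /* 4 bytes, no NUL */

    return walk_inotify_buffer(buf, n, &st);
}

int demo_truncated(void)
{
    char buf[128];
    struct walk_stats st;
    size_t n = build_sample(buf);

    return walk_inotify_buffer(buf, n - 4, &st); /* last name cut short */
}

int main(void)
{
    struct walk_stats st;
    int rc = demo_valid(&st);

    printf("valid: rc=%d named=%d unnamed=%d\n", rc, st.named, st.unnamed);
    printf("unterminated: rc=%d\n", demo_unterminated());
    printf("truncated: rc=%d\n", demo_truncated());
    return 0;
}
```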
- - - - -
5b9bc0a1 by Sumit Bose at 2024-03-21T13:45:48+01:00
krb5: add OTP to krb5 response selection
Originally when there was only password and OTP authentication we
checked for password authentication and used OTP as a fallback. This was
continued as other (pre)-authentication types were added. But so far
only one authentication type was returned.
This changed recently to allow the user a better selection and as a
result OTP cannot be handled as a fallback anymore but has to be added
to the selection. In case there are no types (questions) available now
password is used as a fallback.
Resolves: https://github.com/SSSD/sssd/issues/7152
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit bf6cb6dcdd94d9f47e4e74acd51e30f86b488943)
- - - - -
c3725a13 by Sumit Bose at 2024-03-21T13:45:48+01:00
krb5: make sure answer_pkinit() use matching debug messages
Resolves: https://github.com/SSSD/sssd/issues/7152
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 7c33f9d57cebfff80778f930ff0cc3144a7cc261)
- - - - -
87b54bd8 by Sumit Bose at 2024-03-21T13:45:48+01:00
krb5: make prompter and pre-auth debug message less irritating
Resolves: https://github.com/SSSD/sssd/issues/7152
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit e26cc69341bcfd2bbc758eca30df296431c70a28)
- - - - -
d06b4a3e by Sumit Bose at 2024-03-21T13:45:48+01:00
pam_sss: prefer Smartcard authentication
The current behavior is that Smartcard authentication is preferred if
possible, i.e. if a Smartcard is present. Since the Smartcard (or
equivalent) must be inserted manually the assumption is that if the user
has inserted it they most probably want to use it for authentication.
With the latest patches pam_sss might receive multiple available
authentication methods. With this patch the checks for available
authentication types start with Smartcard authentication to mimic the
existing behavior.
Resolves: https://github.com/SSSD/sssd/issues/7152
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0d5e8f11714e8e6cc0ad28e03fecf0f5732528b3)
- - - - -
ea2d0aab by Alexey Tikhonov at 2024-03-25T16:59:30+01:00
INTG-TESTS: backport `sync_files_provider()` from b9c1d7d667d49080c27641fb4a800bd4c2612d43
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
829e868f by Dan Lavu at 2024-04-02T16:14:52+02:00
tests: fixing typo in test_authentication.py
The assertion checks for user_3 but the user added is user-3. The value
is different than the others because we are trying to try different
combinations.
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 795b13c1853a4c402ead5470de29d0f8f68b367a)
- - - - -
b6eae6f0 by Sumit Bose at 2024-04-02T16:15:20+02:00
pam: fix storing auth types for offline auth
Before the recent patches which allow krb5_child to iterate over all
available authentication methods typically only one method was returned.
E.g. if Smartcard authentication (pkinit) was possible it was typically
the first method in the question list and the result of the
answer_pkinit() function was immediately returned. As a result only the
Smartcard authentication type was set and a missing password
authentication type while others were present might have been a
reasonable indicator for the online state.
With the recent patches, all available methods, including password
authentication if available, are returned and a new indicator is needed.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 05df8167963f2e93c1c460b43264ad8050cd4461)
- - - - -
5a1e1526 by Sumit Bose at 2024-04-02T16:15:20+02:00
test: set 'local_auth_policy = only' for all passkey test
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 79c384fb0c41a205b8119f86ef23860c223c853e)
- - - - -
9e62e660 by Jakub Vavra at 2024-04-04T15:08:39+02:00
Tests: Fix test_kcm_ssh_login_creates_kerberos_ticket
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 1c2aa825062dcf2da2e886c3211be90c22db1750)
- - - - -
b87fe4fb by Jakub Vavra at 2024-04-05T07:12:06+02:00
Tests: Move polarion.yaml to src/tests/
The path src/tests is more generic and would make more sense for other
components that share the same idmci automation.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 7c6bc58a10022c6cc0ed516bc0ac5422705cfc91)
- - - - -
c8f78399 by Jakub Vavra at 2024-04-08T08:21:04+02:00
Tests: Update reference to polarion.yaml
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit f30902faa0dcaa857422d48ed85a50abb3928a33)
- - - - -
ed4c9b00 by Andreas Hasenack at 2024-04-10T12:49:09+02:00
Fix format string used for time values
When building for armhf with _TIME_BITS=64, the %lu format string used
to represent time_t values as strings is no longer correct. Switch to
SPRItime which takes into account the time_t size.
Fixes: #7276
Signed-off-by: Andreas Hasenack <andreas.hasenack at canonical.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2b5f1cc4777ba350e8160e970715d1f3d9cd75c2)
- - - - -
925cb2a9 by shridhargadekar at 2024-04-15T07:13:42+02:00
Tests: sudo defaults rule
Changed doc-strings and steps for more clarity
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit fa9f6882bc5181edc404ebedf1ddaf5c92b917a5)
- - - - -
7c57e0f0 by Dan Lavu at 2024-04-16T19:43:44+02:00
tests: audit and rename test cases
manual rebase of 03f68e81d0c7e4ff57f73fdf6e3739389991e446
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
e1bfbc24 by Sumit Bose at 2024-04-18T11:53:47+02:00
ad-gpo: use hash to store intermediate results
Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision if access is granted or rejected.
If there are two or more access-control requests running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will make this decision based on intermediate data.
To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
- - - - -
8dcf23f2 by Alexey Tikhonov at 2024-04-18T11:54:36+02:00
DEBUG: reduce log level in case a responder asks for unknown domain
Addition to 718fed9c53807b8502d6547bc0253b979d35e677
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit ab2671c00866d917f3e737a007ae64753f8440aa)
- - - - -
d55bc6f2 by Jakub Vávra at 2024-04-19T13:44:44+02:00
Tests: Split package installation transactions and add error logging.
Issues in package installation were silently ignored resulting in
debugging failures elsewhere. This also resulted in false PASSED
in case that sssd was not updated due to some dependency problem.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit aacb789b7036946fe5b5c0a971af0122f7528d84)
- - - - -
c0416576 by Abhijit Roy at 2024-04-22T18:03:04+02:00
sdap_idmap: Enabling further debugging to understand the underlying reason for Could not convert objectSID.
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit be8913eb8dc774516beeaaa2306243fce4db14ef)
- - - - -
c9977caf by Madhuri Upadhye at 2024-04-22T18:03:29+02:00
Tests: passkey: Add a ssh key as a passkey mapping
Here, added two test cases:
1. Check log message when we add ssh key as passkey
mapping.
2. Check log message when we add ssh key with
passkey token.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 55bcb883eb627a91b954d9ba643bac940bdca7dc)
- - - - -
db27a51f by Sumit Bose at 2024-04-23T11:58:52+02:00
ad: refresh root domain when read directly
If the domain object of the forest root domain cannot be found in the
LDAP tree of the local AD domain SSSD tries to read the request data
from an LDAP server of the forest root domain directly. After reading
this data the information is stored in the cache but currently the
information about the domain stored in memory is not updated with the
additional data. As a result e.g. the domain SID is missing in this data
and only becomes available after a restart where it is read from the
cache.
With this patch an unconditional refresh is triggered at the end of the
fallback code path.
Resolves: https://github.com/SSSD/sssd/issues/7250
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 0de6c33047ac7a2b5316ec5ec936d6b675671c53)
- - - - -
06e10708 by Alexey Tikhonov at 2024-04-24T13:05:12+02:00
CI: remove unused stuff (lcov, ...)
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 65ca6725f6326481b7bb98c2a762c462f12cc8a8)
- - - - -
1602052c by Timo Aaltonen at 2024-04-25T15:40:58+03:00
patches: Fix build on armel, armhf. (Closes: #1068063)
- - - - -
6d6bc3c4 by Justin Stephenson at 2024-05-01T15:33:44+02:00
krb5: Move soft_terminate_krb5_child to static
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit c15bd3aeb3bdc0af23b69bf277c2177a69c92bc3)
- - - - -
b0fda92e by Alexey Tikhonov at 2024-05-02T15:11:29+02:00
RESPONDER: use proper context for getDomains()
Request was created on a long term responder context, but a callback
for this request tries to access memory that is allocated on a short
term client context. So if client disconnects before request is
completed, then callback dereferences already freed memory.
Resolves: https://github.com/SSSD/sssd/issues/7319
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit dc637c9730d0ba04a0d8aa2645ee537224cd4b19)
- - - - -
f36ecd2c by Justin Stephenson at 2024-05-07T14:20:33+02:00
man: Add local_auth_policy table
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b32f59603e707e130135c6f29a7332aa2b337b41)
- - - - -
540bf393 by Jakub Vávra at 2024-05-07T15:37:50+02:00
Tests: Update expect as passwd password change message changed.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 31bd16f65a1add408d108767bdaa9fe86df2bc7f)
- - - - -
80f87d17 by Jakub Vávra at 2024-05-07T15:47:22+02:00
Tests: Add extra debug to test_0003_gssapi_ssh.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
cc52f6f3 by Jakub Vávra at 2024-05-07T15:47:22+02:00
Tests: Switch test_0001_memcache_sid to reuse adjoin code.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
d17f7ffd by Jakub Vávra at 2024-05-07T15:47:22+02:00
Tests: Add journalctl when systemctl sssd fails.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
87e3edf2 by Jakub Vávra at 2024-05-07T15:47:22+02:00
Tests: Update ad parameters ported for non-root.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
0911ffcd by Jakub Vávra at 2024-05-07T15:47:22+02:00
Tests: Add extra sssd restart on master for samba tests.
For non-root the sssd needs to be restarted after joining the AD
and fixing sssd.conf permissions, this was not done on master (smb).
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
0deb3f62 by Jakub Vávra at 2024-05-07T15:47:22+02:00
Tests: Add fixing sssd.conf ownership after realm join.
Add journalctl info when service_ctrl call fails.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
6afc435e by Jakub Vávra at 2024-05-07T15:47:22+02:00
Tests: Fix PEP8 on updated AD suites.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
- - - - -
7d260f7d by Dan Lavu at 2024-05-09T15:28:09+02:00
tests: adding gpo system tests
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 7f48c7c448124dea68f2835c7e10742f48f8bc6c)
- - - - -
a2bd4344 by Sumit Bose at 2024-05-15T11:31:43+02:00
oidc_child: fix wrong usage of '%*s'
If it is not clear if a string is 0-terminated or not but the length is
known the '%.*s' template must be used to use only given numbers of
characters. '%*s' is a valid printf() template but only sets the minimal
width of the output.
This patch fixes an occurrence in the sysdb code as well.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit f1c6218164bbcfba1698d416e248b7a9de4ddcf9)
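The difference described in the a2bd4344 commit message above, as an added C example that is not SSSD code: the same length argument is passed once as a field width (`%*s`) and once as a precision (`%.*s`). The buffer contents and the helper names `fmt_width` and `fmt_precision` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 5-byte value followed by unrelated bytes, as when a
 * length-delimited field sits inside a larger buffer. The array as a whole is
 * NUL-terminated so that the "%*s" call below stays defined behaviour; with a
 * buffer that has no terminator at all, "%*s" would read past its end. */
static const char sample[] = "abcdeSECRET-TAIL";
#define SAMPLE_LEN 5

static char out[64];

/* "%*s": len is only the MINIMUM field width. Output runs to the first NUL. */
const char *fmt_width(const char *data, int len)
{
    snprintf(out, sizeof(out), "%*s", len, data);
    return out;
}

/* "%.*s": len is the precision, i.e. the MAXIMUM number of bytes read. */
const char *fmt_precision(const char *data, int len)
{
    snprintf(out, sizeof(out), "%.*s", len, data);
    return out;
}

int main(void)
{
    printf("width     [%s]\n", fmt_width(sample, SAMPLE_LEN));
    printf("precision [%s]\n", fmt_precision(sample, SAMPLE_LEN));
    printf("padding   [%s]\n", fmt_width("ab", SAMPLE_LEN));
    return 0;
}
```

With the width form, the bytes after the intended field end up in the output, which is how adjacent data can leak into logs or requests.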
- - - - -
bca6c4ef by Andreas Schneider at 2024-05-16T10:11:22+02:00
ad_gpo_child: Improve libsmbclient code
We plan to get rid of smbc_setFunctionAuthData() in future, so already
move to the function using the context. Also tell libsmbclient we do not
want to fallback if Kerberos fails.
Signed-off-by: Andreas Schneider <asn at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 39f5b9ac21d167991591f6873b34f722d4bdd2bc)
- - - - -
b363fa86 by Justin Stephenson at 2024-05-16T10:53:09+02:00
passkey: Return error during passkey processing
Avoid retrying SSS_PAM_PREAUTH loop if an unexpected error
is encountered during passkey processing.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 914ce094735d759e162fa885087789dcfc8c89f8)
- - - - -
f0fba6cd by Justin Stephenson at 2024-05-16T10:53:09+02:00
passkey: Improve passkey mapping handling
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d7d51126a35b375a5a11cd290cf3c011c713afe4)
- - - - -
83e2e6be by Madhuri Upadhye at 2024-05-16T10:53:09+02:00
Test: Update tc when mapping and key are added
Update the passkey test case where we are now testing
su passkey auth of user when user is added with ssh-key
and passkey mapping for AD, Samba and LDAP server.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit b73994ff3ddf58b9363282b47ebe5ca2329462c2)
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit f135102765c781f1f9e9e76d16d30a51c776d473)
- - - - -
14f32f68 by Pavel Březina at 2024-05-16T11:13:30+02:00
failover: add failover_primary_timeout option
This was previously hardcoded to 31 seconds (hardcoded retry_timeout +
1). This may be too short a period under some circumstances.
When we retry primary server we drop connection to the backup server and
if the primary server is not yet available (and there are many
unavailable primary servers) we may go through a long timeout cycle
every half minute.
This patch makes the value configurable.
:config: Added `failover_primary_timeout` configuration option. This
can be used to configure how often SSSD tries to reconnect to a
primary server after a successful connection to a backup server.
This was previously hardcoded to 31 seconds which is kept as
the default value.
Resolves: https://github.com/SSSD/sssd/issues/7375
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit e9738e36937e78f80bb2772c48cffbddf39bd5fe)
- - - - -
a2fbe044 by Pavel Březina at 2024-05-16T13:14:57+02:00
tests: remove passkey_requires_root from passkey tests
This is not available in sssd-2-9 branch and it was accidentally
pushed when cherry-picking f135102765c781f1f9e9e76d16d30a51c776d473.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
26c9dc6f by Weblate at 2024-05-16T13:25:21+02:00
po: update translations
(Swedish) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/sv/
po: update translations
(Korean) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/
po: update translations
(Korean) currently translated at 100.0% (717 of 717 strings)
Translation: SSSD/SSSD-2-9
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-2-9/ko/
- - - - -
595c4c6d by Pavel Březina at 2024-05-16T13:35:27+02:00
Release sssd-2.9.5
- - - - -
b8ca3926 by Timo Aaltonen at 2024-05-20T14:40:35+03:00
Merge branch 'upstream'
- - - - -
77c58af0 by Timo Aaltonen at 2024-05-20T16:20:58+03:00
bump version, drop patches
- - - - -
467ae4d6 by Timo Aaltonen at 2024-05-20T16:36:56+03:00
releasing package sssd version 2.9.5-1
- - - - -
30 changed files:
- .github/workflows/analyze-target.yml
- .github/workflows/ci.yml
- .github/workflows/copr_build.yml
- .github/workflows/static-code-analysis.yml
- contrib/ci/deps.sh
- contrib/ci/misc.sh
- debian/changelog
- debian/patches/series
- po/ko.po
- po/sv.po
- src/config/SSSDConfig/sssdoptions.py
- src/config/SSSDConfigTest.py
- src/config/cfg_rules.ini
- src/config/etc/sssd.api.conf
- src/db/sysdb_gpo.c
- src/db/sysdb_init.c
- src/db/sysdb_ops.c
- src/db/sysdb_private.h
- src/db/sysdb_upgrade.c
- src/external/samba.m4
- src/krb5_plugin/passkey/passkey_clpreauth.c
- src/man/idmap_sss.8.xml
- src/man/pam_sss.8.xml
- src/man/pam_sss_gss.8.xml
- src/man/sss-certmap.5.xml
- src/man/sss_cache.8.xml
- src/man/sss_debuglevel.8.xml
- src/man/sss_obfuscate.8.xml
- src/man/sss_override.8.xml
- src/man/sss_rpcidmapd.5.xml
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/aebdd782782a3bc9bd809a948a987f474ca4c6b2...467ae4d6b1de69f983384e589b1f34457fb7ea31