[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 858 commits: Update version in version.m4 to track the next release

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Sun Jan 5 10:00:22 GMT 2025



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
650e8d0a by Pavel Březina at 2023-05-05T13:29:40+02:00
Update version in version.m4 to track the next release

- - - - -
b2a4ff2a by Alejandro López at 2023-05-15T11:21:50+02:00
FILE WATCH: Callback not executed on link or relative path

When the watched file was a symbolic link or was a relative path,
the callback was not executed because the filename comparison
was wrongly considering the files to be different.

The solution is to normalize the filenames before comparing them.
This cannot be easily done at setup because the file might not
exist at that moment.

The test was adapted to check this situation.

Resolves: https://github.com/SSSD/sssd/issues/6718

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
90c54907 by Alejandro López at 2023-05-15T11:21:50+02:00
TESTS: Fix double slash comments

Use /* */ instead of //.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
01d02794 by Sumit Bose at 2023-05-15T11:22:44+02:00
sysdb: fix string comparison when checking for overrides

When checking if the input group-name is the original name from AD or an
overwritten one, the comparison is currently done case-sensitively. Since
AD handles names case-insensitively, and hence SSSD should do this as well,
this comparison might cause issues.

The patch replaces the case-sensitive comparison with a comparison that
respects the case_sensitive setting of the domain the object is coming from.

Resolves: https://github.com/SSSD/sssd/issues/6720

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
377ec31a by Madhuri Upadhye at 2023-05-15T11:23:24+02:00
Test: Test search filter specific user override or a specific group override

Add automation of BZ2096183.

verifies:
  #6671

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
906a677c by Iker Pedrosa at 2023-05-15T11:25:30+02:00
passkey: write mapping data to file

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4dae6def by Dan Lavu at 2023-05-17T14:37:45+02:00
Adding testcase for bz2166627

add 'getsidbyusername()' and 'getsidbygroupname()' tests to ad_misc

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
df8472cc by Alexey Tikhonov at 2023-05-19T13:22:48+02:00
MAN: fix issue with multithread build

When 'make' runs using multiple threads it can build several man pages
in parallel, executing the same '.5.xml.5:' rule. This can result in
a race condition where multiple threads access the same 'sssd_user_name.include'
file.
To avoid this, make the 'sssd_user_name.include' file a rule dependency.
But "Suffix rules cannot have any prerequisites of their own", and suffix
rules are obsolete anyway, so change it to pattern rules.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2965db1c by Madhuri Upadhye at 2023-05-19T16:16:05+02:00
Tests: Gating fixes for RHEL8.9 and RHEL9.3

The following three minor changes are:

for test_config_validation.py,
1. 'sssctl config-check' returning returncode as 1 when
   we don't have an sssd.conf file.
2. Change the 'sssctl' command which only checks the
   non-default snippet directory with option -s.

for test_offline.py,
3. Add an extra restart of sssd to get the offline log message
   using the journalctl command.

for test_ssh_
4. Replace pexpect_ssh with the auth_from_client method to log in
   the user.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
535a8c6a by Shridhar Gadekar at 2023-05-22T09:23:24+02:00
Tests: move unstable default_debug to tier2

moved default debug level tests to tier2

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
2096f455 by aborah at 2023-05-22T09:23:50+02:00
Tests: Fix gating tests for 9.3

It fixes tests from tier1_2 that are failing in gating

1. src/tests/multihost/alltests/test_automount.py   there is an issue with autofs, email thread: [CRASH] prep Package: autofs-1:5.1.7-36.el9
2. src/tests/multihost/alltests/test_automount_from_bash.py   the test did not raise an error as the last 'cd -' command was successful, so I have removed the 'cd -' part (/folder1/folder2/projects does not exist)
3. src/tests/multihost/alltests/test_ldap_password_policy.py   the password provided was wrong.
4. src/tests/multihost/alltests/test_backtrace.py   need to modify this test as per the current log format

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
69f93bf8 by Dan Lavu at 2023-05-23T12:54:20+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
121b3bbf by Jakub Vavra at 2023-05-24T09:07:33+02:00
Tests: Modify expiring/expired password test for RHEL 8.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
fe751c31 by Justin Stephenson at 2023-05-25T10:20:20+02:00
Passkey: Adjust IPA passkey config error log level

IPA passkey configuration may not be retrieved if IPA
does not contain passkey support. Lower the error level of log
messages associated with this failure.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
fa326be9 by Justin Stephenson at 2023-05-25T10:20:20+02:00
IPA: Log missing IPA config data on default level

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
39b6337f by Sumit Bose at 2023-05-25T10:21:07+02:00
AD: add missing AD_AT_DOMAIN_NAME for sub-domain search

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
45561195 by Sumit Bose at 2023-05-26T12:53:48+02:00
krb5: make sure sockets are closed on timeouts

If krb5_child runs into a timeout the backend currently does not close
the I/O sockets because handle_child_done() is not called when the
timeout handlers are acting. To make sure the signal handler can close
the sockets the 'in_use' member of struct child_io_fds is set to
'false'.

Resolves: https://github.com/SSSD/sssd/issues/6744

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
11eef225 by Shridhar Gadekar at 2023-05-26T12:55:09+02:00
Tests: fix default debug level for typo

modified docstrings

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
1d69fdb7 by Alejandro López at 2023-05-26T12:58:24+02:00
SYSDB: Make enum sysdb_obj_type public

Make enum sysdb_obj_type usable outside of sysdb_ops.c.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
99d0ab82 by Alejandro López at 2023-05-26T12:58:24+02:00
IPA: Use a more specific filter when searching for BE_REQ_USER_AND_GROUP

The previous filter for overrides would sometimes find more than one entry
because it was looking for a uidNumber or gidNumber:
(&(objectClass=ipaOverrideAnchor)(|(uidNumber=XXXX)(gidNumber=XXXX)))

The new filter looks for a specific user override or a specific group
override:
(|(&(objectClass=ipaUserOverride)(uidNumber=XXXX))
  (&(objectClass=ipaGroupOverride)(gidNumber=XXXX)))

This filter could return two override entries (one for a group and one
for a user). That case must be taken into consideration, discarding the
user override in favor of the group override.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
469905bf by Jakub Vavra at 2023-05-29T06:54:00+02:00
Tests: Add conditional skip for simple ifp test.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
7f288164 by Alejandro López at 2023-06-05T11:27:51+02:00
PAM: Fix a possible segmentation fault

Calls to add_expired_warning(struct pam_data *pd, long exp_time) must
provide a non-NULL pd. In one of the cases this function is called
without checking that pd is not NULL. We fix that here.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a886999 by Sumit Bose at 2023-06-05T11:28:54+02:00
fail_over: protect against a segmentation fault

A missing server name in struct fo_server will cause a segmentation
fault. Currently it is unclear why the server name is missing at this
point. To avoid the segmentation fault, it is checked beforehand whether
the server name is missing. Additionally, the state of some internal
structures is added to the debug logs to help debug why the server
name is missing.

Resolves: https://github.com/SSSD/sssd/issues/6659

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
75ae9e87 by aborah at 2023-06-08T07:56:26+02:00
Tests: Netgroups do not honor entry cache nowait percentage

https://gitlab.cee.redhat.com/sssd/sssd-qe/-/blob/RHEL8.8/client/ldap_provider/ldap_id_ldap_auth/bugzilla-automation.sh#L280

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
587cd8dc by Shridhar Gadekar at 2023-06-08T07:58:24+02:00
Tests: move test_access_control.py to tier2

Tests moved to tier2; the tests are failing to parse
the logs and gating is blocked. The same testsuite is available
in bash.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
0588bd3b by Iker Pedrosa at 2023-06-08T13:48:14+02:00
passkey: fix two covscan issues

Fixes following covscan issues:
```
Error: CLANG_WARNING:
sssd-2.9.0/src/krb5_plugin/passkey/passkey_utils.c:562:5: warning[unix.Malloc]: Potential leak of memory pointed to by 'data'
 #  560|       }
 #  561|
 #  562|->     json_decref(jroot);
 #  563|       return message;
 #  564|   }

Error: UNREACHABLE (CWE-561):
sssd-2.9.0/src/responder/pam/pamsrv_passkey.c:1039: unreachable: This code cannot be reached: "if (!pctx->passkey_auth) {
...".
 # 1037|   #endif
 # 1038|
 # 1039|->     if (!pctx->passkey_auth) {
 # 1040|           return false;
 # 1041|       }
```

Resolves: https://github.com/SSSD/sssd/issues/6733

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
702f7c23 by Iker Pedrosa at 2023-06-08T13:48:14+02:00
passkey: rename function

Rename `sss_passkey_prefix_json_data()` to
`sss_passkey_message_from_reply_json()`.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
27dd3f50 by Shridhar Gadekar at 2023-06-12T09:34:01+02:00
Tests: Adding c-ares markers for related tests

removing flaky ones

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
076a1136 by Alexey Tikhonov at 2023-06-12T11:17:30+02:00
RESPONDER: avoid log backtrace in case access denied

Resolves: https://github.com/SSSD/sssd/issues/6442

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b033b0dd by Pavel Březina at 2023-06-12T11:49:23+02:00
ipa: correctly remove missing attributes on netgroup update

Previously, when a netgroup was updated, the missing attributes were
not removed. This caused an issue especially when a member was removed.

Resolves: https://github.com/SSSD/sssd/issues/6652

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
fd3ed8af by Shridhar Gadekar at 2023-06-12T20:43:01+02:00
Test: drop c_ares tests from gating

These two tests need further investigation,
dropping them from gating

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
dc9466e7 by Alejandro López at 2023-06-12T20:43:20+02:00
AD: The shortcut must be used equally on _send() and _done()

The conditions to use the shortcut in sdap_ad_tokengroups_initgroups_send()
were modified without also changing sdap_ad_tokengroups_initgroups_done().

To avoid future problems like this, and because the condition is becoming
more complex to evaluate, we evaluate the condition in the _send() function
and keep the result in the state, for the _done() function to use it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9c50b8ec by Madhuri Upadhye at 2023-06-13T12:13:57+02:00
Tests: Add package for tc command

Adding package iproute-tc to get tc command.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
6efb2779 by Shridhar Gadekar at 2023-06-13T12:18:41+02:00
Test: dropping unstable dyndns tests

Dropping unstable dyndns tests from c-ares gating

- - - - -
5ebf98a8 by Shridhar Gadekar at 2023-06-14T19:35:23+02:00
Tests: drop dyndns testcase from gating

test is under investigation. This is minor test

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
d14be798 by aborah at 2023-06-15T10:25:06+02:00
Tests: Skip test_0001_bz2021196

The test is unstable on other architectures so it is skipped for now.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
3e3d0986 by Jakub Vavra at 2023-06-15T10:26:52+02:00
Tests: Skip test_0016_ad_parameters_ad_hostname_valid on other architectures.

The test is unstable on other architectures so it is skipped for now.
Reordered the asserts so we can see if the connection to AD works,
as looking for the log message has a lower priority.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
74d0f453 by Alexey Tikhonov at 2023-06-16T10:31:23+02:00
BUILD: Accept krb5 1.21 for building the PAC plugin

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
54903c0e by Jakub Vavra at 2023-06-16T13:22:06+02:00
Tests: Improve stability of test_0004_bz2110091

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
34dba5a3 by aborah at 2023-06-19T06:03:48+00:00
Tests: Add ssh module that is fast, reliable, accurate

SSSD tests seem to be failing with the current ssh module without any reason.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
d99aa97d by Sumit Bose at 2023-06-19T20:41:05+02:00
ldap: return failure if there are no grace logins left

If a user's password is expired while changing the LDAP password, SSSD
tries to change the password even if the initial bind of the user failed
due to exhausted grace logins.

With this patch the change password request will be aborted if the bind
fails indicating that there are no grace logins left.

Resolves: https://github.com/SSSD/sssd/issues/6768

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
67c11c2e by Sumit Bose at 2023-06-19T20:45:42+02:00
ad: use sAMAccountName to lookup hosts

To determine which GPOs apply to the host running SSSD the full DN of
the host object in AD is needed. To find this object we use the NetBIOS
name of the host which is stored in AD in the sAMAccountName attribute.
Using other attributes, e.g. if ldap_user_name is set to a different
attribute, will most probably cause a failure since those attributes are
not managed as expected for host objects. As a result sAMAccountName
should be hardcoded here to avoid issues.

Resolves: https://github.com/SSSD/sssd/issues/6766

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
8b014bf1 by Pavel Březina at 2023-06-19T20:47:58+02:00
cache_req: remove unused field cache_behavior from state

This field is not used anywhere. Instead, we use the value from struct
cache_req.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
32f57822 by Pavel Březina at 2023-06-19T20:47:58+02:00
cache_req: fix propagation of offline status with cache_first = true

During the first iteration where the provider was not yet contacted,
we set state->dp_success to false and if the record was not found we
returned ERR_OFFLINE instead of ENOENT which causes the cache_req to
continue and search the provider.

Resolves: https://github.com/SSSD/sssd/issues/6739

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2fd5374f by Alexey Tikhonov at 2023-06-21T15:24:00+02:00
SYSDB: in case (ignore_group_members == true) group is actually complete

Example workflow:
 - SSSD client is enrolled into AD domain (Token-Groups are enabled)
 - `id $user` is executed
 - initgroups() is called for this user
 - during processing of initgroups() sssd_be obtains a list of group SIDs
   the user is a member of, and then partially resolves those groups and adds
   them to the local cache as "incomplete" (i.e. 'expired')
 - as a next step `id` calls getgrnam() for every group in the initgroups() list
 - since groups are saved into the cache as "incomplete" (technically - "expired")
   this again results in an LDAP search of this group.
   But if `ignore_group_members = true` this search doesn't provide
   new information. "Incomplete" groups could be used instead.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ca7c9f60 by Alejandro López at 2023-06-23T14:47:33+02:00
TEST: Fix pam-srv-tests to correctly treat the test name

Test suite pam-srv-tests accepts a test name as the last argument to
just run that test. However, this was failing because a pointer to the
name is retrieved but the poptContext is freed immediately after, making
the pointer invalid.

The poptContext is now released after using the pointer.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dc508f03 by Alejandro López at 2023-06-23T14:47:33+02:00
IPA: Do not try to add duplicate values to the LDAP attributes

When using extra attributes, an attribute could be listed twice and
SSSD will try to add it twice to the cache. To handle this situation,
each instance will be added to a single attribute with multiple values,
but duplicated values will be dropped. This is done by calling
`sysdb_attrs_add_val_safe()` instead of `sysdb_attrs_add_val()`.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1b45f29f by Alejandro López at 2023-06-23T14:47:33+02:00
UTIL: New function string_in_list_size()

Similar to string_in_list() but instead of taking a NULL-terminated list
it takes a list and its size.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2b8fed59 by Alejandro López at 2023-06-23T14:47:33+02:00
UTIL: add_strings_lists() becomes add_strings_lists_ex()

Old function add_strings_lists() copies any duplicate value.
New function add_strings_lists_ex() takes an argument to decide
whether to discard duplicate values.

add_strings_lists() is now a wrapper on add_strings_lists_ex().

Both functions now take a const char *** instead of char ** as
output parameter.

An existing test was adapted and a new one added.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
de258f01 by Alejandro López at 2023-06-23T14:47:33+02:00
RESPONDER: attr_in_list() is replaced by string_in_list_size()

Both functions do the same thing, so it is useless to have them both.
attr_in_list() has, however, a more descriptive name for its use in
this module, so we'll keep it as an inlined wrapper.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b5041597 by Alejandro López at 2023-06-23T14:47:33+02:00
IPA: Do not duplicate the entry attributes.

The extra attributes are concatenated to other required attributes for
some operations. In some cases the attribute list ends up having duplicate
attributes, either because the user accidentally added it twice to the
ldap_user_extra_attrs list, or one or more of those attributes are also
in the required list.

Removing the duplicates each time the lists are concatenated increases
the concatenation time. And this is done every time. So we try to
concatenate the attribute lists at start up, filtering duplicates, and
use that list.

To do that, we consider the two cases where the list concatenation is
done. In one of the cases, the added attributes are a subset of the other
list. So we factorized this list to add the common attributes to the list
at start up. Only the non-common attributes are added while serving a
request. The complete list is now stored in the `full_attribute_list`
field.

An existing test suite was adapted to this new situation as it now needs
to initialize the new field.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
57499ff6 by Madhuri Upadhye at 2023-06-23T14:49:37+02:00
Tests: When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stops working

When adding attributes ldap_user_extra_attrs with mail value in sssd.conf the cross-forest query stops working

Automation of BZ2170720

Verifies:
  #6759

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
799e56d6 by Weblate at 2023-06-23T15:16:51+02:00
po: update translations

(Korean) currently translated at 65.3% (1693 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Japanese) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/

po: update translations

(French) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Korean) currently translated at 65.2% (1690 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 64.8% (1680 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 64.8% (1678 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Georgian) currently translated at 8.1% (58 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Turkish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Turkish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Korean) currently translated at 64.6% (1673 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Russian) currently translated at 100.0% (2752 of 2752 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (2752 of 2752 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Ukrainian) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Russian) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2752 of 2752 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Polish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Hungarian) currently translated at 6.2% (44 of 706 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/hu/

- - - - -
06d6e270 by Pavel Březina at 2023-06-23T15:25:08+02:00
pot: update pot files

- - - - -
0171bcb0 by Shridhar Gadekar at 2023-06-27T09:48:02+02:00
Test: gating sssd after crash

Using new authentication module for ssh login
instead of existing one

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
56741208 by aborah at 2023-06-27T09:49:20+02:00
Tests: Fix alltest tier1_3 tests with new ssh module

Fix alltest tier1_3 tests with new ssh module

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
7f94e5ca by aborah at 2023-06-27T09:50:36+02:00
Tests: Fix IPA tier1_2 tests

Fix IPA tier1_2 tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
f6bbd591 by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
KRB5: avoid another attempt to free 'cc' in 'done:' section if first attempt failed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ff5096bb by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
KRB5: use proper function to deallocate mem

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7f308c6f by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
KRB5: avoid FORWARD_NULL

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b69ff375 by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
KRB5: fix memory leak

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
75822701 by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
KRB5: fix memory leak

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a83be8fb by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
KRB5: avoid RESOURCE_LEAK

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
01f0d067 by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
KRB5: fixed RESOURCE_LEAK

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fd7da517 by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
LDAP: fixed RESOURCE_LEAK

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
eca00ef4 by Alexey Tikhonov at 2023-06-28T12:40:48+02:00
LDAP: fixed leak of `kprinc`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d02533ca by Alexey Tikhonov at 2023-06-28T12:40:49+02:00
UTILS: fixed USE_AFTER_FREE

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
476ba561 by aborah at 2023-07-04T07:53:50+02:00
Tests: Increase PAM_MISC_CONV_BUFSIZE to max at 4096 instead of 512 bytes

[RHEL8][RFE] Increase PAM_MISC_CONV_BUFSIZE to max at 4096 instead of 512 bytes

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
9240bca7 by Alexey Tikhonov at 2023-07-04T15:32:28+02:00
ENUMERATION: conditional build of enumeration support for providers other than LDAP

:relnote:Support for the 'enumeration' feature (i.e. the ability to list all
users/groups using 'getent passwd/group' without an argument) for the AD/IPA
providers is deprecated and might be removed in future releases.
Those who are interested in keeping it in use for a while should configure
its build explicitly using the '--with-extended-enumeration-support'
./configure option.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
75f2b35a by Sumit Bose at 2023-07-04T15:36:28+02:00
watchdog: add arm_watchdog() and disarm_watchdog() calls

Those two new calls can be used if there are requests stuck, e.g.
waiting on replies, where there is no other way to handle the timeout and
get the system back into a stable state. They should only be used as a
last resort.

Resolves: https://github.com/SSSD/sssd/issues/6803

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cca9361d by Sumit Bose at 2023-07-04T15:36:28+02:00
sbus: arm watchdog for sbus_connect_init_send()

There seem to be conditions where the reply in the
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
properly initialize its sbus/DBus server. Since the backend cannot be
connected by the frontends in this state the best way to recover would
be a restart. Since the event-loop is active in this state, e.g. waiting
for the reply, the watchdog will not consider the process as hung and
will not restart the process.

To make the watchdog handle this case arm_watchdog() and
disarm_watchdog() are called before and after the request, respectively.

Resolves: https://github.com/SSSD/sssd/issues/6803

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5e86af8a by aborah at 2023-07-10T10:10:58+02:00
Tests: Update test_ldap_password_policy.py::test_maxage as per the new sssd change

Update test_ldap_password_policy.py::test_maxage as per the new sssd change

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
2487c99c by aborah at 2023-07-11T15:38:25+02:00
Tests: Fix test_0002_bz1928648 with new ssh module

Fix test_0002_bz1928648 with new ssh module

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
fe99271b by aborah at 2023-07-11T15:39:04+02:00
Tests: sssd-be tends to run out of system resources, hitting the maximum number of open files

sssd-be tends to run out of system resources, hitting the maximum number of open files

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d8742c51 by aborah at 2023-07-12T12:15:27+02:00
Tests: Update tire1_2 test cases with new ssh module

Update tire1_2 test cases with new ssh module

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
66908221 by aborah at 2023-07-12T12:17:51+02:00
Tests: Update tier1 test cases with new ssh module

Update tier1 test cases with new ssh module

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
3ff79e28 by aborah at 2023-07-13T09:45:51+02:00
Tests: Fix test_0008_1636002

Fix test_0008_1636002

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e91a90cf by Alexey Tikhonov at 2023-07-13T14:17:44+02:00
SPEC: sync with Fedora spec file

Bringing https://src.fedoraproject.org/rpms/sssd/c/d3ba8fb11abeefd2f817d58507e5ea3bdada2222
upstream

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8466f0e4 by Sumit Bose at 2023-07-13T14:19:02+02:00
sssctl: allow cert-show and cert-eval-rule as non-root

The cert-show and cert-eval-rule sub-commands do not need root access and
do not require SSSD to be configured on the host.

Resolves: https://github.com/SSSD/sssd/issues/6802

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0817ca3b by Sumit Bose at 2023-07-13T14:19:02+02:00
certmap: fix partial string comparison

If the formatting option of the certificate digest/hash function
contained an additional specifier separated with a '_', the comparison
of the provided digest name and the available ones was incomplete: the
last character was ignored and the comparison was successful even if
there was only a partial match.

Resolves: https://github.com/SSSD/sssd/issues/6802

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2bc426fa by Sumit Bose at 2023-07-13T14:19:02+02:00
test: fix linking issue

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ac5480af by Madhuri Upadhye at 2023-07-13T14:19:32+02:00
Tests: Minor fix in test_adtrust

correct the variable name.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0f911c10 by Patrik Rosecky at 2023-07-13T14:19:57+02:00
Tests: converted multihost/test_config.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
34ef9c5f by aborah at 2023-07-14T20:01:58+02:00
Tests: Fix test_maxage

Fix test_maxage

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
0368c368 by François Cami at 2023-07-18T12:36:15+02:00
Fix typo: found => find

Fix typo in error message:
"waitpid did not found" => "waitpid did not find"

Signed-off-by: François Cami <fcami at redhat.com>

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
40e0592d by Iker Pedrosa at 2023-07-18T12:36:32+02:00
test: basic tests for ldap_user_extra_attrs

Conversion of test_0001_bz1362023(), test_0002_givenmail() and
test_0037_ad_parameters_extra_attrs_mail() in a system test using the
new framework.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
08aa08e0 by Shridhar Gadekar at 2023-07-19T09:00:51+02:00
Tests: moving duplicate backtrace from gating

duplicate backtrace is behaving differently on different
versions. Moving it out of gating.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
ea34b805 by Madhuri Upadhye at 2023-07-19T09:25:41+02:00
Test: Check case-insensitive while checking with group lookup for an overrideuser

Added automation for following bugs:
  https://bugzilla.redhat.com/show_bug.cgi?id=2192708
  https://bugzilla.redhat.com/show_bug.cgi?id=2196838
  https://bugzilla.redhat.com/show_bug.cgi?id=2196816
  https://bugzilla.redhat.com/show_bug.cgi?id=2196839

verify:
  #6721

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b9bb35c1 by Pavel Březina at 2023-07-19T13:50:26+02:00
ci: move to new centos8 buildroot repository url

CentOS8 buildroot repo location has changed.

https://lists.centos.org/pipermail/centos-devel/2023-March/142831.html

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
5c72905e by Pavel Březina at 2023-07-19T13:50:32+02:00
ci: run workflows on sssd-2-9

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
755c2157 by aborah at 2023-07-21T07:04:11+02:00
Tests: Fix KCM::test_client_timeout

Fix KCM::test_client_timeout

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
01853a10 by Patrik Rosecky at 2023-07-21T07:17:06+02:00
Tests: convert intg/test_memory_cache.py to system tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4b83a68e by aborah at 2023-07-21T12:05:23+02:00
Tests: Update sssh module for tier 1_3, 1_4 and 2

Update sssh module for tier 1_3, 1_4 and 2

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
763106ff by aborah at 2023-07-24T07:21:57+02:00
Tests: Add sleep time to test_bz785908

Add sleep time to test_bz785908

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
6bed4b7b by Madhuri Upadhye at 2023-07-24T09:56:26+02:00
Tests: Package download

Add python3-libsss_nss_idmap package from utils.py

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
43dd400d by Pavel Březina at 2023-07-24T14:54:35+02:00
tests: add pytest-importance plugin to system tests

This plugin adds @pytest.mark.importance("low|medium|high|critical")
and --importance=xyz cli option.

Default importance is medium.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d3fd983b by Pavel Březina at 2023-07-24T14:54:35+02:00
tests: add pytest-output plugin to system tests

This plugin validates test metadata and generates Polarion import XMLs.

To generate the XMLs, call pytest with:

```
--polarion-config=./polarion.yaml --output-polarion-testcase=testcase.xml --output-polarion-testrun=testrun.xml
```

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
50df528c by Pavel Březina at 2023-07-24T14:54:35+02:00
tests: add requirements to system tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
03e39e19 by Pavel Březina at 2023-07-24T14:54:35+02:00
tests: drop tier from system tests

It is replaced by importance marker, which defaults to medium.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f8848028 by Pavel Březina at 2023-07-24T14:54:35+02:00
tests: fix docstring in test_config__add_remove_section

Number of steps did not match number of expected results.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f3793fc7 by Pavel Březina at 2023-07-24T14:54:35+02:00
ci: generate polarion xmls from system tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1d268bc1 by Pavel Březina at 2023-07-24T14:54:35+02:00
ci: run system test in collect only mode first

This will quickly catch issues in Polarion metadata/docstring without
waiting for the test run to finish.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bfab4907 by Iker Pedrosa at 2023-07-24T14:56:43+02:00
man: clarify passkey PIN prompt

If user_verification is enabled, then the PIN will always be requested.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit b87c5a6f11f8a584c10a3eb4b74b6084f259182e)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f3f7a4ce by Justin Stephenson at 2023-07-24T14:56:43+02:00
Change "non_kerberos" to "local" authentication

This is more clear, and aligns with smartcard authentication
verbiage.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d019132b by Justin Stephenson at 2023-07-24T14:56:43+02:00
Add local auth policy

local authentication methods policy - Some backends (i.e. LDAP, proxy provider)
only support a password based authentication, while others can handle PKINIT
based Smartcard authentication (AD, IPA), two-factor authentication (IPA),
or other methods against a central instance. By default in such cases
authentication is only performed with the methods supported by the backend.

To allow more convenient or secure authentication methods which are supported
by SSSD, but not by the backend, in cases where a central authentication is
not strictly required, the `local_auth_policy` option is added.

Ignore local auth policy when id_provider = files.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
43d89dd2 by Justin Stephenson at 2023-07-24T14:56:43+02:00
PAM: Fail empty password in passkey fallback

We can assume in this fallback chain that an empty password
is not allowed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f3431a7 by Pavel Březina at 2023-07-25T12:53:21+02:00
tests: fix docstring in test_memory_cache__invalidate_group_after_stop

- - - - -
e3dd7cf4 by Madhuri Upadhye at 2023-07-25T17:03:13+02:00
Tests: Add package for IPA tests

Add python3-libsss_nss_idmap package in common lib of ipa

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
5ced0157 by Patrik Rosecky at 2023-07-26T13:35:11+02:00
tests: multihost/basic/sssctl_config_check.py converted

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
28aeb13a by Patrik Rosecky at 2023-07-26T13:35:38+02:00
Tests: converted intg/test_memory_cache to test_id

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ed3726c3 by roy214 at 2023-07-26T13:38:53+02:00
sssctl: add error analyzer

Also removing unused variable and import.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4d171117 by Andre Boscatto at 2023-07-31T13:24:28+02:00
mans: fix typo in ldap_idmap_autorid_compat

Resolves: https://github.com/SSSD/sssd/issues/5198

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fe61c459 by Patrik Rosecky at 2023-07-31T13:25:17+02:00
tests: converted multihost/basic/test_ldap.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dd21de84 by Pavel Březina at 2023-08-07T12:04:52+02:00
readme: remove github actions badges

These badges stopped working due to breaking changes in the badge
provider:
https://github.com/badges/shields/issues/8671

I don't think we really use them and we did not even update from
sssd-2-7 branch to a newer one or with latest ci changes. Also it
is simple to see the green tick or red cross in github web ui so
these badges are redundant.

Covscan result is kept since you would need to check it on different
page.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
160d7c4f by aborah at 2023-08-07T12:05:31+02:00
Tests: Ldap referrals.

Ldap referrals.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
7902bd6e by Alexey Tikhonov at 2023-08-07T12:05:51+02:00
SPEC: make permissions of config folders consistent

It doesn't make sense to allow 'go+x' for sub-folders under
'/etc/sssd' since this folder itself doesn't have those permissions.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a540f914 by Alexey Tikhonov at 2023-08-07T12:05:51+02:00
TOOLS: get rid of strings duplications

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
91d32fee by Alexey Tikhonov at 2023-08-07T12:05:51+02:00
SPEC: make ownership of sssd.conf consistent with config folders.

:packaging: sssd.conf should be owned by user specified
with '--with-sssd-user=' at build time. If SSSD runs under
'root' then 'root' ownership of this file will be also
allowed in runtime.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fcfffb5c by Alexey Tikhonov at 2023-08-09T17:27:59+02:00
UTILS: swap order of seteuid()/setegid()

Otherwise it fails with:
```
6906  16:40:32.455571 setresuid(-1, 996, -1) = 0
6906  16:40:32.455590 setresgid(-1, 993, -1) = -1 EPERM (Operation not permitted)
```

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
2f08f87b by Pavel Březina at 2023-08-10T13:54:02+02:00
git: add commit template for tests

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
9380c8ef by Alexey Tikhonov at 2023-08-11T15:48:24+02:00
SBUS: warn loudly if bus denies access

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
d91c944c by Alexey Tikhonov at 2023-08-11T15:48:24+02:00
IFP: add a comment to 'org.freedesktop.sssd.infopipe.service' to avoid potential confusion

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
16d3308b by Alexey Tikhonov at 2023-08-14T17:05:05+02:00
MAN: only mention 'files' provider if its support is built

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
348c8f53 by Justin Stephenson at 2023-08-17T17:26:04+02:00
Passkey: Warning display for fallback

Warn the user before and after login that Kerberos ticket may not have been granted.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a20dadc7 by Justin Stephenson at 2023-08-17T17:27:10+02:00
Makefile: Respect `BUILD_PASSKEY` conditional

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
eadee9a2 by Justin Stephenson at 2023-08-17T17:27:10+02:00
pam: Conditionalize passkey code

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
7cf9a1ff by Justin Stephenson at 2023-08-17T17:27:10+02:00
ipa: Add `BUILD_PASSKEY` conditional for passkey codepath

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
12762d62 by Justin Stephenson at 2023-08-17T17:27:10+02:00
pam: Remove unneeded passkey verification call

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
bec58bf4 by Justin Stephenson at 2023-08-21T16:26:11+02:00
CI: Add Fedora 40+ to install CI scripts

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
7f7cfc92 by Alexey Tikhonov at 2023-08-22T16:08:02+02:00
PROXY: missing `proxy_resolver_lib_name` isn't an error

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8079d93f by Alexey Tikhonov at 2023-08-22T16:08:33+02:00
Fix compilation warning
```
../src/responder/pam/pamsrv_cmd.c: In function ‘pam_reply’:
../src/responder/pam/pamsrv_cmd.c:1188:10: warning: unused variable ‘pk_preauth_done’ [-Wunused-variable]
 1188 |     bool pk_preauth_done = false;
```
in case SSSD is built without 'passkey' support.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ae3bac93 by Alexey Tikhonov at 2023-08-22T16:10:05+02:00
CONF: allow 'sssd:sssd' ownership for config snippets

Addition to 91d32fee16e37e46b7fc43d66f579ba088c45af3

Unfortunately, there is no easy way to implement "fallback" logic
for snippets, it should be either "root:root" or "sssd:sssd".

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9fe55940 by Alexey Tikhonov at 2023-08-24T11:04:11+02:00
DP: ENOTSUP isn't a fatal failure for target c-tor

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
41427f95 by Alexey Tikhonov at 2023-08-24T16:51:01+02:00
IFP: allow running under non-root user

:relnote: Infopipe responder (ifp) can now be run under non-privileged
'sssd' user if SSSD is configured and built with the `--with-sssd-user=sssd` option.
As with other components, for the 'monitor' activated 'ifp' service the feature is
enabled by setting the `user=sssd` sssd.conf option.
For the dbus-socket activated 'ifp' service it's a matter of User=/Group= in
'sssd-ifp.service' (configured to 'sssd' by default).

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
01131ba7 by wangcheng at 2023-08-25T11:15:02+02:00
IPA: Change sysdb_attrs_add_val to sysdb_attrs_add_val_safe in debug output

The previous commit (dc508f032904f008714418509a13f79a17660659) modified the function `sysdb_attrs_add_val` to `sysdb_attrs_add_val_safe`, but did not modify the debug output information synchronously.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
15a22136 by Alexey Tikhonov at 2023-08-25T11:15:30+02:00
UTILS: remove unused code (files manipulations)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
641e5f73 by Pavel Březina at 2023-08-30T12:40:39+02:00
mc: recover from invalid memory cache size

If we access the mmap file outside its boundaries a SIGBUS is raised.
We can now safely recover if the file has unexpected size.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
eebb43de by Justin Stephenson at 2023-08-31T12:44:47+02:00
Proxy: Avoid ldb_modify failed error

Resolves the sysdb errors returned in the proxy provider
logs when proxy_fast_alias is True.

This extraneous memset call would overwrite the previously
returned pwd buffer, therefore an attempt was made to update
the user's SYSDB_PWD with an empty value causing the error.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b516f1e4 by Justin Stephenson at 2023-08-31T12:47:25+02:00
Passkey: Add child timeout handler

If passkey auth times out, the SIGCHLD handler needs to be
destroyed otherwise the SIGCHLD handler tries to access the tevent_req
which was already freed from the timeout.

Resolves: https://github.com/SSSD/sssd/issues/6889

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e32f899a by Patrik Rosecky at 2023-08-31T12:48:06+02:00
Tests: sssctl_config_check: test for incorrectly set value

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
12a2033e by Alexey Tikhonov at 2023-08-31T12:48:51+02:00
SPEC: restore proper ownership of `deskprofilepath` broken in d163a120b922a49b458dc9568d90c4066cee2d73

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
daf6096d by Alexey Tikhonov at 2023-08-31T12:48:51+02:00
SPEC: `gpocachepath` doesn't need public r-x access

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7d14e529 by Alexey Tikhonov at 2023-08-31T15:56:05+02:00
UTILS: include name of the file that failed perform_checks() in the debug log

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
24a08aca by Dan Lavu at 2023-09-01T13:33:57+02:00
TESTS: Porting sss_override test suite

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
053b6e14 by Justin Stephenson at 2023-09-04T14:48:39+02:00
Passkey: Conditional fixes

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1e5dfc18 by Pavel Březina at 2023-09-06T10:35:43+02:00
sss_iface: do not add cli_id to chain key

Otherwise we only chain identical requests from the same client
which effectively renders chaining not functional.

Resolves: https://github.com/SSSD/sssd/issues/6911

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c4b5fda5 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
Get rid of '--dbus-activated'.

Code makes no difference handling '--socket-activated' and
'--dbus-activated', it only makes things more obscure.
Moreover, on a systemd enabled system, dbus activation actually
starts systemd service anyway, so there is really no big difference.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
50e7891b by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
CONFDB: removed unneeded wrapper

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b639f335 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
CONF: there is no use for CONFDB_FALLBACK_CONFIG

since implicit files provider can't be enabled by default anymore.

Resolves: https://github.com/SSSD/sssd/issues/5022

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e0903de4 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
SBUS: additional details in debug messages

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
abd91303 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
MONITOR: debug messages updates

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
49f59cd4 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
SYSTEMD: removed unneeded capabilities

This patch removes capabilities that aren't needed at all.

Some (if not all) of the remaining capabilities can probably be
avoided with proper code changes, but currently those are needed.

Examples (not limiting) of those caps usage:
 - CAP_DAC_OVERRIDE (@additional_caps@): access to /var/log/sssd,
   to /var/lib/sss/pipes/private/* (sssd:sssd owned sbus-monitor/dp
   sbus sockets)
 - CAP_CHOWN: `chown_debug_file()` in case of monitor activation
 - CAP_SETUID/CAP_SETGID: drop privs in case of monitor activation,
   switch_creds (in particular, sssd_kcm executing krb5_child
   for ticket renewal)
 - CAP_FOWNER: chmod(mem-cache)

It's not that clear about 'CAP_KILL'. When 'sssd_be' terminates a
child process, it either still runs under root (so uid matches and
no caps are needed) or it has dropped privs already and has lost CAP_KILL
anyway. Another thing is 'monitor' signalling responders and
providers that could be running under 'sssd' while 'monitor'
itself runs under 'root'.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
19c741c4 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
SYSV/NSS: avoid chmod() in sssd_nss

This allows removing CAP_FOWNER.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9cb39728 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
SYSTEMD::IFP: don't restrict ExecStartPre=chown(log)

'PermissionsStartOnly' is deprecated but used for consistency
with other unit files.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8e1d2bb4 by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
SYSTEMD: replace deprecated 'PermissionsStartOnly=true' with '+'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9d7dd81c by Alexey Tikhonov at 2023-09-06T10:36:30+02:00
SYSTEMD: several comments to service files

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
05889816 by Weblate at 2023-09-07T11:39:55+02:00
po: update translations

(Swedish) currently translated at 100.0% (2752 of 2752 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 99.2% (2732 of 2752 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 98.5% (2712 of 2752 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Chinese (Simplified) (zh_CN)) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/

po: update translations

(Korean) currently translated at 65.4% (1695 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 65.3% (1693 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (714 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

- - - - -
fdc8329e by Pavel Březina at 2023-09-07T11:42:49+02:00
pot: update pot files

- - - - -
725c5541 by Pavel Březina at 2023-09-07T12:20:22+02:00
tests: include passkey test code only if passkey is built

Otherwise `make check` fails.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
37653402 by Patrik Rosecky at 2023-09-08T14:41:24+02:00
tests: convert multihost/basic/test_basic to test_kcm and test_authentication

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6540a67c by Jakub Vavra at 2023-09-11T10:31:24+02:00
Tests: Print krb5.conf when joining realm.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
8fc5aadb by Jakub Vavra at 2023-09-11T10:31:24+02:00
Tests: Split package installation to different transactions.

When a package is missing/broken, dnf does not install anything
on Fedora; this prevented automation from working properly.
This way the "optional" packages are installed separately.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
e73efe15 by Jakub Vavra at 2023-09-11T10:31:24+02:00
Tests: Handle dns with systemd resolved.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
233a846e by Pavel Březina at 2023-09-15T10:49:56+02:00
tests: add sssd_test_framework.markers plugin

This loads additional markers defined in the sssd_test_framework.

Currently, there is only `builtwith` to check if SSSD was built with
particular feature (files-provider only at this moment).

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f05d4ec1 by Dan Lavu at 2023-09-25T13:41:50+02:00
tests: adding group and importance markers

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
39dde256 by Jakub Vavra at 2023-09-26T08:16:27+02:00
tests: Add missing pytest marker config.

Reviewed-by: Patrik Rosecky <prosecky at redhat.com>

- - - - -
9474e0f4 by Sumit Bose at 2023-09-26T16:14:22+02:00
ci: remove unused clang-analyzer from dependencies

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
57dac1e2 by Justin Stephenson at 2023-09-26T16:15:41+02:00
Passkey: Allow kerberos preauth for "false" UV

When IPA passkey configuration sets require-user-verification=false
then the user verification value will be 0. We need to allow this
configuration within the plugin.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2c05926e by Iker Pedrosa at 2023-09-26T16:15:41+02:00
passkey: omit user-verification

If user-verification is disabled and the key doesn't support it, then
omit it. Otherwise, the authentication will produce an error and the
user will be unable to authenticate.

I have also added a unit-test to check this condition.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit a8daf9790906b7321024fef8e636f9c1b14343ab)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bcbc0b31 by aborah at 2023-09-26T16:18:40+02:00
Tests: Enabling proxy_fast_alias shows "ldb_modify failed: [Invalid attribute syntax]" for id lookups.

Enabling proxy_fast_alias shows "ldb_modify failed: [Invalid attribute syntax]" for id lookups.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
5f3c82d3 by aborah at 2023-09-26T16:19:37+02:00
Tests: Port rootdse test suite to new test framework.

Port rootdse test suite to new test framework.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
01bee47a by Alexey Tikhonov at 2023-09-26T16:21:05+02:00
SUDO service: ${DEBUG_LOGGER} was missed for 'sudo'

service in a7277fecf7a65ab6c83b36f009c558cdfbf997d2

Resolves: https://github.com/SSSD/sssd/issues/6920

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae920b9a by Justin Stephenson at 2023-09-27T19:39:19+02:00
tests: Improve read write pipe child tests

Add test for multiple reads with a large message, and
add tests for child read/write safe calls.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1f4fffdb by Justin Stephenson at 2023-09-27T19:39:19+02:00
util: Realloc buffer size for atomic safe read

Realloc and increase the buffer size when safe read returns more
than CHILD_MSG_CHUNK size bytes.

This handles multiple passkey mappings returned from the krb5 child
in kerberos pre-authentication.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b90021b8 by Alexey Tikhonov at 2023-09-27T19:39:58+02:00
CONFDB: get rid of "lastUpdate"

Don't bother, just always re-create ldb. Service restart doesn't
happen often.

It's broken since cca497b4cbbbf05c4f9181b7d8113cde81754831 anyway.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e5709306 by Alexey Tikhonov at 2023-09-27T19:39:58+02:00
CONFDB: get rid of 'config_file_version'.

'config_file_version' is expected to be '2' since 2009.
Having an option that can have only a single hard-defined value
is confusing.

Check of 'version' was performed in `confdb_test()`.
Practically it could only fail if 'version' was missing
(i.e. missing/empty file).

This patch replaces `confdb_test()` with `stat()` with
similar logic - execute confdb_create_base() if file is
missing/empty.

:config:Obsolete 'config_file_version' option was removed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9efd79b0 by Alexey Tikhonov at 2023-09-27T19:41:26+02:00
SSSDConfig: use 'setuptools' instead of 'distutils'

The Python standard library distutils module will be removed from Python 3.12+

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
61bf109a by Pavel Březina at 2023-09-27T19:41:26+02:00
SSSDConfig: set PYTHONPATH to make setuptools work on centos8

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0a254e43 by Alexey Tikhonov at 2023-10-02T09:50:59+02:00
BUILD: get rid of `--with-semanage` ./configure switch

:relnote:Explicit `--with-semanage` ./configure switch was removed,
going forward `--with-selinux` includes this.

Resolves: https://github.com/SSSD/sssd/issues/6647

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
88d8afbb by Alexey Tikhonov at 2023-10-02T09:51:21+02:00
MC: a couple of additions to 'recover from invalid memory cache size' patch

Additions to 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 :

 - handle all invalidations consistently
 - supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`,
   not a pointer to a local var

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
086e46f1 by Alexey Tikhonov at 2023-10-02T09:51:54+02:00
Stop supporting libini older than 1.3

1.3 is out since 2016

:relnote: SSSD now requires libini not older than v1.3

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6f8f7c82 by Justin Stephenson at 2023-10-03T10:50:03+02:00
Passkey: Increase conv message size for prompting

Size needs to handle the prompts for interactive, touch, pin prompt, and
kerberos pre-auth warning message which could all be displayed.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
64422699 by Patrik Rosecky at 2023-10-03T10:50:29+02:00
Tests: converted alltests/test_pasword_policy.py to tests/test_ldap.py

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9dccf7ff by Pavel Březina at 2023-10-03T10:50:56+02:00
ci: install latest SSSD code on IPA server

This allows us to test changes to the server mode as well.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
620af3b3 by Patrik Rosecky at 2023-10-03T10:51:56+02:00
Tests: alltest/test_sssctl_local.py converted to system/tests/sssctl.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ea7273b3 by Patrik Rosecky at 2023-10-03T10:52:38+02:00
Tests: multihost/basic/test_files converted

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
66c0a2d0 by Madhuri Upadhye at 2023-10-03T10:54:43+02:00
tests: add passkey tests for sssctl and non-kerberos authentication

1. Register a key with sssctl
2. Register a key with IPA sssctl command
3. Check authentication of user with IPA, LDAP, AD and Samba

All tests cases automated with umockdev.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
2c59fd21 by Alejandro López at 2023-10-06T11:21:15+02:00
NSS: Replace notification message by a less scary one

Replace the message "Unable to find primary gid" by another one that
sounds less scary and is a little bit clearer for users.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8ecfe20e by Patrik Rosecky at 2023-10-06T11:21:57+02:00
Tests:alltests/test_rfc2307.py converted to test_ldap.py

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b07a7552 by Patrik Rosecky at 2023-10-06T11:22:35+02:00
Tests: alltests/test_sss_cache.py converted to multihost/test_sssctl.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
a997ee7b by licunlong at 2023-10-06T14:04:01+02:00
cli: calculate the wait_time in milliseconds

The timeout we pass in is 300000ms, and we sleep 1s every
time we get an EAGAIN error, so we need to multiply
sleep_time by 1000.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1082f256 by Scott Poore at 2023-10-10T15:52:02+02:00
Tests: add follow-symlinks to sed for nsswitch

The multihost/alltests/test_automount_from_bash.py test module runs a
sed against /etc/nsswitch.conf which converts it from a link to a file.
This causes issues with authselect in later tests resulting in test
errors.  This can be fixed by adding the --follow-symlinks option.

The restore() from the fixture should return the config to its original
content.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
22f8eee9 by Alejandro López at 2023-10-10T18:47:51+02:00
UTILS: Create a macro for the --config option

Other common options already have their macro. I'm
creating the macro SSS_CONFIG_OPTS for this one.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
049edefe by Alejandro López at 2023-10-10T18:47:51+02:00
UTILS: Add the db file name to server_setup()'s parameters

The db file was forced to CONFDB_FILE and there was no possibility of
changing it. Now it is passed as an argument.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7cc28f32 by Alejandro López at 2023-10-10T18:47:51+02:00
CONFDB: Allow loading an empty configuration

Function confdb_setup() returns an error if the configuration file(s)
is(are) missing. In some cases it can be acceptable to have an empty
configuration and use the default values.

We are adding a parameter to confdb_setup() to allow empty files.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e6c1d3ab by Alejandro López at 2023-10-10T18:47:51+02:00
CONFDB: Fixed some missing dependencies in a header file

confdb_setup.h did not include all the header files it requires.
So far those files happened to be included before this file, so
no compilation error occurred, but the problem was hiding in the
shadows.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0485342f by Alejandro López at 2023-10-10T18:47:51+02:00
KCM: Handle its own configuration

KCM now uses the ${SSS_STATEDIR}/db/config_kcm.ldb database to store its
configuration. config.ldb is no longer used by KCM.

The configuration text file remains the same.

Resolves: https://github.com/SSSD/sssd/issues/6926

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
93ee0159 by Alejandro López at 2023-10-11T13:43:16+02:00
KCM: Remove the oldest expired credential if no more space.

:feature: When adding a new credential to KCM and the user has
          already reached their limit, the oldest expired credential
          will be removed to free some space.
          If no expired credential is found to be removed, the operation
          will fail as it happened in the previous versions.

Resolves: https://github.com/SSSD/sssd/issues/6667

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
96d8b77a by Alejandro López at 2023-10-11T13:43:16+02:00
KCM: Display in the log the limit as set by the user

max_uid_ccaches is unconditionally incremented by 2 in ccdb_secdb_init()
to create space for some internal entries. We cannot just show this
value as it is not what the user configured.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ad9bf1bb by Justin Stephenson at 2023-10-11T13:44:46+02:00
use systemd-sysusers

Signed-off-by: Jonathan <jonathan at knownhost.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
88a386e1 by Jakub Vavra at 2023-10-12T11:23:15+02:00
Tests: Skip tests unstable on other archs and tweak realm join.

Unify realm join for AD params tests to use code with timeout
to prevent suite freezing in sasl authid tests.
Set the whole suite as flaky to retry when realm join freezes.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
8264cb57 by Jakub Vavra at 2023-10-16T10:23:08+02:00
Tests: Fix AD param sasl tests.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
421a818f by Alexey Tikhonov at 2023-10-16T10:23:30+02:00
configure: use 'LDB_CFLAGS'

Also add all common *_CFLAGS to cwrap tests.

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4a9f8ebb by Jakub Vavra at 2023-10-16T11:19:08+02:00
Tests: adjoin in test_00015_authselect_cannot_validate_its_own_files

Switch test_00015_authselect_cannot_validate_its_own_files to use adjoin
fixture instead of joining manually.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
76019187 by Sumit Bose at 2023-10-16T13:34:42+02:00
utils: enable talloc null tracking

With this patch talloc_enable_null_tracking() is called during
`server_setup()` to make talloc memory usage reports more useful.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c3869923 by Sumit Bose at 2023-10-16T13:35:11+02:00
proxy: add support for certificate mapping rules

To be able to do local Smartcard authentication the backend must be able
to map a certificate to a user based on the provided mapping rules.

With this patch the proxy provider is able to handle the certificate
mapping rules and users handled by the proxy provider can be configured
for Smartcard authentication. Besides the mapping rule local Smartcard
authentication should be enabled with the 'local_auth_policy' option in
the backend and with 'pam_cert_auth' in the PAM responder.

:relnote: The proxy provider is now able to handle certificate mapping and
  matching rules and users handled by the proxy provider can be
  configured for local Smartcard authentication. Besides the mapping rule
  local Smartcard authentication should be enabled with the 'local_auth_policy'
  option in the backend and with 'pam_cert_auth' in the PAM responder.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
ffd46743 by Sumit Bose at 2023-10-16T13:35:11+02:00
intg: add NSS module for nss-wrapper support

The main use case of this NSS module is to run proxy provider tests with
cwrap's nss-wrapper.  The proxy provider loads the NSS modules directly
with dlopen() and is not using glibc's NSS mechanism. Since nss-wrapper
just wraps the standard glibc calls and does not provide an NSS module
on its own we have to use this workaround to make proxy provider work
with nss-wrapper.

DO NOT USE THIS IN /etc/nsswitch.conf, it will cause an infinite loop.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
54f55896 by Sumit Bose at 2023-10-16T13:35:11+02:00
intg: replace files with proxy provider in PAM responder test

This patch replaces the deprecated files provider in the PAM responder
tests with the proxy provider. The straight-forward replacement would be
'proxy_lib_name = files' to use libnss_files.so.2 with the proxy
provider. But the tests are using nss-wrapper which wraps the plain
glibc calls. Because of this the test is using a dedicated NSS module to
work with nss-wrapper.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
8952f6d8 by Sumit Bose at 2023-10-16T13:35:11+02:00
confdb: add new option for confdb_certmap_to_sysdb()

With this new boolean option the backends calling
confdb_certmap_to_sysdb() can indicate if the certificate mapping rules
should be applied for local users or not, which currently means LDAP
based mapping with a search filter string.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
f5f8030a by Sumit Bose at 2023-10-16T13:35:11+02:00
intg: use file and proxy provider in PAM responder test

All Smartcard authentication related tests are run now with the proxy
provider and the deprecated files provider. If the files provider will
be removed the tests can be removed by reverting this patch.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
4d475e41 by Sumit Bose at 2023-10-16T13:35:11+02:00
intg: add proxy auth with fallback test

SSSD currently assumes that PAM modules configured for the proxy auth
provider expect passwords as input. If a Smartcard is present during the
authentication, but local Smartcard authentication is not enabled, the
user should see a password prompt.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
45e06b77 by Justin Stephenson at 2023-10-18T15:29:41+02:00
man: Improve LDAP security wording

All communication, including the identity provided must be
encrypted to prevent attacks.

Resolves: #6681

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
847aa712 by Justin Stephenson at 2023-10-18T15:29:41+02:00
ldap: Switch ldap_id_use_start_tls default to True

:relnote: Default `ldap_id_use_start_tls` value changed from `false` to `true` for improved security.

Resolves: #6681

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f0bba9d5 by Tomas Halman at 2023-10-18T15:31:27+02:00
dyndns: PTR record updates separately

DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.

It is complicated and in some cases impossible to detect that
PTR updates do not fit into one zone because it often depends
on DNS server configuration.

With this patch PTR record updates are always sent separately.

Resolves: https://github.com/SSSD/sssd/issues/6956

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
bd839b85 by Dan Lavu at 2023-10-18T15:35:16+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
cb72984e by Dan Lavu at 2023-10-18T15:35:16+02:00
Updating ad_multihost test

* fixing raiseonerr=False to disjoin function
* cleaned up code since the line limit has increased
* added AD from forest1 to resolv.conf and /etc/hosts
* updating test case documentation to clarify the test

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
95678ad7 by Dan Lavu at 2023-10-18T15:35:16+02:00
Adding test case for bz2167728

* Cleaned up lines since the character count has increased
* Added test ids to existing tests

Signed-off-by: Dan Lavu <dlavu at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
38d334ea by Iker Pedrosa at 2023-10-23T13:27:50+02:00
man: clarify user credentials for `cache_credentials`

It only applies to passwords, not other authentication mechanisms like
smartcards or passkeys.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ce117ae0 by Patrik Rosecky at 2023-10-23T13:30:50+02:00
TESTS: topology set to KnownTopologyGroup.AnyProvider

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6814b278 by Justin Stephenson at 2023-10-23T13:31:09+02:00
CI: Add dependabot to get updates of github actions

GitHub provides a bot called 'Dependabot' which can
be used to automate version updates to Github
actions. Adding this check monthly will trigger
dependabot to create PRs with updates to github
actions versions in use by SSSD.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7a3cc7a7 by Jakub Vavra at 2023-10-25T15:07:29+02:00
Tests: Fix autofs cleanups

Autofs tests were not cleaning properly leaving behind stuck/unresponsive
mounts. This was failing other tests that were executed after these suites.
Tests were stuck when trying to create new local users or listing dirs.

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
e01378ae by Alejandro López at 2023-10-25T15:11:54+02:00
CI: Corrected the path to the logs

Logs were not included in the artifacts because the path was incorrect.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
58c7b647 by Alejandro López at 2023-10-25T15:11:54+02:00
KCM: Clean the pipe after the test has finished

Tests were sometimes failing because they were opening the pipe
while KCM was shutting down. This was happening because tests were
successfully opening the pipe because it was left over by the
previous instance of KCM. So to avoid this we immediately remove
the pipe during teardown. With this, tests will fail to open it
and keep trying until it is re-created by the new instance of KCM.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
54744f29 by Alejandro López at 2023-10-25T15:11:54+02:00
TESTS: Give KDC time to initialize

Some PAM tests sometimes fail because they start before KDC has
finished its initialization. Adding a short delay to let it complete
its initialization before launching the actual tests.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a7b19bcb by Sumit Bose at 2023-10-25T15:15:23+02:00
ipa: reduce log level of some HBAC log messages

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5a211ec9 by Iker Pedrosa at 2023-10-25T15:59:23+02:00
CI: build passkey for centos-9

Also include RHEL9+ to build passkey in the spec file.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0456ecad by dependabot[bot] at 2023-10-26T11:34:08+02:00
build(deps): bump DamianReeves/write-file-action

Bumps [DamianReeves/write-file-action](https://github.com/damianreeves/write-file-action) from 41569a7dac64c252caacca7bceefe28b70b38db1 to 0a7fcbe1960c53fc08fe789fa4850d24885f4d84.
- [Release notes](https://github.com/damianreeves/write-file-action/releases)
- [Commits](https://github.com/damianreeves/write-file-action/compare/41569a7dac64c252caacca7bceefe28b70b38db1...0a7fcbe1960c53fc08fe789fa4850d24885f4d84)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2f5b2999 by dependabot[bot] at 2023-10-26T11:34:33+02:00
build(deps): bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ff42d889 by dependabot[bot] at 2023-10-26T11:34:56+02:00
build(deps): bump vapier/coverity-scan-action from 1.2.0 to 1.7.0

Bumps [vapier/coverity-scan-action](https://github.com/vapier/coverity-scan-action) from 1.2.0 to 1.7.0.
- [Release notes](https://github.com/vapier/coverity-scan-action/releases)
- [Commits](https://github.com/vapier/coverity-scan-action/compare/v1.2.0...v1.7.0)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
cbb10731 by dependabot[bot] at 2023-10-26T11:36:54+02:00
build(deps): bump linuxdeepin/action-cppcheck

Bumps [linuxdeepin/action-cppcheck](https://github.com/linuxdeepin/action-cppcheck) from 9ef62c4ec8cd5660952cd02c58b83fa57c16a42b to e63fb1d3f321e0467737aa9de7f691360fb1b8fb.
- [Release notes](https://github.com/linuxdeepin/action-cppcheck/releases)
- [Commits](https://github.com/linuxdeepin/action-cppcheck/compare/9ef62c4ec8cd5660952cd02c58b83fa57c16a42b...e63fb1d3f321e0467737aa9de7f691360fb1b8fb)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4f5b1a25 by Pavel Březina at 2023-10-27T13:15:28+02:00
intg: return status code for calls requiring it in fake nss module

To avoid gcc warning that a function is not returning a value.

```
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_setpwent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:63:1: error: control reaches end of non-void function [-Werror=return-type]
   63 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_endpwent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:77:1: error: control reaches end of non-void function [-Werror=return-type]
   77 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_setgrent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:98:1: error: control reaches end of non-void function [-Werror=return-type]
   98 | }
      | ^
/shared/workspace/sssd/src/tests/intg/nss_call.c: In function '_nss_call_endgrent':
/shared/workspace/sssd/src/tests/intg/nss_call.c:111:1: error: control reaches end of non-void function [-Werror=return-type]
  111 | }
      | ^
```

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
83eec363 by Dusan Uradnik at 2023-11-01T10:43:13+01:00
sbus: store dbus connection name in domain.conn_name

We're moving towards a single D-Bus server in monitor, therefore we
will be relying on connection names instead of connection addresses.

It makes sense to have the name easily available from the domain.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b9c1d7d6 by Pavel Březina at 2023-11-01T10:43:13+01:00
sbus: add destination to request key

We are moving to have a single dbus server, therefore we need to
consider the destination when chaining individual requests.

This actually revealed a bug in current implementation of provider
notifications from dp_resp_client.c. Since all requests were sent
over single bus (the monitor), they were chained and only the first
request (to nss responder) reached the destination and other processes
were never notified.

With the destination added to the key, the requests are no longer
chained and all processes are notified, including PAM which suddenly
broke smartcards tests that were using the files provider. The files
domain was inconsistent and under refresh when the authentication
was attempted. We need to wait for the refresh to be finished so the
test can continue.

Resolves: https://github.com/SSSD/sssd/issues/6286

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9f8551a1 by Pavel Březina at 2023-11-01T10:43:13+01:00
sbus: centralize communication to a single dbus server

Now there is only one dbus server in the monitor process instead of
having a server in each running process. This will simplify the
communication and allow us to use signals effectively.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a25b16ed by Pavel Březina at 2023-11-01T10:43:13+01:00
sbus: correctly handle reply on signal chaining

Signals do not support replies, however some of them can be chained.
If multiple parallel signals are chained into a single request, SSSD would
crash here because the code expected that a reply is already available.

In this case, we still need to finish all signals in the chain list, but
no reply is present.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ab486cbc by Pavel Březina at 2023-11-01T10:43:13+01:00
sbus: convert calls in dp_resp_client.c into signals

We do not require any reply from the destination so signals are
much better format for these calls.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d9b2b8e5 by Pavel Březina at 2023-11-01T10:43:13+01:00
sbus: disable chaining for SetActive and SetInconsistent

Even in the unlikely case when multiple of these methods were
called in parallel, we must treat them as separate calls and
handle them individually to avoid situations like:

- SetInconsistent
- SetActive
- SetInconsistent

Here, if chained, it translates to SetInconsistent -> SetActive, which
is wrong. Therefore we can not chain these signals.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
529af409 by Pavel Březina at 2023-11-01T10:43:13+01:00
sss_iface: split connection to dbus server and service registration

This allows us to connect to the D-Bus server sooner and remove code
duplication in responders and backend.

Now we can connect to the bus when we are ready and register the process
in the monitor when the process is fully initialized.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8b47a9a3 by Pavel Březina at 2023-11-01T10:43:13+01:00
backend: connect to private dbus in a blocking way

We used asynchronous connection because we were also creating
a dbus server. Now we do not create the server anymore so we
can switch back to a blocking call and simplify the code.

Blocking call is alright at this moment, since we can not serve
any requests anyway and the backend is not yet fully initialized.
Whole initialization was postponed until this call is finished
in non-blocking mode as well.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9a47e2b0 by Pavel Březina at 2023-11-01T10:43:13+01:00
dp: remove client registration code

Switching to single dbus server allows us to remove this code since
all clients can now be contacted via their own unique dbus name.

This code is no longer used since the switch.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
174fb9e0 by Pavel Březina at 2023-11-01T10:43:14+01:00
sbus: log sender of received message

So we are able to match the logged messages with particular sender.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
10c1942e by Pavel Březina at 2023-11-01T10:43:14+01:00
sbus: make sbus_connect_private_send static

Asynchronous connection to D-Bus is only needed when creating a server
and that is done by `sbus_server_create_and_connect_send`. Non-blocking
connection does not make sense on other places in SSSD because we use
D-Bus for IPC therefore if D-Bus connection is not functional, our
process can not function as well and therefore the blocking connection
actually makes more sense.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9ece4e13 by Pavel Březina at 2023-11-01T10:43:14+01:00
dp: build dp_sbus_domain_active/inconsistent only with files provider

These signals are only used by the files provider; they are not completely
reliable because they are prone to race conditions and should not
really be used elsewhere.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fbff0989 by Pavel Březina at 2023-11-01T11:16:36+01:00
dependabot: add ci prefix to commit messages

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
8804a2c6 by Masahiro Matsuya at 2023-11-02T12:06:58+01:00
TESTS: test_0017_filesldap is missing staticmethod

* @staticmethod is required for this method.
* setup_sssd_krb is added since krb configuration is required for this test.
* The first sssctl can make the pipe number increase (usually +2), so run
the first sssctl before collecting /tmp/before_count.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
17cf4bbb by Pavel Březina at 2023-11-02T13:59:29+01:00
ci: get frozen Fedora releases in the matrix

A Fedora release may be in a frozen state (beta freeze, final freeze);
in such a case, it is temporarily not visible under "pending"
but under "frozen".

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
b0212b04 by Alexey Tikhonov at 2023-11-03T12:06:31+01:00
SSS_CLIENT: replace `__thread` with `pthread_*specific()`

in sss_client code to properly handle the OOM condition (with `__thread`
glibc terminates the process in this case).

The solution relies on the fact that `sss_cli_check_socket()` is always
executed first, before touching the socket.
Nonetheless, there are sanity guards in setters/getters just in case.

It's possible to move context initialization code into a separate
function and call it in every getter/setter, but probably not worth it.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Carlos O'Donell <codonell at redhat.com>
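The per-thread context handling that b0212b04 describes, as an added C example that is not SSSD's code: the client state lives under a pthread key created once, is allocated lazily on first use, and an allocation failure comes back as ENOMEM from the accessor instead of glibc terminating the process as it does for a `__thread` variable it cannot allocate. `simulate_oom` is a fault-injection switch for the demo; `struct sss_cli_ctx`, `sss_cli_sd_get()`/`sss_cli_sd_set()` and `demo_oom_step()` are hypothetical names chosen for the example.

```c
/* Added example, not SSSD code: per-thread client context under a pthread
 * key, with OOM reported as an error code instead of aborting the process.
 * All names here are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

struct sss_cli_ctx {
    int sd;                 /* socket to the responder; -1 when not connected */
};

static pthread_key_t ctx_key;
static pthread_once_t ctx_once = PTHREAD_ONCE_INIT;
static int ctx_key_err;
static int simulate_oom;    /* demo fault injection: non-zero makes malloc() "fail" */

static void ctx_destructor(void *p)
{
    free(p);                /* runs when the owning thread exits */
}

static void ctx_key_create(void)
{
    ctx_key_err = pthread_key_create(&ctx_key, ctx_destructor);
}

/* Fetch, and on first use allocate, the calling thread's context. Every
 * failure is reported as an errno value; nothing here can abort the process,
 * which is the difference from a dynamically allocated __thread variable. */
static int ctx_get(struct sss_cli_ctx **out)
{
    struct sss_cli_ctx *c;

    if (pthread_once(&ctx_once, ctx_key_create) != 0 || ctx_key_err != 0) {
        return EAGAIN;
    }
    c = pthread_getspecific(ctx_key);
    if (c == NULL) {
        c = simulate_oom ? NULL : malloc(sizeof(*c));
        if (c == NULL) {
            return ENOMEM;
        }
        c->sd = -1;
        if (pthread_setspecific(ctx_key, c) != 0) {
            free(c);
            return ENOMEM;
        }
    }
    *out = c;
    return 0;
}

/* Sanity-guarded accessors: without a context there is simply no socket. */
int sss_cli_sd_get(void)
{
    struct sss_cli_ctx *c;

    return ctx_get(&c) == 0 ? c->sd : -1;
}

int sss_cli_sd_set(int sd)
{
    struct sss_cli_ctx *c;
    int rc = ctx_get(&c);

    if (rc == 0) {
        c->sd = sd;
    }
    return rc;
}

/* Demo, run in a fresh thread so that no context exists yet: step 0 is
 * ctx_get() under simulated OOM, step 1 the getter in that state, step 2 the
 * setter once memory is available again, step 3 the getter afterwards. */
static void *demo_thread(void *arg)
{
    int *result = arg;
    struct sss_cli_ctx *c;

    simulate_oom = 1;
    result[0] = ctx_get(&c);        /* ENOMEM, not a crash */
    result[1] = sss_cli_sd_get();   /* -1: still no context */
    simulate_oom = 0;
    result[2] = sss_cli_sd_set(42); /* 0: context created now */
    result[3] = sss_cli_sd_get();   /* 42 */
    return NULL;
}

int demo_oom_step(int step)
{
    pthread_t t;
    int result[4] = { -2, -2, -2, -2 };

    if (step < 0 || step > 3 || pthread_create(&t, NULL, demo_thread, result) != 0) {
        return -2;
    }
    pthread_join(t, NULL);
    return result[step];
}
```

The main thread is never touched by the demo thread: each thread gets its own lazily created context, and the key's destructor frees it when the thread exits, so a caller that hits ENOMEM once can simply retry later.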

- - - - -
26047f07 by Pavel Březina at 2023-11-09T12:23:14+01:00
ipa: do not go offline if group does not have SID

This happens while applying overrides on a cached group
during initgroups of a trusted user. If the group does not
have a SID (its GID is outside the sidgen range), SSSD goes
offline.

Only SSSD running in server_mode is affected.

This patch ignores the error in a single group and rather continues
processing the remaining groups.

Resolves: https://github.com/SSSD/sssd/issues/6942

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
962e9d05 by Sumit Bose at 2023-11-10T11:38:38+01:00
PAM: fix Smartcard offline authentication

Even if a Smartcard was inserted and proper certificates were found,
offline authentication with the Smartcard was not possible because the
certificate information was accidentally removed from the reply sent to
the PAM module.

Resolves: https://github.com/SSSD/sssd/issues/7009

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
96f568cb by Weblate at 2023-11-13T11:47:36+01:00
po: update translations

(Georgian) currently translated at 13.3% (95 of 713 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Korean) currently translated at 65.9% (1706 of 2585 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (713 of 713 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 100.0% (2761 of 2761 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (713 of 713 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Georgian) currently translated at 13.0% (93 of 713 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Polish) currently translated at 100.0% (713 of 713 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Georgian) currently translated at 8.2% (59 of 713 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Ukrainian) currently translated at 100.0% (2761 of 2761 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (713 of 713 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Korean) currently translated at 65.9% (1705 of 2585 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Finnish) currently translated at 10.2% (73 of 714 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 65.6% (1699 of 2589 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
a3ea7587 by Pavel Březina at 2023-11-13T11:50:40+01:00
pot: update pot files

- - - - -
ed4b1a5b by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
RESPONDER: remove unused code

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
afabbb95 by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
BUILD: make support of 'ucred' a hard requirement

:relnote:Building SSSD now requires availability of 'ucred'/
'SO_PEERCRED' to enforce certain security checks at runtime.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
246ae449 by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
RESPONDER: rely on SO_PEERCRED instead of socket path

to determine if the connected client runs under root

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62732b69 by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
PAM: get rid of private socket as it's not used anymore

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
db1a919f by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
RESPONDER: get rid of "private pipes" completely.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8c870280 by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
CLIENT:NSS: never resolve 'sssd' user/group

if built with non-root user support

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1451c6e0 by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
CLIENT:PAM: trust peer if it runs under 0 or SSSD_USER uid

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b6f44f10 by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
INTG-TESTS: fake SO_PEERCRED on responder side as well

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a3a37621 by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
RESPONDER: protection from (cctx->cmd_line == NULL)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4b0c58be by Alexey Tikhonov at 2023-11-14T12:44:24+01:00
RESPONDER: protection from failed `snprintf()`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3edc04d1 by Iker Pedrosa at 2023-11-14T12:44:40+01:00
CI: clean configure.sh

Support for Fedora 36-, RHEL/CentOS 6 and 7 in the master branch ended, so
let's remove them. In addition, Python2 support only exists in
RHEL/CentOS 8, so make only those two distributions use
`python2-bindings`. Finally, include RHEL/CentOS 10 for configurable
features.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
39a0de22 by Iker Pedrosa at 2023-11-14T12:44:40+01:00
CI: clean distro.sh

Support for Fedora 36- in master branch ended, so let's remove them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
05ea3f1b by Iker Pedrosa at 2023-11-14T12:44:40+01:00
CI: clean deps.sh

Support for Fedora 36- in master branch ended, so let's remove them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
292ef326 by Iker Pedrosa at 2023-11-14T12:44:40+01:00
CI: upload cwrap logs

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0f1a6e35 by Jakub Vavra at 2023-11-15T07:02:14+01:00
Tests: Add a test for bz1900973 kcm delete expired tickets

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
3eae4cc5 by Alexey Tikhonov at 2023-11-17T14:09:25+01:00
SPEC: 'sssd-proxy' requires 'libsss_certmap.so'

Resolves the following rpminspect warning:
```
Subpackage sssd-proxy carries 'Requires: libsss_certmap.so.0()(64bit)' which comes from
subpackage libsss_certmap but does not carry an explicit package version requirement.
Please add 'Requires: libsss_certmap = %{version}-%{release}' to the spec file to avoid
the need to test interoperability between various combinations of old and new subpackages.
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2617dcfd by Alexey Tikhonov at 2023-11-17T14:10:31+01:00
UTIL: use proper specifier for 'DEBUG_CHAIN_ID_FMT_*'

Resolves: https://github.com/SSSD/sssd/issues/6790

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
098bf64a by Alexey Tikhonov at 2023-11-17T14:10:31+01:00
Don't provide 'uint64_t' as POPT_ARG_LONG.

Sizes might not match on some platforms.

Resolves: https://github.com/SSSD/sssd/issues/6790

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
92e85f1a by Dan Lavu at 2023-11-28T12:35:05+01:00
tests: consolidation, refactoring and organizing, renaming of some tests

- added markers to pytest.ini
- added markers to tests
- consolidated two sssctl test files into one, sssctl_config_check.py and sssctl.py
- renamed test_id.py to test_identity.py, just to match the marker groups
- renamed the test cases in test_identity.py to be more readable
- renamed test_ldap_extra_attrs.py to test_schema.py; after looking at the tests, it's testing the schema attributes
- appended test_shadow.py to test_ldap.py; tests shadowlastchange = 0 in LDAP

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
230e7757 by Alejandro López at 2023-11-28T13:23:12+01:00
LOGROTATE: logrotate should also signal sssd_kcm

sssd_kcm is not registered with SSSD's monitor, so it is not signaled
when it must restart the log. Adding this command will directly signal
sssd_kcm (in addition to the monitor).

If sssd_kcm is also running in one or more containers, they will also
receive the signal. Because only the log files on the host were rotated,
the instances in the containers will go on using the same log files.
Nothing will happen except for the "Received SIGHUP. Rotating logfiles."
message in the log files. If we want to avoid this, we should implement
a PID file.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c73b7eb8 by Alejandro López at 2023-11-28T13:23:46+01:00
KCM: Replace a hard-coded constant by a macro

The per-UID quota is internally increased by 2. This value is no
longer hard-coded but replaced by the KCM_MAX_UID_EXTRA_SECRETS macro.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3cba6d11 by Alejandro López at 2023-11-28T13:23:46+01:00
KCM: Fixed a wrong check

The pointer to the newly allocated iobuffer is stored into
state->op_ctx->reply but the check for NULL is done on state->reply,
which we already know is not NULL because it was checked before and
not modified after that.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
12692054 by Alejandro López at 2023-11-28T13:23:46+01:00
KCM: Remove unused cc_be_type from struct kcm_ccdb

This field is never set and never used. Let's remove it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2eb67afc by Alejandro López at 2023-11-28T13:23:46+01:00
KCM: When freeing the client, check that it is not NULL.

`cc->client` could be NULL.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
edb63cde by Alejandro López at 2023-11-28T13:23:46+01:00
KCM: sss_iobuf_init_empty() shall not zero memory

sss_iobuf_init_empty() and related functions zero the allocated memory
even though it is not needed. Most of the time, all the fields in the
structures will be set to non-zero values. In these cases zeroing the
memory is useless and we stop doing it.

Only in two cases, some pointers were being left unmodified, so they
are now being manually set to NULL.

Resolves: https://github.com/SSSD/sssd/issues/7014

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fe6c35ad by Alejandro López at 2023-11-28T13:23:46+01:00
KCM: Reduce the amount of memory allocated for the packages

Some packages are being allocated to their maximum size, even though all
that memory is not required. When the amount of memory needed is not known,
we reduce the amount of memory allocated to the initial size defined by
the KCM_PACKET_INITIAL_SIZE macro.

The existing KCM_REPLY_MAX was replaced by KCM_PACKET_MAX_SIZE.

Resolves: https://github.com/SSSD/sssd/issues/7014

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b4f9f63b by Alejandro López at 2023-11-28T13:23:46+01:00
KCM: Do not zero memory when not needed.

A few more cases where memory is allocated and zeroed when it is not
required.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ae6b9163 by Petr Mikhalicin at 2023-11-28T14:08:58+01:00
pam_sss: fix passthrough of old authtok from other pam modules at PAM_PRELIM_CHECK

pam_sss ignored old authtoks passed from other pam modules

Resolves: https://github.com/SSSD/sssd/issues/7007
Resolves: https://github.com/SSSD/sssd/issues/5418

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e9189052 by Patrik Rosecky at 2023-11-29T08:30:54+01:00
Tests: converted alltests/test_default_debug_level

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
e9e6d80e by Sumit Bose at 2023-12-01T10:35:05+01:00
ci: make valgrind suppression more relaxed for test_ipa_subdomains_server

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cffe6e09 by Sumit Bose at 2023-12-01T10:35:34+01:00
nssidmap: fix sss_nss_getgrouplist_timeout() with empty secondary group list

sss_nss_getgrouplist_timeout() is intended as a replacement for
getgrouplist() which only gets secondary groups from SSSD. Currently it
returns an ENOENT error if there are no secondary groups returned by
SSSD. However, as with getgrouplist(), there is the second parameter
which expects a single GID which will be added to the result. This means
that sss_nss_getgrouplist_timeout() will always return at least this GID
as a result and an ENOENT error does not make sense.

With this patch sss_nss_getgrouplist_timeout() will not return an error
anymore if there are no secondary groups but just a result with the
single GID from the second parameter.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5e7cd889 by Sumit Bose at 2023-12-04T11:25:43+01:00
pam: fix Smartcard auth with files provider

It is expected that the files provider ignores the local_auth_policy
option and supports Smartcard authentication by default.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f4c9d6ef by Madhuri Upadhye at 2023-12-05T22:10:16+01:00
tests: add passkey tests for authentication failures

Test cases are as follows:
4. Check auth deny for incorrect pin for LDAP, IPA, AD and Samba.
5. Check auth deny for incorrect passkey mapping for LDAP, IPA, AD and Samba.
6. Check auth of user when server is not resolvable for IPA, LDAP, AD and Samba.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
2a3e47af by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: move all socket paths checks to a single function

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
41f8a689 by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: remove check for rw-rw-rw-

as it doesn't make much sense anyway.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4255a0fe by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
KRB5: a comment to explain the need for explicit `sss_pac_check_and_open()`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
079f433d by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: reduce code duplication

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
57ed0de6 by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: add an optional check of server credentials

to `sss_cli_make_request_with_checks()`

This requires making sure 'sss_sssd_*id' are initialized in
`check_server_cred()`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1f8ec39c by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: reduce code duplication

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4e1a794f by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: SUDO: force check of server credentials

as a general hardening

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
32b67e67 by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: move sudo/autofs/ssh related code

out of common module

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8d0a88ee by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
SUDO: refuse to serve clients running under non-root

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ff2a7118 by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
SUDO: make 'sssd_sudo' socket sssd:sssd owned

The only intended client of 'sssd_sudo' is 'sudo', which is a suid
binary and thus can still access the socket.
But if for whatever reason it's undesirable to make 'sudo' use
its CAP_DAC_OVERRIDE capability then the socket mode can be changed
to rw-rw-rw; the previous patch restricts access to the socket
to root only.

The reason for this change is to avoid the need for CAP_CHOWN for
SSSD itself.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4a01583f by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
PAM: no need for root:root owned socket

since 1451c6e034d20cd1d8947d53bd2da3aa75527ba8

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4d6551e8 by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
RESPONDER: remove support for custom pipe_fd

from `sss_process_init()` as it's not used anymore

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8f58e22a by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
SUDO: don't overwrite major error code with minor one

The latter can be zero (example: socket closed during
`sss_cli_recv_rep()`)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ad70f159 by Alexey Tikhonov at 2023-12-06T14:36:24+01:00
CLIENT: fixed a mistype in `check_socket_cred()`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8ff7fdc1 by Sumit Bose at 2023-12-06T17:55:08+01:00
sssctl: do not require root for user-checks

There is no requirement for root to run the test and if the user does
not have the needed privileges to access the related services this is
good as a test result as well. Additionally, at least pam_chauthtok()
behaves differently when being called as root compared to an ordinary
user.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
38db355a by Jakub Vavra at 2023-12-06T17:56:00+01:00
Tests: Add a test for kcm log rotation SSSD-5687

Ticket: https://issues.redhat.com/browse/SSSD-5687

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
a5f636bb by Patrik Rosecky at 2023-12-06T17:56:32+01:00
Tests: alltests/test_autoprivategroup.py converted to system/test_auto_private_groups.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
736430aa by Pavel Březina at 2023-12-06T18:50:04+01:00
spec: use sysusers directly from sssd tarball

* sssd.sysusers does not have to be created by autoconf
* it is already present in the tarball so it does not have to be
  added as another rpm source

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
76d3b5a4 by Pavel Březina at 2023-12-06T18:50:20+01:00
ad: do not print backtrace if SSSD domain name is not the same as DNS name

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3e976dc6 by Pavel Březina at 2023-12-06T18:50:20+01:00
ad: do not print backtrace if SOM is missing in GPO

This is expected on empty GPOs and we just skip the element.
Therefore we should not print backtrace.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0f9611cd by Pavel Březina at 2023-12-07T16:15:41+01:00
tests: adapt to new firewall API

The firewall API was redesigned in order to make it more flexible and
start supporting outbound rules as well. Blocking all communication
to a given host using outbound rules is less prone to errors since
it does not depend on specific ports.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
60fdacfd by Justin Stephenson at 2023-12-07T16:22:26+01:00
passkey: Add krb5 preauthentication prompt support

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
271bb6c7 by Alexey Tikhonov at 2023-12-08T12:12:28+01:00
CLIENT: fix covscan complaint

that `sss_cli_sd_get()` can return negative value
but `check_server_cred()` can't handle it.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
39cd0baa by Alexey Tikhonov at 2023-12-08T12:14:11+01:00
DP: reduce log level in case a responder asks for unknown domain

Since 9358a74d3a56c738890353aaf6bc956bfe72df99 a domain might be
skipped by 'ad_enabled_domains' option

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c2360811 by Patrik Rosecky at 2023-12-08T13:22:33+01:00
Tests: alltests/test_ldap_extra_attrs.py converted to system/tests/test_schema.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5bbc1465 by Alexey Tikhonov at 2023-12-11T18:25:51+01:00
CI: don't run sssd-2.10+ on 'centos-8'

as it lacks required glibc functionality

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1980e2c4 by Stanisław Pitucha at 2023-12-11T18:26:35+01:00
LDAP: Allow ignoring the ppolicy extension

Introduce `ldap_use_ppolicy` and allow disabling it to interact with
providers that send broken ppolicy responses.
This fixes interaction with the Okta LDAP gateway.

Resolves: https://github.com/SSSD/sssd/issues/6666

:config: Add a ldap_use_ppolicy option for backends with broken ppolicy
  extension handling.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
97c05c4e by Alexey Tikhonov at 2023-12-12T11:34:00+01:00
LOGS: added missing new line

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6ed1eff4 by Justin Stephenson at 2023-12-12T11:36:09+01:00
passkey: Skip processing non-passkey mapping data

In the AD case, the user altSecurityIdentities attribute can
store passkey, smartcard, or ssh public key mapping data. Check
to ensure we are handling passkey data before continuing in
PAM passkey processing.

:relnote: Fixes a crash when PAM passkey processing incorrectly
handles non-passkey data.

Resolves: https://github.com/SSSD/sssd/issues/7061

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ff8f248b by Jakub Vavra at 2023-12-12T15:37:09+01:00
Tests: Fix tokengroups tests.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
df1b7454 by Jakub Vavra at 2023-12-15T07:49:43+01:00
Tests: Retry realm join as it is flaky on multiarch setups

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
a5270f89 by Jakub Vavra at 2023-12-15T14:58:40+01:00
Tests: Change path to keytabs to reflect whole domain in them

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
5fb0a9dd by Jakub Vavra at 2023-12-20T06:53:24+01:00
Tests: Add importance and ticket to multihost

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
b66035f3 by Jakub Vavra at 2023-12-20T13:17:32+01:00
Tests: Revert change of return type of realm_join

It looks like the realm join return value was parsed in one place so I
am reverting the mishap change of the return type.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
9abcaf90 by Andre Boscatto at 2023-12-20T16:50:42+01:00
man: fix wrong product name

Resolves: https://github.com/SSSD/sssd/issues/7094

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
1d33bde4 by Justin Stephenson at 2023-12-20T16:52:02+01:00
Passkey: Fix coverity memory overrun error

Fix for:

  CID 336599:  Memory - corruptions  (OVERRUN)
  Overrunning dynamic array "result_creds" by passing it to a
  function that accesses it at byte "creds_len".

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
a134074c by Justin Stephenson at 2023-12-20T16:52:02+01:00
Passkey: Fix coverity RESOURCE_LEAK

Fix for:

  CID 470374:  Resource leaks  (RESOURCE_LEAK)
  Variable "prompt_reply" going out of scope leaks the storage
  it points to.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
22d35690 by Justin Stephenson at 2023-12-20T16:52:02+01:00
Passkey: Fix valgrind error and missing free

==367086== Conditional jump or move depends on uninitialised value(s)
==367086==    at 0x12BF1A31: string_get (load.c:894)
==367086==    by 0x12BF291D: stream_get.part.0 (load.c:158)
==367086==    by 0x12BF3182: UnknownInlinedFun (load.c:154)
==367086==    by 0x12BF3182: UnknownInlinedFun (load.c:227)
==367086==    by 0x12BF3182: lex_scan.isra.0 (load.c:573)
==367086==    by 0x12BF7F6A: parse_json (load.c:868)
==367086==    by 0x12BF80C8: json_loads (load.c:920)
==367086==    by 0x12BDDFD9: sss_passkey_message_from_reply_json (passkey_utils.c:544)
==367086==    by 0x12BDCA76: sss_passkeycl_process (passkey_clpreauth.c:321)
==367086==    by 0x4906215: UnknownInlinedFun (preauth2.c:352)
==367086==    by 0x4906215: UnknownInlinedFun (preauth2.c:679)
==367086==    by 0x4906215: k5_preauth (preauth2.c:1018)
==367086==    by 0x48F9489: UnknownInlinedFun (get_in_tkt.c:1351)
==367086==    by 0x48F9489: UnknownInlinedFun (get_in_tkt.c:1912)
==367086==    by 0x48F9489: krb5_init_creds_step (get_in_tkt.c:1868)
==367086==    by 0x48FA43A: k5_init_creds_get (get_in_tkt.c:564)
==367086==    by 0x48FB3EB: k5_get_init_creds (get_in_tkt.c:1978)
==367086==    by 0x48FB817: krb5_get_init_creds_password (gic_pwd.c:210)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c4e80942 by Alexey Tikhonov at 2023-12-20T19:24:29+01:00
SYSTEM TESTS: run core set of tests against SSSD

running in two modes: under 'root' and under 'sssd' user
(where supported)

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
958a5e25 by Alexey Tikhonov at 2023-12-21T13:51:23+01:00
SSS_CLIENT: MC: in case mem-cache file validation fails,

don't return anything but EINVAL, because `_nss_sss_*()` functions
can have a special handling for other error codes (for ERANGE in
particular).

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0344c41a by Alexey Tikhonov at 2023-12-21T13:51:23+01:00
SSS_CLIENT: check if mem-cache fd was hijacked

A real-life example would be:
https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369
 - TigerVNC unconditionally overwrites fd=3

Resolves: https://github.com/SSSD/sssd/issues/6986

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2bcfb7f9 by Alexey Tikhonov at 2023-12-21T13:51:23+01:00
SSS_CLIENT: check if responder socket was hijacked

A real-life example would be:
https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369
 - TigerVNC unconditionally overwrites fd=3

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2e75d735 by Pavel Březina at 2023-12-21T13:51:49+01:00
scripts: sign tarball with sssd project key

... also switch to gpg2.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c7a6e62d by Pavel Březina at 2023-12-21T13:51:49+01:00
scripts: create checksum file for release tarball

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f6f83c48 by Mathias Olsson at 2023-12-21T16:15:24+01:00
check for protected authentication path

Resolves: https://github.com/SSSD/sssd/issues/7011

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d6940c6f by Alexey Tikhonov at 2023-12-21T16:15:24+01:00
P11_CHILD: reduce code duplication

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae2420af by Patrik Rosecky at 2023-12-22T10:59:57+01:00
Tests: fix flake8 issues

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
cbae6855 by Alejandro López at 2023-12-27T10:29:20+01:00
KCM: Fix a memory "leak"

When an operation is processed, a buffer is allocated for the reply
and its parent is the client context (struct cli_ctx). This buffer
is not explicitly freed but it is released when the client context is
freed. With each operation a new buffer is allocated and the
previous one gets "lost."

This is not an actual leak because the lost buffers are released by
talloc once the client context is freed, when the connection is closed.
But on long-lived connections this can consume a large amount of memory
before the connection is closed.

To solve this, the request context (struct kcm_req_ctx) is the new
parent of the buffer. The request is freed as soon as the operation is
completed and no buffer gets lost.

Resolves: https://github.com/SSSD/sssd/issues/7072

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
543eda19 by Patrik Rosecky at 2023-12-27T10:31:13+01:00
Tests: multihost/test_sssctl_analyzer.py converted to system/test_sssctl_analyze.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9d6caaed by Jakub Vavra at 2024-01-05T14:27:26+01:00
Tests: Add a plugin for a per-test logging

Add a pytest plugin to remove / duplicate test log from console
and put it into stand-alone per-test log files.

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
d3a2bd08 by Patrik Rosecky at 2024-01-05T14:43:24+01:00
Tests: alltests/test_config_validation converted

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ea7de588 by Patrik Rosecky at 2024-01-05T14:47:42+01:00
Tests: alltests/test_offline.py converted

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
54395cbe by Alejandro López at 2024-01-07T13:13:52+01:00
KCM: sss_iobuf_get_*() functions must take a const struct

The structure is not modified so it is logical to receive a
`const struct sss_iobuf`.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4c159b01 by Alejandro López at 2024-01-07T13:13:52+01:00
TESTS: Make the AS_STR() macro available in common.h

The macro was defined in a .c module and thus unavailable to
be used on any other modules.

It was moved to common.h so that it can be used in other tests.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
747c85f8 by Alejandro López at 2024-01-07T13:13:52+01:00
KCM: Securely erase memory used for secrets

Make sure all the memory blocks allocated dynamically or statically by
KCM to store credentials and messages (which might include credentials)
are erased by calling sss_erase_mem_securely() or
sss_erase_talloc_mem_securely() before being freed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
173f3114 by Madhuri Upadhye at 2024-01-08T12:12:42+01:00
Tests: Add passkey test cases for following scenario

Test cases are as follows:
7.  Check offline authentication of a user with LDAP, IPA, AD and Samba
8.  Fetch user from cache for LDAP, IPA, AD and Samba server
9.  Check authentication of user when multiple keys added for same user with
    LDAP, IPA, AD and Samba server.
10. Check authentication of user when same key added for multiple user with
    LDAP, IPA, AD and Samba server.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
830a2e3d by Tomas Halman at 2024-01-08T14:20:23+01:00
Handle child-domain group membership

In AD, a user from a domain can be a member of a group that is
from a child of the domain.

The old code did not account for this and created a cache object
with incorrect DNs when ldap_use_tokengroups is set to False.

This patch looks up the correct domain before saving
group and membership attributes.

Resolves: https://github.com/SSSD/sssd/issues/7084

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4cdb4175 by Alexey Tikhonov at 2024-01-09T17:10:20+01:00
DEBUG: added missing new line

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
9b73614c by Sumit Bose at 2024-01-09T17:13:45+01:00
LDAP: make groups_by_user_send/recv public

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c02e09af by Sumit Bose at 2024-01-09T17:13:45+01:00
ad: gpo evaluate host groups

With this patch the group-memberships of the client running SSSD are
included in the evaluation of the security filtering. Similarly to AD,
the host object is more or less handled as a user object, which allows
skipping some code dedicated to computers only.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ff23e7e2 by Sumit Bose at 2024-01-09T17:13:45+01:00
sysdb: remove sysdb_computer.[ch]

The related calls are not needed anymore.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5f63d9bf by Sumit Bose at 2024-01-09T17:13:45+01:00
sdap: add set_non_posix parameter

This patch adds a new parameter set_non_posix to the user and group
lookup calls. Currently the domain type is used to determine if the
search should be restricted to POSIX objects or not. The new option
allows dropping this restriction explicitly to look up non-POSIX objects.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ecb0c637 by Tomas Halman at 2024-01-10T09:38:06+01:00
GPO evaluation of primary group

When we are evaluating GPO the SID of user's primary
group is not returned in the list. This patch converts
the value of origPrimaryGroupGidNumber attribute back to
SID and that SID is added to the list of SIDs before
evaluating the GPO rules.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
90eca38e by Dan Lavu at 2024-01-12T07:07:05+01:00
tests: updating poor assertion in dyndns

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
23087669 by aborah at 2024-01-12T12:07:48+01:00
Tests: Fix ipa test for gating.

Error: remote username contains invalid characters

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
9d1fccb5 by Dan Lavu at 2024-01-12T13:36:21+01:00
tests: adding background refresh tests to the new framework

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2b222dd3 by shridhargadekar at 2024-01-16T08:20:20+01:00
Test: Dropping the assertion of ssh from analyzer list

minor edit

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
684d18b4 by Jakub Vavra at 2024-01-16T10:07:19+01:00
Tests: Add single retry for realm leave

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
3922f4d7 by dependabot[bot] at 2024-01-16T13:21:29+01:00
build(deps): bump actions/download-artifact from 3 to 4

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/v3...v4)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f5f5d83f by dependabot[bot] at 2024-01-16T13:21:57+01:00
build(deps): bump github/codeql-action from 2 to 3

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2...v3)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
35ef26b6 by dependabot[bot] at 2024-01-16T13:22:26+01:00
build(deps): bump actions/upload-artifact from 3 to 4

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
44ec3e46 by Sumit Bose at 2024-01-19T16:35:48+01:00
pam: fix SC auth with multiple certs and missing login name

While introducing the local_auth_policy option a quite specific use-case
was not covered correctly. If there are multiple matching certificates
on the Smartcard, 'local_auth_policy = only' is set and GDM's Smartcard
mode was used for login, i.e. there is no user name given and the user
has to be derived from the certificate used for login, authentication
failed. The main reason for the failure is that in this case the
Smartcard interaction and the user mapping has to be done first to
determine the user before local_auth_policy is evaluated. As a result
when checking if the authentication can be finished the request was in
an unexpected state because the indicator for local Smartcard
authentication was not enabled.

Resolves: https://github.com/SSSD/sssd/issues/7109

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
0c1d11bc by Alexey Tikhonov at 2024-01-19T16:36:15+01:00
SERVER: `setpgid()`:

 - don't set process group if FLAGS_DAEMON is set
( `become_daemon()` will later `setsid()` in this case anyway)
 - don't set process group if it already matches process pid

This helps to avoid:
```
[server_setup] (0x0080): Failed setting process group: Operation not permitted[1]. We might leak processes in case of failure
```
that currently happens for 'monitor', 'sssd_kcm' (and probably
for other socket activated services).

Note that the message is logged before the log level is set
in the current code, so it isn't visible without a backtrace dump.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
dceb7df5 by Alexander Bokovoy at 2024-01-19T16:36:32+01:00
install udev rules to access security tokens by sssd-passkey

When SSSD runs unprivileged, passkey_child needs to be able to read and
write a hardware FIDO2 token. Add a udev rule that allows SSSD user
to do so in case SSSD runs under non-privileged account.

Both GROUP and OWNER variables in udev rules are singular and cannot be
used to extend permissions, thus use `setfacl` external utility to add
POSIX ACL for the SSSD user access.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
522b98c9 by Alexey Tikhonov at 2024-01-19T16:36:48+01:00
CLIENT:NSS: never resolve initgroups for 'sssd' user

if built with non-root user support

This is an addition to 8c8702803263d6dbf2c39f5bca8fb33036806f35
It allows avoiding a systemd hang while starting socket activated
'sssd_nss' under 'sssd' user.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
059b58f7 by Alexey Tikhonov at 2024-01-19T16:36:48+01:00
SERVICES: allow to run socket activated sssd_nss under SSSD_USER

Since 'libnss_sss.so' doesn't resolve SSSD_USER anymore, it should
be safe to use it as "User=" (no NSS loop).

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7076c5bb by Pavel Březina at 2024-01-23T14:15:03+01:00
krb5_child: fix order of calloc arguments

```
/shared/workspace/sssd/src/providers/krb5/krb5_child.c: In function _create_empty_cred_:
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: error: _calloc_ sizes specified with _sizeof_ in the earlier argument and not in the later argument [-Werror=calloc-transposed-args]
 1317 |     cred = calloc(sizeof(krb5_creds), 1);
      |                          ^~~~~~~~~~
/shared/workspace/sssd/src/providers/krb5/krb5_child.c:1317:26: note: earlier argument should specify number of elements, later size of each element
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b3124173 by Andre Boscatto at 2024-01-23T14:16:09+01:00
man: improving documentation about username and email

Resolves: https://github.com/SSSD/sssd/issues/7136

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2fa6ec2c by Jakub Vavra at 2024-01-24T11:33:58+01:00
Tests: Set ciphers for kerberos

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ef581c97 by Jakub Vavra at 2024-01-24T12:59:16+01:00
Tests: Add pytest.ini with marker converted to basic suite

Fix "PytestUnknownMarkWarning: Unknown pytest.mark.converted - is this a typo?"

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
99850321 by Jakub Vavra at 2024-01-24T13:44:10+01:00
Tests: Fix OsError in test_kcm_debug_level_set

Resolve "OSError: File '/var/log/sssd/sssd_kcm.log' could not be read"
by catching and handling this exception as well.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
a7851156 by Alexey Tikhonov at 2024-01-29T20:38:59+01:00
PROXY: strip SUID bit off 'proxy_child'

'proxy' provider can be used to load arbitrary modules that might
(or might not) require specific capabilities.

Granting all capabilities unconditionally feels unjustified. One of
the widely used options is proxy around 'libnss_files' that doesn't
require any capabilities. Let the administrator set the file capability
manually if required in esoteric use cases.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b4b72aac by Alexey Tikhonov at 2024-01-29T20:43:00+01:00
LDAP: move `select_principal_from_keytab()` to 'ldap_child'

Keytab access requires privileges on most systems and 'sssd_be' should
be able to run unprivileged.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
28068cdb by Alexey Tikhonov at 2024-01-29T20:43:00+01:00
MONITOR: remove MONITOR_DEF_FORCE_TIME

Cleanup after fa93cd0f0fc75a6d635079e67788f8a9fe183c3c and
5b0735876aa66464b24cb7736a74fafd8ec82128

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dd7aaaf2 by Alexey Tikhonov at 2024-01-29T20:43:00+01:00
MONITOR: switch user to configured before exec(service)

--uid / --gid args won't be used going forward.

This patch also removes all `chown_debug_file()`: running
user change should be exceptionally rare event. There is no
reason to strive to handle such change in "regular" runtime
code. And eventually SSSD service should be started without
CAP_CHOWN anyway.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ec77ec4e by Alexey Tikhonov at 2024-01-30T14:23:52+01:00
SPEC: clean up mem-cache files on uninstall

instead of tracking those files as a part of a package.

This will allow getting rid of `fchown()` in responder/nss/nsssrv_mmap_cache.c

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6dba6c4b by Alexey Tikhonov at 2024-01-30T17:50:18+01:00
MONITOR: proper error check of failed `prctl()`

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1358f417 by Jakub Vavra at 2024-01-30T18:04:19+01:00
CI: Add sssd testlib to pythonpath for prci multihost

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1bacf498 by Justin Stephenson at 2024-01-30T18:54:00+01:00
Tests: Python black formatting fixes

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c11734eb by Alexey Tikhonov at 2024-01-30T19:01:06+01:00
Fleet commander: store deskprofiles under user running SSSD

Integrated feature was never officially released, but the latest
development status was:
```
org.freedesktop.FleetCommanderClient is run as root
```
and can read profiles regardless of file ownership
( https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/IG3MIET5MILWJZRS3JQWMTVOPGNY6XWI/ )

Actual status is that 'FleetCommanderClient' isn't really maintained.

Storing profiles under user that runs SSSD doesn't break anything
but removes the need for CAP_SET_?ID and CAP_CHOWN (in this code).

Resolves: https://github.com/SSSD/sssd/issues/4659

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1bf51929 by Günther Deschner at 2024-02-01T19:36:31+01:00
Fix the build with Samba 4.20

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2ef0f838 by Alexey Tikhonov at 2024-02-09T15:10:21+01:00
IFP: don't trigger backtrace in case of ACL check fail

Avoid
```
   *  (2024-02-03 17:39:37): [ifp] [ifp_access_check] (0x0080): User 1000 not in ACL
   *  (2024-02-03 17:39:37): [ifp] [sbus_check_access] (0x0400): org.freedesktop.sssd.infopipe.Users.FindByName: permission denied for sender :1.290 with uid 1000
   *  (2024-02-03 17:39:37): [ifp] [sbus_issue_request_done] (0x0040): org.freedesktop.sssd.infopipe.Users.FindByName: Error [13]: Permission denied
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
29a77c6e by Sumit Bose at 2024-02-09T15:10:54+01:00
sdap: add search_bases option to groups_by_user_send()

AD handles users and computer objects very similar and so does SSSD's
GPO code when looking up the host's group-memberships. But users and
computers might be stored in different sub-trees of the AD LDAP tree and
if a dedicated user search base is given with the ldap_user_search_base
option in sssd.conf the host object might be in a different sub-tree. To
make sure the host can still be found this patch uses the base DN of
the LDAP tree when searching for hosts in the GPO code.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a153f13f by Sumit Bose at 2024-02-09T15:10:54+01:00
sdap: add naming_context as new member of struct sdap_domain

The naming_context could be a more reliable source than basedn for the
actual base DN because basedn is set very early from the domain name
given in sssd.conf. Although it is recommended to use the fully
qualified DNS domain name here it is not required. As a result basedn
might not reflect the actual base DN of the LDAP server. Also pure LDAP
server (i.e. not AD or FreeIPA) might use different schemes to set the
base DN which will not be based on the DNS domain of the LDAP server.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
945cebcf by Andre Boscatto at 2024-02-09T19:10:43+01:00
sssd: adding mail as case insensitive

Resolves: https://github.com/SSSD/sssd/issues/7173

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
32b72c7c by Sebastian Andrzej Siewior at 2024-02-12T09:40:11+01:00
tests: Drop -extensions from openssl command if there is no -x509

The 'openssl req' ignores the '-extensions' option without '-x509'.
OpenSSL versions prior to 3.2 simply ignored it. Starting with version 3.2
an error is generated:

| /usr/bin/openssl req -batch -config
| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config
| -new -nodes -key
| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem
| -sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem
| Error adding request extensions from section v3_ca
| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
|

Remove the '-extensions' option.

Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
859f5811 by Alexey Tikhonov at 2024-02-12T15:02:38+01:00
TESTS: multihost: chown sssd.conf to service user

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
895b462d by Alexey Tikhonov at 2024-02-13T08:56:31+01:00
TESTS: multihost: make get_property() work with older 'systemctl'

On centos-8 systemctl doesn't support '-P'
'--value --property' should work with both older and modern versions.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
2176b7d8 by shridhargadekar at 2024-02-13T13:07:56+01:00
Tests: sssctl_analyze diff location

Corrected the log assertions for 'id' command
passed to the sssctl analyze <>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b439847b by Sumit Bose at 2024-02-14T11:30:34+01:00
sss-client: handle key value in destructor

When the pthread key destructor is called the key value is already set
to NULL by the caller. As a result the data stored in the value can only
be accessed by the first argument passed to the destructor and not by
pthread_getspecific() as the previous code did.

Resolves: https://github.com/SSSD/sssd/issues/7189

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
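The commit above hinges on an easily missed POSIX rule: when a key destructor runs, the thread's value for that key has already been reset to NULL, so the data is reachable only through the destructor's argument. As an added example that is not SSSD's code, this C program runs one thread, stores a heap block under a key, and records what the destructor saw; the `destructor_report` type and `demo_*` names are mine.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* What the destructor observed; filled in by demo_destructor() and read
 * by run_destructor_demo() only after the thread has been joined. */
struct destructor_report {
    int called;              /* destructor ran at thread exit */
    int arg_is_value;        /* its argument was the pointer we stored */
    int getspecific_is_null; /* pthread_getspecific() already returned NULL */
};

static pthread_key_t demo_key;
static pthread_once_t demo_key_once = PTHREAD_ONCE_INIT;
static struct destructor_report report;
static void *stored_value;

/* Key destructor: the library has already set the key's value to NULL for
 * this thread, so 'arg' is the only way to reach (and free) the data. */
static void demo_destructor(void *arg)
{
    report.called = 1;
    report.arg_is_value = (arg == stored_value);
    report.getspecific_is_null = (pthread_getspecific(demo_key) == NULL);
    free(arg);   /* release through the argument, not via getspecific() */
}

static void create_demo_key(void)
{
    pthread_key_create(&demo_key, demo_destructor);
}

/* Thread body: store a heap block under the key and return, which makes
 * the pthread library run the destructor for this thread. */
static void *thread_body(void *unused)
{
    (void)unused;
    pthread_once(&demo_key_once, create_demo_key);
    stored_value = malloc(32);
    if (stored_value == NULL) {
        return NULL;
    }
    strcpy(stored_value, "per-thread data");   /* constructed sample value */
    pthread_setspecific(demo_key, stored_value);
    return NULL;
}

/* Run one thread to completion and return what its destructor saw. */
struct destructor_report run_destructor_demo(void)
{
    pthread_t t;
    memset(&report, 0, sizeof(report));
    if (pthread_create(&t, NULL, thread_body, NULL) != 0) {
        return report;   /* all fields zero: nothing observed */
    }
    pthread_join(t, NULL);
    return report;
}

/* 1 when the behaviour described in the commit message was observed. */
int destructor_demo_ok(void)
{
    struct destructor_report r = run_destructor_demo();
    return r.called && r.arg_is_value && r.getspecific_is_null;
}
```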
40279305 by Tomasz Kłoczko at 2024-02-14T11:31:04+01:00
Bump DocBook DTD version to latest stable 4.5

Signed-off-by: Tomasz Kłoczko <kloczek at github.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8fd2df73 by Madhuri Upadhye at 2024-02-14T11:36:35+01:00
Tests: Add method to detect the files provider

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
3caac5f7 by Jakub Vavra at 2024-02-16T13:21:52+01:00
Tests: Tweak per-test log to de-duplicate output

Deduplicate output between phases so it is not repeated.
(Previous phase output was repeated in the log.)
Fix issue with "/" in test name.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
43e3cf1e by shridhargadekar at 2024-02-21T13:40:55+01:00
Test: files_provider replaced with proxy

fixing sssd.conf domain-section update action

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
e235afee by Patrik Rosecky at 2024-02-21T13:43:24+01:00
tests: multihost/basic/test_kcm converted

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e3af77c7 by Jakub Vavra at 2024-02-21T14:31:24+01:00
Tests: Per-test logging: Fix exception on missing call phase.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
9506b7b3 by lisa at 2024-02-21T14:33:43+01:00
Convert multihost/ad/test_idmap to test_identity

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
90e46836 by Madhuri Upadhye at 2024-02-21T14:36:58+01:00
Tests: tier1/test_service: Remove files provider

Tier1: for test_0002_1736796:

Replacing the files provider to proxy provider,
as here we are adding the local user and giving
sudo permission to user to switch to root without password.
Here, we are checking the authentication and also
checking the sudo access for local user.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
c6c333de by Alexey Tikhonov at 2024-02-22T16:30:43+01:00
UTILS: additional debug if `mkstemp()` fails

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
409f175f by Sumit Bose at 2024-02-22T16:32:05+01:00
krb5: lower log level in sss_krb5_get_init_creds_password()

sss_krb5_get_init_creds_password() is called only with AD to be able to
get more specific error details and does the basic steps also done by
krb5_get_init_creds_password() from libkrb5. In contrast to the libkrb5
function it will return debug output. Unfortunately the log level
is quite low, i.e. messages are shown with the default debug level, and
the messages are sent to syslog, too. This can get annoying during
SSSD's pre-auth step to determine the available authentication types
since here, no credentials are provided and errors are somewhat expected
but will be ignored by the callers.

This patch increases the log level during SSSD's pre-auth and only sends
messages with the two lowest log levels to syslog.

Resolves: https://github.com/SSSD/sssd/issues/7197

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4f38fd10 by Sumit Bose at 2024-02-22T16:32:05+01:00
krb5: increase log level in map_krb5_error()

The purpose of map_krb5_error() is to translate error codes.
Additionally it will log the errors in case the caller has forgotten to
do it. While this in general makes sense the log level was set to the
second lowest and the message was sent to the system's log as well. This
is a bit too strong and might give a wrong impression about the nature
and importance of the log message. This patch increases the log level
which avoids sending to the syslog as well.

Resolves: https://github.com/SSSD/sssd/issues/7197

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e9253e0a by Pavel Březina at 2024-02-23T23:24:02+01:00
tests: fix isort, black and mypy errors

Introduced by https://github.com/SSSD/sssd/pull/7172.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
953c6bee by Alejandro López at 2024-02-26T11:37:20+01:00
SSH: Support ssh's KnownHostsCommand

This option is supported by delivering the tool sss_ssh_knownhosts.
This new tool displays the host public keys on STDOUT in the
knownhosts file format.

The corresponding man page was added and sss_ssh_knownhostsproxy's
man page displays a message stating that it is deprecated and
suggests using the new tool.

Resolves: https://github.com/SSSD/sssd/issues/5518

:relnote: sss_ssh_knownhostsproxy is deprecated. Consider using
the more reliable sss_ssh_knownhosts instead.

:feature: The new tool sss_ssh_knownhosts can be used with ssh's
KnownHostsCommand configuration option to retrieve the host's
public keys from a remote server (FreeIPA, LDAP, etc.). This new
tool, which is more reliable, replaces sss_ssh_knownhostsproxy.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9eea993b by Pavel Březina at 2024-02-26T11:37:20+01:00
tests: add tests for sss_ssh_knownhosts

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
11a77e8b by Denis Zlobin at 2024-02-26T11:49:31+01:00
sbus: Fix codegen template for async client

Double semicolon is generated, thus test src/tests/double_semicolon_test
fails for async client source code.

For example, we can generate code for IFP async client.
To do this, add new async interface to src/responder/ifp/ifp_iface/ifp_iface.xml file:

    <interface name="org.freedesktop.sssd.infopipe.Tests.Test">
        <annotation name="codegen.Test" value="ifp_test" />
        <annotation name="codegen.AsyncCaller" value="true" />
        <property name="name" type="s" access="read" />
    </interface>

Then make check tests. Test fails with an error:
```
Double semicolon found:
../src/responder/ifp/ifp_iface/sbus_ifp_client_async.c:132:    *_value = talloc_steal(mem_ctx, state->out->arg0);;
```

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
20175f41 by Jakub Vavra at 2024-02-28T11:56:35+01:00
Tests: Add oddjob package to master for multihost/alltests

The package is not pulled automatically as part of deps/packageset
on fedora resulting in subprocess.CalledProcessError: Command
'systemctl restart oddjobd.service' returned non-zero exit status 5.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
759d261c by Jakub Vavra at 2024-03-05T09:43:18+01:00
Tests: Refactor AD tests from files provider to proxy one.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
0a397c28 by Jakub Vavra at 2024-03-06T10:36:27+01:00
Tests: Fix ipa/conftest.py for fedora.

The installation of shadow-utils fails on fedora as it tries to enable CRB repos.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
4729ec07 by Thorsten Scherf at 2024-03-06T10:56:43+01:00
SSH: fix typo in sss_ssh_knownhosts man page

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b7da2450 by Jakub Jelen at 2024-03-06T10:57:17+01:00
doc: Fix configuration option pam_p11_allowed_services type

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
459d0989 by Jakub Jelen at 2024-03-06T10:57:57+01:00
Allow smart card authentication in vlock

Signed-off-by: Jakub Jelen <jjelen at redhat.com>

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c9a333c5 by Justin Stephenson at 2024-03-06T10:59:03+01:00
krb5: Allow fallback between responder questions

Add support to try the next Preauth type when answering
krb5 questions. Fixes an issue when an IPA user has
both authtype passkey and authtype password set at
the same time.

Resolves: https://github.com/SSSD/sssd/issues/7152

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6c1272ed by Justin Stephenson at 2024-03-06T10:59:03+01:00
krb5: Add fallback password change support

handle password changes for IPA users with multiple auth types set
(passkey, password)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
f860f10a by Justin Stephenson at 2024-03-06T11:00:10+01:00
PAM: Print PAM Data once on incoming requests

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a80e236b by Dan Lavu at 2024-03-06T11:00:40+01:00
tests: adding testcase for gh7174 email case insensitivity

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0935ce94 by Jakub Vavra at 2024-03-07T11:31:48+01:00
Tests: Fix hostmap tests not to depend on user-nsswitch.conf

The user-nsswitch.conf was removed in F36+. Tests using it therefore
need fixing to use /etc/nsswitch.conf on Fedora instead.
Fixed indentation of install_nslcd.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
018de1c0 by Alejandro López at 2024-03-12T10:00:10+01:00
MAN: sss_ssh_knownhosts.1 must also be translated

Resolves: https://github.com/SSSD/sssd/issues/7232

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2bb00e25 by Alejandro López at 2024-03-12T10:00:35+01:00
TESTS: Improvements to test_iobuf

The improvements were triggered by the test failing on certain
environments.

Normally, none of them is necessary, but without the first one the
test fails (under certain conditions) and the other two are more
of a "belt and suspenders" approach than anything else.

1) The memory buffer used to dump the heap to a file is cleaned
   systematically before reading data into it. Normally this is not
   needed because read data overwrites any prior data in the buffer,
   and then that same data is written to disk. But this solved the
   problem. I cannot explain it.

2) When the file where the heap was dumped is mmapped for analysis,
   that memory is cleaned before unmmaping it, to make sure nothing
   remains in memory from the previous dump.

3) An extra dump is taken before doing anything with the memory.
   This is done to make sure that the strings we are looking for are
   not present in the heap before the test starts.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
43c5b944 by Jakub Vavra at 2024-03-13T13:34:55+01:00
Tests: refactor sssd.conf backup and restore

SSSD configuration backup and restore code was duplicated in multiple
places; it was moved into one place so we can more easily change rights
and ownership of the file.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
603399a4 by Pavel Březina at 2024-03-13T15:40:25+01:00
pam: fix invalid #if condition

ifdef should be used as anywhere else, otherwise we hit a build
error if sssd is being built without passkey.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
41cafd63 by Pavel Březina at 2024-03-13T15:44:32+01:00
tests: fix isort issue

This issue was introduced in a80e236b8319f1f0931717debcb093802ba5e2ae.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
3488b9e9 by Pavel Březina at 2024-03-15T13:03:42+01:00
tests: use different home dir than /tmp for local user

If sssd startup fails for some reason, teardown would call userdel
which would try to delete /tmp.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
5841348f by Iker Pedrosa at 2024-03-15T13:04:11+01:00
man: fix default value for pam_passkey_auth

The default was changed to true in
c76ba343b783718468a3a108346d424f9a70eb76 ("PAM: Passkey kerberos preauth
support"), but the man page wasn't updated.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2e1c2f35 by dependabot[bot] at 2024-03-15T13:04:40+01:00
build(deps): bump DamianReeves/write-file-action from 1.2 to 1.3

Bumps [DamianReeves/write-file-action](https://github.com/damianreeves/write-file-action) from 1.2 to 1.3.
- [Release notes](https://github.com/damianreeves/write-file-action/releases)
- [Commits](https://github.com/damianreeves/write-file-action/compare/0a7fcbe1960c53fc08fe789fa4850d24885f4d84...6929a9a6d1807689191dcc8bbe62b54d70a32b42)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c67e41d8 by Alejandro López at 2024-03-15T13:05:09+01:00
SSH: Make sss_ssh_knownhostsproxy build conditional

Because this tool will be removed, we start by building an alternative
version that just displays a warning.

To build the full working tool:
```
./configure --with-ssh-known-hosts-proxy
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e556bfd0 by Alejandro López at 2024-03-15T13:05:09+01:00
TESTS: Fix the ssh configuration

Until ipa-client-install is fixed to recognize the new tool
/usr/bin/sss_ssh_knownhosts, ssh's configuration must be manually
fixed.

Once the fixed FreeIPA is included in the container, this workaround
can be removed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fa503bcc by aborah at 2024-03-18T06:04:15+01:00
Tests: Drop files provider from tests test_sssctl_local.py

1. Test id: 9315c119-8c69-4685-836d-0f71b5d0684c: Does not work any more without files provider
2. Test id: b5ff4e8f-ce9f-4731-bbaa-bf2a8425dc15: Its purpose is currently unclear.
3. Test id: 8f2868d2-1ece-11ec-ac6d-845cf3eff344: shadow-utils doesn't call 'sss_cache' starting F40/RHEL10

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
83f1ba78 by aborah at 2024-03-18T06:04:44+01:00
Tests: Drop files provider from tests test_sssctl_ldap.py

Review if any of "multihost tests" depend on "files provider".
Remove found dependencies.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
56280faa by aborah at 2024-03-18T06:05:03+01:00
Tests: Drop files provider from tests test_multidomain.py

Review if any of "multihost tests" depend on "files provider" and remove those dependencies

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
40e5309a by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: remove useless trailing '\'

Most probably it was copy-paste from macro definition.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
40cea81b by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: remove 'opt_netlinkoff' removal notice

It was given in 632fc5d8991d167eea20769c823163551c3f1d8c several years ago.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
419120f4 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: replace fprintf() with ERROR()

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d79e0e74 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: cosmetics

Keep all checks of command line options together and slightly reorder
for a (hopefully) better readability.

Error exit codes updated to:
 - 1 - bad command line options or config
 - 2 - no mem
 - 5 - all kinds of other issues

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
102c30a5 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: get rid of unused FLAGS_GEN_CONF definition

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
47da0b6b by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
SPEC: make most folders group accessible

This will allow avoiding the need for CAP_DAC_OVERRIDE with a single
addition of a supplementary group.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
521f88ef by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
SPEC: make '%{pipepath}/private' sssd:sssd owned

Since db1a919ff5760119df3083f535e66d0e4470cad8 the only socket
in '/private' is an internal SBUS socket.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
52fa441b by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
Make all SSSD processes a member of sssd supplementary group.

Previously it was done only for 'sssd_nss' to allow it to write to
sssd:sssd owned mem-cache file while running under 'root'.

Let's use this approach for all other files to avoid using
CAP_DAC_OVERRIDE in run time (in following patches).

Primarily rely on systemd to set group, but try to set it manually
if (required and) missing at runtime.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
60853c6f by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
NSS: don't `fchown()` mem-cache files

Since ec77ec4e8b2f7ce80848f8840d7b9fa8403e297a mem-cache files aren't
tracked as a part of a package anymore so there is no need to keep
SSSD_USER ownership of those files.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f4ad8c2a by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
UTILS: add capabilities management helpers

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4a44cca4 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
Get rid of `--genconf` and `--genconf-section` monitor options.

The only usage was 'sssd-kcm.service', but it was wrong since 'sssd_kcm'
should be usable without other SSSD packages being installed (see #6926)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8d1b3ef7 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
SSS_INI: const correctness

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cff8e1f9 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
CONFDB: split confdb_setup() into 2 steps

It will be used by 'monitor' to first read 'sssd.conf' then
switch uid/gid before writing 'config.ldb'

This is required in case sssd.service::User and sssd.conf::user
do not match.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b1cbf5f5 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
CONFDB: always delete old ldb-file

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
87b77a01 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: no need to read domain list twice

It's already read in `get_monitor_config()`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e306d93f by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: remove unused mt_ctx::conf_path

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
34f7c2ea by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: move keyring setup code to a function

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fd23a94f by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
MONITOR: move nscd check code to a function

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a05b0250 by Alexey Tikhonov at 2024-03-18T09:02:36+01:00
SSS_INI: remove 'const' specifier from getter

`sss_ini_get_string_config_value()` is a wrapper around
`ini_get_string_config_value()`, whose docs says
```
Returned value needs to be freed after use.
```
But an attempt to free 'const char *' results in discarded-qualifiers
warning.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d7042fed by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
DEBUG: a couple of message changes

Following changes were done:
 - perform_checks(): log actual owner
 - sss_confdb_create_ldif(): use SSSDBG_TRACE_LDB

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0d686b5d by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
TOOLS: remove the upgrade-cache command

552390afcc81af96ca201fa6c25ddefbbecbeb4e mentioned
```
might be useful e.g. in RPM %post scripts.
```
but it didn't happen.

SSSD performs cache upgrade at startup automatically, explicit
command doesn't have any use.

On the other hand, it can spoil cache files ownership if users used
to run 'sssctl' and SSSD do not match.

:relnote: sssctl `cache-upgrade` command was removed. SSSD performs automatic
upgrade at startup when needed.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5bd52025 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SYSTEMD: remove unused CAP_KILL

There are some known issues like #5536 but those have to be
solved differently. Having 'CAP_KILL' in sssd.service doesn't
help anyway (and currently isn't used anyhow).

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
304fe754 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SYSTEMD: responders do not need any capabilities

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1ea6965c by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
MONITOR: startup logic was changed

Startup logic was changed as follows:
(1) read sssd.conf (should be readable by user that is used to start monitor)
(2) switch user to sssd.conf::user (if configured), drop all capabilities
(3) write config.ldb

This ensures all SSSD components can read config.ldb without capabilities
even if (deprecated) sssd.conf::user is used.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0e2ed444 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
KRB5_/LDAP_CHILD: print capabilities at startup

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a59991b by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
sssd.service: run under SSSD_USER by default

:relnote: *IMPORTANT note for downstream maintainers!*
This release features significant improvements of "running
with less privileges (under unprivileged service user)" feature.
There is still a ./configure option '--with-sssd-user=' available
that allows downstream package maintainers to choose if support of
non-root service user should be built.
In case such support is built, a preferred way to configure service
user is simply by starting SSSD under this user; for example, using
'User=/Group=' options of systemd sssd.service file.
Upstream defaults are to build "--with-sssd-user=sssd" and to install
systemd service with "User=/Group=sssd". In this case, only several
helper processes - 'ldap_child', 'krb5_child' and 'selinux_child' -
are executed with elevated capabilities (that are now granted using
fine grained file capabilities instead of SUID bit). All other SSSD
components run without any capabilities.
In this scenario it's still possible to re-configure SSSD to run
under 'root' (if needed for some reason): besides changing "User/Group="
options, some other tweaks of systemd service files are required. Those
tweaks are described in the comments in service files.
If SSSD is built "--with-sssd-user=sssd" but configured to run under
"root", it's still possible to use a legacy sssd.conf::user option to
change a service user at runtime. This requires granting CAP_SET_UID/
CAP_SET_GID capabilities to sssd.service (again, read comments in the
service file). User will be changed and all capabilities dropped
immediately at startup. There should be no reason to prefer
sssd.conf::user option over sssd.service::User option, barring very
exotic setups where it's impossible to configure initial service user.
Take a note, that this release deprecates sssd.conf::user option and
its support might be removed in future releases.
Further, it doesn't matter if SSSD is built "--with-sssd-user=sssd" or
"--with-sssd-user=root", when it's configured to run under "root" (in both
cases) it still runs without capabilities, the same way as when it's
configured to run under "sssd" user. The only difference is from DAC
perspective.
Important: owner of /etc/sssd/sssd.conf file (and snippets) should match
user configured to start SSSD service. Upstream spec file changes
ownership of existing sssd.conf to 'sssd' during package installation
for seamless upgrades.
Additionally, this release fixes a large number of issues with "socket
activation of responder" feature, making it operable out-of-the-box when
the package is built "--with-sssd-user=sssd". Please take a note,
that user configured to run main sssd.service and socket activated
responders (if used) should match (i.e. if sssd.service is re-configured
from upstream defaults to 'root' then responders services also should be
re-configured).
Downstream package maintainers are advised to carefully inspect changes
in contrib/sssd.spec.in, src/sysv/systemd/* and ./configure options that
this release brings!

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
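Added example (an editor's illustration, not code from this commit, from the
SSSD sources, or from the Red Hat authors): the release note above and the
earlier commit "KRB5_/LDAP_CHILD: print capabilities at startup" both rest on
one verifiable claim, namely that responders run with an empty capability set
while only 'ldap_child', 'krb5_child' and 'selinux_child' hold a few file
capabilities. The C below shows how a defender can check that claim for a
running process by decoding the CapPrm/CapEff hex masks that
/proc/<pid>/status reports. The two status texts are constructed samples, not
captured output; the bit numbers come from <linux/capability.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/capability.h>   /* CAP_* bit numbers */

/* Names for the capability bits relevant to this change; indices are the
 * kernel's CAP_* values, other set bits are reported by number. */
static const char *const cap_names[] = {
    [CAP_CHOWN]           = "CAP_CHOWN",
    [CAP_DAC_OVERRIDE]    = "CAP_DAC_OVERRIDE",
    [CAP_DAC_READ_SEARCH] = "CAP_DAC_READ_SEARCH",
    [CAP_KILL]            = "CAP_KILL",
    [CAP_SETGID]          = "CAP_SETGID",
    [CAP_SETUID]          = "CAP_SETUID",
    [CAP_SYS_ADMIN]       = "CAP_SYS_ADMIN",
};
#define NCAP_NAMES (sizeof(cap_names) / sizeof(cap_names[0]))

/* Find "<field>:<tab><hex>" in /proc/<pid>/status text and parse the mask.
 * Returns 0 on success, -1 when the field is absent. */
int parse_cap_line(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    const char *p = status;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            *mask = strtoull(p + flen + 1, NULL, 16); /* strtoull skips the tab */
            return 0;
        }
        p = strchr(p, '\n');
        if (p != NULL) p++;
    }
    return -1;
}

/* Render the set bits of 'mask' as a comma-separated list into 'out'.
 * Returns the number of set bits even if the output was truncated. */
int describe_caps(uint64_t mask, char *out, size_t outlen)
{
    int count = 0;
    size_t used = 0;

    if (outlen > 0) out[0] = '\0';
    for (int bit = 0; bit < 64; bit++) {
        if (!(mask & ((uint64_t)1 << bit))) continue;
        count++;
        if (used >= outlen) continue;      /* out of room: keep counting only */
        const char *name = bit < (int)NCAP_NAMES ? cap_names[bit] : NULL;
        int n = name
            ? snprintf(out + used, outlen - used, "%s%s", used ? "," : "", name)
            : snprintf(out + used, outlen - used, "%s%d", used ? "," : "", bit);
        if (n < 0) n = 0;
        used += (size_t)n;
        if (used > outlen) used = outlen;
    }
    return count;
}

/* 1 when both the effective and permitted sets are empty (the state the
 * release note promises for responders), 0 otherwise, -1 if the text lacks
 * the fields. */
int is_unprivileged(const char *status)
{
    uint64_t eff, prm;
    if (parse_cap_line(status, "CapEff", &eff) != 0 ||
        parse_cap_line(status, "CapPrm", &prm) != 0) {
        return -1;
    }
    return (eff == 0 && prm == 0) ? 1 : 0;
}

/* Live check of the calling process through /proc/self/status. */
int self_is_unprivileged(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return is_unprivileged(buf);
}

/* Constructed samples (not captured from a real system): a helper holding
 * CHOWN, DAC_OVERRIDE, SETGID and SETUID (0xc3), and a responder holding
 * nothing. */
const char SAMPLE_HELPER_STATUS[] =
    "Name:\tkrb5_child\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000000c3\n"
    "CapEff:\t00000000000000c3\n";
const char SAMPLE_RESPONDER_STATUS[] =
    "Name:\tsssd_nss\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n";

int main(void)
{
    char names[256];
    uint64_t eff = 0;
    parse_cap_line(SAMPLE_HELPER_STATUS, "CapEff", &eff);
    printf("helper: %d caps: %s\n", describe_caps(eff, names, sizeof(names)), names);
    printf("responder unprivileged: %d\n", is_unprivileged(SAMPLE_RESPONDER_STATUS));
    printf("this process unprivileged: %d\n", self_is_unprivileged());
    return 0;
}
```

Pointing parse_cap_line() at the status file of a real 'sssd_be' or
'sssd_nss' process (for example after "SecureBits=noroot noroot-locked" is in
effect) is the quickest way to confirm that a unit reconfigured to "User=root"
still runs without capabilities, as the note states.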

- - - - -
4c42ca7a by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SPEC: make sure cache files are accessible

Since now SSSD starts and runs under %{sssd_user} by default,
make sure cache files left from previous version are %{sssd_user}:%{sssd_user}
owned.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
aa7cddfa by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SPEC: make sure config files are accessible

Since now SSSD starts and runs under %{sssd_user} by default,
make sure config files left from previous version are %{sssd_user}:%{sssd_user}
owned.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b88d56a3 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SYSTEMD: KCM capabilities

'sssd_kcm' doesn't need CAP CHOWN/SET-ID itself but needs to have it in
bounding set so that 'krb5_child' run by 'sssd_kcm' can get those capabilities.

CAP_DAC_OVERRIDE is used to access sssd.conf and log folder.

The latter can be dropped once (if) 'sssd_kcm' is changed to run under
'sssd' user by default.

An approach to use 'SupplementaryGroups=' isn't practical here because
config files aren't readable by group and changing this in existing
setups might be cumbersome. It should be easier to make 'sssd_kcm'
to run under 'sssd' user.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9fbaf6d7 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SSS_INI: only check file ownership from 'sssd'

User used to run 'sssctl', 'sssd_kcm', etc (typically root) might
not match user configured to run SSSD service.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
583ea7f2 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SYSTEMD: remove "PIDFile="

See https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#PIDFile=
```
Note that PID files should be avoided in modern projects. Use Type=notify, Type=notify-reload
or Type=simple where possible, which does not require use of PID files to determine the main
process of a service and avoids needless forking.
```

SSSD uses "Type=notify"

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6ca4e472 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
CONF: store pid file in /run/sssd

instead of /var/run. SSSD running under a non-privileged user can't write
to /var/run directly.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29b1e474 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
UTILS: make pidfile readable by everyone

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e2c26e81 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SPEC: replace SUID bit with more fine-grained capabilities

This will also allow using "SecureBits=noroot" in sssd.service

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
84c3034d by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SYSTEMD: set "SecureBits=noroot noroot-locked"

in sssd.service to avoid processes gaining all capabilities
from bounding set during execv() with uid=0/gid=0 (so that, for
example, 'sssd_be' runs without capabilities even if "User=root")

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9eed3873 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SPEC: make conf folder g+rx

so that SSSD built --with-sssd-user=sssd but run under 'root' can get
to sssd.conf without capabilities (using "SupplementaryGroups=sssd")

sssd.conf still needs to be chown'ed to 'root:root' manually in this
case.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
07f00135 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
TESTS: system: skip 'passkey' tests if SSSD runs under non-root

For a real device this is handled by udev rule that makes device
readable by SSSD. This rule doesn't work with mocked device.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
869ee965 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SPEC: build Fedora >= 41 package with sssd user support

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d45b85b7 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SSSDConfig: chown() sssd.conf to SSSD service user

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
12877789 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
MONITOR: free 'tmp_ctx' in case of failure too

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e37a8c78 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
MAN: 'monitor' exit codes description

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cb4dbea6 by Alexey Tikhonov at 2024-03-18T09:02:37+01:00
SPEC/SYSTEMD: try harder making sure logs ownership matches service user

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3788f480 by Abhijit Roy at 2024-03-18T09:27:19+01:00
sssctl: Adding options for nss

Fixing the false positive error reported by config-check

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
0b26b6fd by Madhuri Upadhye at 2024-03-21T09:55:58+01:00
Tests: alltests/test_krb5: Replace files provider

Replace files provider with proxy provider.
This test case tests authentication of a local user using
kerberos and also updates authselect to select sssd only.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
4085ee07 by Alexey Tikhonov at 2024-03-21T10:30:13+01:00
UTILS: inotify: avoid potential NULL deref

Fixes following error:
```
Error: STRING_NULL (CWE-170):
sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.]
sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string.
 #  325|
 #  326|               if (snctx->wctx->dir_wd == in_event->wd) {
 #  327|->                 ret = process_dir_event(snctx, in_event);
 #  328|               } else if (snctx->wctx->file_wd == in_event->wd) {
 #  329|                   ret = process_file_event(snctx, in_event);
```
  --  it might be unsafe to dereference `in_event->name`
if `in_event->len == 0`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
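Added example (an editor's illustration, not the patch itself or code from the
SSSD sources): the Coverity finding above is about the flexible 'name' member
of struct inotify_event, which has no storage behind it when 'len' is 0, so
reading it walks past the event header. The C below walks a read() buffer of
inotify events the defensive way, returning NULL instead of a name for
nameless events and stopping at a truncated trailing event. The event buffer
is constructed in build_sample_events(), not captured from a kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>

/* Return the name carried by an inotify event, or NULL when len == 0.
 * With len == 0 there are no bytes behind ev->name, so ev->name[0] would
 * read whatever follows the header (the STRING_NULL finding above). */
const char *inotify_event_name(const struct inotify_event *ev)
{
    if (ev->len == 0) {
        return NULL;
    }
    /* The kernel pads name to len bytes and NUL-terminates it; refuse an
     * event that violates that (corrupted or hand-built input). */
    if (memchr(ev->name, '\0', ev->len) == NULL) {
        return NULL;
    }
    return ev->name;
}

/* Walk the bytes read() from an inotify fd and count events. With want ==
 * NULL every well-formed event counts; otherwise only events whose name
 * equals 'want'. Nameless events are skipped, never dereferenced. */
size_t count_events_named(const unsigned char *buf, size_t n, const char *want)
{
    size_t count = 0;
    size_t off = 0;

    while (n - off >= sizeof(struct inotify_event)) {
        const struct inotify_event *ev = (const struct inotify_event *)(buf + off);
        size_t ev_size = sizeof(*ev) + ev->len;
        if (ev_size > n - off) {
            break;              /* truncated trailing event: do not overread */
        }
        const char *name = inotify_event_name(ev);
        if (want == NULL || (name != NULL && strcmp(name, want) == 0)) {
            count++;
        }
        off += ev_size;
    }
    return count;
}

/* Constructed sample: a nameless IN_MODIFY on a watched file, followed by
 * an IN_CREATE in a watched directory naming "sssd.conf", with the name
 * zero-padded to 16 bytes as the kernel does. Returns bytes written. */
size_t build_sample_events(unsigned char *buf, size_t cap)
{
    static const char padded_name[16] = "sssd.conf";
    struct inotify_event ev;
    size_t off = 0;

    if (cap < 2 * sizeof(ev) + sizeof(padded_name)) return 0;

    memset(&ev, 0, sizeof(ev));
    ev.wd = 1; ev.mask = IN_MODIFY; ev.len = 0;
    memcpy(buf + off, &ev, sizeof(ev)); off += sizeof(ev);

    ev.wd = 2; ev.mask = IN_CREATE; ev.len = sizeof(padded_name);
    memcpy(buf + off, &ev, sizeof(ev)); off += sizeof(ev);
    memcpy(buf + off, padded_name, sizeof(padded_name)); off += sizeof(padded_name);
    return off;
}

/* Events naming sssd.conf in the sample: 1. */
size_t demo_named_count(void)
{
    _Alignas(struct inotify_event) unsigned char buf[128];
    size_t n = build_sample_events(buf, sizeof(buf));
    return count_events_named(buf, n, "sssd.conf");
}

/* All well-formed events in the sample: 2 (the nameless one is counted,
 * its name just is not touched). */
size_t demo_total_count(void)
{
    _Alignas(struct inotify_event) unsigned char buf[128];
    size_t n = build_sample_events(buf, sizeof(buf));
    return count_events_named(buf, n, NULL);
}

/* Same buffer short by one byte: the second event is truncated and must be
 * dropped rather than read past the end, so only the first one remains. */
size_t demo_truncated_count(void)
{
    _Alignas(struct inotify_event) unsigned char buf[128];
    size_t n = build_sample_events(buf, sizeof(buf));
    return count_events_named(buf, n - 1, NULL);
}

int main(void)
{
    printf("named=%zu total=%zu truncated=%zu\n",
           demo_named_count(), demo_total_count(), demo_truncated_count());
    return 0;
}
```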

- - - - -
c858d577 by Alejandro López at 2024-03-21T10:30:34+01:00
TESTS: Fix the ssh configuration - II

The previous patch fixed the environment for the multihost tests, but
system tests also need the fix.

This fix will become obsolete and should be removed when FreeIPA
adapts the ipa-client-install tool to use the sss_ssh_knownhosts tool.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bf6cb6dc by Sumit Bose at 2024-03-21T13:45:43+01:00
krb5: add OTP to krb5 response selection

Originally where there was only password and OTP authentication we
checked for password authentication and used OTP as a fallback. This was
continued as other (pre)-authentication types were added. But so far
only one authentication type was returned.

This changed recently to allow the user a better selection and as a
result OTP cannot be handled as a fallback anymore but has to be added
to the selection. In case there are no types (questions) available now
password is used as a fallback.

Resolves: https://github.com/SSSD/sssd/issues/7152

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7c33f9d5 by Sumit Bose at 2024-03-21T13:45:43+01:00
krb5: make sure answer_pkinit() use matching debug messages

Resolves: https://github.com/SSSD/sssd/issues/7152

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e26cc693 by Sumit Bose at 2024-03-21T13:45:43+01:00
krb5: make prompter and pre-auth debug message less irritating

Resolves: https://github.com/SSSD/sssd/issues/7152

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0d5e8f11 by Sumit Bose at 2024-03-21T13:45:43+01:00
pam_sss: prefer Smartcard authentication

The current behavior is that Smartcard authentication is preferred if
possible, i.e. if a Smartcard is present. Since the Smartcard (or
equivalent) must be inserted manually the assumption is that if the user
has inserted it they most probably want to use it for authentication.

With the latest patches pam_sss might receive multiple available
authentication methods. With this patch the checks for available
authentication types start Smartcard authentication to mimic the
existing behavior.

Resolves: https://github.com/SSSD/sssd/issues/7152

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
795b13c1 by Dan Lavu at 2024-04-02T16:14:47+02:00
tests: fixing typo in test_authentication.py

The assertion checks for user_3 but the user added is user-3. The value
is different than the others because we are trying to try different
combinations.

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
05df8167 by Sumit Bose at 2024-04-02T16:15:15+02:00
pam: fix storing auth types for offline auth

Before the recent patches which allow krb5_child to iterate over all
available authentication methods typically only one method was returned.
E.g. if Smartcard authentication (pkinit) was possible it was typically
the first method in the question list and the result of the
answer_pkinit() function was immediately returned. As a result only the
Smartcard authentication type was set and a missing password
authentication type while others were present might have been a
reasonable indicator for the online state.

With the recent patches, all available methods, including password
authentication if available, are returned and a new indicator is needed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
79c384fb by Sumit Bose at 2024-04-02T16:15:15+02:00
test: set 'local_auth_policy = only' for all passkey test

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
1c2aa825 by Jakub Vavra at 2024-04-04T15:08:37+02:00
Tests: Fix test_kcm_ssh_login_creates_kerberos_ticket

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
7c6bc58a by Jakub Vavra at 2024-04-05T07:12:04+02:00
Tests: Move polarion.yaml to src/tests/

The path src/tests is more generic and would make more sense for other
components that share the same idmci automation.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
6dec9446 by Alexey Tikhonov at 2024-04-05T19:43:05+02:00
BUILD: only link SYSTEMD_DAEMON_LIBS if needed

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
de928a28 by Alexey Tikhonov at 2024-04-05T19:43:05+02:00
BUILD: only search for SYSTEMD libs if needed

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c3578ad6 by Alexey Tikhonov at 2024-04-05T19:43:05+02:00
BUILD: require initscript=systemd for syslog=journald

and don't build intg-tests with 'systemd'

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4d29b915 by Alexey Tikhonov at 2024-04-05T19:43:05+02:00
BUILD: don't use '--disable-dbus-tests'

This ./configure option isn't available since 3d1b6458568f3df4d5c192f432e73d65e4a9d293

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ce9488d6 by Alexey Tikhonov at 2024-04-05T19:43:05+02:00
INTG-TESTS: replace '--without-semanage' with '--without-selinux'

'--with[out]-semanage' was removed in 0a254e4341d886c68394019fa610a67492f14fce

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f30902fa by Jakub Vavra at 2024-04-08T08:21:02+02:00
Tests: Update reference to polarion.yaml

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
12e74323 by Alexey Tikhonov at 2024-04-09T11:47:39+02:00
BUILD: link 'krb5_child' against 'libsystemd' if needed

This is an addition to #7268

If SSSD is configured with
```
  --with-initscript=systemd
  --with-syslog=syslog
```
then 'krb5_child' needs to be linked against 'libsystemd' due to
`check_if_uid_is_active()` usage.

Resolves: https://github.com/SSSD/sssd/issues/7278

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2b5f1cc4 by Andreas Hasenack at 2024-04-10T12:49:04+02:00
Fix format string used for time values

When building for armhf with _TIME_BITS=64, the %lu format string used
to represent time_t values as strings is no longer correct. Switch to
SPRItime which takes into account the time_t size.

Fixes: #7276

Signed-off-by: Andreas Hasenack <andreas.hasenack at canonical.com>

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
01d09bb8 by Alexey Tikhonov at 2024-04-11T15:12:02+02:00
SPEC: use sysusers as additional source

This partially reverts 736430aa0ed0f9c9e36315ea97de65908c29f590

The reason is that 'sysusers_create_compat' macro is evaluated after
the tar ball is extracted, after SSSD is built and after content of
the BUILD and BUILDROOT directories is removed, so otherwise there is
no extracted or built data available anymore.

See https://github.com/SSSD/sssd/pull/7267#discussion_r1549282574 for
details.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5045e434 by Alexey Tikhonov at 2024-04-11T15:12:02+02:00
SPEC: enabled 'sysusers' for f-41+

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5b9a2f81 by Alexey Tikhonov at 2024-04-11T15:12:02+02:00
SPEC: define a home dir for 'sssd' user

Set '/run/sssd/' as 'sssd' user home dir.
This is required to accommodate the needs of some Samba libraries that
create a cache while fetching GPO files.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
03f68e81 by Dan Lavu at 2024-04-11T15:19:19+02:00
tests: test case audit and house keeping

- standardized all system test case names in the new framework
- test_ldap.py: moved tests from test_offline.py and test_rootdse.py because they have one topology which is only ldap. Renamed test_rootdse.py test case names
- test_authentication.py: updated non-descriptive docstrings.
- test_identity.py: moved tests from test_autoprivategroup.py, because it performs an identity lookup and is one test case.
- test_autofs.py: removed ldap from autofs requirement, because test cases are now generic.
- test_proxy.py: updated test case name to reflect what is being tested -- test case should be updated
- test_memory_cache.py: renamed test cases to make them more readable
- test_sssctl.py merged with test_sssctl_analyze.py
- test_default_debug_level.py renamed to logging.py

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
23afc3bb by Patrik Rosecky at 2024-04-11T14:09:56-04:00
Tests: convert multihost/alltests/test_cache_testing to system/test_sss_cache

- - - - -
b67a29ff by Alexey Tikhonov at 2024-04-15T07:13:18+02:00
SPEC: suppress `chown` errors

Files that the package chown's during installation might not exist and
that's totally fine (clean install).

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fa9f6882 by shridhargadekar at 2024-04-15T07:13:40+02:00
Tests: sudo defaults rule

Changed doc-strings and steps for more clarity

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b164766a by Dan Lavu at 2024-04-16T08:54:59-04:00
tests: removing genconf, chown tests and updating passkey dirs

- - - - -
c25568fc by Alexey Tikhonov at 2024-04-16T15:13:53+02:00
SPEC: build RHEL9 `--with-libsifp`

'libsss_simpleifp' stays in RHEL9, let upstream copr match downstream
packaging.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
57c4ccdc by Alexey Tikhonov at 2024-04-16T19:05:18+02:00
BUILD: get rid of `--with-semanage` leftovers

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>

- - - - -
d7db7971 by Sumit Bose at 2024-04-18T11:53:37+02:00
ad-gpo: use hash to store intermediate results

Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision whether access is granted or rejected.

If there are two or more access-control requests running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will make this decision based on intermediate data.

To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ab2671c0 by Alexey Tikhonov at 2024-04-18T11:54:31+02:00
DEBUG: reduce log level in case a responder asks for unknown domain

Addition to 718fed9c53807b8502d6547bc0253b979d35e677

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
7293eeea by Pavel Březina at 2024-04-18T20:07:52+02:00
scripts: add sssd.sysusers to srpm generated by make_srpm.sh

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
aacb789b by Jakub Vávra at 2024-04-19T13:44:42+02:00
Tests: Split package installation transactions and add error logging.

Issues in package installation were silently ignored, resulting in
debugging failures elsewhere. This also resulted in false PASSED
in case sssd was not updated due to some dependency problem.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bf99d606 by dependabot[bot] at 2024-04-22T18:02:39+02:00
build(deps): bump vapier/coverity-scan-action from 1.7.0 to 1.8.0

Bumps [vapier/coverity-scan-action](https://github.com/vapier/coverity-scan-action) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/vapier/coverity-scan-action/releases)
- [Commits](https://github.com/vapier/coverity-scan-action/compare/v1.7.0...v1.8.0)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
be8913eb by Abhijit Roy at 2024-04-22T18:02:59+02:00
sdap_idmap: Enabling further debugging to understand the underlying reason for "Could not convert objectSID".

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
55bcb883 by Madhuri Upadhye at 2024-04-22T18:03:24+02:00
Tests: passkey: Add a ssh key as a passkey mapping

Here, added two test cases:
1. Check log message when we add ssh key as passkey
mapping.
2. Check log message when we add ssh key with
passkey token.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
0de6c330 by Sumit Bose at 2024-04-23T11:58:46+02:00
ad: refresh root domain when read directly

If the domain object of the forest root domain cannot be found in the
LDAP tree of the local AD domain SSSD tries to read the requested data
from an LDAP server of the forest root domain directly. After reading
this data the information is stored in the cache but currently the
information about the domain stored in memory is not updated with the
additional data. As a result e.g. the domain SID is missing in this data
and only becomes available after a restart where it is read from the
cache.

With this patch an unconditional refresh is triggered at the end of the
fallback code path.

Resolves: https://github.com/SSSD/sssd/issues/7250

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0515eac5 by Alexey Tikhonov at 2024-04-23T14:45:54+02:00
TESTS: 'config_file_version' option doesn't exist

since e57093067665bb15c76cb88269fae93d44499bd5

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
65ca6725 by Alexey Tikhonov at 2024-04-24T13:05:07+02:00
CI: remove unused stuff (lcov, ...)

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
4b2553d4 by Dan Lavu at 2024-04-25T11:59:40+02:00
tests: updating makefile.am to include tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0f0aaa25 by Alexey Tikhonov at 2024-04-25T16:00:55+02:00
CI: drop support of centos-stream-8

Addition to 5bbc14658b54b083aa0da485073cde47b40c3396

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
61e7372c by Alexey Tikhonov at 2024-04-25T16:00:55+02:00
CI: enable centos-stream-10

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d8e83116 by Alexey Tikhonov at 2024-04-25T16:07:41+02:00
PAC: add 'sssd' user to the list of 'allowed_uids'

:config:SSSD service user was added to the default value of
PAC 'allowed_uids' in case corresponding support was built.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
92c902ab by Alexey Tikhonov at 2024-04-26T08:26:54+02:00
BUILD: make support of 'sssd.conf::user' option configurable

:relnote:Support of 'sssd.conf::user' option was made build time
configurable ('--with-conf-service-user-support') and disabled by
default. Take a note that this ./configure option only makes sense
if used together with '--with-sssd-user=...'
Support of this option is deprecated and might be removed in future
releases. Recommended way to configure SSSD service user is to simply
start main SSSD process under required user (made available at build
time using '--with-sssd-user=...')

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7239dd67 by Sumit Bose at 2024-04-26T08:57:00+02:00
dist: set capabilities during make install

Resolves: https://github.com/SSSD/sssd/issues/7284

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1199bd10 by Sumit Bose at 2024-04-26T08:57:00+02:00
conf: update path permissions

Use the same permissions as in the spec file during 'make install'.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
738bb533 by Samuel Cabrero at 2024-04-26T12:47:29+02:00
GPO: Defer SMB server choice until id connection established when processing referrals

Fixes referral processing when the connection to the referred domain has
not yet been initialized. This may happen when sssd has just started as
state->conn->service->uri of referred subdomain may not have been resolved
yet.

Defer the decision on which SMB server to download the GPO files from until
the id connection has been established as the user might have forced
the DC to use (ad_server parameter).

Related to: https://github.com/SSSD/sssd/issues/3686

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
98efb5ec by Samuel Cabrero at 2024-04-26T12:47:33+02:00
GPO: Remove unused local variable

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
99260671 by Samuel Cabrero at 2024-04-26T12:47:37+02:00
SYSDB: Add sysdb_gpos_base_dn()

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e1692772 by Samuel Cabrero at 2024-04-26T12:47:40+02:00
GPO: Fetch the GPO's displayName attribute

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
568ca5de by Samuel Cabrero at 2024-04-26T12:47:43+02:00
SYSDB: Store GPO's displayName in sysdb

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
35801347 by Samuel Cabrero at 2024-04-26T12:47:46+02:00
SYSDB: Store the GPO's filesystem path in sysdb entry

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
66fd8a04 by Samuel Cabrero at 2024-04-26T12:47:50+02:00
SYSDB: Always canonicalize GPO guid

Always store the guid uppercased and enclosed in curly brackets.

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cf59da1a by Samuel Cabrero at 2024-04-26T12:47:54+02:00
SYSDB: Add new index for gpoGUID and make searches on it case insensitive

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
095e31eb by Samuel Cabrero at 2024-04-26T12:47:57+02:00
SSSCTL: Prepare for extended help in subcommands

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
18a17bcd by Samuel Cabrero at 2024-04-26T12:48:00+02:00
SSSCTL: Add gpo-show command

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6dc9166c by Samuel Cabrero at 2024-04-26T12:48:02+02:00
SSSCTL: Add sssctl gpo-list command

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
be735999 by Samuel Cabrero at 2024-04-26T12:48:05+02:00
SYSDB: Add a function to delete GPO entry by GPO GUID

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
afee68b1 by Samuel Cabrero at 2024-04-26T12:48:08+02:00
SSSCTL: Add sssctl gpo-remove command

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c5b16eec by Samuel Cabrero at 2024-04-26T12:48:10+02:00
SSSCTL: Add gpo-purge command

Resolves: https://github.com/SSSD/sssd/issues/4523

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
54179a09 by Samuel Cabrero at 2024-04-26T12:49:13+02:00
SSSCTL: Add the new cached GPOs management commands to release notes

:relnote: The 'sssctl' command line tool has been extended to manage
the cached GPOs. It is now possible to list ('gpo-list') and show
('gpo-show') the cached GPOs, and the 'gpo-remove' and 'gpo-purge'
subcommands are particularly useful as they remove not only the entry
from the database but also the downloaded GPO files.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a226b245 by Alexey Tikhonov at 2024-04-30T13:39:30+02:00
SPEC: manage /run/sssd using tmpfiles.d

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b3a487a4 by Alexey Tikhonov at 2024-04-30T16:05:47+02:00
LDAP_CHILD: replace `become_user()` with `sss_drop_all_caps()`

Since e2c26e810c3635124255e7619272591eab143553 'ldap_child' always runs
under SSSD_USER and uses file capabilities instead. For this reason
it doesn't make sense to call `become_user()` - `sss_drop_all_caps()`
is enough.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2891e746 by Alexey Tikhonov at 2024-04-30T16:05:47+02:00
KRB5_CHILD: keep 'set-user-ID' in `k5c_become_user()`

Keep saved set-user-ID in `k5c_become_user()` so that 'sssd_be'
running under SSSD_USER could signal it.

Resolves: https://github.com/SSSD/sssd/issues/5536

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c15bd3ae by Justin Stephenson at 2024-05-01T15:33:38+02:00
krb5: Move soft_terminate_krb5_child to static

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
d42c5e7d by Madhuri Upadhye at 2024-05-01T15:35:51+02:00
Tests: Deleting converted test cases

All of the test cases are converted to the new test
case framework, deleting them to avoid duplication
of work.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
dc637c97 by Alexey Tikhonov at 2024-05-02T15:11:24+02:00
RESPONDER: use proper context for getDomains()

Request was created on a long term responder context, but a callback
for this request tries to access memory that is allocated on a short
term client context. So if client disconnects before request is
completed, then callback dereferences already freed memory.

Resolves: https://github.com/SSSD/sssd/issues/7319

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9aaa7130 by Madhuri Upadhye at 2024-05-07T10:13:49+02:00
Tests: Add the test case passkey for fips enable

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b32f5960 by Justin Stephenson at 2024-05-07T14:20:31+02:00
man: Add local_auth_policy table

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
76ec4919 by Jakub Vávra at 2024-05-07T14:24:03+02:00
Tests: Add extra debug to test_0003_gssapi_ssh.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
6319e427 by Jakub Vávra at 2024-05-07T14:24:03+02:00
Tests: Switch test_0001_memcache_sid to reuse adjoin code.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
de5e22e2 by Jakub Vávra at 2024-05-07T14:24:03+02:00
Tests: Add journalctl when systemctl sssd fails.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
8aa72b16 by Jakub Vávra at 2024-05-07T14:24:03+02:00
Tests: Update ad parameters ported for non-root.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
59d19d90 by Jakub Vávra at 2024-05-07T14:24:03+02:00
Tests: Add extra sssd restart on master for samba tests.

For non-root the sssd needs to be restarted after joining the AD
and fixing sssd.conf permissions, this was not done on master (smb).

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f160242d by Jakub Vávra at 2024-05-07T14:24:03+02:00
Tests: Add fixing sssd.conf ownership after realm join.

Add journalctl info when service_ctrl call fails.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bc1a8e96 by Jakub Vávra at 2024-05-07T14:24:03+02:00
Tests: Fix PEP8 on updated AD suites.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
31bd16f6 by Jakub Vávra at 2024-05-07T15:37:48+02:00
Tests: Update expect as passwd password change message changed.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
be42ada1 by Alejandro López at 2024-05-09T15:27:28+02:00
BACKENDS: Move the netlink watching to the backends

Network status changes were watched by the monitor and it would
signal through D-Bus the backends to check their online status.

This commit moves the network status change watching to the backends
themselves.

Configuration is still managed by the monitor's disable_netlink option.

The resetOffline d-bus method is still available although it is no
longer used by the monitor upon network status changes.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ce9924c3 by Alejandro López at 2024-05-09T15:27:28+02:00
TEST: Exclude libnl-3 from valgrind tests

Because tests are now linked to libnl-3, valgrind tests are failing.
We suppress errors for this external library.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b821c77f by Alejandro López at 2024-05-09T15:27:28+02:00
MAN: Make disable_netlink in `man sssd.conf` conditional

The presence of the disable_netlink option in the sssd.conf man page
is now conditional on HAVE_LIBNL, that is, on the presence of the library
and on the value of the --with-libnl option with which ./configure was executed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7f48c7c4 by Dan Lavu at 2024-05-09T15:27:55+02:00
tests: adding gpo system tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ef66a27a by Alexey Tikhonov at 2024-05-10T11:06:34+02:00
KCM: run under SSSD_USER by default

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
18aecfd4 by Alexey Tikhonov at 2024-05-10T11:06:34+02:00
make install: catch up with the spec-file

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f58be95c by Alexey Tikhonov at 2024-05-10T11:06:34+02:00
MAKE: only add 'AmbientCapabilities' template if

built '--with-conf-service-user-support'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ca684cd1 by Madhuri Upadhye at 2024-05-10T13:18:56+02:00
Tests: rename fips passkey test's recording files path

Rename the fips passkey test case's recording file path.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7bab2361 by Alexey Tikhonov at 2024-05-13T10:29:29+02:00
SYSTEMD: chown() sssd.conf in service file

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5531e1de by Alexey Tikhonov at 2024-05-13T10:29:29+02:00
SYSTEMD: don't chown() logs

Reconfiguration of the SSSD service user should be an exceptionally rare event,
so it's reasonable to expect that the administrator should also wipe artifacts
(logs, ldb-cache) manually in this case, so keeping chown()-s in the service
file isn't justified.

:packaging: systemd service files for socket activated responders don't
chown() logs anymore. chown() happens once during package update. In case
of reconfiguration of the SSSD service user after installation, log files
and ldb-cache files should be deleted or chown()-ed manually.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f1c62181 by Sumit Bose at 2024-05-15T11:31:38+02:00
oidc_child: fix wrong usage of '%*s'

If it is not clear whether a string is 0-terminated or not but the length is
known, the '%.*s' template must be used to use only the given number of
characters. '%*s' is a valid printf() template but only sets the minimal
width of the output.

This patch fixes an occurrence in the sysdb code as well.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
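
The difference this commit describes, as an added example that is not code from the SSSD commit itself: passing the byte count as a precision ("%.*s") bounds what printf reads, while passing it as a width ("%*s") only pads the output and printf still reads until a NUL. The helper names and the sample buffer below are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 9-byte, 0-terminated buffer of which only the
 * first 6 bytes are the "string" whose length a caller knows. */
static const char sample[] = "abcdefXYZ";

/* Precision form: "%.*s" prints at most `len` bytes of `buf` (stopping
 * earlier at a NUL), so a known-length, possibly unterminated buffer is
 * formatted without reading past `len`. */
static const char *format_bounded(const char *buf, int len)
{
    static char out[64];
    snprintf(out, sizeof out, "[%.*s]", len, buf);
    return out;
}

/* Width form: "%*s" uses `len` only as a minimum field width. printf still
 * reads `buf` up to its NUL, so on an unterminated buffer this would read
 * out of bounds; it is called here only on 0-terminated input to show the
 * difference in output. */
static const char *format_width_only(const char *buf, int len)
{
    static char out[64];
    snprintf(out, sizeof out, "[%*s]", len, buf);
    return out;
}

/* Returns 1 when the bounded form yields exactly the first `len` bytes
 * of `buf` and nothing more (the brackets account for the +2). */
static int bounded_matches_prefix(const char *buf, int len)
{
    const char *s = format_bounded(buf, len);
    return (int)strlen(s) == len + 2 && strncmp(s + 1, buf, (size_t)len) == 0;
}

int main(void)
{
    printf("%%.*s with len 6: %s\n", format_bounded(sample, 6));
    printf("%%*s  with len 6: %s\n", format_width_only(sample, 6));
    printf("%%*s  on \"abc\", width 6: %s\n", format_width_only("abc", 6));
    return 0;
}
```

With len 6 the precision form yields "[abcdef]" for the sample, whereas the width form prints the whole terminated buffer "[abcdefXYZ]" and only pads short strings ("[   abc]" for "abc").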

- - - - -
7077328f by Lizhou Sha at 2024-05-15T11:32:02+02:00
SPEC: Add Requires: sssd-krb5-common for KCM ticket renewals

The KCM ticket-renewal feature relies on the /usr/libexec/ssd/krb5_child
binary for functionality. That binary is provided by the RPM package
sssd-krb5-common. This commit fixes the dependency of sssd-kcm in the
spec file.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
39f5b9ac by Andreas Schneider at 2024-05-16T10:11:17+02:00
ad_gpo_child: Improve libsmbclient code

We plan to get rid of smbc_setFunctionAuthData() in future, so already
move to the function using the context. Also tell libsmbclient we do not
want to fallback if Kerberos fails.

Signed-off-by: Andreas Schneider <asn at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
914ce094 by Justin Stephenson at 2024-05-16T10:53:01+02:00
passkey: Return error during passkey processing

Avoid retrying SSS_PAM_PREAUTH loop if an unexpected error
is encountered during passkey processing.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d7d51126 by Justin Stephenson at 2024-05-16T10:53:01+02:00
passkey: Improve passkey mapping handling

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f1351027 by Madhuri Upadhye at 2024-05-16T10:53:01+02:00
Test: Update tc when mapping and key are added

Update the passkey test case where we are now testing
su passkey auth of user when user is added with ssh-key
and passkey mapping for AD, Samba and LDAP server.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit b73994ff3ddf58b9363282b47ebe5ca2329462c2)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e9738e36 by Pavel Březina at 2024-05-16T11:13:25+02:00
failover: add failover_primary_timeout option

This was previously hardcoded to 31 seconds (hardcoded retry_timeout +
1). This may be too short a period under some circumstances.

When we retry primary server we drop connection to the backup server and
if the primary server is not yet available (and there are many
unavailable primary servers) we may go through a long timeout cycle
every half minute.

This patch makes the value configurable.

:config: Added `failover_primary_timeout` configuration option. This
  can be used to configure how often SSSD tries to reconnect to a
  primary server after a successful connection to a backup server.
  This was previously hardcoded to 31 seconds which is kept as
  the default value.

Resolves: https://github.com/SSSD/sssd/issues/7375

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
d13dc329 by Weblate at 2024-05-16T13:31:23+02:00
po: update translations

(Finnish) currently translated at 10.1% (72 of 712 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Korean) currently translated at 66.3% (1711 of 2577 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Swedish) currently translated at 100.0% (2761 of 2761 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (712 of 712 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Korean) currently translated at 66.2% (1708 of 2577 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 66.2% (1707 of 2577 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (712 of 712 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 66.0% (1701 of 2577 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 100.0% (712 of 712 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Polish) currently translated at 4.9% (130 of 2625 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pl/

po: update translations

(Korean) currently translated at 66.0% (1701 of 2577 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Russian) currently translated at 100.0% (2761 of 2761 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

- - - - -
9a5a54cf by Jakub Vávra at 2024-05-20T14:03:16+02:00
Tests: Update password change expect to work

The message changed between RHEL 9 and RHEL 10.
From: "passwd: all authentication tokens updated successfully"
To: "passwd: password updated successfully"

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a008acce by Alexey Tikhonov at 2024-05-22T10:42:07+02:00
TOOLS: don't overwrite config.ldb

This partially reverts d2d8f342cd5e90bb9fd947c448492225f959aa86
There should be no reason for 'sssctl' to run if SSSD itself isn't
running (or wasn't run so 'config.ldb' is absent).

Enforced recreation of 'config.ldb', on the other hand, might spoil
file ownership, as 'sssctl' is typically run under 'root', but SSSD
itself might be running under 'sssd' user.

This also reverts f405a4a3694957b5a5cb45d0f7ea2854d876cbb6
`confdb_expand_app_domains()` in `sss_tool_domains_init()` isn't
needed anymore, because 'sssctl' now uses 'config.ldb' created by
'monitor' where this expansion was already done.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cbc44151 by Jakub Vávra at 2024-05-28T09:06:21+02:00
Tests: Add extra output in package_mgmt when operation fails.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
d7d2b967 by Jakub Vávra at 2024-05-28T09:06:21+02:00
Tests: Move logging settings change to test start

The custom log setting changes were done at the start of session
but we did not manage to grab session/class level fixtures
output a result. Moving the changes to tests start and restore to test end.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
5999e070 by aborah at 2024-05-28T09:08:41+02:00
Tests: Fix the test failures for tier-1-pytest-alltests-tier1-2 for non root configuration

Fix the test failures for tier-1-pytest-alltests-tier1-2 for non root configuration

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
b026d625 by Pavel Březina at 2024-05-28T14:49:04+02:00
ci: explicitly set which topologies are already provisioned

PRCI uses containers that already have multiple topologies provisioned
out of the box. pytest-mh and sssd-test-framework recently got the
ability to provision topology directly from pytest so in order to skip
this step in PRCI we need to set it explicitly.

Note that the client container is currently not enrolled in AD, so we
use topology setup there. Therefore if you run the tests locally with
AD running, you don't have to do a thing - client will automatically
join and leave the AD domain when AD/IPA-TRUST-AD topology is run.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
bf436377 by Pavel Březina at 2024-05-29T11:08:38+02:00
ci: use python 3.11 for system tests

pytest-mh and sssd-test-framework started to require python 3.11 which
is not available on ubuntu runners by default.

- - - - -
85a238c6 by Samuel Cabrero at 2024-05-29T11:09:24+02:00
TESTS: Extend sysdb-tests to check case-insensitive store operations

If the domain is case insensitive then users and groups must be
correctly stored regardless of name capitalization.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d2b734b9 by Samuel Cabrero at 2024-05-29T11:09:24+02:00
SYSDB: Use SYSDB_NAME from cached entry when updating users and groups

The sysdb_store_user() and sysdb_store_group() functions search for the
entry by name to check if it is already cached. This search considers
SYSDB_ALIAS, added when the domain is case insensitive. If a matching
entry is found use its SYSDB_NAME instead of the passed name.

It may happen the group is stored in uppercase, but later some server
returns a memberOf attribute in lowercase. When updating the group to
add the memberships the first search will find the entry, but the modify
operation will fail as the group name in the built DN will differ in case.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
19df6a5d by Alexey Tikhonov at 2024-05-29T14:32:02+02:00
SSH: sanity check to please coverity

Fixes:
```
Error: INTEGER_OVERFLOW (CWE-190):
sssd-2.10.0/src/util/sss_ssh.c:195:13: underflow: The decrement operator on the unsigned variable ""len"" might result in an underflow.
sssd-2.10.0/src/util/sss_ssh.c:204:9: overflow_sink: ""len"", which might have underflowed, is passed to ""memcpy(out, pubkey->data, len)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
 #  202|           }
 #  203|
 #  204|->         memcpy(out, pubkey->data, len);
 #  205|           out[len] = '\0';
 #  206|       }
```

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
7c913edc by Alexey Tikhonov at 2024-05-29T14:32:29+02:00
CLIENT:idmap: fix coverity warning

Fixes following issue:
```
"Error: INTEGER_OVERFLOW (CWE-190):
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:306:5: tainted_data_argument: The value returned in ""replen"" is considered tainted.
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: overflow: The expression ""replen - 12UL"" might be negative, but is used in a context that treats it as unsigned.
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: assign: Assigning: ""data_len"" = ""replen - 12UL"".
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow: The expression ""1UL * data_len"" is deemed underflowed because at least one of its arguments has underflowed.
sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow_sink: ""1UL * data_len"", which might have underflowed, is passed to ""malloc(1UL * data_len)"".
 #  345|           }
 #  346|
 #  347|->         str = malloc(sizeof(char) * data_len);
 #  348|           if (str == NULL) {
 #  349|               ret = ENOMEM;"
```

Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
f32b021e by Alexey Tikhonov at 2024-05-29T14:32:52+02:00
MONITOR: increase 'services_startup_timeout'

so that it is aligned with MONITOR_MAX_SVC_RESTARTS & MONITOR_MAX_RESTART_DELAY

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6de231d7 by Alexey Tikhonov at 2024-05-29T14:32:52+02:00
MONITOR: quit if any of providers didn't start

This is a more or less cosmetic change in the sense that currently
this code / condition shouldn't be reachable (see comment in the
patch).

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
979c25f3 by Jakub Vávra at 2024-05-29T14:48:18+02:00
Tests: Update ad multiforest and multidomain suites.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ac6536d1 by Alexey Tikhonov at 2024-05-30T09:52:55+02:00
CI: remove http-parser dependency

It's not used since 10069b1d39e671b7502c5211883c94ceaa91aebb

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
d1428aac by Dominika Borges at 2024-06-03T11:56:35+02:00
doc: improve `failover_primary_timeout` option

Resolves: https://github.com/SSSD/sssd/issues/7375

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ecda21a4 by Samuel Cabrero at 2024-06-03T11:57:07+02:00
BUILD: Fix os detection

SUSE and openSUSE no longer ship /etc/SuSE-release [1], fall back to
/etc/os-release if autodetection fails.

[1] https://en.opensuse.org/Etc_SuSE-release

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d75727e6 by Samuel Cabrero at 2024-06-03T11:57:07+02:00
TOOLS: Adjust sssctl user-checks default PAM service for SUSE

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
46fbc499 by Gaël PORTAY at 2024-06-03T20:56:00+02:00
Add missing debian operating system in help string

The commit e6ae55d5423434d5dc6c236e8647b33610d30e2e has added the debian
operating system, but the help string does not reflect it yet.

This adds the missing debian entry in the help string.

See:

	gportay at archlinux ~/src/sssd $ ./configure --help | grep -A1 with-os
	  --with-os=OS_TYPE       Type of your operation system
	                          (fedora|redhat|suse|debian|gentoo)

Signed-off-by: Gaël PORTAY <gael.portay at rtone.fr>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7b32dc0a by Gaël PORTAY at 2024-06-03T20:56:00+02:00
Allow unknown operating system build

There are various operating systems in the world, and there are even
more if considering the embedded world.

Trying to detect all of them is hard work and unnecessary.

If the host operating system is uncaught, the configure succeeds with
the following incomplete output:

	./configure
	(...)
	configure: Detected operating system type:
	configure: Build with  config
	---------------------^^

This enables the operating system "unknown" to remove the error raised
and to allow setting a system that is not in the short list.

It allows the use for options --with-os=unknown or --with-os=arch that
are often more representative if the operating system is not in the
short list.

It turns:

	./configure --with-os=unknown
	(...)
	configure: error: Illegal value -unknown- for option --with-os

Into:

	./configure --with-os=unknown
	configure: Detected operating system type: unknown
	configure: Build with unknown config

Also, it avoids the assumption the target operating system is the same
as host if cross-compiling, and leads to errors.

For example, the commit e6ae55d5423434d5dc6c236e8647b33610d30e2e passes
the downstream debian option --install-layout=deb to setup.py and raises
an error if targeting a non-debian world (such as openembedded).

Fixes:

	error: option --install-layout not recognized

Signed-off-by: Gaël PORTAY <gael.portay at rtone.fr>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3dc8f692 by Alexey Tikhonov at 2024-06-04T14:27:18+02:00
KRB5: make sure `get_tgt_times()` always sets `tgtt`

if it doesn't return error code

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2e3f1ab7 by Alexey Tikhonov at 2024-06-04T14:27:18+02:00
KRB5: TGT RENEWAL: try to renew old ccaches immediately

Unprivileged 'sssd_be' can't read ccache, so just ask 'krb5_child' to do
the work.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
671a4de2 by Alexey Tikhonov at 2024-06-04T14:27:18+02:00
KRB5: TGT RENEWAL: avoid flooding KDC

There might be a large batch of tickets awaiting renew when SSSD
is started. Add a 100 msec delay between renewal requests.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
eb334ccd by Alexey Tikhonov at 2024-06-04T14:27:18+02:00
KRB5: make sure FILE: TGT is still renewable

before asking KDC.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5fc9590e by Alexey Tikhonov at 2024-06-04T18:18:49+02:00
CLIENT: a bit more accurate data type handling

Should resolve the following coverity complaint:
```
"Error: INTEGER_OVERFLOW (CWE-190):
sssd-2.10.0/src/sss_client/common.c:233:13: tainted_data_return: Called function ""send(sss_cli_sd_get(), (char *)header + datasent, 16UL - datasent, MSG_NOSIGNAL)"", and a possible return value may be less than zero.
sssd-2.10.0/src/sss_client/common.c:233:13: cast_overflow: An assign that casts to a different type, which might trigger an overflow.
sssd-2.10.0/src/sss_client/common.c:260:9: overflow: The expression ""datasent += res"" might be negative, but is used in a context that treats it as unsigned.
sssd-2.10.0/src/sss_client/common.c:233:13: overflow: The expression ""16UL - datasent"" is deemed underflowed because at least one of its arguments has underflowed.
sssd-2.10.0/src/sss_client/common.c:233:13: overflow_sink: ""16UL - datasent"", which might have underflowed, is passed to ""send(sss_cli_sd_get(), (char *)header + datasent, 16UL - datasent, MSG_NOSIGNAL)"".
 #  231|           errno = 0;
 #  232|           if (datasent < SSS_NSS_HEADER_SIZE) {
 #  233|->             res = send(sss_cli_sd_get(),
 #  234|                          (char *)header + datasent,
 #  235|                          SSS_NSS_HEADER_SIZE - datasent,"
```

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
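
The three Coverity INTEGER_OVERFLOW reports above (the unsigned `len` decrement before `memcpy()` in sss_ssh.c, the `replen - 12UL` payload length in sss_nss_idmap.c, and the signed `send()` result added to the unsigned `datasent` in common.c) are one defect class: unsigned arithmetic that wraps when a check is missing. The following is an added, self-contained C example, not SSSD's code, showing each pattern with the guard that keeps it from wrapping; the function names, the 12-byte header size and the in-memory `sink` used in place of a socket are assumptions for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Assumed fixed reply header size, mirroring the "replen - 12UL" in the
 * Coverity report above; not SSSD's actual wire layout. */
#define REPLY_HEADER_SIZE 12UL

/* Pattern 1 (sss_ssh.c report): decrementing an unsigned length.
 * Copy 'pubkey' into 'out' with trailing whitespace stripped and a NUL
 * appended.  Returns the number of bytes copied, or -1 when the input is
 * empty or all whitespace, or 'out' cannot hold the result plus NUL. */
static ssize_t copy_trimmed(const uint8_t *pubkey, size_t len,
                            char *out, size_t out_size)
{
    /* 'len > 0' is the sanity check: 'len--' on an unsigned zero wraps to
     * SIZE_MAX, and the memcpy below would then read far past the input. */
    while (len > 0 && (pubkey[len - 1] == '\n' || pubkey[len - 1] == '\r'
                       || pubkey[len - 1] == ' ')) {
        len--;
    }
    if (len == 0 || len + 1 > out_size) {
        return -1;
    }
    memcpy(out, pubkey, len);
    out[len] = '\0';
    return (ssize_t)len;
}

/* Pattern 2 (sss_nss_idmap.c report): deriving a payload length from an
 * untrusted total.  Returns 0 and sets *data_len, or EINVAL when 'replen'
 * is shorter than the header: subtracting first would underflow and hand a
 * huge size to malloc(). */
static int reply_data_len(size_t replen, size_t *data_len)
{
    if (replen < REPLY_HEADER_SIZE) {
        return EINVAL;
    }
    *data_len = replen - REPLY_HEADER_SIZE;
    return 0;
}

/* Pattern 3 (common.c report): mixing the signed result of send() with an
 * unsigned byte counter.  'send_fn' stands in for send(2) so the loop can
 * run without a socket. */
typedef ssize_t (*send_fn)(void *ctx, const void *buf, size_t len);

/* Send all 'len' bytes, handling short writes.  The result is checked for
 * < 0 before it is added to the unsigned 'datasent'; otherwise a -1 would
 * become SIZE_MAX and 'len - datasent' would wrap on the next call. */
static int send_all(send_fn fn, void *ctx, const void *buf, size_t len)
{
    size_t datasent = 0;
    while (datasent < len) {
        errno = 0;
        ssize_t res = fn(ctx, (const char *)buf + datasent, len - datasent);
        if (res < 0) {
            if (errno == EINTR || errno == EAGAIN) {
                continue;               /* transient: retry the same chunk */
            }
            return errno != 0 ? errno : EIO;
        }
        if (res == 0) {
            return EIO;                 /* no progress: peer went away */
        }
        datasent += (size_t)res;        /* safe: res is non-negative here */
    }
    return 0;
}

/* Constructed in-memory sink for exercising send_all(): delivers at most
 * 'max_chunk' bytes per call to force short writes and fails with EPIPE on
 * call number 'fail_on' (counting from 0; -1 means never fail). */
struct sink {
    char buf[64];
    size_t used;
    size_t max_chunk;
    int fail_on;
    int calls;
};

static ssize_t sink_send(void *ctx, const void *buf, size_t len)
{
    struct sink *s = ctx;
    if (s->calls++ == s->fail_on) {
        errno = EPIPE;
        return -1;
    }
    if (len > s->max_chunk) {
        len = s->max_chunk;
    }
    if (s->used + len > sizeof(s->buf)) {
        len = sizeof(s->buf) - s->used;
    }
    memcpy(s->buf + s->used, buf, len);
    s->used += len;
    return (ssize_t)len;
}
```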

- - - - -
1a3554b2 by dependabot[bot] at 2024-06-05T11:14:09+02:00
build(deps): bump actions/setup-python from 4 to 5

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4...v5)

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4cf9625b by Sumit Bose at 2024-06-05T11:17:44+02:00
sbus: retry Hello if ERR_SBUS_NO_REPLY was received

If the system is starting up it might happen that a time synchronisation
daemon changes the system time. If SSSD is starting at the same time and
one of the components is sending a D-Bus Hello message shortly before
the time change it might happen that libdbus will consider this request
as timed-out after the time change happened and returns
ERR_SBUS_NO_REPLY.

To avoid a complete startup failure under this condition this patch will
try to send the Hello message again.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
15ab9be5 by Pavel Březina at 2024-06-05T11:31:54+02:00
pot: update pot files

- - - - -
7c443ab4 by Pavel Březina at 2024-06-05T12:44:09+02:00
scripts: add support for beta and rc versions

- - - - -
6db9030f by Alexey Tikhonov at 2024-06-06T13:14:02+02:00
SPDX migration

- - - - -
5ae05315 by Pavel Březina at 2024-06-06T13:14:25+02:00
configure: use runstatedir for default pid path

make distcheck yields the following error because pidpath is currently hardcoded to
/run/sssd (with the run directory hardcoded) and prefix is not correctly applied.

```
autoreconf -if && ./configure && make distcheck/usr/bin/mkdir: cannot create directory '/run/sssd': Permission denied
make[5]: *** [Makefile:47801: installsssddirs] Error 1
```

```
2024-06-04T16:35:23.1627995Z /usr/bin/mkdir -p \
2024-06-04T16:35:23.1628921Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/include \
2024-06-04T16:35:23.1629987Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib \
2024-06-04T16:35:23.1631024Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/bin \
2024-06-04T16:35:23.1632011Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/sbin \
2024-06-04T16:35:23.1632919Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/man \
2024-06-04T16:35:23.1633620Z     /run/sssd \
2024-06-04T16:35:23.1634262Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1635121Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/ldb \
2024-06-04T16:35:23.1635921Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/dbus-1/system.d \
2024-06-04T16:35:23.1636710Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/dbus-1/system-services \
2024-06-04T16:35:23.1637387Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1637936Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1638495Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/sssd \
2024-06-04T16:35:23.1639022Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib \
2024-06-04T16:35:23.1639592Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd/modules \
2024-06-04T16:35:23.1640407Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/var/lib/sss/pipes/private \
2024-06-04T16:35:23.1641288Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/sssd/krb5-snippets \
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
aefc8cea by Pavel Březina at 2024-06-06T13:36:01+02:00
Release sssd-2.10.0-beta1

- - - - -
0d60e3dc by aborah at 2024-06-07T17:26:07+02:00
Tests: Fix RHEL10 failures

sub_id_ranges needed to be fixed : This is because of ABI change in libsubid library.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
eadb8726 by Pavel Březina at 2024-06-07T18:06:20+02:00
version: replace dash with tilda

We released a new SSSD beta version as 2.10.0-beta1, unfortunately
this caused issues in the rpm build system as this value is set as
the Version field but dash is not allowed in this field therefore
`make rpms` was broken.

Fedora guidelines require using ~ as a prerelease separator so
two NVR versions compare correctly. For example:

* 2.10.0 < 2.10.0-beta1
* 2.10.0~beta1 < 2.10.0

We will follow this guideline to make `make rpms` work again and
to avoid any further rpm issues. Next GitHub release will also
follow this guideline.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fad092b0 by Pavel Březina at 2024-06-07T18:06:21+02:00
ci deps: do not use -- to denote positional arguments anymore

This does not work on Fedora 41, it looks like it is not supported
by dnf5.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4e0b648d by Madhuri Upadhye at 2024-06-07T18:23:45+02:00
Test: Check the TGT of user after auth for passkey

Add the test case of passkey where we are checking
TGT of user after successful auth with IPA server.

Also add the fixture to update the ipa-optd at .service
file from server to make sure umockdev-run authenticate
the user without showing data mis match error.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
60fa7305 by Jakub Vávra at 2024-06-11T06:57:16+02:00
Tests: Update code handling journald.conf

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
815d89f8 by aborah at 2024-06-11T08:28:42+02:00
Tests: Fix ipa tests for RHEL10

Sssd switched from sss_ssh_knownhostsproxy to sss_ssh_knownhosts

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9f791612 by Jakub Vávra at 2024-06-11T15:08:33+02:00
tests: Drop already ported tests from alltest

Drop duplicate tests that have fallen into disrepair on RHEL 10 instead
of maintaining them.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
15fe8a11 by aborah at 2024-06-11T15:09:27+02:00
Tests: Fix RHEL9.5 issue

authselect was not selected for sssd

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
1812aaf7 by Alexey Tikhonov at 2024-06-11T18:13:21+02:00
SPEC: strip public rx bits from 'proxy_child'

as a safety measure for a case where administrator could be tempted
to set SUID bit to support some legacy/3rd party PAM module.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f37aa466 by Jakub Vávra at 2024-06-12T07:39:43+02:00
tests: Add loading kernel module sch_netem for tc tool

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f7c53d1f by aborah at 2024-06-12T09:59:17+02:00
Tests: Fix tier1_2 tests for rhel10

Number of file descriptors should be the same or close to the same as before and after modifying krb5_child

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
48e68121 by Jakub Vávra at 2024-06-12T12:01:25+02:00
tests: Drop test_bz1221992 that is invalid on RHEL 10

"sbus-dp_example1" was a unix socket of DBUS server maintained
in every backend. Now we moved to single SBUS server in "monitor"
so backends don't create own DBUS servers anymore.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
5ed2e37c by shridhargadekar at 2024-06-12T15:01:23+02:00
Tests: automount segfault fix

C++ code compilation error due to the return value from void function.
Adding 'return NULL'.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
49904292 by Jakub Vávra at 2024-06-12T16:05:32+02:00
test: Do not overwrite /etc/nsswitch.conf by authselect

Should fix test_more_than_one_cn.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
fc5c1a1a by Alexey Tikhonov at 2024-06-13T11:16:01+02:00
UTILS: reduce log level if `sss_krb5_touch_config()` fails

due to missing privileges: `sssd_be` runs unprivileged and can't
touch config in /etc.
Ideally it should be moved to a privileged helper process. For the time
being just reduce log level to avoid backtraces in logs.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
9fe254f4 by Daniel Bershatsky at 2024-06-13T21:58:02+02:00
SSS_CLIENT: Follow API changes in libsubid

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
9f363f86 by Pavel Březina at 2024-06-13T21:58:46+02:00
ci: do not collect pytest-mh logs in separate file

pytest-mh logs will be collected automatically per test on failure
so there is no reason to collect everything in single file. Having
logs per test will be easier to debug.

The test log is stored in:
artifacts/tests/$testname/test.log

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b7a47ffa by Pavel Březina at 2024-06-13T21:58:46+02:00
ci: disable show-capture in system tests

In case of failure, show-capture=yes (default) also prints all captured
pytest-mh logs. Showing these logs in pytest output just makes it more
difficult to locate the failed assertion. The logs are stored in file
for each failed test so we do not need to see them in pytest output
to debug the issue.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
27995f5d by Jakub Vávra at 2024-06-14T10:53:16+02:00
Tests: Drop tests converted to system from basic to save resources in prci

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f9c0c6d8 by Dan Lavu at 2024-06-14T10:54:07+02:00
tests: adding proper requirement for sss_ssh_knownhosts

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
b25e510a by Sumit Bose at 2024-06-14T11:07:18+02:00
ad: use right memory context in GPO code

The original primary SID is allocated on a temporary context and must be
moved to a longer living one to still be available when the SID is
evaluated later in the code.

Resolves: https://github.com/SSSD/sssd/issues/7411

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7e547770 by Jakub Vávra at 2024-06-18T09:12:47+02:00
Tests: Handle missing ldap_child.log in AD parameters

Handle possibly missing ldap_child log.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
bb72b53d by Iker Pedrosa at 2024-06-18T17:36:55+02:00
spec: change passkey_child owner

passkey_child owner was incorrectly set to $sssd_user:$sssd_user, when
it should be root:root. Correcting it.

Fixes: 30daa0ccdae5 ("spec: update to include passkey")

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
58da100d by Alexey Tikhonov at 2024-06-20T13:28:51+02:00
ENUMERATION: enable support for 'proxy' provider

even when built without '--with-extended-enumeration-support'

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4e345cc4 by Christopher Byrne at 2024-06-21T14:53:59+02:00
initscripts: Allow Gentoo initscripts to work with sssd user

Currently the sssd initscripts always start as root. Non-systemd users
cannot use non-root mode. This allows the initscripts to run with the
--with-sssd-user option.

Signed-off-by: Christopher Byrne <salah.coronya at gmail.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
48c0607b by Sumit Bose at 2024-06-21T14:54:19+02:00
configure: use prefix for systemd paths if needed

'make distcheck' fails because those paths didn't respect the prefix. To
avoid issues with standard prefixes like e.g. /usr, the prefix is only
added if it does not match the start of the systemd path.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
12150fcb by Sumit Bose at 2024-06-21T14:54:19+02:00
configure: use ${datadir} in polkitdir

Instead of using the absolute path name '/usr/share' ${datadir} is used
to respect configure options and to make 'make distcheck' pass.

'polkitdir' is only used if SSSD was configured to run as 'sssd' user.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4d517740 by Justin Stephenson at 2024-06-21T15:04:58+02:00
configure: use RUNDIR macro for config_pidpath

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
986bb726 by Sumit Bose at 2024-06-21T17:46:15+02:00
sysdb: do not fail to add non-posix user to MPG domain

SSSD does not handle the root user (UID==0) and treats all accounts with
UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
well and as a result for those accounts in MPG domains the check for a
collision of the primary GID should be skipped. The current code might
e.g. cause issues during GPO evaluation when adding a host account into
the cache which does not have any UID or GID set in AD and SSSD is
configured to read UID and GID from AD.

Resolves: https://github.com/SSSD/sssd/issues/7451

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
77f22467 by Alejandro López at 2024-06-25T13:15:36+02:00
MAN PAGES: Fix broken man pages

In Makefile.am:79 the CONDS variable is set in several lines for
readability. These new lines add a space that breaks the conditions
and thus some features do not match their conditions. For instance
"with_ssh" becomes "with_ssh ."

Solving this by reuniting them all in a single line as it was before
the line was split.

Resolves: https://github.com/SSSD/sssd/issues/7449

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
3d1bf5d8 by Alejandro López at 2024-06-25T13:15:36+02:00
SSH: Remove two unused configuration options

The 'ssh_hash_known_hosts' and 'ssh_hash_known_hosts' are not used
when sss_ssh_knownhostsproxy is not built. In that case, their
declarations and the code reading them from the configuration file
must be removed.

They are still kept on cfg_rules.ini, but a comment was added to their
declaration reminding the person who will remove them that that file
must also be updated.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
4dc96622 by Sumit Bose at 2024-06-25T13:16:01+02:00
p11_child: enhance 'soft_crl' option

Currently, if the 'soft_crl' verification option is set and the CRL is
"expired", there will be no CRL check at all. "Expired" is here used in
the sense that a new CRL should have already been issued by the CA
according to the 'nextupdate' information from the CRL file.

This means that a revoked certificate which was rejected when the CRL
was valid is allowed if the CRL is expired and 'soft_crl' is set. This
is inconsistent especially if the "expired" CRL is still available and
could at least be used to check for revoked certificates from the time
the CRL was issued.

With this patch, if 'soft_crl' is set and the CRL is expired the CRL
will still be used to check for revoked certificates and a message will
be sent to the system log for every valid certificate indicating that
the CRL file is expired and should be renewed as soon as possible.

This patch introduces a change in behavior and a revoked certificate
will now be rejected if the CRL is expired even if 'soft_crl' is set but
given the inconsistency described above the new behavior would be nearer
to an expected behavior than the original one.

Resolves: https://github.com/SSSD/sssd/issues/7404

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0562646c by Alexey Tikhonov at 2024-06-25T13:16:33+02:00
PAM: grant 'cap_dac_read_search=p' to sssd_pam

to allow `gss_acquire_cred_from()` and `gss_accept_sec_context()`
that need to read a keytab.

:packaging: 'sssd_pam' binary lost public rx bits and got
'cap_dac_read_search=p' file capability to be able to use GSS API

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3bac8c9c by Madhuri Upadhye at 2024-06-25T13:18:41+02:00
Test: Passkey test cases

Add following test cases:

1. Check the auth of user after destroying the TGT
and ipa service is not reachable.
2. Check the auth and TGT of user when 12 mappings are
added for a user.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
78684473 by Weblate at 2024-06-25T13:19:35+02:00
po: update translations

(Czech) currently translated at 93.4% (699 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Russian) currently translated at 100.0% (2789 of 2789 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (748 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Czech) currently translated at 92.9% (695 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Czech) currently translated at 91.9% (688 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Georgian) currently translated at 14.0% (105 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Georgian) currently translated at 13.7% (103 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Georgian) currently translated at 13.7% (103 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Czech) currently translated at 91.7% (686 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Korean) currently translated at 94.7% (709 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2789 of 2789 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Korean) currently translated at 66.6% (1712 of 2569 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Ukrainian) currently translated at 99.8% (2784 of 2789 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Korean) currently translated at 66.4% (1712 of 2577 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
6de89309 by Pavel Březina at 2024-06-25T13:28:05+02:00
pot: update pot files

- - - - -
fce2d97d by Christopher Byrne at 2024-06-26T11:10:53+02:00
BUILD: Wire up sysusers, udev and tmpfiles config for optional install

Gentoo needs the generated tmpfiles, however, due to the way sssd is
built, it can't just be copied that easily. Gentoo doesn't currently use
the udev rules, but they might be needed later if support is added.
On the other hand, Gentoo does not use the sysusers file as that's
handled by a different package, so those need to be excluded. The
default behavior is maintained if none of the options are specified.

Signed-off-by: Christopher Byrne <salah.coronya at gmail.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
28239d6c by Pavel Březina at 2024-06-26T11:11:39+02:00
scripts: switch back to dash for pre-releases

It turns out that git does not allow tilde in tag name
therefore we need to keep using dash for upstream releases
and tilde in downstream.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b44cb576 by Pavel Březina at 2024-06-26T11:11:39+02:00
Release sssd-2.10.0-beta2

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a3ecd25a by aborah at 2024-07-01T11:49:34+02:00
Tests: Fix tier2 tests for RHEL10

Fix tier2 tests for RHEL10

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
252f3652 by Dan Lavu at 2024-07-01T11:52:54+02:00
tests: updating gpo auto private group test case

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
4e95d6f6 by Jakub Vávra at 2024-07-03T15:14:26+02:00
tests: Skip tests dependent on ldap_use_ppolicy when not available.

Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
30a9f4f3 by John Veitch at 2024-07-04T12:22:04+02:00
Update sssd.in to remove -f option from sysv init script

fee3883 removed the -f option from sssd but the init script was
not updated accordingly at that time.

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4e486018 by John Veitch at 2024-07-04T12:22:04+02:00
Add --logger=files option to sysv init script

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e299525e by Samuel Cabrero at 2024-07-04T12:22:20+02:00
LDAP: New option to trigger password change in case of grace login with expired password

If LDAP server enforces password policies and the extended control is
returned in the bind response, trigger a password change in the case of
grace login when the remaining grace logins go below the configured
threshold.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6c1d2aac by Alejandro López at 2024-07-04T12:24:01+02:00
TESTS: Add example tests for D-Bus

Based on the current integration test on src/tests/intg/test_infopipe.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
af799964 by Sumit Bose at 2024-07-04T12:25:25+02:00
krb5_child: do not try passwords with OTP

During two-factor authentication (OTP) krb5_child should use the
dedicated OTP auth types SSS_AUTHTOK_TYPE_2FA and
SSS_AUTHTOK_TYPE_2FA_SINGLE exclusively and should not try password or
other types.

The special handling needed for ssh under certain conditions is
documented in the code and the man page.

Resolves: https://github.com/SSSD/sssd/issues/7456

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
88ac37d9 by Dan Lavu at 2024-07-04T12:27:04+02:00
tests: housekeeping - test_kcm.py

* added assert error messages
* fixed some typos and grammar

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
c19cac20 by Dan Lavu at 2024-07-08T15:22:58+02:00
tests: fixing gpo test case

auto_private_groups requires users with posix attributes enabled

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9a852565 by Dan Lavu at 2024-07-11T09:44:56+02:00
tests: housekeeping - test_gpo.py

* added assertion error messages

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 0319412201805049cca3a20248b57c7c5415bb1d)

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
9808b698 by Dan Lavu at 2024-07-11T09:44:56+02:00
tests: test_autofs.py - adding error messages

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d336ad18ad049470685ff9d7c1b6ddfdc4e9db89)

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
b1ce55a9 by Alexey Tikhonov at 2024-07-18T16:41:40+02:00
DEBUG: added missing newline

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc2a26c3 by Alexey Tikhonov at 2024-07-18T16:41:40+02:00
TS_CACHE: never try to upgrade timestamps cache

It's easier and more consistent to recreate it instead.

This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f0d45464 by Alexey Tikhonov at 2024-07-18T16:41:40+02:00
SYSDB: remove index on `dataExpireTimestamp`

This index was only used in cleanup tasks that don't run often.
On the other hand, this index is huge and degrades performance of libldb
in general.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
077d2993 by Sumit Bose at 2024-07-18T16:46:26+02:00
pam_sss: add missing optional 2nd factor handling

This is a follow up to pull-request #7462 and adds the proper handling of
an optional second factor in case the prompting is configured.

Resolves: https://github.com/SSSD/sssd/issues/7456

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f5f00f40 by Dan Lavu at 2024-07-23T16:05:41+02:00
tests: fixing auto_private_group test cases

two issues seemed like one, but they were actually different. added
another test to check the evaluation of auto_private_groups with posix
attributes while the other existing test was about missing groups.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5e77d3d4 by Alexey Tikhonov at 2024-07-23T16:11:01+02:00
sssd.supp: remove outdated entries

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6283742c by Alexey Tikhonov at 2024-07-23T16:11:01+02:00
sssd.supp: suppress invalid read in dlopen

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
415fa416 by Dan Lavu at 2024-07-23T16:14:49+02:00
test: housekeeping - sudo

housekeeping, the following is looked at and may have been done:
* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases
* added error messages to assertions

notable changes:
* removed authorization pytest marker, it's no longer used

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
8421f34d by Christopher Byrne at 2024-07-23T16:18:51+02:00
cfg_rules.ini: Add missing ldap_user_passkey entry.

This fixes the following message when using sssctl config-check and using
the ldap_user_passkey config option:

[rule/allowed_domain_options]: Attribute 'ldap_user_passkey' is not allowed
in section 'domain/EXAMPLE.COM'. Check for typos.

Signed-off-by: Christopher Byrne <salah.coronya at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
30d394d6 by Dan Lavu at 2024-07-23T16:20:06+02:00
tests: housekeeping - test_cache.py

housekeeping, the following is looked at and may have been done:

* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases

notable changes:

* created test_tools.py to move sss_cache test to
* renamed test_sss_cache.py to test_cache.py
* renamed test_memory_cache.py to test_memcache.py

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
0717974b by spinningTops at 2024-07-23T16:21:17+02:00
Expose flat_name for use in homedir path

Allow the use of the domain flat name (%F placeholder) in the homedir path also for AD subdomains.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
55db5db1 by Madhuri Upadhye at 2024-07-23T16:27:51+02:00
Tests: housekeeping: Description in passkey tests

Added a detailed description of passkeys,
how to register a passkey and test with umockdev.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
447deb03 by Dan Lavu at 2024-07-23T16:29:27+02:00
tests: housekeeping, test_proxy.py

* added test to authenticate using pam and nslcd
* updated setup code with sssd.common function
* fixed the language and added importance markers
* added description giving a quick overview of the bz in the docstring

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
71160e35 by Sumit Bose at 2024-07-23T16:39:34+02:00
man: add details for ad_access_filter

Mentioned explicitly that GPO based access control must be disabled if
ad_access_filter based access control should be the only access control.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
f43dcc30 by Dan Lavu at 2024-07-24T16:40:21+02:00
tests: housekeeping - test_trusts.py -> test_ipa_trusts.py

* renamed file to test_ipa_trusts.py
* added assertion error messages
* removed redundant assertion
* clarified steps and results

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
f70411aa by Dan Lavu at 2024-07-24T16:55:51+02:00
tests: housekeeping, test_files.py

* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* added pytest.mark.importance to test cases
* the tests are simple, removed the error messages

* root lookup test updated with an additional assertion

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8c19d7b6 by Dan Lavu at 2024-07-24T16:58:52+02:00
tests: housekeeping, test_ldap.py

housekeeping, the following is looked at and may have been done:
* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases

notable changes:
* removed lookup_user_default_naming_context_and_no_search_base because it is already covered by another test scenario
* added description to ppolicy tests, providing an explanation
* removed enumeration configuration from tests where enumeration is not being tested
* removed test case checking log messages for timeout

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
7716d13c by Dan Lavu at 2024-07-24T17:42:47+02:00
tests: housekeeping, test_authentication.py

housekeeping, the following is looked at and may have been done:
* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases

notable changes:
* big rename on the test case names, after discussing that some cases
  will have the positive and negative test, it no longer needs to be
  specified

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7c83a760 by Alexey Tikhonov at 2024-07-27T13:39:39+02:00
SPEC: add new systemtap-sdt-dtrace to build deps

This is to upstream
https://src.fedoraproject.org/rpms/sssd/c/7e881a77172944535eb20a1f3ba1c5b4441d18d4

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc000fa6 by Jakub Vávra at 2024-07-29T11:29:39+02:00
tests: Add fallback log directory for custom_log.py

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
4d1c4d7f by Dan Lavu at 2024-07-29T16:12:05+02:00
tests: housekeeping - test_failover.py

* extended the test to the generic provider
* added assertion error messages
* improved some grammar and word choice

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e4ae4d61 by Alexey Tikhonov at 2024-07-30T19:31:30+02:00
BUILD: configure logrotate to work with non-root-group writable folder

Otherwise logrotate complains:
```
error: skipping "/var/log/sssd/sssd_kcm.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
```

See https://bugzilla.redhat.com/show_bug.cgi?id=2299733 for details

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a7d0bbeb by Alexey Tikhonov at 2024-08-01T17:15:48+02:00
SPEC: merge 'sssd-polkit-rules' into 'sssd-common'

'p11_child' runs under non-privileged user and thus requires
polkit-rules by default.

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c3ce4bc1 by Dan Lavu at 2024-08-02T11:55:59+02:00
tests: remove multihost basic tests

* test_ifp.py tests are now covered in system/test_infopipe.py
* test_kcm.py tests are now covered in system/test_kdm.py and
  authselect/system/test_sssd.py , the functional credential delegation
** a functional test has been added to the test plan
* test_ldapapi.py tests are low priority with a larger effort to move.
** test configures ldap, using the 389 slapd file for its URI, this
test can only be performed on a server and does not offer much value.
this test has been added to the test plan and will be re-implemented if
approved.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
d213e59c by Pavel Březina at 2024-08-02T14:55:04+02:00
tests: update the tests to work with latest pytest-mh

Latest version added an option to replace SSH connections with podman
or docker, therefore a generic interface was created. Most notably,
`host.ssh` was replaced with `host.conn`.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8e59f770 by Pavel Březina at 2024-08-02T14:55:04+02:00
tests: use podman instead of ssh to speed up in PR CI

We can now use podman instead of ssh to run commands on the host. This
is quite a bit faster, so we can benefit from it in PR CI.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
21623177 by Madhuri Upadhye at 2024-08-02T15:42:28+02:00
Test: housekeeping: test_sss_ssh_knownhosts.py => test_ipa.py

Update the docstring of each test.
Update the test case method name.
Added assertion error messages on failures.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
ec7a80f9 by Alexey Tikhonov at 2024-08-06T13:44:21+02:00
CI: capture full 'config.log' from ./configure

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
ccdee004 by Pavel Březina at 2024-08-08T16:19:45+02:00
tests: stabilize test_sudo__refresh_random_offset

This test was previously unstable, since it is possible that the
contents of the log file were not yet fully written to the disk.
We need to stop SSSD to ensure that all logs are flushed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b9a279b4 by Pavel Březina at 2024-08-08T16:19:45+02:00
ci: switch back to ssh connections in system tests

We have switched to podman connection to run the tests faster.
However, even though podman is approximately twice as fast in
local run with recent podman version, it is quite slower in
PR CI.

Further, the podman and related components available in
Github Ubuntu runners are quite outdated and they still have some
issues. We were often hitting a bug where `podman exec` would yield
incomplete stdout.

See: https://github.com/containers/podman/issues/9096

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
fcda45b0 by Dan Lavu at 2024-08-08T20:38:55+02:00
tests: housekeeping - schema

housekeeping, the following is looked at and may have been done:

* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases
* added error messages to assertions

Notable changes:

* added integration marker
* moved schema tests to cache
* renamed schema test names

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
33fdf759 by Jakub Vávra at 2024-08-19T07:42:00+02:00
tests: change parameters for pytest.mark.flaky to max_runs

Old python automation was using the pytest-rerunfailures plugin
providing pytest.mark.flaky with different parameters than flaky.
Now we have both in idmci and flaky takes precedence, so we need
to use max_runs instead of reruns.

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
3bc526eb by Dominika Borges at 2024-08-19T09:31:21+02:00
doc: improve ad_access_filter option

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
78cf0cf2 by Alexey Tikhonov at 2024-08-19T15:17:14+02:00
TESTS: don't use deprecated 'sssd.conf::user' option

Use 'sssd.service::User' option instead.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
0728b2fd by Alexey Tikhonov at 2024-08-19T15:17:14+02:00
TESTS: passkey: force 'root' service user

Passkey tests still don't work when SSSD runs under 'sssd' user.
Configure SSSD to run under 'root' explicitly instead of skipping tests.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
4fc351ca by Dan Lavu at 2024-08-20T08:04:13+02:00
tests: fixing test step language

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
edb35afc by Dan Lavu at 2024-08-20T12:51:15+02:00
tests: housekeeping, test_identity.py

housekeeping, the following is looked at and may have been done:
* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases

notable changes:
* auto_private_group tests reworked, adding two more test cases

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
34cd828d by Dan Lavu at 2024-08-20T19:19:30+02:00
tests: updating gpo test case to test all auto_private_group values

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5339573f by Jakub Vavra at 2024-08-22T07:35:08+02:00
Tests: Add test for bz 1913284 keytab permission denied

sssd status shows error "krb5_kt_start_seq_get failed: Permission denied" when running as unprivileged user 'sssd'

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
b26b32de by Alexey Tikhonov at 2024-08-22T12:06:59+02:00
Unit tests: use ".invalid" domain name for OCSP responder

to make DNS lookup fail faster.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
72232cc1 by Pavel Březina at 2024-08-26T10:48:40+02:00
tests: add topology marker back to test_ldap__password_change_using_ppolicy

This was accidentally removed by
8c19d7b6f0cf392cb4fa266a5933d4eebbb17090

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c006b88d by Pavel Březina at 2024-08-26T10:48:40+02:00
tests: avoid skipif in the system tests for feature detection

@pytest.mark.skipif condition parameter only takes expressions that
evaluate to a boolean or a string that is eval'd by pytest. This happens
way before the role objects are instantiated and it does not work.

These lambda functions are not executed at all (and can not be
executed because pytest does not support that). The reference to a
function is just evaluated to True therefore the test is always skipped.

This was broken by
4e95d6f6c1bdd90bd1ca666fa2989bcda443f0a4

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
0d07b498 by Jakub Vávra at 2024-08-27T10:22:55+02:00
tests: Update code handling systemd-resolved for F42.

Systemd-resolved changed the configuration file location, so we need to handle both
file locations. We need to set AD as nameserver for the client to join the realm.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
6f8bc2be by Jakub Vávra at 2024-08-27T10:22:55+02:00
tests: Add sssd.log when sssd does not start.

The sssd.log might come in useful when debugging why sssd did not start.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
6dec9f7c by aborah at 2024-08-27T14:52:23+02:00
Tests: Port ipa/test_authentication_indicators to new test framework

https://github.com/SSSD/sssd/blob/master/src/tests/multihost/ipa/test_misc.py#L258

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9e6ca53a by Madhuri Upadhye at 2024-08-28T12:06:46+02:00
Tests: Remove converted test cases

Delete the already converted test cases to new test case
framework.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
f4bf66d0 by Madhuri Upadhye at 2024-08-28T12:06:46+02:00
Tests: Force delete of local user

Add -f to force delete the local user.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
0f351c2b by Kaushik Banerjee at 2024-09-02T06:53:56+02:00
Tests: Restart systemd-journald instead of stop/start

systemd-journald service by default is in running state.
The tests should restart the service after modifying configurations.

Signed-off-by: Kaushik Banerjee <kbanerje at redhat.com>

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
7067b579 by Kaushik Banerjee at 2024-09-02T11:47:42+02:00
Tests: Disable journald rate limiting during alltests pytest session

Logging was paused as the journald rate limit was reached.
Disable rate limiting during the alltests pytest session.

Signed-off-by: Kaushik Banerjee <kbanerje at redhat.com>

Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
39ecf47a by Kaushik Banerjee at 2024-09-03T09:03:36+02:00
Tests: Move journald rate disable to common/fixtures.py

Disabling journald rate limit was limited to alltests/conftest.py
Moving it to common/fixtures.py will cover all the tests.

Signed-off-by: Kaushik Banerjee <kbanerje at redhat.com>

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
e5140ab0 by Alexey Tikhonov at 2024-09-03T10:02:40+02:00
BUILD: drop support of '--without-infopipe' ./configure option

:relnote: Support of '--without-infopipe' ./configure option was dropped.
The feature has long been out of the experimental state. Since building it doesn't
require any additional dependencies, there is not much sense in keeping the
option available. Those not interested in the feature can skip installing the
sssd-ifp sub-package.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c58f071b by Kaushik Banerjee at 2024-09-04T10:47:36+02:00
man: Use c_rehash instead of deprecated cacertdir_rehash

cacertdir_rehash was deprecated when authconfig was migrated to
authselect. Use openssl rehash or c_rehash instead.

Signed-off-by: Kaushik Banerjee <kbanerje at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f05bd34e by Ondrej Valousek at 2024-09-04T10:48:22+02:00
AD provider: Read sAMAccountName attribute unconditionally

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7a27e539 by Ondrej Valousek at 2024-09-04T10:48:22+02:00
AD: Construct UPN from the sAMAccountName

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
14d7796a by Dan Lavu at 2024-09-04T10:48:56+02:00
tests: housekeeping - sss_override

housekeeping, the following is looked at and may have been done:

* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases

notable changes:

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
77c913f7 by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS/LOGS: remove redundant check

Check for 'root' is performed in sss_tool_main() -> ... -> tool_cmd_init()

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
54a1e917 by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
SYSDB: mistype fix

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c65d99ca by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
sssctl: remove unneeded include

Not needed since 5b93634c7f0e34f69b4cf8fb9b2e77b9179024a7

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
dbbdd039 by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
sssctl: mark internal function as static

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e6cf9e4b by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: removed `sss_route_cmd::handles_init_err`

It's not used since 0d686b5d71848dce7757cadc4e67ad6b95b34355

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f825fecb by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: cache-expire: skip init and root-check

This is merely a wrapper around `sss_cache` that performs needed
operations / checks internally.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
61813cdf by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: cache-remove: skip init

`sssctl_cache_remove()` doesn't use `sss_tool_ctx` so no need to
initialize it.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
620fed16 by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: client-data-backup: skip init and root-check

This is merely a wrapper around `sss_override` that performs needed
operations / checks internally.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0d099538 by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: client-data-restore: skip init

`sssctl_client_data_restore()` doesn't use `sss_tool_ctx` so no need to
initialize it.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3621a587 by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: mistype fix

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3dcc17bb by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: logs-fetch: skip init

`sssctl_logs_fetch()` doesn't use `sss_tool_ctx` so no need to
initialize it.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
59e5037d by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: logs-remove: skip init

`sssctl_logs_remove()` doesn't use `sss_tool_ctx` so no need to
initialize it.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
09cf1a9a by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: sssctl_wrap_command(): remove unneeded args

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a5897933 by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: get rid of unused `void *pvt`

in the chain `sss_tool_main()` -> ... -> end functions.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
97a8d9ff by Alexey Tikhonov at 2024-09-05T10:00:13+02:00
TOOLS: cache-index: skip init

`sssctl_cache_index()` doesn't use `sss_tool_ctx` so no need to
initialize it.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f86fb707 by Alexey Tikhonov at 2024-09-05T20:47:28+02:00
sss_cache: remove a crutch

 - this thing is clumsy and just doesn't work (as reported by bootc project);
 - shadow-utils/SSSD integration goes away anyway on those rare platforms where
   it was enabled because 'files provider' went away;
 - finally, in general it's weird to condition sss_cache operability on a variable
   that sounds like "systemd doesn't run". There is no guarantee that this variable
   is only set by 'rpm-ostree' and won't break things in other situations.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
432f280a by Alexey Tikhonov at 2024-09-05T20:48:04+02:00
TOOLS: skip confdb_init if no context ptr provided

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
14d4e01d by Alexey Tikhonov at 2024-09-05T20:48:04+02:00
TOOLS: get rid of code duplication

Note that this also enforces the check for existence of config.ldb in additional
code paths (this is an intentional side effect, see a008accecd6d0b35e8d57d738ee3d05863aa7d0f)

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
50b45794 by Alexey Tikhonov at 2024-09-05T20:48:04+02:00
TOOLS: use `sss_tool_confdb_init()` everywhere

Take note that this also enforces a check for the existence of config.ldb in additional
code paths (this is an intentional side effect, see a008accecd6d0b35e8d57d738ee3d05863aa7d0f)

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
604be8d1 by Alexey Tikhonov at 2024-09-05T20:48:04+02:00
CONFDB: move sanity check

closer to a place where argument is really used

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0be58a26 by Dan Lavu at 2024-09-11T11:32:14+02:00
tests - housekeeping - logging

housekeeping, the following is looked at and may have been done:

* fixed typos and standardized formatting
* renamed test cases to improve the clarity of what the test does
* improved docstring language, setup, steps and expected results
* synced code with the docstring order
* removed necessary configuration relevant to the test
* added pytest.mark.importance to test cases
* added error messages to assertions

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
f22c966f by Sumit Bose at 2024-09-13T14:01:58+02:00
LDAP: read ldap_use_ppolicy as boolean

This patch fixes a typo where the ldap_use_ppolicy option is read as int
instead of boolean. This will avoid debug messages like e.g. "Requested
type 'Number' for option 'ldap_use_ppolicy' but value is of type
'Boolean'!"

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
c0c46bf6 by Alexey Tikhonov at 2024-09-13T14:03:12+02:00
SPEC: don't fail uninstallation if 'alternatives' fails

This is seen on rpm-ostree based system during uninstall:
```
Running scriptlet: sssd-client-2.9.5-4.el9.x86_64 9/9
admindir /var/lib/alternatives invalid
error: %preun(sssd-client-2.9.5-4.el9.x86_64) scriptlet failed, exit status 2
```

This should be fixed by https://github.com/fedora-sysv/chkconfig/pull/135
but let's avoid hard failing here anyway.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2dae1f64 by Alexey Tikhonov at 2024-09-13T14:03:12+02:00
SYSTEMD: chown all artifacts at startup

The main reason for this is compatibility with rpm-ostree based
systems where rpm post install scriptlets aren't run on an
actual system.

In general this looks like an unneeded overhead since ownership
can be only wrong after upgrade from sssd-2.9- to sssd-2.10+

But this appears to be most simple solution atm and from practical
point of view the main issue is merely a clutter in service files.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a3311402 by Sumit Bose at 2024-09-13T14:23:34+02:00
oidc_child: use CURLOPT_PROTOCOLS_STR if available

Since curl version 7.85.0 CURLOPT_PROTOCOLS is deprecated and should be
replaced by CURLOPT_PROTOCOLS_STR.

Resolves: https://github.com/SSSD/sssd/issues/6922

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fb8aa35f by Alexey Tikhonov at 2024-09-16T13:28:54+02:00
SYSDB: drop the code that upgrades from v < 15

It's reasonable to expect that nobody will attempt an upgrade
from DB version older than "0.16" (sssd-1.12) to "0.25"+

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
842dbbbb by Alexey Tikhonov at 2024-09-16T13:28:54+02:00
SYSDB: only monitor (and tests) should create cache files

Everything else (providers, responders, tools) should only connect to.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0aab0b18 by Alexey Tikhonov at 2024-09-16T13:28:54+02:00
SYSDB: removed unused define

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
97571b16 by Dan Lavu at 2024-09-17T10:03:24+02:00
tests: removing intg/test_confdb.py

These tests are covered by test_sssctl.py

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
e442fdf7 by Dan Lavu at 2024-09-17T12:03:17+02:00
tests: removing intg/test_files_ops.py

These test the user/remove functions and can be dropped.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f83ea91a by Alexey Tikhonov at 2024-09-17T17:03:09+02:00
SYSTEMD: shell expansion of * doesn't work in ExecStartPre

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
43cfcfee by Alexey Tikhonov at 2024-09-18T16:33:44+02:00
SPEC: build C9S '--with-files-provider'

to match downstream

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
ff1d8b76 by Alexey Tikhonov at 2024-09-18T16:33:44+02:00
SPEC: build C9S '--with-extended-enumeration-support'

to match downstream

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
c6298682 by Alexey Tikhonov at 2024-09-18T16:33:44+02:00
SPEC: build C9S '--with-ssh-known-hosts-proxy'

to match downstream

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
41dfdccc by Alexey Tikhonov at 2024-09-18T16:35:06+02:00
RESOLV: removed unused argument

`resolv_gethostbyname_dns_parse()` didn't use `status` and it was
always set to `ARES_SUCCESS` anyway.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8227599e by Alexey Tikhonov at 2024-09-18T16:35:06+02:00
RESOLV: suppress deprecation warnings

In theory new API might be somewhat better.

But:

1) it's fairly new: `ares_search_dnsrec()` and `ares_query_dnsrec()`
were introduced in c-ares-1.28 while even CentOS Stream 10 has
c-ares-1.25, so SSSD would need to support (fallback) old API anyway.

2) SSSD doesn't make heavy use of DNS, so potential performance
improvements are really negligible.

On the other hand, old API/ABI will be available for a long time:
https://github.com/c-ares/c-ares/pull/732#issuecomment-2028454381

For those reasons it's not worth the effort to port code to new API
right now.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0e836edc by Sumit Bose at 2024-09-18T16:37:34+02:00
cert util: replace deprecated OpenSSL calls

In OpenSSL 3.0 some of the calls we currently use in the utility
functions to convert the public key from a X.509 certificate into an ssh
public key got deprecated. This patch replaces them if OpenSSL 3.0 or
newer is used.

In contrast to the older calls which just returned references the new
calls return the requested data in freshly allocated memory. To keep
it consistent the data referenced by the old calls are copied into
allocated memory as well.

Resolves: https://github.com/SSSD/sssd/issues/5861

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
a86ee649 by Alexey Tikhonov at 2024-09-20T11:13:26+02:00
Require OpenSSL >= 1.0.1

:packaging:Support of OpenSSL older than 1.0.1 was dropped

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
67ba42c4 by Sumit Bose at 2024-09-20T11:15:57+02:00
pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to 'false'.

The krb5 backend will only return that Smartcard authentication is
available if a Smartcard is present. That means if the user
authenticates with a different method and a Smartcard is not present at
this time 'sc_allow' will be 'false' and might overwrite a 'true' value
written during a previous authentication attempt where a Smartcard was
present. To avoid this we only write 'true' values. Since the default if
SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard
authentication (offline) will still only be enabled if online Smartcard
authentication was detected.

Resolves: https://github.com/SSSD/sssd/issues/7532

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
69f63f1f by Sumit Bose at 2024-09-24T10:32:03+02:00
sdap: allow to provide user_map when looking up group memberships

To allow looking up group memberships of other objects similar to user
objects but with different attribute mappings, e.g. host objects in AD,
a new option to provide an alternative attribute map is added.

Resolves: https://github.com/SSSD/sssd/issues/7590

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5f5077ac by Sumit Bose at 2024-09-24T10:32:03+02:00
ad: use default user_map when looking up host groups for GPO

Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.

Resolves: https://github.com/SSSD/sssd/issues/7590

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f6ad1828 by Alexey Tikhonov at 2024-09-25T15:13:11+02:00
SYSTEMD: chown gpo-cache as well

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
823d7870 by Alejandro López at 2024-09-25T15:15:45+02:00
SSH: sss_ssh_knownhosts must accept port numbers

sss_ssh_knownhosts was only accepting a hostname or IP address, but no
port number. Because token %H of ssh(1) could pass a port number, it
must be accepted.

The %H token can provide the hostname and port number in the
following format:

hostname
canonical.host.name
IP-address
[hostname]:port
[canonical.host.name]:port
[IP-address]:port

The port is specified only when a non-default port is used.

Identifiers without the brackets are also recognized in case a user
invokes the tool directly.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

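As an added example (not code from the SSSD project), this parser accepts the `%H` token formats listed in the commit above: a bare hostname, canonical name or IP address, and the bracketed `[identifier]:port` form used when a non-default port is in play. The function names and the `port == 0` convention for "default port" are assumptions made here for illustration; the sample tokens are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 256

/* Parsed form of a %H-style token. port == 0 means "default port". */
struct host_port {
    char host[HOST_MAX];
    unsigned int port;
};

/*
 * Parse "hostname", "canonical.host.name", "IP-address" or
 * "[identifier]:port". Returns 0 on success, -1 on malformed input.
 * Anything that does not start with '[' is taken as the host verbatim,
 * which also keeps bare IPv6 addresses (they contain ':') intact.
 */
int parse_host_token(const char *token, struct host_port *out)
{
    const char *close;
    const char *digits;
    size_t host_len;
    unsigned long port;

    if (token == NULL || out == NULL || token[0] == '\0') {
        return -1;
    }
    memset(out, 0, sizeof(*out));

    if (token[0] != '[') {
        /* Unbracketed identifier: no port, must not contain a stray ']' */
        if (strchr(token, ']') != NULL || strlen(token) >= HOST_MAX) {
            return -1;
        }
        strcpy(out->host, token);
        return 0;
    }

    /* Bracketed identifier: "[host]:port", port is mandatory here */
    close = strchr(token, ']');
    if (close == NULL) {
        return -1;
    }
    host_len = (size_t)(close - token) - 1;
    if (host_len == 0 || host_len >= HOST_MAX) {
        return -1;
    }
    if (close[1] != ':' || close[2] == '\0') {
        return -1;
    }
    digits = close + 2;
    /* Accept at most 5 decimal digits so strtoul cannot silently wrap */
    if (strlen(digits) > 5 || strspn(digits, "0123456789") != strlen(digits)) {
        return -1;
    }
    port = strtoul(digits, NULL, 10);
    if (port < 1 || port > 65535) {
        return -1;
    }

    memcpy(out->host, token + 1, host_len);
    out->host[host_len] = '\0';
    out->port = (unsigned int)port;
    return 0;
}

/* Convenience check: does token parse to exactly (host, port)? */
bool token_parses_to(const char *token, const char *host, unsigned int port)
{
    struct host_port hp;

    if (parse_host_token(token, &hp) != 0) {
        return false;
    }
    return strcmp(hp.host, host) == 0 && hp.port == port;
}

/* Convenience check: is token rejected by the parser? */
bool token_is_rejected(const char *token)
{
    struct host_port hp;
    return parse_host_token(token, &hp) != 0;
}

int main(void)
{
    /* Constructed sample tokens, one per documented format plus bad input */
    const char *samples[] = {
        "server", "server.example.test", "192.0.2.10",
        "[server]:2222", "[server.example.test]:2022", "[192.0.2.10]:2222",
        "[server]", "[server]:", "[server]:0", "[server]:70000",
    };
    struct host_port hp;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (parse_host_token(samples[i], &hp) == 0) {
            printf("%-28s -> host=%s port=%u\n", samples[i], hp.host, hp.port);
        } else {
            printf("%-28s -> rejected\n", samples[i]);
        }
    }
    return 0;
}
```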
- - - - -
0330ebeb by Alexey Tikhonov at 2024-09-27T13:33:14+02:00
CLIENT:PAM: replace deprecated `_pam_overwrite`

with `sss_erase_mem_securely()`

Resolves: https://github.com/SSSD/sssd/issues/7606

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
312e0eba by Alexey Tikhonov at 2024-09-27T13:33:14+02:00
Revert "ci: allow deprecated functions during build"

This reverts commit ef014b8b293ca7859dc8c30db4cdcfa343c3c477.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
10bf7ab4 by Alexey Tikhonov at 2024-09-27T17:38:01+02:00
SPEC: use '/run/sssd' as a home dir for 'sssd' user

even if 'sssd.sysusers' aren't used.
Practically this is only important for C9S, since C10S and
modern Fedora versions do use 'sssd.sysusers'

Also use `usermod` to update home dir in case user already exists.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ef2a6185 by Dan Lavu at 2024-09-30T12:18:21+02:00
tests: improving gpo tests to be run against ad and samba

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
39856247 by Alexey Tikhonov at 2024-10-01T09:13:53+02:00
CLIENT:PAM: avoid NULL deref

This is hardly possible in the wild but should fix a Coverity
complaint.

Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
60f282d2 by Alexey Tikhonov at 2024-10-01T19:09:57+02:00
SPEC: keep 'sssd-polkit-rules' on RHEL9

this partially reverts a7d0bbeb5a8a41e80fec91d7d38b5dcb35eebe8f

 - RHEL9 will keep default value of service user set to 'root',
   so polkit rules shouldn't be needed by default

 - it's undesirable to remove sub-package within a major release

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cb931967 by xuraoqing at 2024-10-01T19:15:19+02:00
fixed memory leak due to using popt incorrectly

Signed-off-by: xuraoqing <xuraoqing at huawei.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3a644161 by Justin Stephenson at 2024-10-01T20:26:17+02:00
sdap: Log hint for ignore unreadable references

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b1bee78d by Dan Lavu at 2024-10-01T20:28:21+02:00
tests: removing intg/test_sudo.py

These two tests are covered by system/tests/test_sudo.py

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4295e003 by Dan Lavu at 2024-10-01T20:30:01+02:00
tests: removing intg/test_kcm.py

These tests are covered by system/test_kcm.py

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>

- - - - -
b4bca982 by Pavel Březina at 2024-10-04T13:55:42+02:00
make_srpm: fallback to tar if git archive fails

All copr builds are currently failing due to:
https://github.com/fedora-copr/copr/issues/3421

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8be21725 by Pavel Březina at 2024-10-07T20:06:51+02:00
conf: remove unused reconnection_retries

This option is no longer used since 9f8551a195cddc9ac898b90610be5fb30a16f4e4

Resolves: https://github.com/SSSD/sssd/issues/7502

:config: Option `reconnection_retries` was removed since it is no longer
  used. SSSD switched to a new architecture of internal IPC between SSSD
  processes where responders do not connect to the backend anymore and
  therefore this option is no longer used.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
1c91ea05 by Alejandro López at 2024-10-09T10:04:02+02:00
MONITOR: Link DbusConnection and sbus_connection

Although related, the DbusConnection and its associated sbus_connection
had no link in the logs. We had this:

```
[sbus_server_new_connection] (0x0200): Adding connection 0x11fe700.
...
[sbus_server_bus_hello] (0x4000): Assigning unique name :1.3 to connection 0x11e4a90
```

Now we have:
```
[sbus_server_new_connection] (0x0200): New dbus connection 0x11fe700.
...
[sbus_server_new_connection] (0x0200): Adding sbus connection 0x11e4a90.
...
[sbus_server_bus_hello] (0x4000): Assigning unique name :1.3 to connection 0x11e4a90
```

This allows establishing the relationship between them: the new
sbus connection is associated with the preceding dbus connection. Both
messages are logged by the same function.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e0ec488c by Alejandro López at 2024-10-09T10:04:02+02:00
MONITOR: Set destructor for the right connection

When the monitor receives a `sssd.monitor.RegisterService` D-Bus method,
it is received on the listening connection and not on the client's
connection. Because of this, the destructor is set to the listening
connection (taken from the sbus_request) instead of the client
connection.

The client connection can be retrieved by searching for it by the sender's
name in the `sbus_server` accessible from the `mt_ctx`, to set the
destructor on the correct connection in the function
`monitor_sbus_RegisterService()`.

Resolves: https://github.com/SSSD/sssd/issues/6897

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
263cb2e7 by Pavel Březina at 2024-10-09T10:05:33+02:00
sbus: terminate ongoing chained requests if backend is restarted

If there is an outgoing request already chained and backend is
restarted, a new outgoing request is chained but not processed,
it waits for a timeout.

This patch makes sure that all outgoing requests are gracefully
terminated if backend restarts.

Resolves: https://github.com/SSSD/sssd/issues/7503

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
c1434c1a by Pavel Raiskup at 2024-10-14T11:24:43+02:00
rpm: drop the --remote argument from git-archive call

It seems that current (autumn 2024) git releases somehow dislike
the use of `--remote=file://` when it applies the [safe] directory
checks.  The option doesn't seem to be useful though, so let's drop
it to fix the Copr builds.

Relates: https://github.com/fedora-copr/copr/issues/3421

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
17c37e44 by Jakub Vávra at 2024-10-14T11:25:47+02:00
tests: Update ldap test to use journal utility.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
36d82892 by Samuel Cabrero at 2024-10-14T11:26:24+02:00
BE: Maintain the list of periodic tasks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
423e5b93 by Samuel Cabrero at 2024-10-14T11:26:24+02:00
WATCHDOG: Use a constant instead of the signal name

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fae131ad by Samuel Cabrero at 2024-10-14T11:26:24+02:00
WATCHDOG: Send SIGRTMIN+1 signal when clock shift is detected

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
07ce89e1 by Samuel Cabrero at 2024-10-14T11:26:24+02:00
BE: Handle SIGRTMIN+1 signal to reschedule periodic tasks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fdf7e75c by Samuel Cabrero at 2024-10-14T11:26:25+02:00
MAN: Document SIGRTMIN+1 signal usage

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c9026bf0 by Alexey Tikhonov at 2024-10-14T11:47:32+02:00
Move 'nscd' helper functions out of 'utils'

as it's not used anywhere outside 'monitor'.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7f0f5a6c by Alexey Tikhonov at 2024-10-14T11:47:32+02:00
CONFDB: introduce helper to read a full list of configured services,

including implicitly configured

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
28bb1467 by Alexey Tikhonov at 2024-10-14T11:47:32+02:00
IFP: use new helper to retrieve services list

This still won't handle socket activated services, but should
take care of implicitly configured services at least.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
59c48f7d by Alexey Tikhonov at 2024-10-14T11:47:32+02:00
socket_activated_responders: check confdb

(instead of sssd.conf) using new helper to take into
account implicitly configured services.

Resolves: https://github.com/SSSD/sssd/issues/5013

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
32e7616e by Alexey Tikhonov at 2024-10-14T11:47:32+02:00
socket_activated_responders: log to syslog instead of stdout

Otherwise logs of 'ExecStartPre' command are lost.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
272ee81b by Alexey Tikhonov at 2024-10-14T11:47:33+02:00
TESTS:INTG: 'implicit files domain' not supported

since 501e05f46252ba6e097983a871c92b3896b596f2

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dbf47635 by Alexey Tikhonov at 2024-10-14T11:47:33+02:00
CONFDB: don't hard fail in add_implicit_services()

if no explicitly configured domains found.

There might be 'enable_files_domain = true' or app domains that
are expanded later.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9bb7b920 by Alexey Tikhonov at 2024-10-14T11:47:33+02:00
CONFDB: mistype fix

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c265745f by Weblate at 2024-10-15T11:25:03+02:00
po: update translations

(Swedish) currently translated at 100.0% (2790 of 2790 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Czech) currently translated at 6.3% (177 of 2790 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/

po: update translations

(French) currently translated at 100.0% (748 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Swedish) currently translated at 99.5% (2777 of 2790 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 99.5% (2777 of 2790 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 99.4% (2775 of 2790 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 99.4% (2775 of 2790 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 99.0% (2764 of 2790 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (748 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Swedish) currently translated at 94.5% (707 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Swedish) currently translated at 94.5% (707 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(French) currently translated at 93.7% (701 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Russian) currently translated at 100.0% (2792 of 2792 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (2792 of 2792 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Spanish) currently translated at 82.3% (616 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Ukrainian) currently translated at 100.0% (2792 of 2792 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Ukrainian) currently translated at 100.0% (748 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Russian) currently translated at 100.0% (748 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(French) currently translated at 93.1% (697 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Turkish) currently translated at 100.0% (748 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Czech) currently translated at 93.4% (699 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Russian) currently translated at 100.0% (2789 of 2789 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 100.0% (748 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Czech) currently translated at 92.9% (695 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Czech) currently translated at 91.9% (688 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Georgian) currently translated at 14.0% (105 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Georgian) currently translated at 13.7% (103 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Georgian) currently translated at 13.7% (103 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ka/

po: update translations

(Czech) currently translated at 91.7% (686 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/

po: update translations

(Korean) currently translated at 94.7% (709 of 748 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Ukrainian) currently translated at 100.0% (2789 of 2789 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Korean) currently translated at 66.6% (1712 of 2569 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Ukrainian) currently translated at 99.8% (2784 of 2789 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Korean) currently translated at 66.4% (1712 of 2577 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

- - - - -
f09a66ca by Elena Mishina at 2024-10-15T11:25:03+02:00
po: update translations

(Russian) currently translated at 100.0% (2792 of 2792 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

- - - - -
2eef90a0 by Pavel Březina at 2024-10-15T11:46:02+02:00
po: fix sv language

- - - - -
6ec5aa0d by Pavel Březina at 2024-10-15T11:46:02+02:00
pot: update pot files

- - - - -
217b3fad by Pavel Březina at 2024-10-15T11:46:02+02:00
Release sssd-2.10.0

- - - - -
f990b0ff by Dan Lavu at 2024-10-15T15:22:03+02:00
tests: rm intg/test_sss_cache.py

* this test is indirectly tested by several tests

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 934ae04e1387043fc0ac673ec6cf853724e15394)

- - - - -
d523261c by Sumit Bose at 2024-10-15T15:24:11+02:00
ldap: add 'exop_force' value for ldap_pwmodify_mode

In case the LDAP server allows running the extended operation to change a
password even if an authenticated bind fails due to missing grace logins,
the new option 'exop_force' can be used to run the extended operation to
change the password anyway.

:config: Added `exop_force` value for configuration option
  `ldap_pwmodify_mode`. This can be used to force a password change even
  if no grace logins are left. Depending on the configuration of the
  LDAP server it might be expected that the password change will fail.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 7184541976608d357a5da48d09a7fa08862477d8)

- - - - -
e609bb6d by Sumit Bose at 2024-10-15T15:24:11+02:00
tests: add 'exop_force' tests

The new value for the ldap_pwmodify_mode option 'exop_force' is added to
an existing test. A new test to illustrate the different behavior of 'exop'
and 'exop_force' is added.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit deefe9ad82e8e0057aa77ea5be60a86d223900da)

- - - - -
2eec5ebb by Madhuri Upadhye at 2024-10-15T15:29:07+02:00
Test: Passkey test cases with different auth_methods

Added the following test cases:
1. Check authentication of user with IPA server when
no pin is set for the Passkey.
2. Check authentication of user with updated prompting
options.
3. Check password authentication of user with IPA server
when sssd falls back to password authentication.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 94e47c5ce9b06b0ce8e527607c3e1e221e823841)

- - - - -
f3c985ca by Jakub Vávra at 2024-10-17T11:16:46+02:00
Tests: Add missing returncode to test_0004_bz1638295

Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit 4a7ab02d893a0e98b72bf711db126abfb4324ee9)

- - - - -
78b1081e by Alexey Tikhonov at 2024-10-17T17:36:02+02:00
When using SPDX expression the booleans must be in all caps.

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit cbe3b03472a678b9a8470b3e3a0e08655808e06d)

- - - - -
d75d2fe9 by Alexey Tikhonov at 2024-10-17T17:41:00+02:00
Get rid of in-house MIN/MAX definitions

This matches approach already taken in sss_client/idmap/sss_nss_ex.c

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b928dbe1fcb6cf4b7acbd97d3df9514d5c554953)

- - - - -
8a085c52 by Jakub Vávra at 2024-10-18T09:22:46+02:00
tests: Unify packages available on client for ipa suites

This is needed to detect sssd NVR for idmci.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit ed666e9fa8d5be66700d69186c2edb350df5816f)

- - - - -
1984036b by Jan Engelhardt at 2024-10-21T18:40:57+02:00
build: remove superfluous WITH_IFP leftover

```
$ autoreconf && configure
...
./configure: line 18674: WITH_IFP: command not found
```

Fixes: 2.10.0-beta2-63-ge5140ab08

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit a2e91d20fc876f7c976623ecd6f6fb282c2d406c)

- - - - -
0229f419 by Scott Poore at 2024-10-21T18:41:47+02:00
man: sssd.conf update defaults for certmap maprule

The sssd.conf man page lists that the maprule RULE_NAME is used to match
a username.  However, this is conditional when built with the files
provider.  This change states that unconditionally in the maprule
defaults and states that it applies to both the files and proxy
providers.

Signed-off-by: Scott Poore <spoore at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 510130e844785b5ab7cb8415b1eb326d85360feb)

- - - - -
1a743a41 by Jan Engelhardt at 2024-10-21T18:42:56+02:00
sssd: always print path when config object is rejected

Observed:

```
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
```

Expected:

_Well yes, but **which one**_!?

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)

- - - - -
8adf0cc4 by santeri3700 at 2024-10-21T18:44:35+02:00
ad: honor ad_use_ldaps setting with ad_machine_pw_renewal

The value of ad_use_ldaps was not passed as `--use-ldaps`
argument to the adcli update command which handles
the automatic renewal of AD machine account password.

Resolves: https://github.com/SSSD/sssd/issues/7642

Signed-off-by: santeri3700 <santeri.pikarinen at gmail.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit d004e7b4b977da3dd9f1d3de910c28c093a6fb26)

- - - - -
05ceef32 by Yaakov Selkowitz at 2024-10-23T14:34:57+02:00
SPEC: require systemtap-sdt-dtrace on ELN

ELN (the future RHEL 11) tracks rawhide and therefore also includes a systemtap with a separate dtrace subpackage.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 6b2219015f6b9ea547e7a2a4ff57d0c06a66f47d)

- - - - -
6b0f92b6 by Tomas Halman at 2024-10-23T14:35:26+02:00
Missing 'dns_update_per_family' option

This update fixes the missing 'dns_update_per_family' option in the python code
and config files.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit a822206c7859b5f39af2b2ea1b117850a0589e3c)

- - - - -
62fac0be by Jan Engelhardt at 2024-10-23T14:36:07+02:00
build: unbreak detection for x400Address

Observed:

```
./configure CFLAGS="-O0 -D_FORTIFY_SOURCE=3"
…
checking whether OpenSSL's x400Address is ASN1_STRING... no
configure: WARNING: OpenSSL's x400Address is not of ASN1_STRING type
```

Expected:

```
checking whether OpenSSL's x400Address is ASN1_STRING... yes
```

Relying on warnings alone is terrible; rewrite the C code to provoke a compile
error in all cases. [N.B.: I just noticed that the use of the subtraction
operator is conveniently portable, and one need not use typeof(), which is
merely a language extension prior to C23.]

Fixes: 2.8.0-164-gced32c44e

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 42d1837a87cddfcbeb111cb7a0410e53e1b46cf7)

- - - - -
74b0c4ee by Alexey Tikhonov at 2024-10-23T14:37:13+02:00
DEBUG: add 'debug_backtrace_enable' getter

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit b84ced06c14cd1226f830c6de28ef552f9118385)

- - - - -
8ddfe87d by Alexey Tikhonov at 2024-10-23T14:37:13+02:00
UTILS: simplify / comment a bit better

`prepare_child_argv()`

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2300abbaa148293189ef037e13db37e3d40b3123)

- - - - -
3451786d by Alexey Tikhonov at 2024-10-23T14:37:13+02:00
DEBUG: propagate debug_backtrace_enabled to child processes

Resolves: https://github.com/SSSD/sssd/issues/7510

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 88b55de2805bea63ed384800ff2681374b6d06b7)

- - - - -
09f6d72b by Jan Engelhardt at 2024-10-25T10:57:27+02:00
build: stop overriding CFLAGS

CFLAGS is reserved for the user. configure must finish in an
idempotent state and not touch it, pursuant to automake.info §3.6
"Variables reserved for the user".

Observed:

```
$ ./configure && make CFLAGS=-O1
…
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -Wall -I..
-I./src/sss_client -I./src -I. -I/usr/include/samba-4.0
-I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include
-I/usr/include/libnl3 -DLIBDIR=\"/usr/local/lib\"
-DVARDIR=\"/usr/local/var\" -DRUNDIR=\"/usr/local/var/run\"
-DSSS_STATEDIR=\"/usr/local/var/lib/sss\"
-DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\"
-DSSSDDATADIR=\"/usr/local/share/sssd\"
-DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\"
-DSSSD_CONF_DIR=\"/usr/local/etc/sssd\"
-DSSS_NSS_MCACHE_DIR=\"/usr/local/var/lib/sss/mc\"
-DSSS_NSS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/nss\"
-DSSS_PAM_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pam\"
-DSSS_PAC_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pac\"
-DSSS_SUDO_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/sudo\"
-DSSS_AUTOFS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/autofs\"
-DSSS_SSH_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/ssh\"
-DLOCALEDIR=\"/usr/local/share/locale\"
-DBASE_FILE_STEM=\"libsss_util_la-sysdb_ops\" -Wall -Wshadow
-Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wundef -Werror-implicit-function-declaration
-Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99
-O1 -MT src/db/libsss_util_la-sysdb_ops.lo -MD -MP -MF
src/db/.deps/libsss_util_la-sysdb_ops.Tpo -c src/db/sysdb_ops.c -fPIC
-DPIC -o src/db/.libs/libsss_util_la-sysdb_ops.o
```

Expected:

```
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -Wall -I..
-I./src/sss_client -I./src -I. -I/usr/include/samba-4.0
-I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include
-I/usr/include/libnl3 -DLIBDIR=\"/usr/local/lib\"
-DVARDIR=\"/usr/local/var\" -DRUNDIR=\"/usr/local/var/run\"
-DSSS_STATEDIR=\"/usr/local/var/lib/sss\"
-DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\"
-DSSSDDATADIR=\"/usr/local/share/sssd\"
-DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\"
-DSSSD_CONF_DIR=\"/usr/local/etc/sssd\"
-DSSS_NSS_MCACHE_DIR=\"/usr/local/var/lib/sss/mc\"
-DSSS_NSS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/nss\"
-DSSS_PAM_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pam\"
-DSSS_PAC_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pac\"
-DSSS_SUDO_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/sudo\"
-DSSS_AUTOFS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/autofs\"
-DSSS_SSH_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/ssh\"
-DLOCALEDIR=\"/usr/local/share/locale\"
-DBASE_FILE_STEM=\"libsss_util_la-sysdb_ops\" -Wall -Wshadow
-Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wundef -Werror-implicit-function-declaration
-Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99
-O1 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-MT src/db/libsss_util_la-sysdb_ops.lo -MD -MP -MF
src/db/.deps/libsss_util_la-sysdb_ops.Tpo -c
```

Fixes: sssd-1_3_0-3-g551aa6c36

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 8cdebfcfea58a0a4cb6d1a62b05ce843cde832a2)

- - - - -
90c50928 by Alexey Tikhonov at 2024-11-01T17:40:31+01:00
INI: remove unused helpers

Btw, `sss_ini_get_mtime()` could access uninitialized 'self->cstat'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 30a980384a59c2ddc8fc256502bb02b64775873c)

- - - - -
9007c859 by Alexey Tikhonov at 2024-11-01T17:40:31+01:00
INI: stop using 'libini_config' for access check

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad)

- - - - -
340671f1 by Alexey Tikhonov at 2024-11-01T17:40:31+01:00
INI: relax config files checks

Only make sure:
 - user is root or sssd
 - group is root or sssd
 - other can't access it

Don't make any assumptions wrt user/group read/write-ability.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)

- - - - -
8db2df4f by Alexey Tikhonov at 2024-11-01T17:40:31+01:00
Configuration: make sure /etc/sssd and everything beneath is owned by the 'sssd' group and readable by the group.

This should allow for reasonable rw-r----- root:sssd

At some point those chown/chmod can be removed.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)

- - - - -
dfaf15b1 by Alexey Tikhonov at 2024-11-01T17:40:31+01:00
INI: don't report used snippets in `sss_ini_add_snippets()`

This ends up in the system journal because the logger isn't initialized
yet at this point.

Snippets can still be verified via 'sssctl config-check'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit d7c977092c7a0df60ec627da50c207b07b333228)

- - - - -
65d6e03e by Alexey Tikhonov at 2024-11-01T17:40:31+01:00
SSSCTL: change error message to be more accurate

To avoid misleading reports like in this case:
```
 # sssctl config-check --debug 9
 [sssd] [access_check_file] (0x0020): Unexpected user owner of '/etc/sssd/conf.d/pam.conf': 65534
 Failed to read '/etc/sssd/sssd.conf': File ownership and permissions check failed
```

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 4cc62d457fd38a34bdfc986a620020c98e549cae)

- - - - -
537ce34e by Alexey Tikhonov at 2024-11-01T17:40:31+01:00
INI: add verbose error messages

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 60d369c00528fd0cea257f7720d3d8da252116ce)

- - - - -
42e800e1 by Jan Engelhardt at 2024-11-01T17:41:05+01:00
build: fix spellos in configure.ac

"safe" is the antonym to "unsafe", but it's not like CFLAGS is unsafe.
You really want "saved" here.

Fixes: sssd-1_13_1-169-g6b01dae73

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 93eb0736ecffb77a077a2e9d0879e67d34173c15)

- - - - -
4acd8a3c by Alexey Tikhonov at 2024-11-01T20:29:55+01:00
chown() gpo cache recursively.

If there is something in @gpocachepath@ it will be a directory with the
domain name and in this directory will be the GPO directory hierarchy

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2d0f0480a18aacd35a51b1854736d984d378d84e)

- - - - -
fe729793 by Alejandro López at 2024-11-07T11:06:41+01:00
SSH: sss_ssh_knownhosts must ignore DNS errors

When the DNS cannot resolve the provided hostname, sss_ssh_knownhosts
must not fail.

Instead it should try its best to find it. It will now try to find
the host account in IPA using both the fqdn and serverHostName
attributes (the latter contains the shortname); and using the name and
nameAlias when looking for the host in the cache.

However, the IP address is not (and must not be) stored in the cache
or IPA entries, so this case will not work if the DNS fails to associate
a hostname to the provided IP address. In such a situation, no key
will be retrieved and provided to `ssh`.

Resolves: https://github.com/SSSD/sssd/issues/7664

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 76682050022cba204ec5450f274a6e10a3726943)

- - - - -
be90cc62 by Dan Lavu at 2024-11-07T11:09:05+01:00
tests: adding gpo customer test scenario to use the ldap attribute name

Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3054970e441d4e3a8888922f7ccba30d985a9ce4)

- - - - -
a7196c75 by Justin Stephenson at 2024-11-09T10:45:04+01:00
ipa: Check sudo command threshold correctly

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 7a8da2762897005d854cb91eaf5024986c31f8e7)

- - - - -
cb0a8688 by Alexey Tikhonov at 2024-11-09T10:45:43+01:00
MAN: mistypes fixes

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2d85f89f9505abdb79f2054586a8854672a832e4)

- - - - -
ee47dbca by Sumit Bose at 2024-11-09T10:46:22+01:00
pam_sss: add some missing cleanup calls.

This patch should avoid Coverity warnings like:

./src/sss_client/pam_sss.c:3075:17: alloc_arg: "get_authtok_for_password_change" allocates memory that is stored into "pi.first_factor".
./src/sss_client/pam_sss.c:3090:25: leaked_storage: Variable "pi" going out of scope leaks the storage "pi.first_factor" points to.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2d408edd97342b30761775e84108d605e423f2d3)

- - - - -
cac2e40a by Sumit Bose at 2024-11-12T12:21:20+01:00
subdomains: check when going online

With this patch SSSD will run the sub-domains request, if any, when
switching from offline to online state. Currently only the AD and the
IPA provider provide a sub-domains request. Besides trying to discover
the sub-domains the request will also refresh other domain wide
configurations, e.g. certificate mapping rules in the IPA provider case.
Given that it might not be clear how long the client was offline,
refreshing this data when going online makes sense.

Resolves: https://github.com/SSSD/sssd/issues/7612

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 8571d45b66622b152e1bf04517d573d125895d5a)

- - - - -
c6b9e264 by Dan Lavu at 2024-11-12T12:23:52+01:00
tests: removing intg/ts_cache.py

the following test cases are now covered in system/test_cache.py and
this can be removed.

* fixed assertion writes_to_both_databases tests
* added test detecting modification and deletion for groups
** test is a common user story and functional, changed priority to
critical
* added "integration" test invalidating user, group, netgroup objects

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit be0c232be01b5fe2ffcaecae84980fb1b67ab916)

- - - - -
0ceefae8 by Dan Lavu at 2024-11-12T12:23:52+01:00
tests: converting all the ldb cache tests to use one provider

There is minimal benefit to run these tests against all providers.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit d5b648498a712db4287c0c1050a0bc415ff49948)

- - - - -
65272cfd by Alexey Tikhonov at 2024-11-14T17:31:10+01:00
SPEC: require OpenSSL >= 1.0.1

This is required since a86ee649ac7cd80cfb3c1b50ae728fbf12d1b92a

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 71430f77727fc2262f6c54a453aca587f9d76597)

- - - - -
76ce51d4 by Sumit Bose at 2024-11-14T17:31:54+01:00
ssh: do not use default_domain_suffix

The default_domain_suffix is already handled in the generic cache
request code and the additional enforcement in the ssh responder might
cause issues if fully-qualified names are used as input.

With this change the ssh responder handles request data similar to the
nss responder e.g. in sss_nss_protocol_parse_name().

Resolves: https://github.com/SSSD/sssd/issues/7671

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit ffec45bdbbf9d0e37077a37cba20dcf45b6d7749)

- - - - -
d89edf89 by Sumit Bose at 2024-11-14T17:31:54+01:00
responders: deprecate default_domain_suffix option

:relnote: The option default_domain_suffix is deprecated. Consider using
the more flexible domain_resolution_order instead.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit fb91349cfeba653942b32141f890e3de78b3fb13)

- - - - -
ad5747ac by Alejandro López at 2024-11-18T14:46:01+01:00
OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET

The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
but the corresponding option is missing in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200

This error was introduced by
https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 9ee10f98e0070774e0e7f0794bc296ef06a671e4)

- - - - -
6eb7683e by Alejandro López at 2024-11-18T14:46:01+01:00
TESTS: Also test default_dyndns_opts

Compare this structure to ipa_dyndns_opts, which is already compared
to ad_dyndns_opts.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 2c72834e657197012b3a32207ffe307e8ba5f9e2)

- - - - -
afd7754f by Alexey Tikhonov at 2024-11-18T17:14:01+01:00
SPEC: untie capabilities of different binaries

as those do not have to be the same

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit b74fe65b65c02a1470b731b012ad5b4723ce03b3)

- - - - -
53431f93 by Alexey Tikhonov at 2024-11-18T17:14:01+01:00
LDAP_CHILD: replace 'cap_dac_override' with 'cap_dac_read_search'

'cap_dac_read_search' is needed to read a keytab but 'cap_dac_override'
(that allows to bypass file write permission checks) shouldn't be required.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 7ce14e7f73af9c531a1034fcb315b167f02e21e3)

- - - - -
b81a266b by Alexey Tikhonov at 2024-11-18T17:14:01+01:00
LDAP_CHILD: don't require any capabilities besides 'cap_dac_read_search'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 942799d5e7d9f30ad8aa4bdf3cccac8e954a9d8e)

- - - - -
f344f3a4 by Alexey Tikhonov at 2024-11-18T17:14:01+01:00
LDAP_CHILD: require only 'cap_dac_read_search=permitted'

and raise to 'effective' when needed.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 5ef1efc52d6902ddfc1abe12a375655c2b8f90b2)

- - - - -
a9023c77 by Alexey Tikhonov at 2024-11-18T17:14:01+01:00
Describe current capabilities usage.

Take a note that usage of cap_dac_override + chown to create cache path
components could be changed to use cap_dac_override + (granted anyway) setuid,
but not sure if it's worth the trouble.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 23d9c93b971c60b5535444e6782b5970f56ce24e)

- - - - -
59ccf3e0 by Alexey Tikhonov at 2024-11-19T11:28:18+01:00
CLIENT: don't try to lookup `getservbyport(0, ...)`

'sssd_nss' won't handle this request anyway.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 507d2daa86e15e8252e248ef522b6bcae958193c)

- - - - -
35909fdf by Alexey Tikhonov at 2024-11-19T11:29:56+01:00
SSSDConfig: chown file to root:sssd

This is an addition to https://github.com/SSSD/sssd/pull/7667

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1f8040de29a4d7c73521134a9faeca4e6767178b)

- - - - -
c2d10011 by aborah-sudo at 2024-11-19T11:32:23+01:00
Tests: Test transformation of bash-ldap-id-ldap-auth netgroup

Test transformation of bash-ldap-id-ldap-auth netgroup

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 9c4a51fa1031b49a4d45c69a46719d2a398924ff)

- - - - -
963e0c6d by Alexey Tikhonov at 2024-11-21T16:27:34+01:00
'dtrace' was moved to a separate package on C10S as well

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 21c6280556f4c8e035d1e78e6a51e1068d3ec92c)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f2f1ee8b by Alexey Tikhonov at 2024-11-21T16:27:34+01:00
Enable CI for 'sssd-2-10' branch

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a7cc6cbf by aborah-sudo at 2024-11-21T16:28:03+01:00
Tests: Reverse the condition and fail

Currently, the test will blindly fail if someone carelessly adds IPA to the topologies.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit a926f43ac17e46dd37b3ecc545f09c903651b327)

- - - - -
5e020485 by Sumit Bose at 2024-11-22T12:19:55+01:00
ldap_child: make sure invalid krb5 context is not used

Resolves: https://github.com/SSSD/sssd/issues/7715

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744)

- - - - -
ba2b247c by Jakub Vávra at 2024-11-26T10:01:30+01:00
Tests: Update sst to rhel-sst-idm-sssd for polarion.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 7514309bb361c8aea4f5ac8fef68f1a50f1a3fe1)

- - - - -
9e3fbbc6 by Justin Stephenson at 2024-11-26T20:54:20+01:00
analyzer: fix two crashes

OSError from 'sss_analyze error list'

PermissionError from 'sss_analyze request list' run without sudo

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 0bb13645168864ca9eb7097cad063e1bfa4834cf)

- - - - -
d2d229d2 by Sumit Bose at 2024-11-27T10:37:11+01:00
dyndns: collect nsupdate debug output

It looks like in current code the assumption is that the nsupdate
command can just send its debug output into the backend log by
duplicating the file descriptor. This won't work since the log file is
opened with O_CLOEXEC so that it is closed when nsupdate is started.

Additionally it is questionable if this approach is a good idea because
it would lead to a random intermixing of debug information. This patch
collects the output on stderr of nsupdate separately and adds it into
the backend log similar to the input sent to nsupdate.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e4b26042a5696c10ee0616a34c39f3539ca5ae34)

- - - - -
195c6a66 by Dan Lavu at 2024-11-27T10:37:45+01:00
tests: adding system/tests/readme.rst as a quick primer

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 58a2fee59914eea5130fd995315149f1b15fd5a8)

- - - - -
0f9074e2 by Jakub Vávra at 2024-12-02T12:27:39+01:00
Tests: Add ssh to services for authentication with ssh tests.

This fixes mh critical tests that are failing.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit 098105486cd014717cbb055195b9f879dbce63ee)

- - - - -
c228b79e by Tomas Halman at 2024-12-04T12:03:56+01:00
Add DoT support for DNS updates

DNS-over-TLS is a new standard for encrypting DNS traffic.

SSSD does not implement the DoT itself but relies on other
components of the system. This modification allows us to set up
DoT for dynamic DNS updates.

:config: the `dyndns_server` option is extended so it can
  be in the form of a URI (dns+tls://1.2.3.4:853#servername).
  A new set of options `dyndns_dot_cacert`,
  `dyndns_dot_cert` and `dyndns_dot_key` allows configuring
  DNS-over-TLS communication.

:relnote: DoT for dynamic DNS updates is supported now.
  It requires a new version of `nsupdate` from BIND 9.19+.

Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit fe26a930852b85b128ca8e3fbf9dfa72536969ea)

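The commit above only gives the shape of the new `dyndns_server` value (`dns+tls://1.2.3.4:853#servername`). The parser below is an added example, not SSSD's own code: it splits such a value into host, port and the TLS server name and rejects malformed input before it would ever be handed to `nsupdate`. Two choices are the example's own assumptions, not documented SSSD behaviour: a missing port defaults to 853 (the DNS-over-TLS port from RFC 7858), and the `#servername` fragment is required, since without it there is no name to verify the server certificate against.

```python
"""Parse the dns+tls:// form of the dyndns_server option (added example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# RFC 7858 assigns 853/tcp to DNS-over-TLS; using it when the URI carries no
# port is this example's assumption, not documented SSSD behaviour.
DEFAULT_DOT_PORT = 853


@dataclass(frozen=True)
class DotServer:
    host: str        # IP literal or hostname of the DNS server
    port: int
    servername: str  # name the server's TLS certificate must match


def parse_dyndns_server(value: str) -> Optional[DotServer]:
    """Return a DotServer for a dns+tls:// URI, None for a legacy plain
    host/IP value, and raise ValueError for anything malformed."""
    value = value.strip()
    if "://" not in value:
        return None  # plain 'dyndns_server = 1.2.3.4': no DoT involved
    parts = urlsplit(value)
    if parts.scheme != "dns+tls":
        raise ValueError(f"unsupported scheme {parts.scheme!r} in {value!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials are not allowed in dyndns_server")
    if parts.path not in ("", "/") or parts.query:
        raise ValueError(f"unexpected path/query in {value!r}")
    host = parts.hostname  # brackets stripped for IPv6 literals
    if not host:
        raise ValueError(f"missing host in {value!r}")
    port = parts.port  # raises ValueError if non-numeric or outside 0-65535
    if port is None:
        port = DEFAULT_DOT_PORT
    # Requiring '#servername' is the example's own strictness: without it
    # there is nothing to match the server certificate against.
    if not parts.fragment:
        raise ValueError(f"missing #servername in {value!r}")
    return DotServer(host, port, parts.fragment)


def is_valid_dyndns_server(value: str) -> bool:
    """True when the value is a plain host or a well-formed dns+tls:// URI."""
    try:
        parse_dyndns_server(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("dns+tls://1.2.3.4:853#ns1.example.com",
                   "dns+tls://[2001:db8::53]#ns1.example.com",
                   "dns+tls://1.2.3.4:853"):
        print(sample, "->", parse_dyndns_server(sample) if is_valid_dyndns_server(sample) else "rejected")
```

The host names and addresses in the samples are constructed for the example. A plain value (no `://`) returns `None` so existing configurations keep working unchanged.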
- - - - -
1e4bb218 by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: verbosity around ccname handling

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1ef3cf525b5646329cf0b11ec14e20378f55c4c4)

- - - - -
ce85278b by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: don't pre-create parent dir(s) of wanted DIR:/FILE:

to match 'kinit' behavior and avoid the need for cap_chown and
cap_dac_override.

:relnote:SSSD no longer creates missing path components of DIR:/FILE:
ccache types while acquiring the user's TGT. The parent directory of the requested
ccache directory must exist and the user trying to log in must have 'rwx'
access to this directory. This matches the behavior of 'kinit'.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 5e17bc22f6c0ad74ba3ddb198db94acc96cc90a4)

- - - - -
f0957bc0 by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: skip `switch_creds()` in PKINIT case

Since 'krb5_child' has lost its set-id bit and is run under the uid/gid of
the backend, it was a no-op.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 541c42ba73b782e696979e90a925a03816c376e8)

- - - - -
f21107a2 by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: 'fast-ccache-uid/gid' args aren't used anymore

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 947f791d8e3e07413b77d1b3782608af1645ca2b)

- - - - -
cfbb36e2 by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: don't require effective CAP_DAC_READ_SEARCH

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 19dd64322857fba3eea2dd3855a79ba4f663d849)

- - - - -
d2892fe5 by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: verbosity

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 89d61e66b8753935ca9b2b017575e93055350d5e)

- - - - -
29a8a22d by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: drop cap_set*id as soon as possible

Set user uid/gid as real IDs as a first step in `privileged_krb5_setup()`
and drop cap_set*id afterwards.

Having real_ids == user_ids and set_ids == service_ids should be
enough to switch through and back.

:relnote:`krb5-child-test` was removed. Corresponding tests under
'src/tests/system/' are aimed to provide a comprehensive test coverage
of 'krb5_child' functionality.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 65538771154c49fd2541f3d17dbccf85f986e4e8)

- - - - -
be5174d9 by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: 'krb5_child' doesn't require effective capabilities

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 19a871a9e9f426c8be0c6760a8653a057d05b5fb)

- - - - -
0890828d by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
become_user() moved to src/monitor

Monitor is the only user of this function and only if built
with support of deprecated 'sssd.conf::user' option.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 988e5fa846e928508cbcda3dee9f21943ad4949d)

- - - - -
01bc3708 by Alexey Tikhonov at 2024-12-05T16:36:36+01:00
KRB5: cosmetics

Remove non existent / private functions from a header.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit a406c1b2890b37ac640eef681519087bb2aa27b8)

- - - - -
dcef16bb by Alexey Tikhonov at 2024-12-06T13:29:00+01:00
Deprecate and make support of 'ad_allow_remote_domain_local_groups' sssd.conf option conditional

:config: 'ad_allow_remote_domain_local_groups' option is deprecated
and will be removed in future releases.

:packaging: Support of deprecated 'ad_allow_remote_domain_local_groups'
sssd.conf option isn't built by default. It can be enabled using
'--with-allow-remote-domain-local-groups' ./configure option.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 20d658bfbadb47b9393142a9eb607d99bfda92f4)

- - - - -
0ab5ce32 by Alexey Tikhonov at 2024-12-06T15:24:48+01:00
KRB5: mistype fix

Fixes:
```
 *** CID 515655:  Uninitialized variables  (UNINIT)
 /home/runner/work/sssd/sssd/src/providers/krb5/krb5_child.c: 2435 in
 get_and_save_tgt()
 2429             goto done;
 2430         }
 2431
 2432         /* Make sure ccache is created and written as the user */
 2433         kerr = switch_to_user();
 2434         if (kerr != EOK) {
  >>>     CID 515655:  Uninitialized variables  (UNINIT)
  >>>     Using uninitialized value "ret" when calling "sss_debug_fn".
 2435             DEBUG(SSSDBG_CRIT_FAILURE, "Failed to switch to user
 IDs: %d\n", ret);
 2436             goto done;
 2437         }
 2438
 2439         log_process_caps("Saving ccache");
 2440
```

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 110c4aead0d6f1f147bd3dc741528ce2cba5bedc)

- - - - -
9c87e6e7 by Sumit Bose at 2024-12-10T09:40:24+01:00
ldap: make sure realm is set

In general the canonical principal will be only set in the cache after a
successful authentication because in general it is not known what the
canonical principal might be.

For Active Directory it is known that the canonical principal is built
from the sAMAccountName attribute and the Kerberos realm, which is used
in the patch "AD: Construct UPN from the sAMAccountName" (7a27e539). If
'id_provider = ldap' is used to access Active Directory the realm might
not be set in the internal domain data and as a result a wrong principal
might be created. This patch makes sure the realm is set before creating
the canonical principal.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 8c86abd6d6fb1456bb743e031e27802cd7aea490)

- - - - -
46ec31c6 by Madhuri Upadhye at 2024-12-10T09:40:24+01:00
Test: Add the test when we replace id_provider

With AD/Samba check the authentication of user
by replacing id_provider = ldap

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit ef535319cc90797464a99e99e7b9d86533b76db8)

- - - - -
8e5864d5 by Alexey Tikhonov at 2024-12-10T11:10:57+01:00
sss_semanage code is only used by 'selinux_child'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit c357838d81f2d061f016a1797fc330d64ee6d1ae)

- - - - -
b853b20c by Alexey Tikhonov at 2024-12-10T11:10:57+01:00
sss_selinux code is only used by 'ipa_selinux'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 75f1b2bae590d0978e1d645b59ff7011f37d5651)

- - - - -
89627db1 by Alexey Tikhonov at 2024-12-10T11:10:57+01:00
UTILS: shared helper to print current process credentials

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 5f2769267dde9f8d00f478f886bb5e6980291a1f)

- - - - -
1614c5e5 by Alexey Tikhonov at 2024-12-10T11:10:57+01:00
SELINUX_CHILD: only cap_set*id is required

:packaging:*Important note for downstream maintainers.*
A set of capabilities required by privileged binaries
was further reduced to:
```
krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
ldap_child cap_dac_read_search=p
selinux_child cap_setgid,cap_setuid=p
sssd_pam cap_dac_read_search=p
```
Keep in mind that even with a limited set of fine-grained capabilities,
the usual precautions should still be taken while packaging binaries with
file capabilities: it's very important to make sure that those are
executable only by root/sssd service user. For this reason upstream
spec file packages it as:
```
-rwxr-x---. 1 root sssd
```
Failing to do so (i.e. allowing non-privileged users to execute those
binaries) can expose systems installing the package to a security risk.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 84baae4b4ad02d486b5b2344f9202fb264da75f4)
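
A post-install audit of the point made in the note above, written as an added example here and not code from the SSSD project: it checks that a file-capability helper carries no permission bits for "other" (so non-privileged users cannot execute or even read it), matching the -rwxr-x--- layout the upstream spec file uses. The helper directory /usr/libexec/sssd and the additional group-write check are assumptions of this example, not something the note states; ownership by root:sssd is reported but not enforced because it cannot be checked without running on a packaged system.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 when the permission bits match the expectation for a
 * file-capability helper: nothing for "other" (-rwxr-x---).
 * Group write is rejected as well (assumption of this example): a
 * group-writable helper could be replaced by the service user. */
int helper_mode_is_restricted(mode_t mode)
{
    if (mode & S_IRWXO) {          /* world read/write/execute */
        return 0;
    }
    if (mode & S_IWGRP) {          /* group (sssd) could overwrite it */
        return 0;
    }
    return 1;
}

/* stat() the path and check its mode.
 * Returns 1 if restricted, 0 if too permissive, -1 if stat() fails. */
int check_helper_path(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0) {
        return -1;
    }
    return helper_mode_is_restricted(st.st_mode);
}

int main(void)
{
    /* Helper names are the ones listed in the note; the directory is an
     * assumed default libexecdir, not taken from the page. */
    static const char *helpers[] = {
        "/usr/libexec/sssd/krb5_child",
        "/usr/libexec/sssd/ldap_child",
        "/usr/libexec/sssd/selinux_child",
        "/usr/libexec/sssd/sssd_pam",
    };
    int bad = 0;

    for (size_t i = 0; i < sizeof(helpers) / sizeof(helpers[0]); i++) {
        int rc = check_helper_path(helpers[i]);
        struct stat st;

        if (rc < 0) {
            printf("%s: not present, skipped\n", helpers[i]);
            continue;
        }
        stat(helpers[i], &st);
        printf("%s: mode %04o owner %u:%u -> %s\n", helpers[i],
               (unsigned) (st.st_mode & 07777), (unsigned) st.st_uid,
               (unsigned) st.st_gid, rc ? "ok" : "TOO PERMISSIVE");
        if (rc == 0) {
            bad++;
        }
    }
    return bad ? 1 : 0;
}
```

Run it as any user after installing the package; a non-zero exit means at least one helper is reachable by users outside the root/sssd pair and the file capabilities listed above are exposed to them.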

- - - - -
3c0c33d5 by Alexey Tikhonov at 2024-12-10T14:07:09+01:00
Ignore '--dumpable' argument in 'krb5_child' and 'ldap_child' to avoid leaking host keytab accidentally.

Note that this is rather a general precaution than a fix
of a real threat since normally those coredumps wouldn't be
accessible to a non-privileged user anyway.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 548fdb317d4418b760041fe8ecbf4d7b03641ac9)
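
The mechanism behind the precaution above, as an added example that is not SSSD code: on Linux the dumpable flag of a process decides whether a core file is written and whether its /proc/PID entries are readable by its own uid, so a helper that holds a keytab in memory can clear it with prctl(2). The kernel already resets the flag to fs.suid_dumpable (0 by default) when a process executes a set-user-ID program or one with file capabilities, which is why the commit calls the change a precaution rather than a fix. Function names below are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>

/* Report the current dumpable state: 1 if a core file could be written
 * for this process, 0 if not, -1 if the query itself fails. */
int process_is_dumpable(void)
{
    int rc = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);

    if (rc < 0) {
        return -1;
    }
    /* PR_GET_DUMPABLE may return 2 (SUID_DUMP_ROOT); treat any non-zero
     * value as "a dump can be produced". */
    return rc != 0;
}

/* Clear the dumpable flag so no core file is produced and /proc/PID/
 * becomes owned by root, keeping in-memory credentials (such as a
 * keytab) out of reach of an unprivileged user with the same uid.
 * Returns 0 on success, -1 with errno set on failure. */
int disable_core_dumps(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
}

int main(void)
{
    printf("dumpable before: %d\n", process_is_dumpable());
    if (disable_core_dumps() != 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    printf("dumpable after:  %d\n", process_is_dumpable());
    return 0;
}
```

The flag must be cleared before the secret is read into memory, and it has to be re-applied after any setuid()/setgid() transition that raises it again; a helper that wants to allow debugging on demand would invert this and set the flag to 1, which is exactly the behaviour the commit removes for the two keytab-handling children.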

- - - - -
9bfa366a by Pavel Březina at 2024-12-10T14:36:25+01:00
po: update pot files

- - - - -
7de1c5f4 by Pavel Březina at 2024-12-10T14:36:49+01:00
Release sssd-2.10.1

- - - - -


24 changed files:

- + .git-commit-template-tests
- .github/actions/build-sssd-srpm/action.yml
- + .github/dependabot.yml
- .github/workflows/analyze-target.yml
- .github/workflows/ci.yml
- .github/workflows/copr_build.yml
- .github/workflows/copr_cleanup.yml
- .github/workflows/coverity.yml
- .github/workflows/static-code-analysis.yml
- Makefile.am
- README.md
- configure.ac
- + contrib/90-sssd-token-access.rules.in
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/distro.sh
- contrib/ci/get-matrix.py
- contrib/ci/misc.sh
- contrib/ci/sssd.supp
- contrib/fedora/bashrc_sssd
- contrib/fedora/make_srpm.sh
- + contrib/sssd-tmpfiles.conf.in
- contrib/sssd.spec.in
- + contrib/sssd.sysusers


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/595c4c6d2bcee3f88818813585eccda80546e0ab...7de1c5f4df612d6ee9572905f6d4cb365bc38609
