[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 356 commits: Update version in version.m4 to track the next release
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Mon Nov 10 14:35:54 GMT 2025
Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd
Commits:
0e8e6946 by Pavel Březina at 2024-10-15T11:58:35+02:00
Update version in version.m4 to track the next release
- - - - -
247797b2 by Madhuri Upadhye at 2024-10-15T15:19:30+02:00
Tests: sss_ssh_knownhosts with port number
Add test cases with port numbers
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
163b1e31 by Madhuri Upadhye at 2024-10-15T15:19:31+02:00
Tests: Mark builtwith for knownhosts tests
Mark builtwith for sss_ssh_knownhosts tests.
Update the marker of test to high to have basic
coverage in gating.
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
934ae04e by Dan Lavu at 2024-10-15T15:21:58+02:00
tests: rm intg/test_sss_cache.py
* this test is indirectly tested by several tests
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
71845419 by Sumit Bose at 2024-10-15T15:24:06+02:00
ldap: add 'exop_force' value for ldap_pwmodify_mode
In case the LDAP server allows running the extended operation to change a
password even if an authenticated bind fails due to missing grace logins,
the new option 'exop_force' can be used to run the extended operation to
change the password anyway.
:config: Added `exop_force` value for configuration option
`ldap_pwmodify_mode`. This can be used to force a password change even
if no grace logins are left. Depending on the configuration of the
LDAP server it might be expected that the password change will fail.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
deefe9ad by Sumit Bose at 2024-10-15T15:24:06+02:00
tests: add 'exop_force' tests
The new value for the ldap_pwmodify_mode option 'exop_force' is added to
existing test. A new test to illustrate the different behavior of 'exop'
and 'exop_force' is added.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
94e47c5c by Madhuri Upadhye at 2024-10-15T15:29:03+02:00
Test: Passkey test cases with different auth_methods
Added the following test cases
1. Check authentication of user with IPA server when
no PIN is set for the Passkey.
2. Check authentication of user with updated prompting
options
3. Check password authentication of user with IPA server
when sssd falls back to password authentication
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
4a7ab02d by Jakub Vávra at 2024-10-17T11:16:44+02:00
Tests: Add missing returncode to test_0004_bz1638295
Reviewed-by: Anuj Borah <aborah at redhat.com>
- - - - -
cbe3b034 by Alexey Tikhonov at 2024-10-17T17:35:56+02:00
When using an SPDX expression, the booleans must be in all caps.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b928dbe1 by Alexey Tikhonov at 2024-10-17T17:40:55+02:00
Get rid of in-house MIN/MAX definitions
This matches approach already taken in sss_client/idmap/sss_nss_ex.c
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ed666e9f by Jakub Vávra at 2024-10-18T09:22:45+02:00
tests: Unify packages available on client for ipa suites
This is needed to detect sssd NVR for idmci.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
a2e91d20 by Jan Engelhardt at 2024-10-21T18:40:51+02:00
build: remove superfluous WITH_IFP leftover
```
$ autoreconf && configure
...
./configure: line 18674: WITH_IFP: command not found
```
Fixes: 2.10.0-beta2-63-ge5140ab08
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
510130e8 by Scott Poore at 2024-10-21T18:41:42+02:00
man: sssd.conf update defaults for certmap maprule
The sssd.conf man page lists that the maprule RULE_NAME is used to match
a username. However, this is conditional when built with the files
provider. This change states that unconditionally in the maprule
defaults and states that it applies to both the files and proxy
providers.
Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2b7915dd by Jan Engelhardt at 2024-10-21T18:42:51+02:00
sssd: always print path when config object is rejected
Observed:
```
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
```
Expected:
_Well yes, but **which one**_!?
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
d004e7b4 by santeri3700 at 2024-10-21T18:44:30+02:00
ad: honor ad_use_ldaps setting with ad_machine_pw_renewal
The value of ad_use_ldaps was not passed as `--use-ldaps`
argument to the adcli update command which handles
the automatic renewal of AD machine account password.
Resolves: https://github.com/SSSD/sssd/issues/7642
Signed-off-by: santeri3700 <santeri.pikarinen at gmail.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6b221901 by Yaakov Selkowitz at 2024-10-23T14:34:51+02:00
SPEC: require systemtap-sdt-dtrace on ELN
ELN (the future RHEL 11) tracks rawhide and therefore also includes a systemtap with a separate dtrace subpackage.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
a822206c by Tomas Halman at 2024-10-23T14:35:21+02:00
Missing 'dns_update_per_family' option
This update fixes the missing 'dns_update_per_family' option in Python code
and config files.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
42d1837a by Jan Engelhardt at 2024-10-23T14:36:02+02:00
build: unbreak detection for x400Address
Observed:
```
./configure CFLAGS="-O0 -D_FORTIFY_SOURCE=3"
…
checking whether OpenSSL's x400Address is ASN1_STRING... no
configure: WARNING: OpenSSL's x400Address is not of ASN1_STRING type
```
Expected:
```
checking whether OpenSSL's x400Address is ASN1_STRING... yes
```
Relying on warnings alone is terrible; rewrite the C code to provoke compile
error in all cases. [N.B.: I just noticed that the use of the subtraction
operator is conveniently portable, and one need not use typeof(), which is
merely a language extension prior to C23.]
Fixes: 2.8.0-164-gced32c44e
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b84ced06 by Alexey Tikhonov at 2024-10-23T14:37:08+02:00
DEBUG: add 'debug_backtrace_enable' getter
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2300abba by Alexey Tikhonov at 2024-10-23T14:37:08+02:00
UTILS: simplify / comment a bit better
`prepare_child_argv()`
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
88b55de2 by Alexey Tikhonov at 2024-10-23T14:37:08+02:00
DEBUG: propagate debug_backtrace_enabled to child processes
Resolves: https://github.com/SSSD/sssd/issues/7510
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8cdebfcf by Jan Engelhardt at 2024-10-25T10:57:22+02:00
build: stop overriding CFLAGS
CFLAGS is reserved for the user. configure must finish in an
idempotent state and not touch it, pursuant to automake.info §3.6
"Variables reserved for the user".
Observed:
```
$ ./configure && make CFLAGS=-O1
…
libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -I..
-I./src/sss_client -I./src -I. -I/usr/include/samba-4.0
-I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include
-I/usr/include/libnl3 -DLIBDIR=\"/usr/local/lib\"
-DVARDIR=\"/usr/local/var\" -DRUNDIR=\"/usr/local/var/run\"
-DSSS_STATEDIR=\"/usr/local/var/lib/sss\"
-DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\"
-DSSSDDATADIR=\"/usr/local/share/sssd\"
-DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\"
-DSSSD_CONF_DIR=\"/usr/local/etc/sssd\"
-DSSS_NSS_MCACHE_DIR=\"/usr/local/var/lib/sss/mc\"
-DSSS_NSS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/nss\"
-DSSS_PAM_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pam\"
-DSSS_PAC_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pac\"
-DSSS_SUDO_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/sudo\"
-DSSS_AUTOFS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/autofs\"
-DSSS_SSH_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/ssh\"
-DLOCALEDIR=\"/usr/local/share/locale\"
-DBASE_FILE_STEM=\"libsss_util_la-sysdb_ops\" -Wall -Wshadow
-Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wundef -Werror-implicit-function-declaration
-Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99
-O1 -MT src/db/libsss_util_la-sysdb_ops.lo -MD -MP -MF
src/db/.deps/libsss_util_la-sysdb_ops.Tpo -c src/db/sysdb_ops.c -fPIC
-DPIC -o src/db/.libs/libsss_util_la-sysdb_ops.o
```
Expected:
```
libtool: compile: gcc -DHAVE_CONFIG_H -I. -Wall -I..
-I./src/sss_client -I./src -I. -I/usr/include/samba-4.0
-I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include
-I/usr/include/libnl3 -DLIBDIR=\"/usr/local/lib\"
-DVARDIR=\"/usr/local/var\" -DRUNDIR=\"/usr/local/var/run\"
-DSSS_STATEDIR=\"/usr/local/var/lib/sss\"
-DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\"
-DSSSDDATADIR=\"/usr/local/share/sssd\"
-DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\"
-DSSSD_CONF_DIR=\"/usr/local/etc/sssd\"
-DSSS_NSS_MCACHE_DIR=\"/usr/local/var/lib/sss/mc\"
-DSSS_NSS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/nss\"
-DSSS_PAM_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pam\"
-DSSS_PAC_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/pac\"
-DSSS_SUDO_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/sudo\"
-DSSS_AUTOFS_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/autofs\"
-DSSS_SSH_SOCKET_NAME=\"/usr/local/var/lib/sss/pipes/ssh\"
-DLOCALEDIR=\"/usr/local/share/locale\"
-DBASE_FILE_STEM=\"libsss_util_la-sysdb_ops\" -Wall -Wshadow
-Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wundef -Werror-implicit-function-declaration
-Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99
-O1 -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-MT src/db/libsss_util_la-sysdb_ops.lo -MD -MP -MF
src/db/.deps/libsss_util_la-sysdb_ops.Tpo -c
```
Fixes: sssd-1_3_0-3-g551aa6c36
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
30a98038 by Alexey Tikhonov at 2024-11-01T17:40:25+01:00
INI: remove unused helpers
Btw, `sss_ini_get_mtime()` could access uninitialized 'self->cstat'
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
1d19b8ad by Alexey Tikhonov at 2024-11-01T17:40:25+01:00
INI: stop using 'libini_config' for access check
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8472777e by Alexey Tikhonov at 2024-11-01T17:40:25+01:00
INI: relax config files checks
Only make sure:
- user is root or sssd
- group is root or sssd
- other can't access it
Don't make any assumptions wrt user/group read/write-ability.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
518db322 by Alexey Tikhonov at 2024-11-01T17:40:25+01:00
Configuration: make sure /etc/sssd and everything
beneath is owned by 'sssd' group and readable by group.
This should allow for reasonable rw-r----- root:sssd
At some point those chown/chmod can be removed.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
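The relaxed check described in commit 8472777e (owner root or sssd, group root or sssd, no access for others) and the rw-r----- root:sssd layout targeted by 518db322 can be audited from outside SSSD. The script below is an added example, not SSSD's own code (the project's own tool for this is `sssctl config-check`); the `sssd` account name, the `/etc/sssd` path and the numeric ids used when testing are assumptions.

```python
"""Audit /etc/sssd against the relaxed ownership rules described above.
Added example, not SSSD's own code.  The 'sssd' account name, the default
path /etc/sssd and the uid/gid values used in tests are assumptions."""
import grp
import os
import pwd
import stat


def check_config_perms(uid, gid, mode, sssd_uid, sssd_gid):
    """Return the list of problems for one config object (file or directory).

    Rules, as stated in commit 8472777e:
      - owner must be root (uid 0) or the sssd service user
      - group must be root (gid 0) or the sssd group
      - 'other' must have no access bits at all
    Owner/group read and write bits are deliberately not checked, so both
    rw------- root:root and rw-r----- root:sssd pass.
    """
    problems = []
    if uid not in (0, sssd_uid):
        problems.append(f"unexpected owner uid {uid}")
    if gid not in (0, sssd_gid):
        problems.append(f"unexpected group gid {gid}")
    if mode & stat.S_IRWXO:
        problems.append(f"accessible by others (mode {stat.S_IMODE(mode):04o})")
    return problems


def audit_tree(root, sssd_uid, sssd_gid):
    """Apply check_config_perms() to `root` and everything beneath it.

    Returns {path: [problems]}.  Symlinks are inspected with lstat() and not
    followed, so a link pointing outside the tree is reported on its own.
    """
    if not os.path.lexists(root):
        return {}
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    report = {}
    for path in entries:
        st = os.lstat(path)
        report[path] = check_config_perms(st.st_uid, st.st_gid, st.st_mode,
                                          sssd_uid, sssd_gid)
    return report


if __name__ == "__main__":
    try:
        SSSD_UID = pwd.getpwnam("sssd").pw_uid   # assumed account name
        SSSD_GID = grp.getgrnam("sssd").gr_gid
    except KeyError:
        SSSD_UID = SSSD_GID = -1                  # no such account: only root passes
    for path, problems in sorted(audit_tree("/etc/sssd", SSSD_UID, SSSD_GID).items()):
        for problem in problems:
            print(f"{path}: {problem}")
```

Run it as root (or any user that can read the directory listing) before restarting sssd; a snippet under conf.d owned by uid 65534, as in the sssctl example from commit 4cc62d45, shows up as `unexpected owner uid 65534` against its own path rather than against sssd.conf.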
d7c97709 by Alexey Tikhonov at 2024-11-01T17:40:25+01:00
INI: don't report used snippets in `sss_ini_add_snippets()`
This ends up in the system journal because the logger isn't initialized
yet at this point.
Snippets can still be verified via 'sssctl config-check'
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
4cc62d45 by Alexey Tikhonov at 2024-11-01T17:40:25+01:00
SSSCTL: change error message to be more accurate
To avoid misleading reports like in this case:
```
# sssctl config-check --debug 9
[sssd] [access_check_file] (0x0020): Unexpected user owner of '/etc/sssd/conf.d/pam.conf': 65534
Failed to read '/etc/sssd/sssd.conf': File ownership and permissions check failed
```
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
60d369c0 by Alexey Tikhonov at 2024-11-01T17:40:25+01:00
INI: add verbose error messages
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
93eb0736 by Jan Engelhardt at 2024-11-01T17:40:59+01:00
build: fix spellos in configure.ac
"safe" is the antonym to "unsafe", but it's not like CFLAGS is unsafe.
You really want "saved" here.
Fixes: sssd-1_13_1-169-g6b01dae73
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
2d0f0480 by Alexey Tikhonov at 2024-11-01T20:29:48+01:00
chown() gpo cache recursively.
If there is something in @gpocachepath@ it will be a directory with the
domain name and in this directory will be the GPO directory hierarchy
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
76682050 by Alejandro López at 2024-11-07T11:06:36+01:00
SSH: sss_ssh_knownhosts must ignore DNS errors
When the DNS cannot resolve the provided hostname, sss_ssh_knownhosts
must not fail.
Instead it should try its best to find it. It will now try to find
the host account in IPA using both the fqdn and serverHostName
attributes (the latter contains the shortname); and using the name and
nameAlias when looking for the host in the cache.
However, the IP address is not (and must not be) stored in the cache
or IPA entries, so this case will not work if the DNS fails to associate
a hostname to the provided IP address. In such a situation, no key
will be retrieved and provided to `ssh`.
Resolves: https://github.com/SSSD/sssd/issues/7664
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
3054970e by Dan Lavu at 2024-11-07T11:08:59+01:00
tests: adding gpo customer test scenario to use the ldap attribute name
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
7a8da276 by Justin Stephenson at 2024-11-09T10:44:58+01:00
ipa: Check sudo command threshold correctly
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2d85f89f by Alexey Tikhonov at 2024-11-09T10:45:38+01:00
MAN: mistypes fixes
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2d408edd by Sumit Bose at 2024-11-09T10:46:16+01:00
pam_sss: add some missing cleanup calls.
This patch should avoid Coverity warnings like:
./src/sss_client/pam_sss.c:3075:17: alloc_arg: "get_authtok_for_password_change" allocates memory that is stored into "pi.first_factor".
./src/sss_client/pam_sss.c:3090:25: leaked_storage: Variable "pi" going out of scope leaks the storage "pi.first_factor" points to.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
8571d45b by Sumit Bose at 2024-11-12T12:21:15+01:00
subdomains: check when going online
With this patch SSSD will run the sub-domains request, if any, when
switching from offline to online state. Currently only the AD and the
IPA provider provide a sub-domains request. Besides trying to discover
the sub-domains the request will also refresh other domain wide
configurations, e.g. certificate mapping rules in the IPA provider case.
Given that it might not be clear how long the client was offline,
refreshing this data when going online makes sense.
Resolves: https://github.com/SSSD/sssd/issues/7612
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
be0c232b by Dan Lavu at 2024-11-12T12:23:47+01:00
tests: removing intg/ts_cache.py
the following test cases are now covered in system/test_cache.py and
this can be removed.
* fixed assertion writes_to_both_databases tests
* added test detecting modification and deletion for groups
** test is a common user story and functional, changed priority to
critical
* added "integration" test invalidating user, group, netgroup objects
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
d5b64849 by Dan Lavu at 2024-11-12T12:23:47+01:00
tests: converting all the ldb cache tests to use one provider
There is minimal benefit to run these tests against all providers.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
56438ec7 by Ondrej Valousek at 2024-11-12T15:41:21+01:00
Fix bug in objectclass_matched()
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
71430f77 by Alexey Tikhonov at 2024-11-14T17:31:02+01:00
SPEC: require OpenSSL >= 1.0.1
This is required since a86ee649ac7cd80cfb3c1b50ae728fbf12d1b92a
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
ffec45bd by Sumit Bose at 2024-11-14T17:31:48+01:00
ssh: do not use default_domain_suffix
The default_domain_suffix is already handled in the generic cache
request code and the additional enforcement in the ssh responder might
cause issues if fully-qualified names are used as input.
With this change the ssh responder handles request data similarly to the
nss responder, e.g. in sss_nss_protocol_parse_name().
Resolves: https://github.com/SSSD/sssd/issues/7671
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
fb91349c by Sumit Bose at 2024-11-14T17:31:48+01:00
responders: deprecate default_domain_suffix option
:relnote: The option default_domain_suffix is deprecated. Consider using
the more flexible domain_resolution_order instead.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
9ee10f98 by Alejandro López at 2024-11-18T14:45:55+01:00
OPTS: Add the option for DP_OPT_DYNDNS_REFRESH_OFFSET
The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55
but the corresponding option is missing in
https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200
This error was introduced by
https://github.com/SSSD/sssd/commit/35c35de42012481a6bd2690d12d5d11a4ae23ea5
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2c72834e by Alejandro López at 2024-11-18T14:45:55+01:00
TESTS: Also test default_dyndns_opts
Compare this structure to ipa_dyndns_opts, which is already compared
to ad_dyndns_opts.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b74fe65b by Alexey Tikhonov at 2024-11-18T17:13:55+01:00
SPEC: untie capabilities of different binaries
as those do not have to be the same
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7ce14e7f by Alexey Tikhonov at 2024-11-18T17:13:55+01:00
LDAP_CHILD: replace 'cap_dac_override' with 'cap_dac_read_search'
'cap_dac_read_search' is needed to read a keytab but 'cap_dac_override'
(that allows to bypass file write permission checks) shouldn't be required.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
942799d5 by Alexey Tikhonov at 2024-11-18T17:13:55+01:00
LDAP_CHILD: don't require any capabilities besides 'cap_dac_read_search'
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
5ef1efc5 by Alexey Tikhonov at 2024-11-18T17:13:55+01:00
LDAP_CHILD: require only 'cap_dac_read_search=permitted'
and raise to 'effective' when needed.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
23d9c93b by Alexey Tikhonov at 2024-11-18T17:13:55+01:00
Describe current capabilities usage.
Note that the usage of cap_dac_override + chown to create cache path
components could be changed to use cap_dac_override + (granted anyway) setuid,
but not sure if it's worth the trouble.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
507d2daa by Alexey Tikhonov at 2024-11-19T11:28:13+01:00
CLIENT: don't try to lookup `getservbyport(0, ...)`
'sssd_nss' won't handle this request anyway.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
1f8040de by Alexey Tikhonov at 2024-11-19T11:29:51+01:00
SSSDConfig: chown file to root:sssd
This is an addition to https://github.com/SSSD/sssd/pull/7667
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9c4a51fa by aborah-sudo at 2024-11-19T11:32:18+01:00
Tests: Test transformation of bash-ldap-id-ldap-auth netgroup
Test transformation of bash-ldap-id-ldap-auth netgroup
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
3294cdb0 by Alexey Tikhonov at 2024-11-19T16:31:46+01:00
CI: COPR: add c10s buildroot
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
21c62805 by Alexey Tikhonov at 2024-11-19T18:28:49+01:00
'dtrace' was moved to a separate package on C10S as well
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
a926f43a by aborah-sudo at 2024-11-21T16:27:58+01:00
Tests: Reverse the condition and fail
Currently, the test will blindly fail if someone carelessly adds IPA to the topologies.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
fce94aec by Sumit Bose at 2024-11-22T12:19:50+01:00
ldap_child: make sure invalid krb5 context is not used
Resolves: https://github.com/SSSD/sssd/issues/7715
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
7514309b by Jakub Vávra at 2024-11-26T10:01:27+01:00
Tests: Update sst to rhel-sst-idm-sssd for polarion.
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
0bb13645 by Justin Stephenson at 2024-11-26T20:54:15+01:00
analyzer: fix two crashes
OSError from 'sss_analyze error list'
PermissionError from 'sss_analyze request list' run without sudo
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
e4b26042 by Sumit Bose at 2024-11-27T10:37:05+01:00
dyndns: collect nsupdate debug output
It looks like in the current code the assumption is that the nsupdate
command can just send its debug output into the backend log by
duplicating the file descriptor. This won't work since the log file is
opened with O_CLOEXEC so that it is closed when nsupdate is started.
Additionally it is questionable if this approach is a good idea because
it would lead to a random intermixing of debug information. This patch
collects the output on stderr of nsupdate separately and adds it into
the backend log similar to the input sent to nsupdate.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
58a2fee5 by Dan Lavu at 2024-11-27T10:37:39+01:00
tests: adding system/tests/readme.rst as a quick primer
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
60405108 by aborah-sudo at 2024-12-02T12:26:20+01:00
Tests: SSSD fails to store users if any of the requested attributes is empty
SSSD fails to store users if any of the requested attributes is empty
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
09810548 by Jakub Vávra at 2024-12-02T12:27:38+01:00
Tests: Add ssh to services for authentication with ssh tests.
This fixes mh critical tests that are failing.
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
- - - - -
7b855ab9 by aborah-sudo at 2024-12-03T18:45:10+01:00
Tests: Fix python black formatting error
Would reformat system/tests/test_ldap.py
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
fe26a930 by Tomas Halman at 2024-12-04T12:03:50+01:00
Add DoT support for DNS updates
DNS-over-TLS is a new standard for encrypting DNS traffic.
SSSD does not implement DoT itself but relies on other
components of the system. This modification allows us to set
up DoT for dynamic DNS updates.
:config: the `dyndns_server` option is extended so it can
be in the form of a URI (dns+tls://1.2.3.4:853#servername).
A new set of options `dyndns_dot_cacert`,
`dyndns_dot_cert` and `dyndns_dot_key` allows configuring
DNS-over-TLS communication.
:relnote: DoT for dynamic DNS updates is now supported.
It requires a new version of `nsupdate` from BIND 9.19+.
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
1ef3cf52 by Alexey Tikhonov at 2024-12-05T16:36:30+01:00
KRB5: verbosity around ccname handling
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5e17bc22 by Alexey Tikhonov at 2024-12-05T16:36:30+01:00
KRB5: don't pre-create parent dir(s) of wanted DIR:/FILE:
to match 'kinit' behavior and avoid the need for cap_chown and
cap_dac_override.
:relnote:SSSD no longer creates missing path components of DIR:/FILE:
ccache types while acquiring the user's TGT. The parent directory of the requested
ccache directory must exist and the user trying to log in must have 'rwx'
access to this directory. This matches the behavior of 'kinit'.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
541c42ba by Alexey Tikhonov at 2024-12-05T16:36:30+01:00
KRB5: skip `switch_creds()` in PKINIT case
Since 'krb5_child' has lost the set-id bit and is run under the uid/gid of
the backend, it was a no-op.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
947f791d by Alexey Tikhonov at 2024-12-05T16:36:31+01:00
KRB5: 'fast-ccache-uid/gid' args aren't used anymore
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
19dd6432 by Alexey Tikhonov at 2024-12-05T16:36:31+01:00
KRB5: don't require effective CAP_DAC_READ_SEARCH
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
89d61e66 by Alexey Tikhonov at 2024-12-05T16:36:31+01:00
KRB5: verbosity
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
65538771 by Alexey Tikhonov at 2024-12-05T16:36:31+01:00
KRB5: drop cap_set*id as soon as possible
Set user uid/gid as real IDs as a first step in `privileged_krb5_setup()`
and drop cap_set*id afterwards.
Having real_ids == user_ids and set_ids == service_ids should be
enough to switch through and back.
:relnote:`krb5-child-test` was removed. Corresponding tests under
'src/tests/system/' aim to provide comprehensive test coverage
of 'krb5_child' functionality.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
19a871a9 by Alexey Tikhonov at 2024-12-05T16:36:31+01:00
KRB5: 'krb5_child' doesn't require effective capabilities
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
988e5fa8 by Alexey Tikhonov at 2024-12-05T16:36:31+01:00
become_user() moved to src/monitor
Monitor is the only user of this function and only if built
with support of deprecated 'sssd.conf::user' option.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
a406c1b2 by Alexey Tikhonov at 2024-12-05T16:36:31+01:00
KRB5: cosmetics
Remove non existent / private functions from a header.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
20d658bf by Alexey Tikhonov at 2024-12-06T13:28:54+01:00
Deprecate and make support of 'ad_allow_remote_domain_local_groups'
sssd.conf option conditional
:config: 'ad_allow_remote_domain_local_groups' option is deprecated
and will be removed in future releases.
:packaging: Support of deprecated 'ad_allow_remote_domain_local_groups'
sssd.conf option isn't built by default. It can be enabled using
'--with-allow-remote-domain-local-groups' ./configure option.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
110c4aea by Alexey Tikhonov at 2024-12-06T15:24:43+01:00
KRB5: mistype fix
Fixes:
```
*** CID 515655: Uninitialized variables (UNINIT)
/home/runner/work/sssd/sssd/src/providers/krb5/krb5_child.c: 2435 in
get_and_save_tgt()
2429 goto done;
2430 }
2431
2432 /* Make sure ccache is created and written as the user */
2433 kerr = switch_to_user();
2434 if (kerr != EOK) {
>>> CID 515655: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret" when calling "sss_debug_fn".
2435 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to switch to user
IDs: %d\n", ret);
2436 goto done;
2437 }
2438
2439 log_process_caps("Saving ccache");
2440
```
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
8c86abd6 by Sumit Bose at 2024-12-10T09:40:18+01:00
ldap: make sure realm is set
In general the canonical principal will only be set in the cache after a
successful authentication because in general it is not known what the
canonical principal might be.
For Active Directory it is known that the canonical principal is built
with the sAMAccountName attribute and the Kerberos realm, which is used
in the patch "AD: Construct UPN from the sAMAccountName" (7a27e539). If
'id_provider = ldap' is used to access Active Directory the realm might
not be set in the internal domain data and as a result a wrong principal
might be created. This patch makes sure the realm is set before creating
the canonical principal.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
ef535319 by Madhuri Upadhye at 2024-12-10T09:40:18+01:00
Test: Add the test when we replace id_provider
With AD/Samba check the authentication of user
by replacing id_provider = ldap
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
c357838d by Alexey Tikhonov at 2024-12-10T11:10:51+01:00
sss_semanage code is only used by 'selinux_child'
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
75f1b2ba by Alexey Tikhonov at 2024-12-10T11:10:52+01:00
sss_selinux code is only used by 'ipa_selinux'
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5f276926 by Alexey Tikhonov at 2024-12-10T11:10:52+01:00
UTILS: shared helper to print current process credentials
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
84baae4b by Alexey Tikhonov at 2024-12-10T11:10:52+01:00
SELINUX_CHILD: only cap_set*id is required
:packaging:*Important note for downstream maintainers.*
A set of capabilities required by privileged binaries
was further reduced to:
```
krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
ldap_child cap_dac_read_search=p
selinux_child cap_setgid,cap_setuid=p
sssd_pam cap_dac_read_search=p
```
Keep in mind that even with a limited set of fine-grained capabilities,
usual precautions still should be taken while packaging binaries with
file capabilities: it's very important to make sure that those are
executable only by root/sssd service user. For this reason upstream
spec file packages it as:
```
-rwxr-x---. 1 root sssd
```
Failing to do so (i.e. allowing non-privileged users to execute those
binaries) can expose systems installing the package to a security risk.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
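A defender-side check for the packaging note above, written as an added example that is not SSSD code and not part of this commit: it takes one or more paths, reads the mode with `stat -c` (assumed to be GNU or BusyBox stat), reports the file-capability set when `getcap` is installed, and fails for any binary that unprivileged ("other") users could execute. The helper name `check_capbin_perms` and the `/usr/libexec/sssd` install locations in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not SSSD code: audit binaries that carry file capabilities
# and confirm they are not executable by unprivileged ('other') users.
# Assumptions: GNU/BusyBox 'stat -c' is available; getcap is optional.

# check_capbin_perms PATH
#   0 -> mode has no 'other' execute bit (e.g. 0750, as the upstream spec ships)
#   1 -> 'other' can execute the binary: this is the dangerous case
#   2 -> file missing or unreadable
check_capbin_perms() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "MISSING $path" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$path") || return 2
    owner=$(stat -c '%U:%G' "$path") || return 2
    # The last octal digit is the permission triplet for 'other';
    # execute is the low bit, so an odd digit means world-executable.
    other=${mode#"${mode%?}"}
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null)
    fi
    case "$other" in
        1|3|5|7)
            echo "FAIL    $path mode=$mode owner=$owner${caps:+ $caps}"
            return 1 ;;
        *)
            echo "OK      $path mode=$mode owner=$owner${caps:+ $caps}"
            return 0 ;;
    esac
}

# Audit every path given on the command line; exit non-zero if any fails.
# Assumed install locations (libexecdir may differ on your distribution):
#   /usr/libexec/sssd/krb5_child /usr/libexec/sssd/ldap_child
#   /usr/libexec/sssd/selinux_child /usr/libexec/sssd/sssd_pam
if [ $# -gt 0 ]; then
    rc=0
    for p in "$@"; do
        check_capbin_perms "$p" || rc=1
    done
    exit "$rc"
fi
```

The check deliberately looks only at the "other" execute bit: a group-executable binary owned by root:sssd is exactly what the spec file ships, while any world-executable file carrying `cap_setuid`/`cap_setgid` or `cap_dac_read_search` is worth a packaging bug report.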
548fdb31 by Alexey Tikhonov at 2024-12-10T14:07:04+01:00
Ignore '--dumpable' argument in 'krb5_child' and 'ldap_child' to avoid accidentally leaking the host keytab.
Take note that this is rather a general precaution than a fix
of a real threat since normally those coredumps wouldn't be
accessible to a non-privileged user anyway.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
bf99c163 by Justin Stephenson at 2024-12-11T10:49:58+01:00
DEBUG: lower missing passkey data debug level
- - - - -
b060ed50 by Dan Lavu at 2024-12-11T10:52:27+01:00
tests: moved ad specific authentication test and created test_ad.py
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
132d2088 by Dan Lavu at 2024-12-11T10:52:27+01:00
tests: adding override_homedir test
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
5094a3d9 by Alexey Tikhonov at 2024-12-12T21:21:21+01:00
UTILS: reduce log level if `sss_krb5_touch_config()` fails
This is a fix of fc5c1a1af5d868a34a687550af1e31a17576ad25 -
when the `times` argument is 'NULL', the return code in case of failing
DAC checks is 'EACCES', not 'EPERM'
Reviewed-by: Alejandro López <allopez at redhat.com>
- - - - -
af65c00b by Alexey Tikhonov at 2024-12-17T15:21:08+01:00
SPEC: conf files are owned by 'root:sssd'
518db322fdd5a4de41813fbe5bc35fc20392ce67 updated service files
but missed spec-file.
This results in
```
$ rpm --verify sssd-common-0:2.10.1-1.el10.x86_64
.....U... /etc/sssd
.....U... /etc/sssd/conf.d
.....U... /etc/sssd/pki
```
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
a20fa0ff by Alexey Tikhonov at 2024-12-18T16:50:39+01:00
SYSTEMD SERVICE: use "--no-dereference" for 'chown'
to avoid following accidental symbolic links in those dirs.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
39f9ff85 by Krzesimir Nowak at 2024-12-19T14:09:24+01:00
Assume that callbacks are not broken in OpenLDAP when cross-compiling
If we cross-compile against a known broken version of OpenLDAP,
we can do `export ac_cv_member_struct_ldap_conncb_lc_arg=no` before
running configure. This is rather unlikely now, as the test was done
to detect a bug that was fixed 16 years ago.
This allows the project to be configured successfully when
cross-compiling, without disabling connection callbacks.
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b7d4a806 by Evgeny Sinelnikov at 2024-12-19T14:10:37+01:00
cert util: add support for building with OpenSSL older than 3.0
Don't include <openssl/core_names.h> header if OpenSSL older than 3.0 is
used. Fix compile typos for build with OpenSSL 1.1.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
befc4b66 by aborah-sudo at 2024-12-20T18:06:15+01:00
Tests: Fix the permission of snippet file
Fix the permission of snippet file
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
ae6a0ff6 by Iker Pedrosa at 2024-12-27T12:56:07+01:00
tests: add feature presence automation
The test case can be further extended to cover other features by using
the parametrization that is already in place.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
ffd5d0e1 by Dan Lavu at 2025-01-06T15:21:47+01:00
tests: test_kcm.py fixing confusing error message
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
4fbf9635 by Justin Stephenson at 2025-01-06T15:28:54+01:00
tests: have analyzer request child parse child log
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
91d8199d by fossdd at 2025-01-06T15:34:53+01:00
Fix missing include sys/types.h
ino_t is provided by <sys/types.h>, see sys_types.h(0p), and therefore
the build fails on musl libc and probably other libcs.
src/sss_client/nss_mc.h:56:5: error: unknown type name 'ino_t';
fixes commit 0344c41aca0d (SSS_CLIENT: check if mem-cache fd was hijacked)
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
10c753e1 by Sumit Bose at 2025-01-06T17:27:13+01:00
krb5_child: ignore Smartcard identifiers with a ':'
libkrb5 expects the Smartcard identifiers like token name or label in a
single string separated by ':'. If one of the identifiers contains a ':'
this breaks, and since libkrb5 currently does not support escaping of ':',
SSSD will ignore the Smartcard during its pre-auth step to determine
the available authentication methods and will error out if this happens
during the actual authentication step.
Resolves: https://github.com/SSSD/sssd/issues/7746
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
4b35ac30 by Alexey Tikhonov at 2025-01-08T16:28:26+01:00
SYSTEMD: traverse 'sssdconfdir' symlink while chown-ing
to support use case where /etc/sssd is a symlink.
'-H' only allows following a command line argument itself,
everything else encountered due to '-R' isn't followed.
This is an update to a20fa0ffd6cb61bc164f52403f396cce6de8b2ea
Resolves: https://github.com/SSSD/sssd/issues/7781
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
561c51bd by Alexey Tikhonov at 2025-01-08T16:28:26+01:00
SYSTEMD: fix missing 'g+x' on /etc/sssd and subdirs
for rpm-ostree based systems
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6bd231cd by Alexey Tikhonov at 2025-01-08T19:14:22+01:00
LOGROTATE: fix path to pid file
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
067dbf61 by Iker Pedrosa at 2025-01-13T16:18:46+01:00
tests: improve feature presence automation
`files-provider` stopped being shipped in Fedora 40 in sssd-2.9. Thus,
the detection matrix needs to be updated to take this into account.
In addition, the assertion messages weren't clear enough, so I've
improved them to understand them at a first glance.
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
c2d95a3b by Alejandro López at 2025-01-13T16:20:00+01:00
SSH: sss_ssh_knownhost must succeed if the responder is stopped
sss_ssh_knownhosts requires that SSSD's 'ssh' service is launched to
work properly. But if it is not launched or is stopped for any reason, the
tool MUST NOT fail and must let the ssh client continue its job.
:fixes: If the ssh responder is not running, `sss_ssh_knownhosts` will
not fail (but it will not return the keys).
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
e58cf803 by Justin Stephenson at 2025-01-13T16:21:07+01:00
ci: Remove internal covscan workflow
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
c6294f5f by Justin Stephenson at 2025-01-13T16:21:07+01:00
ci: Add workflow for 'coverity' label in PRs
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
85784e76 by Alexey Tikhonov at 2025-01-16T11:57:06+01:00
PAM: don't set PR_SET_DUMPABLE
to avoid accidentally leaking the host keytab.
Take note that this is rather a general precaution than a fix of a real threat
since normally those coredumps wouldn't be accessible to a non-privileged user anyway.
This is an addition to https://github.com/SSSD/sssd/pull/7755
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7ff2e486 by Alexey Tikhonov at 2025-01-17T20:29:19+01:00
SELINUX_CHILD: fail immediately if set-id fails
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
95160058 by Alexey Tikhonov at 2025-01-17T20:29:19+01:00
SELINUX_CHILD: 'ret' argument of `prepare_response()` is always 0
both in current and pre- sssd-2.10.1 code. Let's make it explicit.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6e66cbb1 by Alexey Tikhonov at 2025-01-17T20:29:19+01:00
SELINUX: get rid of response as it was redundant and
rely solely on exit code.
This also fixes a bug where the exit code wasn't handled before.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6cb2de5d by Alexey Tikhonov at 2025-01-20T14:51:41+01:00
Clear env of privileged 'sssd_pam' as a security hardening measure.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
50892b6b by Alexey Tikhonov at 2025-01-20T14:51:41+01:00
Don't clear 'sssd_pam' env when built for intg-tests
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
2e6fdb65 by Samuel Cabrero at 2025-01-20T15:12:41+01:00
CACHE_REQ: always return the first result in service by port lookups
RFC6335 Section 5 allows more than one service associated with a
particular port.
In this case always return the first result returned by
sysdb_getservbyport().
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
f911e386 by Samuel Cabrero at 2025-01-20T15:12:41+01:00
SYSDB: Use temporary memory context to allocate the results
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
b1c16494 by Samuel Cabrero at 2025-01-20T15:12:41+01:00
SYSDB: Allow multiple services associated to the same port
RFC6335 section 5 allows multiple services associated with the same
transport and port. This commit allows storing multiple service entries
in the cache for the same port and the lookup functions will return all
matching entries. The cache_req plugin will pick the first result.
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
56ef896e by Samuel Cabrero at 2025-01-20T15:12:41+01:00
INTG-TESTS: Add Tests for service by name and by port lookups
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
e76849ba by aborah-sudo at 2025-01-20T18:05:44+01:00
Tests: ldap search base does not fully limit the Netgroup search base
ldap search base does not fully limit the Netgroup search base
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
d2232139 by Justin Stephenson at 2025-01-22T13:29:11+01:00
CI: Fix coverity label multiline conditional
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
afc643dd by Samuel Cabrero at 2025-01-23T16:21:15+01:00
IFP: Restrict destination
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Domains"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Domains.Domain"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Users"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Users.User"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Groups"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Groups.Group"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Cache"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Cache.Object"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> sssd-dbus.x86_64: E: dbus-policy-allow-without-destination <allow send_interface="org.freedesktop.sssd.infopipe.Components"/> /usr/share/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
> 'allow' directives must always specify a 'send_destination'.
Signed-off-by: Samuel Cabrero <scabrero at suse.de>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
51bf6673 by SATOH Fumiyasu at 2025-01-24T10:51:23+01:00
SPEC: sssd.conf file is owned by 'root:sssd' and mode is 0640
Additional fix for commit af65c00b9ca518a7769c05a41d5fc8208a2d133c
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9c65b89f by Dominika Borges at 2025-01-24T10:55:19+01:00
doc: improve description of ldap_disable_range_retrieval
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8e8342a2 by Alexey Tikhonov at 2025-01-27T12:32:18+01:00
certmap: remove stray export declaration
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
a3ed676c by aborah-sudo at 2025-01-27T12:34:05+01:00
Tests: Test transformation for netgroup with generic provider
Test transformation for netgroup with generic provider
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
9c0c9770 by Alexey Tikhonov at 2025-01-29T15:16:37+01:00
Delete 'lib/sifp'.
:relnote:Previously deprecated `--with-libsifp` configure option and
'sss_simpleifp' library were removed.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
e50d0fa4 by Alexey Tikhonov at 2025-01-29T15:16:37+01:00
CI: remove C9S from platforms list.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
36b1d97b by Denis Karpelevich at 2025-01-31T14:10:27+01:00
Parametrize sssctl tests 3.
- Combine various sssctl tests into single parametrized tests.
test_sssctl__check_attribute_not_allowed_in_sssd merges tests:
test_sssctl__check_misplaced_option
test_sssctl__check_ldap_host_object_class_not_allowed_in_sssd
Signed-off-by: Denis Karpelevich <dkarpele at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
cf650328 by Alexey Tikhonov at 2025-02-04T12:00:18+01:00
Get rid of 'local_negative_timeout' config option
since 'files provider' is being removed.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
827a9bff by Alexey Tikhonov at 2025-02-04T12:00:18+01:00
Delete 'files provider'
:relnote:Previously deprecated `--with-files-provider` configure option
and thus support of 'id_provider = files' were removed.
For those who still were building SSSD with this feature: see
https://sssd.io/docs/files-provider-deprecation.html for replacement
details.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
a71f9a6c by Alexey Tikhonov at 2025-02-04T12:00:18+01:00
IPA: verbosity
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
003c699b by Alexey Tikhonov at 2025-02-04T12:00:18+01:00
TESTS: fix issue reported by 'black'
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
196ad92a by Alexey Tikhonov at 2025-02-04T12:00:18+01:00
Fixed a mistype
CONFDB_RESPONDER_CACHE_FIRST_DEFAILT -> CONFDB_RESPONDER_CACHE_FIRST_DEFAULT
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
7f1b7c96 by Alexey Tikhonov at 2025-02-07T11:26:38+01:00
KCM: fix memory leak
The copy of 'secret' argument - `secret_val.data` - was left hanging
on `sss_sec_ctx`, effectively resulting in a memory leak.
But this copy isn't actually required as this data isn't modified in
below operations.
Skipping alloc+memcpy+erase is also beneficial performance wise.
:fixes:'sssd_kcm' memory leak was fixed.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
fdf0b500 by aborah-sudo at 2025-02-09T13:24:16+01:00
Tests: Fix test_008_wildcardsearch for RHEL10
Communication between client and master is encrypted, so we have to set "ldap_start_tls = False" to make the communication human readable
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
2a40db33 by Alexey Tikhonov at 2025-02-10T20:46:57+01:00
RESPONDER: remove unreachable code
At 'immediately:' when condition (ret == EOK) is met,
'refresh_timeout' can't be 'true', so code can't be reached.
It was different before 827a9bffacc500fbfc71c6454285298dc99982a3
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
5e16c957 by Alexey Tikhonov at 2025-02-11T14:54:04+01:00
MONITOR: remove nscd conf check
:packaging:'--with-nscd-conf' ./configure option was removed.
:relnote:During startup SSSD won't check NSCD configuration to issue
a warning in case of a potential conflict.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
062e8ab6 by Denis Karpelevich at 2025-02-12T11:27:02+01:00
Parametrize sssctl tests 2.
- Combine various sssctl tests into single parametrized tests.
test_sssctl__check_invalid_semantic_in_section_name merges tests:
test_sssctl__check_missing_id_provider
test_sssctl__check_invalid_id_provider
test_sssctl__check_special_character_in_option_name
test_sssctl__check_special_character_in_domain_name
test_sssctl__check_invalid_sssd_section_name
test_sssctl__check_invalid_syntax_in_section_name merges tests:
test_sssctl__check_missing_equal_sign
test_sssctl__check_missing_closing_bracket
test_sssctl__check_missing_opening_bracket
Dropped tests:
test_sssctl__check_special_character_in_section_name
test_sssctl__check_forward_slash_missing_in_domain_section
test_sssctl__check_invalid_pam_section_name
test_sssctl__check_invalid_nss_section_name
Signed-off-by: Denis Karpelevich <dkarpele at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
9e72bc24 by Alexey Tikhonov at 2025-02-12T15:19:34+01:00
KCM: another memory leak fixed
```
...
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabc0a0
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaa84f90
talloc_new: src/responder/kcm/kcmsrv_ccache.c:405 contains 0 bytes in 1 blocks (ref 0) 0x563feaabf520
...
```
Reviewed-by: Alejandro López <allopez at redhat.com>
- - - - -
164df110 by Alexey Tikhonov at 2025-02-13T13:41:54+01:00
BUILD: introduce "--with-syslog=stderr" option
to be used in container-like environments where
no system wide logger is available.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
4ed56e58 by aborah-sudo at 2025-02-13T15:37:58+01:00
Tests: Rename test_misc.py to test_all_misc.py
The individual test suite `test_misc.py` is green, but we need to troubleshoot why we get failures once we run it with alltests.
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
463bf25a by Justin Stephenson at 2025-02-13T15:38:31+01:00
ci: Have coverity workflow run against PR code
Checkout the head of the pull request code instead of the
target branch, this is needed when using `pull_request_target`
workflow.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
537e586b by Tomas Halman at 2025-02-14T11:46:14+01:00
failover: Make failover work over IP families
Originally the options ipv4_first and ipv6_first were taken into account
when resolving IP addresses.
When both families are resolvable but the primary is blocked on the
firewall, SSSD should try the secondary family before giving up.
:relnote:SSSD now attempts to connect to the server using a secondary
protocol if the server is not reachable using the primary one.
See the lookup_family_order option.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
894971b6 by Tomas Halman at 2025-02-14T11:46:14+01:00
tests: Check failover to secondary IP family
Test that IPA server is still reachable when primary
address family is blocked but secondary is working.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
c36c320d by Alexey Tikhonov at 2025-02-14T19:35:22+01:00
PAM: fix issue found by Coverity
```
1614 D(("Illegal task [%#x]", task));
9. out_of_scope: Variable buf goes out of scope.
CID 530049: (#1 of 1): Resource leak (RESOURCE_LEAK)
10. leaked_storage: Variable rd going out of scope leaks the storage rd.data points to.
1615 return PAM_SYSTEM_ERR;
1616 }
```
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
e87cc2c2 by Justin Stephenson at 2025-02-17T12:37:22+01:00
SYSDB: Store IPA trust type
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
8879cf88 by Justin Stephenson at 2025-02-17T12:37:22+01:00
Rename struct ipa_ad_server_ctx, and add id_ctx union member
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
70daa009 by Justin Stephenson at 2025-02-17T12:37:22+01:00
ipa: Make ipa_service_init() like ad_failover_init()
Similar to AD server/service discovery initialization, this
allows callers to provide a service, and not just use "IPA".
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
1b0c6203 by Justin Stephenson at 2025-02-17T12:37:22+01:00
ad: Combine 1+2way trust options creation functions
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0862fcb8 by Justin Stephenson at 2025-02-17T12:37:22+01:00
ipa: Make ipa server ad* functions generic
IPA subdomain functions often include ad in the name, these functions
will now handle IPA and AD subdomains, not only AD.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
dc7e2806 by Justin Stephenson at 2025-02-17T12:37:22+01:00
ipa: Add ipa subdomain provider initialization
:feature:SSSD IPA provider now supports IPA subdomains, not only
Active Directory. This IPA subdomain support will enable SSSD
support of IPA-IPA Trust feature, the full usable feature coming
in a later FreeIPA release. Trusted domain configuration options
are specified in the 'sssd-ipa' man page.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
4378ea62 by Justin Stephenson at 2025-02-17T12:37:22+01:00
ipa: Support ipa subdomain account info requests
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f085fe0d by Justin Stephenson at 2025-02-17T12:37:22+01:00
ipa s2n: Remove check for SYSDB_UPN
After b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c we no longer use
the 'upn' variable. During certain codepaths to ipa_s2n_save_objects()
SYSDB_UPN is expected to be missing, so no need to check for it.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
4eb75cc3 by Justin Stephenson at 2025-02-17T12:37:22+01:00
ipa: Rename ipa_create_ad_1way_trust_ctx()
This gets executed when a one-way or two-way trust ipa
is added. Rename this to avoid confusion.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
b63321cc by Justin Stephenson at 2025-02-17T12:37:22+01:00
Handle missing SID for user private group
SSSD goes offline in IPA trusted user lookup due to the IPA user private group:
[ipa_get_ad_acct_ad_part_done] (0x0020): [RID#7] Cannot find a SID.
In IPA-IPA trust, user private groups do not contain a SID. Look up the
equivalent user object of the same name in IPA and use this SID instead.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
de4cea5c by Justin Stephenson at 2025-02-17T12:37:22+01:00
ipa s2n: Ignore trusted IPA user private group
Don't fail when processing the IPA user private group retrieved
from the IPA server in a trusted user lookup. It is expected
this object will have no SID.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
129b5496 by Justin Stephenson at 2025-02-17T12:37:22+01:00
AD: Remove unused AD_AT_TRUST_TYPE attribute
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
3c87b811 by Justin Stephenson at 2025-02-17T12:37:22+01:00
man: IPA subdomain changes to sssd-ipa
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
e2408c24 by Alexey Tikhonov at 2025-02-20T10:18:25+01:00
SPEC: suppress stderr of usermod
Reviewed-by: Alejandro López <allopez at redhat.com>
- - - - -
8477aa06 by Andrea Bolognani at 2025-02-27T14:21:31+01:00
configure: Require valgrind-devel when valgrind is enabled
Currently we include <valgrind/valgrind.h> unconditionally to
access the RUNNING_ON_VALGRIND macro, which allows us to skip
one of the tests which is known not to work correctly under
valgrind.
However, if only the runtime part of valgrind is installed on
the system and the devel part is missing, this will result in
a very late compilation error. Checking for the header's
presence at configure time allows us to provide better
diagnostics, earlier.
More importantly, this makes it possible to build sssd at all
on architectures where valgrind is not yet available, such as
riscv64.
Signed-off-by: Andrea Bolognani <abologna at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
f3fdb429 by David Abdurachmanov at 2025-02-27T20:40:56+01:00
Properly check valgrind arches
Signed-off-by: David Abdurachmanov <davidlt at rivosinc.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
f65d0eaa by Alexey Tikhonov at 2025-03-03T12:46:19+01:00
IPA: fixed misleading messages
`ipa_check_keytab()` doesn't check keytab content / principal.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
22807210 by Alexey Tikhonov at 2025-03-03T12:46:19+01:00
IPA: cosmetics
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
9b6d8fe7 by Alexey Tikhonov at 2025-03-03T12:46:19+01:00
IPA: don't bother checking keytab ownership
Consumers (ldap_/krb5_child) use 'cap_dac_read_search' anyway.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
95caf1aa by Tomas Halman at 2025-03-05T09:52:12+01:00
Pattern support for dyndns_iface option
:config:Until now the dyndns_iface option supported only "*" for all
interfaces or exact names. With this update it is possible to use
shell wildcard patterns (e.g. eth*, eth[01], ...).
Resolves: https://github.com/SSSD/sssd/issues/6910
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
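To see which interfaces a given dyndns_iface value would select before committing it to sssd.conf, here is an added example that is not SSSD code: it emulates the matching described above with POSIX shell `case` patterns. It assumes the value is a comma-separated list, that `*` matches every interface, that each entry is a shell wildcard pattern (`eth*`, `eth[01]`, ...), and that spaces around commas are ignored; the helper names `iface_matches` and `select_ifaces` are made up for the example.

```shell
#!/bin/sh
# Added example, not SSSD code: emulate dyndns_iface pattern matching with
# POSIX shell patterns so a configuration value can be checked in advance.
# Assumptions: comma-separated list, "*" matches everything, each entry is a
# shell wildcard pattern, spaces around commas are ignored.

# iface_matches VALUE NAME -> 0 if NAME is selected by VALUE, 1 otherwise
iface_matches() {
    value=$(printf '%s' "$1" | tr -d ' ')
    name=$2
    oldifs=$IFS
    IFS=,
    set -f   # no pathname expansion while splitting the pattern list
    for pat in $value; do
        # $pat is deliberately unquoted: the shell treats it as a pattern,
        # and case patterns are not subject to field splitting or globbing.
        case "$name" in
            $pat) set +f; IFS=$oldifs; return 0 ;;
        esac
    done
    set +f
    IFS=$oldifs
    return 1
}

# select_ifaces VALUE NAME... -> prints the matching names, one per line;
# returns 1 when nothing matched (a value that selects no interface would
# leave nothing to register in DNS, which is worth catching early).
select_ifaces() {
    value=$1
    shift
    found=1
    for name in "$@"; do
        if iface_matches "$value" "$name"; then
            echo "$name"
            found=0
        fi
    done
    return $found
}

# Usage on a live system (interface names read from the kernel):
#   select_ifaces 'eth*' $(ls /sys/class/net)
```

Bracket expressions are the part most worth checking by hand: `eth[01]` matches `eth0` and `eth1` but not `eth2` or `eth10`, and a bare `eth0` stays an exact name, so `eth01` is not selected.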
8bfc88e4 by Alexey Tikhonov at 2025-03-05T09:53:22+01:00
Get rid of '--with-conf-service-user-support' ./configure option
:relnote:Support of previously deprecated 'sssd.conf::user' option
('--with-conf-service-user-support' ./configure option) was removed.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
3392a857 by Georgij Krajnyukov at 2025-03-06T13:51:59+01:00
P11_CHILD: Invert if statement to reduce code nesting
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8311d3cc by Georgij Krajnyukov at 2025-03-06T13:51:59+01:00
P11_CHILD: Implement passing const args to get_pkcs11_uri
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
1b3d5d82 by Georgij Krajnyukov at 2025-03-06T13:52:00+01:00
P11_CHILD: Extract slot processing into separate function
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
782a6dd5 by Georgij Krajnyukov at 2025-03-06T13:52:00+01:00
P11_CHILD: Make p11_child iterate over all slots
Resolves: https://github.com/SSSD/sssd/issues/5905
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
281d9c3e by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: don't add group members if 'ignore_group_members == true'
Resolves: https://github.com/SSSD/sssd/issues/7793
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5e882b36 by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Reorder checks in a more logical way.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
501663f2 by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Avoid DN->str->DN conversion for the most common code path (i.e. "no overrides")
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6e01e412 by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Don't bother with 'override_dn' in case (!expect_override_dn) at all.
It wasn't actually used in this case anyway, because condition
```
(ldb_dn_compare(res_members->msgs[c]->dn, override_dn) != 0)
```
naturally was false.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6c50506c by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: fix sysdb_add_group_member_overrides()
Skip only one member missing override, not all remaining.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
a58aa915 by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Don't trace DN of every member - `ldb_dn_get_linearized()`
is heavy and is calculated even if debug level isn't set.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
108800dc by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Move code that adds a missing domain name to override name to
a separate function to make `sysdb_add_group_member_overrides()`
easier to read.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6aae3572 by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Only search original name if it is really needed.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
0a9ae2c2 by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in sysdb_add_group_member_overrides()
No need to make a copy of override name.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f61b9bbb by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: make `sysdb_get_user_members_recursively()` static
as it is only used in `sysdb_add_group_member_overrides()`
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ed6956e9 by Alexey Tikhonov at 2025-03-06T18:12:13+01:00
SYSDB: update in get_user_members_recursively()
Don't read unneeded attributes.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
af5e0b70 by Alexey Tikhonov at 2025-03-11T15:10:26+01:00
capabilities: check if cap is supported
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
9f5636f7 by Alexey Tikhonov at 2025-03-11T15:10:26+01:00
capabilities: don't rely on hardcoded set of supported capabilities
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0f011849 by Dan Lavu at 2025-03-11T15:10:58+01:00
tests: rm intg ssh_pubkey
* multihost/ipa/test_misc.py functionally covers this scenario
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
764798d7 by Alexey Tikhonov at 2025-03-14T17:35:41+01:00
SPEC: package 'enable_sssd_conf_dir' as a part of 'sssd-krb5-common'
This is needed by sssd-ad/sssd-ipa that do not pull 'sssd-krb5'
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
add0ed17 by Gleb Popov at 2025-03-14T17:37:32+01:00
platform.m4: Teach to look for struct xucred in addition to struct ucred
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
843aa089 by Gleb Popov at 2025-03-14T17:37:32+01:00
Extend util_creds.h with xucred case
Use it to fix build of sss_client/common.c on FreeBSD.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
38fe14ab by Gleb Popov at 2025-03-14T17:37:32+01:00
Use LOCAL_PEERCRED option instead of SO_PEERCRED where appropriate
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
150d2ee0 by Alexey Tikhonov at 2025-03-14T17:37:32+01:00
Move 'STRUCT_CRED' definition into standalone header
so that sss_client code doesn't pull selinux headers.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
8edb14fa by fossdd at 2025-03-14T17:39:06+01:00
MC: Use useconds_t instead of their reserved type
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8886a27b by fossdd at 2025-03-14T17:39:06+01:00
failover: Clarify message for local hosts file resolution failure
Remove usage of _PATH_HOSTS, which only exists in glibc
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
459cc6b1 by fossdd at 2025-03-14T17:39:06+01:00
CLIENT: Define NETDB_INTERNAL if not already
NETDB_INTERNAL is a glibc quirk and doesn't exist in POSIX
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5c69acc9 by Ivan Korytov at 2025-03-21T13:12:18+01:00
tests: Update mock date to postpone timezone related failures
Because timezones can change throughout the years, mktime calculates the timestamp according to the timezone valid at that date, but tzset uses the current timezone, and that can lead to an incorrect result.
Resolves: https://github.com/SSSD/sssd/issues/7209
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
a7b3255f by Justin Stephenson at 2025-03-21T13:48:25+01:00
ipa: Set proper domain basedn for subdomain options
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
655cd72a by Tomas Halman at 2025-03-24T12:40:36+01:00
man: clarify %o and %h homedir substitution
Describe in more detail how %o and %h homedir
override should be used in IPA-AD trust.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
39f37c93 by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Skip function if group->memberUid is empty.
In this case there are no user objects in the cache that would have
memberOf == group->dn anyway.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b80deaeb by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Ensure that `get_user_members_recursively()` returns only POSIX users
via search filter. This avoids the need to populate and later check
SYSDB_UIDNUM attr.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9bc6dc57 by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
SYSDB: debug message fixed
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
c7a979dc by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
SYSDB: update in sysdb_add_group_member_overrides()
Don't read unneeded attributes from override_dn.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6b46b7a7 by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
SYSDB: update in get_user_members_recursively()
Replaced `sysdb_search_entry()` with `sysdb_cache_search_entry()`
to avoid `sysdb_merge_msg_list_ts_attrs()` that isn't needed here
(timestamps aren't used anyway).
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ca76b7c8 by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
DEBUG: a new helper that skips backtrace
if requested debug level isn't set. Meant to be used in hot (performance sensitive)
code paths only.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
47b25f06 by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
Avoid logging to the backtrace unconditionally in hot paths.
In case of reading a large group (comparable to the entire cache) it accounts
for some non-trivial CPU time (approx. 6..7%)
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
331908d1 by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
UTIL: sss_parse_internal_fqname() optimization
'tmp_ctx' was removed as it wasn't really used anyway.
Code could be changed to make a real use of 'tmp_ctx': to avoid
touching '_dom_name' output arg if update of '_shortname' fails.
But this is a quite unrealistic case and the function is in a hot path,
so better to avoid unneeded memory manipulations.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6aa4b1e0 by Alexey Tikhonov at 2025-03-24T12:44:29+01:00
UTIL: sss_parse_internal_fqname() optimization
Avoid unneeded strlen()'s
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
70782567 by Alexey Tikhonov at 2025-03-24T12:44:30+01:00
UTIL: sized_domain_name() optimization
Don't use sss_parse_internal_fqname() as domain name copy
isn't needed.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5cdfc54b by Alexey Tikhonov at 2025-03-24T12:44:30+01:00
RESPONDER: sized_output_name() optimization
Avoid alloc/free of tmp_ctx. Not many benefits, but the function
is in a hot path.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
f101c1bb by Alexey Tikhonov at 2025-03-24T12:44:30+01:00
UTIL: sss_output_name() optimization
Avoid unnecessary string copy.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
0267cd97 by Alexey Tikhonov at 2025-03-24T12:44:30+01:00
RESPONDER: delete sss_resp_create_fqname()
Function wasn't used since ed891c0c55985cd25de05f65e82debf4452987e1
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
83c0217c by Alexey Tikhonov at 2025-03-24T12:44:30+01:00
UTIL: remake sss_*replace_space() to inplace version
There were no users of those functions that would need a new copy.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
1641dfd5 by Alexey Tikhonov at 2025-03-24T12:44:30+01:00
UTIL: delete sss_fqname()
Function is unused since 26c722d568b0061e0f1edb8d07093bf051d76083
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
804b22cf by Alexey Tikhonov at 2025-03-24T12:44:30+01:00
UTIL: sss_tc_fqname2() optimization
Scan format and alloc string once instead of talloc_strndup_append()
for every chunk.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
4cb65932 by Tomas Halman at 2025-03-24T12:46:58+01:00
test: enumeration with # in the group name
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
158b4cdb by Tomas Halman at 2025-03-24T12:46:58+01:00
Enumerate object with escaped characters in name
This patch fixes enumeration when DN in LDAP server
contains special characters.
The libldb expects that '\' is followed by two hex digits
in filter. Strings like '\#' must be sanitized into '\5c#'
before they are used for searching.
Resolves: https://github.com/SSSD/sssd/issues/7876
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
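Added example (not SSSD's code) of the sanitization the commit above describes: libldb only accepts a backslash in a filter when it is followed by two hex digits, so a DN-escaped value such as 'group\#1' must become 'group\5c#1' before it is placed in a search filter. The function below does that and, as an assumption going beyond the commit, also escapes the RFC 4515 filter metacharacters '*', '(' and ')', since a value containing them would otherwise alter the filter's structure. A backslash that already starts a valid \XX escape is copied unchanged, so the routine is idempotent. filter_escape_value() is a hypothetical name.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* true if p[0] and p[1] are both hex digits (p[0] may be NUL: short-circuits) */
static int is_hex_pair(const char *p)
{
    return isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1]);
}

/*
 * Escape 'in' for use as an attribute value inside an ldb/LDAP search
 * filter. Writes at most outlen-1 bytes plus a NUL into 'out'.
 * Returns the number of bytes written (excluding the NUL), or -1 if
 * 'out' is too small.
 */
int filter_escape_value(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p;

    if (in == NULL || out == NULL || outlen == 0) return -1;

    for (p = in; *p != '\0'; p++) {
        const char *esc = NULL;

        switch (*p) {
        case '*': esc = "\\2a"; break;
        case '(': esc = "\\28"; break;
        case ')': esc = "\\29"; break;
        case '\\':
            /* keep a well-formed \XX escape; sanitize any other backslash */
            if (!is_hex_pair(p + 1)) esc = "\\5c";
            break;
        default:
            break;
        }

        if (esc != NULL) {
            if (o + 3 >= outlen) return -1;
            memcpy(out + o, esc, 3);
            o += 3;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "(memberOf=<escaped dn>)"; returns -1 if anything does not fit. */
int build_memberof_filter(const char *group_dn, char *filter, size_t flen)
{
    char esc[512];
    int n;

    if (filter_escape_value(group_dn, esc, sizeof(esc)) < 0) return -1;
    n = snprintf(filter, flen, "(memberOf=%s)", esc);
    return (n < 0 || (size_t)n >= flen) ? -1 : n;
}
```

The check for an existing \XX escape is what keeps already-correct DNs (for example ones containing '\2c' for a comma) from being double-escaped on a second pass.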
fcc10871 by Tomas Halman at 2025-03-24T14:21:40+01:00
Configure how SSSD should access RootDSE.
:config:New 'ldap_read_rootdse' option allows you to specify how
SSSD will read RootDSE from the LDAP server. Allowed values are
"anonymous", "authenticated" and "never"
Resolves: https://github.com/SSSD/sssd/issues/6665
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
5cb26ed6 by Justin Stephenson at 2025-03-24T16:22:54+01:00
ci: include build description for covscan
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
36148c97 by André Boscatto at 2025-03-24T20:41:34+01:00
man: Updating sssd-simple(5) man page
After some tests and clarifying a few rules, there is an improvement in
the documentation to better cover the option and its impacts. Exploring
some rules together (allow and deny). Improving the example.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
aebb4e13 by Dan Lavu at 2025-03-26T10:18:29+01:00
tests: extending sss_override testcase to assert overridden user group memberships
* moving importance from medium to high
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
4ef4241c by Alejandro López at 2025-03-26T11:20:27+01:00
SSH: Remove sss_ssh_knownhostsproxy and keep the stub
The --with-ssh-known-host-proxy option is removed from ./configure.
The tool sss_ssh_knownhostsproxy is removed along with all the code
specific to it and its man page.
The stub displaying an error message is kept, and is the only thing
that is now built.
The RPM's post-install script deletes any remaining
/var/lib/sss/pubconf/known_hosts file.
:relnote: The deprecated tool 'sss_ssh_knownhostsproxy' was finally
removed, together with the './configure' option
'--with-ssh-known-host-proxy' used to build it. It is now
replaced by a stub which displays an error message.
Instead of this tool, you must now use 'sss_ssh_knownhosts'.
Please check the sss_ssh_knownhosts(1) man page for detailed
information.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
26119113 by Justin Stephenson at 2025-04-01T11:21:36+02:00
ci: Use pull_request_target for conditional
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
ed0af81a by Gleb Popov at 2025-04-01T11:22:07+02:00
configure.ac: Check for the availability of the procctl() function
It is a FreeBSD analog for Linux' prctl()
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
9bb4cf15 by Gleb Popov at 2025-04-01T11:22:07+02:00
Introduce util/sss_prctl module to abstract out process controlling API
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
3d4d9c48 by Gleb Popov at 2025-04-01T11:22:07+02:00
Make use of sss_prctl_* throughout the codebase
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
cc48ad5b by Gleb Popov at 2025-04-01T11:22:07+02:00
Add a reference to FreeBSD procctl into sssd.conf(5) manpage
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
a3ad066c by Tomas Halman at 2025-04-03T15:25:00+02:00
failover: fix fo_is_ip_address check
For checking IPv6 address we need sockaddr_in6 structure.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
4deee59a by Alexey Tikhonov at 2025-04-07T11:46:15+02:00
SPEC: relax Samba version req a bit
Samba version check is there to avoid cases when users upgrade
SSSD but do not upgrade samba-libs. Sometimes this can result in
difficult-to-debug issues when the gap is too wide.
On the other hand, too strict check often bites: when a buildroot
has a new Samba that isn't yet available otherwise, it becomes
impossible to install SSSD due to unsatisfied deps.
Requiring the %{version} part only looks like a reasonable compromise.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
08a3c410 by Dan Lavu at 2025-04-09T16:25:51+02:00
tests: adding generic password change tests
* user is forced to change password at login
* user logs in and issues a password change
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
f8f7f843 by Dan Lavu at 2025-04-09T16:25:51+02:00
tests: removed overlapping test scenarios from authentication tests
* few scenarios have been removed
* ppolicy tests have been made into ppolicy tests only, since normal ldap is covered by the generic provider now
* renamed some of the test cases
* removed su from a password change test
* removed some test cases that are now covered by the new test cases
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
53b26af6 by Jakub Vávra at 2025-04-10T11:27:54+02:00
tests: Update mhc.yaml for relocated /data and /enrollment
For RHEL image mode we need to move these dirs from root, as it
is read-only, to /var.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
536f7fcd by Jakub Vávra at 2025-04-10T11:27:54+02:00
tests: Move /exports to /var/exports for autofs tests
We need to move the directory from read only root to make it
work in RHEL Image Mode.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
dbe82004 by Gleb Popov at 2025-04-10T13:20:49+02:00
Fix build on FreeBSD by including sys/socket.h
According to POSIX standard [1] it is sys/socket.h header that defines
AF_UNSPEC and SOCK_STREAM.
[1] https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_socket.h.html
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
dfceb68d by Gleb Popov at 2025-04-10T13:20:49+02:00
Use cli_creds_get_*() helpers wherever possible
While there, fix typo in the definition of cli_creds_get_gid()
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
481fa1bf by Madhuri Upadhye at 2025-04-10T19:53:44+02:00
Test: Add IPA ID view override test cases
Added following test cases:
1. Verify an IPA ID view can override a user attribute on the client
2. Verify an IPA ID view can override a group attribute on the client
3. Verify members of a group and membership of user with override attributes
4. Verify that an ID view can append a user certificate
5. Verify ID view apply on server
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
923ec509 by Alexey Tikhonov at 2025-04-11T17:38:18+02:00
DB: skip sysdb_add_group_member_overrides() completely
if no view defined and this is not IPA domain.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
60f38443 by Alexey Tikhonov at 2025-04-11T17:38:18+02:00
DB: don't provide 'expect_override_dn' to `sysdb_add_group_member_overrides()`
since it can be deduced from 'domain' argument.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ee1c2d17 by Alexey Tikhonov at 2025-04-14T10:40:45+02:00
UTIL: mark non string array properly
Fixes:
```
../src/util/crypto/libcrypto/crypto_sha512crypt.c:48:5: error: initializer-string
for array of 'char' truncates NUL terminator but destination lacks 'nonstring'
attribute (65 chars into 64 available) [-Werror=unterminated-string-initialization]
48 | "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
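Added example (not SSSD's code) of the fix the warning above calls for: the crypt-style base64 alphabet is exactly 64 characters, so a 64-byte array has no room for a terminating NUL and must be marked 'nonstring' for newer GCC. The attribute is applied through a __has_attribute guard so the code still compiles where it is unknown. The encoder and the reverse lookup below never treat the table as a C string, which is the property the attribute exists to enforce; b64_from_24bit() here is an illustration of the sha512crypt output step, not SSSD's own routine, and b64_index() is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 'nonstring' tells GCC the array is intentionally not NUL-terminated and
 * makes it reject str*() calls on it. Fall back to nothing elsewhere. */
#if defined(__has_attribute)
#  if __has_attribute(nonstring)
#    define NONSTRING __attribute__((nonstring))
#  endif
#endif
#ifndef NONSTRING
#  define NONSTRING
#endif

/* 64 entries, no terminator: indices 0..63 cover every 6-bit value */
static const char b64t[64] NONSTRING =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/*
 * Emit 'n' (1..4) characters for the 24-bit value b2<<16 | b1<<8 | b0,
 * least-significant 6 bits first, as the crypt(3) sha512crypt scheme does.
 * Returns the number of characters written, 0 on bad arguments.
 */
size_t b64_from_24bit(uint8_t b2, uint8_t b1, uint8_t b0, size_t n,
                      char *out, size_t outlen)
{
    uint32_t w = ((uint32_t)b2 << 16) | ((uint32_t)b1 << 8) | b0;
    size_t i;

    if (n == 0 || n > 4 || n > outlen) return 0;
    for (i = 0; i < n; i++) {
        out[i] = b64t[w & 0x3f];   /* index < 64: the table needs no NUL */
        w >>= 6;
    }
    return n;
}

/* Reverse lookup bounded by sizeof(b64t), never by a terminator. */
int b64_index(char c)
{
    const void *p = memchr(b64t, (unsigned char)c, sizeof(b64t));
    return p != NULL ? (int)((const char *)p - b64t) : -1;
}
```

Had the table been declared as char b64t[65] instead, the warning would also go away, but the 'nonstring' form documents the intent and keeps the compiler able to catch a later strlen(b64t) or strcmp() that would read past the array.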
4f9a7dcd by Gleb Popov at 2025-04-14T16:57:05+02:00
pam: Add option to allow changing auth token when running as root
:config: The pam_sss.so module gained a new option named "allow_chauthtok_by_root".
It allows changing realm password for an arbitrary user via PAM when invoked by root.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
d61ba818 by André Boscatto at 2025-04-15T11:20:39+02:00
TESTS: Add access control simple filter tests
Added 4 tests for access control simple filter using the new testing framework
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
- - - - -
fd562676 by Alexey Tikhonov at 2025-04-16T09:38:31+02:00
IPA: return ENOENT if `ipa_get_config` yields nothing
and handle this error code properly.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
ae59f299 by Justin Stephenson at 2025-04-16T09:38:31+02:00
IPA: ipa_get_config_send() was updated
to require list of attrs explicitly.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
70ab0c0d by Sumit Bose at 2025-04-22T15:05:44+02:00
man: add missing third option of ad_machine_account_password_renewal_opts
Resolves: https://github.com/SSSD/sssd/issues/4646
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
92697d46 by Sumit Bose at 2025-04-22T15:05:44+02:00
ad: use realm renew for keytab renewal
Currently SSSD is using adcli to refresh a keytab. Since adcli is
directly started by an SSSD process this process must have the
permissions/capabilities to update the keytab file. With SSSD running as
an unprivileged user the attempt to update the keytab might fail.
With this patch SSSD can use the realm command as well to update the
keytab which will send the request to the realmd daemon which has
permissions to update the keytab.
:config: New optional fourth value for AD provider configuration option
ad_machine_account_password_renewal_opts to select the command to
update the keytab, currently 'adcli' and 'realm' are allowed values
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
4c183b1f by Sumit Bose at 2025-04-22T15:05:44+02:00
utils: add non-blocking read from child processes
When calling 3rd party child processes we have no control over how the
child sends its output and if the child might trigger a call to SSSD. To
avoid a deadlock (SSSD backend waiting for I/O from the child and child
waiting for responses from SSSD), SSSD should use non-blocking calls when
reading from the child.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
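Added example (not SSSD's code) of the pattern the commit above argues for: reading a helper's output without ever blocking in read(2). The pipe is switched to O_NONBLOCK, and whenever read() reports EAGAIN the caller waits in poll() with a bounded timeout instead of sleeping indefinitely, so a child that has itself stalled on a request back into the parent cannot wedge the parent forever. The two demo functions stand in for a real child: one writes constructed output into a pipe and closes it, the other never writes, which exercises the timeout path. All function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Put a pipe or socket descriptor into non-blocking mode. 0 or -1/errno. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1 ? -1 : 0;
}

/*
 * Drain 'fd' into 'buf' until EOF or the buffer is full. read() can never
 * block: on EAGAIN we poll() for at most 'timeout_ms' per wait. Returns the
 * number of bytes read, or -1 with errno set (ETIMEDOUT if the child went
 * silent without closing its end).
 */
ssize_t read_child_output(int fd, char *buf, size_t buflen, int timeout_ms)
{
    size_t total = 0;

    if (set_nonblocking(fd) == -1) return -1;

    while (total < buflen) {
        ssize_t n = read(fd, buf + total, buflen - total);
        if (n > 0) { total += (size_t)n; continue; }
        if (n == 0) break;                              /* EOF: child closed */
        if (errno == EINTR) continue;
        if (errno != EAGAIN && errno != EWOULDBLOCK) return -1;

        /* nothing available yet: wait, but only for a bounded time */
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc == 0) { errno = ETIMEDOUT; return -1; }
        if (rc < 0 && errno != EINTR) return -1;
        /* POLLHUP without data: the next read() returns 0 and we exit */
    }
    return (ssize_t)total;
}

/* Demo: a pipe stands in for the child's stdout; 'payload' is constructed
 * output that a real helper would have written itself. */
ssize_t demo_pipe_roundtrip(const char *payload, char *out, size_t outlen)
{
    int fds[2];
    ssize_t w, r;

    if (pipe(fds) == -1) return -1;
    w = write(fds[1], payload, strlen(payload));
    close(fds[1]);                                      /* EOF for the reader */
    r = (w < 0) ? -1 : read_child_output(fds[0], out, outlen, 1000);
    close(fds[0]);
    return r;
}

/* Demo: the "child" never writes and never exits; we must not hang. */
ssize_t demo_stalled_child(int timeout_ms)
{
    int fds[2];
    char out[16];
    ssize_t r;

    if (pipe(fds) == -1) return -1;
    r = read_child_output(fds[0], out, sizeof(out), timeout_ms);
    close(fds[0]);
    close(fds[1]);
    return r;
}
```

In a daemon built around an event loop the poll() would normally be the loop's own readiness callback rather than an inline call, but the invariant is the same: the descriptor is non-blocking, and every wait has a deadline.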
44ecd452 by Sumit Bose at 2025-04-22T15:05:44+02:00
configure.ac: add option for realm and adcli paths
To be able to change the paths for the adcli and realm helper utilities
for keytab renewal the options --with-adcli-path and --with-realm-path
are added
packaging: --with-adcli-path and --with-realm-path configure options are
added for platforms where those tools are installed in dedicated paths.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
596bc5fb by Sumit Bose at 2025-04-23T10:33:13+02:00
sdap: include sub-domain memberships in updates
While looking up group memberships from the cache only groups from the
user's domain were taken into account because of the cache search base.
As a result memberships in other domains were not updated.
With this patch the whole cache is searched and hence memberships from
all domains will be updated.
Resolves: https://github.com/SSSD/sssd/issues/7921
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
bf79a159 by Gleb Popov at 2025-04-24T09:48:20+02:00
configure.ac: Introduce --disable-linux-caps arg to make capabilities optional
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
8008a2a8 by Gleb Popov at 2025-04-24T09:48:20+02:00
Only include <sys/capability.h> if the header is present
Otherwise add stub defines to allow the code consuming this header to compile.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f566a3a8 by Gleb Popov at 2025-04-24T09:48:20+02:00
Add stub implementations for functions from capabilities.c if caps aren't available
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0b4a68a1 by Gleb Popov at 2025-04-24T09:48:20+02:00
Properly check the returning value of sss_set_cap_effective() calls
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
a0f19feb by Pavel Březina at 2025-04-24T09:48:43+02:00
ci: grab ipa logs from ipa host
...to allow debugging IPA failures.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
d0bfa08d by Pavel Březina at 2025-04-24T09:48:44+02:00
ci: print duration of each test case
We recently stumbled on very slow test runs on Fedora 42 where it
finished hours later than other distributions or timed out completely.
Pytest with --durations=0 prints duration of each test case which can
help us identify problematic test in the future, if the slow down is
caused by specific test cases.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
215a0534 by Sumit Bose at 2025-04-29T17:24:29+02:00
sss-idmap: add support for more general POSIX id-mapping
Add new calls to libsss_idmap which should allow POSIX id-mapping for
more general sources like IdPs as well and not only Active Directory
based sources.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
a27154b7 by Sumit Bose at 2025-04-29T17:24:29+02:00
sss-idmap: add normalize and casefold options
If for id-mapping from a general source a string is used as input for
the murmurhash based offset calculation it might be important that
different UTF8 representations of the same string will lead to the same
ID (normalize) or that the case of the string does not matter for the ID
calculation (casefold).
By default normalization is enabled while casefolding is not.
:packaging: A new dependency to libutf8proc is added
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
0dfd0579 by Sumit Bose at 2025-04-29T17:24:29+02:00
idmap: rename comp_id() to compute_id()
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
5b4f9466 by Sumit Bose at 2025-04-29T17:24:29+02:00
idmap: update doxygen config
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
8c3074a9 by Sumit Bose at 2025-04-29T17:24:29+02:00
sss-idmap: update library version
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
2cf2e83a by Tomas Halman at 2025-05-02T21:03:27+02:00
p11_child: Add timeout parameter
p11_child communication with OCSP server may take a long time
because of network issues. Then p11_child is killed after
`p11_child_timeout` and the authentication fails.
This is not desirable when `certificate_verification` is
set to `soft_ocsp`. This update will pass the timeout to the
child process so it can cancel the OCSP verification
before it is terminated.
Resolves: https://github.com/SSSD/sssd/issues/6601
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
606cf44f by Gleb Popov at 2025-05-06T17:49:55+02:00
Use MAXHOSTNAMELEN as HOST_NAME_MAX if available
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
e13ca3ab by Gleb Popov at 2025-05-06T17:49:55+02:00
Don't do setsockopt(TCP_USER_TIMEOUT) on systems that don't have it
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
2f6c83a2 by Gleb Popov at 2025-05-06T17:49:55+02:00
Include <sys/socket.h> because the code uses AF_INET
Fixes build on FreeBSD
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
d6da04d8 by Gleb Popov at 2025-05-06T17:49:55+02:00
Fix build on systems that do not have pam_ext.h
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
8672fba0 by Gleb Popov at 2025-05-06T17:49:55+02:00
Use cross-platform pthread_self() instead of Linux-specific SYS_gettid()
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
fe10f5e6 by Gleb Popov at 2025-05-06T17:49:55+02:00
Add an implementation for pam_modutil_getlogin() for systems that do not have it
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
- - - - -
c85ab24a by Sumit Bose at 2025-05-07T11:36:03+02:00
certmap: allow prefix in rule in sssd.conf
The current check for certificate mapping rules coming from sssd.conf is
too strict. Only rules which start and end with '(' and ')'
respectively are allowed. As a result new mapping templates with the
LDAPU1 prefix cannot be used.
With this patch prefixes are allowed as well. An existing integration
was updated to cover this.
Resolves: https://github.com/SSSD/sssd/issues/7931
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
ad7dc210 by Alexey Tikhonov at 2025-05-09T11:13:04+02:00
PAM: fixes following issue:
```
Error: RESOURCE_LEAK (CWE-772):
sssd-2.9.1/src/responder/pam/pamsrv_gssapi.c:750: alloc_arg: "gss_accept_sec_context" allocates memory that is stored into "client_name".
sssd-2.9.1/src/responder/pam/pamsrv_gssapi.c:806: leaked_storage: Variable "client_name" going out of scope leaks the storage it points to.
# 804| gss_release_buffer(&minor, &output);
# 805|
# 806|-> return ret;
# 807| }
# 808|
```
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
6ee49e61 by shridhargadekar at 2025-05-14T13:11:42+02:00
Tests: add importance marker for sssctl analyze
Adding marker for the sssctl analyze tests.
Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
e50533d6 by Justin Stephenson at 2025-05-14T13:13:55+02:00
Workaround PTR record lookup failure
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
- - - - -
81a377de by Alexey Tikhonov at 2025-05-16T08:33:36+02:00
Consolidate utf8 strings operations to libunistring
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
4cc856ee by Alexey Tikhonov at 2025-05-16T15:15:36+02:00
SBUS: use ENETUNREACH instead of ENONET
- it looks like a better fit for
```
No network access (probably ENETUNREACH on a socket).
```
(see https://dbus.freedesktop.org/doc/api/html/group__DBusProtocol.html)
- it is more portable (for example, FreeBSD doesn't have ENONET)
Currently this specific error code isn't handled anywhere, so
replacement should be ok.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
180bf1fc by Alexey Tikhonov at 2025-05-16T15:15:36+02:00
CLIENT: use ETIMEDOUT instead of ETIME
```
ETIMEDOUT 110 /* Connection timed out */
ETIME 62 /* Timer expired */
```
`ETIMEDOUT` fits better and is more portable.
Wrt different codes returned by 'idmap' -
https://github.com/freeipa/freeipa/blob/master/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
doesn't make any difference between ETIMEDOUT and ETIME anyway.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
8accd047 by Alexander Bokovoy at 2025-05-16T16:32:46+02:00
oidc_child: fallback to ID and access tokens when looking up configured user identity
Some IdPs do not provide all attributes as requested by the claims in
userinfo response. They, however, provide them in either ID or access
tokens. Fall back to one of those if possible, in order to find the user
identity based on the attribute specified by the caller.
One example of such behavior is Entra ID:
https://learn.microsoft.com/en-us/entra/identity-platform/userinfo#userinfo-response
> You can't add to or customize the information returned by the UserInfo endpoint.
Make sure we put the right token description when producing debug
information as well, to help see where the user identifier is coming
from.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
95f1a9c5 by Sumit Bose at 2025-05-16T16:32:46+02:00
oidc_child: change verify_token() to decode_token()
Signed-off-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
5f7df399 by Michael Stone at 2025-05-17T11:14:36+02:00
return here so MINOR_FAILURE isn't auto-promoted to FATAL_FAILURE
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
9553c78f by Michael Stone at 2025-05-17T11:14:36+02:00
make log line match preceding function name
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
93f9db57 by Michael Stone at 2025-05-17T11:14:36+02:00
add SSS_AUTHTOK_TYPE_PAM_STACKED
Makes explicit the fact that a credential obtained by use_first_pass from the
pam stack is neither an SSS_AUTHTOK_TYPE_PASSWORD nor an
SSS_AUTHTOK_TYPE_2FA_SINGLE, but rather a Schrödinger's cat whose status can't
be determined until it is used.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
b4baf8ad by aborah-sudo at 2025-05-19T08:08:06+02:00
Tests: Add proxy provider test cases for SSSD
1. Domain separation with nslcd restart:
- Verifies proper user isolation when switching nslcd configurations
- Tests that users are only visible in their configured domain
- Validates the workaround for nslcd's lack of multi-instance support
2. Offline authentication with cached credentials:
- Tests credential caching functionality
- Verifies authentication works when backend is unavailable
- Validates SSSD's offline mode behavior
3. Case preserving username handling:
- Tests case preservation with case_sensitive=Preserving
- Verifies all case variants match but preserve original case
- Validates authentication works across case variants
4. Case insensitive username handling:
- Tests case normalization with case_sensitive=false
- Verifies all case variants return lowercase usernames
- Validates authentication works across case variants
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
dc3165c3 by Sumit Bose at 2025-05-20T10:32:14+02:00
Revert "sdap: include sub-domain memberships in updates"
The reverted patch causes performance issues for AD users with a large
number of IPA group memberships.
This reverts commit 596bc5fb8e0760c26293304f404069c0e986f534.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
ad30eb74 by Alexey Tikhonov at 2025-05-22T10:46:29+02:00
CI: drop "missingInclude" from cppcheck
This check doesn't provide much value (really missing headers will
make the build fail anyway), but generates a lot of noise, giving
tons of false positive complaints.
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
0c2fef80 by Gleb Popov at 2025-05-22T10:47:15+02:00
Define ENODATA if it isn't available
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
58cced88 by Gleb Popov at 2025-05-22T10:47:15+02:00
Include config.h before checking for HAVE_ERRNO_T
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
641ef482 by Gleb Popov at 2025-05-22T10:47:15+02:00
Define ELIBACC and ELIBBAD if they aren't available
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
889b1cdd by Gleb Popov at 2025-05-22T10:47:15+02:00
Include pam_appl.h due to pam_get_item() usage
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
dc252b72 by Gleb Popov at 2025-05-22T10:47:15+02:00
Fix the in-house pam_modutil_getlogin() implementation
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
3d278ec5 by aborah-sudo at 2025-05-23T12:56:32+02:00
Tests: Add Infopipe tests for group properties, membership changes, and user attributes
- Implement test_infopipe__lookup_group_and_properties to verify group name, GID, and members via Infopipe.
- Add test_infopipe__lookup_returns_latest_group_membership to validate dynamic group membership updates.
- Introduce test_infopipe__lookup_user_attributes to check retrieval of custom user attributes.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
8d7e5056 by Alexey Tikhonov at 2025-05-28T16:54:09+02:00
Move 'sss_python.*' under 'src/python'
as it's not used outside.
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
3a7776b8 by Alexey Tikhonov at 2025-05-28T16:54:09+02:00
Consolidate all Python related includes to 'sss_python.h'
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
11e388e8 by Alexey Tikhonov at 2025-05-28T16:54:09+02:00
Make sure "Python.h" is included last.
Otherwise Python headers set _POSIX_C_SOURCE=200809 thus leaving 'errno_t'
undefined on FreeBSD.
Resolves: https://github.com/SSSD/sssd/issues/4997
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
ab834277 by Dan Lavu at 2025-05-28T16:57:23+02:00
tests: adding preferred topology markers to select tests
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
- - - - -
6f09d3f0 by Sumit Bose at 2025-05-30T13:04:21+02:00
oidc_child: add more JSON helpers
Some helpers are added to extract values from JSON strings returned by
IdPs while looking up user and group information via a REST API.
Resolves: https://github.com/SSSD/sssd/issues/7229
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
133a13b7 by Sumit Bose at 2025-05-30T13:04:21+02:00
oidc_child: add user and group lookup
oidc_child can now look up user and group attributes from Keycloak and
Entra ID.
Resolves: https://github.com/SSSD/sssd/issues/7229
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
9a2b031a by Sumit Bose at 2025-05-30T13:04:21+02:00
oidc_child: initial tests for user and group lookups
This patch should just illustrate how the user and group lookups of
oidc_child can be tested.
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
- - - - -
ae32bbcd by Alexey Tikhonov at 2025-05-30T17:57:19+02:00
MAN: remove mention of a 'local domain'.
'local domain' was removed in 3e94b64daa7638fb53e3f527d4308d9d1875c517
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
8be40557 by Sumit Bose at 2025-05-31T11:06:40+02:00
oidc_child: fix issues found by Coverity
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
- - - - -
41a0df2d by André Boscatto at 2025-05-31T11:08:41+02:00
TESTS: Add tests to cover access control access_filter (AD/LDAP)
Added 5 test cases to cover AD and LDAP access_filter conditions using
the new testing framework
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
449f4c1a by Alexey Tikhonov at 2025-06-03T15:39:57+02:00
UTIL: add a helper to print libldap diagnostics
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
7eee7154 by Alexey Tikhonov at 2025-06-03T15:39:57+02:00
LDAP: debug fail of ldap_set_option(LDAP_OPT_X_SASL_NOCANON)
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6d115a7a by Alexey Tikhonov at 2025-06-03T15:39:58+02:00
Replaces usage of 'sss_ldap_get_diagnostic_msg()'
with 'sss_ldap_error_debug()'
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
6d5b6504 by Alexey Tikhonov at 2025-06-03T15:39:58+02:00
UTILS: removed unused 'sss_ldap_get_diagnostic_msg()'
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
- - - - -
0fc6768c by Alexey Tikhonov at 2025-06-04T10:01:37+02:00
RESPONDER: skip mem-cache invalidation
if mem-cache is explicitly disabled
Resolves: https://github.com/SSSD/sssd/issues/7981
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
- - - - -
7a2f9395 by Sumit Bose at 2025-06-04T10:46:40+02:00
krb5 idp: make sss_idp_oauth2_decode public
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
578ae63b by Sumit Bose at 2025-06-04T10:46:40+02:00
krb5: make k5c_attach_oauth2_info_msg() shareable
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
810d41e0 by Sumit Bose at 2025-06-04T10:46:40+02:00
utils: make child_exited() public
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
9be8604e by Sumit Bose at 2025-06-04T10:46:40+02:00
utils: make child_terminate() public
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
ed68410d by Sumit Bose at 2025-06-04T10:46:40+02:00
utils: make activate_child_timeout_handler() public
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
cf3a1d85 by Sumit Bose at 2025-06-04T10:46:40+02:00
idp: initial implementation of IdP id provider
This patch implements an id and auth provider for SSSD for generic REST
and OIDC/OAuth 2.0 based Identity Providers (IdPs). This initial
implementation supports Keycloak and Entra ID as IdPs. In both cases an
IdP client and its credentials are required to allow user authentication
and provide access to the IdP's REST based user and group management.
:relnote: New generic id and auth provider for Identity Providers
(IdPs), as a start Keycloak and Entra ID are supported. Given suitable
credentials this provider can read users and groups from IdPs and can
authenticate IdP users with the help of the OAUTH 2.0 Device
Authorization Grant (RFC 8628)
:config: The id_provider and auth_provider options support a new value
'idp'. Details about how to configure the IdP provider can be found in
the sssd-idp man page.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
b1cc4da8 by Sumit Bose at 2025-06-04T10:46:40+02:00
confdb: idp provider uses MPGs by default
By default IdPs do not support POSIX attributes so it makes sense to use
user-private groups by default.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
66b062f7 by Sumit Bose at 2025-06-04T10:46:40+02:00
idp: man page for SSSD's IdP id provider
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
c16c13c5 by Sumit Bose at 2025-06-04T10:46:40+02:00
idp: add configure option to disable IdP provider
If the IdP id provider is not needed in an environment its build can be
disabled with the new configure option '--with-id-provider-idp=no'
:packaging: new configure option '--with-id-provider-idp' to enable and
disable building SSSD's IdP id provider, default is enabled.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
d8842a70 by Sumit Bose at 2025-06-04T10:46:40+02:00
idp: add basic options to tune id-mapping
The options idmap_range_min, idmap_range_max and idmap_range_size are
added to modify the default for the POSIX ID-mapping.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
f5298863 by Sumit Bose at 2025-06-04T10:46:40+02:00
tests: initial IdP provider tests
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
2f6c9b04 by Sumit Bose at 2025-06-04T10:46:40+02:00
idp: add support and test for ignore_group_members option
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
- - - - -
0c5c7538 by Weblate at 2025-06-04T16:16:37+02:00
po: update translations
(Spanish) currently translated at 97.8% (733 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/
po: update translations
(Chinese (Traditional) (zh_TW)) currently translated at 0.2% (6 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/zh_TW/
po: update translations
(Chinese (Traditional) (zh_TW)) currently translated at 6.8% (51 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_TW/
Added translation using Weblate (Chinese (Traditional) (zh_TW))
po: update translations
(Italian) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/
po: update translations
(Spanish) currently translated at 97.8% (733 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/
po: update translations
(Spanish) currently translated at 97.4% (730 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/
po: update translations
(Spanish) currently translated at 65.0% (1822 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/
po: update translations
(Spanish) currently translated at 96.6% (724 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/
po: update translations
(Spanish) currently translated at 82.1% (615 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/
po: update translations
(Swedish) currently translated at 100.0% (2799 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/
po: update translations
(Swedish) currently translated at 100.0% (2799 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/
po: update translations
(Swedish) currently translated at 100.0% (2799 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/
po: update translations
(Swedish) currently translated at 99.7% (2792 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/
po: update translations
(Swedish) currently translated at 99.7% (2792 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/
po: update translations
(Swedish) currently translated at 99.6% (2789 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/
po: update translations
(Swedish) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/
po: update translations
(Czech) currently translated at 9.2% (260 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/
po: update translations
(Czech) currently translated at 6.8% (192 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/
po: update translations
(Czech) currently translated at 6.8% (192 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/
po: update translations
(Czech) currently translated at 6.7% (190 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/
po: update translations
(Czech) currently translated at 6.7% (190 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/
po: update translations
(Czech) currently translated at 6.7% (190 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/cs/
po: update translations
(Czech) currently translated at 97.0% (727 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/
po: update translations
(Czech) currently translated at 96.6% (724 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/
po: update translations
(Czech) currently translated at 96.5% (723 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/
po: update translations
(Czech) currently translated at 96.5% (723 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/cs/
po: update translations
(Polish) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/
po: update translations
(Italian) currently translated at 15.7% (118 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/it/
po: update translations
(Finnish) currently translated at 10.4% (78 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/
po: update translations
(Finnish) currently translated at 3.5% (99 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Finnish) currently translated at 3.5% (98 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/
po: update translations
(Ukrainian) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
po: update translations
(Ukrainian) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/
po: update translations
(Turkish) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/
po: update translations
(Russian) currently translated at 100.0% (2799 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/
po: update translations
(Russian) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/
po: update translations
(Ukrainian) currently translated at 100.0% (2799 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/
po: update translations
(French) currently translated at 100.0% (749 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/
- - - - -
de84e572 by Pavel Březina at 2025-06-04T16:27:46+02:00
idp: add sssd-idp.5.xml to po4a configuration
- - - - -
b9cdd65b by Pavel Březina at 2025-06-04T16:29:43+02:00
pot: update pot files
- - - - -
c5eb5b14 by Dan Lavu at 2025-06-05T12:14:43+02:00
adding pytest markers to help keep track of transformation status
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 2d0291da7dbf3dda274e3921c61511b9293b13f3)
- - - - -
c34e24cc by Dan Lavu at 2025-06-05T12:14:43+02:00
tests: skipping simple access control tests that have been rewritten.
* found a missing test scenario that has been planned
Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 6f9aed5a3ea6534ebe279806e0ef6da795c38354)
- - - - -
4c3ce677 by fossdd at 2025-06-13T11:12:38+02:00
sss_prctl: avoid redefinition of prctl_mm_map
prctl_mm_map is provided by linux's prctl.h and libc's prctl.h.
libc's headers should be preferred.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit fbeba7ac257ae9c04f932e58e6fff6e30a41fb78)
- - - - -
963e3160 by Jakub Vávra at 2025-06-19T10:35:33+02:00
Tests: Move test_ldap_referrals from gating (tier1)
The test is failing due to DS ldap bug RHEL-87352.
Moving it out from gating.
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 713da134126b84a6da11dcb2ac043efc6915e61b)
- - - - -
7d4affed by Jakub Vávra at 2025-06-19T14:57:52+02:00
Tests: Add missing markers for ticket plugin
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 2d308e2e9a9ae19f8e8a9d5efb9e43b13872337b)
- - - - -
e2384435 by Alexey Tikhonov at 2025-06-21T08:55:01+02:00
PAM: keep 'LISTEN_PID' and 'LISTEN_FDS'
env variables as those are used by `sd_listen_fds()`.
Resolves: https://github.com/SSSD/sssd/issues/8005
Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit cd325f645256d1f5fd0c6821edad666029575b2e)
- - - - -
e0ca338d by Yuri Chornoivan at 2025-06-24T12:14:10+02:00
Fix typo in sssd-ldap.5.xml
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 7acb8ef776dfedf17bde77f82432a2bfb769f055)
- - - - -
2024de50 by Yuri Chornoivan at 2025-06-24T12:24:29+02:00
Fix typo in sssd-idp.5.xml
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit ac9fd622bbcc1034b771eda4607e5bd8917812f6)
- - - - -
03bff005 by Yuri Chornoivan at 2025-06-27T16:56:52+02:00
Fix typos in sss-certmap.5.xml
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 417d32d0192df6c1bbe9911c8bc5884a664ea4fa)
- - - - -
2c9a3d44 by Yuri Chornoivan at 2025-06-27T16:56:52+02:00
Update sss-certmap.5.xml
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 7b829bcd14aa2fc3c674699ef0be5486f5b7db2b)
- - - - -
76b160e3 by Alexey Tikhonov at 2025-07-02T11:04:16+02:00
'gemini-code-assist' config
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 63976d8271529f461cada3d8db187d8786d95bef)
- - - - -
cd54cd0f by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: remove old Obsoletes
These obsoletes have been set for multiple Fedora versions already (some even
for years), we can safely remove them now.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 44b6324e0b310c5cbcd6af73f658e231ad562253)
- - - - -
0e6e3c27 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: remove old Provides
libsss_sudo-devel package was removed 12 years ago and the files
are not even packaged in the rpm anymore.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ab6d62423d532f42496a1be9f5bc5ad1362d371a)
- - - - -
18dbf893 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: always build with sssd user
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 9bdc2172931de953e7547045394080d2f655a8de)
- - - - -
13d05a9b by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: always use sysusers to create the sssd user
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit cca790052c38c2c786da48c25766c48ea904670c)
- - - - -
aea12fed by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: remove build_subid condition as it is always enabled
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit eefdd01a2e92523d5797fa0aeaf792d6c6bcd6de)
- - - - -
2faa4c3f by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: always build kcm renewals
This has been enabled for a long time. This also removes the
krb5_version variable as all current distributions ship a compatible
version.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 9d83e67f2b5bf43ef6dd2c4f7f4fe3f5d45b9a4d)
- - - - -
d941f86d by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: remove build_passkey as it is always enabled
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 538d745d355028fc1f3ad8d173ab1157cc8d2612)
- - - - -
d2c8841e by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: build idp only on f43+ and rhel10+
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit f9f1a809783c7b6cb0671019b26b9c58758b7f3a)
- - - - -
31e9170b by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: remove _hardened_build
This is enabled by default since Fedora 23.
See: https://fedoraproject.org/wiki/Changes/Harden_All_Packages
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_pie
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 88ad51932027a8832fb7a950d3aec045ac8d97e7)
- - - - -
32d80c52 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: remove ldb_version
All supported distributions have compatible version already.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 0e3ceca17196c4a4379b41f13976c2d82132312e)
- - - - -
7fa5f5d1 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: add comment to samba_package_version
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 6562eb881a75fedcd7501ef51bd44bd0a5feeca2)
- - - - -
131c97f1 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: move packages required for p11_child tests together
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 5b9b9ae4b39044020a6b88352c61a7ec249f3d3d)
- - - - -
fd5e2b32 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: remove systemtap-sdt-dtrace version condition
The package is available on all supported distributions.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 85f41f91e76b292922b42ea8e87be184fe24ac25)
- - - - -
096a59fd by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: use upstream_version variable when producing downstream_version
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit dde42a2c7cfa20aae93532b7685f7714e99a0eeb)
- - - - -
60f13397 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: use autochangelog
We don't really care about change log in development RPMs, but we
will switch to rpmautospec in Fedora so let's do this change here
as well to keep the spec files in sync.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 9e6f6a988bb6c418cba43ae5f2219c981734b00f)
- - - - -
710f4ff8 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: target f41+ and rhel10+
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 3a59decab5771f6d7bb96de7efe3b41801cddec0)
- - - - -
ba905e82 by Pavel Březina at 2025-07-03T12:37:04+02:00
spec: use version_no_tilde
Upstream version is using pre-release version with dash as a separator
since git does not support tilde in tag names. On the other side, Fedora and
RHEL require tilde as a separator to correctly order builds.
For example: 2.10.0-beta1 vs 2.10.0~beta1.
The conversion can now be done by version_no_tilde macro. This is a
preparation for enabling packit, without this change we would need to
postprocess the spec file.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 5b342ca2eee285b0446c4c02e259aae8248c04d0)
- - - - -
2ace6155 by Sumit Bose at 2025-07-04T14:34:12+02:00
sysdb: add sysdb_get_direct_parents_ex()
sysdb_get_direct_parents_ex() is similar to sysdb_get_direct_parents()
but allows to request a different attribute than SYSDB_NAME be returned
for the found groups.
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 16d61ee1acdeb73d22a756a1c68c3dfc08d9b94d)
- - - - -
63a6f510 by Sumit Bose at 2025-07-04T14:34:12+02:00
ipa: improve handling of external group memberships
Currently add_ad_user_to_cached_groups() expects that all IPA
group-memberships of users from a trusted domain are removed when the
group-memberships from the trusted domain are updated. This is currently
only true for the code path where the tokenGroups request is used. The
code path without tokenGroups does not remove the IPA group-memberships.
Removing the IPA group-memberships is also not very efficient especially
if there are no changes to those at all. With this patch in
add_ad_user_to_cached_groups() it is checked which group-memberships
have to be added or removed. In this function the SYSDB_ORIG_MEMBEROF
attribute of the user is handled as well for the IPA group-memberships.
Since this attribute is removed in all code paths all IPA
group-memberships are added here again. But instead of doing it one by
one as in the previous version, the attribute is added for all groups in
a single operation which should help to improve the performance as
well.
Resolves: https://github.com/SSSD/sssd/issues/7921
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 2a19873c84948a6451da80e6c8d3f689c8228c04)
- - - - -
706a673a by Sumit Bose at 2025-07-07T17:16:28+02:00
authtok: add IS_PW_OR_ST_AUTHTOK()
This patch adds a helper macro to determine if an authtok struct is of
type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
useful if a password is expected but an authentication token forwarded
by a different PAM module, which is most probably a password, can be
used as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
- - - - -
856d20a3 by Sumit Bose at 2025-07-07T17:16:28+02:00
krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
handle credentials forwarded by other PAM modules. Before it was
unconditionally assumed that it is a password and hence
SSS_AUTHTOK_TYPE_PASSWORD was used.
When SSS_AUTHTOK_TYPE_PAM_STACKED was introduced the main use-cases were
already handled but currently offline use-cases fail because here only
SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
credentials as well.
Resolves: https://github.com/SSSD/sssd/issues/7968
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
- - - - -
d06f9b5f by Pavel Březina at 2025-07-08T12:34:12+02:00
spec: use correct url for the tarball
The "archive" tarball is created by github by tarring the repository
content, it is not the same as what we release.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit c7bf90643aee429de40a5ed795ba3483b40ae0d2)
- - - - -
1e1cfc4c by Pavel Březina at 2025-07-08T12:34:12+02:00
spec: support gpg verification
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit caeeaf7c120f36914415dbe1a9030c477033490e)
- - - - -
a7b96f0e by Pavel Březina at 2025-07-08T12:34:12+02:00
ci: add packit configuration
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 1b884f056ba460c1e3990cd3c31829b70ddf6182)
- - - - -
5698d605 by Pavel Březina at 2025-07-08T12:34:12+02:00
ci: remove custom copr builds
COPR builds are now built by packit.
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 8daa3e11a6e09938780ea5ee864dd50e62b490ac)
- - - - -
4e7ae242 by Alexey Tikhonov at 2025-07-10T13:09:32+02:00
SPEC: add missing '\'
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 94151af9e3465262137c3a877953335c92c27c8c)
- - - - -
f0e6650d by Dan Lavu at 2025-07-11T15:06:46+02:00
removing deprecated pam_ldap pam_krb proxy provider multihost tests
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit 2121f9b8d53ae35959e589561ce7e70a7efe7f81)
- - - - -
e013f959 by Jakub Vávra at 2025-07-24T07:08:29+02:00
Tests: Move test_sssctl__analyze_without_root_privileges from gating
Run the sssctl analyze under user1 using su instead of ssh.
Remove the test from gating as this is not a "core" functionality.
Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 0ceb448745473917cd9cdff3a0f6334684e2a77c)
- - - - -
9129d890 by André Boscatto at 2025-07-24T07:10:11+02:00
tests: Adding nested group test case for simple access control
While going through the multihost test we identified that this test case
was not covered, thus adding it now.
Relates to https://github.com/SSSD/sssd/pull/7984
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit e35516214944cb0b4f3928bef20a27cfd3f3be44)
- - - - -
f5106591 by Alexey Tikhonov at 2025-07-29T17:26:36+02:00
Make sure previously rotated logs are chown-ed as well.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 7e8b62e0a98b7dba1b11798da73992bb5478da35)
- - - - -
30f03098 by Alexey Tikhonov at 2025-07-29T17:26:36+02:00
spec: don't dereference links while chown-ing in %post
Make it consistent with systemd service file.
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d8ac442973e3304c951d42126eea6248b7dc8d2a)
- - - - -
5757dfdb by krishnavema at 2025-07-29T17:31:55+02:00
tests: adding user su smartcard login test
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 8c32d7fae0b00c3802ff861040e69bcfc7639a11)
- - - - -
61a5ab6c by shridhargadekar at 2025-07-31T11:06:51+02:00
Tests: cache_credentials = true not working
Tests for cache_credentials = true not working in sssd, with specified PAM
configuration in /etc/pam.d/system-auth and /etc/pam.d/password-auth.
Verifies #7968
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9856b6dda23ca565475cceb7897f7117a3880ab1)
- - - - -
6fd3415e by Pavel Březina at 2025-07-31T13:05:46+02:00
pot: update pot files
- - - - -
ced937c9 by Pavel Březina at 2025-07-31T13:06:15+02:00
Release sssd-2.11.1
- - - - -
403 changed files:
- + .gemini/config.yaml
- .github/workflows/analyze-target.yml
- .github/workflows/ci.yml
- − .github/workflows/copr_build.yml
- − .github/workflows/copr_cleanup.yml
- .github/workflows/coverity.yml
- + .packit.yaml
- Makefile.am
- configure.ac
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/get-matrix.py
- + contrib/sssd-realmd.rules.in
- contrib/sssd.spec.in
- po/bg.po
- po/ca.po
- po/cs.po
- po/de.po
- po/es.po
- po/eu.po
- po/fi.po
- po/fr.po
- po/hu.po
- po/id.po
- po/it.po
- po/ja.po
- po/ka.po
- po/ko.po
- po/nb.po
- po/nl.po
- po/pl.po
- po/pt.po
- po/pt_BR.po
- po/ru.po
- po/sssd.pot
- po/sv.po
- po/tg.po
- po/tr.po
- po/uk.po
- po/zh_CN.po
- po/zh_TW.po
- src/conf_macros.m4
- src/confdb/confdb.c
- src/confdb/confdb.h
- src/config/SSSDConfig/__init__.py.in
- src/config/SSSDConfig/sssdoptions.py
- src/config/SSSDConfigTest.py
- src/config/cfg_rules.ini
- src/config/etc/sssd.api.conf
- − src/config/etc/sssd.api.d/sssd-files.conf
- src/db/sysdb.h
- src/db/sysdb_ops.c
- src/db/sysdb_search.c
- src/db/sysdb_selinux.c
- src/db/sysdb_services.c
- src/db/sysdb_ssh.c
- src/db/sysdb_subdomains.c
- src/db/sysdb_views.c
- src/examples/logrotate.in
- src/external/crypto.m4
- src/external/ldap.m4
- src/external/pam.m4
- src/external/platform.m4
- src/external/signal.m4
- src/krb5_plugin/idp/idp.h
- src/krb5_plugin/idp/idp_utils.c
- src/ldb_modules/memberof.c
- src/lib/certmap/sss_certmap.exports
- src/lib/idmap/sss_idmap.c
- src/lib/idmap/sss_idmap.doxy.in
- src/lib/idmap/sss_idmap.exports
- src/lib/idmap/sss_idmap.h
- − src/lib/sifp/sss_sifp.c
- − src/lib/sifp/sss_sifp.h
- − src/lib/sifp/sss_sifp_attrs.c
- − src/lib/sifp/sss_sifp_common.c
- − src/lib/sifp/sss_sifp_dbus.c
- − src/lib/sifp/sss_sifp_dbus.h
- − src/lib/sifp/sss_sifp_parser.c
- − src/lib/sifp/sss_sifp_private.h
- − src/lib/sifp/sss_simpleifp.doxy.in
- − src/lib/sifp/sss_simpleifp.exports
- − src/lib/sifp/sss_simpleifp.pc.in
- src/man/Makefile.am
- src/man/include/ldap_id_mapping.xml
- src/man/include/override_homedir.xml
- src/man/include/seealso.xml
- src/man/pam_sss.8.xml
- src/man/po/br.po
- src/man/po/ca.po
- src/man/po/cs.po
- src/man/po/de.po
- src/man/po/es.po
- src/man/po/eu.po
- src/man/po/fi.po
- src/man/po/fr.po
- src/man/po/ja.po
- src/man/po/lv.po
- src/man/po/nl.po
- src/man/po/po4a.cfg
- src/man/po/pt.po
- src/man/po/pt_BR.po
- src/man/po/ru.po
- src/man/po/sssd-docs.pot
- src/man/po/sv.po
- src/man/po/tg.po
- src/man/po/uk.po
- src/man/po/zh_CN.po
- + src/man/po/zh_TW.po
- src/man/sss-certmap.5.xml
- src/man/sss_ssh_knownhosts.1.xml
- − src/man/sss_ssh_knownhostsproxy.1.xml
- src/man/sssd-ad.5.xml
- − src/man/sssd-files.5.xml
- + src/man/sssd-idp.5.xml
- src/man/sssd-ipa.5.xml
- src/man/sssd-ldap.5.xml
- src/man/sssd-simple.5.xml
- src/man/sssd.conf.5.xml
- src/monitor/monitor.c
- src/monitor/monitor_bootstrap.c
- − src/monitor/nscd.c
- src/oidc_child/oidc_child.c
- src/oidc_child/oidc_child_curl.c
- + src/oidc_child/oidc_child_id.c
- src/oidc_child/oidc_child_json.c
- src/oidc_child/oidc_child_util.h
- src/p11_child/p11_child.h
- src/p11_child/p11_child_common.c
- src/p11_child/p11_child_openssl.c
- src/passkey_child/passkey_child_common.c
- src/providers/ad/ad_common.c
- src/providers/ad/ad_common.h
- src/providers/ad/ad_gpo_child.c
- src/providers/ad/ad_machine_pw_renewal.c
- src/providers/ad/ad_opts.c
- src/providers/ad/ad_subdomains.c
- src/providers/backend.h
- src/providers/be_dyndns.c
- src/providers/be_dyndns.h
- src/providers/data_provider.h
- src/providers/data_provider/dp.h
- src/providers/data_provider/dp_resp_client.c
- src/providers/data_provider/dp_targets.c
- src/providers/data_provider_be.c
- src/providers/data_provider_fo.c
- src/providers/fail_over.c
- src/providers/fail_over.h
- src/providers/fail_over_srv.c
- − src/providers/files/files_certmap.c
- − src/providers/files/files_id.c
- − src/providers/files/files_init.c
- − src/providers/files/files_ops.c
- − src/providers/files/files_private.h
- + src/providers/idp/idp_auth.c
- + src/providers/idp/idp_auth.h
- + src/providers/idp/idp_auth_eval.c
- + src/providers/idp/idp_common.h
- + src/providers/idp/idp_id.c
- + src/providers/idp/idp_id.h
- + src/providers/idp/idp_id_eval.c
- + src/providers/idp/idp_init.c
- src/providers/files/files_auth.c → src/providers/idp/idp_online_check.c
- + src/providers/idp/idp_opts.c
- + src/providers/idp/idp_opts.h
- + src/providers/idp/idp_private.h
- + src/providers/idp/oidc_child_handler.c
- src/providers/ipa/ipa_auth.c
- src/providers/ipa/ipa_common.c
- src/providers/ipa/ipa_common.h
- src/providers/ipa/ipa_config.c
- src/providers/ipa/ipa_id.c
- src/providers/ipa/ipa_id.h
- src/providers/ipa/ipa_init.c
- src/providers/ipa/ipa_opts.c
- src/providers/ipa/ipa_s2n_exop.c
- src/providers/ipa/ipa_selinux.c
- src/util/sss_selinux.c → src/providers/ipa/ipa_selinux_helpers.c
- src/util/sss_selinux.h → src/providers/ipa/ipa_selinux_helpers.h
- src/providers/ipa/ipa_subdomains.c
- src/providers/ipa/ipa_subdomains.h
- src/providers/ipa/ipa_subdomains_ext_groups.c
- src/providers/ipa/ipa_subdomains_id.c
- src/providers/ipa/ipa_subdomains_passkey.c
- src/providers/ipa/ipa_subdomains_server.c
- src/providers/ipa/ipa_sudo_conversion.c
- src/providers/ipa/ipa_views.c
- src/providers/ipa/selinux_child.c
- src/util/sss_semanage.c → src/providers/ipa/selinux_child_semanage.c
- src/providers/krb5/krb5_auth.c
- src/providers/krb5/krb5_auth.h
- src/providers/krb5/krb5_ccache.c
- src/providers/krb5/krb5_ccache.h
- src/providers/krb5/krb5_child.c
- src/providers/krb5/krb5_child_handler.c
- + src/providers/krb5/krb5_child_share.c
- src/providers/krb5/krb5_delayed_online_authentication.c
- src/providers/krb5/krb5_utils.h
- src/providers/ldap/ldap_auth.c
- src/providers/ldap/ldap_child.c
- src/providers/ldap/ldap_options.c
- src/providers/ldap/ldap_opts.c
- src/providers/ldap/sdap.c
- src/providers/ldap/sdap.h
- src/providers/ldap/sdap_async.c
- src/providers/ldap/sdap_async.h
- src/providers/ldap/sdap_async_connection.c
- src/providers/ldap/sdap_async_hosts.c
- src/providers/ldap/sdap_async_users.c
- src/providers/ldap/sdap_dyndns.c
- src/providers/ldap/sdap_online_check.c
- src/python/pyhbac.c
- src/python/pysss.c
- src/python/pysss_murmur.c
- src/python/pysss_nss_idmap.c
- src/util/sss_python.c → src/python/sss_python.c
- src/util/sss_python.h → src/python/sss_python.h
- src/responder/common/cache_req/cache_req_domain.c
- src/responder/common/cache_req/cache_req_search.c
- src/responder/common/cache_req/plugins/cache_req_group_by_filter.c
- src/responder/common/cache_req/plugins/cache_req_group_by_name.c
- src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
- src/responder/common/cache_req/plugins/cache_req_ip_host_by_addr.c
- src/responder/common/cache_req/plugins/cache_req_ip_network_by_addr.c
- src/responder/common/cache_req/plugins/cache_req_object_by_name.c
- src/responder/common/cache_req/plugins/cache_req_subid_ranges_by_name.c
- src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
- src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
- src/responder/common/cache_req/plugins/cache_req_user_by_name.c
- src/responder/common/negcache.c
- src/responder/common/negcache.h
- − src/responder/common/negcache_files.c
- − src/responder/common/negcache_files.h
- src/responder/common/responder.h
- src/responder/common/responder_common.c
- src/responder/common/responder_dp.c
- src/responder/common/responder_get_domains.c
- src/responder/common/responder_iface.c
- src/responder/common/responder_utils.c
- src/responder/ifp/ifp_users.c
- src/responder/ifp/org.freedesktop.sssd.infopipe.conf.in
- src/responder/kcm/kcmsrv_ccache.c
- src/responder/kcm/secrets/secrets.c
- src/responder/nss/nss_get_object.c
- src/responder/nss/nss_protocol_grent.c
- src/responder/nss/nss_protocol_pwent.c
- src/responder/pam/pamsrv.c
- src/responder/pam/pamsrv_cmd.c
- src/responder/pam/pamsrv_gssapi.c
- src/responder/pam/pamsrv_p11.c
- src/responder/pam/pamsrv_passkey.c
- src/responder/ssh/ssh_cert_to_ssh_key.c
- src/responder/ssh/ssh_cmd.c
- − src/responder/ssh/ssh_known_hosts.c
- src/responder/ssh/ssh_private.h
- src/responder/ssh/ssh_protocol.c
- src/responder/ssh/sshsrv.c
- src/responder/sudo/sudosrv_dp.c
- src/sbus/sbus_errors.c
- + src/shared/cred.h
- src/sss_client/common.c
- src/sss_client/idmap/sss_nss_idmap.h
- src/sss_client/nss_mc.h
- src/sss_client/nss_services.c
- src/sss_client/pam_sss.c
- src/sss_client/pam_sss_gss.c
- src/sss_client/ssh/sss_ssh_knownhosts.c
- src/sss_client/ssh/sss_ssh_knownhostsproxy.c
- src/sss_client/sss_cli.h
- src/sss_client/sss_pac_responder_client.c
- src/sss_client/sss_pam_compat.h
- src/sysv/systemd/sssd-kcm.service.in
- src/sysv/systemd/sssd.service.in
- src/tests/cmocka/common_mock_resp.c
- src/tests/cmocka/dummy_child.c
- src/tests/cmocka/test_ad_common.c
- src/tests/cmocka/test_config_check.c
- src/tests/cmocka/test_domain_resolution_order.c
- src/tests/cmocka/test_dyndns.c
- src/tests/cmocka/test_fqnames.c
- src/tests/cmocka/test_iobuf.c
- src/tests/cmocka/test_ipa_subdomains_server.c
- src/tests/cmocka/test_krb5_common.c
- src/tests/cmocka/test_negcache.c
- src/tests/cmocka/test_negcache_2.c
- src/tests/cmocka/test_nss_srv.c
- src/tests/cmocka/test_responder_cache_req.c
- src/tests/cmocka/test_sss_idmap.c
- − src/tests/cmocka/test_sss_sifp.c
- src/tests/cmocka/test_string_utils.c
- src/tests/cmocka/test_sysdb_subdomains.c
- src/tests/cmocka/test_sysdb_ts_cache.c
- src/tests/cmocka/test_utils.c
- src/tests/cwrap/Makefile.am
- − src/tests/cwrap/test_become_user.c
- src/tests/dlopen-tests.c
- src/tests/intg/Makefile.am
- src/tests/intg/ldap_ent.py
- + src/tests/intg/sssd_services.py
- − src/tests/intg/test_files_provider.py
- src/tests/intg/test_ldap.py
- src/tests/intg/test_pam_responder.py
- src/tests/intg/test_resolver.py
- − src/tests/intg/test_ssh_pubkey.py
- − src/tests/intg/test_sss_cache.py
- − src/tests/intg/test_ts_cache.py
- src/tests/ipa_ldap_opt-tests.c
- − src/tests/krb5_child-test.c
- src/tests/krb5_utils-tests.c
- src/tests/multihost/ad/pytest.ini
- src/tests/multihost/ad/test_access_control.py
- src/tests/multihost/ad/test_adparameters.py
- src/tests/multihost/admultidomain/pytest.ini
- src/tests/multihost/adsites/pytest.ini
- src/tests/multihost/alltests/pytest.ini
- src/tests/multihost/alltests/test_misc.py → src/tests/multihost/alltests/test_all_misc.py
- src/tests/multihost/alltests/test_automount.py
- src/tests/multihost/alltests/test_config_merging.py
- − src/tests/multihost/alltests/test_misc_proxy.py
- src/tests/multihost/alltests/test_multidomain.py
- − src/tests/multihost/alltests/test_proxy_provider_krb_auth.py
- − src/tests/multihost/alltests/test_proxy_rfc2307.py
- − src/tests/multihost/alltests/test_proxy_rfc2307bis.py
- src/tests/multihost/alltests/test_services.py
- src/tests/multihost/alltests/test_sssctl_ldap.py
- − src/tests/multihost/alltests/test_sssctl_local.py
- src/tests/multihost/ipa/conftest.py
- src/tests/multihost/ipa/pytest.ini
- src/tests/multihost/sssd/testlib/common/qe_class.py
- src/tests/multihost/sssd/testlib/common/utils.py
- src/tests/polarion.yaml
- src/tests/sysdb-tests.c
- + src/tests/system/data/test_ipa/certificate
- + src/tests/system/data/test_passkey/test_passkey__prompt_options/passkey-mapping.ipa
- + src/tests/system/data/test_passkey/test_passkey__prompt_options/umockdev.script.ipa
- + src/tests/system/data/test_passkey/test_passkey__su_fallback_to_password/passkey-mapping.ipa
- + src/tests/system/data/test_passkey/test_passkey__su_fallback_to_password/umockdev.script.ipa
- + src/tests/system/data/test_passkey/test_passkey__su_no_pin_set/passkey-mapping.ipa
- + src/tests/system/data/test_passkey/test_passkey__su_no_pin_set/umockdev.script.ipa
- src/tests/system/mhc.yaml
- src/tests/system/pytest.ini
- + src/tests/system/tests/readme.rst
- + src/tests/system/tests/test_access_control_ldap_filter.py
- + src/tests/system/tests/test_access_control_simple.py
- + src/tests/system/tests/test_ad.py
- src/tests/system/tests/test_authentication.py
- src/tests/system/tests/test_autofs.py
- src/tests/system/tests/test_cache.py
- src/tests/system/tests/test_failover.py
- + src/tests/system/tests/test_feature.py
- − src/tests/system/tests/test_files.py
- src/tests/system/tests/test_gpo.py
- + src/tests/system/tests/test_idp.py
- src/tests/system/tests/test_infopipe.py
- src/tests/system/tests/test_ipa.py
- src/tests/system/tests/test_kcm.py
- src/tests/system/tests/test_ldap.py
- src/tests/system/tests/test_memcache.py
- src/tests/system/tests/test_netgroups.py
- + src/tests/system/tests/test_oidc_child.py
- src/tests/system/tests/test_passkey.py
- src/tests/system/tests/test_proxy.py
- src/tests/system/tests/test_schema.py
- + src/tests/system/tests/test_smartcard.py
- src/tests/system/tests/test_sss_override.py
- src/tests/system/tests/test_sssctl.py
- src/tests/util-tests.c
- src/tools/analyzer/source_files.py
- src/tools/sss_override.c
- src/tools/sssctl/sssctl_cache.c
- src/tools/sssctl/sssctl_config.c
- src/tools/tools_mc_util.c
- src/util/atomic_io.h
- src/util/authtok.c
- src/util/authtok.h
- − src/util/become_user.c
- src/util/capabilities.c
- src/util/cert/libcrypto/cert.c
- src/util/child_common.c
- src/util/child_common.h
- src/util/crypto/libcrypto/crypto_sha512crypt.c
- src/util/debug.h
- src/util/debug_backtrace.c
- src/util/domain_info_utils.c
- src/util/safe-format-string.c
- src/util/server.c
- src/util/sss_ini.c
- src/util/sss_ini.h
- src/util/sss_krb5.c
- src/util/sss_ldap.c
- src/util/sss_ldap.h
- src/util/sss_log.c
- src/lib/sifp/sss_sifp_utils.c → src/util/sss_prctl.c
- + src/util/sss_prctl.h
- src/util/sss_sockets.c
- src/util/sss_tc_utf8.c
- src/util/string_utils.c
- src/util/usertools.c
- src/util/util.c
- src/util/util.h
- src/util/util_creds.h
- src/util/util_errors.h
- version.m4
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/7de1c5f4df612d6ee9572905f6d4cb365bc38609...ced937c9d3818567c59f624379e61be0004edf2f