[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 353 commits: Update version in version.m4 to track the next release

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Sun Feb 8 16:17:43 GMT 2026



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
76bce06f by Pavel Březina at 2025-06-05T11:50:33+02:00
Update version in version.m4 to track the next release

- - - - -
2d0291da by Dan Lavu at 2025-06-05T12:14:32+02:00
adding pytest markers to help keep track of transformation status

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6f9aed5a by Dan Lavu at 2025-06-05T12:14:32+02:00
tests: skipping simple access control tests that have been rewritten.

* found a missing test scenario that has been planned

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
e98a777e by Arda Gurcan at 2025-06-05T12:16:44+02:00
NSS: Reject empty name lookups in client library

Don't send a request to SSSD for lookups like getent passwd "", reject them locally in libnss_sss.so

Resolves: #7970

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
dab5ca5c by Gleb Popov at 2025-06-11T08:41:01+02:00
Introduce cli_creds_set_{u,g}id() macros and use them to fix the build on FreeBSD

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ead2e0e0 by Gleb Popov at 2025-06-11T08:41:01+02:00
Make use of ucred helpers in tests

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fbeba7ac by fossdd at 2025-06-13T11:12:33+02:00
sss_prctl: avoid redefinition of prctl_mm_map

prctl_mm_map is provided by linux's prctl.h and libc's prctl.h.
libc's headers should be preferred.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
713da134 by Jakub Vávra at 2025-06-19T10:35:30+02:00
Tests: Move test_ldap_referrals from gating (tier1)

The test is failing due to DS ldap bug RHEL-87352.
Moving it out from gating.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
93b041c9 by Gleb Popov at 2025-06-19T12:31:06+02:00
Provide the struct spwd definition if shadow.h isn't available

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2d308e2e by Jakub Vávra at 2025-06-19T14:57:48+02:00
Tests: Add missing markers for ticket plugin

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
34d01e74 by Américo Monteiro at 2025-06-19T15:39:04+02:00
po: update translations

(Portuguese) currently translated at 13.0% (98 of 749 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
63d82d9c by Américo Monteiro at 2025-06-19T15:39:04+02:00
po: update translations

(Portuguese) currently translated at 7.4% (208 of 2799 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
cd325f64 by Alexey Tikhonov at 2025-06-21T08:54:55+02:00
PAM: keep 'LISTEN_PID' and 'LISTEN_FDS'

env variables as those are used by `sd_listen_fds()`.

Resolves: https://github.com/SSSD/sssd/issues/8005

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7acb8ef7 by Yuri Chornoivan at 2025-06-24T12:14:05+02:00
Fix typo in sssd-ldap.5.xml

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
791618a9 by Gleb Popov at 2025-06-24T12:16:02+02:00
Fall back to ftruncate in case of CoW file system

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ac9fd622 by Yuri Chornoivan at 2025-06-24T12:24:24+02:00
Fix typo in sssd-idp.5.xml

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
417d32d0 by Yuri Chornoivan at 2025-06-27T16:56:47+02:00
Fix typos in sss-certmap.5.xml

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
7b829bcd by Yuri Chornoivan at 2025-06-27T16:56:47+02:00
Update sss-certmap.5.xml

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
6760771a by Gleb Popov at 2025-06-30T10:15:21+02:00
oidc_child: Use the sss_prctl wrapper

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
63976d82 by Alexey Tikhonov at 2025-07-02T11:03:56+02:00
'gemini-code-assist' config

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
44b6324e by Pavel Březina at 2025-07-03T12:36:56+02:00
spec: remove old Obsoletes

These obsoletes have been set for multiple Fedora versions already (some even
for years), we can safely remove them now.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ab6d6242 by Pavel Březina at 2025-07-03T12:36:56+02:00
spec: remove old Provides

libsss_sudo-devel package was removed 12 years ago and the files
are not even packaged in the rpm anymore.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9bdc2172 by Pavel Březina at 2025-07-03T12:36:56+02:00
spec: always build with sssd user

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cca79005 by Pavel Březina at 2025-07-03T12:36:56+02:00
spec: always use sysusers to create the sssd user

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
eefdd01a by Pavel Březina at 2025-07-03T12:36:56+02:00
spec: remove build_subid condition as it is always enabled

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9d83e67f by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: always build kcm renewals

This has been enabled for a long time. This also removes the
krb5_version variable as all current distributions ship a compatible
version.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
538d745d by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: remove build_passkey as it is always enabled

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f9f1a809 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: build idp only on f43+ and rhel10+

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
88ad5193 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: remove _hardened_build

This is enabled by default since Fedora 23.

See: https://fedoraproject.org/wiki/Changes/Harden_All_Packages
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_pie

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0e3ceca1 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: remove ldb_version

All supported distributions have a compatible version already.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6562eb88 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: add comment to samba_package_version

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5b9b9ae4 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: move packages required for p11_child tests together

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
85f41f91 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: remove systemtap-sdt-dtrace version condition

The package is available on all supported distributions.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dde42a2c by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: use upstream_version variable when producing downstream_version

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9e6f6a98 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: use autochangelog

We don't really care about change log in development RPMs, but we
will switch to rpmautospec in Fedora so let's do this change here
as well to keep the spec files in sync.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3a59deca by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: target f41+ and rhel10+

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5b342ca2 by Pavel Březina at 2025-07-03T12:36:57+02:00
spec: use version_no_tilde

Upstream version is using pre-release version with dash as a separator
since git does not support tilde in tag name. On the other side, Fedora and
RHEL require tilde as a separator to correctly order builds.
For example: 2.10.0-beta1 vs 2.10.0~beta1.

The conversion can now be done by version_no_tilde macro. This is a
preparation for enabling packit, without this change we would need to
postprocess the spec file.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
16d61ee1 by Sumit Bose at 2025-07-04T14:33:55+02:00
sysdb: add sysdb_get_direct_parents_ex()

sysdb_get_direct_parents_ex() is similar to sysdb_get_direct_parents()
but allows to request a different attribute than SYSDB_NAME be returned
for the found groups.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2a19873c by Sumit Bose at 2025-07-04T14:33:55+02:00
ipa: improve handling of external group memberships

Currently add_ad_user_to_cached_groups() expects that all IPA
group-memberships of users from a trusted domain are removed when the
group-memberships from the trusted domain are updated. This is currently
only true for the code path where the tokenGroups request is used. The
code path without tokenGroups does not remove the IPA group-memberships.

Removing the IPA group-memberships is also not very efficient especially
if there are no changes to those at all. With this patch in
add_ad_user_to_cached_groups() it is checked which group-memberships
have to be added or removed. In this function the SYSDB_ORIG_MEMBEROF
attribute of the user is handled as well for the IPA group-memberships.
Since this attribute is removed in all code paths all IPA
group-memberships are added here again. But instead of doing it one by
one as in the previous version, the attribute is added for all groups in
a single operation which should help to improve the performance as
well.

Resolves: https://github.com/SSSD/sssd/issues/7921

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
297ecc46 by Sumit Bose at 2025-07-07T17:16:16+02:00
authtok: add IS_PW_OR_ST_AUTHTOK()

This patch adds a helper macro to determine if an authtok struct is of
type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
useful if a password is expected but an authentication token forwarded
by a different PAM module, which is most probably a password, can be
used as well.

Resolves: https://github.com/SSSD/sssd/issues/7968

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
3b106f18 by Sumit Bose at 2025-07-07T17:16:16+02:00
krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED

Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
handle credentials forwarded by other PAM modules. Before it was
unconditionally assumed that it is a password and hence
SSS_AUTHTOK_TYPE_PASSWORD was used.

When SSS_AUTHTOK_TYPE_PAM_STACKED was introduced, the main use-cases were
already handled but currently offline use-cases fail because here only
SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
credentials as well.

Resolves: https://github.com/SSSD/sssd/issues/7968

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c7bf9064 by Pavel Březina at 2025-07-08T12:34:05+02:00
spec: use correct url for the tarball

The "archive" tarball is created by github by tarring the repository
content, it is not the same as what we release.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
caeeaf7c by Pavel Březina at 2025-07-08T12:34:05+02:00
spec: support gpg verification

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1b884f05 by Pavel Březina at 2025-07-08T12:34:05+02:00
ci: add packit configuration

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8daa3e11 by Pavel Březina at 2025-07-08T12:34:05+02:00
ci: remove custom copr builds

COPR builds are now built by packit.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
94151af9 by Alexey Tikhonov at 2025-07-10T13:09:21+02:00
SPEC: add missing '\'

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6f448e1c by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
UTILS: removed stray declaration

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78c14008 by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
UTILS: moved code used only by 'monitor'

out of shared 'utils'

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f9b226b0 by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
Moved define used by ldap_child only out

of shared 'utils'.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
03da01d7 by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
libkrb5 passkey plugin doesn't use 'libsss_util.so'

No need to use the same read buffer size. Especially taking
into account buffers are used differently.

Also clean up includes a bit.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0fb034b7 by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
'libsss_cert' doesn't use 'libsss_child'

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c00c6e21 by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
CHILD_COMMON: unify structs 'response' and 'io_buffer'

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
03f52633 by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
UTILS: split child helpers code

into process handling and IPC

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
24e9f9b1 by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
UTILS: don't use shared 'IN_BUF_SIZE'

Size of a read buffer depends on child process semantic.
Some processes already had a local definition.
Make it consistent.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
91c528ac by Alexey Tikhonov at 2025-07-10T13:13:14+02:00
Helpers defined in 'child_utils.h' aren't really used in child processes.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
10ad5a0c by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
Rename 'sss_child_ctx_old' -> 'sss_child_ctx'

Maybe there were some plans to unify this struct with another one,
used by monitor, but it wasn't implemented.
Now there is no conflict and 'sss_child_ctx_old' looks weird.

Plus some cosmetic changes.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
81b2f204 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
New `sss_child_start()` helper

to be used instead of copy&pasted 'fork+exec' functions.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
47b544a3 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
KRB5: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
511b44b8 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
LDAP: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3b435ce3 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
Delete 'exec_child()'

It's not used in production code anymore.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
92f977a4 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
IDP: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
afffec38 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
CHILD HELPERS: make activate_child_timeout_handler() internal

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9324feb8 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
AD pw renewal: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ce528fd5 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
AD GPO: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5b72f114 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
responder/ifp: use sss_child_start() for p11_child certificate validation

NOTE: this patch is generated with the help of Cursor/claude-4-sonnet
under strict supervision.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9f2ac088 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
sss_child_start(): allow NULL output _io arg

for those users of this function that don't communicate with
child process via pipe.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e5f4348f by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
SSH: refactor ssh_cert_to_ssh_key.c to use sss_child_start()

Refactor the certificate to SSH key conversion code to use the new sss_child_start()
helper function instead of manual fork/pipe handling. This follows the same pattern
as other recent refactorings in the codebase.

The refactoring:
- Replaces manual pipe creation, fork handling, and child setup with sss_child_start()
- Keeps the p11_child_timeout() function name and location unchanged
- Removes unnecessary fields and variables
- Maintains the same functionality for SSH certificate handling

This patch was generated using Claude Sonnet 4 AI model to follow the established
refactoring patterns from recent commits like:
- <hash removed>: introduces new helper function sss_child_start()
- <hash removed>: KRB5: make use of sss_child_start()
- <hash removed>: LDAP: make use of sss_child_start()

~~~~~

Notes:
 - patch is a result of multiple iterations, pointing at specific
issues with the patch at every iteration
 - `p11_child_timeout()` has lost `child_handler_destroy()` and thus
doesn't terminate child process anymore; to be addressed later

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
839a7309 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
CHILD HELPERS: extend `sss_child_start()`

to handle auto termination.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
96a7fc75 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
AD GPO: handle stuck 'gpo_child'

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bd6dfc2c by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
CHILD HELPERS: handle '--chain-id' as a basic arg

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
452f205e by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
IPA_SELINUX: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9be8b15b by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
PAM:CERT: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0e8f8876 by Alexey Tikhonov at 2025-07-10T13:13:15+02:00
PAM:PASSKEY: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5e2586bb by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
DYNDNS: make use of `sss_child_start()`

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
db8a601d by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
Cosmetics around close-fd helpers

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a831c000 by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
CHILD HELPERS: make `child_io_destructor()` private

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4cd3aac5 by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
CHILD HELPERS: make `child_handler_setup()` and `child_handler_destroy()` kind of "private".

'ipa_subdomains_server.c' still uses those, but ideally
should be reworked to use `sss_child_start()` instead.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e4adf7e4 by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
CHILD HELPERS: make `exec_child_ex()` private

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9f2e11ca by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
CHILD HELPERS: cosmetics around namings

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
301dc67a by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
CHILD HELPERS: check return code of `sss_fd_nonblocking()`

Issue spotted by 'o3' LLM:
```
sss_child_start builds a pipe pair,
marks non-blocking using sss_fd_nonblocking
but no error check of that helper.
```

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fd92f450 by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
KRB5 PASSKEY PLUGIN: ensure space for NULL termination

Issue spotted by 'o3' LLM:
```
buf is allocated exactly PASSKEY_CHILD_MSG_CHUNK bytes; if the child writes
a full 1024-byte, the string may miss a terminating NUL (read does not append one).
 Previously had the same flaw, but still worth fixing (allocate +1 or ensure NUL).
```

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
18cba6e7 by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
Cosmetics: indentation fix

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8bddb6a5 by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
Renamed 'child_common.c' to 'child_handlers.c'

as it suits better.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b871b0cc by Alexey Tikhonov at 2025-07-10T13:13:16+02:00
CHILD HELPERS: make sure 'child_out_fd' isn't used

accidentally if 'io' isn't required.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2121f9b8 by Dan Lavu at 2025-07-11T15:06:42+02:00
removing deprecated pam_ldap pam_krb proxy provider multihost tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
2d6ef923 by Mark Johnston at 2025-07-14T11:49:35+02:00
find_uid.c: Add FreeBSD implementation

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
0ceb4487 by Jakub Vávra at 2025-07-24T07:08:25+02:00
Tests: Move test_sssctl__analyze_without_root_privileges from gating

Run the sssctl analyze under user1 using su instead of ssh.
Remove the test from gating as this is not a "core" functionality.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
e3551621 by André Boscatto at 2025-07-24T07:10:08+02:00
tests: Adding nested group test case for simple access control

While going through the multihost test we identified that this test case
was not covered, thus adding it now.

Relates to https://github.com/SSSD/sssd/pull/7984

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
30d6e9f1 by Gleb Popov at 2025-07-24T16:34:25+02:00
sbus_generate.sh: Use portable shebang

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
06bdffe0 by Gleb Popov at 2025-07-29T17:25:52+02:00
inotify.m4: Fix usage of $sss_extra_libdir

According to src/build_macros.m4 this variable is intended to be prepended
with -L. The same usage can be observed in, say, src/external/libpopt.mk

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c44491e7 by Gleb Popov at 2025-07-29T17:25:52+02:00
Link sss_util to INOTIFY_LIBS, this module calls into inotify API

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b6455e0f by Gleb Popov at 2025-07-29T17:25:52+02:00
Link test_inotify to INOTIFY_LIBS

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7e8b62e0 by Alexey Tikhonov at 2025-07-29T17:26:30+02:00
Make sure previously rotated logs are chown-ed as well.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d8ac4429 by Alexey Tikhonov at 2025-07-29T17:26:30+02:00
spec: don't dereference links while chown-ing in %post

Make it consistent with systemd service file.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
8c32d7fa by krishnavema at 2025-07-29T17:31:44+02:00
tests: adding user su smartcard login test

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fb00f470 by Tomas Halman at 2025-07-30T16:45:24+02:00
Exclude specific IP addresses from dynamic DNS updates

:config: A new option, `dyndns_address`, has been introduced to specify
network addresses that are allowed or excluded from dynamic DNS updates.
The `dyndns_iface` option has been extended to support the exclusion of
network interfaces.

Resolves: https://github.com/SSSD/sssd/issues/6439

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6c29c14a by Justin Stephenson at 2025-07-30T16:48:01+02:00
UTIL: Add string_ends_with utility function

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e7a3cace by Justin Stephenson at 2025-07-30T16:48:01+02:00
CONFDB: Store domain ID override templates

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f1768ba7 by Justin Stephenson at 2025-07-30T16:48:01+02:00
SYSDB: Support ID override templates

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
753c76f0 by Justin Stephenson at 2025-07-30T16:48:01+02:00
IPA: Support ID override templates

Retrieve ID override templates on subdomain
initialization. When overrides are checked
during IPA lookups, check for fallback template
values.

:relnote: SSSD now checks for existence of ID override templates
          in an IPA provider configuration. ID override templates
          supports overriding loginShell and homeDirectory values
          for trusted AD, or upcoming IPA-IPA trusted users. This
          behavior is enabled by default.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9856b6dd by shridhargadekar at 2025-07-31T11:06:45+02:00
Tests: cache_credentials = true not working

Tests for cache_credentials = true not working in sssd, with specified PAM
configuration in /etc/pam.d/system-auth and /etc/pam.d/password-auth

verifies #7968

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
878e5d62 by Alexey Tikhonov at 2025-08-01T10:14:34+02:00
SSS_CLIENT:MC: simplify logic and

fix potential race condition in `sss_nss_mc_get_ctx()`

Resolves: https://github.com/SSSD/sssd/issues/7967

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b33327ac by shridhargadekar at 2025-08-06T09:05:09+02:00
Tests: Adjusting priority of a test case

Setting a priority of a
test_authentication__user_login_with_modified_PAM_stack_provider_is_offline
to medium from critical

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
6d124aec by Gleb Popov at 2025-08-06T09:05:50+02:00
Include sys/wait.h where needed

All this code uses WIFEXITED() macro, which is defined in sys/wait.h according
to POSIX

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
87dae847 by Pavel Březina at 2025-08-06T16:36:44+02:00
packit: get version from version.m4 for upstream builds

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
ca0db6d5 by Jakub Vávra at 2025-08-07T12:18:29+02:00
Tests: Make multihost custom-log more resilient.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
0e66577e by Gleb Popov at 2025-08-11T10:19:19+02:00
Introduce FreeBSD CI

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3533bd5a by Justin Stephenson at 2025-08-11T10:19:57+02:00
tests: Stabilize analyze child logs

Use `with` block to close ssh connection
after initial successful login and remove `sleep`

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
a38790fc by Justin Stephenson at 2025-08-11T10:21:16+02:00
ipa: remove IPA dyndns legacy options

:config: ipa_dyndns_update, ipa_dyndns_ttl, and ipa_dyndns_iface
legacy options are now removed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b17c6c5e by Sumit Bose at 2025-08-13T17:41:21+02:00
ci: add missing intgcheck artifacts

If the integration tests fail during one of the initial steps 'install-deps'
or 'autoreconf.log' there are no logs to debug the issue. This patch
adds the related logs to the artifacts.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
576b8675 by aborah-sudo at 2025-08-13T17:42:05+02:00
Tests: Add additional Infopipe tests for untested interfaces

- Added tests for:
  - Ping interface (`Ping` method)
  - ListComponents and component property checks
  - FindMonitor and monitor validation
  - Users interface `FindByID` method
  - Groups interface `FindByID` method
  - UpdateGroupsList for refreshing user group memberships

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
f7ad10cf by Pavel Březina at 2025-08-15T10:46:53+02:00
SSSDConfig: allow last section to be empty

Previously, if the last section in the configuration file did not
contain any value and the configuration file did not contain last empty
line, the section was ignored.

This worked:
```
[pam]\n
\n
```

This was ignored:
```
[pam]\n
```

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
c92580bd by Pavel Březina at 2025-08-15T10:46:53+02:00
ci: add pre-commit configuration

pre-commit is a tool that can easily install configured git hooks
locally. It can be also used to run checks as part of PR CI on
GitHub.

You can install the git hooks locally by running `pre-commit install`
to automatically fix code on commit.

The current configuration takes care of white spaces.

See https://pre-commit.com and https://pre-commit.ci for more details.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
afd88cf0 by Pavel Březina at 2025-08-15T10:46:53+02:00
ci: add python-system-tests as requirement to the result job

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
c6d1d699 by Pavel Březina at 2025-08-15T10:46:53+02:00
whitespace: fix issues found by pre-commit

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
6924d678 by Pavel Březina at 2025-08-20T18:54:33+02:00
ci: add automation for creating new release

This automation can be manually triggered in "Actions" tab.

- update translations
- bump version number
- create signed commits and tag
- push the content to upstream repository
- create new github release with autogenerated release notes

Since release notes generated from our commit messages are not yet
supported, the release is created as a draft. When created, we need
to update release notes manually and then publish the release.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f84bc333 by Justin Stephenson at 2025-08-21T13:25:00+02:00
tests: test_sssctl__analyze_child_logs handle timing issue

in IDM-CI a different request to SSSD can happen before the
failed login attempt provided in the test, making this other
request show as CID #1 in the logs causing this test to fail.

Concatenate the first three CID requests to address this. This
timing issue is unrelated to the functionality this test needs
to exercise (checking child logs of analyzer output).

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
17b9188f by Justin Stephenson at 2025-08-26T15:49:00+02:00
ci: Workaround pylibssh Failed to open session

Add constraints.txt file to specify version requirements separate
from installed packages

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5e16b0de by Justin Stephenson at 2025-08-26T15:49:00+02:00
ci: Install libssh-dev

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
38a6a4a7 by Patrick Bruenn at 2025-09-05T11:04:42+02:00
BUILD: Accept krb5 1.22 for building the PAC plugin

At least on FreeBSD 14.2 this fixes the build with krb5 1.22.

Signed-off-by: Patrick Bruenn <p.bruenn at beckhoff.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9cbb08da by Justin Stephenson at 2025-09-05T17:47:21+02:00
sysdb: Execute override code even if no templates exist

Fixes an issue where ID overrides were not applied properly
for the Default Trust View.

Resolves: https://github.com/SSSD/sssd/issues/8059

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5aa8c23a by Justin Stephenson at 2025-09-12T08:55:03+02:00
tests: update test_sudo network utilities

These were moved in
https://github.com/SSSD/sssd-test-framework/commit/bad71037feef3108578f32e9c4c25b5556eebffd

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
a73ea6eb by aborah-sudo at 2025-09-15T13:52:01+02:00
Tests: Refactor sssctl tests: consolidate and fix config-check

- Parameterized similar config-check and analyze tests
- Fixed domain section handling in config validation
- Improved error messages and assertions
- Maintained all original test coverage

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9c0ca193 by Justin Stephenson at 2025-09-17T10:31:55+02:00
ipa: additional IPA hosts/hostgroups debugging

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
74d3adb0 by Gleb Popov at 2025-09-18T18:43:54+02:00
SSSDConfig.py: Support running on FreeBSD

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
6be934a4 by Gleb Popov at 2025-09-18T18:43:54+02:00
FreeBSD CI: Put the job's output under logging groups

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
445d374b by Gleb Popov at 2025-09-18T18:43:54+02:00
FreeBSD CI: Install the softhsm2 dependency

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
caab178d by Gleb Popov at 2025-09-18T18:43:54+02:00
Fix building of test_pam_srv.c on FreeBSD

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
55c13ed9 by Gleb Popov at 2025-09-18T18:43:54+02:00
When running on FreeBSD skip tests that are using fget{pw,gr}ent

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
a6030b79 by Alexey Tikhonov at 2025-09-19T14:36:28+02:00
Drop support of 'ad_allow_remote_domain_local_groups'

:config: Support of previously deprecated 'ad_allow_remote_domain_local_groups'
config option was removed completely.

:packaging: '--with-allow-remote-domain-local-groups' ./configure option was
removed.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4fca9179 by Alexey Tikhonov at 2025-09-22T10:02:19+02:00
conf: support only bool value for 'enumerate' option

This is the only documented type for a long time.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e60fcddb by Alexey Tikhonov at 2025-09-22T10:02:19+02:00
ENUMERATION: drop support of enumeration for IPA/AD

:relnote: Previously deprecated '--with-extended-enumeration-support'
./configure option was removed.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9f72fcd7 by Sumit Bose at 2025-09-23T16:00:06+02:00
ipa: improve handling of external group memberships

Recently add_ad_user_to_cached_groups() was modified to better handle
adding and removing group memberships of users from trusted domains in
groups of the local IPA domain. Before the change group members were
only added and with the change a removal was possible as well. This
caused an issue with an in-out parameter which contains the full list
of IPA group memberships at input and the list of group missing in the
cache as output. Since add_ad_user_to_cached_groups() is called twice,
the second time after the missing groups were read from the IPA server,
this caused an unexpected removal of group memberships since the second
call to add_ad_user_to_cached_groups() was done with the list of
missing groups and not with the full list.

With this patch a dedicated list is used for the missing groups to avoid
the described issues.

Resolves: https://github.com/SSSD/sssd/issues/7921

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2a388e75 by Sumit Bose at 2025-09-23T16:00:06+02:00
tests: test removal of external group membership

Resolves: https://github.com/SSSD/sssd/issues/7921

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
80ccb593 by shridhargadekar at 2025-09-23T16:00:06+02:00
Test: HBAC affecting AD-users ipa-group membership

In an IPA-AD trust environment, AD-user has membership of an
external-ipa group. This external-ipa-group is member of IPA-posix
group. When an HBAC rule is added and the ipa-posix member is
added as member for that rule, AD-user misses that IPA-group-membership

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
901a6232 by Pavel Březina at 2025-09-24T13:03:34+02:00
ci: move build to standalone workflow

Jobs inside this workflow are skipped if pull request touches only
system tests and no other files, so it is not run when not needed
(system tests can not break make).

It is however run for all changes when pushed to the target branch to
always have the latest status available.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bab82018 by Pavel Březina at 2025-09-24T13:03:34+02:00
ci: only run changed tests for test only changes

Pull requests that only modify tests do not need to run the whole test
suite, only the tests that were actually touched.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6958eecd by Pavel Březina at 2025-09-24T13:03:34+02:00
ci: use parallel build

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
481700d4 by Jakub Vávra at 2025-09-30T08:19:39+02:00
Tests: Update polarion team name

- - - - -
cf562deb by Justin Stephenson at 2025-10-01T13:33:44+02:00
ci: constraints - pin to branch for pylibssh workaround

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bab9aa34 by Alexey Tikhonov at 2025-10-02T19:48:44+02:00
KCM: corrected debug messages

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
07b720ee by Alexey Tikhonov at 2025-10-02T19:48:44+02:00
KCM: verbosity

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
b8b92dfe by Alexey Tikhonov at 2025-10-02T19:48:44+02:00
KCM: don't trigger backtrace if 'uuid_by_name' fails

It's up to users of this helper to decide on error severity.
In particular, for `SET_DEFAULT_CACHE` error code `ERR_NO_CREDS`
is pretty much normal.

The same with 'name_by_uuid' helper.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e6738a21 by Gleb Popov at 2025-10-06T10:16:38+02:00
util-tests.c: Properly bring back the value of TZ

In its previous form the code was ending up with setting TZ even if it wasn't
set before the test.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
2c2fd60d by Justin Stephenson at 2025-10-06T10:17:23+02:00
ipa: Handle auto private group lookup with login override

When a 'name' ID user override exists for IPA AD trusted users,
user resolution would fail as the auto private group could not
be resolved. Fix resolving the auto private group of
overwritten_name at ad.domain. In the IPA provider add a retry to
search and fetch the user object if no group override was
found.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1c64f1c5 by Justin Stephenson at 2025-10-06T10:17:23+02:00
tests: auto private group lookup with login override

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b301b1f5 by Jakub Vávra at 2025-10-07T07:03:04+02:00
Tests: Update keytab rotation tests.

Drop tests_samba_data as it mostly duplicates test from
test_hostkeytabrotation.
Drop test_hostkeytabrotation: test_003_delentry, test_005_deletespn
as it will not work due to samba not increasing kvnos according
to kerberos specification. Simplify test_001_rotation.
Update test_002_updatedkeytab and test_004_multiplespn.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
baeb2daa by Jakub Vávra at 2025-10-07T07:03:04+02:00
Tests: Drop failing ported test_idmap

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
be6359b8 by Justin Stephenson at 2025-10-08T18:44:33+02:00
ci: Remove intgcheck on debian-latest

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
520f9279 by Justin Stephenson at 2025-10-08T18:46:17+02:00
ci: Update python version to latest minor version

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
08a7195b by Justin Stephenson at 2025-10-08T19:03:03+02:00
ci: get changed script handle run for master push (non-PR)

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c5e64318 by Jakub Vávra at 2025-10-13T06:53:20+02:00
Tests: Skip tests unstable on other architectures.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
f3af8c89 by Alexey Tikhonov at 2025-10-13T10:06:40+02:00
CLIENT: fix thread unsafe access to autofs struct.

In case SSSD is built with lock-free client support, `sss_nss_lock()`
is a no-op, thus resulting in thread unsafe access.

This is a fix similar to 69fd828c1d5e92bc3b2e327a45dfed116f49d50a

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5e7f3680 by aborah-sudo at 2025-10-13T10:51:38+02:00
Tests: Add comprehensive sssctl functionality tests

- Implement tests for sssctl domain-status verification
- Add tests for user-checks authentication validation
- Implement log management tests (logs-remove, logs-fetch)
- Add debug-level modification tests
- Include user/group/netgroup show command tests
- Add invalid domain handling test for debug-level

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
9939c39d by Sumit Bose at 2025-10-16T20:05:25+02:00
krb5: disable Kerberos localauth an2ln plugin for AD/IPA

If a client is joined to AD or IPA SSSD's localauth plugin can handle
the mapping of Kerberos principals to local accounts. In case it cannot
map the Kerberos principals libkrb5 is currently configured to fall back
to the default localauth plugins 'default', 'rule', 'names',
'auth_to_local', 'k5login' and 'an2ln' (see man krb5.conf for details).
All plugins except 'an2ln' require some explicit configuration by either
the administrator or the local user. To avoid some unexpected mapping
being done by the 'an2ln' plugin this patch disables it in the configuration
snippets for SSSD's localauth plugin.

Resolves: https://github.com/SSSD/sssd/issues/8021

:relnote: After startup SSSD already creates a Kerberos configuration
 snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
 if the AD or IPA providers are used. This enables SSSD's localauth plugin.
 Starting with this release the an2ln plugin is disabled in the
 configuration snippet as well. If this file or its content are included in
 the Kerberos configuration it will fix CVE-2025-11561.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
16db74ca by Gleb Popov at 2025-10-17T10:06:00+02:00
util-tests.c: Use TMPDIR (or fall back to /tmp) to store test's temporary files

Otherwise it uses CWD, which might be readonly.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
1c8958d1 by Gleb Popov at 2025-10-17T10:06:22+02:00
resolv-tests: Do not perform leak checking when running on FreeBSD

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
63639ecb by Justin Stephenson at 2025-10-17T11:05:57+02:00
ci: Override shell builtin bash options for get-changed script

When only system test files are touched in a PR, the get-changed.sh
script fails due to -o pipefail option being added by
GH action shell built-in.

https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defaultsrunshell

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e92df278 by Scott Poore at 2025-10-17T11:08:51+02:00
test: Add Passwordless GDM tests for External IdP

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
4e7ac3bb by Madhuri Upadhye at 2025-10-17T13:10:34+02:00
intg: Remove ldap_local_override_test.py

Review the test cases, most of them are already
automated, one needs to automate others are
partially covered.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
c3f3672a by Dan Lavu at 2025-10-21T11:30:02+02:00
tests: improving sss_override to adhere to new guidelines

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
a0383378 by dependabot[bot] at 2025-10-21T11:31:47+02:00
build(deps): bump actions/checkout from 4 to 5

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0d31ab57 by dependabot[bot] at 2025-10-21T11:32:06+02:00
build(deps): bump actions/setup-python from 5 to 6

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v5...v6)

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
488e540d by Alexey Tikhonov at 2025-10-24T12:05:05+02:00
gpo_child: don't include 'util/signal.c'

It's not really needed.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
14b285e5 by Gleb Popov at 2025-10-24T12:06:18+02:00
test_iobuf.c: Only run the test_sss_iobuf_secure subtest on Linux

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
e3290326 by Dan Lavu at 2025-10-31T16:41:42+01:00
removing intg resolver test.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
3f708bda by Dan Lavu at 2025-10-31T16:41:42+01:00
adding ldap resolver provider tests

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
bf23a6e9 by Jakub Vávra at 2025-11-03T10:34:40+01:00
Tests: Add umockdev and virtsmarcard as test dependencies

We want to skip these tests automatically if they do not have
the required environment available instead of manually
blacklisting them from test suites.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Vema Kudumala <vkudumal at redhat.com>

- - - - -
5a800d9c by Justin Stephenson at 2025-11-04T11:15:00+01:00
ci: remove pylibssh workaround

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
56b247db by Gleb Popov at 2025-11-04T11:15:52+01:00
strtonum.c: Clear errno if it was set to EINVAL to make behavior consistent

This fixes strtonum-tests.c test on FreeBSD.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
684e5683 by Ondrej Valousek at 2025-11-04T12:32:33+01:00
allow use machine credentials from trusted domain :relnote: SSSD now allows using machine credentials from a trusted AD domain or Kerberos realm if no suitable domain-local credentials are available

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2e5ad5b9 by Pavel Březina at 2025-11-04T15:27:12+01:00
ci: automatically add Reviewed-by trailer when Accepted label is set

This introduces a new workflow that is run when Accepted label is set.
It appends Reviewed-by trailers to all commits in the pull request for
all reviewers that ack-ed it.

* It is skipped if Accepted label is missing/removed
* It is no-op success if PR was synchronized after label was set (this
  is required to make it green as it is automatically re-run when the
  job finishes as a side effect to pushing to this repository)
* It adds the trailers when Accepted label is added

It uses secrets.BOT_TOKEN and SSSD_AUTHORS variable that contains
mapping from github account to name and email.

Since PR CI is restarted when commits with Reviewed-by are pushed, the
job also submits comment with current PR CI status, so it is not lost
and we do not have to necessarily wait for new PR CI run to finish.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
b8546368 by Pavel Březina at 2025-11-04T15:27:12+01:00
ci: add autobackport workflow

This adds an autobackport workflow that will automatically backport
pull request with backport-to-$branch label. Backport pull request
is created upon merging the original pull request for each requested
branch. It is also possible to create additional backport by labeling
the already merged pull request.

If there are any conflicts during cherry-picks, they are committed and
pull request is still opened. The author of the original pull request
can then fix them and push to the backport pull request (guide is
presented in the PR description).

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
424ae7c6 by Iker Pedrosa at 2025-11-04T15:28:56+01:00
ci: fix dependabot.yml schema validation

As specified in the documentation move prefix under commit-message
section.

Link: <https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference>
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7a903e83 by liberodark at 2025-11-05T10:24:48+01:00
confdb: Add --with-ldb-modules-path configure option

Add configure option to specify LDB modules path at build time.
This allows distributions to set the correct path when LDB modules
are installed in non-standard locations.

The path is set once during confdb initialization if configured,
respecting any pre-existing LDB_MODULES_PATH environment variable.

:packaging: Add --with-ldb-modules-path=PATH configure option to specify LDB modules path at build time.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
925c9d32 by dependabot[bot] at 2025-11-06T14:42:04+01:00
build(deps): bump github/codeql-action from 3 to 4

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support at github.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
2f3b3db8 by Alexey Tikhonov at 2025-11-06T16:24:47+01:00
OIDC_CHILD: fix compilation warning

This fixes
```
../src/oidc_child/oidc_child.c: In function ‘main’:
../src/oidc_child/oidc_child.c:682:17: warning: ‘client_secret_tmp’ may be used uninitialized [-Wmaybe-uninitialized]
  682 |                 explicit_bzero(client_secret_tmp, strlen(client_secret_tmp));
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/oidc_child/oidc_child.c:578:11: note: ‘client_secret_tmp’ was declared here
  578 |     char *client_secret_tmp;
      |           ^~~~~~~~~~~~~~~~~
```

Warning is a false positive but cheap to "fix".

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9c139765 by Alexey Tikhonov at 2025-11-06T16:24:47+01:00
OIDC_CHILD: use `sss_erase_mem_securely()` wrapper

instead of `explicit_bzero()` as the latter might be unavailable.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0fb839ad by dependabot[bot] at 2025-11-12T13:30:01+01:00
build(deps): bump actions/upload-artifact from 4 to 5

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 5.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support at github.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
40ee0a5c by Justin Stephenson at 2025-11-12T17:24:44+01:00
SYSDB: Add sysdb_add_bool()

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
85b632d1 by Justin Stephenson at 2025-11-12T17:24:44+01:00
SYSDB: Dont store gid 0 for non-posix groups

Remove logic to store 'gidNumber: 0' in the cache for
non-posix groups. Instead do not add a gidNumber at all,
this avoids performance hit due to huge GID=0 index
when a large number of non-posix groups are stored.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bedc2161 by Justin Stephenson at 2025-11-12T17:24:44+01:00
SDAP: Remove sdap_store_group_with_gid()

It is no longer needed as we no longer want to store
'gid: 0' for non-POSIX groups.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0d2b75f4 by krishnavema at 2025-11-13T10:58:40+05:30
tests:Added IPA Certificate Authority Tests

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fbf8ae71 by Sumit Bose at 2025-11-13T14:05:09+01:00
tests: add pysss_nss_idmap system test

The new system test is mostly a 1:1 replacement of the existing
integration test.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
399f7a27 by Sumit Bose at 2025-11-13T14:05:09+01:00
intg: remove test_pysss_nss_idmap.py

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e557ac75 by Pavel Březina at 2025-11-14T08:33:21+01:00
ci: remove final result job

The intention behind this job was to use it in a branch protection rule
to require it to be green. However, the intg tests still fail quite
often and even rawhide is red every now and then so this is unusable.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
af225a0e by Pavel Březina at 2025-11-14T08:33:21+01:00
ci: remove result job from analyze-target

There is only one job now so it does not make sense.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
f100cb6d by Pavel Březina at 2025-11-14T08:33:21+01:00
ci: remove result job from static-code-analysis

We do not use it in the branch protection rules, so it is not needed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6f4e1f9a by Pavel Březina at 2025-11-14T08:33:21+01:00
ci: run long jobs only if Accepted label is not set

To avoid wasting resources on our new merge workflow.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
984d794a by Justin Stephenson at 2025-11-15T17:13:04+01:00
man: Clarify the user_attributes option

Resolves: #8134
Reviewed-by:
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e95d3fe0 by Sumit Bose at 2025-11-18T10:53:16+01:00
test: check is an2ln plugin is disabled or not

The Kerberos 'an2ln' localauth plugin should be disabled in AD and IPA
environments where SSSD's localauth plugin can handle the mapping. In a
plain Kerberos environment libkrb5 defaults should be used.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
c78855c1 by Sumit Bose at 2025-11-18T10:54:04+01:00
tests: add test_pac_responder.py

This new system test is a replacement of the integration test with the
same name. It depends on a test binary which was added to the SSSD CI
containers in https://github.com/SSSD/sssd-ci-containers/pull/150.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
be020a3c by Sumit Bose at 2025-11-18T10:54:04+01:00
intg: remove test_pac_responder.py

This test was replaced by a system test with the same name.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
e661b539 by Sumit Bose at 2025-11-18T16:49:51+01:00
ipa: filter DNs for ipa_add_trusted_memberships_send()

The ipa_add_trusted_memberships_send() request will use
groups_get_send() to lookup missing groups. groups_get_send() can
currently only lookup "proper" groups which besides other items means
that the group name must be stored under the LDAP attribute given by the
'ldap_group_name' option. So currently it does not make sense to try to
lookup other objects where the RDN attribute name is different than this
value because those will always be treated as missing in the cache and
always trigger an LDAP search which will fail. This will typically
happen for iPAAssociation objects which are used to connect users and
hosts with HBAC and sudo rules. If in future a more generic search is
used this filter can be removed.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
997ffd1a by Tomas Halman at 2025-11-18T18:20:37+01:00
tests: Migrate missing tests to new framework

This PR implements tests from integ/test_ldap.py to new system tests

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
0cae6821 by Dan Lavu at 2025-11-21T10:03:11+01:00
test_infopipe, standardizing the provider amongst all tests

- - - - -
f2ccc6e5 by Dan Lavu at 2025-11-21T10:03:11+01:00
updating some test logic and adding test cases

- - - - -
a276441f by Dan Lavu at 2025-11-21T10:03:11+01:00
removing intg ifp tests

- - - - -
acc75d16 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
Get rid of useless `SSSD_MAIN_OPTS` define.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
21edc74d by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
Makefile: tools do not need to link against 'sss_client' code

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2628fb92 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
Makefile: get rid of useless 'SSSD_LCL_TOOLS_OBJ'

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
74b64062 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
Move 'DEBUG_CHAIN_ID_FMT_*' from 'util.h'

to 'sss_chain_id.h' where it makes better sense.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bfa052d2 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
Include <libintl.h> in 'debug.h'

Since this header uses `gettext()`

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
c186e201 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
OIDC_CHILD: use DEBUG_CHAIN_ID_FMT_RID

instead of DEBUG_CHAIN_ID_FMT_CID since this process is invoked
by a provider.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
e97a2281 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
Helpers to do a basic setup of a child process.

Plus an application in 'ldap_child'.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
9e9c4200 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
KRB5_CHILD: use new helper to setup a process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1f9c1444 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
OIDC_CHILD: use new helper to setup a process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5ae5837f by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
AD_GPO_CHILD: use new helper to setup a process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ac5d345e by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
P11_CHILD: use new helper to setup a process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
03a5279e by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
PASSKEY_CHILD: use new helper to setup a process

This also makes 'passkey_child' use '--chain-id' if supplied.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
300a9621 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
SELINUX_CHILD: use new helper to setup a process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7ad2aa8f by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
SELINUX_CHILD: fix includes

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
16730195 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
DUMMY_CHILD TEST: use new helper to setup a process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
cbfba4ed by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
DEBUG: use 'debug_prg_name' if 'debug_log_file' isn't set

This avoids using 'sssd' potentially by multiple binaries.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
6aa7c9a0 by Alexey Tikhonov at 2025-11-21T14:38:22+01:00
PROXY_CHILD: use new helper to setup a process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a9f9c5c4 by Dan Lavu at 2025-11-21T19:08:48+01:00
Replacing provider conditionals with set_server method

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7ddb51fd by Sumit Bose at 2025-11-24T10:06:48+01:00
utils: add new error code ERR_CHECK_NEXT_AUTH_TYPE

This error code should be used if another authentication type should be
checked.

Resolves: https://github.com/SSSD/sssd/issues/8108
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
0adc2e77 by Sumit Bose at 2025-11-24T10:06:48+01:00
krb5_child: use ERR_CHECK_NEXT_AUTH_TYPE instead of EAGAIN

This patch used the new error code ERR_CHECK_NEXT_AUTH_TYPE while
processing different authentication types instead of EAGAIN because
EAGAIN might have side effects when returned to the callers.

Resolves: https://github.com/SSSD/sssd/issues/8108
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
da82d1d5 by Sumit Bose at 2025-11-24T10:06:48+01:00
krb5_child: clarify EAGAIN returned by krb5_get_init_creds_password()

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fc159ed2 by Dan Lavu at 2025-11-24T21:00:13+01:00
fixing and making automatic kcm renewal test more forgiving

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>

- - - - -
b01df9a4 by Tomas Halman at 2025-11-25T10:50:44+01:00
tests: Remove obsolete sssctl tests

Those tests are now covered in new testing framework.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
cf974c66 by Tomas Halman at 2025-11-25T10:50:44+01:00
tests: migrate sssctl tests to new framework

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
a881e10d by Gleb Popov at 2025-11-25T13:56:12+01:00
file_watch.c: Do not pass IN_IGNORED to inotify_add_watch

This is an output flag and it doesn't make sense to pass it as input.
FreeBSD implementation is more finicky, so passing this flag makes the call
fail.

Fixes the file-watch-tests test on FreeBSD.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
0511cc27 by Scott Poore at 2025-11-26T13:05:07+01:00
system tests: add bare topologies to mhc.yaml

The new "bare" topologies are missing from the system tests' mhc.yaml
file in provisioned_topologies. These need to be there for upstream CI
tests to work with tests using those topologies.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
05fa421b by Scott Poore at 2025-11-26T13:05:07+01:00
Tests:  Adding GDM Passkey tests

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
bbbd1504 by Alexey Tikhonov at 2025-11-26T14:08:37+01:00
SPEC: require reasonably up to date 'libldb' version

Since 'libldb' is built from Samba sources, it uses the same version.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ec81ea23 by shridhargadekar at 2025-11-27T13:03:09+01:00
Tests: ADuser external group cache update

AD user in external group is not cleared when expiring the cache.
In IPA-AD trust, an ADuser is member of large number of IPA groups.
When ADuser is removed from one external-group, and cache of ADuser
is expired, subsequent look up should update the cache correctly.

verifies #7938

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b1d425a5 by Tomas Halman at 2025-11-27T15:21:05+01:00
Filter IPv6 addresses not suitable for DNS updates

IPv6 brings a concept of address states defined in several
RFCs (RFC 2462, RFC 3041, RFC 4862). Addresses that are marked
as temporary, deprecated or tentative should not be used in
DNS updates.

This PR reads those flags via netlink interface and it
excludes addresses with those flags.

Resolves: https://github.com/SSSD/sssd/issues/8089
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
637b7bcb by Tomas Halman at 2025-11-27T15:21:05+01:00
test: check temporary address exclusion

IPv6 address can be marked as temporary, deprecated or
tentative. We should exclude them from DNS updates.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1d488d53 by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
CONTRIB:fedconfig: enable '--with-subid'

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
fcbf23d4 by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
MAN: fix missing `with_subid` condition

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6fcf7c3a by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
SUBID:IPA: correct OC

Proper STRUCTURAL objectClass is 'ipaSubordinateIdEntry'.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9901ed36 by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
SUBID: deprecate `ipa_subid_ranges_search_base`

in favor of `ldap_subid_ranges_search_base`.

:config:Option `ipa_subid_ranges_search_base` was deprecated in favor
of `ldap_subid_ranges_search_base`.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae98d8e3 by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
LDAP: add subid ranges support

Resolves: https://github.com/SSSD/sssd/issues/8030
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7a516505 by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
SUBID: don't require search bases to be set in advance

It can be read from rootDSE upon first connection.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9014ced6 by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
man: document subid LDAP attributes

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0edeb89c by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
DEBUG: lower debug level of several messages

related to attributes presence/manipulation.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
79028eff by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
SUBID: resolve owner DN instead of guessing

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
f255e37f by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
SUBID: sanitize range owner dn

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
95994dd9 by Alexey Tikhonov at 2025-12-02T11:17:32+01:00
SUBID: trusted subdomains aren't currently supported

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b0af250c by Gleb Popov at 2025-12-02T15:07:18+01:00
config/cfg_rules.ini: Make regexp's more POSIX compliant

According to section 9.3.2 BRE Ordinary Characters [1], the '\+' sequence may
work as a plain character or like ERE special character. It is the latter for
Linux, but it is the former for FreeBSD.

Instead, use '{1,}' as a portable way of expressing "one or many".

This fixes most of config validation tests on FreeBSD.

[1] https://pubs.opengroup.org/onlinepubs/9799919799.2024edition/basedefs/V1_chap09.html#tag_09_03_02

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d865ac34 by Sumit Bose at 2025-12-02T16:02:02+01:00
ipa: check for empty trusts in ipa_get_trust_type()

Similar to ipa_get_ad_id_ctx() or ipa_get_ipa_id_ctx(),
ipa_get_trust_type() should be aware that the 'trusts' member of
'server_mode' might be NULL.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
407eda3e by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
IFP: use correct error code for timeout

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
4f3b98a8 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
CHILD HANDLERS: add standard timeout handler

and make use of it in gpo/ifp/ssh code.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
b384d1f1 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
ad_machine_pw_renewal: remove unused variables

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
86367372 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
ad_machine_pw_renewal: use sss_child_handle_timeout()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d57290a0 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
PAM/P11: get rid of unused 'pam_check_cert_state::child_status'

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1019f9a8 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
PAM/P11: use sss_child_handle_timeout()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
d97d14f2 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
PAM/PASSKEY: use sss_child_handle_timeout()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
7f3e0dcc by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
CHILD HELPERS: let generic timeout handler set 'io->in_use'

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
bee13359 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
KRB5_CHILD: use sss_child_handle_timeout()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
a326df49 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
OIDC_CHILD: use sss_child_handle_timeout()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
87b8e506 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
DYNDNS: use a proper 'timeout_handler'

'nsupdate_child_state::timeout_handler' wasn't really used.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
55c63c3d by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
DYNDNS: use sss_child_handle_timeout()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
10f9eb29 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
PROXY: provide 'dumpable' and 'backtrace' args to child process

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ed230fc9 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
PROXY: delete unused define

Unused since c7e2d7a56d8969f26921811e5122f78b257fb51e

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2ad8cbf9 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
PROXY: use `sss_child_handle_timeout()`

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ec3e9747 by Alexey Tikhonov at 2025-12-03T11:11:21+01:00
PAM/P11: debug message fixed

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
2a1048b5 by Alexey Tikhonov at 2025-12-03T11:49:01+01:00
CONFIG: disable 'session_provider' by default

:config: Default value of 'session_provider' option was changed to 'none'
(i.e. disabled) no matter what 'id_provider' is used. Previously
'session_provider' was enabled by default for 'id_provider = ipa' case.
But this didn't make sense because 'Fleet Commander', that is being
integrated in this case, has long been obsolete.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
47b38f17 by Gleb Popov at 2025-12-03T17:56:46+01:00
sss_unique_file: Ensure correct group ownership on the created file

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9a776480 by Gleb Popov at 2025-12-03T17:56:46+01:00
check_file-tests: Ensure correct group ownership on the created file

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d6ea5555 by Pavel Březina at 2025-12-04T11:16:09+01:00
sbus: defer notification callbacks

Otherwise, it is possible to incorrectly chain nested requests since the
chain id is still present in the hash table.

Resolves: https://github.com/SSSD/sssd/issues/8194
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
816eb1e2 by Pavel Březina at 2025-12-04T11:16:09+01:00
cache_req: allow cache_first mode only if there is more than one domain

Otherwise we will perform unnecessary data provider lookups.

Resolves: https://github.com/SSSD/sssd/issues/8194
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
00547f67 by Pavel Březina at 2025-12-04T11:16:09+01:00
tests: filter_groups by name and lookup by id with expired cache

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
fb4d5ad2 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
util: implement pam_get_response_data()

This API gets the selected response type data from the response_data
linked list. Includes unit tests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Signed-off-by: Ray Strode <halfline at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bc4bfcd9 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
sss_client: add EIdP to prompt_config structure

Integration with GDM requests two prompts for EIdP so adding them to
prompt_config structure. In addition, implement all the functions needed
to manipulate the structure for these new prompts. Finally, add
unit-tests for the new functions.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
af9459e1 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: tune prompts in the GUI

Return `prompt_config` structure in `pam_eval_prompting_config` to tune
the prompts from the SSSD config in the GUI.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
316579af by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: generate JSON message for GUI

Implement a set of functions to check the available authentication
mechanisms and their associated data, and generate a JSON message with
it. This JSON formatted message will be consumed by apps that provide
GUI login (i.e. GDM). Currently, the implementation only takes into
account password and OAUTH2 mechanisms.

Include unit tests to check the implemented functions.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b0480345 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: unpack JSON reply from GUI

Implement a set of functions to unpack the JSON reply from the GUI.
Include unit tests to check the implemented functions.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2fda8e08 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: check PAM service file for JSON protocol

Implement a function to check whether the PAM service file in use is
enabled for the JSON protocol. This helps us filter which applications
are compatible with this protocol.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b3dc37aa by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: new option `pam_json_services`

This new option is used to enable the JSON protocol in the PAM responder
based on the PAM service file in use.

:config: A new option `pam_json_services` is now available to enable
         JSON protocol to communicate the available authentication
         mechanisms.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c5af066c by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: call JSON message generation

Call JSON message generation function and fill the data structure
containing the response_data linked list.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
12325218 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
SSS_CLIENT: forward available auth JSON message

Forward the available authentication mechanisms and their associated
data message to the GUI login using a PAM conversation. Then, obtain the
reply and forward it to the responder, so that it can parse it.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Signed-off-by: Ray Strode <halfline at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
48381a3f by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: parse GUI reply

Parse GUI reply and set the appropriate data in `sss_auth_token`
structure.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e327f0d7 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Test: adapt test_pam_srv to JSON message

Include JSON message where applies.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8d24366e by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: check return value for json_string()

It returns NULL on error, but this wasn't checked.

Fixes: ceeffa9e1 ("Responder: generate JSON message for GUI")

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7c70f1dc by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: update JSON message format

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6c38800b by Iker Pedrosa at 2025-12-04T15:16:04+01:00
sss_client: modify smartcard in prompt_config structure

Integration with GDM requests two prompts for smartcard so modifying the
prompt_config structure. In addition, implement all the functions needed
to manipulate the structure for these new prompts. Finally, add
unit-tests for the new functions.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5f2fc24c by Iker Pedrosa at 2025-12-04T15:16:04+01:00
util: implement pam_get_response_data_all_same_type()

This API gets all the elements with the selected response type data from
the response_data linked list. Includes unit tests.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b4699ddb by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: generate JSON message for smartcard

Implement a set of functions to retrieve the smartcard data and generate
the JSON message with it.

Implement new unit test and adapt the existing ones to take into account
the new data.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0640200f by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: parse reply for smartcard

Parse GUI reply for smartcard and set the appropriate data in
`sss_auth_token` structure.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6011466b by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: refactor JSON functions to reduce args

Several of the functions in `pamsrv_json` had lots of arguments and I'm
about to add more for the passkey authentication mechanism. Reduce these
arguments by creating a structure that will contain all these data.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
18dd5264 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: extend smartcard JSON request message

Include the certificate data in the JSON messages to set it in the
authtok structure more easily.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78ec10f2 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: extend smartcard JSON reply message

Include the certificate data in the JSON message to set it in the
authtok structure more easily.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
be9164f2 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: make `decode_pam_passkey_msg()` public

This is needed by `pamsrv_json.c`, so let's make it public.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7e9e18e9 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: generate JSON message for passkey

Implement a set of functions to retrieve the passkey data and generate
the JSON message with it.

Implement new unit test and adapt the existing ones to take into account
the new data.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
efaa9c1d by Iker Pedrosa at 2025-12-04T15:16:04+01:00
util: implement function to set passkey PIN

`sss_authtok_set_local_passkey_pin` provides a way to set the passkey
PIN in the authtok structure for local passkey authentication.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3cbf1aaa by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: parse reply for passkey

Parse GUI reply for passkey and set the appropriate data in
`sss_auth_token` structure.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4cb99a24 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
krb5_child: advertise authentication methods

During the `preauthentication` phase krb5_child checks for the available
authentication methods for the given user, advertises them and the
process is kept alive. Once the state is changed to `authentication` the
same krb5_child process processes the credentials and proceeds with the
authentication itself.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bc1460c3 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: fix passkey auth when user-verification is off

When authenticating with a passkey, different PAM code paths within SSSD
can result in the `authtok` containing data even when the user did not
enter a PIN. Depending on the flow (e.g., triggered by `gdm` vs. `su`),
this data might be an empty string or non-printable characters like `^L`
(form feed).

The previous code had two issues:
1.  It only checked if the `authtok` was non-empty
    (`sss_authtok_get_type(...) != SSS_AUTHTOK_TYPE_EMPTY`). If user
    verification was disabled, this check would incorrectly pass for
    these 'junk' `authtok` values. This caused SSSD to prepare and send
    an erroneous PIN to the passkey helper.

2.  In the case where the `authtok` *was* correctly empty, the check
    would fail, `write_buf_len` would remain 0, and the `if
    (write_buf_len != 0)` block containing the `write_pipe_send` call
    would be skipped. This stalled the authentication flow, as the
    callback to continue the process was never set.

This patch fixes both issues:
1.  The `user_verification` setting is now stored in the state struct.
    The logic is updated to only prepare the PIN buffer if the `authtok`
    is non-empty *and* user verification is required
    (`state->user_verification != PAM_PASSKEY_VERIFICATION_OFF`).

2.  The `write_pipe_send` call is moved outside the conditional block so
    it always runs. This ensures that the asynchronous child
    communication (via `passkey_child_write_done`) is always triggered,
    even if the write buffer is empty (0-length).

This resolves both failure modes: junk PINs are no longer sent when
verification is off, and the auth flow no longer stalls when no PIN is
present.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
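
The two failure modes described in this commit message, as a simplified model added here for illustration; it is not SSSD source code. All type and function names below are hypothetical stand-ins, and only `write_buf_len`, `write_pipe_send`, `SSS_AUTHTOK_TYPE_EMPTY` and `PAM_PASSKEY_VERIFICATION_OFF` come from the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the SSSD types named in the commit message. */
enum tok_type { TOK_EMPTY, TOK_NON_EMPTY };  /* SSS_AUTHTOK_TYPE_EMPTY or anything else */
enum uv_mode  { UV_OFF, UV_ON };             /* PAM_PASSKEY_VERIFICATION_OFF or required */

struct authtok {
    enum tok_type type;
    const char *data;   /* may hold junk such as "\f" when no PIN was typed */
};

/* What the passkey helper would observe after the responder's send step. */
struct child_io {
    bool write_started; /* models whether write_pipe_send() was issued */
    size_t pin_len;     /* bytes of PIN data placed in the write buffer */
    char pin[32];       /* constructed size, for the model only */
};

/* Copy the token into the write buffer; refuse NULL or oversized input. */
static bool fill_pin(struct child_io *io, const struct authtok *tok, size_t *len)
{
    size_t n;

    if (tok->data == NULL) {
        return false;
    }
    n = strlen(tok->data);
    if (n >= sizeof(io->pin)) {
        return false;
    }
    memcpy(io->pin, tok->data, n + 1);
    *len = n;
    return true;
}

/* Logic as described for the previous code: the user-verification setting is
 * not consulted, and the write is only issued when the buffer is non-empty. */
int send_pin_before(const struct authtok *tok, enum uv_mode uv, struct child_io *io)
{
    size_t write_buf_len = 0;

    (void)uv;
    memset(io, 0, sizeof(*io));
    if (tok->type != TOK_EMPTY) {
        if (!fill_pin(io, tok, &write_buf_len)) {
            return -1;
        }
    }
    if (write_buf_len != 0) {
        io->pin_len = write_buf_len;
        io->write_started = true;
    }
    return 0;
}

/* Logic as described for the patch: a PIN is prepared only when the token is
 * non-empty AND user verification is required; the write is always issued. */
int send_pin_after(const struct authtok *tok, enum uv_mode uv, struct child_io *io)
{
    size_t write_buf_len = 0;

    memset(io, 0, sizeof(*io));
    if (tok->type != TOK_EMPTY && uv != UV_OFF) {
        if (!fill_pin(io, tok, &write_buf_len)) {
            return -1;
        }
    }
    io->pin_len = write_buf_len;   /* may legitimately be 0 */
    io->write_started = true;      /* continuation callback always gets set */
    return 0;
}

int main(void)
{
    /* Constructed sample tokens: form-feed junk, no token, and a typed PIN. */
    const struct authtok samples[] = {
        { TOK_NON_EMPTY, "\f" }, { TOK_EMPTY, NULL }, { TOK_NON_EMPTY, "123456" },
    };
    const enum uv_mode modes[] = { UV_OFF, UV_OFF, UV_ON };
    const char *labels[] = { "junk token, UV off", "empty token, UV off", "real PIN, UV on" };
    struct child_io io;
    size_t i;

    for (i = 0; i < 3; i++) {
        send_pin_before(&samples[i], modes[i], &io);
        printf("%-20s before: write=%d pin_len=%zu", labels[i], io.write_started, io.pin_len);
        send_pin_after(&samples[i], modes[i], &io);
        printf("  after: write=%d pin_len=%zu\n", io.write_started, io.pin_len);
    }
    return 0;
}
```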

- - - - -
6b40318a by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: add `gdm-switchable-auth` to `pam_p11_allowed_services`
defaults

The `pam_p11_allowed_services` option now includes `gdm-switchable-auth`
as one of the default allowed PAM services for smartcard authentication.
The service was added alongside the other GDM-related services
(gdm-smartcard and gdm-password) for logical grouping.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
78498226 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
sss_client: prevent JSON auth during password change preauth

When a user's password expires after successful JSON authentication, the
fallback to traditional password change fails. Add
PAM_CLI_FLAGS_CHAUTHTOK_PREAUTH flag to distinguish password change
preauth from normal authentication preauth. When this flag is set, the
PAM responder skips JSON message generation and returns traditional
preauth data instead.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
aa2ac83f by Iker Pedrosa at 2025-12-04T15:16:04+01:00
Responder: change authentication mechanism detection

Use `pam_get_auth_types()` to detect the available mechanisms for a
user.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
811ecc1f by Iker Pedrosa at 2025-12-04T15:16:04+01:00
man: clarify and fix `pam_json_services` compilation

Add a note to clarify that 2FA isn't supported in JSON protocol and fix
man page compilation for `pam_json_services` option.

:feature: Unified passwordless login in the GUI. SSSD now supports a
          rich authentication selection interface. Users can login with
          smartcards, passkey, External IdPs and passwords directly
          within the graphical user interface.
:packaging: SSSD now supports authentication mechanism selection through
            PAM using a JSON-based protocol. This feature enables
            passwordless authentication mechanisms in GUI login
            environments that support the protocol.
            Feature will be supported by GNOME Display Manager (GDM)
            starting with GNOME 50. While currently optimized for GNOME,
            the JSON protocol design allows for future support in other
            display managers.
            authselect is the recommended approach and will handle the
            necessary PAM stack modifications automatically starting
            with version 1.7 through the new option `with-switch-auth`
            which provides a new PAM service called `switchable-auth`.
            Manual PAM configuration is also possible.
            For more technical details and implementation specifications,
            see the design documentation:
            https://github.com/SSSD/sssd.io/pull/79

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
cc1b9e02 by Iker Pedrosa at 2025-12-04T15:16:04+01:00
krb5: port pre-authentication retry logic

Port the pre-authentication retry logic from the IPA provider to the
krb5 provider, making it available to all krb5-based authentication
flows.

Relates: 6c1272edf1 ("krb5: Add fallback password change support")
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
50239165 by Scott Poore at 2025-12-04T10:37:46-06:00
intg: remove test_session_recording.py

Removing intg session recording test file and removing from Makefile.

Reviewed-by: Dan Lavu <dlavu at redhat.com>

- - - - -
a0574f78 by shridhargadekar at 2025-12-05T10:25:13+01:00
Tests: Rectify the docstring n testcode

Modifying the doc-string to reflect correct group number.
Added verification of number of groups the user is part of initially.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
40710412 by Alexey Tikhonov at 2025-12-05T16:41:19+01:00
IPA: remove 'ipa_enable_dns_sites' option

It never worked as intended due to missing server side implementation.

:config: An option `ipa_enable_dns_sites`, that never worked due to missing
server side implementation, was removed.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
f2e8e51a by Justin Stephenson at 2025-12-05T17:23:38+01:00
ipa: Fix typo in trust type conditional

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
50527dc9 by Justin Stephenson at 2025-12-05T17:23:38+01:00
ipa: improve unknown trust type error return

If trust type is unknown for an IPA subdomain request, return
EINVAL instead of ENOMEM, and improve the logged error message.

Trust type should always be IPA_TRUST_IPA or IPA_TRUST_AD. However, if
trust discovery and initialization fail early on, we can reach this
code path.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e9216fc1 by Justin Stephenson at 2025-12-05T11:34:20-05:00
pam: Remove PAM_PASSKEY_VERIFICATION_OMIT mode

Remove support of ambiguous "unset" state of passkey user verification.
pam_sss prompting is binary, either on or off. The use of 'unset' passkey
user verification state allows for ambiguous behavior in SSSD. For
example, passkey_child may perform undefined behavior when the '--user-verification'
argument is not set. Now SSSD will always send '--user-verification=false/true'
to passkey_child.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
304f298c by Justin Stephenson at 2025-12-05T11:34:20-05:00
pam: Skip passkey_local() in Kerberos auth flow

Local auth functions should only be reached in AD/LDAP auth flows.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
879d0731 by Justin Stephenson at 2025-12-05T11:34:20-05:00
passkey: Remove SYSDB_PASSKEY_USER_VERIFICATION

Remove SYSDB_PASSKEY_USER_VERIFICATION and related functions. In
phase 1 of passkey implementation we read passkey user verification
from IPA LDAP tree, however now user verification is sent to the
SSSD krb5 plugin from ipa-otpd.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
be5df341 by Justin Stephenson at 2025-12-05T11:34:20-05:00
authtok: Set Kerberos passkey PIN to NULL when UV is false

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1e3464a0 by Madhuri Upadhye at 2025-12-08T20:22:36+05:30
Tests: Add IPA HBAC Test Cases for Validating Access Control Rules and Group Membership Refresh

A comprehensive set of IPA HBAC (Host-Based Access Control)
test cases to validate HBAC rule creation, modification,
conflict resolution, and access permission enforcement.
The tests cover scenarios including user and group-based
access, nested groups, service and host-specific rules,
category-based access, and authorization priority resolution.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
790228c8 by Madhuri Upadhye at 2025-12-08T22:26:43+05:30
tests: standardize HBAC test name format

Rename test_ipa_hbac_user_host_service_category_equals_all
to test_ipa__hbac_user_host_service_category_equals_all to
match the double-underscore naming convention used for
IPA HBAC tests and improve test discoverability.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

- - - - -
90fd8024 by Madhuri Upadhye at 2025-12-09T11:06:04+01:00
tests: Remove hardcoded domain and fix type errors in netgroup tests

Replace hardcoded "ldap.test" domain strings with dynamic `provider.domain`
and fix type checking errors in netgroup tests.

Changes:
- Remove `raise ValueError` and `pytest.skip` isinstance checks since
  topology markers already restrict tests to LDAP, AD, and Samba providers
- Change function signatures from `GenericProvider` to `AD | LDAP | Samba`
  to match the topology decorators
- Replace all hardcoded "ldap.test" with `provider.domain` for dynamic
  domain resolution across different provider topologies
- Rework parametrized test to use boolean flag and format string with
  `{domain}` placeholder for runtime substitution
- Fix type errors by passing netgroup names as strings instead of objects
  to `add_member(ng=...)` calls
- Fix type conflict by using separate variable names (`passwd_result`,
  `group_result`) for different entry types

Affected tests:
- test_netgroup__user_attribute_membernisnetgroup_uses_group_dn
- test_netgroup__lookup_nested_groups
- test_netgroup__lookup_nested_groups_with_host_and_domain_values_present
- test_netgroup__uid_gt_2147483647

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
63771a1a by Madhuri Upadhye at 2025-12-09T11:06:04+01:00
tests: Add netgroup tests for incomplete triples and complex hierarchy

Add new test cases to verify netgroup functionality with incomplete
triples and complex nested hierarchies.

New tests:
- test_netgroup__incomplete_triples: Verify netgroups with various
  incomplete triple combinations (empty, only host, only user, only
  domain, missing host, missing user, missing domain)
- test_netgroups__complex_hierarchy: Verify netgroups with multiple
  levels of nesting (base -> mid -> top) work correctly and return
  the expected combination of direct triples and inherited members

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>

- - - - -
97fa9e77 by Pavel Březina at 2025-12-09T18:08:08+01:00
intg: remove ent_test.py

These tests randomly fail, making CI red. They do not test SSSD, just
internal intg tests tooling and since the intg tests are going away,
it does not make sense to spend time on it or even mark it as flaky.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>

- - - - -
b0146aef by Justin Stephenson at 2025-12-10T10:25:20-05:00
util: Add string_begins_with() helper

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
358a708f by Justin Stephenson at 2025-12-10T10:25:20-05:00
simple: Resolve group names in SID format

After changes from 'Dont store GID for non-posix groups', the simple
access provider was not identifying groups with names in SID format as
groups that need to be resolved because they are no longer stored
temporarily as non-POSIX.

Add code to check for, and resolve any group names which are SIDs
returned from initgroups (AD provider).

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4482fac2 by Justin Stephenson at 2025-12-10T10:25:20-05:00
tests: Remove preferred topology from simple access test

The changes from Dont store GID for non-posix groups commit 85b632d have
caused the test test_access_control_simple__permits_user_login_based_on_group
to fail, specifically when run against samba (ipa and ldap succeed).

Drop the preferred LDAP topology, to ensure this test runs against
all providers to catch potential issues like this.

- - - - -
449913a8 by Dan Lavu at 2025-12-10T12:10:29-05:00
adding subid test

- - - - -
60ba493e by Sumit Bose at 2025-12-11T12:24:23-05:00
krb5: fix OTP authentication

Resolves: https://github.com/SSSD/sssd/issues/8292
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
df15165d by Iker Pedrosa at 2025-12-11T12:24:23-05:00
krb5_child: fix OTP authentication for PAM stacked tokens

The `tokeninfo_matches()` function already handles PAM stacked tokens
correctly by processing them through the 2FA single path, so the
`answer_otp()` function should allow this token type to proceed.

Add SSS_AUTHTOK_TYPE_PAM_STACKED to the allowed authentication token
types in `answer_otp()` to restore previous functionality.

Fixes: 4cb99a248 ("krb5_child: advertise authentication methods").
Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1b711043 by Tomas Halman at 2025-12-15T14:16:53+01:00
IPA: Fail with short names

SSSD in server mode on IPA server is not allowed to use
short names.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
48160965 by Tomas Halman at 2025-12-15T14:16:53+01:00
IPA: remove re-declaration of `ipa_trusted_subdom_init`

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
09f574f0 by Tomas Halman at 2025-12-15T14:16:53+01:00
IPA: remove CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL

This format is not used anywhere except in unnecessary check.
This update removes it.

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
83604245 by Tomas Halman at 2025-12-15T14:16:53+01:00
tests: SSSD must refuse to start on IPA with short names

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2b43681d by Madhuri Upadhye at 2025-12-15T14:31:03+01:00
tests: Add netgroup offline and nested hierarchy

Add new system tests for netgroup functionality:

- test_netgroup__offline: Verify netgroups remain
  accessible from cache when backend goes offline
- test_netgroups__step_by_step_removal: Test removing
  netgroups from hierarchy and deleting them with proper cache invalidation
- test_netgroups__nested_modification: Test that adding/removing
  members in nested netgroups (3-level deep) propagates correctly through the hierarchy

Related: https://fedorahosted.org/sssd/ticket/2841

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
698f9920 by Samuel Cabrero at 2025-12-17T13:53:01-05:00
SSSCTL: config-check: do not return an error if snippets directory does not exists

There is a discrepancy between sssd and sssctl config-check regarding
the absence of the snippets directory.

The sssctl config-check command exits with code 1, but sssd does not
consider it a hard error, it just logs a warning and then runs fine.

Signed-off-by: Samuel Cabrero <scabrero at suse.com>
Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
be842170 by Justin Stephenson at 2025-12-17T13:53:01-05:00
tests: Update sssctl config-check tests

Tests using non-default config specified a full path, which
--config argument does not handle. The --snippet argument needs
to be provided because it defaults to conf.d if not specified.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
87e72fd0 by Alexey Tikhonov at 2025-12-19T09:38:52+01:00
KCM: root can't access arbitrary KCM cache

so remove confusing traces suggesting otherwise

See: https://github.com/SSSD/sssd/issues/7274#issuecomment-2063499790

Resolves: https://github.com/SSSD/sssd/issues/7274
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
9579e08c by Sumit Bose at 2025-12-23T08:55:15+00:00
spec: clarify description of sssd-idp package

Make clear that the sssd-idp package now contains SSSD's IdP provider as
well.

Resolves: https://github.com/SSSD/sssd/issues/8022
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
794e80f4 by Sumit Bose at 2026-01-02T11:46:53+00:00
sysdb: add sysdb_search_user_by_upn_with_view_res()

The new call will apply overrides to a user object which was searched by
UPN or email address before returning it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
43f22b96 by Sumit Bose at 2026-01-02T11:46:53+00:00
cache_req: use sysdb_search_user_by_upn_with_view_res()

To make sure any overrides are applied to the user even when searched by
UPN or email address sysdb_search_user_by_upn_with_view_res() is now
used in the cache request code.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fe61b85b by Sumit Bose at 2026-01-02T11:46:53+00:00
sysdb:: remove sysdb_getpwupn()

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6d8f9d7e by Sumit Bose at 2026-01-02T11:46:53+00:00
tests: lookup user with overrides with email

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6413f60b by Madhuri Upadhye at 2026-01-02T11:46:53+00:00
tests: add IPA ID view test for user lookup by email

Add a system test to verify that IPA ID view overrides are correctly
applied when looking up a user by email address.

The test creates a user with an email, applies ID view overrides
(login, uid, gid, home), and verifies that the overridden values are
returned when looking up the user by:
- original name
- overridden name
- email address

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d9ab8a8a by Alexey Tikhonov at 2026-01-05T14:42:09+01:00
KRB5: let 'krb5_child' tolerate missing cap-set-id

If CAP_SETUID and/or CAP_SETGID are missing, 'krb5_child' will
skip operations that require those capabilities, namely any manipulations
with user ccache.

:packaging: This update makes it possible to not grant CAP_SETUID and CAP_SETGID
to 'krb5_child' binary in a situation where it is not required to store acquired
TGT after user authentication. Taking into account that it is already possible
to avoid using CAP_DAC_READ_SEARCH if keytab is readable by SSSD service user,
and usage of 'selinux_child' isn't always required, this allows to build a setup
with completely privilege-less SSSD to serve certain use cases. In particular,
this might be used to build a container running SSSD on OCP with a restricted
profile.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c1232010 by Sumit Bose at 2026-01-05T16:30:09+01:00
pac: fix issue with pac_check=no_check

So far SSSD expected that the PAC contains the logon_info buffer even if
PAC checks are disabled with the 'no_check' option. This causes issues
with PACs issued by MIT Kerberos KDCs which do not contain this buffer.
This patch makes sure that the logon_info is not expected if
'no_check' is set and adds some clarifications to the man page.

Resolves: https://github.com/SSSD/sssd/issues/8300
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
72a42d5c by Sumit Bose at 2026-01-06T08:18:11+00:00
sysdb: do not treat missing id-override as an error

In sysdb_search_user_by_upn_with_view_res()
sysdb_add_overrides_to_object() can return ENOENT if there is no
id-override for the given user. This is expected and should not be
treated as an error.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
8942d300 by dependabot[bot] at 2026-01-08T09:22:20-05:00
ci: bump cross-platform-actions/action from 0.29.0 to 0.32.0

Bumps [cross-platform-actions/action](https://github.com/cross-platform-actions/action) from 0.29.0 to 0.32.0.
- [Release notes](https://github.com/cross-platform-actions/action/releases)
- [Changelog](https://github.com/cross-platform-actions/action/blob/master/changelog.md)
- [Commits](https://github.com/cross-platform-actions/action/compare/v0.29.0...v0.32.0)

---
updated-dependencies:
- dependency-name: cross-platform-actions/action
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support at github.com>

- - - - -
4d68ca71 by dependabot[bot] at 2026-01-08T09:28:33-05:00
ci: bump actions/checkout from 4 to 6

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support at github.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
1280ffe0 by dependabot[bot] at 2026-01-08T10:03:18-05:00
ci: bump actions/upload-artifact from 5 to 6

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support at github.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
160bbb3f by Dan Lavu at 2026-01-09T14:52:15-05:00
adding parametrized enumeration enabled tests

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
5b5dce2f by Dan Lavu at 2026-01-09T14:52:15-05:00
removing intg enumeration tests.

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
1a8c3025 by Sumit Bose at 2026-01-10T16:59:38+00:00
ipa s2n: do not try to update user-private-group

When an IPA client requests the details about a trusted user from the
IPA server including its memberships the server will return the name of
all groups including the user-private-group. Since this group is not a
cached object on its own it is not needed to try to update it as a group
but it will be updated when the user object is updated.

This has to be taken into account especially after a client is assigned
to a new id-view because now the SYSDB_OVERRIDE_DN attribute is required
and all cached objects which are missing it must be updated. If the
user-private-group was found for update it should be skipped because the
calls to update group objects in the cache cannot handle
user-private-groups. This is expected behavior as user-private-groups
are not objects on their own.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
08c2ccf5 by Sumit Bose at 2026-01-10T16:59:38+00:00
tests: check user lookup after view change

After a new view is applied to a client SSSD should make sure that the
cache entries are updated properly and all cached users can still be
resolved properly.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Alejandro López <allopez at redhat.com>

- - - - -
116f10e9 by Alexey Tikhonov at 2026-01-13T11:27:29+00:00
DP: use 'SSSDBG_CONF_SETTINGS' to log options

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
16099f24 by Alexey Tikhonov at 2026-01-13T11:27:29+00:00
IDP: avoid logging value of 'idp_client_secret'

Note that 'ldap_default_authtok' doesn't require special handling
because it is of DP_OPT_BLOB type and isn't logged.

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
44b938a2 by Alexey Tikhonov at 2026-01-13T11:27:29+00:00
OIDC_CHILD: don't log 'post_data' content

as it might contain 'secret'

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9ed92624 by Jakub Vávra at 2026-01-13T16:29:02+01:00
Tests: Update test_0003_ad_parameters_junk_domain_invalid_keytab

Change 684e5683d115b67fb9ad53d7138108a7154f5d95 added a code path
that sets the realm to the AD domain name if the keytab is invalid.
This changes the expected log message "Selected realm:" on sssd 2.12+.

Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>

- - - - -
c3dc228b by Alexey Tikhonov at 2026-01-13T19:01:08+00:00
KRB5_CHILD: comment fixed

'krb5_child' doesn't precreate path to FILE:/DIR: ccache since
5e17bc22f6c0ad74ba3ddb198db94acc96cc90a4

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6378238b by Alexey Tikhonov at 2026-01-13T19:01:08+00:00
KRB5_CHILD: only setup/check ccache if can later use it

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2a991f2f by Alexey Tikhonov at 2026-01-13T19:01:08+00:00
KRB5_CHILD: use ruid/rgid instead of CAP_DAC_READ_SEARCH

to check FILE:/DIR: ccache path.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e2273e09 by Alexey Tikhonov at 2026-01-13T19:01:08+00:00
KRB5_CHILD: allow `k5c_ccache_check()` during SSS_PAM_PREAUTH

This should cover a case when a single execution of 'krb5_child'
handles both PREAUTH and AUTH

Resolves: https://github.com/SSSD/sssd/issues/8331
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
735fe23a by Alexey Tikhonov at 2026-01-13T19:01:08+00:00
KRB5_CHILD: don't check if FILE:/DIR: path accessible in advance

Inaccessible FILE:/DIR: path is a system configuration error that
needs to be fixed anyway. It doesn't make much difference to fail
before or after credentials check in this case.

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4617eb2a by Hosted Weblate at 2026-01-14T14:10:57+01:00
po: update translations

(Georgian) currently translated at 0.5% (15 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ka/

Added translation using Weblate (Georgian)

po: update translations

(Swedish) currently translated at 97.2% (2747 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Spanish) currently translated at 100.0% (2824 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 100.0% (2824 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 89.1% (2519 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 88.5% (2500 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 87.3% (2467 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Swedish) currently translated at 96.3% (2721 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 96.3% (2720 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Swedish) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/sv/

po: update translations

(Portuguese (Brazil)) currently translated at 0.3% (10 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt_BR/

po: update translations

(Portuguese (Brazil)) currently translated at 1.0% (8 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt_BR/

po: update translations

(Spanish) currently translated at 85.9% (2428 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 85.9% (2428 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 84.2% (2378 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 83.9% (2371 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 83.9% (2371 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Finnish) currently translated at 10.2% (76 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/

po: update translations

(Spanish) currently translated at 82.7% (2337 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 82.6% (2335 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Turkish) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/tr/

po: update translations

(Spanish) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Spanish) currently translated at 77.8% (2198 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 77.8% (2198 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 77.8% (2198 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 69.3% (1959 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 97.4% (723 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Spanish) currently translated at 67.0% (1893 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 97.4% (723 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Korean) currently translated at 67.5% (1680 of 2486 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Spanish) currently translated at 64.3% (1817 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 97.4% (723 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Korean) currently translated at 67.2% (1671 of 2486 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Spanish) currently translated at 62.6% (1768 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Spanish) currently translated at 97.4% (723 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Spanish) currently translated at 97.4% (723 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Spanish) currently translated at 62.5% (1767 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/es/

po: update translations

(Swedish) currently translated at 95.9% (2709 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/sv/

po: update translations

(Korean) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 99.3% (737 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Korean) currently translated at 95.1% (706 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Portuguese) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 89.3% (663 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 85.4% (634 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 83.0% (616 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 79.3% (589 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 77.7% (577 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 73.3% (544 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 69.0% (512 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 63.3% (470 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 62.2% (462 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 60.6% (450 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 59.8% (444 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 56.4% (419 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 54.9% (408 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 52.1% (387 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 46.4% (345 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 44.8% (333 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 41.9% (311 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 40.0% (297 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 33.2% (247 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 27.8% (207 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 27.3% (203 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 25.4% (189 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 23.7% (176 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 22.5% (167 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 21.1% (157 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 18.0% (134 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 18.0% (134 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 16.0% (119 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 15.7% (117 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 15.6% (116 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 100.0% (2824 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 99.8% (2819 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 99.7% (2818 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(French) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/

po: update translations

(Portuguese) currently translated at 99.4% (2808 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 99.3% (2807 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 99.2% (2803 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 99.2% (2802 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 98.9% (2795 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 98.9% (2794 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 98.8% (2792 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 98.6% (2786 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 98.3% (2776 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Korean) currently translated at 94.3% (700 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Russian) currently translated at 100.0% (2824 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 98.9% (2795 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Russian) currently translated at 98.1% (2771 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Portuguese) currently translated at 98.2% (2774 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Russian) currently translated at 97.8% (2763 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Portuguese) currently translated at 98.0% (2769 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 95.6% (2702 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 93.6% (2646 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 93.6% (2645 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 93.3% (2635 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Russian) currently translated at 97.2% (2747 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ru/

po: update translations

(Portuguese) currently translated at 93.0% (2629 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Russian) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ru/

po: update translations

(Portuguese) currently translated at 92.9% (2625 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 92.2% (2604 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 92.0% (2599 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 91.9% (2598 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 91.9% (2597 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 91.9% (2596 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 89.4% (2525 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 15.4% (115 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 84.8% (2397 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 84.4% (2385 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 83.6% (2363 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 83.2% (2351 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Korean) currently translated at 93.8% (696 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/

po: update translations

(Portuguese) currently translated at 82.6% (2335 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 82.4% (2327 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 82.1% (2319 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 81.6% (2305 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 14.8% (110 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 77.8% (2199 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 77.7% (2195 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Ukrainian) currently translated at 100.0% (2824 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Portuguese) currently translated at 77.2% (2182 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Spanish) currently translated at 97.3% (722 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/es/

po: update translations

(Ukrainian) currently translated at 99.3% (2806 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Portuguese) currently translated at 77.2% (2181 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 70.6% (1996 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 68.7% (1942 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 68.2% (1926 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 67.8% (1916 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 67.3% (1902 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 66.0% (1864 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 59.4% (1679 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 58.6% (1655 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 53.5% (1513 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 53.2% (1505 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 53.0% (1499 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 52.7% (1490 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 51.8% (1464 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 50.8% (1436 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 50.7% (1432 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 14.6% (109 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 48.1% (1359 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 47.6% (1346 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 47.4% (1340 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 47.4% (1340 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 47.4% (1340 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 43.1% (1219 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 40.5% (1144 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 40.1% (1133 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 39.5% (1116 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 39.4% (1115 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 38.7% (1094 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Ukrainian) currently translated at 98.9% (2795 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Portuguese) currently translated at 35.9% (1016 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Ukrainian) currently translated at 98.9% (2794 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Portuguese) currently translated at 33.6% (950 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 14.5% (108 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 31.0% (878 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 30.7% (869 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 30.0% (848 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 27.4% (776 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 25.5% (722 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 14.4% (107 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Polish) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/

po: update translations

(Portuguese) currently translated at 24.3% (688 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Ukrainian) currently translated at 100.0% (742 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/

po: update translations

(Ukrainian) currently translated at 96.0% (2713 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/uk/

po: update translations

(Portuguese) currently translated at 23.4% (661 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 14.2% (106 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 10.1% (287 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 13.4% (100 of 742 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pt/

po: update translations

(Portuguese) currently translated at 8.3% (237 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 8.1% (231 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 8.1% (231 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

po: update translations

(Portuguese) currently translated at 8.1% (231 of 2824 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/pt/

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/
Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
47575276 by Pavel Březina at 2026-01-14T15:40:41+01:00
scripts: authenticate git push for release

actions/checkout@v6 changed behavior and the credentials can be reused
only if it is run from the same directory. But we copy the repository to
a temporary location to prepare the release, so we need to
re-authenticate in the tmp folder.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
e6927eb9 by Pavel Březina at 2026-01-14T15:57:52+01:00
scripts: use sssd-bot token for release script

In order to bypass branch protection rules.

Reviewed-by: Justin Stephenson <jstephen at redhat.com>

- - - - -
6749ec8b by sssd-bot at 2026-01-14T15:01:41+00:00
pot: update pot files

- - - - -
1a1cf163 by sssd-bot at 2026-01-14T15:01:42+00:00
Release sssd-2.12.0

- - - - -


378 changed files:

- + .gemini/config.yaml
- .github/actions/install-dependencies/action.yml
- .github/dependabot.yml
- + .github/workflows/accepted.yml
- .github/workflows/analyze-target.yml
- + .github/workflows/backport.yml
- + .github/workflows/build.yml
- .github/workflows/ci.yml
- − .github/workflows/copr_build.yml
- − .github/workflows/copr_cleanup.yml
- .github/workflows/coverity.yml
- + .github/workflows/release.yml
- .github/workflows/static-code-analysis.yml
- + .packit.yaml
- + .pre-commit-config.yaml
- Makefile.am
- configure.ac
- contrib/ci/get-matrix.py
- contrib/fedora/bashrc_sssd
- contrib/sssd.spec.in
- contrib/test-suite/README.md
- po/bg.po
- po/ca.po
- po/cs.po
- po/de.po
- po/es.po
- po/eu.po
- po/fi.po
- po/fr.po
- po/hu.po
- po/id.po
- po/it.po
- po/ja.po
- po/ka.po
- po/ko.po
- po/nb.po
- po/nl.po
- po/pl.po
- po/pt.po
- po/pt_BR.po
- po/ru.po
- po/sssd.pot
- po/sv.po
- po/tg.po
- po/tr.po
- po/uk.po
- po/zh_CN.po
- po/zh_TW.po
- sbus_generate.sh.in
- scripts/release.sh
- src/conf_macros.m4
- src/confdb/confdb.c
- src/confdb/confdb.h
- src/config/SSSDConfig/__init__.py.in
- src/config/SSSDConfig/ipachangeconf.py
- src/config/SSSDConfig/sssdoptions.py
- src/config/SSSDConfigTest.py
- src/config/cfg_rules.ini
- src/config/etc/sssd.api.conf
- src/config/etc/sssd.api.d/sssd-ad.conf
- src/config/etc/sssd.api.d/sssd-ipa.conf
- src/config/etc/sssd.api.d/sssd-krb5.conf
- src/config/etc/sssd.api.d/sssd-ldap.conf
- src/config/etc/sssd.api.d/sssd-proxy.conf
- src/config/testconfigs/noparse.api.conf
- src/config/testconfigs/sssd-invalid-badbool.conf
- src/db/sysdb.c
- src/db/sysdb.h
- src/db/sysdb_ops.c
- − src/db/sysdb_passkey_user_verification.c
- − src/db/sysdb_passkey_user_verification.h
- src/db/sysdb_private.h
- src/db/sysdb_search.c
- src/db/sysdb_selinux.c
- src/db/sysdb_subdomains.c
- src/db/sysdb_views.c
- src/examples/sssdproxytest
- src/external/docbook.m4
- src/external/inotify.m4
- src/external/libdhash.m4
- src/external/pac_responder.m4
- src/external/pam.m4
- src/krb5_plugin/passkey/passkey_clpreauth.c
- src/krb5_plugin/sssd_krb5_localauth_plugin.c
- src/man/Makefile.am
- src/man/po/br.po
- src/man/po/ca.po
- src/man/po/cs.po
- src/man/po/de.po
- src/man/po/es.po
- src/man/po/eu.po
- src/man/po/fi.po
- src/man/po/fr.po
- src/man/po/ja.po
- + src/man/po/ka.po
- src/man/po/ko.po
- src/man/po/lv.po
- src/man/po/nl.po
- src/man/po/pt.po
- src/man/po/pt_BR.po
- src/man/po/ru.po
- src/man/po/sssd-docs.pot
- src/man/po/sv.po
- src/man/po/tg.po
- src/man/po/uk.po
- src/man/po/zh_CN.po
- src/man/sss-certmap.5.xml
- src/man/sssd-ad.5.xml
- src/man/sssd-idp.5.xml
- src/man/sssd-ifp.5.xml
- src/man/sssd-ipa.5.xml
- src/man/sssd-kcm.8.xml
- src/man/sssd-ldap-attributes.5.xml
- src/man/sssd-ldap.5.xml
- src/man/sssd.conf.5.xml
- src/monitor/monitor.c
- + src/monitor/monitor_services.c
- + src/monitor/monitor_services.h
- src/oidc_child/oidc_child.c
- src/oidc_child/oidc_child_curl.c
- src/p11_child/p11_child_common.c
- src/p11_child/p11_child_openssl.c
- src/passkey_child/passkey_child.c
- src/passkey_child/passkey_child_common.c
- src/passkey_child/passkey_child_credentials.c
- src/providers/ad/ad_common.c
- src/providers/ad/ad_common.h
- src/providers/ad/ad_dyndns.c
- src/providers/ad/ad_gpo.c
- src/providers/ad/ad_gpo_child.c
- src/providers/ad/ad_id.c
- src/providers/ad/ad_id.h
- src/providers/ad/ad_init.c
- src/providers/ad/ad_machine_pw_renewal.c
- src/providers/ad/ad_opts.c
- src/providers/ad/ad_pac_common.c
- src/providers/ad/ad_subdomains.c
- src/providers/backend.h
- src/providers/be_dyndns.c
- src/providers/be_dyndns.h
- src/providers/data_provider/dp_targets.c
- src/providers/data_provider_be.c
- src/providers/data_provider_opts.c
- src/providers/idp/idp_auth.c
- src/providers/idp/idp_id.c
- src/providers/idp/idp_init.c
- src/providers/idp/idp_opts.c
- src/providers/idp/oidc_child_handler.c
- src/providers/ipa/ipa_autofs.c
- src/providers/ipa/ipa_common.c
- src/providers/ipa/ipa_common.h
- src/providers/ipa/ipa_dyndns.c
- src/providers/ipa/ipa_hosts.c
- src/providers/ipa/ipa_id.c
- src/providers/ipa/ipa_init.c
- src/providers/ipa/ipa_opts.c
- src/providers/ipa/ipa_s2n_exop.c
- src/providers/ipa/ipa_selinux.c
- src/providers/ipa/ipa_session.c
- src/providers/ipa/ipa_subdomains.c
- src/providers/ipa/ipa_subdomains.h
- src/providers/ipa/ipa_subdomains_ext_groups.c
- src/providers/ipa/ipa_subdomains_id.c
- − src/providers/ipa/ipa_subdomains_passkey.c
- src/providers/ipa/ipa_subdomains_server.c
- src/providers/ipa/ipa_views.c
- src/providers/ipa/selinux_child.c
- src/providers/krb5/krb5_auth.c
- src/providers/krb5/krb5_auth.h
- src/providers/krb5/krb5_ccache.c
- src/providers/krb5/krb5_ccache.h
- src/providers/krb5/krb5_child.c
- src/providers/krb5/krb5_child_handler.c
- src/providers/krb5/krb5_delayed_online_authentication.c
- src/providers/krb5/krb5_init.c
- src/providers/ldap/ldap_auth.c
- src/providers/ldap/ldap_child.c
- src/providers/ldap/ldap_common.h
- src/providers/ldap/ldap_id.c
- src/providers/ldap/ldap_id_subid.c
- src/providers/ldap/ldap_init.c
- src/providers/ldap/ldap_options.c
- src/providers/ldap/ldap_opts.c
- src/providers/ldap/ldap_opts.h
- src/providers/ldap/sdap.c
- src/providers/ldap/sdap.h
- src/providers/ldap/sdap_ad_groups.c
- src/providers/ldap/sdap_async.c
- src/providers/ldap/sdap_async_groups.c
- src/providers/ldap/sdap_async_initgroups.c
- src/providers/ldap/sdap_async_initgroups_ad.c
- src/providers/ldap/sdap_async_nested_groups.c
- src/providers/ldap/sdap_autofs.h
- src/providers/ldap/sdap_child_helpers.c
- src/providers/ldap/sdap_dyndns.c
- src/providers/ldap/sdap_dyndns.h
- src/providers/ldap/sdap_range.c
- src/providers/ldap/sdap_utils.c
- src/providers/proxy/proxy.h
- src/providers/proxy/proxy_auth.c
- src/providers/proxy/proxy_child.c
- src/providers/simple/simple_access_check.c
- src/python/pysss.c
- src/responder/autofs/autofssrv.c
- src/responder/common/cache_req/cache_req.c
- src/responder/common/cache_req/plugins/cache_req_user_by_upn.c
- src/responder/ifp/ifp_users.c
- src/responder/ifp/ifpsrv.c
- src/responder/kcm/kcm.c
- src/responder/kcm/kcmsrv_ccache.c
- src/responder/kcm/kcmsrv_ccache.h
- src/responder/kcm/kcmsrv_ccache_secdb.c
- src/responder/nss/nsssrv.c
- src/responder/nss/nsssrv_mmap_cache.c
- src/responder/pac/pacsrv.c
- src/responder/pam/pam_helpers.c
- src/responder/pam/pam_prompting_config.c
- src/responder/pam/pamsrv.c
- src/responder/pam/pamsrv.h
- src/responder/pam/pamsrv_cmd.c
- + src/responder/pam/pamsrv_json.c
- + src/responder/pam/pamsrv_json.h
- src/responder/pam/pamsrv_p11.c
- src/responder/pam/pamsrv_passkey.c
- src/responder/pam/pamsrv_passkey.h
- src/responder/ssh/ssh_cert_to_ssh_key.c
- src/responder/ssh/sshsrv.c
- src/responder/sudo/sudosrv.c
- src/sbus/request/sbus_request_hash.c
- src/sbus/sbus_private.h
- src/shared/cred.h
- src/shared/io.h
- src/sss_client/autofs/sss_autofs.c
- src/sss_client/autofs/sss_autofs.exports
- src/sss_client/autofs/sss_autofs_private.h
- src/sss_client/nss_group.c
- src/sss_client/nss_hosts.c
- src/sss_client/nss_ipnetworks.c
- src/sss_client/nss_mc.h
- src/sss_client/nss_mc_common.c
- src/sss_client/nss_mc_group.c
- src/sss_client/nss_mc_passwd.c
- src/sss_client/nss_passwd.c
- src/sss_client/nss_services.c
- src/sss_client/pam_message.c
- src/sss_client/pam_message.h
- src/sss_client/pam_sss.c
- src/sss_client/pam_sss_prompt_config.c
- src/sss_client/sss_cli.h
- − src/sss_client/sss_pac_responder_client.c
- src/sss_client/sss_sudo.exports
- src/sysv/systemd/sssd-kcm.service.in
- src/sysv/systemd/sssd.service.in
- src/tests/auth-tests.c
- src/tests/check_file-tests.c
- src/tests/cmocka/dummy_child.c
- src/tests/cmocka/test_authtok.c
- src/tests/cmocka/test_child_common.c
- src/tests/cmocka/test_dyndns.c
- src/tests/cmocka/test_fqnames.c
- src/tests/cmocka/test_iobuf.c
- src/tests/cmocka/test_ipa_subdomains_server.c
- src/tests/cmocka/test_kcm_marshalling.c
- src/tests/cmocka/test_kcm_queue.c
- src/tests/cmocka/test_krb5_common.c
- src/tests/cmocka/test_negcache.c
- src/tests/cmocka/test_negcache_2.c
- src/tests/cmocka/test_nss_srv.c
- src/tests/cmocka/test_pam_srv.c
- + src/tests/cmocka/test_pamsrv_json.c
- src/tests/cmocka/test_prompt_config.c
- src/tests/cmocka/test_responder_cache_req.c
- + src/tests/cmocka/test_sss_pam_data.c
- src/tests/cmocka/test_string_utils.c
- src/tests/cmocka/test_sysdb_subdomains.c
- src/tests/cmocka/test_sysdb_ts_cache.c
- src/tests/cmocka/test_sysdb_views.c
- src/tests/cmocka/test_utils.c
- src/tests/cmocka/test_utils.h
- src/tests/cwrap/test_server.c
- src/tests/files-tests.c
- src/tests/intg/Makefile.am
- − src/tests/intg/ent_test.py
- − src/tests/intg/ldap_local_override_test.py
- − src/tests/intg/test_enumeration.py
- − src/tests/intg/test_infopipe.py
- − src/tests/intg/test_ldap.py
- − src/tests/intg/test_pac_responder.py
- − src/tests/intg/test_pysss_nss_idmap.py
- − src/tests/intg/test_resolver.py
- − src/tests/intg/test_session_recording.py
- − src/tests/intg/test_sssctl.py
- src/tests/krb5_utils-tests.c
- src/tests/multihost/ad/conftest.py
- src/tests/multihost/ad/pytest.ini
- src/tests/multihost/ad/readme.rst
- src/tests/multihost/ad/test_access_control.py
- src/tests/multihost/ad/test_adparameters_ported.py
- src/tests/multihost/ad/test_hostkeytabrotation.py
- − src/tests/multihost/ad/test_idmap.py
- − src/tests/multihost/ad/test_samba_data.py
- src/tests/multihost/admultidomain/pytest.ini
- src/tests/multihost/adsites/pytest.ini
- src/tests/multihost/alltests/pytest.ini
- src/tests/multihost/alltests/test_all_misc.py
- src/tests/multihost/alltests/test_kcm.py
- − src/tests/multihost/alltests/test_misc_proxy.py
- src/tests/multihost/alltests/test_multidomain.py
- − src/tests/multihost/alltests/test_proxy_provider_krb_auth.py
- − src/tests/multihost/alltests/test_proxy_rfc2307.py
- − src/tests/multihost/alltests/test_proxy_rfc2307bis.py
- src/tests/multihost/docs/Install.rst
- src/tests/multihost/docs/running.rst
- src/tests/multihost/ipa/pytest.ini
- src/tests/multihost/ipa/test_adtrust.py
- src/tests/multihost/ipa/test_misc.py
- src/tests/multihost/sssd/testlib/common/custom_log.py
- src/tests/multihost/sssd/testlib/common/samba.py
- src/tests/multihost/sssd/testlib/common/utils.py
- src/tests/polarion.yaml
- src/tests/refcount-tests.c
- src/tests/resolv-tests.c
- src/tests/responder_socket_access-tests.c
- src/tests/strtonum-tests.c
- src/tests/sysdb-tests.c
- src/tests/sysdb_ssh-tests.c
- src/tests/system/mhc.yaml
- src/tests/system/pytest.ini
- src/tests/system/tests/test_access_control_simple.py
- src/tests/system/tests/test_authentication.py
- src/tests/system/tests/test_failover.py
- + src/tests/system/tests/test_gdm.py
- + src/tests/system/tests/test_gdm_passkey.py
- src/tests/system/tests/test_identity.py
- src/tests/system/tests/test_infopipe.py
- src/tests/system/tests/test_ipa.py
- src/tests/system/tests/test_ipa_trusts.py
- src/tests/system/tests/test_kcm.py
- src/tests/system/tests/test_ldap.py
- src/tests/system/tests/test_netgroups.py
- + src/tests/system/tests/test_nss.py
- + src/tests/system/tests/test_pac_responder.py
- src/tests/system/tests/test_passkey.py
- + src/tests/system/tests/test_pysss_nss_idmap.py
- + src/tests/system/tests/test_smartcard.py
- src/tests/system/tests/test_sss_override.py
- src/tests/system/tests/test_sssctl.py
- src/tests/system/tests/test_sudo.py
- src/tests/util-tests.c
- src/tools/sssctl/sssctl_config.c
- src/util/authtok-utils.c
- src/util/authtok.c
- src/util/authtok.h
- + src/util/child_bootstrap.c
- src/providers/ipa/ipa_subdomains_passkey.h → src/util/child_bootstrap.h
- src/util/child_common.h
- src/util/child_common.c → src/util/child_handlers.c
- + src/util/child_io.c
- src/util/debug.c
- src/util/debug.h
- src/util/domain_info_utils.c
- src/util/file_watch.c
- src/util/find_uid.c
- src/util/inotify.c
- src/util/murmurhash3.c
- src/util/sss_chain_id.h
- src/util/sss_pam_data.c
- src/util/sss_pam_data.h
- src/util/sss_prctl.c
- src/util/string_utils.c
- src/util/strtonum.c
- src/util/util.c
- src/util/util.h
- src/util/util_creds.h
- src/util/util_errors.c
- src/util/util_errors.h
- src/util/util_watchdog.c
- version.m4


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/ced937c9d3818567c59f624379e61be0004edf2f...1a1cf163b78ff4768cc8bfc1e631171bc021e2fe
