[Pkg-sssd-devel] sssd: Changes to 'upstream-next'

Timo Aaltonen tjaalton at moszumanska.debian.org
Fri Apr 3 09:03:20 UTC 2015


New branch 'upstream-next' available with the following commits:
commit 6e37fea2fe0d5795a5fe9b0a9f997498069febb3
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Feb 18 16:58:58 2015 +0100

    Updating translations for the 1.12.4 release

commit 29b2fbec52308454fc87ec4bc43b638236220901
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Wed Feb 18 10:23:19 2015 +0100

    RESPONDERS: Warn to syslog about colliding objects
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2203
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>

commit 89caf3e55c20567d24f08eeabe4b6289c6e28852
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Jan 28 11:22:49 2015 +0100

    LDAP: Handle ENOENT better in the cleanup task
    
    The cleanup task handled both count=0 and ret=ENOENT separately which
    makes no sense, the count=0 handler was dead code previously. Set
    count=0 on ENOENT instead to just bubble through the DEBUG message
    gracefully as well.
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>

commit dcc7ceea40ffbe6bcf30c58180af632861cc32bb
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Jan 28 11:21:40 2015 +0100

    LDAP: Add better DEBUG messages to the cleanup task
    
    Some failures would shortcut to the done handler without telling us
    anything about why it failed. This commit decorates the cleanup task
    with more DEBUG statements.
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>

commit 2ce4203ca72f265e664bfec3481a17b233b1832b
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Feb 17 11:24:58 2015 +0100

    GPO: Better debugging for gpo_child's mkdir
    
    Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

commit efb313cc46634282dbdc67b97e78565662f6c0d3
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri Jan 30 11:02:11 2015 +0100

    CONFIGURE: Do not use macro AC_PROG_MKDIR_P twice
    
    Macro AC_PROG_MKDIR_P needs to be used just conditionally.
    This patch also fixes fallback of macro MKDIR_P.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit 7bc69afc71c0b8f48bdbf0b5b79d229a47aa49f2
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Tue Feb 17 16:40:01 2015 +0100

    Add missing new lines to debug messages
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>

commit 46020d2dbb0f092fca7ec2a27e8c822543ab50fd
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Thu Jan 29 10:32:23 2015 +0100

    sbus_codegen: Port to python3
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2017
    
    Reviewed-by: Petr Viktorin <pviktori at redhat.com>

commit d0a95d87f41721bb57149471897cc920a8730c20
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Wed Jan 28 16:10:12 2015 +0100

    Remove strict requirements of python2
    
    * fix hashbangs
    * remove strict requirements of python2 in build system
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2017
    
    Reviewed-by: Petr Viktorin <pviktori at redhat.com>
    (cherry picked from commit e8058322725ba050014777ee2484f7e833ab1e3a)

commit af8e9134176b4517ecfdd2e10e6204fd3f0ad765
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Thu Jan 29 09:46:27 2015 +0100

    SSSDConfig: Port missing parts to python3
    
    * fix incompatible imports
    * fix translation.[u]?gettext
    * fix dict method has_key
    * fix octal literals PEP 3127
    * long is not defined in python3
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2017
    
    Reviewed-by: Petr Viktorin <pviktori at redhat.com>
    (cherry picked from commit a71004c112cd5d61d3a9e37a4cfc5760dc9a1cec)

commit d36ff71364db4abc08053d36d392aa602fc5860a
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Mon Feb 9 16:46:05 2015 +0100

    SSSDConfig: Remove unused exception name
    
    "except ValueError, e:" was the syntax used for what is normally written
    as "except ValueError as e:" in modern Python. The old syntax is still
    supported in python2 for backwards compatibility.
    This means "except ValueError, KeyError:" is not equivalent to
    "except (ValueError, KeyError):" but to "except ValueError as KeyError:"
    and variable with name "KeyError" was not used in exception handler.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2017
    
    Reviewed-by: Petr Viktorin <pviktori at redhat.com>
    (cherry picked from commit 1ac368d0962ef8cc83dcd642c7fec8b3cba5b6fe)

commit 42563a20baf2f334c01a8f821c5c2d98c208fc84
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Jan 21 21:35:11 2015 +0100

    BUILD: Include python-test.py in the tarball
    
    (cherry picked from commit 51d65c4ad15c2cc23f38fa09dd6efeb15e4f3e86)

commit 9687d7db79e15846de385537a99525d11cae6a15
Author: Bohuslav Kabrda <bkabrda at redhat.com>
Date:   Fri Dec 12 11:04:40 2014 +0100

    Python3 support in SSSD
    
    https://fedorahosted.org/sssd/ticket/2017
    (cherry picked from commit 341a00311680a440d7f979f06c34c70d86c9367a)

commit dc13b1aff629b0271eb6b75a9f3bdb43c9767093
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 27 20:32:33 2015 +0100

    SELINUX: Check the return value of setuid and setgid
    
    Silences a Coverity warning
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit b0f46a3019e0ff4f375ef07682ceb9418751707f)

commit 00ac96c02b8f11a57c2c7bc67166f07043549ebb
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Fri Feb 13 17:36:42 2015 +0100

    resolv: Fix a typo
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit 842fe49b8c53d84b7f5b7cf67338abb038b5a617)

commit cbc53f94af31704131d5c9b10ad878ece0936b24
Author: Rob Crittenden <rcritten at redhat.com>
Date:   Thu Feb 12 23:14:40 2015 -0500

    Add user_attributes to ifp section of API schema
    
    Resolves: https://fedorahosted.org/sssd/ticket/2586
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit 0e4d3214d95316f182c04c7166a6b92dfc92a85d)

commit a5d81569531c1c5bbdd26e1f3cb631b16d13f199
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Thu Feb 12 19:10:34 2015 +0100

    MONITOR: Fix double free
    
    If kill timer was successfully executed then it will be released by libtevent.
    So we should not release it in mt_svc_exit_handler for the second time.
    
    [sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] terminated with signal [9]
    [sssd] [talloc_log_fn] (0x0010): talloc: access after free error - first free
                                             may be at ../tevent_timed.c:351
    [sssd] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free
    
    ==19129== Invalid read of size 4
    ==19129==    at 0x50470CD: talloc_chunk_from_ptr (talloc.c:372)
    ==19129==    by 0x50470CD: _talloc_free (talloc.c:1559)
    ==19129==    by 0x11086C: mt_svc_exit_handler (monitor.c:2754)
    ==19129==    by 0x8AF9B2F: sss_child_invoke_cb (child_common.c:181)
    ==19129==    by 0x4E39823: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==19129==    by 0x4E3AF4D: poll_event_loop_once (tevent_poll.c:649)
    ==19129==    by 0x4E38FEC: _tevent_loop_once (tevent.c:530)
    ==19129==    by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677)
    ==19129==    by 0x84C4B02: server_loop (server.c:668)
    ==19129==    by 0x10D9A6: main (monitor.c:3028)
    ==19129==  Address 0xb8a06c0 is 64 bytes inside a block of size 176 free'd
    ==19129==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==19129==    by 0x50472F2: _talloc_free_internal (talloc.c:1057)
    ==19129==    by 0x50472F2: _talloc_free (talloc.c:1581)
    ==19129==    by 0x4E3D0A3: tevent_common_loop_timer_delay (tevent_timed.c:351)
    ==19129==    by 0x4E3AF59: poll_event_loop_once (tevent_poll.c:653)
    ==19129==    by 0x4E38FEC: _tevent_loop_once (tevent.c:530)
    ==19129==    by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677)
    ==19129==    by 0x84C4B02: server_loop (server.c:668)
    ==19129==    by 0x10D9A6: main (monitor.c:3028)
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2572
    
    Reviewed-by: Stephen Gallagher <sgallagh at redhat.com>
    (cherry picked from commit 373946b540eaa5d97c6efb39629195dbe2a1f015)

commit 3149069126599133a8fe0c66734df6deb3907dfb
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Fri Dec 12 17:10:25 2014 +0100

    RESOLV: Add an internal function to read TTL from a DNS packet
    
    Related:
    https://fedorahosted.org/sssd/ticket/1884
    
    Adds an internal resolver function that reads the TTL for SRV records as
    specified by RFC-2181. Several internal c-ares definitions are used
    until c-ares contains a function that exposes all this information via a
    parsing function.
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit bf54fbed126ec3d459af40ea370ffadacd31c76d)

commit 07d69e93a2d2ba68c2fe67d8fb5de18cf69ba797
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Jan 21 17:24:52 2015 +0100

    LDAP: Rename the _res output parameter to avoid clashing with libresolv in tests
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit 4d7fe714fe74ad242497b2bdbeb7b4e0bf40141f)

commit e3e6a3f87496667bf6456de8855ff831bf222abb
Author: Sumit Bose <sbose at redhat.com>
Date:   Thu Jan 29 20:31:19 2015 +0100

    fill_id() fix LE/BE issue with wrong data type
    
    Related to https://fedorahosted.org/sssd/ticket/1588
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 866ab45027c83fafb7f7f45d34d3e1e7721b77dc)

commit 8b61b994f95f351d7036f4748e5c6f467698f6ae
Author: Sumit Bose <sbose at redhat.com>
Date:   Wed Jan 28 14:04:45 2015 +0100

    AD: use GC for SID requests as well
    
    If a universal group is looked up by SID the cross-domain members must
    be resolved with the help of the Global Catalog.
    
    Related to https://fedorahosted.org/sssd/ticket/2514
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 561ed2fd03bab04cfdddbc09c4b48563c9d9b87e)

commit cc33fd2251f6c3f5cceb15f50f31539ee98c2ea0
Author: Sumit Bose <sbose at redhat.com>
Date:   Wed Jan 28 11:44:37 2015 +0100

    ipa_s2n_save_objects: properly handle fully-qualified group names
    
    Check if the given name is already fully-qualified instead of adding a
    domain name unconditionally.
    
    Related to https://fedorahosted.org/sssd/ticket/2529
           and https://fedorahosted.org/sssd/ticket/2524
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 9ad346318dc2cc5d5a340d8d981ddfdcc6f632da)

commit 21266b63b7a1d28b0bda39916e85d21c1e953a8b
Author: Pavel Reichl <preichl at redhat.com>
Date:   Fri Jan 16 08:25:40 2015 -0500

    MAN: amend sss_ssh_authorizedkeys
    
    Directive AuthorizedKeysCommand should be used in conjunction with
    AuthorizedKeysCommandUser.
    
    Reviewed-by: Jan Cholasta <jcholast at redhat.com>
    (cherry picked from commit ab5f9b58ae740868cb09e92379ed41d30b9401ac)

commit 74d708790a202b78242bd2951178f0a2483327be
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Mon Jan 26 23:25:17 2015 +0100

    IPA: Resolve IPA user groups' overrideDN in non-default view
    
    When the client is in a non-default view, we need to store the override
    data, in particular the overrideDN as well.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2571
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit b2c3722b9a1eaf265f6b102043958f6d4378788c)

commit d18bd28fb09f104e2b13382c430247cad731f867
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 27 16:02:33 2015 +0100

    LDAP: Add UUID when saving incomplete groups
    
    Related to:
    https://fedorahosted.org/sssd/ticket/2571
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 108db0e3b9e06e530364ef8228634f5e3f6bd3b5)

commit 8e0766215aef902eec24d880fbf2b30686c452e6
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Thu Jan 29 08:10:36 2015 +0100

    pysss: Fix double free
    
    The talloc context is removed in destructor.
    
    ==1695== Invalid read of size 4
    ==1695==    at 0x1243D0CD: talloc_chunk_from_ptr (talloc.c:372)
    ==1695==    by 0x1243D0CD: _talloc_free (talloc.c:1559)
    ==1695==    by 0x117B18C3: PySssLocalObject_dealloc (pysss.c:836)
    ==1695==    by 0x117B1AEE: PySssLocalObject_new (pysss.c:898)
    ==1695==    by 0x4ED5522: type_call (typeobject.c:729)
    ==1695==    by 0x4E7F902: PyObject_Call (abstract.c:2529)
    ==1695==    by 0x4F15584: do_call (ceval.c:4328)
    ==1695==    by 0x4F15584: call_function (ceval.c:4133)
    ==1695==    by 0x4F15584: PyEval_EvalFrameEx (ceval.c:2753)
    ==1695==    by 0x4F16BE5: fast_function (ceval.c:4196)
    ==1695==    by 0x4F16BE5: call_function (ceval.c:4131)
    ==1695==    by 0x4F16BE5: PyEval_EvalFrameEx (ceval.c:2753)
    ==1695==    by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
    ==1695==    by 0x4EA46BC: function_call (funcobject.c:526)
    ==1695==    by 0x4E7F902: PyObject_Call (abstract.c:2529)
    ==1695==    by 0x4F1504F: ext_do_call (ceval.c:4423)
    ==1695==    by 0x4F1504F: PyEval_EvalFrameEx (ceval.c:2792)
    ==1695==    by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
    ==1695==  Address 0x112d4560 is 64 bytes inside a block of size 96 free'd
    ==1695==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==1695==    by 0x1243D2F2: _talloc_free_internal (talloc.c:1057)
    ==1695==    by 0x1243D2F2: _talloc_free (talloc.c:1581)
    ==1695==    by 0x117B1ABF: PySssLocalObject_new (pysss.c:876)
    ==1695==    by 0x4ED5522: type_call (typeobject.c:729)
    ==1695==    by 0x4E7F902: PyObject_Call (abstract.c:2529)
    ==1695==    by 0x4F15584: do_call (ceval.c:4328)
    ==1695==    by 0x4F15584: call_function (ceval.c:4133)
    ==1695==    by 0x4F15584: PyEval_EvalFrameEx (ceval.c:2753)
    ==1695==    by 0x4F16BE5: fast_function (ceval.c:4196)
    ==1695==    by 0x4F16BE5: call_function (ceval.c:4131)
    ==1695==    by 0x4F16BE5: PyEval_EvalFrameEx (ceval.c:2753)
    ==1695==    by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
    ==1695==    by 0x4EA46BC: function_call (funcobject.c:526)
    ==1695==    by 0x4E7F902: PyObject_Call (abstract.c:2529)
    ==1695==    by 0x4F1504F: ext_do_call (ceval.c:4423)
    ==1695==    by 0x4F1504F: PyEval_EvalFrameEx (ceval.c:2792)
    ==1695==    by 0x4F183FF: PyEval_EvalCodeEx (ceval.c:3342)
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit 3cd7275c3c41a03eb65769c2bf4e472d1de7b8c0)

commit 31dd2a8c5042493b24ef4f9360139525c018bcb4
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Sat Jan 24 09:17:35 2015 -0500

    PROXY: Fix use after free
    
    The dbus_req and associated talloc context are no longer valid after
    execution of the function sbus_request_return_and_finish even if error code
    was returned.
    
    ==32479== Invalid read of size 8
    ==32479==    at 0x131F275F: client_registration (proxy_init.c:474)
    ==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
    ==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
    ==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
    ==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
    ==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
    ==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
    ==32479==    by 0x89B5776: std_event_loop_wait (tevent_standard.c:140)
    ==32479==    by 0x529E255: server_loop (server.c:668)
    ==32479==    by 0x40DBC5: main (data_provider_be.c:2915)
    ==32479==  Address 0xb700858 is 104 bytes inside a block of size 136 free'd
    ==32479==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==32479==    by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1)
    ==32479==    by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95)
    ==32479==    by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119)
    ==32479==    by 0x131F264D: client_registration (proxy_init.c:443)
    ==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
    ==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
    ==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
    ==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
    ==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
    ==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2573
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit 33889b2ad764beb6b129f5211b1fab9790da8884)

commit b8894eb53017af67224d05470d2cdd2a65070a41
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 27 11:12:18 2015 +0100

    SELINUX: Set and reset umask when calling set_seuser from daemon code
    
    https://fedorahosted.org/sssd/ticket/2563
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)

commit 6772568c21cbea19c63ff047a5f668dc3372a114
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Mon Jan 26 15:15:29 2015 +0100

    SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
    
    https://fedorahosted.org/sssd/ticket/2564
    
    libselinux uses many access(2) calls and access() uses the real UID,
    not the effective UID for the check. Therefore, the setuid selinux_child,
    which only has effective UID of root would fail the check.
    
    Reviewed-by: Michal Židek <mzidek at redhat.com>
    (cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)
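
The real-versus-effective ID distinction described in the commit message above, combined with the return-value checks named in the "SELINUX: Check the return value of setuid and setgid" commit, as an added C example that is not part of the SSSD source or of this commit log. All function names are hypothetical, and faccessat() with AT_EACCESS is used only to show the effective-ID answer next to the real-ID answer that access() gives.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* All helpers below are hypothetical names for this example, not SSSD code. */

/* access(2) performs its permission check with the REAL uid/gid. */
int readable_for_real_ids(const char *path)
{
    return access(path, R_OK) == 0;
}

/* faccessat(2) with AT_EACCESS performs the check with the EFFECTIVE ids. */
int readable_for_effective_ids(const char *path)
{
    return faccessat(AT_FDCWD, path, R_OK, AT_EACCESS) == 0;
}

/* True in the state a setuid/setgid binary starts in: real != effective. */
int ids_are_split(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * Make the real IDs root as well, so that library code relying on
 * access(2) sees root. Every call is checked: an ignored failure would
 * leave the process running with IDs the caller did not intend.
 * Returns 0 on success or a positive errno value.
 */
int become_full_root(void)
{
    if (geteuid() != 0) {
        return EPERM;           /* not started with effective root */
    }
    if (setgid(0) != 0) {
        return errno;
    }
    if (setuid(0) != 0) {
        return errno;
    }
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != 0 || geteuid() != 0 || getgid() != 0 || getegid() != 0) {
        return EPERM;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    int rc;

    printf("split ids: %d real: %d effective: %d\n", ids_are_split(),
           readable_for_real_ids(path), readable_for_effective_ids(path));

    rc = become_full_root();
    if (rc != 0) {
        fprintf(stderr, "cannot become root: errno %d\n", rc);
        return 1;
    }

    printf("split ids: %d real: %d effective: %d\n", ids_are_split(),
           readable_for_real_ids(path), readable_for_effective_ids(path));
    return 0;
}
```

Installed setuid-root and started by an unprivileged user with a root-only file as argument, the two helpers disagree on the first line of output and agree on the second.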

commit 42aa9151b9f01bb4fe9d81313f65e9cac0c0aaf1
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Mon Jan 26 20:29:37 2015 +0100

    IPA: Use attr's dom for users, too
    
    The 'dom' pointer points to domain of the main object being saved. In
    case of group, dom points to the domain where the group resides. But
    when saving members, each member might be from a different domain, so we
    need to find every member's domain based on the attributes.
    
    Also don't use Yoda style in conditions.
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit b2c5e98def89a0c3d16f5cf7e07ce2020338b540)

commit 5a41c136b82b5cfb50522e7b5aa38534fb9a351f
Author: Sumit Bose <sbose at redhat.com>
Date:   Wed Jan 21 16:33:59 2015 +0100

    IPA: process_members() add ghosts only once
    
    Since ghost entries might not be properly removed on the IPA server
    (https://fedorahosted.org/sssd/ticket/2567) chances are that during
    extdom group lookups a single user is returned multiple times. This patch
    removes the duplicates before trying to write the data to the cache.
    
    Related to https://fedorahosted.org/sssd/ticket/2159
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 60f11e2fa1f63cd40ebace525ad823b0360fac94)

commit e6aeb257e5b7d704530ce079c6e0ab9da1d5c139
Author: Sumit Bose <sbose at redhat.com>
Date:   Thu Jan 22 21:20:25 2015 +0100

    IPA: resolve IPA group-memberships for AD users
    
    So far only for initgroups requests the IPA group memberships were
    resolved for AD users and due to
    6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not
    overridden by other requests. But it turned out that the originalMemberOf
    attributes related to the IPA group memberships can be overridden by
    user lookups.  Since the originalMemberOf attribute is important in the
    HBAC evaluation this patch makes sure that the originalMemberOf
    attribute is not removed but updated during user lookups.
    
    Related to https://fedorahosted.org/sssd/ticket/2560
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 63748c69a2c6785d949c82f94749704e0408e5a7)

commit 6992f203c2b37d130287eae11f3929d0000e6d44
Author: Pavel Reichl <preichl at redhat.com>
Date:   Wed Jan 7 11:02:44 2015 +0000

    AD: support for AD site override
    
    Override AD site found during DNS discovery.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2486
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit e438fbf102c3d787902504bdae177e84230cbbc9)

commit e2f4a87ef4a657d27c3ec544fd75a21eefcf3ce7
Author: Pavel Reichl <preichl at redhat.com>
Date:   Wed Jan 7 09:40:45 2015 +0000

    AD: add new option ad_site
    
    This option overrides a result of the automatic site discovery.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2486
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>
    (cherry picked from commit b22e0da9e644f5eb84ee0c8986979fec3fe7eb56)

commit 20f4640cd4dbec3a91b615611a4adc418ffae91c
Author: Sumit Bose <sbose at redhat.com>
Date:   Fri Jan 23 14:39:07 2015 +0100

    sysdb: remove ghosts in all sub-domains as well
    
    If a user is a member of a group in a different sub-domain, e.g. with
    universal groups in AD, the ghost attribute might not be properly
    removed from the group object if the user is resolved. The reason is
    that only groups from the domain of the user were searched for ghost
    attributes. This patch increases the search-base to all sub-domains of
    the configured SSSD domain.
    
    Resolves https://fedorahosted.org/sssd/ticket/2567
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit fc2146c108e28d50bbf691925cedf9592142dd14)

commit 97c0a591a1e09be520a6faaf51a4ba72d76f0c24
Author: Sumit Bose <sbose at redhat.com>
Date:   Thu Jan 22 18:30:04 2015 +0100

    nss: fix SID lookups
    
    https://fedorahosted.org/sssd/ticket/2566
    
    Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>

commit 79a818a4f473e3517b2bfe4ad03391e2d82fe33d
Author: Sumit Bose <sbose at redhat.com>
Date:   Thu Jan 22 17:03:00 2015 +0100

    IPA: properly handle mixed-case trusted domains
    
    In the SSSD cache domain names are handled case-sensitively. As a result
    fully-qualified names in RDN contain the domain part in the original
    spelling. When the IPA client looks up group-memberships on the IPA server
    via the extdom plugin the names returned are all lower case. To make
    sure new DNs are generated correctly the domain part must be adjusted.
    
    Related to https://fedorahosted.org/sssd/ticket/2159
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit 7407b227b67749d854d1632cd04f6106606cbdda
Author: Sumit Bose <sbose at redhat.com>
Date:   Wed Jan 21 12:35:00 2015 +0100

    views: fix GID override for mpg domains
    
    When adding a user sysdb internally adds a value to SYSDB_GIDNUM for
    mpg domain which might cause conflicts with the one we added to users
    git GID overrides. With this patch the override GID is added after the
    user is created but in the same transaction.
    
    Related to https://fedorahosted.org/sssd/ticket/2514
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit ba818cc39dfe94c2b8613f4badf7912811f0f737)

commit bfdd8d2b828d0decb3730879f328bcde95dc584b
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 20 18:06:49 2015 +0100

    Open the PAC socket from krb5_child before dropping root
    
    The PAC responder by default allows only connections from the root user.
    This patch opens the socket to the PAC responder before the krb5_child
    drops privileges so the connection seemingly comes from root.
    
    https://fedorahosted.org/sssd/ticket/2559
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 858e750c3d4fe54e50616a1ed1e101469503c070)

commit dcc99fc87bc7ec44fdc8ec897218384cc274d4dd
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Jan 20 12:51:57 2015 +0100

    nss: Add original DN and memberOf to origbyname request
    
    IPA HBAC evaluation relies on the original values for DN and memberOf
    attributes.
    
    Resolves https://fedorahosted.org/sssd/ticket/2560
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 7543052f562f157f7b17fdc46a6777d80c0cb3bd)

commit 2eb78055d7a344c0ef58adbaa84dac86df13174e
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Jan 20 13:50:16 2015 +0100

    nss: refactor fill_orig()
    
    The two loops in fill_orig were almost identical.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit a4d64002b5ca763622bde240d27797d361ba0388)

commit 70ec6df14be2ddc26147095e260b4f9c7e606a6b
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Jan 20 12:48:19 2015 +0100

    nss: make fill_orig() multi-value aware
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 5f4d896ec8e06476f4282b562b1044de14c48ecf)

commit 24df1487413d13248dcc70d2548a763930da4c65
Author: Sumit Bose <sbose at redhat.com>
Date:   Thu Jan 15 10:38:33 2015 +0100

    krb5: fix entry order in MEMORY keytab
    
    Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY
    type keytab and not at the end a simple copy into a MEMORY type keytab
    will revert the order of the keytab entries. Since e.g. the sssd_krb5
    man page gives hints about where to add entries into keytab files to help
    SSSD to find a right entry we have to keep the order when copying a
    keytab into a MEMORY type keytab. This patch fixes this by doing a
    second copy to retain the original order.
    
    Resolves https://fedorahosted.org/sssd/ticket/2557
    
    Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit 7a98103f88b80543ace05a655507a61f01a9d1f8
Author: Pavel Reichl <preichl at redhat.com>
Date:   Wed Jan 14 08:09:38 2015 -0500

    MAN: add dots as valid character in domain names
    
    Add dots into a set of allowed characters for domain names.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2527
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 9a15eb105d01d9e100e69e9d66fb8e880b228246)

commit 6e9c11ed1513ebd130085651da6703abd12e1624
Author: Pavel Reichl <preichl at redhat.com>
Date:   Wed Jan 14 08:44:17 2015 -0500

    MAN: dyndns_iface supports only one interface
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2548
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 702176303382b5a385e90fe68ad2c32bd708ebf1)

commit 66418c376763ea6eaeccf4215326f3d2ab1ee160
Author: Pavel Reichl <preichl at redhat.com>
Date:   Tue Jan 13 17:43:30 2015 -0500

    GPO: add systemd-user to gpo default permit list
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2556
    
    Reviewed-by: Stephen Gallagher <sgallagh at redhat.com>
    (cherry picked from commit b49c6abe12721ee8442be1c1bd6c15443b518ca2)

commit f5c3dcc3701e203f17a2803ff5019b853b4d7bee
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Jan 14 11:03:14 2015 +0100

    krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW
    
    Previously, we were only handling KRB5KRB_AP_ERR_SKEW
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 9b2cd4e5e451c07cb2f04cdbaea2b94ccb5fb2ee)

commit 5730f53f1fd47a2a485593048adf540c66d09934
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Dec 9 17:48:46 2014 +0100

    IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLIST
    
    Since RESP_USER_GROUPLIST contains all group memberships it is
    effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 62d919aea98edd1095f6a22241903d4c045b46ed)

commit 04455af12b45a4790039e3655467cf164799c627
Author: Sumit Bose <sbose at redhat.com>
Date:   Fri Dec 5 11:12:42 2014 +0100

    IPA: resolve missing members
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 3cd287313d93e29f9754feb46017dba2a039affd)

commit 161c2fa226a31001d184594476616143d7fe34d3
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Dec 9 17:04:30 2014 +0100

    IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit f1f22df95996390f63266ebacb624e521d934592)

commit 87cc3049b74705afbb182fcceeec3c9fd5b668da
Author: Sumit Bose <sbose at redhat.com>
Date:   Fri Dec 5 11:11:49 2014 +0100

    IPA: process_members() optionally return missing members list
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 942ebb62c8df766a22271103abd518ddae02ea3a)

commit 6b57aa03c7810dc45c79f087eb47a05c55f64056
Author: Sumit Bose <sbose at redhat.com>
Date:   Fri Dec 5 11:06:26 2014 +0100

    IPA: add missing break
    
    The current request already returned the SID, we do not need to request
    it separately.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit e6046d23b3e90102fb3c796737ced03fb5a60fea)

commit 1869e832b811cc0aae833cbf9f24fa151001f2b2
Author: Sumit Bose <sbose at redhat.com>
Date:   Fri Dec 5 11:03:48 2014 +0100

    IPA: make version check more precise
    
    The call protected by the check does not only expect the version 1 of
    the extdom plugin is used but a specific response type as well. Since
    version 1 can return older response types as well we want to be on the
    safe side.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 2fc12875f7d51248799016c19c1298b85e06a286)

commit 497e35d5d4b58f7194b11528be8a5f2ea7aca351
Author: Sumit Bose <sbose at redhat.com>
Date:   Thu Dec 4 13:26:32 2014 +0100

    IPA: do not look up overrides on client with default view
    
    The IPA extdom plugin returns the data with the default view already
    applied hence it is not needed to look up the override data if the client
    has the default view assigned.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit d8ceb194023a2cdc8bc183acc322e9a7fb6fe2b1)

commit 626356e2df2c8f65229f61c29a1347562eca6884
Author: Sumit Bose <sbose at redhat.com>
Date:   Tue Jan 13 11:03:37 2015 +0100

    IPA: ipa_resolve_user_list_send() take care of overrides
    
    Currently ipa_resolve_user_list_send() only looks up the related user
    objects but does not check for overrides. This patch tries to fix this.
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit eab17959df71341073f946c533f59fc5e593b35c)

commit 907222ac05258620ead57cdaa86343535ae04b57
Author: Sumit Bose <sbose at redhat.com>
Date:   Mon Jan 12 18:36:42 2015 +0100

    sysdb: fix group members with overridden names
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit fbcdc08722aa8ed17c4b114e01fbb37c02cfb2fe)

commit 4d9a6caab65d76422c4b7b262064c3c2ebe91e3a
Author: Sumit Bose <sbose at redhat.com>
Date:   Wed Dec 10 15:03:18 2014 +0100

    IPA: resolve ghost members if a non-default view is applied
    
    Related to https://fedorahosted.org/sssd/ticket/2481
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 765d9075bb1e10ae0f09b6c2701bfd50aeb423d4)

commit 3a6827af5a810070aa4f413a0152d8fab2431a61
Author: Sumit Bose <sbose at redhat.com>
Date:   Wed Dec 10 15:02:15 2014 +0100

    IPA: add get_be_acct_req_for_user_name()
    
    Related to https://fedorahosted.org/sssd/ticket/2481
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit d32b165fad7b89462f49c82349e1df5a2343afa2)

commit 6cdefffcc399f09ee29aacf858905bfad179f1b3
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 6 13:03:34 2015 +0100

    GPO: Extract server hostname after connecting
    
    https://fedorahosted.org/sssd/ticket/2543
    
    The LDAP URI is not valid prior to connecting to LDAP. Moreover,
    reconnecting to a different server might invalidate the URI.
    
    Move reading the URI after the connection has been established.
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit ccff8e75940963a0f68f86efcddc37133318abfa)

commit fc62521e72eb9ed8336e4797f2cd9c89d8b013f1
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Jan 7 10:42:09 2015 +0100

    GPO: Don't use stdout for output in gpo_child
    
    Resolves:
        https://fedorahosted.org/sssd/ticket/2544
    
    Use a dedicated fd instead to work around
    https://bugzilla.samba.org/show_bug.cgi?id=11036
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit f00a61b6079d8de81432077a59daf015d85800d2)

commit d31fba405f3392f27f0eea861834083cfaa0ef10
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Wed Jan 7 10:36:12 2015 +0100

    UTIL: Allow dup-ing child pipe to a different FD
    
    Related to:
        https://fedorahosted.org/sssd/ticket/2544
    
    Adds a new function exec_child_ex and moves setting the extra_argv[]
    to exec_child_ex() along with specifying the input and output fds.
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit 16cb0969f0a9ea71524d852077d6a480740d4f12)

commit 9740d8a555dee2e41294f6e4acf558e4998656d9
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 6 16:54:44 2015 +0100

    GPO: Set libsmb debugging to stderr
    
    libsmb logs to stdout by default. It's much more reasonable to log to
    stderr by default.
    
    Please also note:
        https://bugzilla.samba.org/show_bug.cgi?id=11036
    and:
        https://fedorahosted.org/sssd/ticket/2544
    
    Reviewed-by: Sumit Bose <sbose at redhat.com>
    (cherry picked from commit bb7ddd2be9847bfb07395341c7623da1b104b8a6)

commit 1d39190e64b84e12c41706d450fc9531888707c0
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Fri Jan 9 10:50:59 2015 +0100

    logrotate: Fix warning file size changed while zipping
    
    Postpone compression of the previous log file to the next rotation cycle.
    This only has effect when used in combination with compress. We need to use it
    because we cannot tell sssd to close log files and thus sssd processes might
    continue writing to the previous log file for some time.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2547
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>
    (cherry picked from commit 565eb6fa43e74e2fbfff00dc29fdb20c5544a3d2)

commit 1ff29079f9acf6d5bd20e0be6e124cbf94ad785d
Author: Pavel Březina <pbrezina at redhat.com>
Date:   Thu Jan 8 21:39:13 2015 +0100

    spec: sifp requires sssd-dbus
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2550
    
    Reviewed-by: Lukáš Slebodník <lslebodn at redhat.com>
    (cherry picked from commit ce6ba48c5a0723d9c8db6d960d2dfbcb6ffdd673)

commit e4eec975e58b1c91bf5270add0b0f01d2c1ba9e1
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 6 14:15:47 2015 +0100

    TESTS: Cover sysdb_gpo.c with unit tests
    
    Untested code is risky to change.
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit ee8dccf5f0a7de4aba16ab73a53872df9a65175c)

commit c60710d6836ec4010e7a02302133f723a282abcb
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Tue Jan 6 13:14:35 2015 +0100

    GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()
    
    https://fedorahosted.org/sssd/ticket/2542
    
    If the GPO result object was missing completely, we would error out with
    a fatal error code. It's more user-friendly to treat the missing object
    as if the requested attribute was missing on the provider level.
    
    Reviewed-by: Pavel Reichl <preichl at redhat.com>
    (cherry picked from commit fc2cc91a5b645180e53d46436b0d08011aac8d74)

commit 5c14f85f2f27d492ad9631627cd10b826b7b08c5
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Thu Jan 8 18:34:55 2015 +0100

    Updating the version to the 1.12.4 release

commit 481ec0e1eb0058195732cb320845b41f6f4d43eb
Author: Jakub Hrozek <jhrozek at redhat.com>
Date:   Thu Jan 8 18:19:45 2015 +0100

    Updating translations for the 1.12.3 release

commit 6836ab313b2a0cd5037ba29a5c61cdf827502a30
Author: Carlos A. Munoz <camunoz at redhat.com>
Date:   Mon Dec 15 15:25:33 2014 +1000

    Add zanata.xml file for integration with Zanata command line client
    
    To set up and use the Zanata client, follow:
        http://zanata.org/help/cli/cli-configuration/
    
    Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

commit a28d949e66785a0e2c28612d095cc491876cf46f
Author: Pavel Reichl <preichl at redhat.com>
Date:   Wed Jan 7 11:01:05 2015 +0000

    TESTS: typo in 'assert message'
    
    Reviewed-by: Pavel Březina <pbrezina at redhat.com>

commit 152251b13a99c88054055d46600e0478c4f7bd05
Author: Stephen Gallagher <sgallagh at redhat.com>
Date:   Wed Dec 10 14:16:49 2014 -0500

    monitor: Service restart fixes
    
    There are actually two bugs here:
    
    1) When either the kill(SIGTERM) or kill(SIGKILL) commands returned
    failure (for any reason), we would talloc_free(svc) which removed it
    from being eligible for restart, resulting in the service never
    starting again without an SSSD service restart.
    
    2) There is a fairly wide race condition where it's possible for a
    SIGKILL timer to "catch up" to the child exit handler between us
    noticing the termination and actually restarting it. The race
    happens because we re-enter the mainloop and add a restart
    timeout to avoid a quick failure if we keep restarting due to a
    transitory issue (the mt_svc object, and therefore the SIGKILL
    timer, were never freed until we got to the actual service
    restart).
    
    We can minimize this race by recording the timer_event for the
    SIGKILL timeout in the mt_svc object. This way, if the process
    exits via SIGTERM, we will immediately remove the timer for the
    SIGKILL. Additionally, we'll catch the special-case of an ESRCH
    response from the kill(SIGKILL) and assume that it means that the


