[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 196 commits: Update version in version.m4 to track the next release.

Timo Aaltonen gitlab at salsa.debian.org
Mon Jul 13 09:38:26 BST 2020



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
a706ea8e by Michal Židek at 2019-12-02T11:59:58+01:00
Update version in version.m4 to track the next release.

- - - - -
7578bdea by Yuri Chornoivan at 2019-12-04T11:55:16+01:00
sssctl: fix typo in user message

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bd201746 by Tomas Halman at 2019-12-04T11:56:59+01:00
sdap: Add randomness to ldap connection timeout

In case of mass deployment, mass registration of IPA clients at roughly
the same time leads to regular CPU load spikes on IPA servers. The load
spikes are caused by all/most clients refreshing their LDAP connections
(ldap_connection_expire_timeout) every 15 minutes.

This patch introduces a new random value (from 0 up to
ldap_connection_expire_offset) that is added to the timeout.

Resolves:
https://pagure.io/SSSD/sssd/issue/3630

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
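To make the herd effect and the jitter visible, here is an added stand-alone model (example code, not sssd's own sdap code): every client computes its connection expiry as the base timeout plus a random offset in [0, max_offset], and a small simulation counts how many of N clients that connected at the same instant would reconnect in the busiest single second. The tiny LCG, the function names and the client counts are assumptions made for the demonstration; sssd draws its randomness elsewhere.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-alone model of the jitter idea; not sssd code.
 * Timeouts are in seconds, like ldap_connection_expire_timeout. */

/* Tiny deterministic generator so runs are reproducible (assumption:
 * sssd uses its own random source, not this). */
static uint32_t lcg_state = 12345u;

static uint32_t lcg_next(void)
{
    lcg_state = lcg_state * 1664525u + 1013904223u;
    return lcg_state >> 16;            /* drop the weak low bits */
}

/* Effective expiry for one connection: base timeout plus a random offset
 * in [0, max_offset]. max_offset == 0 reproduces the old fixed interval. */
unsigned int expire_with_jitter(unsigned int base_timeout, unsigned int max_offset)
{
    if (max_offset == 0) {
        return base_timeout;
    }
    return base_timeout + (unsigned int)(lcg_next() % (max_offset + 1u));
}

/* Simulate n_clients that all connected at t=0 and count how many expire
 * (and reconnect) in the busiest single second. Returns that peak, or 0
 * on allocation failure. Without jitter the peak equals n_clients: the
 * load spike described in the commit message. */
unsigned int peak_reconnects_per_second(unsigned int n_clients,
                                        unsigned int base_timeout,
                                        unsigned int max_offset)
{
    unsigned int window = base_timeout + max_offset + 1u;
    unsigned int *per_second = calloc(window, sizeof(*per_second));
    unsigned int i, peak = 0;

    if (per_second == NULL) {
        return 0;
    }
    lcg_state = 12345u;                /* reset so results are reproducible */

    for (i = 0; i < n_clients; i++) {
        unsigned int t = expire_with_jitter(base_timeout, max_offset);
        per_second[t]++;
        if (per_second[t] > peak) {
            peak = per_second[t];
        }
    }
    free(per_second);
    return peak;
}
```

The offset only spreads the first refresh; because each new connection picks a fresh offset, the clients stay de-synchronised on later refreshes as well, which is why a random value is preferable to a fixed per-host skew.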
1cdd4314 by Andrew Gunnerson at 2019-12-04T11:59:31+01:00
ad: Add support for passing --add-samba-data to adcli

This adds a new option named `ad_update_samba_machine_account_password`,
which when enabled, will pass `--add-samba-data` to the adcli command
for updating the machine account password in Samba's secrets.tdb
database.

This option is necessary when Samba is configured to use AD for
authentication. For Kerberos auth, Samba can use the system keytab, but
for NTLM, Samba uses its own copy of the machine account password in its
secrets.tdb database.

See: https://pagure.io/SSSD/sssd/issue/3920

Signed-off-by: Andrew Gunnerson <andrewgunnerson at gmail.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
58a67cd3 by Paweł Poławski at 2019-12-04T12:02:48+01:00
sysdb_sudo: Enable LDAP time format compatibility

The LDAP specification allows omitting seconds and minutes
in a time border definition. In that case they default to zero.
The current sssd.sudo implementation requires precision up to
seconds in the time definition. This commit allows lowering
the precision to hours.

Resolves:
https://pagure.io/SSSD/sssd/issue/4118

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
03bc9624 by Pavel Březina at 2019-12-11T14:37:22+01:00
nss: use real primary gid if the value is overriden

SYSDB_PRIMARY_GROUP_GIDNUM contains the original primary group id from AD
because any possible override may not be known at the time of storing
the user.

Now we try to look up the group by its originalADgidNumber and if it is found
we will replace the original id with the real primary group id.

Steps to reproduce:
1. Enroll SSSD to IPA domain with AD trust
2. Add ID override to Domain Users `ipa idoverridegroup-add 'Default Trust View' "Domain Users at ad.vm" --gid=40000000`
3. On IPA server: Remove cache for the overrides to apply immediately and restart SSSD `sssctl cache-remove --stop --start`
4. On IPA server: Resolve user `id Administrator at ad.vm`

Both the new and the old gids will be visible without the patch.

Resolves:
https://pagure.io/SSSD/sssd/issue/4124

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
97c96fd0 by Pavel Březina at 2019-12-11T15:16:45+01:00
ci: add rhel7

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
63c38d61 by Pavel Březina at 2019-12-11T15:16:45+01:00
ci: set sssd-ci notification to pending state when job is started

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
c861a390 by Pavel Březina at 2019-12-11T15:16:45+01:00
ci: archive ci-mock-result

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3477f2c2 by Fabiano Fidêncio at 2019-12-11T16:21:19+01:00
INTG: Increase the sleep() time so the changes are reflected on SSSD

Those tests have been failing a lot recently and it does happen because
the time to reflect the changes on SSSD is not enough for the machine
where the tests are running.

There's no reasonable explanation in the code why 4 seconds is used as
INTERACTIVE_TIMEOUT, neither a reasonable explanation why 2 seconds is
used as the time waited in order to have those changes reflected on
SSSD (neither in the code nor in the commit messages).

This patch uses the most simple empiric way to determine a better value
for this timeout, which was "run the tests a considerable amount of time
and check that there were no failures".

So, in order to avoid failures and our tests giving us more reliable
information, let's give more time so the changes are reflected on SSSD.

Resolves:
https://pagure.io/SSSD/sssd/issue/3463

Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
116b144b by Pavel Březina at 2019-12-11T16:21:19+01:00
tests: fix race condition in enumeration tests

This change is relevant to Nyquist frequency. To ensure that enumeration has been
run we need to wait at least twice the enumeration timeout. In other words, we need
to make sure enumeration is run at least twice the frequency of our assertions to
ensure that it has been run at least once.

Patch was amended by Alexey Tikhonov <atikhono at redhat.com> to include nice
comment originally provided by Pavel Březina at
https://github.com/SSSD/sssd/pull/947#issuecomment-559440211

Relates: https://pagure.io/SSSD/sssd/issue/3463

Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
b6266518 by Tomas Halman at 2019-12-11T17:27:41+01:00
INI: sssctl config-check command error messages

In case of parsing error sssctl config-check command does not give
proper error messages with line number. With this patch the error
message is printed again.

Resolves:
https://pagure.io/SSSD/sssd/issue/4129

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
580d6188 by Sumit Bose at 2019-12-14T01:51:31+01:00
ldap_child: do not try PKINIT

if the PKINIT plugin is installed and pkinit_identities is set in
/etc/krb5.conf libkrb5 will try to do PKINIT although ldap_child only
wants to authenticate with a keytab. As a result ldap_child might try to
access a Smartcard which is either not allowed at all or might cause
unexpected delays.

To avoid this the current patch sets pkinit_identities for LDAP child
explicitly to make the PKINIT plugin fail because if installed libkrb5
will always use it.

It turned out that setting pre-authentication options requires some
internal flags to be set and krb5_get_init_creds_opt_alloc() must be
used to initialize the options struct.

Related to https://pagure.io/SSSD/sssd/issue/4126

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
21cb9fb2 by Sumit Bose at 2019-12-14T01:57:10+01:00
certmap: mention special regex characters in man page

Since some of the matching rules use regular expressions some characters
must be escaped so that they can be used as ordinary characters in the
rules.

Related to https://pagure.io/SSSD/sssd/issue/4127

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
1d4a7ffd by Alexey Tikhonov at 2019-12-14T02:04:09+01:00
providers/krb5: got rid of unused code

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
e41e9b37 by Alexey Tikhonov at 2019-12-14T02:04:09+01:00
data_provider_be: got rid of duplicating SIGTERM handler

It was wrong to install two libtevent SIGTERM handlers both of which did
orderly_shutdown()->exit(). Naturally only one of the handlers was executed
(as the process was terminated with exit()) and the libtevent docs don't say
anything about the order of execution. But chances are, be_process_finalize()
was executed first so default_quit() was not executed and main_ctx was not
freed.

Moreover there is just no reason to have separate be_process_finalize()
at all: default server handler default_quit() frees main_ctx. And be_ctx
is linked to main_ctx so will be freed by default handler as well.

Resolves: https://pagure.io/SSSD/sssd/issue/4088

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
3f52de89 by Alexey Tikhonov at 2019-12-14T02:04:09+01:00
util/server: improved debug at shutdown

Relates: https://pagure.io/SSSD/sssd/issue/4088

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
2c13d8bd by Alexey Tikhonov at 2019-12-14T02:30:17+01:00
util/watchdog: fixed watchdog implementation

In case the watchdog detected a locked process and this process was the parent
process, it just sent SIGTERM to the whole group of processes, including
itself.
This handling was wrong: generic `server_setup()` installs custom
libtevent handler for SIGTERM signal so this signal is only processed
in the context of tevent mainloop. But if tevent mainloop is stuck
(exactly the case that triggers WD) then event is not processed
and this made watchdog useless.
`watchdog_handler()` and `watchdog_detect_timeshift()` were amended to do
unconditional `_exit()` after optionally sending a signal to the group.

Resolves: https://pagure.io/SSSD/sssd/issue/4089

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
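The failure mode in the watchdog commit above is general: if a signal is only recorded by a handler and acted on by a main loop, then a watchdog that merely sends that signal to a stuck process achieves nothing. The following added example (constructed for this page, not sssd or libtevent code) reproduces it in miniature: a child installs a SIGTERM handler that only sets a flag, arms a one-second SIGALRM "watchdog", and then blocks forever. With `fixed == 0` the watchdog only sends SIGTERM and the child never dies; with `fixed == 1` it calls `_exit()` unconditionally, as the patched `watchdog_handler()` does. Function names and the exit code 3 are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-alone model; not sssd or libtevent code. */

static volatile sig_atomic_t terminate_requested = 0;
static volatile sig_atomic_t exit_unconditionally = 0;

/* Like an event-loop signal handler: only records the signal. */
static void on_sigterm(int signo)
{
    (void)signo;
    terminate_requested = 1;   /* would be consumed by the main loop, if it ran */
}

/* Watchdog fires. Old behaviour: send SIGTERM and return, hoping the main
 * loop handles it. Fixed behaviour: send it, then _exit() no matter what. */
static void on_watchdog(int signo)
{
    (void)signo;
    kill(getpid(), SIGTERM);
    if (exit_unconditionally) {
        _exit(3);              /* async-signal-safe; never returns */
    }
}

static void stuck_main_loop(void)
{
    for (;;) {
        pause();               /* stuck: terminate_requested is never read */
    }
}

/* Fork a child that arms a one-second watchdog and then gets stuck.
 * Returns the child's exit status, -1 if it was still alive after
 * timeout_sec and had to be SIGKILLed by the parent, -2 on errors. */
int run_watchdog_demo(int fixed, unsigned int timeout_sec)
{
    struct sigaction sa;
    pid_t pid = fork();
    int status;
    unsigned int waited_ms = 0;

    if (pid < 0) {
        return -2;
    }
    if (pid == 0) {
        exit_unconditionally = fixed;
        memset(&sa, 0, sizeof(sa));
        sa.sa_handler = on_sigterm;
        sigaction(SIGTERM, &sa, NULL);
        sa.sa_handler = on_watchdog;
        sigaction(SIGALRM, &sa, NULL);
        alarm(1);
        stuck_main_loop();
        _exit(0);              /* not reached */
    }

    while (waited_ms < timeout_sec * 1000u) {
        struct timespec ts = { 0, 50 * 1000 * 1000 };  /* 50 ms */
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) {
            return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
        }
        if (r < 0) {
            return -2;
        }
        nanosleep(&ts, NULL);
        waited_ms += 50;
    }
    kill(pid, SIGKILL);        /* the child never acted on its own SIGTERM */
    waitpid(pid, &status, 0);
    return -1;
}
```

The point to carry away: anything a watchdog does from signal context must not depend on the very loop it is policing, so the terminal action has to be something async-signal-safe and unconditional such as `_exit()` or `abort()`.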
090cf77a by Sumit Bose at 2020-01-13T12:01:32+01:00
ad: allow booleans for ad_inherit_opts_if_needed()

Currently ad_inherit_opts_if_needed() can only handle strings. With this
patch it can handle boolean options as well.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
341ba49b by Sumit Bose at 2020-01-13T12:01:32+01:00
ad: add ad_use_ldaps

With this new boolean option the AD provider should only use the LDAPS
port 636 and the Global Catalog port 3629 which is TLS protected as
well.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
78649907 by Sumit Bose at 2020-01-13T12:01:33+01:00
ldap: add new option ldap_sasl_maxssf

There is already the ldap_sasl_minssf option. To be able to control the
maximal security strength factor (ssf) e.g. when using SASL together
with TLS the option ldap_sasl_maxssf is added as well.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
24387e19 by Sumit Bose at 2020-01-13T12:01:33+01:00
ad: set min and max ssf for ldaps

AD does not allow using encryption in the TLS and SASL layers at the
same time. To be able to use ldaps this patch sets min and max ssf to 0
if ldaps should be used.

Related to https://pagure.io/SSSD/sssd/issue/4131

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
26e33b19 by Alexey Tikhonov at 2020-01-14T11:05:51+01:00
util/sss_ptr_hash: fixed double free in sss_ptr_hash_delete_cb()

Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
to freeing of value->ptr and thus to destruction of value->spy that is
attached to value->ptr.
In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
execution hash entry was actually deleted and value was freed.
When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
to free value again => double free.

To prevent this bug value and hence spy are now freed before execution of
data->callback(value->ptr).

Resolves: https://pagure.io/SSSD/sssd/issue/4135

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d1f8ec8a by David Mulder at 2020-01-14T11:09:13+01:00
SSSD should accept host entries from GPO's security filter

Not accepting host entries in the security filter
creates the need for sub-OU's, each with its own
GPO, otherwise one OU with an assigned GPO would
be sufficient.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8aa2f9ed by David Mulder at 2020-01-14T11:09:13+01:00
Test the host sid checking

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8d333499 by Samuel Cabrero at 2020-01-14T11:09:13+01:00
AD: Improve host SID retrieval

Set the entry expire time for cached computers and avoid querying the
cache twice by passing the host SID in the processing state if it is found
the first time.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d6f0b432 by David Mulder at 2020-01-14T11:09:13+01:00
Remove sssd Security Filtering host comment from man

Remove the sssd-ad man page comment explaining
that host entries in GPO Security Filtering is
not supported.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a2e7f687 by David Mulder at 2020-01-14T11:09:13+01:00
Create a computer_timeout for caching GPO security filter

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5c8f7960 by David Mulder at 2020-01-14T11:09:13+01:00
Resolve computer lookup failure when sam!=cn

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
007d5b79 by Lukas Slebodnik at 2020-01-22T11:47:11+01:00
BE_REFRESH: Do not try to refresh domains from other backends

We cannot refresh domains from different sssd_be processes.
We can refresh just subdomains

Resolves:
https://pagure.io/SSSD/sssd/issue/4142

Merges: https://pagure.io/SSSD/sssd/pull-request/4139

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b47edd9f by Lukas Slebodnik at 2020-01-22T11:48:14+01:00
SSS_INI: Fix syntax error in sss_ini_add_snippets

  CC     src/util/libsss_util_la-sss_ini.lo
    src/util/sss_ini.c: In function ‘sss_ini_add_snippets’:
    src/util/sss_ini.c:325: error: expected ‘;’ before ‘}’ token

Merges: https://pagure.io/SSSD/sssd/pull-request/4140

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
3bdce86b by Lukas Slebodnik at 2020-01-22T11:49:15+01:00
PROXY: Fix warning-format-overflow directive argument is null

  CC       src/providers/proxy/libsss_proxy_la-proxy_id.lo
In file included from src/util/util.h:47,
                 from src/providers/proxy/proxy.h:35,
                 from src/providers/proxy/proxy_id.c:30:
In function ‘delete_user’,
    inlined from ‘get_pw_uid’ at src/providers/proxy/proxy_id.c:383:15,
    inlined from ‘proxy_account_info’ at src/providers/proxy/proxy_id.c:1617:19,
    inlined from ‘proxy_account_info_handler_send’ at src/providers/proxy/proxy_id.c:1760:20:
src/util/debug.h:126:9: error: ‘%s’ directive argument is null
[-Werror=format-overflow=]
  126 |         sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  127 |                      __debug_macro_level, \
      |                      ~~~~~~~~~~~~~~~~~~~~~~
  128 |                      format, ##__VA_ARGS__); \
      |                      ~~~~~~~~~~~~~~~~~~~~~~
src/providers/proxy/proxy_id.c:215:5: note: in expansion of macro ‘DEBUG’
  215 |     DEBUG(SSSDBG_TRACE_FUNC,
      |     ^~~~~
src/providers/proxy/proxy_id.c: In function ‘proxy_account_info_handler_send’:
src/providers/proxy/proxy_id.c:216:17: note: format string is defined here
  216 |           "User %s does not exist (or is invalid) on remote server,"
      |                 ^~

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d7ddcc56 by Lukas Slebodnik at 2020-01-22T11:49:19+01:00
test_nss_srv: Suppress Conditional jump or move depends on uninitialised value

gcc10 reordered conditions in the long "or" condition
```
if (size < 2 || _list == NULL || *_list == NULL) {
```

And _list (gr->gr_mem) could be uninitialized if size was lower than 2.
It is a simplified implementation of parsing the packet in the unit test due to
mocking. `gr->gr_mem` always points to some array in real code.

Therefore we could see the following error.

Splitting the condition into two if blocks fixes the warning as well but
initializing `gr->gr_mem` to `NULL` is the simpler change.

[ RUN      ] test_nss_getgrnam_no_members
==12857== Conditional jump or move depends on uninitialised value(s)
==12857==    at 0x41B6C5: order_string_array (test_nss_srv.c:599)
==12857==    by 0x41B6C5: assert_groups_equal (test_nss_srv.c:617)
==12857==    by 0x41B810: test_nss_getgrnam_no_members_check (test_nss_srv.c:1476)
==12857==    by 0x41CB3F: __wrap_sss_cmd_done (test_nss_srv.c:138)
==12857==    by 0x4270C4: nss_protocol_done (nss_protocol.c:69)
==12857==    by 0x423949: nss_getby_done (nss_cmd.c:571)
==12857==    by 0x4E08359: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E0837D: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E0E1BF: ??? (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E0C54A: ??? (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x4E075D7: _tevent_loop_once (in /usr/lib64/libtevent.so.0.10.1)
==12857==    by 0x42D45B: test_ev_loop (common_tev.c:82)
==12857==    by 0x41C442: test_nss_getgrnam_no_members (test_nss_srv.c:1503)
==12857==
[       OK ] test_nss_getgrnam_no_members

Merges: https://pagure.io/SSSD/sssd/pull-request/4141

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d3d72b90 by Pavel Březina at 2020-01-28T15:51:16+01:00
ci: add CentOS 7

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
a18a6f00 by MIZUTA Takeshi at 2020-02-03T12:17:09+01:00
util/server: Fix the timing to close() the PID file

The PID file is closed just before the pidfile function returns.
However, if close() is called immediately after read()/write(),
there is no need to call close() in multiple places.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>

- - - - -
192eadaa by Alex Rodin at 2020-02-03T12:18:44+01:00
Update pam_sss.8.xml

pam_sss: Added return values on a man page

Resolves: https://pagure.io/SSSD/sssd/issue/3672

Reviewed-by: Michal Židek <mzidek at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
c3b98b2b by Lukas Slebodnik at 2020-02-04T13:18:41+01:00
CONFIGURE: Fix detection of samba version for idmap plugin

The parameter -e is not a standard parameter for the echo builtin,
and therefore need not be implemented in some shells.

e.g.
  sh$ /bin/dash -c 'echo -e "#include <samba/version.h>\nSAMBA_VERSION_MAJOR"'
  -e #include <samba/version.h>
  SAMBA_VERSION_MAJOR

And it caused failures in configure
  checking Samba's idmap plugin interface version... idmap test result is: 6
  configure: Samba's idmap interface version: 6
  configure: Samba version: -e #include <samba/version.h>
  SAMBA_VERSION_MAJOR -e #include <samba/version.h>
  SAMBA_VERSION_MINOR -e #include <samba/version.h>
  SAMBA_VERSION_RELEASE
  /home/build/sssd/configure: 21832: test: #include: unexpected operator
  configure: Samba's struct idmap_domain does not have dom_sid member

Merges: https://pagure.io/SSSD/sssd/pull-request/4153

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a483bfa6 by Lukas Slebodnik at 2020-02-04T13:18:59+01:00
CONFIGURE: Fix detection of attribute fallthrough

  configure:27218: checking whether compiler supports __attribute__((fallthrough))
  configure:27228: gcc -c -Werror  conftest.c >&5
  conftest.c:185:2: error: 'fallthrough' attribute at top level [-Werror=attributes]
    185 |  __attribute__ ((fallthrough));
        |  ^~~~~~~~~~~~~
  cc1: all warnings being treated as errors

Merges: https://pagure.io/SSSD/sssd/pull-request/4153

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
50cc1963 by MIZUTA Takeshi at 2020-02-06T11:15:01+01:00
Remove redundant header file inclusion

There are some source files including the same header file redundantly.
We remove these redundant header file inclusions.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4dbfaae4 by Andreas Hasenack at 2020-02-06T11:15:38+01:00
Fix another build failure with python 3.8

The parsing of python3-config --ldflags would break if multiple -L
path components were present. This change loops over these paths
until it finds the correct one.

Fixes https://pagure.io/SSSD/sssd/issue/4147

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bc56b10a by Stephen Gallagher at 2020-02-06T11:16:19+01:00
Fix build failure against samba 4.12.0rc1

The ndr_pull_get_switch() function was dropped, but it was just a wrapper
around the ndr_token_peek() function, so we can use this approach on both
old and new versions of libndr.

Signed-off-by: Stephen Gallagher <sgallagh at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
399ee9d1 by Lukas Slebodnik at 2020-02-10T11:12:00+01:00
BUILD: Accept krb5 1.18 for building the PAC plugin

Merges: https://pagure.io/SSSD/sssd/pull-request/4152

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
7aa96458 by Simo Sorce at 2020-02-10T11:14:43+01:00
Add TCP level timeout to LDAP services

In some cases the TCP connection may hang with data sent because
of network conditions; this may cause the socket to stall for much
longer than the timeout intended.
Set a TCP option to forcibly time out a socket that sees its data not
ACKed within ldap_network_timeout seconds.

Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ceea56be by MIZUTA Takeshi at 2020-02-10T11:19:12+01:00
monitor: Fix check process about multiple starts of sssd when pidfile remains

If PIDFile is invalid in sssd.service, the pidfile remains if sssd terminates abnormally.
Also, if /var/run is not tmpfs, the pidfile will remain when the OS is forcibly stopped.

In the check for multiple starts of sssd, only the existence of the pidfile is checked.
Fix it to check not only whether the pidfile exists, but also whether the PID exists.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
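The check described in the commit above, written out as an added stand-alone example (not sssd's own pidfile code): parse the PID from the file and probe it with `kill(pid, 0)`, which delivers nothing but reports whether the process exists. The four-state result, the helper names and the `dead_pid()` trick used to obtain a PID that is known to be gone are assumptions for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-alone version of a stale-pidfile check; not sssd code.
 * Existence of the file alone proves nothing: after a crash, or a hard
 * reset with a non-tmpfs /var/run, the file outlives its owner. */

enum pidfile_state {
    PIDFILE_ABSENT,     /* no file: safe to start */
    PIDFILE_STALE,      /* file present but no such process: safe to start */
    PIDFILE_INVALID,    /* unreadable or unparsable: refuse, let the admin look */
    PIDFILE_RUNNING     /* a process with that PID exists: refuse to start */
};

int write_pidfile(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        return -errno;
    }
    fprintf(f, "%ld\n", (long)pid);
    return fclose(f) == 0 ? 0 : -errno;
}

enum pidfile_state check_pidfile(const char *path)
{
    FILE *f = fopen(path, "r");
    char line[32];
    char *end;
    long pid;

    if (f == NULL) {
        return errno == ENOENT ? PIDFILE_ABSENT : PIDFILE_INVALID;
    }
    if (fgets(line, sizeof(line), f) == NULL) {
        fclose(f);
        return PIDFILE_INVALID;
    }
    fclose(f);

    errno = 0;
    pid = strtol(line, &end, 10);
    if (errno != 0 || end == line || pid <= 0 || (*end != '\n' && *end != '\0')) {
        return PIDFILE_INVALID;
    }

    /* Signal 0 performs only the existence and permission checks. EPERM
     * means the PID exists but belongs to another user, which still counts
     * as running; only ESRCH proves the file is stale. */
    if (kill((pid_t)pid, 0) == 0 || errno == EPERM) {
        return PIDFILE_RUNNING;
    }
    return errno == ESRCH ? PIDFILE_STALE : PIDFILE_INVALID;
}

/* Demonstration helper: obtain a PID that is guaranteed to be dead by
 * forking a child that exits immediately and reaping it. */
pid_t dead_pid(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        _exit(0);
    }
    if (pid > 0) {
        waitpid(pid, NULL, 0);
    }
    return pid;
}
```

Two caveats a practitioner should keep in mind: PIDs are recycled, so a stale file can by chance name an unrelated live process and block startup until the admin removes it (a pidfile therefore guards against accidental double starts, not against an adversary), and the file should be written and checked with the daemon's own privileges so an unprivileged user cannot plant one.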
2014d8f5 by Alex Rodin at 2020-02-10T11:25:13+01:00
Update __init__.py.in

We shouldn't modify the list of domain options in a loop. In some cases (for example issue #4149) that will cause problems, for example when deleting provider options after deleting the provider itself.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5b87af6f by Pavel Březina at 2020-02-10T16:57:34+01:00
sss_sockets: pass pointer instead of integer

```
/home/pbrezina/workspace/sssd/src/util/sss_sockets.c: In function ‘set_fd_common_opts’:
/home/pbrezina/workspace/sssd/src/util/sss_sockets.c:123:61: error: passing argument 4 of ‘setsockopt’ makes pointer from integer without a cast [-Werror=int-conversion]
  123 |         ret = setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, milli,
      |                                                             ^~~~~
      |                                                             |
      |                                                             unsigned int
In file included from /home/pbrezina/workspace/sssd/src/util/sss_sockets.c:28:
/usr/include/sys/socket.h:216:22: note: expected ‘const void *’ but argument is of type ‘unsigned int’
  216 |          const void *__optval, socklen_t __optlen) __THROW;
      |          ~~~~~~~~~~~~^~~~~~~~
  CC       src/util/sssd_kcm-sss_iobuf.o
cc1: all warnings being treated as errors
```

Introduced by 7aa96458f3bec4ef6ff7385107458e6b2b0b06ac

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
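The two commits above (7aa96458 adding the TCP-level timeout and 5b87af6f fixing its `setsockopt()` call) are illustrated by this added example, which is not sssd's `sss_sockets.c` code: it sets the Linux `TCP_USER_TIMEOUT` option from a value in seconds and reads it back. It shows the two details the fix turned on, namely that the option is expressed in milliseconds and that `setsockopt()` takes a pointer to the value, not the value itself. The function names are assumptions; `TCP_USER_TIMEOUT` is a real Linux option from `<netinet/tcp.h>`.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>

/* Abort the connection when transmitted data stays unacknowledged for
 * `seconds`. Returns 0 or a negative errno. Example code, not sssd's. */
int set_tcp_user_timeout(int fd, unsigned int seconds)
{
#ifdef TCP_USER_TIMEOUT
    unsigned int milli = seconds * 1000u;   /* the option is in milliseconds */

    /* Pass &milli: the optval argument is a pointer to the value. Passing
     * `milli` itself is the int-to-pointer bug the follow-up commit fixed. */
    if (setsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli, sizeof(milli)) != 0) {
        return -errno;
    }
    return 0;
#else
    (void)fd; (void)seconds;
    return -ENOTSUP;           /* not Linux, or headers too old */
#endif
}

/* Read the option back in whole seconds; -1 if unavailable. */
int get_tcp_user_timeout(int fd)
{
#ifdef TCP_USER_TIMEOUT
    unsigned int milli = 0;
    socklen_t len = sizeof(milli);

    if (getsockopt(fd, IPPROTO_TCP, TCP_USER_TIMEOUT, &milli, &len) != 0) {
        return -1;
    }
    return (int)(milli / 1000u);
#else
    (void)fd;
    return -1;
#endif
}
```

Note what this option does and does not cover: it bounds how long already-sent data may sit unacknowledged before the kernel gives up, which is the hang the commit targets; it does not shorten a `connect()` that never completes, nor a peer that is reachable but simply never answers at the LDAP layer, which is what the existing `ldap_network_timeout` and `ldap_opt_timeout` handling remains for.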
9483bf41 by Alex Rodin at 2020-02-12T10:54:10+01:00
SSSDConfig: Update of config options

 - Added missing config options with a description
 - Removed not used or replaced options such as ldap_group_search_scope, ldap_group_search_filter, etc...

Resolves:
https://pagure.io/SSSD/sssd/issue/1362

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f9b3c0d1 by Sumit Bose at 2020-02-17T11:35:25+01:00
ssh: do not mix different certificate lists

There was a list of binary certificates and a list with base64 encoded
ones which might be different depending on the active matching rules.
Only the base64 one with the filtered results should be used.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
849d495e by Sumit Bose at 2020-02-17T11:35:25+01:00
ssh: add 'no_rules' and 'all_rules' to ssh_use_certificate_matching_rules

To make ssh_use_certificate_matching_rules option more flexible and
predictable the keywords 'all_rules' and 'no_rules' are added.
'no_rules' can be used to allow all certificates.

If rule names are given but no matching rules can be found this is
considered an error and no ssh keys will be derived from the
certificates.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
faa5dbf6 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sbus_server: stylistic rename

Renamed sbus_server_name_remove_from_table() to
sbus_server_name_remove_from_table_cb() to keep naming consistent
with other functions used as `hash_delete_callback` argument of
sss_ptr_hash_create()

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
adc7730a by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: don't keep empty sss_ptr_hash_delete_data

There is no need to allocate memory for `sss_ptr_hash_delete_data`
if the table user doesn't provide a custom delete callback.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d0eb8808 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: sss_ptr_hash_delete fix/optimization

 - no reason to skip hash_delete() just because sss_ptr_hash_lookup_internal()
failed
 - avoid excessive lookup if it is not required to free payload

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8cc2ce4e by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: removed redundant check

`sss_ptr_hash_check_type()` call would take care of this case.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4bc0c2c7 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: fixed memory leak

In case the `override` check failed in _sss_ptr_hash_add()
`value` was leaking.
Fixed to do the `override` check before value allocation.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0bb12892 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
sss_ptr_hash: internal refactoring

sss_ptr_hash code was refactored:
 - got rid of a "spy" to make logic cleaner
 - table got destructor to wipe its content
 - described some usage limitation in the documentation

And resolves: https://pagure.io/SSSD/sssd/issue/4135

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
88b23bf5 by Alexey Tikhonov at 2020-02-17T11:37:30+01:00
TESTS: added sss_ptr_hash unit test

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9188aa17 by Paweł Poławski at 2020-02-20T10:51:23+01:00
GPO: Duplicated error message for unreadable GPO

sss_log() had the wrong type set as log level.
The result was an error message with very high
priority displayed on all terminals.

Resolves:
https://pagure.io/SSSD/sssd/issue/4133

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7b647338 by Sumit Bose at 2020-02-24T12:44:11+01:00
p11_child: check if card is present in wait_for_card()

Some implementations of C_WaitForSlotEvent() might return even if no
card was inserted. So it has to be checked if a card is really present.

Resolves: https://pagure.io/SSSD/sssd/issue/4159

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
37780b89 by Sumit Bose at 2020-02-24T12:44:11+01:00
PAM client: only require UID 0 for private socket

Some privileged services like e.g. gdm might only call with UID 0 but
with a different GID. This patch removes the GID 0 requirement to access
the private PAM socket so that e.g. gdm can use the wait-for-card option.

Resolves: https://pagure.io/SSSD/sssd/issue/4159

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a4219bbc by Alex Rodin at 2020-02-25T11:02:57+01:00
SSSDConfig: New SSSDOptions class

 - Moved option_strings dictionary to an external SSSDOptions class
 - Removed duplicate keys from option_strings dictionary
 - Updated Makefile.am to honor new sssdoptions.py file

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
746d4ff3 by ikerexxe at 2020-02-26T11:52:06+01:00
config: allowed auto_private_groups in child domains

sssctl config-check failed if auto_private_groups was enabled/disabled in child domains

Resolves:
https://pagure.io/SSSD/sssd/issue/4161

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b11907c6 by Michal Židek at 2020-02-27T00:16:10+01:00
Bump the version.

Recently added option ssh_use_certificate_matching_rules
changed behavior. This justifies version bump.

- - - - -
fe9eeb51 by Michal Židek at 2020-02-28T10:11:45+01:00
nss: Collision with external nss symbol

One of our internal static function names started
to collide with external nss symbol. Additional
sss_ suffix was added to avoid the collision.

This is needed to unblock Fedora Rawhide's
SSSD build.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
bfa02b0b by Pavel Březina at 2020-02-28T10:14:03+01:00
ci: keep system list outside repository

This way we do not need to push a new commit to the repository every time
we change the list of distributions we test on, and changes
will be immediately picked up by open pull requests without the
need to rebase them.

It will also help us to temporarily disable a particular distribution
when there are errors that we can not fix (e.g. the current rawhide issue)
so we can still have all green results.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
feaf8891 by Pavel Březina at 2020-02-28T10:14:03+01:00
ci: remove old dependency repository

This repository is no longer needed and the packages there have not been
maintained for many years. A recent update of mock-core-configs changes
`yum.conf` to `dnf.conf` on Fedora and this breaks things for us.

The original purpose was to add newer libraries (such as ding-libs) to
RHEL-6 and early RHEL-7 so we could test current master there. This is no
longer needed since they contain up to date packages. Therefore it is safe
to remove it instead of trying to determine whether there should be yum.conf
or dnf.conf.

Otherwise we end up during mock build with:
```
KeyError: 'yum.conf'

ERROR: Error in configuration
```

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
7fbc7e3f by Michal Židek at 2020-03-02T11:20:23+01:00
sssd.spec: Add recommended packages

sssd-dbus is recommended for tools and SSSD's logrotate
support can only be useful with the logrotate package
in place. It makes sense to recommend them.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
2143c727 by Samuel Cabrero at 2020-03-02T11:21:06+01:00
AD: use getaddrinfo with AI_CANONNAME to find the FQDN

In systems where gethostbyname() does not return the FQDN try calling
getaddrinfo().

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2dc82a24 by Thorsten Scherf at 2020-03-04T12:46:13+01:00
Fix sssd-ldap man page

The option 'ldap_default_authtok_type' also accepts non clear text passwords
in the meantime.

Signed-off-by: Thorsten Scherf <tscherf at redhat.com>

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
b19b25e1 by Thorsten Scherf at 2020-03-04T12:46:13+01:00
add reference to sss_obfuscate man page

Signed-off-by: Thorsten Scherf <tscherf at redhat.com>

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
9ccf78db by MIZUTA Takeshi at 2020-03-04T12:46:48+01:00
man: fix typos - correct manpage reference - correct wrong word - capitalize the first letter

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e4c6ebf6 by Pavel Březina at 2020-03-05T10:30:24+01:00
sdap: provide error message when password change fails in ldap_modify mode

Steps to reproduce:
1. Configure LDAP server to enable password constraints
2. Set ldap_pwmodify_mode = ldap_modify in [domain]
3. Run SSSD and authenticate as a user
4. Run passwd to change password, use password that does not meet requirements

It will print "password change successful" without this patch and the server
error message with this patch applied.

Resolves:
https://pagure.io/SSSD/sssd/issue/4148

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
12bd3f96 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
STAP: Add missing session data provider target

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d263fa9d by Samuel Cabrero at 2020-03-05T10:31:44+01:00
UTIL: Add a function to canonicalize IP addresses

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
860c4570 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
SYSDB: Add sysdb functions for hosts entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
62284927 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
SYSDB: Add index for hostAddress attribute

Adding the IP address to the indexed attributes will speed up the
host-by-address searches.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
99ce1171 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
SBUS: Add new resolver target interface

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d76d818c by Samuel Cabrero at 2020-03-05T10:31:44+01:00
DP: Add a new filter type, filter by address

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
469891df by Samuel Cabrero at 2020-03-05T10:31:44+01:00
RESPONDER: Add sss_dp_resolver_get_send

This function sends requests for IP hosts and networks to the resolver
target. Will be used by following cache req plugins:
* cache_req_ip_host_by_name
* cache_req_ip_host_by_addr
* cache_req_ip_network_by_name
* cache_req_ip_network_by_addr

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1cb20955 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
CACHE_REQ: Rename cache req host by name name plugin used by SSH

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
dafdd066 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
CACHE_REQ: Add a data field to store network addresses

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6e66e321 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
CACHE_REQ: Implement ip_host_by_addr and ip_host_by_name plugins

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e931f27d by Samuel Cabrero at 2020-03-05T10:31:44+01:00
NSS: Add client support for hosts (non-enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
55cfacfe by Samuel Cabrero at 2020-03-05T10:31:44+01:00
NSS: Add gethostbyname and gethostbyaddr support to the NSS responder

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
014cd3a5 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
TESTS: Add gethostbyname and gethostbyaddr NSS responder tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2c317ce9 by Samuel Cabrero at 2020-03-05T10:31:44+01:00
DP: Implement resolver target handler

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6f690037 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
CONFDB: Add new options for resolver provider

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d6d03aaf by Samuel Cabrero at 2020-03-05T10:31:45+01:00
CONFDB: Add a new resolver_timeout to timeout cached resolver entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b523fb6a by Samuel Cabrero at 2020-03-05T10:31:45+01:00
UTIL: Allow to specify mandatory and optional symbols when loading nss libs

A more flexible way of loading NSS shared libraries is needed, as not all
of them provide the same symbols.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0ec8bd57 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Create a module context to store id and auth contexts

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
688e6a6b by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Load resolver NSS library

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b1fe85eb by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Register resolver hosts handler method

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
be791978 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Handle resolver hosts by name requests

Call NSS library to get IPv4 and IPv6 addresses. If the host is not found,
cache entries are deleted.

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bbb7a45d by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Store results from NSS library call into the cache

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
00bc7897 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
SYSDB: Extend sysdb_store_host() to accept extra attributes

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29c583b6 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Handle resolver hosts by address requests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5672d2be by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Initialize resolver provider

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
1402f100 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Initialize resolver provider

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a61c6d61 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Initialize ldap_iphost_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
6a777526 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Document new ldap_iphost_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
0498591e by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Initialize ldap_iphost_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
b8fba016 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Prepare for iphost lookups

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
29b27395 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Add support for iphost lookups (no enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
bbcd849a by Samuel Cabrero at 2020-03-05T10:31:45+01:00
NSS: Add client support for [set|get|end]hostent()

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
11cc32e4 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
SYSDB: Add support for enumerating hosts

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8b96109f by Samuel Cabrero at 2020-03-05T10:31:45+01:00
CACHE_REQ: Add support for enumerating hosts

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a51bc0d by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Setup resolver enumeration tasks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
82b808d9 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Add support for iphost enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
2be80a00 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Setup resolver enumeration tasks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
10d9346a by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Add support for iphost enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
ae6d042c by Samuel Cabrero at 2020-03-05T10:31:45+01:00
LDAP: Implement iphost cleanup for expired cache entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
45dbaddd by Samuel Cabrero at 2020-03-05T10:31:45+01:00
AD: Implement iphost cleanup for expired cache entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e980b0f6 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
PROXY: Add support for iphost enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8a66d6e5 by Samuel Cabrero at 2020-03-05T10:31:45+01:00
TESTS: Add LDAP resolver target integration tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
e698d53e by Michal Židek at 2020-03-06T12:08:48+01:00
spec: Do not overwrite /etc/pam.d/sssd-shadowutils

We should not overwrite this file when sssd-common is
updated.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
6ab9ac3f by Petr Vaněk at 2020-03-06T12:13:55+01:00
configure: prefer python3 if available

We should prefer python3 every time when it is available regardless of
whether python3 bindings are generated, otherwise sbus_generate.sh fails
in python3 only systems, where sssd is configured with
--without-python3-bindings parameter.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d4bf6626 by Pavel Březina at 2020-03-16T16:42:59+01:00
sbus: commit complete generated code

99ce117106b9c0d0e0167f1c10f5840a7912fa7f incorrectly committed generated code.

Reviewed-by: Michal Židek <mzidek at redhat.com>

- - - - -
6f7f1569 by Sumit Bose at 2020-03-16T17:12:29+01:00
ssh: fix matching rules default

Before the ssh_use_certificate_matching_rules option was added the ssh
responder returned ssh keys derived from all valid certificates. Since
the default of the ssh_use_certificate_matching_rules option is
'all_rules', in a case where no matching rules are defined all
certificates will be filtered out and no ssh keys are returned.

The intention of the default was to allow the same certificates
which are allowed in the PAM responder for authentication. The missing
default matching rule which is currently used by the PAM responder if no
other rules are available is added by this patch.

There might still be a small regression in case certificates without the
extended key usage (EKU) clientAuth were used for ssh. In this case
'ssh_use_certificate_matching_rules = no_rules' or a suitable matching
rule must be added to the configuration.

Related to https://pagure.io/SSSD/sssd/issue/4121

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
653df698 by Alexey Tikhonov at 2020-03-18T13:24:26+01:00
Watchdog: fixes "off-by-one" error

'man sssd.conf': timeout: "Note that after three missed heartbeats
the process will terminate itself."

But implementation was:
```
#define WATCHDOG_MAX_TICKS 3
...
    if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) {
        ...
        _exit(1);
```
  -- since after reset ticks start from 0 effectively this was 4 heartbeats.

Fixed to match man page.

Resolves: https://pagure.io/SSSD/sssd/issue/4169

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

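A small model of the tick counting described above, added here as an example and not taken from SSSD: the struct, function names and the `>=` comparison used as the fix are constructed for illustration, so the exact upstream change may differ.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the watchdog counter; not SSSD's own code. */
#define WATCHDOG_MAX_TICKS 3

struct watchdog_ctx {
    int ticks;  /* timer ticks since the last heartbeat reset */
};

/* A heartbeat from the main loop resets the counter, as the commit
 * message says ("after reset ticks start from 0"). */
static void watchdog_heartbeat(struct watchdog_ctx *ctx)
{
    ctx->ticks = 0;
}

/* One timer tick without a heartbeat. Returns true when the process
 * would terminate itself. before_fix selects the original `>` test;
 * otherwise `>=` is used so three missed heartbeats are enough. */
static bool watchdog_tick(struct watchdog_ctx *ctx, bool before_fix)
{
    ctx->ticks += 1;
    if (before_fix) {
        /* original: ticks 1,2,3 pass, the 4th tick terminates */
        return ctx->ticks > WATCHDOG_MAX_TICKS;
    }
    /* fixed: the 3rd tick terminates, matching the man page */
    return ctx->ticks >= WATCHDOG_MAX_TICKS;
}

/* Number of consecutive missed heartbeats before termination, starting
 * from a freshly reset counter. */
int missed_heartbeats_until_exit(bool before_fix)
{
    struct watchdog_ctx ctx = { .ticks = 0 };
    int missed = 1;

    while (!watchdog_tick(&ctx, before_fix)) {
        missed++;
    }
    return missed;
}

/* A process that heartbeats between ticks must never be killed,
 * regardless of which comparison is in use. */
bool survives_with_heartbeats(int ticks, bool before_fix)
{
    struct watchdog_ctx ctx = { .ticks = 0 };

    for (int i = 0; i < ticks; i++) {
        if (watchdog_tick(&ctx, before_fix)) {
            return false;
        }
        watchdog_heartbeat(&ctx);  /* main loop is alive: reset */
    }
    return true;
}

int main(void)
{
    printf("before fix: terminates after %d missed heartbeats\n",
           missed_heartbeats_until_exit(true));
    printf("after fix:  terminates after %d missed heartbeats\n",
           missed_heartbeats_until_exit(false));
    return 0;
}
```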
- - - - -
863f71ac by Alexey Tikhonov at 2020-03-26T12:41:44+01:00
sssd.spec.in: added missing Requires

This partially resolves warnings of rpmdiff tool.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b432b2c4 by Paweł Poławski at 2020-04-01T11:15:40+02:00
LDAP: Netgroups refresh in background task

refresh_expired_interval config value spawns be_task
responsible for refreshing expired cache entries
in background.

Netgroup related entries are stored in persistent
cache rather than timestamp cache. After sdap_refresh_step()
has been replaced by generic be_refresh_step()
lookup routine was searching for entries only in
timestamp cache. This results in LDAP netgroup entries
not refreshing in background.

Resolves:
https://pagure.io/SSSD/sssd/issue/4177

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
704d9f1d by Paweł Poławski at 2020-04-01T11:15:40+02:00
SYSDB: Cache selector as enum

Sysdb has two sources of cache: timestamp based and persistent.
This change changes implementation of that selector from
binary flag to enum.

Reviewed-by: Jakub Hrozek <jhrozek at redhat.com>

- - - - -
0003eda9 by Sumit Bose at 2020-04-03T11:26:21+02:00
ipa: add missing new-line in debug message

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
27a3c0cf by Sumit Bose at 2020-04-03T11:26:21+02:00
sysdb: sanitize certmap rule name before using it in DN

The name of a certificate mapping and matching rule might contain
characters which are not allowed in RDNs and must be escaped before it
can be used in the DN of the cached certmap object.

Resolves: https://pagure.io/SSSD/sssd/issue/3721

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
626c9c2f by Tomas Halman at 2020-04-03T11:27:32+02:00
SYSDB: override_gid not working for subdomains

The override_gid is not propagated to subdomain. This patch
assigns subdomain's override_gid to the value coming from
parent domain.

Resolves:
https://pagure.io/SSSD/sssd/issue/4061

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ae5a2cdc by Pavel Březina at 2020-04-06T12:04:36+02:00
proxy: set pwfield to x for files library

Resolves:
https://pagure.io/SSSD/sssd/issue/4174

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
1fdd8fa2 by Noel Power at 2020-04-06T12:05:40+02:00
Use ndr_pull_steal_switch_value for modern samba versions

commit bc56b10aea999284458dcc293b54cf65288e325d attempted to
fix the build error resulting from removal of 'ndr_pull_get_switch'

This change uses the new replacement method
'ndr_pull_steal_switch_value' however depending on the samba version
the ndr_pull_steal_switch_value abi is different.

Note: ndr_pull_steal_switch_value is used since samba 4.10 for
      the affected methods

Note: the following methods have been refreshed from samba-4.12 generated
      code;

    o ndr_pull_security_ace_object_type
    o ndr_pull_security_ace_object_inherited_type
    o ndr_pull_security_ace_object_ctr

Signed-off-by: Noel Power <noel.power at suse.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c031adde by Noel Power at 2020-04-06T12:05:40+02:00
ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12

Signed-off-by: Noel Power <noel.power at suse.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5019d216 by Lars Francke at 2020-04-06T12:14:14+02:00
ldap: set ldap_group_name to sAMAccountName for ad schema

This is to make it consistent with the AD provider which was changed
in adb148603344a42d6edffdda0786a10af715dacb.

"name" is an optional field for the group class.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dab522c0 by Sumit Bose at 2020-04-09T13:08:23+02:00
confdb: use proper timestamp if sssd.conf is missing

If sssd.conf is missing the timestamp is uninitialized and as a result
the lastUpdate attribute in config.ldb will contain some random binary
value.

This patch initializes the timestamp to "1".

Resolves: https://pagure.io/SSSD/sssd/issue/4178

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
c7d328ea by Pavel Březina at 2020-04-09T13:11:21+02:00
proxy: do not fail if proxy_resolver_lib_name is not set

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
23c2d376 by Pavel Březina at 2020-04-09T13:11:21+02:00
be: add BE_REQ_HOST to be_req2str

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
41220021 by Pavel Březina at 2020-04-09T13:11:21+02:00
dp: free methods if target is not configured

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
494b838d by Joakim Tjernlund at 2020-04-09T13:14:50+02:00
Update OpenRC init.d script

Modernize the script, add TERM delay, rotate, online and offline

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
d028df03 by Lukas Slebodnik at 2020-04-09T13:19:22+02:00
CI: Drop usage of unnecessary copr repo for mock

Merges: https://pagure.io/SSSD/sssd/pull-request/4156

- - - - -
fa9ab958 by Alexey Tikhonov at 2020-04-17T12:53:47+02:00
PAM: fixed wrong debug message

Fixed wrong debug message in case of fail to read CONFDB_PAM_P11_URI
option from config.

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
903fe0fa by Alexey Tikhonov at 2020-04-21T13:22:17+02:00
MAN: fixed description of pam_cert_db_path

Part about "PKCS#11 modules" only applies to NSS version.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
80b9285b by ikerexxe at 2020-04-21T13:23:07+02:00
man: in sssd-ipa clarified trusted domains section

In sssd-ipa man page added a second option when configuring trusted domains

Resolves:
https://pagure.io/SSSD/sssd/issue/4041

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
1b84c3a1 by Pavel Březina at 2020-04-22T13:10:05+02:00
sysdb: check if the id override belongs to requested domain

Steps to reproduce:
1. Setup an id override (administrator at ad.vm: uid -> 10001)
2. Request user by name to fill cache
```
$ id Administrator at ad.vm
uid=10001(administrator at ad.vm) ...
```
3. Request user by id and see that domain part is missing
```
$ id 10001
uid=10001(administrator) ...
```

First, the uid is looked up in IPA domain and the override object is
found when we hit `sysdb_search_override_by_id` because id values are
not qualified. Therefore the origin object (administrator at ad.vm) is
returned as part of IPA domain.

We need to check if the original object belongs to the requested domain.

Resolves:
https://pagure.io/SSSD/sssd/issue/4173

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
233d30a5 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
SYSDB: Add sysdb functions for ipnetwork entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b37a13db by Samuel Cabrero at 2020-04-23T13:40:43+02:00
SYSDB: Add index for ipNetworkNumber attribute

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
c01c1c34 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
CACHE_REQ: Implement ip_network_by_name and ip_network_by_addr plugins

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
9c96d570 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
NSS: Add client support for networks (non-enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
e88aac3b by Samuel Cabrero at 2020-04-23T13:40:43+02:00
NSS: Add getnetbyname and getnetbyaddr support to the NSS responder

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0ae36657 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
TESTS: Add getnetbyname and getnetbyaddr NSS responder tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5dfced3c by Samuel Cabrero at 2020-04-23T13:40:43+02:00
DP: Handle IP network requests in resolver target

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
be1e6c12 by Samuel Cabrero at 2020-04-23T13:40:43+02:00
PROXY: Load networks symbols

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5e92783f by Samuel Cabrero at 2020-04-23T13:40:43+02:00
PROXY: Handle resolver IP network by name requests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0b88ce5d by Samuel Cabrero at 2020-04-23T13:40:43+02:00
PROXY: Handle resolver IP network by address requests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
fe9f0ecf by Samuel Cabrero at 2020-04-23T13:40:44+02:00
SYSDB: Add functions to store IP networks from providers

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
92e8c1e8 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
PROXY: Store IP network results from NSS library in the cache

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
93de591c by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Initialize ldap_ipnetwork_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
4ab99ef1 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Document new ldap_ipnetwork_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
407d766d by Samuel Cabrero at 2020-04-23T13:40:44+02:00
AD: Initialize new ldap_ipnetwork_* options

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
3533697f by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Prepare for ipnetwork lookups (no enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
0e5303ba by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Add support for ipnetwork lookups (no enumeration)

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
29adb108 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
NSS: Add client support for [set|get|end]netent()

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
cad60f63 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
SYSDB: Add support for enumerating ipnetworks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
5e75d695 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
CACHE_REQ: Add support for enumerating ip networks

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ab2cd9ca by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Add support for ipnetworks enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f7069573 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
LDAP: Implement ipnetwork cleanup for expired cache entries

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
08b774e4 by Samuel Cabrero at 2020-04-23T13:40:44+02:00
PROXY: Add support for ipnetwork enumeration

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
ebe944ba by Samuel Cabrero at 2020-04-23T13:40:44+02:00
TESTS: Add LDAP resolver IP networks tests

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
f5cb0e16 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Grant access if DACL is not present

We falsely stopped GPO processing when Group Policy Container
in AD did not contain a DACL or "DACL Present" bit was not set.
Such GPOs are considered to be applicable according to MS-ADTS:
https://msdn.microsoft.com/en-us/library/cc223518.aspx.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
8527ed11 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Support group policy file main folders with upper case name

There are AD domain controller implementations that use upper case names
for the main folder on SYSVOL under which group policy files and templates
are stored. E.g. 'MACHINE' instead of 'Machine'.

gpo_child uses library libsmbclient to copy group policy files from the AD
domain controller into a local GPO cache directory. libsmbclient does not
allow to request the domain controller to perform case insensitive SMB URI
lookups, if SYSVOL is located on a case sensitive file system. If a group
policy template is stored under main folder 'MACHINE' gpo_child cannot
retrieve the policy data and exits with error code 2 (No such file or
directory). GPO based access control fails with error 22 (Invalid argument)
and users may not be able to login.

GP_EXT_GUID_SECURITY_SUFFIX constant defines a case sensitive main folder
name (/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf) for the policy
template to retrieve. If the group policy file cannot be retrieved, gpo_child
will now also try to retrieve the file using an upper case main folder name,
i.e. /MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>
Signed-off-by: Thomas Reim <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
866d588a by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Close group policy file after copying

The SMB protocol sequence for copying the content of group policy files
should be:
- smbc_getFunctionOpen()
- smbc_getFunctionRead()
- smbc_getFunctionClose().

Inform the AD server, that we do not need further access to a policy file
after we have copied its content.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
5435e0a6 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Group policy access evaluation not in line with [MS-ADTS]

The implemented security ACE evaluation algorithm is too strict and does not
meet Microsoft technical specifications:
Security access rights for a group policy object may be split into several
access control entries (ACE). The implemented algorithm does not consider
this and denies access to GPOs, where the "ApplyGroupPolicy" (AGP) ACE is
preceded by a standard access rights ACE. The algorithm also denies
access, if the AGP ACE is preceded by other extended object ACEs.

Update security access right evaluation algorithms to be in line with the
applicable Microsoft technical specifications:
- Add a simple evaluation algorithm to check standard access rights for the
  complete GPO ([MS-ADTS] 5.1.3.3.2 and [MS-GOPD] 2.4):
  The requester must have been granted read access (RIGHT_DS_READ_PROPERTY)
  to the properties of the GPO
- Fix the "ApplyGroupPolicy" evaluation algorithm to be in line with
  [MS-ADTS] 5.1.3.3.4

Further improve debug messages during security filtering for administrators
to figure out why access to a GPO was denied:
- Inform administrators when a GPO with applicable AGP access right has not
  been evaluated due to missing or denied read access.
- Show the trustee's SID that specifies the particular user or group for
  which GPO access has been denied
- Align message content to Microsoft tool like Gpresult

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>
Signed-off-by: Thomas Reim <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
a32f94f5 by REIM THOMAS at 2020-04-29T14:16:45+02:00
GPO: Improve logging of GPO security filtering

GPO security filtering is as critical as the actual logon policy rights
checking. Administrators should not only be able to figure out, why GPO
access check granted or denied a user login, but also why a GPO access
check was not performed due to security filtering.

GPO access check can be logged using debug level Function Data, whereas GPO
security filtering can only be logged with lowest level tracing.

- Debug the main security filtering activities on level Function Data
- Debug missing security descriptor as minor failure, because it terminates
  GPO security filtering.

Resolves:
https://pagure.io/SSSD/sssd/issue/3324

Signed-off-by: REIM THOMAS <reimth at gmail.com>

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
4c93aa76 by Paweł Poławski at 2020-05-05T12:47:40+02:00
DOMAIN: Downgrade log message type

Not all domains contain a flat name.
This is specific and in most cases needed for AD domain.
In case of AD domain flat name checking and failure log already exists:
src/providers/ad/ad_domain_info.c +104

src/util/usertools.c contains more generic domain related
functions. In those cases missing of flat_name should not be
considered as failure.

Resolves:
https://github.com/SSSD/sssd/issues/1032

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
9b120fe0 by Alexey Tikhonov at 2020-05-06T09:41:17+02:00
SPEC: added explicit `samba-client-libs` dependency

Resolves: https://github.com/SSSD/sssd/issues/5136

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
a7099b72 by Sumit Bose at 2020-05-06T09:42:40+02:00
sudo: fix ldap_sudo_include_regexp default

With https://github.com/SSSD/sssd/pull/627 the default value for
ldap_sudo_include_regexp should be set to 'false' but unfortunately the
patch was incomplete. With this patch the default should be changed
properly.

Resolves https://pagure.io/SSSD/sssd/issue/3515

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
ac7248e8 by Sumit Bose at 2020-05-06T09:44:20+02:00
ad: use GSSAPI with LDAPS

There is an issue in some cyrus-sasl versions where a max SSF of 0 (zero)
is not handled correctly when using GSS-SPNEGO. To be on the safe side
we switch to GSSAPI in that case.

Related to https://pagure.io/SSSD/sssd/issue/4007

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
dc21609f by Sumit Bose at 2020-05-06T09:44:20+02:00
ad: change SASL mech default to GSS-SPNEGO

Resolves: https://pagure.io/SSSD/sssd/issue/4007

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
8b2c4ad0 by Alexey Tikhonov at 2020-05-07T11:23:07+02:00
config: switch to OpenSSL as default crypto backend

 - switch default to OpenSSL
 - warn about deprecation in the case NSS is selected
   during configuration

Resolves: https://github.com/SSSD/sssd/issues/1041 parts I.1 and I.2

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
5379fddb by Alexey Tikhonov at 2020-05-07T11:24:21+02:00
SPEC: 'sssd.api.*' should belong `python-sssdconfig`

`sssd.api.conf` and `sssd.api.d/*` are only used by python-sssdconfig,
not by sssd-common.

Resolves: https://github.com/SSSD/sssd/issues/1038

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b4354623 by Alexey Tikhonov at 2020-05-12T10:02:04+02:00
TESTS: NSS db setup is only required in NSS based build

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
090d804c by Samuel Cabrero at 2020-05-12T10:03:14+02:00
Drop obsolete SUSE spec file

Just for reference, SUSE spec files are available in openSUSE build
service: https://build.opensuse.org/package/show/network:ldap/sssd

Signed-off-by: Samuel Cabrero <scabrero at suse.de>

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
ee56fbca by Pavel Březina at 2020-05-12T10:04:04+02:00
p11_child: fix initializer error

Building with:
```
$ echo $CFLAGS
-m64 -mtune=generic -fstack-protector-all -Wall -Wextra -Wno-sign-compare -Wshadow -Wunused-variable -Wno-unused-parameter -Wno-error=cpp -O0 -ggdb3 -Werror -Wp,-U_FORTIFY_SOURCE
```

Produces:
```
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c: In function ‘get_preferred_rsa_mechanism’:
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c:1296:9: error: missing initializer for field ‘evp_md’ of ‘struct prefs’ [-Werror=missing-field-initializers]
 1296 |         { 0, NULL }
      |         ^
/home/pbrezina/workspace/sssd/src/p11_child/p11_child_openssl.c:1288:23: note: ‘evp_md’ declared here
 1288 |         const EVP_MD *evp_md;
      |                       ^~~~~~
```

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
f2ac087d by Alexey Tikhonov at 2020-05-12T11:35:39+02:00
SBUS: do not return invalid connection pointer

Resolves:
https://github.com/SSSD/sssd/issues/5126

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
db6f6b6d by Alex Rodin at 2020-05-15T10:39:18+02:00
MAN: use_fully_qualified_names description updated

Updated the information about when the option defaults to TRUE.

Resolves: https://github.com/SSSD/sssd/issues/1025

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
49b9ca15 by ikerexxe at 2020-05-15T10:40:21+02:00
ipa_auth and krb5_auth: when providing wrong password return PAM_AUTH_ERR

When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.

Resolves:
https://github.com/SSSD/sssd/issues/5139

Reviewed-by: Sumit Bose <sbose at redhat.com>

- - - - -
035271b7 by Paweł Poławski at 2020-05-15T10:41:57+02:00
MAN: refresh_expired_interval description updated

In some situations the background task triggered by setting
refresh_expired_interval looks to be broken.
The MAN description for refresh_expired_interval has been updated
to inform the user about this scenario.

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
95c8667a by Sumit Bose at 2020-05-19T11:05:32+02:00
ad: make GSS-SPNEGO maxssf=0 workaround configurable

To allow bypassing the workaround if the installed cyrus-sasl can
handle maxssf=0 with GSS-SPNEGO a new configure option
--enable-gss-spnego-for-zero-maxssf is added. By default this option is
set to 'no' and the workaround is enabled.

Resolves: https://github.com/SSSD/sssd/issues/4978
          https://pagure.io/SSSD/sssd/issue/4007

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
11435b10 by Sumit Bose at 2020-05-19T11:06:23+02:00
krb5: do not cache ccache or password during preauth

The PAM preauth step is mainly used to determine which authentication
methods (single factor, two factor, Smartcard) are available for the
user. It does not make sense to try to store the password hash or the
credential cache at this step because this information is not available
or not accurate at this step.

It might even cause issues if the credential cache name contains a random
component. This is typically used for file based credential caches
stored in the /tmp directory to avoid attacks that pre-create the file
since the name is known. Since the credential cache name still contains
the template for the random component 'XXXXXX', updating the credential
cache name in the cache during preauth destroys the information about
the currently used credential cache and upcoming authentications will
create a new one.

This causes issues with screen-savers or screen-lock where every
unlocking creates a new credential cache file instead of updating the
existing one as expected. Another case is if a user logs in
multiple times to the same host, e.g. with ssh. Here it is expected as
well that the first session will create a new credential cache file
while all additional sessions will reuse it and only update the TGT in
the existing credential cache.

Resolves: https://github.com/SSSD/sssd/issues/5160

Reviewed-by: Alexey Tikhonov <atikhonov at redhat.com>

- - - - -
bf8536a0 by Alexey Tikhonov at 2020-05-19T11:12:47+02:00
Fixed unsafe usage of strncpy()

This patch fixes unsafe usage of strncpy() that renders warnings like:
```
In function ‘ad_try_to_get_fqdn’,
    inlined from ‘ad_get_common_options’ at ../src/providers/ad/ad_common.c:540:19:
../src/providers/ad/ad_common.c:468:5: warning: ‘strncpy’ specified bound 65 equals destination size [-Wstringop-truncation]
  468 |     strncpy(buf, res->ai_canonname, buflen);
```

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
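The warning quoted in the commit above flags the classic `strncpy()` pitfall: when the bound passed equals the size of the destination, a source string of that length or longer fills the buffer without a terminating NUL, and every later `strlen()` or `printf("%s")` on it reads past the end. The following is an added example, not SSSD's code, showing the unsafe pattern next to a bounded copy that always terminates and reports truncation; the buffer size of 65 and the hostname inputs are constructed for illustration.

```c
/*
 * Added example (not SSSD's code): the strncpy() hazard behind
 * -Wstringop-truncation and a safe bounded copy to replace it.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_BUF_LEN 65   /* constructed: 64 characters plus the NUL */

/* The unsafe pattern: strncpy(buf, src, buflen) with buflen equal to the
 * destination size. If strlen(src) >= buflen the whole buffer is filled
 * and no NUL terminator is written. Returns true only when the result is
 * NUL-terminated, so callers can see when the copy went wrong. */
bool copy_unsafe(char *buf, size_t buflen, const char *src)
{
    strncpy(buf, src, buflen);
    return memchr(buf, '\0', buflen) != NULL;
}

/* The safe replacement: never write more than buflen - 1 bytes, always
 * terminate, and tell the caller whether the input was truncated so an
 * over-long hostname can be rejected instead of silently shortened.
 * Returns 0 on an exact copy, 1 if truncated, -1 on bad arguments. */
int copy_safe(char *buf, size_t buflen, const char *src)
{
    size_t len;

    if (buf == NULL || buflen == 0 || src == NULL) {
        return -1;
    }

    len = strlen(src);
    if (len >= buflen) {
        memcpy(buf, src, buflen - 1);
        buf[buflen - 1] = '\0';
        return 1;
    }
    memcpy(buf, src, len + 1);  /* includes the terminating NUL */
    return 0;
}

/* Exercises both copies on a short and an over-long constructed hostname.
 * Returns 0 when every expectation holds, otherwise the failing step. */
int check_copies(void)
{
    char buf[HOSTNAME_BUF_LEN];
    char longname[101];                 /* constructed 100-char name */
    const char *shortname = "ipaclient.example.test";

    memset(longname, 'a', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    /* short input fits: both variants terminate correctly */
    if (!copy_unsafe(buf, sizeof(buf), shortname)) return 1;
    if (copy_safe(buf, sizeof(buf), shortname) != 0) return 2;
    if (strcmp(buf, shortname) != 0) return 3;

    /* over-long input: strncpy leaves no NUL, the safe copy truncates */
    if (copy_unsafe(buf, sizeof(buf), longname)) return 4;
    if (copy_safe(buf, sizeof(buf), longname) != 1) return 5;
    if (strlen(buf) != HOSTNAME_BUF_LEN - 1) return 6;

    /* argument validation */
    if (copy_safe(buf, 0, shortname) != -1) return 7;
    if (copy_safe(NULL, sizeof(buf), shortname) != -1) return 8;

    return 0;
}

int main(void)
{
    int rc = check_copies();

    printf("strncpy checks: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point of returning a truncation indicator rather than only clamping is that a hostname used for Kerberos principal construction or LDAP matching must not be silently shortened; the caller should treat `1` as an error, which is also what `-Wstringop-truncation` is nudging toward.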
b5728712 by Simo Sorce at 2020-05-19T11:16:16+02:00
cache_req: introduce cache_behavior enumeration

Instead of using individual booleans for controlling the behavior
of the nss responder with regard to cache usage, use a single
enumeration that can be extended to add new behaviors as needed.

Related:
https://pagure.io/SSSD/sssd/issue/4098

Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
d2424bfb by Simo Sorce at 2020-05-19T11:16:16+02:00
pam: Use cache for users with existing session

Users that have an existing session do the bulk of their authentication
to unlock services that do not make use of initgroups (used only to
create a new login session). Forcing online initgroups calls for these
users leads mostly to delays in providing those services and does not
provide any useful data.

Resolves:
https://pagure.io/SSSD/sssd/issue/4098
Signed-off-by: Simo Sorce <simo at redhat.com>

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
b66f0e44 by Sumit Bose at 2020-05-19T11:16:16+02:00
pam: add option pam_initgroups_scheme

This new option should be used to tell the PAM responder to refresh the
user's group memberships either with every new PAM session or always
rely on cached data or refresh the data only if the user currently has
no active login session.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
68aa68e8 by Sumit Bose at 2020-05-19T11:16:16+02:00
pam: use pam_initgroups_scheme

The new pam_initgroups_scheme option is used to control how the PAM
responder is refreshing the group membership data of the user.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
74f0a451 by Sumit Bose at 2020-05-19T11:16:16+02:00
cache_req: no refresh with CACHE_REQ_BYPASS_PROVIDER

This patch fixes an unexpected behavior of the cache request code if the
CACHE_REQ_BYPASS_PROVIDER option is used. Currently even if this option
is used an expired entry in the cache is refreshed by calling the
provider. With this patch an error is returned if the entry is expired
and the provider is not called.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
272efe49 by Sumit Bose at 2020-05-19T11:16:16+02:00
pam: make sure initgr cache is not created twice

There are now two code paths which might call pam_initgr_cache_set() so
we should make sure the initgr cache is not created twice.

Resolves: https://pagure.io/SSSD/sssd/issue/4098

Reviewed-by: Pavel Březina <pbrezina at redhat.com>

- - - - -
7b253751 by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
DEBUG: changed timestamp output format

Changed timestamp format from (example) "(Tue Apr 21 14:35:30 2020)" to
"(2020-04-21 14:35:30)" to have tidier and "sorting friendly" logs.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
b5604d07 by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
DEBUG: introduce new SSSDBG_TRACE_LDB level

libldb LDB_DEBUG_TRACE messages usually don't bring any useful info
but create a lot of unneeded noise in the logs.
Nonetheless it feels too radical to drop them completely.
This patch introduces a new debug_level=10 (0x10000) especially for those
messages.

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
00e7b1ad by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
DEBUG: changed "debug_prg_name" format

Removed the wrapping "[sssd[...]]" from "debug_prg_name" as this doesn't
carry any information but eats 8 characters of the debug line.
For example, instead of `[[sssd[ldap_child[12492]]]]` logs will have
`[ldap_child[12492]]`.

I was also considering removing "debug_prg_name" from the output
completely but gave up this idea. It makes sense to have the program name
in the output to be able to combine a few logs together (sorted by
timestamp).

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
65369f29 by Alexey Tikhonov at 2020-05-19T11:19:04+02:00
WATCHDOG: log process termination to the journal

This patch adds an explicit system journal message in case the process was
terminated by an internal watchdog.

Resolves: https://github.com/SSSD/sssd/issues/5146

Reviewed-by: Pawel Polawski <ppolawsk at redhat.com>

- - - - -
69de78d8 by Pavel Březina at 2020-05-19T11:50:26+02:00
Move from Pagure to Github

Reviewed-by: Tomáš Halman <thalman at redhat.com>

- - - - -
ed64f142 by Pavel Březina at 2020-05-19T12:21:35+02:00
Update the translations for the 2.3.0 release

- - - - -


11 changed files:

- .git-commit-template
- BUILD.txt
- Jenkinsfile
- Makefile.am
- README.md
- configure.ac
- contrib/ci/run
- contrib/sssd.spec.in
- − contrib/suse/sssd.spec.in
- contrib/test-suite/test-suite.yml
- po/bg.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/8607b4822e4b6437d87dabf714882407f8959ef2...ed64f142f617b154235831d5cb68575604567bbc
