[Pkg-sssd-devel] [Git][sssd-team/sssd][upstream] 65 commits: CI: clean configure.sh

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Jan 18 10:15:17 GMT 2024



Timo Aaltonen pushed to branch upstream at Debian SSSD packaging / sssd


Commits:
ba7b9938 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: clean configure.sh

Support for Fedora 36-, RHEL/CentOS 6 and 7 in master branch ended, so
let's remove them. In addition, Python2 support only exists in
RHEL/CentOS 8, so make only those two distributions use
`python2-bindings`. Finally, include RHEL/CentOS 10 for configurable
features.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 3edc04d17fbfa520f5522293e861227f5119e15f)

- - - - -
31617400 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: clean distro.sh

Support for Fedora 36- in master branch ended, so let's remove them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 39a0de22daa8b95feb280427876732bcbbb22583)

- - - - -
52acc394 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: clean deps.sh

Support for Fedora 36- in master branch ended, so let's remove them.

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 05ea3f1bec1b1b51e5248c6276ada7870cf03fdc)

- - - - -
776f6e19 by Iker Pedrosa at 2023-11-14T12:44:46+01:00
CI: upload cwrap logs

Signed-off-by: Iker Pedrosa <ipedrosa at redhat.com>

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 292ef326b4a181d061c59a15fc7819feb8118313)

- - - - -
fd414aae by Jakub Vavra at 2023-11-15T07:02:15+01:00
Tests: Add a test for bz1900973 kcm delete expired tickets

Reviewed-by: Alejandro Lopez <allopez at redhat.com>
Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0f1a6e350584924fd9f18aceae20d04c54bdd845)

- - - - -
f394acee by Alexey Tikhonov at 2023-11-17T14:09:30+01:00
SPEC: 'sssd-proxy' requires 'libsss_certmap.so'

Resolves following rpminspect warning:
```
Subpackage sssd-proxy carries 'Requires: libsss_certmap.so.0()(64bit)' which comes from
subpackage libsss_certmap but does not carry an explicit package version requirement.
Please add 'Requires: libsss_certmap = %{version}-%{release}' to the spec file to avoid
the need to test interoperability between various combinations of old and new subpackages.
```

Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3eae4cc5282e4b76454b358e986da0757bb81d7f)

- - - - -
4b4564c3 by Alexey Tikhonov at 2023-11-17T14:10:35+01:00
UTIL: use proper specifier for 'DEBUG_CHAIN_ID_FMT_*'

Resolves: https://github.com/SSSD/sssd/issues/6790

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2617dcfd6376e0bb0a44cc15b11f0e6531c33960)

- - - - -
1e2af0d1 by Alexey Tikhonov at 2023-11-17T14:10:35+01:00
Don't provide 'uint64_t' as POPT_ARG_LONG.

Sizes might not match on some platforms.

Resolves: https://github.com/SSSD/sssd/issues/6790

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 098bf64a03e5e7c054bd0e40717484d45c93d031)

- - - - -
b536e4b3 by Dan Lavu at 2023-11-28T12:35:11+01:00
tests: consolidation, refactoring and organizing, renaming of some tests

- added markers to pytest.ini
- added markers to tests
- consolidated two sssctl test files into one, sssctl_config_check.py and sssctl.py
- renamed test_id.py to test_identity.py, just to match the marker groups
- renamed the test cases in test_identity.py to be more readable
- renamed test_ldap_extra_attrs.py to test_schema.py, after looking at the tests, it's testing the schema attributes
- appended test_shadow.py to test_ldap.py, tests shadowlastchange = 0 in LDAP

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 92e85f1a135c89bca17cbd8c7efe8562d2c5beca)

- - - - -
469ddcbf by Alejandro López at 2023-11-28T13:23:18+01:00
LOGROTATE: logrotate should also signal sssd_kcm

sssd_kcm is not registered with SSSD's monitor, so it is not signaled
when it must restart the log. Adding this command will directly signal
sssd_kcm (in addition to the monitor).

If sssd_kcm is also running in one or more containers, they will also
receive the signal. Because only the log files in the host were rotated,
the instances in the containers will go on using the same log files.
Nothing will happen except for the "Received SIGHUP. Rotating logfiles."
message in the log files. If we want to avoid this, we should implement
a PID file.

Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 230e7757a7805c7c530d0914936f353882bd504e)

- - - - -
8c832345 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Replace a hard-coded constant by a macro

The per-UID quota is internally increased by 2. This value is no
longer hard-coded but replaced by the KCM_MAX_UID_EXTRA_SECRETS macro.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit c73b7eb801ed14892e34cd8e810678220785edf5)

- - - - -
855d0465 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Fixed a wrong check

The pointer to the newly allocated iobuffer is stored into
state->op_ctx->reply but the check for NULL is done on state->reply,
which we already know is not NULL because it was checked before and
not modified after that.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3cba6d1153c102f9596335db28cc017e8338e868)

- - - - -
14e7d7c0 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Remove unused cc_be_type from struct kcm_ccdb

This field is never set and never used. Let's remove it.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 126920546e38f9df6c1c1bda95f0bcd6991cb722)

- - - - -
3e740a25 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: When freeing the client, check that it is not NULL.

`cc->client` could be NULL.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2eb67afc014878108a555fd0ac41bef954a2a962)

- - - - -
a5c96e29 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: sss_iobuf_init_empty() shall not zero memory

sss_iobuf_init_empty() and related functions zero the allocated memory
even though it is not needed. Most of the time, all the fields in the
structures will be set to non-zero values. In these cases zeroing the
memory is useless and we stop doing it.

Only in two cases, some pointers were being left unmodified, so they
are now being manually set to NULL.

Resolves: https://github.com/SSSD/sssd/issues/7014

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit edb63cde4fcfa1089e8f39c5d0b6f1e0c184ea0d)

- - - - -
78d0a97d by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Reduce the amount of memory allocated for the packages

Some packages are being allocated to their maximum size, even though all
that memory is not required. When the amount of memory needed is not known,
we reduce the amount of memory allocated to the initial size defined by
the KCM_PACKET_INITIAL_SIZE macro.

The existing KCM_REPLY_MAX was replaced by KCM_PACKET_MAX_SIZE.

Resolves: https://github.com/SSSD/sssd/issues/7014

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit fe6c35addee2cfd0c32021e4b079eec7575ca90c)

- - - - -
60fde9d5 by Alejandro López at 2023-11-28T13:23:52+01:00
KCM: Do not zero memory when not needed.

A few more cases where memory is allocated and zeroed when it is not
required.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit b4f9f63bd74722c543c7d2f3695f0d2351eba4c3)

- - - - -
c5d04578 by Patrik Rosecky at 2023-11-29T08:30:56+01:00
Tests: converted alltests/test_default_debug_level

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit e9189052a46d28e6397686c28d744d5e45f1f72d)

- - - - -
ff520020 by Sumit Bose at 2023-12-01T10:35:10+01:00
ci: make valgrind suppression more relaxed for test_ipa_subdomains_server

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit e9e6d80e20fbf82c8b48ca4edbe2996018f7f7cd)

- - - - -
e03921e4 by Sumit Bose at 2023-12-01T10:35:38+01:00
nssidmap: fix sss_nss_getgrouplist_timeout() with empty secondary group list

sss_nss_getgrouplist_timeout() is intended as a replacement for
getgrouplist() which only gets secondary groups from SSSD. Currently it
returns an ENOENT error if there are no secondary groups returned by
SSSD. However, as with getgrouplist(), there is the second parameter
which expects a single GID which will be added to the result. This means
that sss_nss_getgrouplist_timeout() will always return at least this GID
as a result and an ENOENT error does not make sense.

With this patch sss_nss_getgrouplist_timeout() will not return an error
anymore if there are no secondary groups but just a result with the
single GID from the second parameter.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit cffe6e09c6b4cd8afa049365bbd432ace5d2a9d9)

- - - - -
9a6ff9e7 by Sumit Bose at 2023-12-04T11:25:47+01:00
pam: fix Smartcard auth with files provider

It is expected that the files provider ignores the local_auth_policy
option and supports Smartcard authentication by default.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 5e7cd889d6b2554e822370d2c962791d00f26278)

- - - - -
a8928a9a by Madhuri Upadhye at 2023-12-05T22:10:38+01:00
tests: add passkey tests for authentication failures

Test cases are as follows:
4. Check auth deny for incorrect pin for LDAP, IPA, AD and Samba.
5. Check auth deny for incorrect passkey mapping for LDAP, IPA, AD and Samba.
6. Check auth of user when server is not resolvable for IPA, LDAP, AD and Samba.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Jakub Vávra <jvavra at redhat.com>
(cherry picked from commit f4c9d6efd6492ca32679aff1897b3d2593b9455d)

- - - - -
be5399c1 by Sumit Bose at 2023-12-06T17:55:14+01:00
sssctl: do not require root for user-checks

There is no requirement for root to run the test and if the user does
not have the needed privileges to access the related services this is
good as a test result as well. Additionally at least pam_chauthtok()
behaves differently when being called as root compared to an ordinary
user.

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
(cherry picked from commit 8ff7fdc127dafb8d4d98231e0f7d43af89f8595b)

- - - - -
e44ad324 by Jakub Vavra at 2023-12-06T17:56:06+01:00
Tests: Add a test for kcm log rotation SSSD-5687

Ticket: https://issues.redhat.com/browse/SSSD-5687

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit 38db355aa1b0b8f370e8eba2001bbdf58a9d7d77)

- - - - -
2bc72a2b by Patrik Rosecky at 2023-12-06T17:56:37+01:00
Tests: alltests/test_autoprivategroup.py converted to system/test_auto_private_groups.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit a5f636bb4c90dc6077ebe0bbc50ae166d39ecf24)

- - - - -
35bcb91b by Pavel Březina at 2023-12-06T18:50:25+01:00
ad: do not print backtrace if SSSD domain name is not the same as DNS name

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 76d3b5a45bff7a473613504414e8f913f2929800)

- - - - -
eabeb3a7 by Pavel Březina at 2023-12-06T18:50:25+01:00
ad: do not print backtrace if SOM is missing in GPO

This is expected on empty GPOs and we just skip the element.
Therefore we should not print backtrace.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 3e976dc6a7a5785d5ea657dd050709eb04889748)

- - - - -
d02874be by Pavel Březina at 2023-12-07T16:15:47+01:00
tests: adapt to new firewall API

The firewall API was redesigned in order to make it more flexible and
start supporting outbound rules as well. Blocking all communication
to given host using an outbound rule is less prone to errors since
it does not depend on specific ports.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 0f9611cdc6c0bef30d1762f9665a973c31b59fd3)

- - - - -
f4908728 by Justin Stephenson at 2023-12-07T16:22:32+01:00
passkey: Add krb5 preauthentication prompt support

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit 60fdacfd88247ca4cd7f69e77c51749285c3e89b)

- - - - -
6959dc6a by Alexey Tikhonov at 2023-12-08T12:14:16+01:00
DP: reduce log level in case a responder asks for unknown domain

Since 9358a74d3a56c738890353aaf6bc956bfe72df99 a domain might be
skipped by 'ad_enabled_domains' option

Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 39cd0baa06742b349ed763aa40ea4de366e80f1a)

- - - - -
66bd91d5 by Patrik Rosecky at 2023-12-08T13:22:39+01:00
Tests: alltests/test_ldap_extra_attrs.py converted to system/tests/test_schema.py

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Pavel Březina <pbrezina at redhat.com>
(cherry picked from commit c2360811d5a65e0438eb4a26e4f7e8148e631a8a)

- - - - -
f6faf123 by Alexey Tikhonov at 2023-12-12T11:34:04+01:00
LOGS: added missing new line

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 97c05c4e3cf5f6af6bf080ceb70bff772db556db)

- - - - -
4d01e11d by Justin Stephenson at 2023-12-12T11:36:13+01:00
passkey: Skip processing non-passkey mapping data

In the AD case, the user altSecurityIdentities attribute can
store passkey, smartcard, or ssh public key mapping data. Check
to ensure we are handling passkey data before continuing in
PAM passkey processing.

:relnote: Fixes a crash when PAM passkey processing incorrectly
handles non-passkey data.

Resolves: https://github.com/SSSD/sssd/issues/7061

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 6ed1eff44f8cad2e1c1d07cd4d3731b3d143dd9b)

- - - - -
1cffe5bc by Jakub Vavra at 2023-12-12T15:37:13+01:00
Tests: Fix tokengroups tests.

Reviewed-by: Anuj Borah <aborah at redhat.com>
(cherry picked from commit ff8f248b0a773d3d6ef1091543fa8c4342ddd410)

- - - - -
9f406d42 by Jakub Vavra at 2023-12-15T07:49:45+01:00
Tests: Retry realm join as it is flaky on multiarch setups

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit df1b74546f95ab4adb4c69a5d3e23daba1d961b3)

- - - - -
cbd479d7 by Jakub Vavra at 2023-12-15T14:58:44+01:00
Tests: Change path to keytabs to reflect whole domain in them

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit a5270f898c6d22141033b9d9e735c09d65a0a83f)

- - - - -
0ae92383 by Jakub Vavra at 2023-12-20T06:53:28+01:00
Tests: Add importance and ticket to multihost

Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 5fb0a9ddcacd85525a1a96e0611198e239f8f895)

- - - - -
854edfb0 by Jakub Vavra at 2023-12-20T13:17:33+01:00
Tests: Revert change of return type of realm_join

It looks like realm join return value was parsed in one place so I
am reverting the mishap change of the return type.

Reviewed-by: Anuj Borah <aborah at redhat.com>
Reviewed-by: Shridhar Gadekar <sgadekar at redhat.com>
(cherry picked from commit b66035f3d60eea4289206d0b30c3058d18149cb4)

- - - - -
033f3db0 by Andre Boscatto at 2023-12-20T16:50:47+01:00
man: fix wrong product name

Resolves: https://github.com/SSSD/sssd/issues/7094

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 9abcaf90580346ee15ea9f08ec40ce0f5a805cd4)

- - - - -
02c18320 by Justin Stephenson at 2023-12-20T16:52:07+01:00
Passkey: Fix coverity memory overrun error

Fix for:

  CID 336599:  Memory - corruptions  (OVERRUN)
  Overrunning dynamic array "result_creds" by passing it to a
  function that accesses it at byte "creds_len".

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 1d33bde42aa747e18c4ab8f202ec1053fd9ab6a0)

- - - - -
f5e3bb39 by Justin Stephenson at 2023-12-20T16:52:07+01:00
Passkey: Fix coverity RESOURCE_LEAK

Fix for:

  CID 470374:  Resource leaks  (RESOURCE_LEAK)
  Variable "prompt_reply" going out of scope leaks the storage
  it points to.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit a134074c2ecea50d6ccee80e969b436887c5ef68)

- - - - -
51f90318 by Justin Stephenson at 2023-12-20T16:52:07+01:00
Passkey: Fix valgrind error and missing free

==367086== Conditional jump or move depends on uninitialised value(s)
==367086==    at 0x12BF1A31: string_get (load.c:894)
==367086==    by 0x12BF291D: stream_get.part.0 (load.c:158)
==367086==    by 0x12BF3182: UnknownInlinedFun (load.c:154)
==367086==    by 0x12BF3182: UnknownInlinedFun (load.c:227)
==367086==    by 0x12BF3182: lex_scan.isra.0 (load.c:573)
==367086==    by 0x12BF7F6A: parse_json (load.c:868)
==367086==    by 0x12BF80C8: json_loads (load.c:920)
==367086==    by 0x12BDDFD9: sss_passkey_message_from_reply_json (passkey_utils.c:544)
==367086==    by 0x12BDCA76: sss_passkeycl_process (passkey_clpreauth.c:321)
==367086==    by 0x4906215: UnknownInlinedFun (preauth2.c:352)
==367086==    by 0x4906215: UnknownInlinedFun (preauth2.c:679)
==367086==    by 0x4906215: k5_preauth (preauth2.c:1018)
==367086==    by 0x48F9489: UnknownInlinedFun (get_in_tkt.c:1351)
==367086==    by 0x48F9489: UnknownInlinedFun (get_in_tkt.c:1912)
==367086==    by 0x48F9489: krb5_init_creds_step (get_in_tkt.c:1868)
==367086==    by 0x48FA43A: k5_init_creds_get (get_in_tkt.c:564)
==367086==    by 0x48FB3EB: k5_get_init_creds (get_in_tkt.c:1978)
==367086==    by 0x48FB817: krb5_get_init_creds_password (gic_pwd.c:210)

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 22d35690b6379a59b1bdfc5c20812b792e76af02)

- - - - -
160738ee by Alexey Tikhonov at 2023-12-21T13:51:27+01:00
SSS_CLIENT: MC: in case mem-cache file validation fails,

don't return anything but EINVAL, because `_nss_sss_*()` functions
can have a special handling for other error codes (for ERANGE in
particular).

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 958a5e25c447dc502e8f8fbecf3253e62f92b0b2)

- - - - -
a186224d by Alexey Tikhonov at 2023-12-21T13:51:27+01:00
SSS_CLIENT: check if mem-cache fd was hijacked

Real life example would be:
https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369
 - TigerVNC unconditionally overwrites fd=3

Resolves: https://github.com/SSSD/sssd/issues/6986

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 0344c41aca0d6fcaa33e081ed77297607e48ced4)

- - - - -
abb146e1 by Alexey Tikhonov at 2023-12-21T13:51:27+01:00
SSS_CLIENT: check if responder socket was hijacked

Real life example would be:
https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369
 - TigerVNC unconditionally overwrites fd=3

Reviewed-by: Alejandro López <allopez at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 2bcfb7f9238c27025e99e6445e9ba799e0bde7b8)

- - - - -
8bf25b6c by Pavel Březina at 2023-12-21T13:51:53+01:00
scripts: sign tarball with sssd project key

... also switch to gpg2.

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit 2e75d735e963dc1f5399648a804c9ccc89721261)

- - - - -
5c224730 by Pavel Březina at 2023-12-21T13:51:53+01:00
scripts: create checksum file for release tarball

Reviewed-by: Alexey Tikhonov <atikhono at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit c7a6e62d1a8f0c3a9424ad01555b24c0f67b4251)

- - - - -
46f4161e by Alejandro López at 2023-12-27T10:29:24+01:00
KCM: Fix a memory "leak"

When an operation is processed, a buffer is allocated for the reply
and its parent is the client context (struct cli_ctx). This buffer
is not explicitly freed but it is released when the client context is
freed. With each operation a new buffer is allocated and the
previous one gets "lost."

This is not an actual leak because the lost buffers are released by
talloc once the client context is freed, when the connection is closed.
But on long-lived connections this can consume a large amount of memory
before the connection is closed.

To solve this, the request context (struct kcm_req_ctx) is the new
parent of the buffer. The request is freed as soon as the operation is
completed and no buffer gets lost.

Resolves: https://github.com/SSSD/sssd/issues/7072

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit cbae6855320b53f3f2bdc0e11c5a9c8eb84daf87)

- - - - -
8a78c75a by Patrik Rosecky at 2023-12-27T10:31:17+01:00
Tests: multihost/test_sssctl_analyzer.py converted to system/test_sssctl_analyze.py

Reviewed-by: Jakub Vávra <jvavra at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
(cherry picked from commit 543eda1953652494c594ce1f4bf1ed0ca6ac1b42)

- - - - -
5a2256cb by Jakub Vavra at 2024-01-05T14:27:30+01:00
Tests: Add a plugin for a per-test logging

Add a pytest plugin to remove / duplicate test log from console
and put it into stand-alone per-test log files.

Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 9d6caaed3a804978186338c896ce120aa258fffd)

- - - - -
852b9e0c by Patrik Rosecky at 2024-01-05T14:43:25+01:00
Tests: alltests/test_config_validation converted

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit d3a2bd0870e2267ebaaf32dab03ab5707be6483c)

- - - - -
bd9cf6f4 by Patrik Rosecky at 2024-01-05T14:47:43+01:00
Tests: alltests/test_offline.py converted

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
(cherry picked from commit ea7de588dcf1272dd7284925333b08829adae806)

- - - - -
80d5a34f by Madhuri Upadhye at 2024-01-08T12:13:20+01:00
Tests: Add passkey test cases for following scenario

Test cases are as follows:
7.  Check offline authentication of a user with LDAP, IPA, AD and Samba
8.  Fetch user from cache for LDAP, IPA, AD and Samba server
9.  Check authentication of user when multiple keys added for same user with
    LDAP, IPA, AD and Samba server.
10. Check authentication of user when same key added for multiple users with
    LDAP, IPA, AD and Samba server.

Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>

Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Scott Poore <spoore at redhat.com>
(cherry picked from commit 173f31148c1d3d0493ad620521414ab076d0623c)

- - - - -
a3393156 by Tomas Halman at 2024-01-08T14:20:27+01:00
Handle child-domain group membership

In AD, a user from a domain can be a member of a group that is
from a child of the domain.

The old code did not account for this and created a cache object
with incorrect DNs when ldap_use_tokengroups is set to False.

This patch looks up the correct domain before saving
group and membership attributes.

Resolves: https://github.com/SSSD/sssd/issues/7084

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 830a2e3d6abf337448f60541da66260d381fbe32)

- - - - -
98d8bedd by Alexey Tikhonov at 2024-01-09T17:10:24+01:00
DEBUG: added missing new line

Reviewed-by: Andre Boscatto <aboscatt at redhat.com>
(cherry picked from commit 4cdb41751c95cd88b8398fe4f86e025c4c507970)

- - - - -
936b8281 by Sumit Bose at 2024-01-09T17:13:50+01:00
LDAP: make groups_by_user_send/recv public

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 9b73614c49aeb3cfc3208dba5f472354086180b5)

- - - - -
09dcc73e by Sumit Bose at 2024-01-09T17:13:50+01:00
ad: gpo evaluate host groups

With this patch the group-memberships of the client running SSSD are
included in the evaluation of the security filtering. Similar as in AD
the host object is more or less handled as a user object which allows
to skip some code dedicated to computers only.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit c02e09afe9610d872121708893db8a21fb201b12)

- - - - -
dda0f2e0 by Sumit Bose at 2024-01-09T17:13:50+01:00
sysdb: remove sysdb_computer.[ch]

The related calls are not needed anymore.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit ff23e7e2879f94a907d05b615dbdb547aaa2e542)

- - - - -
f5ce7c1d by Sumit Bose at 2024-01-09T17:13:50+01:00
sdap: add set_non_posix parameter

This patch adds a new parameter set_non_posix to the user and group
lookup calls. Currently the domain type is used to determine if the
search should be restricted to POSIX objects or not. The new option
allows to drop this restriction explicitly to look up non-POSIX objects.

Resolves: https://github.com/SSSD/sssd/issues/5708

Reviewed-by: Justin Stephenson <jstephen at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit 5f63d9bfc71b271844db1ee122172630be1afed0)

- - - - -
05de56d0 by Tomas Halman at 2024-01-10T09:38:11+01:00
GPO evaluation of primary group

When we are evaluating GPO the SID of user's primary
group is not returned in the list. This patch converts
the value of origPrimaryGroupGidNumber attribute back to
SID and that SID is added to the list of SIDs before
evaluating the GPO rules.

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Sumit Bose <sbose at redhat.com>
(cherry picked from commit ecb0c6370dbab8fdcb3cdfa3495a38319c8e5266)

- - - - -
cb64d47b by Dan Lavu at 2024-01-12T07:07:09+01:00
tests: updating poor assertion in dyndns

Reviewed-by: Dan Lavu <dlavu at redhat.com>
(cherry picked from commit 90eca38eca804b89bf76fec443f9a2f2ac420695)

- - - - -
c054fc00 by aborah at 2024-01-12T12:07:53+01:00
Tests: Fix ipa test for gating.

Error: remote username contains invalid characters

Reviewed-by: Madhuri Upadhye <mupadhye at redhat.com>
(cherry picked from commit 23087669ef9826fbba9e3e6b379f2b0bb86c9820)

- - - - -
1c5a11fc by Dan Lavu at 2024-01-12T12:08:23+01:00
tests: adding background refresh tests to the new framework

Reviewed-by: Dan Lavu <dlavu at redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa at redhat.com>
Reviewed-by: Tomáš Halman <thalman at redhat.com>
(cherry picked from commit c6d216fb74108d798f9ef5b804c87b3654ab1c30)

- - - - -
eecd4183 by Pavel Březina at 2024-01-12T13:05:07+01:00
pot: update pot files

- - - - -
02d3f214 by Pavel Březina at 2024-01-12T13:05:40+01:00
Release sssd-2.9.4

- - - - -


30 changed files:

- .github/workflows/ci.yml
- Makefile.am
- contrib/ci/configure.sh
- contrib/ci/deps.sh
- contrib/ci/distro.sh
- contrib/ci/sssd.supp
- contrib/sssd.spec.in
- po/bg.po
- po/ca.po
- po/cs.po
- po/de.po
- po/es.po
- po/eu.po
- po/fi.po
- po/fr.po
- po/hu.po
- po/id.po
- po/it.po
- po/ja.po
- po/ka.po
- po/ko.po
- po/nb.po
- po/nl.po
- po/pl.po
- po/pt.po
- po/pt_BR.po
- po/ru.po
- po/sssd.pot
- po/sv.po
- po/tg.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/ee2e0cd9bce728c1cd4d53dcd6ce0ed9f962847c...02d3f214ba5e95e228427594bfef4366fb38a635
