TESTS: Only use __wrap_sss_ncache_reset_repopulate_permanent to finish test if needed (sssd-1-16 only) #780

Closed
wants to merge 56 commits into from

Commits on Sep 11, 2018

  1. SELINUX: Always add SELinux user to the semanage database if it doesn't exist
    
    Previously, we tried to optimize too much and only set the SELinux user
    to Linux user mapping in case the SELinux user was different from the
    system default. But this doesn't work for the case where the Linux user
    has a non-standard home directory, because then SELinux would not have
    any idea that this user's home directory should be labeled as a home
    directory.
    
    This patch relaxes the optimization in the sense that on the first
    login, the SELinux context is saved regardless of whether it is the same
    as the default or different.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3819
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit 945865a)
    jhrozek committed Sep 11, 2018
    e7e942c

Commits on Sep 19, 2018

  1. intg: flush the SSSD caches to sync with files

    To make sure that SSSD has synced with the latest data added to the
    passwd file sss_cache is called in two places where the current sync
    scheme was not reliable. This was mainly observed when running the
    integration tests on Debian.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 1e23988)
    sumit-bose authored and jhrozek committed Sep 19, 2018
    3dc8853
  2. sudo: respect case sensitivity in sudo responder

    If the domain is not case sensitive and the case of the original user
    or group name differs from the name in the rule we failed to find the
    rule.
    
    Now we filter the rule only with lower cased values in such domain.
    
    Steps to reproduce:
    1. Add user/group with upper case, e.g. USER-1
    2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
    3. Login to system with lower case, e.g. user-1
    4. Run sudo -l
    
    Without the patch, rule is not found.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3820
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit d7f0b58)
    pbrezina authored and jhrozek committed Sep 19, 2018
    2d92861

Commits on Oct 3, 2018

  1. pep8: Ignore W504 and W605 to silence warnings on Debian

    This code:
        pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
                         "parameters=configdir='sql:" + config.ABS_BUILDDIR +
                         "/../test_CA/p11_nssdb' " +
                         "dbSlotDescription='SSSD Test Slot' " +
                         "dbTokenDescription='SSSD Test Token' " +
                         "secmod='secmod.db' flags=readOnly)\n\n")
        pkcs11_txt.close()
    
    Was producing warnings such as:
    ./src/tests/intg/test_pam_responder.py:143:22: W504 line break after binary operator
    
    Even though it looks OK visually and conforms to pep8's written form.
    
    Additionally, this regular expression compilation:
     Template = re.compile(
                ' *<template name="(\S+)">(.*?)</template>\r?\n?',
                re.MULTILINE | re.DOTALL
            )
    
    Was producing a warning such as:
    ./src/sbus/codegen/sbus_Template.py:156:29: W605 invalid escape sequence '\S'
    
    Since the \S literal is part of a regular expression, let's suppress
    this warning as well.
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit ec76659)
    jhrozek committed Oct 3, 2018
    bca1935

Commits on Nov 22, 2018

  1. nss: use enumeration context as talloc parent for cache req result

    Otherwise we end up with memory leak since the result is never freed.
    
    We need to convert nctx->*ent structures into talloc pointer so
    we can use enum_ctx as parent.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3870
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 406b731)
    pbrezina authored and jhrozek committed Nov 22, 2018
    720a423

Commits on Nov 26, 2018

  1. LDAP: minor refactoring in auth_send() to conform to our coding style

    Related:
    https://pagure.io/SSSD/sssd/issue/3451
    
    A tevent _send() function should only return NULL on ENOMEM, otherwise
    it should mark the request as failed but return the req pointer. This
    was not much of an issue, before, but the next patch will add another
    function call to the auth_send call which would make error handling
    awkward.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 09091b4)
    jhrozek committed Nov 26, 2018
    876f1cb
  2. LDAP: Only authenticate the auth connection if we need to look up user information
    
    Related:
    https://pagure.io/SSSD/sssd/issue/3451
    
    Commit add7286 initially addressed SSSD#3451 by
    using the full sdap_cli_connect() request during LDAP authentication. This
    was a good idea as it addressed the case where the authentication connection
    must also look up some user information (typically with id_provider=proxy
    where you don't know the DN to bind as during authentication), but this
    approach also broke the use-case of id_provider=ldap and auth_provider=ldap
    with ldap_sasl_auth=gssapi.
    
    This is because (for reasons I don't know) AD doesn't like it if you use
    both GSSAPI and startTLS on the same connection. But the code would
    force TLS during the authentication as a general measure to not transmit
    passwords in the clear, but then, the connection would also see that
    ldap_sasl_auth=gssapi is set and also bind with GSSAPI.
    
    This patch checks if the user DN is already known and if yes, then
    doesn't authenticate the connection as the connection will then only be
    used for the user simple bind.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 57fc60c)
    jhrozek committed Nov 26, 2018
    7eb18ab
  3. LDAP: Log the encryption used during LDAP authentication

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 6f113c7)
    sumit-bose authored and jhrozek committed Nov 26, 2018
    1a7c6ab
  4. UTIL: Fix compilation with curl 7.62.0

    The macro CURLE_SSL_CACERT is deprecated in upstream curl
    since commit 3f3b26d6feb0667714902e836af608094235fca2.
    
      commit 3f3b26d6feb0667714902e836af608094235fca2
      Author: Han Han <hhan@thousandeyes.com>
      Date:   Wed Aug 22 11:13:32 2018 -0700
    
          ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
    
          Long live CURLE_PEER_FAILED_VERIFICATION
    
      sh$ git tag --contains 3f3b26d6feb0667714902e836af608094235fca2
      curl-7_62_0
    
    It was not removed. It is just an alias to
    CURLE_PEER_FAILED_VERIFICATION which causes compile time failures in
    switch/case.
    
    ./src/util/tev_curl.c: In function 'curl_code2errno':
    ./src/util/tev_curl.c:113:5: error: duplicate case value
         case CURLE_PEER_FAILED_VERIFICATION:
         ^~~~
    ./src/util/tev_curl.c: 100:5: note: previously used here
         case CURLE_SSL_CACERT:
         ^~~~
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3878
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3875
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 1ee12b0)
    Lukas Slebodnik authored and jhrozek committed Nov 26, 2018
    4d3841c
  5. test_pac_responder: Skip test if pac responder is not installed

    Merges: https://pagure.io/SSSD/sssd/pull-request/3881
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit 4f824ec)
    Lukas Slebodnik authored and jhrozek committed Nov 26, 2018
    e80e869
  6. INTG: Show extra test summary info with pytest

    It will show reasons why tests were skipped.
    e.g.
      ====================== test session starts ========================
      platform linux -- Python 3.7.1, pytest-3.9.3, py-1.5.4,
                        pluggy-0.7.1 -- /usr/bin/python3
      cachedir: .pytest_cache
      rootdir: /dev/shm/sssd/src/tests/intg, inifile:
      collected 286 items / 285 deselected
    
      test_pac_responder.py::test_multithreaded_pac_client SKIPPED [100%]
      ==================== short test summary info ======================
      SKIP [1] test_pac_responder.py:108: No PAC responder, skipping
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3881
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit fdbe67a)
    Lukas Slebodnik authored and jhrozek committed Nov 26, 2018
    de7f877
  7. CI: Modify suppression file for c-ares-1.15.0

    Valgrind does not generate a full stack trace for errors.
    It is just a limited amount of frames. Therefore we cannot see main
    function with the new c-ares.
    
    The suppression file generated with c-ares-1.14.0
    {
       <insert_a_suppression_name_here>
       Memcheck:Leak
       match-leak-kinds: possible
       fun:malloc
       fun:strdup
       fun:ares_init_options
       fun:recreate_ares_channel
       fun:resolv_init
       fun:be_res_init
       fun:be_res_init
       fun:be_init_failover
       fun:test_ipa_server_create_trusts_setup
       obj:/usr/lib64/libcmocka.so.0.5.1
       fun:_cmocka_run_group_tests
       fun:main
    }
    
    The suppression file generated with c-ares-1.15.0
    {
       <insert_a_suppression_name_here>
       Memcheck:Leak
       match-leak-kinds: possible
       fun:malloc
       fun:strdup
       obj:/usr/lib64/libcares.so.2.3.0
       obj:/usr/lib64/libcares.so.2.3.0
       fun:ares_init_options
       fun:recreate_ares_channel
       fun:resolv_init
       fun:be_res_init
       fun:be_res_init
       fun:be_init_failover
       fun:test_ipa_server_create_trusts_setup
       obj:/usr/lib64/libcmocka.so.0.5.1
       fun:_cmocka_run_group_tests
    }
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3884
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit f02714d)
    Lukas Slebodnik authored and jhrozek committed Nov 26, 2018
    517fe07
  8. BUILD: Accept krb5 1.17 for building the PAC plugin

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 53e6fdf)
    sumit-bose authored and jhrozek committed Nov 26, 2018
    9e85879
  9. tests: fix mocking krb5_creds in test_copy_ccache

    To just test some ccache related functionality without talking to an
    actual KDC to get the tickets some needed libkrb5 structs were mocked
    based on tests from the MIT Kerberos source code. One struct member
    (is_skey) was so far not regarded by libkrb5 for our test case. But a
    recent fix for http://krbdev.mit.edu/rt/Ticket/Display.html?id=8718
    changed this and we have to change the mocking.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 08bba3a)
    sumit-bose authored and jhrozek committed Nov 26, 2018
    d1c9308
  10. tests: increase p11_child_timeout

    With a recent version of valgrind some tests failed during a CI run with a
    timeout. To avoid this the related p11_child_timeout is increased for
    the affected tests.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 1617f3e)
    sumit-bose authored and jhrozek committed Nov 26, 2018
    19e6c50

Commits on Dec 11, 2018

  1. Revert "IPA: use forest name when looking up the Global Catalog"

    This reverts commit 149174a.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 9096fc0)
    sumit-bose authored and jhrozek committed Dec 11, 2018
    d33ec64
  2. ipa: use only the global catalog service of the forest root

    While creating the domains and sub-domains each domain gets a global
    catalog service assigned but only one should be used because the global
    catalog is by definition responsible for the whole forest so it does not
    make sense to use a global catalog service for each domain and in the
    worst case connect to the same GC multiple times.
    
    In the AD provider this is simple because the GC service of the
    configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA
    case all domains from the trusted forest are on the level of sub-domains
    so we have to pick one. Since the forest root is linked from all domains
    of the same forest it will be the most straightforward choice.
    
    Related to https://pagure.io/SSSD/sssd/issue/3902
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 62d671b)
    sumit-bose authored and jhrozek committed Dec 11, 2018
    74568bd
  3. nss: sssd returns '/' for empty home directories

    For empty home directory in passwd file sssd returns "/". Sssd
    should respect system behaviour and return the same as nsswitch
    "files" module - return empty string.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3901
    
    Reviewed-by: Simo Sorce <simo@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 90f3239)
    thalman authored and jhrozek committed Dec 11, 2018
    2879252

Commits on Jan 29, 2019

  1. sss_cache: Do not fail for missing domains

    The conf.db needn't exist (sssd has never been started) and in such situation
    sss_cache failed when trying to invalidate all entries.
    
    There is nothing to invalidate and therefore we are already in state
    which we want to achieve with calling sss_cache.
    No reason to fail.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3919
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3926
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 88c0c3f)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    8e6c52f
  2. intg: Add test for sss_cache & shadow-utils use-case

    Related to:
    https://pagure.io/SSSD/sssd/issue/3919
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 325df4a)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    0a27a47
  3. sss_cache: Do not fail if nothing was cached

    It might happen that we have some domains in conf.db but nothing
    has been cached yet. sss_cache failed in such situation,
    
    bash-4.4# sss_cache -E
    No cache object matched the specified search
    bash-4.4# echo $?
    2
    
    Because there is nothing to invalidate and so we are already in state
    which we want to achieve with calling sss_cache.
    There is no reason to fail.
    
    We will still fail for invalidating particular entry. User might have a
    typo in the name and should be informed about possible mistake.
    
    bash-4.4# sss_cache -u test_user
    No cache object matched the specified search
    bash-4.4# echo $?
    2
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3919
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3926
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 71475f1)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    498aaac
  4. test_sss_cache: Add test case for invalidating missing entries

    Related to:
    https://pagure.io/SSSD/sssd/issue/3919
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 4150946)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    7983826
  5. pyhbac-test: Do not use assertEquals

    src/tests/pyhbac-test.py:163: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(el.__repr__(), u'<category 0 names [] groups []>')
    src/tests/pyhbac-test.py:169: DeprecationWarning: Please use assertEqual instead.
      u'<category 1 names [foo] groups [bar, baz]>')
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3927
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 9b06c75)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    088eb54
  6. SSSDConfigTest: Do not use assertEquals

    src/config/SSSDConfigTest.py:88: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(new_options['debug_level'][0], int)
    src/config/SSSDConfigTest.py:91: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(new_options['command'][0], str)
    src/config/SSSDConfigTest.py:94: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(new_options['reconnection_retries'][0], int)
    
    + many more
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3927
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit c4db34c)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    b27ab9e
  7. SSSDConfig: Fix ResourceWarning unclosed file

    /usr/lib64/python3.7/unittest/case.py:763:
        ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/sssd-invalid.conf'
                                        mode='r' encoding='UTF-8'>
      context = None
    ResourceWarning: Enable tracemalloc to get the object allocation traceback
    /usr/lib64/python3.7/unittest/case.py:763:
        ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/noparse.api.conf'
                                        mode='r' encoding='UTF-8'>
      context = None
    ResourceWarning: Enable tracemalloc to get the object allocation traceback
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3927
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 769dc24)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    07d7eea
  8. SSSDConfigTest: Remove usage of failUnless

    src/config/SSSDConfigTest.py:1855: DeprecationWarning: Please use assertTrue instead.
      self.failUnless(domain.get_name() in sssdconfig.list_domains())
    src/config/SSSDConfigTest.py:1856: DeprecationWarning: Please use assertTrue instead.
      self.failUnless(domain.get_name() in sssdconfig.list_inactive_domains())
    src/config/SSSDConfigTest.py:1585: DeprecationWarning: Please use assertTrue instead.
      self.failUnless(service.get_name() in sssdconfig.list_services())
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3927
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 21bba05)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    3c0213f
  9. BUILD: Fix condition for building sssd-kcm man page

    Merges: https://pagure.io/SSSD/sssd/pull-request/3928
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 39b3b0e)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    8f0a2ac
  10. NSS: Do not use deprecated header files

    In file included from src/util/cert/nss/cert.c:26:
    /usr/include/nss3/key.h:9:9: note: #pragma message: key.h is deprecated. Please include keyhi.h instead.
     #pragma message("key.h is deprecated. Please include keyhi.h instead.")
             ^~~~~~~
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3930
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit afd23bd)
    Lukas Slebodnik authored and jhrozek committed Jan 29, 2019
    9e6a224

Commits on Feb 5, 2019

  1. sss_cache: Fail if unknown domain is passed in parameter

    If sss_cache is called with --domain parameter we should fail
    in case of unknown domain. It might be a typo and user should know
    about such case.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3919
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3940
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 2de3c5f)
    Lukas Slebodnik authored and jhrozek committed Feb 5, 2019
    6c80847
  2. test_sss_cache: Add test case for wrong domain in parameter

    Related to:
    https://pagure.io/SSSD/sssd/issue/3919
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3940
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 159a231)
    Lukas Slebodnik authored and jhrozek committed Feb 5, 2019
    3ec716b

Commits on Feb 6, 2019

  1. Fix error in hostname retrieval

    Fix off-by-one error in gethostname() param
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3865
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 1706258)
    alexey-tikhonov authored and jhrozek committed Feb 6, 2019
    d6ed04f

Commits on Feb 10, 2019

  1. lib/cifs_idmap_sss: fixed unaligned mem access

    Fixed following warning:
    ```
    lib/cifs_idmap_sss/cifs_idmap_sss.c: In function ‘sss_sid_to_id’:
    lib/cifs_idmap_sss/cifs_idmap_sss.c:221:47: warning: taking address
    of packed member of ‘struct cifs_uxid’ may result in an unaligned
    pointer value [-Waddress-of-packed-member]
    
    err = sss_nss_getidbysid(sid, (uint32_t *)&cuxid->id.uid, &id_type);
    ```
    
    Actually there are two issues:
    1) Packed `cifs_uxid::id.uid` may be unaligned thus generating run time
    error on some architectures (as compiler complains);
    2) In theory size of `uid_t` may be different than size of `uint32_t`
    thus resulting in corruption of `cifs_uxid` content.
    
    Proposed patch is not ideal due to `(uid_t)uid` cast but solves most
    of issues with minimal effort. Proper solution would require patching of
    `sss_nss_getidbysid()` and all underlying functions for no good reason.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 12f74f8)
    alexey-tikhonov authored and jhrozek committed Feb 10, 2019
    acce032
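
The pattern the commit message above describes (look the id up into an aligned local, then assign it to the packed member) as an added example; it is not code from the SSSD patch. `struct demo_uxid`, `demo_getidbysid()` and `demo_sid_to_uid()` are hypothetical stand-ins, and the SID-to-id mapping is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical packed record, NOT the real struct cifs_uxid layout: the
 * one-byte tag puts the id union at offset 1, so id.uid is misaligned. */
struct demo_uxid {
    uint8_t type;
    union {
        uid_t uid;
        gid_t gid;
    } id;
} __attribute__((packed));

/* Hypothetical stand-in for a lookup such as sss_nss_getidbysid(): the id
 * comes back through a uint32_t out-parameter written with a plain,
 * alignment-assuming store. Constructed mapping: the id is the last
 * dash-separated component of the SID string. */
static int demo_getidbysid(const char *sid, uint32_t *id_out)
{
    const char *p;
    uint32_t v = 0;

    if (sid == NULL || id_out == NULL) return -1;
    p = strrchr(sid, '-');
    if (p == NULL || p[1] == '\0') return -1;
    for (p++; *p != '\0'; p++) {
        uint32_t d;
        if (*p < '0' || *p > '9') return -1;
        d = (uint32_t)(*p - '0');
        if (v > (UINT32_MAX - d) / 10) return -1;   /* would overflow */
        v = v * 10 + d;
    }
    *id_out = v;
    return 0;
}

/* Offset of the id union inside the packed record (1 with this layout). */
size_t demo_id_offset(void)
{
    return offsetof(struct demo_uxid, id);
}

/* The form the compiler warns about would be:
 *     demo_getidbysid(sid, (uint32_t *)&out->id.uid);
 * It hands the callee a pointer that may be misaligned and that points at a
 * uid_t, which is not guaranteed to have the size of uint32_t.
 *
 * Safer form: let the callee write into an aligned local of exactly the
 * type it expects, then assign to the packed member. For a direct member
 * access the compiler knows the field is packed and emits a store that is
 * valid at any alignment. */
int demo_sid_to_uid(const char *sid, struct demo_uxid *out)
{
    uint32_t id = 0;
    int err;

    if (out == NULL) return -1;
    err = demo_getidbysid(sid, &id);
    if (err != 0) return err;

    /* If uid_t were narrower than uint32_t, reject ids that do not fit
     * instead of silently truncating them. */
    if ((uint32_t)(uid_t)id != id) return -1;

    out->type = 1;
    out->id.uid = (uid_t)id;
    return 0;
}

int main(void)
{
    struct demo_uxid rec;

    memset(&rec, 0, sizeof(rec));
    /* Constructed sample SID. */
    if (demo_sid_to_uid("S-1-5-21-1-2-3-1105", &rec) == 0) {
        printf("id offset=%zu uid=%lu\n",
               demo_id_offset(), (unsigned long)rec.id.uid);
    }
    return 0;
}
```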

Commits on Feb 16, 2019

  1. utils: make N_ELEMENTS public

    The calculation of the size of an array is used in the main code as
    well, so it makes sense to move N_ELEMENTS to a common header to use it
    more often.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit e32920a)
    sumit-bose authored and jhrozek committed Feb 16, 2019
    0a27fba
  2. ad: replace ARRAY_SIZE with N_ELEMENTS

    ARRAY_SIZE is taken from the Samba header file memory.h which is not
    available as a public header in newer Samba versions anymore. This patch
    replaces it with an internal macro.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit e1ff063)
    sumit-bose authored and jhrozek committed Feb 16, 2019
    911d7bb
  3. ssh: sssd_ssh fails completely on p11_child timeout

    When p11_child fails or timeout is reached, ssh login fails.
    With this patch sssd_ssh proceeds to ssh key and password login.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3937
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    (cherry picked from commit e1755a0)
    thalman authored and jhrozek committed Feb 16, 2019
    31637fd
  4. ssh: p11_child error message is too generic

    We have only one error code for p11_child error. With this patch
    new error ERR_P11_CHILD_TIMEOUT is introduced. It is then used
    for better log message.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3937
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 52c8336)
    thalman authored and jhrozek committed Feb 16, 2019
    340de23
  5. Added note about default value of ad_gpo_map_batch parameter

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 938dd6c)
    mateusz authored and jhrozek committed Feb 16, 2019
    db06ec5

Commits on Feb 20, 2019

  1. CONFIG: add missing ldap attributes for validation

    https://pagure.io/SSSD/sssd/issue/3961
    
    This patch adds missing 'ldap_host_*' attributes for config validation.
    
    Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
    (cherry picked from commit 85e3630)
    tscherf authored and jhrozek committed Feb 20, 2019
    5e70cf5

Commits on Feb 22, 2019

  1. GPO: Add gpo_implicit_deny option

    This option (when set to True) can be used to deny access to
    users even if there is no applicable GPO. Normally users are
    allowed access in this situation.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3701
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 3bd67c7)
    mzidek-gh authored and jhrozek committed Feb 22, 2019
    c96a382

Commits on Feb 26, 2019

  1. GPO: Allow customization of GPO_CROND per OS

    For both Debian and Ubuntu, the cron PAM service is named "cron" instead
    of "crond", denying the use of the service by default.
    
    This patch enables the HAVE_$OS (HAVE_DEBIAN/HAVE_FEDORA...) macros to select
    the service name during build, allowing further customization if required.
    
    Resolves:
    https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit bc65ba9)
    vtapia authored and jhrozek committed Feb 26, 2019
    8ba4727
  2. responder: fix domain lookup refresh timeout

    Currently the timeout to check for new domains is reset whenever there
    is a request with an unknown domain name. If those requests happen more
    than once a minute (the default timeout) the timeout is always reset
    before it can expire and as a result the domain list is never refreshed.
    
    If SSSD starts offline with an empty domain list the NSS responder might
    never be able to resolve sub-domain users or groups even if the backend
    has switched to the online state and already refreshed the domain list.
    
    Related to https://pagure.io/SSSD/sssd/issue/3967
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit c013643)
    sumit-bose authored and jhrozek committed Feb 26, 2019
    3824008
  3. ldap: add get_ldap_conn_from_sdom_pvt

    Related:
    https://pagure.io/SSSD/sssd/issue/2474
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit eaece8b)
    sumit-bose authored and jhrozek committed Feb 26, 2019
    8ffc64c
  4. ldap: prefer LDAP port during initgroups user lookup

    The first step of an initgroups request is to lookup the user. When
    using the AD provider the Global Catalog will be the preferred source.
    But not all LDAP attributes of the user might be replicated to the
    Global Catalog and as a result some of the missing attributes might be
    removed from the cached user object.
    
    Related to https://pagure.io/SSSD/sssd/issue/2474
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit b2352a0)
    sumit-bose authored and jhrozek committed Feb 26, 2019
    0b5a359
  5. ldap: use get_ldap_conn_from_sdom_pvt() where possible

    Currently when trying to prefer LDAP port lookups over Global Catalog
    searches some AD specific structs are needed in the common LDAP
    provider code. By using get_ldap_conn_from_sdom_pvt() this can be
    avoided and all AD specific details are handled inside
    sdap_async_initgroups_ad.c now.
    
    Related to https://pagure.io/SSSD/sssd/issue/2474
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 3cb9a3d)
    sumit-bose authored and jhrozek committed Feb 26, 2019
    Configuration menu
    Copy the full SHA
    f80dad6 View commit details
    Browse the repository at this point in the history
  6. krb5_locator: always use port 88 for master KDC

    If the kpasswdinfo file exists and the found IP address includes a port
    number as well the master KDC lookup will use this port number which is
    most probably wrong. Better use the default port 88 always for master
    KDC lookups.
    
    This patch also updates the man page for the locator plugin which was
    quite outdated.
    
    Related to https://pagure.io/SSSD/sssd/issue/3958
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 05350ab)
    sumit-bose authored and jhrozek committed Feb 26, 2019
    1791eed
  7. NSS: Avoid changing the memory cache ownership away from the sssd user

    Resolves:
    https://pagure.io/SSSD/sssd/issue/3890
    
    In case SSSD is compiled --with-sssd-user but run as root (which is the
    default on RHEL and derivatives), then the memory cache will be owned by
    the user that sssd_nss runs as, so root.
    
    This conflicts with the packaging which specifies sssd.sssd as the owner. And
    in turn, this means that users can't reliably assess the package integrity
    using rpm -V.
    
    This patch makes sure that the memory cache files are chowned to sssd.sssd
    even if the nss responder runs as root.
    
    Also, this patch changes the sssd_nss responder so that it becomes a member
    of the supplementary sssd group. Even though in traditional UNIX sense,
    a process running as root could write to a file owned by sssd:sssd, with
    SELinux enforcing mode this becomes problematic as SELinux emits an error
    such as:
    
    type=AVC msg=audit(1543524888.125:1495): avc:  denied  { fsetid } for
    pid=7706 comm="sssd_nss" capability=4  scontext=system_u:system_r:sssd_t:s0
    tcontext=system_u:system_r:sssd_t:s0 tclass=capability
    
    To make it possible for the sssd_nss process to write to the files, the
    files are also made group-writable. The 'others' permission is still set
    to read only.
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    (cherry picked from commit 61e4ba5)
    jhrozek committed Feb 26, 2019
    118c44f
  8. test_files_provider: Do not use pytest fixtures as functions

    test_files_provider.py::test_getpwnam_after_start
      src/tests/intg/test_files_provider.py:344: RemovedInPytest4Warning:
        Fixture "passwd_ops_setup" called directly. Fixtures are not meant
        to be called directly, are created automatically when test functions
        request them as parameters.
        See https://docs.pytest.org/en/latest/fixture.html for more information.
    
      src/tests/intg/test_files_provider.py:362: RemovedInPytest4Warning:
        Fixture "group_ops_setup" called directly. Fixtures are not meant
        to be called directly, are created automatically when test functions
        request them as parameters.
        See https://docs.pytest.org/en/latest/fixture.html for more information.
          return setup_gr_with_list(request, [GROUP1, CANARY_GR])
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3942
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3953
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 686a8f5)
    Lukas Slebodnik authored and jhrozek committed Feb 26, 2019
    2805121
  9. test_ldap: Do not use pytest fixtures as functions

    test_ldap.py::test_local_negative_timeout_enabled_by_default
      /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827:
        RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly.
        Fixtures are not meant to be called directly, are created
        automatically when test functions request them as parameters. See
        https://docs.pytest.org/en/latest/fixture.html for more information.
        res = fixturefunc(**kwargs)
      /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827:
        RemovedInPytest4Warning: Fixture "group_ops_setup" called directly.
        Fixtures are not meant to be called directly, are created
        automatically when test functions request them as parameters. See
        https://docs.pytest.org/en/latest/fixture.html for more information.
        res = fixturefunc(**kwargs)
      /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827:
        RemovedInPytest4Warning: Fixture "user_and_group_rfc2307" called directly.
        Fixtures are not meant to be called directly, are created
        automatically when test functions request them as parameters. See
        https://docs.pytest.org/en/latest/fixture.html for more information.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3942
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3953
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 948cd08)
    Lukas Slebodnik authored and jhrozek committed Feb 26, 2019
    0fb6543
  10. Revert "intg: Generate tmp dir with lowercase"

    This reverts commit 929bb11.
    
    It is already fixed in upstream.
    Combination of python-urllib3-1.24 and python-requests-2.19
    works well.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3276
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3952
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 5773463)
    Lukas Slebodnik authored and jhrozek committed Feb 26, 2019
    688134e
  11. ent_test: Update assertions for python 3.7.2

    pwd and grp modules return different string in KeyError
    since python 3.7.2
    
      sh-4.4$ python3 --version
      Python 3.7.1
      sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");'
      Traceback (most recent call last):
        File "<string>", line 1, in <module>
      KeyError: 'getgrnam(): name not found: non-exist'
    
      sh-4.4$ python3 --version
      Python 3.7.2
      sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");'
      Traceback (most recent call last):
        File "<string>", line 1, in <module>
      KeyError: "getgrnam(): name not found: 'non-exist'"
    
    Merges: https://pagure.io/SSSD/sssd/pull-request/3951
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 54d7175)
    Lukas Slebodnik authored and jhrozek committed Feb 26, 2019
    f441617

Commits on Mar 14, 2019

  1. NEGCACHE: initialize UPN negative cache as well

    UPNs are handled separately in the negative cache. To properly filter
    user names even in the case of the fallback to a UPN lookup the negative
    cache for UPNs has to be initialized with the names from the filter_user
    option as well.
    
    If the name from the option is a short name it will be added to the
    negative UPN cache for each domain with the respective domain name. If
    the name from the option is fully-qualified it will be added as is to
    the negative UPN cache for each domain.
    
    Related to https://pagure.io/SSSD/sssd/issue/3978
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 2f5aca3)
    sumit-bose authored and jhrozek committed Mar 14, 2019
    6bb46a6
  2. NEGCACHE: fix typo in debug message

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 6b93ee6)
    sumit-bose authored and jhrozek committed Mar 14, 2019
    720907d
  3. NEGCACHE: repopulate negative cache after get_domains

    If SSSD starts offline the responders might only know about the
    configured domain because the sub-domains have not been discovered yet.
    As a result the permanent negative cache is only populated for the
    configured domain.
    
    If later the system goes online and the sub-domains are discovered or a
    new sub-domain was discovered at runtime the permanent negative cache is
    currently not created for those domains.
    
    This patch repopulates the negative cache for all known domains to the
    end of the get_domains request.
    
    Related to https://pagure.io/SSSD/sssd/issue/3983
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit 640edac)
    sumit-bose authored and jhrozek committed Mar 14, 2019
    faede6d
  4. ci/sssd.supp: fixed c-ares-suppress-leak-from-init

    Valgrind suppression pattern was adjusted to prevent
    fails on some target OS.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    alexey-tikhonov authored and jhrozek committed Mar 14, 2019
    2fb5be4
  5. netgroups: honor cache_refresh_percent

    The value of cache refresh percent was not passed to cache_req.
    
    Steps to reproduce:
    1. Configure SSSD like so:
    ```ini
    [nss]
    entry_cache_nowait_percentage=10
    memcache_timeout=0
    
    [domain/mydomain]
    entry_cache_timeout = 30
    ```
    
    2. Run SSSD
    3. Fetch netgroup for the first time
    4. Wait 15 seconds (midpoint refresh will be triggered from 10-29 seconds interval)
    5. Fetch netgroup again, see in logs that midpoint refresh was triggered
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3947
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit ce8a607)
    pbrezina authored and jhrozek committed Mar 14, 2019
    486b552

Commits on Mar 15, 2019

  1. 7aaa508