TESTS: Only use __wrap_sss_ncache_reset_repopulate_permanent to finish test if needed (sssd-1-16 only) #780
Commits on Sep 11, 2018
SELINUX: Always add SELinux user to the semanage database if it doesn't exist
Previously, we tried to optimize too much and only set the SELinux user to Linux user mapping in case the SELinux user was different from the system default. But this doesn't work for the case where the Linux user has a non-standard home directory, because then SELinux would not have any idea that this user's home directory should be labeled as a home directory. This patch relaxes the optimization in the sense that on the first login, the SELinux context is saved regardless of whether it is the same as the default or different. Resolves: https://pagure.io/SSSD/sssd/issue/3819 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 945865a)
Commit e7e942c
Commits on Sep 19, 2018
intg: flush the SSSD caches to sync with files
To make sure that SSSD has synced with the latest data added to the passwd file sss_cache is called in two places where the current sync scheme was not reliable. This was mainly observed when running the integration tests on Debian. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 1e23988)
Commit 3dc8853
sudo: respect case sensitivity in sudo responder
If the domain is not case sensitive and the case of the original user or group name differs from the name in the rule we failed to find the rule. Now we filter the rule only with lower cased values in such domain.
Steps to reproduce:
1. Add user/group with upper case, e.g. USER-1
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
3. Login to system with lower case, e.g. user-1
4. Run sudo -l
Without the patch, rule is not found.
Resolves: https://pagure.io/SSSD/sssd/issue/3820 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit d7f0b58)
Commit 2d92861
Commits on Oct 3, 2018
pep8: Ignore W504 and W605 to silence warnings on Debian
This code:
    pkcs11_txt.write("library=libsoftokn3.so\nname=soft\n" +
                     "parameters=configdir='sql:" + config.ABS_BUILDDIR +
                     "/../test_CA/p11_nssdb' " +
                     "dbSlotDescription='SSSD Test Slot' " +
                     "dbTokenDescription='SSSD Test Token' " +
                     "secmod='secmod.db' flags=readOnly)\n\n")
    pkcs11_txt.close()
Was producing warnings such as:
    ./src/tests/intg/test_pam_responder.py:143:22: W504 line break after binary operator
Even though it looks OK visually and conforms to pep8's written form.
Additionally, this regular expression compilation:
    Template = re.compile(
        ' *<template name="(\S+)">(.*?)</template>\r?\n?',
        re.MULTILINE | re.DOTALL
    )
Was producing a warning such as:
    ./src/sbus/codegen/sbus_Template.py:156:29: W605 invalid escape sequence '\S'
Since the \S literal is part of a regular expression, let's suppress this warning as well.
Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit ec76659)
Commit bca1935
Commits on Nov 22, 2018
nss: use enumeration context as talloc parent for cache req result
Otherwise we end up with memory leak since the result is never freed. We need to convert nctx->*ent structures into talloc pointer so we can use enum_ctx as parent. Resolves: https://pagure.io/SSSD/sssd/issue/3870 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 406b731)
Commit 720a423
Commits on Nov 26, 2018
LDAP: minor refactoring in auth_send() to conform to our coding style
Related: https://pagure.io/SSSD/sssd/issue/3451 A tevent _send() function should only return NULL on ENOMEM, otherwise it should mark the request as failed but return the req pointer. This was not much of an issue, before, but the next patch will add another function call to the auth_send call which would make error handling awkward. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 09091b4)
Commit 876f1cb
LDAP: Only authenticate the auth connection if we need to look up user information
Related: https://pagure.io/SSSD/sssd/issue/3451 Commit add7286 initially addressed SSSD#3451 by using the full sdap_cli_connect() request during LDAP authentication. This was a good idea as it addressed the case where the authentication connection must also look up some user information (typically with id_provider=proxy where you don't know the DN to bind as during authentication), but this approach also broke the use-case of id_provider=ldap and auth_provider=ldap with ldap_sasl_auth=gssapi. This is because (for reason I don't know) AD doesn't like if you use both GSSAPI and startTLS on the same connection. But the code would force TLS during the authentication as a general measure to not transmit passwords in the clear, but then, the connection would also see that ldap_sasl_auth=gssapi is set and also bind with GSSAPI. This patch checks if the user DN is already known and if yes, then doesn't authenticate the connection as the connection will then only be used for the user simple bind. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 57fc60c)
Commit 7eb18ab
LDAP: Log the encryption used during LDAP authentication
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 6f113c7)
Commit 1a7c6ab
UTIL: Fix compilation with curl 7.62.0
The macro CURLE_SSL_CACERT is deprecated in upstream curl since commit 3f3b26d6feb0667714902e836af608094235fca2.
    commit 3f3b26d6feb0667714902e836af608094235fca2
    Author: Han Han <hhan@thousandeyes.com>
    Date: Wed Aug 22 11:13:32 2018 -0700
        ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
        Long live CURLE_PEER_FAILED_VERIFICATION
    sh$ git tag --contains 3f3b26d6feb0667714902e836af608094235fca2
    curl-7_62_0
It was not removed. It is just an alias to CURLE_PEER_FAILED_VERIFICATION which causes compile time failures in switch/case.
    ./src/util/tev_curl.c: In function 'curl_code2errno':
    ./src/util/tev_curl.c:113:5: error: duplicate case value
         case CURLE_PEER_FAILED_VERIFICATION:
         ^~~~
    ./src/util/tev_curl.c:100:5: note: previously used here
         case CURLE_SSL_CACERT:
         ^~~~
Merges: https://pagure.io/SSSD/sssd/pull-request/3878 Resolves: https://pagure.io/SSSD/sssd/issue/3875 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 1ee12b0)
Commit 4d3841c
test_pac_responder: Skip test if pac responder is not installed
Merges: https://pagure.io/SSSD/sssd/pull-request/3881 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 4f824ec)
Commit e80e869
INTG: Show extra test summary info with pytest
It will show reasons why tests were skipped. e.g.
    ====================== test session starts ========================
    platform linux -- Python 3.7.1, pytest-3.9.3, py-1.5.4, pluggy-0.7.1 -- /usr/bin/python3
    cachedir: .pytest_cache
    rootdir: /dev/shm/sssd/src/tests/intg, inifile:
    collected 286 items / 285 deselected
    test_pac_responder.py::test_multithreaded_pac_client SKIPPED [100%]
    ==================== short test summary info ======================
    SKIP [1] test_pac_responder.py:108: No PAC responder, skipping
Merges: https://pagure.io/SSSD/sssd/pull-request/3881 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit fdbe67a)
Commit de7f877
CI: Modify suppression file for c-ares-1.15.0
Valgrind does not generate full stack trace for errors. It is just limited amount of frames. Therefore we cannot see main function with the new c-ares.
The suppression file generated with c-ares-1.14.0
    {
       <insert_a_suppression_name_here>
       Memcheck:Leak
       match-leak-kinds: possible
       fun:malloc
       fun:strdup
       fun:ares_init_options
       fun:recreate_ares_channel
       fun:resolv_init
       fun:be_res_init
       fun:be_res_init
       fun:be_init_failover
       fun:test_ipa_server_create_trusts_setup
       obj:/usr/lib64/libcmocka.so.0.5.1
       fun:_cmocka_run_group_tests
       fun:main
    }
The suppression file generated with c-ares-1.15.0
    {
       <insert_a_suppression_name_here>
       Memcheck:Leak
       match-leak-kinds: possible
       fun:malloc
       fun:strdup
       obj:/usr/lib64/libcares.so.2.3.0
       obj:/usr/lib64/libcares.so.2.3.0
       fun:ares_init_options
       fun:recreate_ares_channel
       fun:resolv_init
       fun:be_res_init
       fun:be_res_init
       fun:be_init_failover
       fun:test_ipa_server_create_trusts_setup
       obj:/usr/lib64/libcmocka.so.0.5.1
       fun:_cmocka_run_group_tests
    }
Merges: https://pagure.io/SSSD/sssd/pull-request/3884 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit f02714d)
Commit 517fe07
BUILD: Accept krb5 1.17 for building the PAC plugin
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 53e6fdf)
Commit 9e85879
tests: fix mocking krb5_creds in test_copy_ccache
To just test some ccache related functionality without talking to an actual KDC to get the tickets some needed libkrb5 structs were mocked based on tests from the MIT Kerberos source code. One struct member (is_skey) was so far not regarded by libkrb5 for our test case. But a recent fix for http://krbdev.mit.edu/rt/Ticket/Display.html?id=8718 changed this and we have to change the mocking. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 08bba3a)
Commit d1c9308
tests: increase p11_child_timeout
With recent version of valgrind some tests failed during a CI run with a timeout. To avoid this the related p11_child_timeout is increased for the affected tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 1617f3e)
Commit 19e6c50
Commits on Dec 11, 2018
Revert "IPA: use forest name when looking up the Global Catalog"
Commit d33ec64
ipa: use only the global catalog service of the forest root
While creating the domains and sub-domains each domain gets a global catalog service assigned but only one should be used because the global catalog is by definition responsible for the whole forest so it does not make sense to use a global catalog service for each domain and in the worst case connect to the same GC multiple times. In the AD provider this is simple because the GC service of the configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA case all domains from the trusted forest are on the level of sub-domains so we have to pick one. Since the forest root is linked from all domains of the same forest it will be the most straightforward choice. Related to https://pagure.io/SSSD/sssd/issue/3902 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 62d671b)
Commit 74568bd
nss: sssd returns '/' for empty home directories
For empty home directory in passwd file sssd returns "/". Sssd should respect system behaviour and return the same as nsswitch "files" module - return empty string. Resolves: https://pagure.io/SSSD/sssd/issue/3901 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 90f3239)
Commit 2879252
Commits on Jan 29, 2019
sss_cache: Do not fail for missing domains
The conf.db needn't exist (sssd has never been started) and in such situation sss_cache failed when trying to invalidate all entries. There is nothing to invalidate and therefore we are already in state which we want to achieve with calling sss_cache. No reason to fail. Resolves: https://pagure.io/SSSD/sssd/issue/3919 Merges: https://pagure.io/SSSD/sssd/pull-request/3926 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 88c0c3f)
Commit 8e6c52f
intg: Add test for sss_cache & shadow-utils use-case
Related to: https://pagure.io/SSSD/sssd/issue/3919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 325df4a)
Commit 0a27a47
sss_cache: Do not fail if nothing was cached
It might happen that we have some domains in conf.db but nothing has been cached yet. sss_cache failed in such situation,
    bash-4.4# sss_cache -E
    No cache object matched the specified search
    bash-4.4# echo $?
    2
Because there is nothing to invalidate and so we are already in state which we want to achieve with calling sss_cache. There is no reason to fail.
We will still fail for invalidating particular entry. User might have a typo in the name and should be informed about possible mistake.
    bash-4.4# sss_cache -u test_user
    No cache object matched the specified search
    bash-4.4# echo $?
    2
Resolves: https://pagure.io/SSSD/sssd/issue/3919 Merges: https://pagure.io/SSSD/sssd/pull-request/3926 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 71475f1)
Commit 498aaac
test_sss_cache: Add test case for invalidating missing entries
Related to: https://pagure.io/SSSD/sssd/issue/3919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 4150946)
Commit 7983826
pyhbac-test: Do not use assertEquals
    src/tests/pyhbac-test.py:163: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(el.__repr__(), u'<category 0 names [] groups []>')
    src/tests/pyhbac-test.py:169: DeprecationWarning: Please use assertEqual instead.
      u'<category 1 names [foo] groups [bar, baz]>')
Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 9b06c75)
Commit 088eb54
SSSDConfigTest: Do not use assertEquals
    src/config/SSSDConfigTest.py:88: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(new_options['debug_level'][0], int)
    src/config/SSSDConfigTest.py:91: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(new_options['command'][0], str)
    src/config/SSSDConfigTest.py:94: DeprecationWarning: Please use assertEqual instead.
      self.assertEquals(new_options['reconnection_retries'][0], int)
+ many more
Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit c4db34c)
Commit b27ab9e
SSSDConfig: Fix ResourceWarning unclosed file
    /usr/lib64/python3.7/unittest/case.py:763: ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/sssd-invalid.conf' mode='r' encoding='UTF-8'>
      context = None
    ResourceWarning: Enable tracemalloc to get the object allocation traceback
    /usr/lib64/python3.7/unittest/case.py:763: ResourceWarning: unclosed file <_io.TextIOWrapper name='src/config/testconfigs/noparse.api.conf' mode='r' encoding='UTF-8'>
      context = None
    ResourceWarning: Enable tracemalloc to get the object allocation traceback
Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 769dc24)
Commit 07d7eea
SSSDConfigTest: Remove usage of failUnless
    src/config/SSSDConfigTest.py:1855: DeprecationWarning: Please use assertTrue instead.
      self.failUnless(domain.get_name() in sssdconfig.list_domains())
    src/config/SSSDConfigTest.py:1856: DeprecationWarning: Please use assertTrue instead.
      self.failUnless(domain.get_name() in sssdconfig.list_inactive_domains())
    src/config/SSSDConfigTest.py:1585: DeprecationWarning: Please use assertTrue instead.
      self.failUnless(service.get_name() in sssdconfig.list_services())
Merges: https://pagure.io/SSSD/sssd/pull-request/3927 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 21bba05)
Commit 3c0213f
BUILD: Fix condition for building sssd-kcm man page
Merges: https://pagure.io/SSSD/sssd/pull-request/3928 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 39b3b0e)
Commit 8f0a2ac
NSS: Do not use deprecated header files
    In file included from src/util/cert/nss/cert.c:26:
    /usr/include/nss3/key.h:9:9: note: #pragma message: key.h is deprecated. Please include keyhi.h instead.
     #pragma message("key.h is deprecated. Please include keyhi.h instead.")
             ^~~~~~~
Merges: https://pagure.io/SSSD/sssd/pull-request/3930 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit afd23bd)
Commit 9e6a224
Commits on Feb 5, 2019
sss_cache: Fail if unknown domain is passed in parameter
If sss_cache is called with --domain parameter we should fail in case of unknown domain. It might be a typo and user should know about such case. Resolves: https://pagure.io/SSSD/sssd/issue/3919 Merges: https://pagure.io/SSSD/sssd/pull-request/3940 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 2de3c5f)
Commit 6c80847
test_sss_cache: Add test case for wrong domain in parameter
Related to: https://pagure.io/SSSD/sssd/issue/3919 Merges: https://pagure.io/SSSD/sssd/pull-request/3940 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 159a231)
Commit 3ec716b
Commits on Feb 6, 2019
Fix error in hostname retrieval
Fix off-by-one error in gethostname() param Resolves: https://pagure.io/SSSD/sssd/issue/3865 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 1706258)
Commit d6ed04f
Commits on Feb 10, 2019
lib/cifs_idmap_sss: fixed unaligned mem access
Fixed following warning:
```
lib/cifs_idmap_sss/cifs_idmap_sss.c: In function ‘sss_sid_to_id’:
lib/cifs_idmap_sss/cifs_idmap_sss.c:221:47: warning: taking address of packed member of ‘struct cifs_uxid’ may result in an unaligned pointer value [-Waddress-of-packed-member]
    err = sss_nss_getidbysid(sid, (uint32_t *)&cuxid->id.uid, &id_type);
```
Actually there are two issues:
1) Packed `cifs_uxid::id.uid` may be unaligned thus generating run time error on some architectures (as compiler complains);
2) In theory size of `uid_t` may be different than size of `uint32_t` thus resulting in corruption of `cifs_uxid` content.
Proposed patch is not ideal due to `(uid_t)uid` cast but solves most of issues with minimal effort. Proper solution would require patching of `sss_nss_getidbysid()` and all underlying functions for no good reason.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 12f74f8)
Commit acce032
Commits on Feb 16, 2019
The calculation of the size of an array is used in the main code as well, so it makes sense to move N_ELEMENTS to a common header to use it more often. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e32920a)
Commit 0a27fba
ad: replace ARRAY_SIZE with N_ELEMENTS
ARRAY_SIZE is taken from the Samba header file memory.h which is not available as a public header in newer Samba versions anymore. This patch replaces it with an internal macro. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e1ff063)
Commit 911d7bb
ssh: sssd_ssh fails completely on p11_child timeout
When p11_child fails or timeout is reached, ssh login fails. With this patch sssd_ssh proceeds to ssh key and password login. Resolves: https://pagure.io/SSSD/sssd/issue/3937 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit e1755a0)
Commit 31637fd
ssh: p11_child error message is too generic
We have only one error code for p11_child error. With this patch new error ERR_P11_CHILD_TIMEOUT is introduced. It is then used for better log message. Resolves: https://pagure.io/SSSD/sssd/issue/3937 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 52c8336)
Commit 340de23
Added note about default value of ad_gpo_map_batch parameter
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 938dd6c)
Commit db06ec5
Commits on Feb 20, 2019
CONFIG: add missing ldap attributes for validation
https://pagure.io/SSSD/sssd/issue/3961 This patch adds missing 'ldap_host_*' attributes for config validation. Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> (cherry picked from commit 85e3630)
Commit 5e70cf5
Commits on Feb 22, 2019
GPO: Add gpo_implicit_deny option
This option (when set to True) can be used to deny access to users even if there is no applicable GPO. Normally users are allowed access in this situation. Resolves: https://pagure.io/SSSD/sssd/issue/3701 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3bd67c7)
Commit c96a382
Commits on Feb 26, 2019
GPO: Allow customization of GPO_CROND per OS
For both Debian and Ubuntu, the cron PAM service is named "cron" instead of "crond", denying the use of the service by default. This patch enables the HAVE_$OS (HAVE_DEBIAN/HAVE_FEDORA...) macros to select the service name during build, allowing further customization if required. Resolves: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit bc65ba9)
Commit 8ba4727
responder: fix domain lookup refresh timeout
Currently the timeout to check for new domains is reset whenever there is a request with an unknown domain name. If those requests happen more than once a minute (the default timeout) the timeout is always reset before it can expire and as a result the domain list is never refreshed. If SSSD starts offline with an empty domain list the NSS responder might never be able to resolve sub-domain users or groups even if the backend has switched to the online state and already refreshed the domain list. Related to https://pagure.io/SSSD/sssd/issue/3967 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit c013643)
Commit 3824008
ldap: add get_ldap_conn_from_sdom_pvt
Related: https://pagure.io/SSSD/sssd/issue/2474 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit eaece8b)
Commit 8ffc64c
ldap: prefer LDAP port during initgroups user lookup
The first step of an initgroups request is to lookup the user. When using the AD provider the Global Catalog will be the preferred source. But not all LDAP attributes of the user might be replicated to the Global Catalog and as a result some of the missing attributes might be removed from the cached user object. Related to https://pagure.io/SSSD/sssd/issue/2474 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit b2352a0)
Commit 0b5a359
ldap: use get_ldap_conn_from_sdom_pvt() where possible
Currently when trying to prefer LDAP port lookups over Global Catalog searches some AD specific structs are needed in the common LDAP provider code. By using get_ldap_conn_from_sdom_pvt() this can be avoided and all AD specific details are handled inside sdap_async_initgroups_ad.c now. Related to https://pagure.io/SSSD/sssd/issue/2474 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3cb9a3d)
Commit f80dad6
krb5_locator: always use port 88 for master KDC
If the kpasswdinfo file exists and the found IP address includes a port number as well the master KDC lookup will use this port number which is most probably wrong. Better use the default port 88 always for master KDC lookups. This patch also updates the man page for the locator plugin which was quite outdated. Related to https://pagure.io/SSSD/sssd/issue/3958 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 05350ab)
Commit 1791eed
NSS: Avoid changing the memory cache ownership away from the sssd user
Resolves: https://pagure.io/SSSD/sssd/issue/3890
In case SSSD is compiled --with-sssd-user but run as root (which is the default on RHEL and derivatives), then the memory cache will be owned by the user that sssd_nss runs as, so root. This conflicts with the packaging which specifies sssd.sssd as the owner. And in turn, this means that users can't reliably assess the package integrity using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that it becomes a member of the supplementary sssd group. Even though in traditional UNIX sense, a process running as root could write to a file owned by sssd:sssd, with SELinux enforcing mode this becomes problematic as SELinux emits an error such as:
    type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the files are also made group-writable. The 'others' permission is still set to read only.
Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 61e4ba5)
Commit 118c44f
test_files_provider: Do not use pytest fixtures as functions
    test_files_provider.py::test_getpwnam_after_start
      src/tests/intg/test_files_provider.py:344: RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information.
      src/tests/intg/test_files_provider.py:362: RemovedInPytest4Warning: Fixture "group_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information.
        return setup_gr_with_list(request, [GROUP1, CANARY_GR])
Resolves: https://pagure.io/SSSD/sssd/issue/3942 Merges: https://pagure.io/SSSD/sssd/pull-request/3953 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 686a8f5)
Commit 2805121
test_ldap: Do not uses pytest fixtures as functions
test_ldap.py::test_local_negative_timeout_enabled_by_default /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827: RemovedInPytest4Warning: Fixture "passwd_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. res = fixturefunc(**kwargs) /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827: RemovedInPytest4Warning: Fixture "group_ops_setup" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. res = fixturefunc(**kwargs) /usr/lib/python3.7/site-packages/_pytest/fixtures.py:827: RemovedInPytest4Warning: Fixture "user_and_group_rfc2307" called directly. Fixtures are not meant to be called directly, are created automatically when test functions request them as parameters. See https://docs.pytest.org/en/latest/fixture.html for more information. Resolves: https://pagure.io/SSSD/sssd/issue/3942 Merges: https://pagure.io/SSSD/sssd/pull-request/3953 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 948cd08)
Commit 0fb6543
Revert "intg: Generate tmp dir with lowercase"
This reverts commit 929bb11.
It is already fixed in upstream. Combination of python-urllib3-1.24 and python-requests-2.19 works well.
Resolves: https://pagure.io/SSSD/sssd/issue/3276
Merges: https://pagure.io/SSSD/sssd/pull-request/3952
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5773463)
Commit 688134e
ent_test: Update assertions for python 3.7.2
pwd and grp modules return different string in KeyError since python 3.7.2
sh-4.4$ python3 --version
Python 3.7.1
sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
KeyError: 'getgrnam(): name not found: non-exist'
sh-4.4$ python3 --version
Python 3.7.2
sh-4.4$ python3 -c 'import grp; grp.getgrnam("non-exist");'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
KeyError: "getgrnam(): name not found: 'non-exist'"
Merges: https://pagure.io/SSSD/sssd/pull-request/3951
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 54d7175)
Commit f441617
Commits on Mar 14, 2019
NEGCACHE: initialize UPN negative cache as well
UPNs are handled separately in the negative cache. To properly filter user names even in the case of the fallback to a UPN lookup the negative cache for UPNs has to be initialized with the names from the filter_user option as well.
If the name from the option is a short name it will be added to the negative UPN cache for each domain with the respective domain name. If the name from the option is fully-qualified it will be added as is to the negative UPN cache for each domain.
Related to https://pagure.io/SSSD/sssd/issue/3978
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2f5aca3)
Commit 6bb46a6
NEGCACHE: fix typo in debug message
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 6b93ee6)
Commit 720907d
NEGCACHE: repopulate negative cache after get_domains
If SSSD starts offline the responders might only know about the configured domain because the sub-domains have not been discovered yet. As a result the permanent negative cache is only populated for the configured domain.
If later the system goes online and the sub-domains are discovered or a new sub-domain was discovered at runtime the permanent negative cache is currently not created for those domains.
This patch repopulates the negative cache for all known domains at the end of the get_domains request.
Related to https://pagure.io/SSSD/sssd/issue/3983
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 640edac)
Commit faede6d
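The behaviour described in the two NEGCACHE commit messages above (initializing the UPN negative cache from filter_users, and repopulating after get_domains), as an added Python model that is not SSSD code and is not part of these commits. The class, function names, the `name@domain` UPN form for short names, the lookup order and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NegCache:
    users: set = field(default_factory=set)  # (domain, short name)
    upns: set = field(default_factory=set)   # (domain, UPN)

def populate(filter_users, domains, with_upn=True):
    """Build the permanent entries for every domain known at call time."""
    nc = NegCache()
    for entry in filter_users:
        name, _, qualifier = entry.partition("@")
        for dom in domains:
            # Assumption: a qualified entry filters the name only in its own domain.
            if not qualifier or qualifier == dom:
                nc.users.add((dom, name))
            if with_upn:
                # Short name -> name@<domain>; fully-qualified name -> added as is.
                nc.upns.add((dom, entry if qualifier else f"{name}@{dom}"))
    return nc

def lookup(nc, directory, dom, text):
    """Name lookup first, then the UPN fallback; each consults its own cache."""
    known = directory.get(dom, {})
    if (dom, text) not in nc.users and text in known.get("names", ()):
        return "name"
    if (dom, text) not in nc.upns and text in known.get("upns", ()):
        return "upn"
    return None

# Constructed sample data: filter_users value and directory contents.
FILTER_USERS = ["root", "admin@corp.test"]
DIRECTORY = {
    "corp.test": {"names": {"root", "alice"},
                  "upns": {"root@corp.test", "alice@corp.test"}},
    "sub.corp.test": {"names": {"root"}, "upns": {"root@sub.corp.test"}},
}

def demo():
    no_upn = populate(FILTER_USERS, ["corp.test"], with_upn=False)
    offline = populate(FILTER_USERS, ["corp.test"])   # sub-domain not discovered yet
    online = populate(FILTER_USERS, list(DIRECTORY))  # repopulated after get_domains
    return {
        "upn_fallback_without_upn_cache": lookup(no_upn, DIRECTORY, "corp.test", "root@corp.test"),
        "upn_fallback_with_upn_cache": lookup(offline, DIRECTORY, "corp.test", "root@corp.test"),
        "unfiltered_upn": lookup(offline, DIRECTORY, "corp.test", "alice@corp.test"),
        "subdomain_before_repopulate": lookup(offline, DIRECTORY, "sub.corp.test", "root"),
        "subdomain_after_repopulate": lookup(online, DIRECTORY, "sub.corp.test", "root"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In the model, a filtered name is answered through the UPN fallback only while the UPN cache is empty, and a filtered name in a late-discovered sub-domain is answered only until the cache is rebuilt for all known domains.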
ci/sssd.supp: fixed c-ares-suppress-leak-from-init
Valgrind suppression pattern was adjusted to prevent fails on some target OS.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Commit 2fb5be4
netgroups: honor cache_refresh_percent
The value of cache refresh percent was not passed to cache_req.
Steps to reproduce:
1. Configure SSSD like so:
```ini
[nss]
entry_cache_nowait_percentage=10
memcache_timeout=0
[domain/mydomain]
entry_cache_timeout = 30
```
2. Run SSSD
3. Fetch netgroup for the first time
4. Wait 15 seconds (midpoint refresh will be triggered from 10-29 seconds interval)
5. Fetch netgroup again, see in logs that midpoint refresh was triggered
Resolves: https://pagure.io/SSSD/sssd/issue/3947
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ce8a607)
Commit 486b552
Commits on Mar 15, 2019
TESTS: Only use __wrap_sss_ncache_reset_repopulate_permanent to finish test if needed
Resolves: https://pagure.io/SSSD/sssd/issue/3986
Commit 7aaa508