sssd/sssd #2

Closed
wants to merge 395 commits into from
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Jul 7, 2016

  1. PAM: Use qualified names internally in the PAM responder

    The name is converted from whatever we receive on input to the internal
    format before processing the data further.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    2b62d5a
  2. SSH: Use a qualified name for user searches in the SSH responder

    The name is converted from whatever we receive on input to the internal
    format before processing the data further.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    8e8dda8
  3. LDAP: Rename DP filter value from name to filter_value

    filter_value is a better name, because we don't look just by name, the
    same variable is used to look up certificates etc.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    9b29f86
  4. LDAP: Use shortname for LDAP queries

    When looking up users or groups by name, we need to use the plain
    username in the filter. The domain is typically signified by the search
    base.
    
    When looking up by UPN, we can keep using the raw value from the DP.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    c4eb215
  5. LDAP: save users with FQDN

    The username we receive from LDAP is short name. Convert it to a
    qualified name before saving the user.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    4bea9a8
  6. LDAP: Convert RFC2307 member attribute values to FQDN-style ghostnames before acting on them
    
    Ghostnames must be qualified as well, same as all other name attributes
    across SSSD. The ghost names are used by the NSS responder during getgr*
    output and the domain name parsed from the name is used in the output.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    5475aa2
  7. SYSDB: Add a utility function to return a list of qualified names

    Adds a utility function the LDAP provider can use. This is different
    from sss_create_internal_fqname_list in the sense that the LDAP provider
    passes in the attribute name that contains the name attribute value.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    3931c66
  8. LDAP: make it clear that sdap_add_incomplete_groups operates on sysdb names
    
    Just provides a more descriptive name of a function parameter.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    c03214d
  9. LDAP: Use fqdns during nested RFC2307 initgroups

    All user and group names are already qualified at this point, so let's
    remove the special case that stored users from trusted domains
    qualified.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    73ead5b
  10. LDAP: Use FQDNs when saving incomplete groups

    Even incomplete groups must be stored using the internal name format
    instead of whatever we receive from LDAP.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    147bb32
  11. LDAP: Delete cache entry if not found by UPN

    Previously, the user account was only looked up by name when the LDAP
    provider didn't match any entry on the server side. This patch removes
    the entry from the cache with the matching function, either by name or
    by UPN.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    5e87a8b
  12. LDAP: The access control filter just needs the plain username

    The LDAP access control code uses shortnames to construct an LDAP
    filter.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    7a9f3fc
  13. LDAP: fix typo

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    d48036e
  14. PROXY: Use fully qualified names internally

    Only use shortnames to interact with the system.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    526d4d5
  15. TOOLS: Make the local domain operate on FQDNs

    Normally we convert the names from short to internal format on input.
    For the local domain tools, we can consider the sss_sync_ops an input
    interface, to avoid having to convert the name in each tool and
    interface separately.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    bd52462
  16. SSS_CACHE: Make internal functions static

    No need to export functions that are only used internally.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    643b480
  17. SSS_CACHE: Don't use sss_get_domain_name, but create the internal fqname instead for users and groups
    
    All users and groups are now stored in the cache using the same format,
    so we can use that one instead of creating a domain-specific name.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    281748a
  18. SSS_SEED: Use FQDN for accessing sysdb

    Same as all other tools.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    6181113
  19. SSS_OVERRIDE: Fixes for fully qualified names

    Use sss_create_internal_fqname for internal cache lookups. Because the
    object's existence is verified using getpw* and getgr*, we keep using
    sss_tc_fqname there, just to feed the NSS interface the expected
    qualified or unqualified name format.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    26c722d
  20. KRB5: Rely on internal fqname when constructing UPNs

    Because internally, we use the same name for all users and groups
    regardless of the domain they belong to, we can parse the username from
    the qualified name in a simpler manner.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    fec23cc
  21. KRB5: Rely on sysdb names for the renewal task

    The domain name is part of the domain name, so we can parse it from
    there instead of relying on DN components.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    5a299e7
  22. KRB5: Use shortname when expanding the user template in Kerberos ccache

    Creating the username part of the ccache file is an output operation, it
    makes sense to use sss_output_name() there which parses the name out of
    the internal qualified name.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    2892ddd
  23. AD: No need to separately qualify subdomain users anymore

    All usernames across SSSD are stored in the same manner, so there's no
    need to create per-domain names anymore.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    d62f7e6
  24. SYSDB: Construct internal fqnames, not NSS names in sysdb_add_group_member_overrides
    
    Because all users and groups are stored the same way in sysdb, we can
    avoid parsing and unparsing the name with NSS functions and instead just
    grab the name from the FQDN in the cache.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    7c083e2
  25. IPA: Use internal fqname format instead of parsing NSS names

    Parsing the extdom plugin output is an "input" operation from the point
    of the IPA provider, so we need to parse the name and conversely,
    internally use only the qualified name.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    c125e74
  26. IPA: expand name in ipa_add_ad_memberships_get_next()

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    e3d447a
  27. IPA: add missing user name to homedir_ctx

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    59032b8
  28. IPA: make get_object_from_cache() aware of UPN searches

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    0ad1bce
  29. IPA: HBAC evaluator consumes shortnames

    SSSD uses an internal format to store user and group names, but the
    libhbac_ipa library uses only short names. Un-qualify the names before
    passing them on to the HBAC evaluator.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    69c49ae
  30. SELINUX: Parse the internal fqname before using it

    libselinux uses getpwnam() to retrieve the user data, therefore we
    qualify the data with sss_output_name() before calling libselinux.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    273c6ed
  31. RESPONDERS: Return the sysdb name from cache_req

    name.name is the input name. Since cache_req is an internal interface,
    we need to return the sysdb name instead.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    d20a56f
  32. IPA: Save sudoUser qualified in the cache

    When converting from the native IPA schema to the sysdb sudo schema,
    qualify sudoUser attributes that contain user and group names.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    64497d4
  33. LDAP: Qualify user and group names when saving the sudo users

    If the sudoUser values we fetch from LDAP correspond to a user or a
    group name per:
        http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html
    then we parse the usernames into (name,domain) tuples and store them
    qualified.
    
    This patch not only makes the sudo provider work with qualified names,
    but also makes it possible to use qualified names on the LDAP side,
    allowing for example AD users from different domains to access sudo
    rules.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    bd769a0
  34. IFP: Amend the InfoPipe responder for fqdns

    Parses the internal sysdb names and puts them on the bus using the
    sss_output_name() helper. Previously, the raw sysdb names were used.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    d0faaf0
  35. TOOLS: sssctl: Work with trusted users

    For users and groups, convert the input name to the qualified format.
    
    Resolves:
        https://fedorahosted.org/sssd/ticket/3059
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    bad11d1
  36. UTIL: Parse internal fqnames in find_domain_by_object_name

    Previously, the sss_parse_name function was used. That function is meant
    to parse SSSD input, mainly in responders, not internal object names.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    1f5f330
  37. UTIL: Remove unused functions

    The conversion to sysdb made several functions obsolete. Remove them.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    3933063
  38. TESTS: Convert the tests to use qualified names for ldb lookups

    The timestamp cache tests look into ldb to check the timestamps. This
    patch converts the lookups to qualified names to make sure the lookups
    actually match.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    bae42db
  39. SYSDB: Remove useless parameter from sysdb_init()

    The function sysdb_init() is never used to allow upgrade, so the
    allow_upgrade parameter was pointless.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    ebbeac5
  40. SYSDB: Allow passing a context to sysdb upgrade functions

    We decide on whether to upgrade or not based on a pointer value, not a
    boolean. This pointer points to a structure that the upgrade invoker
    (typically the monitor) can use to fill auxiliary data the sysdb upgrade
    has no means of instantiating.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    6d66c2c
  41. SYSDB: Fix small issues during db upgrade

    This patch fixes several issues introduced during the recent sysdb
    upgrade:
        1) The upgrade code often accesses sysdb->ldb, but at this point,
        the ldb pointer might not be initialized yet. As a kind of an ugly,
        yet functional workaround, we pass in the ldb pointer that we
        received from the caller as part of the sysdb structure.
    
        2) the version that sysdb_domain_cache_upgrade() returns is not a
        talloc pointer, so the upgrade was crashing when we tried to steal
        it.
    
        3) the ldb pointer sysdb_cache_connect() returns was kept allocated
        on the tmp_ctx. We need to steal it instead.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    ee71456
  42. SYSDB: Remove the timestamps cache on update

    When the cache is upgraded, we want to avoid upgrading the timestamps
    cache, because it was only introduced recently in Beta, so it doesn't
    make sense to write complex code to change the format.
    
    This patch rather removes the cache during upgrade, it will be recreated
    with later lookups anyway.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    3b67fc6
  43. MEMBEROF: Allow bypassing memberof during upgrade

    The next sysdb upgrade will be changing memberUid and memberOf
    attributes as well. To avoid changing the memberof module just because
    of an upgrade, add an environment variable that disables the memberof
    plugin altogether when set.
    
    The variable will be set at the beginning of the upgrade and unset
    later.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    93b9f0b
  44. SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects
    
    Runs a sysdb upgrade that changes objects that represent users, groups,
    sudo rules and overrides to the new schema, which uses the fully
    qualified names.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    8531bd4
  45. SYSDB: qualify_attr: create new attribute only once

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    1ea5a9c
  46. TOOLS: Some tools command might not need initialization to succeed

    Since we want to use the sssctl tool during upgrade, we need to amend
    the tools initialization code to not error out if sysdb can't be
    instantiated, but rather return errno and let the tool handle the error.
    
    Each tool command now has an 'allowed errno' the command is able to
    handle. In this patch iteration, only a single errno can be handled and
    only the upgrade command is able to do so.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    a0b824a
  47. TOOLS: Add the upgrade-cache command

    Allows to upgrade the cache using the sssctl tool, which might be useful
    e.g. in RPM %post scripts.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    552390a
  48. sudo: solve problems with fully qualified names

    sudo expects the same name in sudo rule as login name. Therefore
    if fully qualified name is used or even enforced by setting
    use_fully_qualified_names to true or by forcing default domain
    with default_domain_suffix sssd is able to correctly return the
    rules but sudo can't match the user with content of sudoUser
    attribute since it is not qualified.
    
    This patch changes the rules on the fly to avoid using names at all.
    We do this in two steps:
    1. We fetch all rules that match current user name, id or groups and
       replace sudoUser attribute with sudoUser: #uid.
    2. We fetch complementary rules that contain netgroups since it is
       expected we don't have information about existing netgroups in
       cache, sudo still needs to evaluate it for us if needed.
    
    This patch also removes the test for sysdb_get_sudo_filter since it wasn't
    sufficient anyway and I did not rewrite it since I don't think it
    is a good thing to have filter tests that depend on exact filter
    order.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2919
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and jhrozek committed Jul 7, 2016
    61913b8
  49. SUDO: Add more low-level tracing messages

    Just adds more debugging messages that are handy in seeing what gets
    passed between sudo responder and client.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    573e86d
  50. fix some 'might be used uninitialized' warnings

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    c88b63b
  51. PAM/KRB5: optional otp and password prompting

    Depending on the available Kerberos pre-authentication methods pam_sss
    will prompt the user for a password, 2 authentication factors or both.
    
    Resolves https://fedorahosted.org/sssd/ticket/2988
    
    Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    78027fe
  52. Fix packet size calculation in sss_packet_new

    Use division instead of modulo while rounding the created packet size up
    to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
    potential packet buffer overflows with certain body sizes.
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    spbnick authored and Lukas Slebodnik committed Jul 7, 2016
    740bfe1
  53. sss_ini: Small refactoring of sss_ini_call_validators

    Separate logic to fill errobj so that
    the errors can be printed by the caller.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 7, 2016
    199984c
  54. sssctl: Add config-check command

    Fixes:
    https://fedorahosted.org/sssd/ticket/2269
    
    sssctl config-check command allows to
    call SSSD config file validators on
    demand.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 7, 2016
    e088912
  55. MAN: Config file merging

    Related to:
    https://fedorahosted.org/sssd/ticket/2247
    
    Explain configuration merging in sssd.conf
    man page.
    
    Signed-off-by: Dan Lavu <dlavu@redhat.com>
    Reviewed-by: Dan Lavu <dlavu@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 7, 2016
    c82789a
  56. LDAP: Lookup services by all protocols unless a protocol is specified

    The DP refactoring changed the way we handle strings from sbus. We no
    longer receive NULL strings, but empty strings instead.
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek committed Jul 7, 2016
    aa58e21
  57. CONFIGURE: Inform about optional build dependencies

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Jul 7, 2016
    c5a47e4
  58. SSH-CERT: always initialize cert_verify_opts

    Currently cert_verify_opts is only initialized when there is an option
    in the config file. This might cause issues later when the struct is
    accessed. Since parse_cert_verify_opts() can already handle an empty
    option the additional check is not needed at all.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    ecd48ae
  59. cert_to_ssh_key: properly add leading 0 to bignums

    In the ssh keys a leading 0 is added to the bignums of the RSA modulus
    and exponent if the leading bit is set to avoid the interpretation as a
    negative number.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 7, 2016
    8b2bd05
  60. sssctl: manual page

    Resolves:
    https://fedorahosted.org/sssd/ticket/3055
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    pbrezina authored and jhrozek committed Jul 7, 2016
    dc6dd1e
  61. d25fa6f
  62. c367a5b
  63. 9328787

Commits on Jul 11, 2016

  1. SYSDB: Fixing DB update

    Functions sysdb_user_base_dn() and sysdb_group_base_dn() expect
    that struct sss_domain_info contains pointer to struct sysdb_ctx.
    This is not true in case of sysdb_upgrade functions.
    This patch fixes the situation and reverts the code to the state before
    12a000c commit.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3023
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Jul 11, 2016
    3118362
  2. sssctl: Fix error handling after memory allocation failure

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Lukas Slebodnik committed Jul 11, 2016
    4b18d0c
  3. sssctl: config-check access check report

    Improve output when access check error
    is detected by sssctl config-check command.
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 11, 2016
    Copy the full SHA
    9dc66cb View commit details
    Browse the repository at this point in the history

Commits on Jul 12, 2016

  1. FO: Set port to NOT_WORKING when trying a next server

    Resolves: https://fedorahosted.org/sssd/ticket/3009
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    jhrozek committed Jul 12, 2016
    c420ce8
  2. sssctl: Fix format string for size_t

    src/tools/sssctl/sssctl_config.c: In function 'sssctl_config_check':
    src/tools/sssctl/sssctl_config.c:93:14: warning: format '%lu' expects
      argument of type 'long unsigned int', but argument 2 has type
      'size_t {aka unsigned int}' [-Wformat=]
         printf(_("Issues identified by validators: %lu\n"), num_errors);
                  ^
    src/tools/sssctl/sssctl_config.c:93:12: note: in expansion of macro '_'
         printf(_("Issues identified by validators: %lu\n"), num_errors);
                ^
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Jul 12, 2016
    cca5695
  3. doxygen: Fix path to header file ipa_hbac.h

    Warning: tag INPUT: input source `src/providers/ipa/ipa_hbac.h' does not exist
    warning: source src/providers/ipa/ipa_hbac.h is not
             a readable file or directory... skipping.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Jul 12, 2016
    b9b2c08
  4. ipa_hbac: Fix documentation for hbac_enable_debug

    src/lib/ipa_hbac/ipa_hbac.h:68: warning: expected whitespace after [ command
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Jul 12, 2016
    f3db228
  5. sssctl: Fix warning maybe-uninitialized

    It looks like some special gcc optimization and special case
    may cause to have uninitialized output argument _dom when return
    code is EOK
    
    src/tools/sssctl/sssctl_cache.c: In function ‘sssctl_print_object’:
    src/tools/sssctl/sssctl_cache.c:491:8: error: ‘dom’ may be used
      uninitialized in this function [-Werror=maybe-uninitialized]
         if (dom == NULL) {
            ^
    src/tools/sssctl/sssctl_cache.c:447:15: error: ‘entry’ may be used
      uninitialized in this function [-Werror=maybe-uninitialized]
         *_entry = talloc_steal(mem_ctx, entry);
                   ^~~~~~~~~~~~
    src/tools/sssctl/sssctl_cache.c:412:25: note: ‘entry’ was declared here
         struct sysdb_attrs *entry;
                             ^~~~~
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Jul 12, 2016
    64d664c
  6. MAN: Update description of sssctl

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Dan Lavu authored and jhrozek committed Jul 12, 2016
    8ad1883
  7. views: allow override added for non-default views at runtime

    Currently a new override for a non-default view cannot be displayed at
    run-time. Not only does it require a restart, but the view must also be
    un-applied and applied again to make the changes visible.
    
    This patch fixes this and makes non-default view behave like the default
    view where the data from a newly added override are displayed after the
    cached entry of the related object is expired.
    
    Resolves https://fedorahosted.org/sssd/ticket/3092
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    sumit-bose authored and jhrozek committed Jul 12, 2016
    26a3d4f
  8. nss-srv-tests: Fix prototype of wrapped ncache functions

    The argument ttl was recently removed from negative cache functions
    (sss_ncache_check_user, sss_ncache_check_uid, sss_ncache_check_sid,
    sss_ncache_check_cert) but it was not removed from wrapped versions
    in nss-srv-tests. It caused a crash on big-endian machines
    and when configured with --coverage.
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Jul 12, 2016
    35567de
  9. TOOLS: Prevent dereference of null pointer

    VAR_CHECK is called with (var, EOK, ...)
    EOK would be returned in case of "var != EOK"
    and output argument _attrs would not be initialized.
    Therefore there could be dereference of null pointer
    after calling function usermod_build_attrs.
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Jul 12, 2016
    f9d3aec
  10. config: override_space is monitor's option

    We read override_space from [sssd] not
    [nss] section.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3068
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 12, 2016
    fc04d11
  11. config: Fix user_attributes

    Fixes:
    https://fedorahosted.org/sssd/ticket/3068
    
    Option user_attributes is also available in
    NSS responder, but not in PAC responder.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 12, 2016
    0a17255
  12. sysdb-tests: Fix cast from pointer to integer

    src/tests/sysdb-tests.c: In function 'test_sysdb_memberof_close_loop':
    src/tests/sysdb-tests.c:2740:5: warning: passing argument
      1 of '_ck_assert_msg' makes integer from pointer without a cast
      [enabled by default]
         fail_unless(data->attrlist[0], "talloc_array failed.");
         ^
    In file included from src/tests/sysdb-tests.c:23:0:
    /usr/include/check.h:237:16: note: expected 'int' but argument
     is of type 'const char *'
       void CK_EXPORT _ck_assert_msg (int result, const char *file,
                      ^
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Lukas Slebodnik committed Jul 12, 2016
    2bb9e88
  13. PROVIDERS: Setting right {u,g}id if unprivileged

    be_ctx had talloc_zero() initialized uid and gid which was used
    in function dp_init(). Therefore back-end was every time started as root
    and therefore non-root responders could not communicate with back-end
    due to wrong permission of unix sockets.
    
    This patch sets right uid and gid to data-providers if sssd runs
    as non-root user.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3077
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Jul 12, 2016
    75dead6
  14. config: Allow timeout for all services

    Allow option "timeout" for all services.
    Also remove unused macro CONFDB_SERVICE_TIMEOUT.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3068
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 12, 2016
    1b9b547
  15. config: Add config_file_version to schema

    Resolves:
    https://fedorahosted.org/sssd/ticket/3068
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 12, 2016
    aeab203

Commits on Jul 13, 2016

  1. dyndns: Add checks for NULL

    Fixes:
    https://fedorahosted.org/sssd/ticket/3076
    
    We segfaulted in this area once. This patch
    makes the code more defensive and adds
    some DEBUG messages.
    
    Normally the structures are filled in online
    and/or resolve callbacks.
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    mzidek-gh authored and jhrozek committed Jul 13, 2016
    b5f61f8
  2. sssctl: move filter creation to separate function

    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    pbrezina authored and jhrozek committed Jul 13, 2016
    3c6e15e
  3. sssctl: improve readability of a condition

    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    pbrezina authored and jhrozek committed Jul 13, 2016
    aa69183

Commits on Jul 15, 2016

  1. DP: rename be_acct_req to dp_id_data

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Jul 15, 2016
    3d29430
  2. sdap: Fix ldap_rfc_2307_fallback_to_local_users

    We wrongly tried to store empty
    user attributes instead of the
    local user attributes with
    ldap_rfc_2307_fallback_to_local_users
    set to true. This gave us bad
    initgroups results and caused
    segfaults.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3045
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Jul 15, 2016
    aa8ec37

Commits on Jul 18, 2016

  1. SPEC: Move nfsidmap plugin to separate package

    Resolves:
    https://fedorahosted.org/sssd/ticket/3024
    
    Reviewed-by: Noam Meltzer <tsnoam@gmail.com>
    Lukas Slebodnik committed Jul 18, 2016
    4767ba5
  2. sssctl: Use localtime for time stamps

    Resolves:
    https://fedorahosted.org/sssd/ticket/3096
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    fidencio authored and Lukas Slebodnik committed Jul 18, 2016
    f316e54
  3. test_utils: Clean files after sss_write_krb5_conf_snippet

    The test directory was not removed (tp_test_utils-test_utils)
    because it contained the snippet for krb5_libdefaults.
    
    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    Lukas Slebodnik committed Jul 18, 2016
    059904a
  4. IPA: read ipaNTAdditionalSuffixes for master and trusted domains

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 18, 2016
    39f21d2
  5. sysdb: add UPN suffix support for the master domain

    sysdb_master_domain_update() and sysdb_master_domain_add_info() are now
    aware of the UPN suffix attribute.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 18, 2016
    132b31f
  6. sysdb: make subdomain calls aware of upn_suffixes

    sysdb_subdomain_store() and sysdb_update_subdomains() can now update
    upn_suffixes as well.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 18, 2016
    20348a3
  7. DP: add dp_get_module_data()

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 18, 2016
    35fa5a8
  8. IPA: add ipa_init_get_krb5_auth_ctx()

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 18, 2016
    17dccc2
  9. IPA: enable enterprise principals if server supports them

    If there are alternative UPN suffixes found on the server we can safely
    assume that the IPA server supports enterprise principals.
    
    Resolves https://fedorahosted.org/sssd/ticket/3018
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 18, 2016
    7067311

Commits on Jul 22, 2016

  1. CI: Use /bin/sh as a CONFIG SHELL

    There is a bug on debian_testing in bash.
      sh$ valgrind /bin/bash
      ==25145== Memcheck, a memory error detector
      ==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
      ==25145== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
      ==25145== Command: /bin/bash
      ==25145==
      ==25145== Invalid read of size 1
      ==25145==    at 0x4B90B1: ??? (in /bin/bash)
      ==25145==    by 0x43FE9B: initialize_shell_variables (in /bin/bash)
      ==25145==    by 0x41E4C0: ??? (in /bin/bash)
      ==25145==    by 0x41F722: main (in /bin/bash)
      ==25145==  Address 0x58307f8 is 8 bytes before a block of size 31 alloc'd
      ==25145==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
      ==25145==    by 0x475D1A: xmalloc (in /bin/bash)
      ==25145==    by 0x4B7F4A: tilde_expand (in /bin/bash)
      ==25145==    by 0x42E63D: bash_tilde_expand (in /bin/bash)
      ==25145==    by 0x43FE79: initialize_shell_variables (in /bin/bash)
      ==25145==    by 0x41E4C0: ??? (in /bin/bash)
      ==25145==    by 0x41F722: main (in /bin/bash)
      ==25145==
    
      malloc: .././variables.c:570: assertion botched
      free: called with unallocated block argument
      last command: (null)
      Aborting...==25145==
    
    And /bin/bash was used as a default SHELL in scripts generated by
    configure+libtool. It started to fail with the latest valgrind
    valgrind-3.12.0~svn20160714-1
    
    Workaround is to use /bin/sh which is a symlink to /bin/dash
    
    Reviewed-by: Petr Cech <pcech@redhat.com>
    Lukas Slebodnik committed Jul 22, 2016
    35f29b1
  2. SECRETS: Log message for failures with removing file

    Type: Unchecked return value
    Reported by coverity
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Jul 22, 2016
    6c82774

Commits on Jul 25, 2016

  1. IPA: fix [capaths] output

    The capaths for a single domain should be collected in a single
    sub-section in the MIT Kerberos configuration, not spread over multiple
    ones. See the capaths section of the krb5.conf man page for details.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3103
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    5e40ba3
  2. UTIL: make domain mapping content testable

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    2efebde
  3. tests: add tests for sss_get_domain_mappings_content()

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    66588a6
  4. Amend debug messages after failure of unlink

    Some messages did not have errno or name of problematic file.
    There was also improper use of negative value.
    The function strerror was called with -1 instead of errno
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Jul 25, 2016
    bc7991d
  5. SYSDB: Do not try to modify ts cache for unsupported DNs

    Only users and groups have timestamp data in separate cache.
    It caused false positive warnings for autofs, netgroup ...
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Jul 25, 2016
    a2eba28
  6. AD: avoid memory leak in netlogon_get_domain_info() and make it public

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    74bef21
  7. AD: netlogon_get_domain_info() allow missing arguments and empty results

    netlogon_get_domain_info() should not fail if not all parameters can be
    retrieved. It should be the responsibility of the caller to see if the
    needed data is available and act accordingly.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3104
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    44656ce
  8. tests: add tests for netlogon_get_domain_info

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    7fe7073
  9. AD: replace ad_get_client_site_parse_ndr() with netlogon_get_domain_info()
    
    netlogon_get_domain_info() does not fail if only the site is missing in
    the CLDAP ping response. If the site is not available a Global Catalog
    can still be looked up with the forest name. Only if the forest name is
    missing as well we fall back to the configured domain name.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3104
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    3000d86
  10. sysdb_master_domain_add_info: properly set do_update

    do_update should be only set if there is a change, i.e. if something was
    added to the ldb_message.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    sumit-bose authored and Lukas Slebodnik committed Jul 25, 2016
    136a07e

Commits on Jul 26, 2016

  1. SYSDB: Removing of duplication of sysdb_ts_cache_attrs

    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    Petr Cech authored and Lukas Slebodnik committed Jul 26, 2016
    d7b3c1d
  2. test_utils: Fixing assignment discards 'const' qualifier

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Jul 26, 2016
    19bb5bf

Commits on Jul 29, 2016

  1. IPA: make ipa_resolve_user_list_{send|recv} public and allow AD users

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    f2e8a7c
  2. IPA: expand ghost members of AD groups in server-mode

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    160ba89
  3. sysdb: add sysdb_get_user_members_recursively()

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    17bfd9f
  4. views: properly override group member names

    Resolves https://fedorahosted.org/sssd/ticket/2948
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    1594701
  5. IPA: fix lookup by UPN for subdomains

    Currently the user name used in the extdom exop request is
    unconditionally set to the short name. While this is correct for the
    general name based lookups it breaks UPN/email based lookups where the
    name part after the @-sign might not match the domain name. I guess this
    was introduced during the sysdb refactoring.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    530458a
  6. LDAP: allow multiple user principals

    In general a user can have multiple principals and recent IPA versions
    added support for defining multiple principals. With this patch SSSD
    stores not only the first but all principals read by LDAP from a server.
    
    Resolves https://fedorahosted.org/sssd/ticket/2958
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    0d5d490
  7. LDAP: new attribute option ldap_user_email

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    83a796e
  8. sysdb: include email in UPN searches

    Email addresses and Kerberos user principal names (UPNs) not only
    look similar, they can also be used to identify a user uniquely.
    
    In the future this approach should be replaced by a more generic one where
    the attributes which can uniquely identify a user can be configured to
    support an even wider range of login names.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    7867749
  9. LDAP: include email in UPN searches

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    ba9ebfc
  10. NSS: add user email to fill_orig()

    The IPA server must send the email address of a user to the clients to
    allow login by email.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    9176792
  11. utils: add is_email_from_domain()

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    04d4c4d
  12. LDAP/IPA: add local email address to aliases

    Adding email addresses from the local domain to the alias names is
    strictly not needed but might help to speed up lookups in the NSS
    responder.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    9a31091
  13. NSS: continue with UPN/email search if name was not found

    Currently we only search for UPNs if the domain part of the name was not
    known; with Kerberos aliases and email addresses we have to do this even
    if the domain name is a known domain.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    447b1da
  14. PAM: continue with UPN/email search if name was not found

    Currently we only search for UPNs if the domain part of the name was not
    known; with Kerberos aliases and email addresses we have to do this even
    if the domain name is a known domain.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    3381d97
  15. NSS: use different neg cache name for UPN searches

    If Kerberos principals or email addresses have the same domain suffix as
    the domain itself the first user lookup by name might have already added
    the name to the negative cache and the second lookup by UPN/email will
    skip the domain because of the neg cache entry. To avoid this a special
    name with a '@' prefix is used here.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    62df785
  16. PAM: Fix domain for UPN based lookups

    Since sysdb_search_user_by_upn() searches the whole cache we have to set
    the domain so that it matches the result.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    9b8fcf6
  17. SDAP: add special handling for IPA Kerberos enterprise principal strings

    Unfortunately principal aliases with an alternative realm are stored in
    IPA as the string representation of an enterprise principal, i.e.
    name\@alt.realm@IPA.REALM. To allow searches with the plain alias
    'name@alt.realm' the returned value is converted before it is saved to
    the cache.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    15694ca
  18. SDAP: add enterprise principal strings for user searches

    Unfortunately principal aliases with an alternative realm are stored in
    IPA as the string representation of an enterprise principal, i.e.
    name\@alt.realm@IPA.REALM. To be able to look up the alternative
    principal in LDAP properly the UPN search filter is extended to search
    for this type of name as well.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Jul 29, 2016
    50a7a92

Commits on Aug 2, 2016

  1. LDAP: Fix storing initgroups for users with no supplementary groups

    If there are no supplementary groups, we tried to qualify a NULL pointer
    to an array which resulted in an error.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 2, 2016
    6417596
  2. LDAP: Changing of confusing debug message

    This debug message used to confuse our customer. So this patch changes it.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3091
    
    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Aug 2, 2016
    07faf35

Commits on Aug 4, 2016

  1. LDAP: Use FQDN when linking parent LDAP groups

    Resolves:
        https://fedorahosted.org/sssd/ticket/3093
    
    Because we compare the list of LDAP names with the list of sysdb names,
    we need to qualify the list of LDAP names before running the diff.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek committed Aug 4, 2016
    6a89b38
  2. Fixed some typos in man pages

    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    tscherf authored and jhrozek committed Aug 4, 2016
    2a03170
  3. RESPONDERS: Decrease debug level for failures in SELINUX_getpeercon()

    As this is not FATAL and may happen when SELinux is disabled, let's just
    decrease the debug level to MINOR_FAILURE
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    
    Related:
    https://fedorahosted.org/sssd/ticket/3094
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    fidencio authored and jhrozek committed Aug 4, 2016
    634b6f2
  4. RESPONDERS: Show a bit more info in case of SELINUX_getpeercon() failure

    Be explicit that it may happen when SELinux is disabled and also suggest
    to enable SELinux.
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    
    Related:
    https://fedorahosted.org/sssd/ticket/3094
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    fidencio authored and jhrozek committed Aug 4, 2016
    4b9ee02
  5. RESPONDERS: Pass errno to strerror() when SELINUX_getpeercon() fails

    Currently ret, which is -1, is passed to strerror() instead of errno.
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    
    Related:
    https://fedorahosted.org/sssd/ticket/3094
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    fidencio authored and jhrozek committed Aug 4, 2016
    ba3c902
  6. sss_ini: Change debug level of config error msgs

    Syntax errors in configuration files
    prevent SSSD or sssctl from starting completely.
    It would be good to display these errors
    by default with the highest level.
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Aug 4, 2016
    9dc0815

Commits on Aug 5, 2016

  1. sssctl: Consistent commands naming

    Use TOPIC-ACTION pattern for sssctl command
    names.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3087
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Aug 5, 2016
    488b455
  2. SDAP: sanitize member name before using in filter

    It caused errors.
    
    (Tue Aug  2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users]
    (0x2000): Search users with filter:
    (&(objectclass=user)(nameAlias=t(u)ser@ldap))
    (Tue Aug  2 06:29:39 2016) [sssd[be[LDAP]]] [sysdb_cache_search_users]
    (0x0080): Error: 5 (Input/output error)
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3121
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Lukas Slebodnik committed Aug 5, 2016
    44bfef4
  3. SDAP: sysdb_search_users does not set users_count for failures

    ==32577== Conditional jump or move depends on uninitialised value(s)
    ==32577==    at 0x140DCE10: sdap_process_missing_member_2307 (sdap_async_groups.c:1556)
    ==32577==    by 0x140DCE10: sdap_process_group_members_2307 (sdap_async_groups.c:1625)
    ==32577==    by 0x140DCE10: sdap_process_group_send (sdap_async_groups.c:1298)
    ==32577==    by 0x140DCE10: sdap_get_groups_process (sdap_async_groups.c:2130)
    ==32577==    by 0x140CFDA8: generic_ext_search_handler.isra.3 (sdap_async.c:1688)
    ==32577==    by 0x140D2416: sdap_get_generic_op_finished (sdap_async.c:1578)
    ==32577==    by 0x140D0DFC: sdap_process_message (sdap_async.c:353)
    ==32577==    by 0x140D0DFC: sdap_process_result (sdap_async.c:197)
    ==32577==    by 0x8BF1B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
    ==32577==    by 0x8BF2B59: epoll_event_loop_once (tevent_epoll.c:911)
    ==32577==    by 0x8BF1256: std_event_loop_once (tevent_standard.c:114)
    ==32577==    by 0x8BED40C: _tevent_loop_once (tevent.c:533)
    ==32577==    by 0x8BED5AA: tevent_common_loop_wait (tevent.c:637)
    ==32577==    by 0x8BF11F6: std_event_loop_wait (tevent_standard.c:140)
    ==32577==    by 0x529DD02: server_loop (server.c:702)
    ==32577==    by 0x110951: main (data_provider_be.c:587)
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3121
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Lukas Slebodnik committed Aug 5, 2016
    9b3f22f
  4. SYSDB: Sanitize dn in sysdb_get_user_members_recursively

    There was a crash in the nss responder when a group contained
    a user with special characters which should be sanitized before
    being used in a filter.
    
    ==31651== Conditional jump or move depends on uninitialised value(s)
    ==31651==    at 0x8BEA7DE: _talloc_steal_loc (talloc.c:1215)
    ==31651==    by 0x5264889: sysdb_get_user_members_recursively (sysdb_ops.c:4759)
    ==31651==    by 0x5278F61: sysdb_add_group_member_overrides (sysdb_views.c:1375)
    ==31651==    by 0x526677C: sysdb_getgrnam_with_views (sysdb_search.c:799)
    ==31651==    by 0x1172F6: nss_cmd_getgrnam_search (nsssrv_cmd.c:3168)
    ==31651==    by 0x119C67: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1382)
    ==31651==    by 0x10FD14: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:916)
    ==31651==    by 0x12898B: sss_dp_internal_get_done (responder_dp.c:791)
    ==31651==    by 0x58FF861: complete_pending_call_and_unlock (dbus-connection.c:2314)
    ==31651==    by 0x5902B50: dbus_connection_dispatch (dbus-connection.c:4580)
    ==31651==    by 0x527F261: sbus_dispatch (sssd_dbus_connection.c:96)
    ==31651==    by 0x89D8B4E: tevent_common_loop_timer_delay (tevent_timed.c:341)
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3121
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Lukas Slebodnik committed Aug 5, 2016
    31fdda9
  5. SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the current time

    sysdb is already able to retrieve the current timestamp if the caller
    doesn't specify it. However, for the timestamp cache this came too late
    and the timestamp cache used zero as the 'now' time.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3064
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 5, 2016
    eb92441
  6. IPA: Changing of confusing debug message

    This debug message used to confuse our users. So this patch changes it.
    Old version: "Trust direction of %s is %s\n"
    New version: "Trust type of [%s]: %s\n"
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3090
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Aug 5, 2016
    2427b40
  7. Revert "LDAP: Lookup services by all protocols unless a protocol is specified"

    This reverts commit aa58e21.
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Aug 5, 2016
    e4ba22c
  8. PROVIDER: Conversion empty string from D-Bus to NULL

    This patch fixes the issue with empty string receiving from D-Bus.
    Data providers obtain NULL. So this is simple conversion.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3084
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Aug 5, 2016
    dc30c60
  9. tools: Add missing gettext macro

    The message in SSS_TOOL_DELIMITER should be translated.
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    mzidek-gh authored and Lukas Slebodnik committed Aug 5, 2016
    1472e41
  10. SDAP: Don't log an op failure when no users are found

    When no users are found during the search users process, just log (at
    TRACEL_ALL level) that zero users were retrieved and avoid logging (at
    OP_FAILURE level) that a failure has occurred, which may end up
    misleading admins, giving them the impression that something wrong has
    happened.
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3089
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 5, 2016
    835965d

Commits on Aug 8, 2016

  1. LDAP: Fix Dereference after NULL check

    The commit dc30c60
    changed the logic in NULL check
     -    if (protocol) {
     +    if (protocol == NULL) {
    
    Found by Coverity:
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 8, 2016
    f9d363f
  2. LDAP: Fixing wrong pam error code for passwd

    This patch adds right pam error code for sssd offline state.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3109
    Petr Cech authored and Lukas Slebodnik committed Aug 8, 2016
    565e6dc
  3. PAM: Do not act on ldb_message in case of a failure

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 8, 2016
    5cda842
  4. IPA: Check the return value of sss_parse_internal_fqname

    We should fail the request if sss_parse_internal_fqname() fails.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 8, 2016
    858c7b7

Commits on Aug 9, 2016

  1. DP: Initialize D-Bus as soon as possible

    Resolves:
    https://fedorahosted.org/sssd/ticket/3111
    
    Reviewed-by: Petr Cech <pcech@redhat.com>
    pbrezina authored and jhrozek committed Aug 9, 2016
    a16e7a3
  2. sssctl: Generic help for cache-upgrade and config-check

    sssctl COMMAND --help should print at least
    generic help, even if the command does not
    accept any command specific options.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3086
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    mzidek-gh authored and jhrozek committed Aug 9, 2016
    55857e9
  3. NSS: Do not check local users with disabled local_negative_timeout

    sssd_nss can set different negative timeout for local users
    and groups. However, checking whether user/group is local
    is quite an expensive operation. We can avoid such operations
    if local_negative_timeout is not set.
    
    This fix improves performance (40%) of lookup of non-existing
    entries in offline mode and with disabled local_negative_timeout.
    
      sh$ cat pok.sh
      for i in {1..10000}; do
        getent passwd -s sss temp$i
        getent group -s sss temp$i
      done
    
      #without patch
      sh $time /bin/bash pok.sh
      real    0m41.534s
      user    0m3.580s
      sys     0m14.202s
    
      #with patch
      sh $time /bin/bash pok.sh
      real    0m26.686s
      user    0m3.292s
      sys     0m13.165s
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3122
    
    Reviewed-by: Petr Cech <pcech@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Aug 9, 2016
    950716d
  4. UTILS: Fixing duplication of pid file declaration

    Resolves:
    https://fedorahosted.org/sssd/ticket/2978
    
    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Petr Cech authored and jhrozek committed Aug 9, 2016
    08cd034
  5. utils: add remove_subtree

    Remove all entries in a directory but will
    not remove the directory itself.
    
    Reviewed-by: Petr Cech <pcech@redhat.com>
    pbrezina authored and jhrozek committed Aug 9, 2016
    9c7e046
  6. sssctl: use internal API to remove files

    Reviewed-by: Petr Cech <pcech@redhat.com>
    pbrezina authored and jhrozek committed Aug 9, 2016
    68f73e5

Commits on Aug 10, 2016

  1. config_schema: Add ldap_user_email to schema

    Resolves:
    https://fedorahosted.org/sssd/ticket/3068
    
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    Lukas Slebodnik committed Aug 10, 2016
    a209680
  2. intg: Make location of sssd nss module configurable

    The path to sssd nss module (libsss_nss.so) was
    relative to prefix and expected subdirectory "lib".
    32bit and 64bit platforms and different distributions
    use different paths. This patch allows to use python module sssd_id
    even with real module and not just integration tests.
    It is just required to prepare "config.py" with right path.
    
    e.g.
      cd ~/sssd/src/tests/intg
      [~/sssd/src/tests/intg]$ echo "NSS_MODULE_DIR = '/usr/lib64'" > config.py
      [~/sssd/src/tests/intg]$ python
      Python 2.7.12 (default, Jul 18 2016, 09:57:01)
      [GCC 6.1.1 20160621 (Red Hat 6.1.1-3)] on linux2
      Type "help", "copyright", "credits" or "license" for more information.
      >>> import sssd_id
      >>> sssd_id.get_user_gids('user')
      (1, 0, [5977, 1070, 5845, 1076, 1074, 10327, 5975, 5766])
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 10, 2016
    70d47ad
  3. intg: Allow to test netgroups

      sh-4.2# getent netgroup -s sss QAUsers
      QAUsers               ( ,qa1,example.com) ( ,qa2,example.com) ( ,qa3,example.com)
      sh-4.2# getent netgroup -s sss QASystems
      QASystems             (qahost1.example.com,,) (qahost2.lab.eng.pnq.redhat.com,,)
      sh-4.2# getent netgroup -s sss test
      sh-4.2# echo $?
      2
    
      sh-4.2# python
      Python 2.7.5 (default, Aug  2 2016, 04:20:16)
      [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
      Type "help", "copyright", "credits" or "license" for more information.
      >>> import sssd_netgroup
      >>> sssd_netgroup.get_sssd_netgroups('QAUsers')
      (1, 0, [(None, 'qa1', 'example.com'), (None, 'qa2', 'example.com'), (None, 'qa3', 'example.com')])
      >>> sssd_netgroup.get_sssd_netgroups('QASystems')
      (1, 0, [('qahost1.example.com', None, None), ('qahost2.lab.eng.pnq.redhat.com', None, None)])
      >>> sssd_netgroup.get_sssd_netgroups('test')
      (0, 0, [])
      >>>
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 10, 2016
    b4633e7
  4. NSS: Use correct name for invalidating memory cache

    After refactoring of sysdb, we get an internal fully qualified
    name from backend in org.freedesktop.sssd.dataprovider_rev.initgrCheck
    Previously we got short name and we created fq name in
    nss_update_initgr_memcache. Memory cache still needs to use short names
    if it was specified.
    
    This patch uses right name in different places.
    
    Reviewed-by: Petr Cech <pcech@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Aug 10, 2016
    6f0a0ae
  5. SYSDB: Avoid optimisation with modifyTimestamp for users

    The usage of modifyTimestamp needn't be a reliable way
    for detecting of changes in user entry in LDAP.
    The authorisation needs to rely on current data from LDAP
    and therefore we will temporarily disable optimisation with
    modifyTimestamp and we will rather rely on deep comparison
    of attributes. In the future, it might be changed and
    responders might control the optimization level.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3110
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Aug 10, 2016
    00f3c5c
  6. dyndns-tests: Fix false positive failures

    The child process finished faster than it was handled by parent
    and therefore it timed out. It's the similar solution as in
    b3074dc
    
    [ RUN      ] dyndns_test_error
    (Fri Jul 29 16:12:00:621444 2016) [sssd] [nsupdate_child_timeout] (0x0020):
      Timeout reached for dynamic DNS update
    Could not run the test - check test fixtures
    [  ERROR   ] dyndns_test_error
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 10, 2016
    bad17a2
  7. SIMPLE: Do not parse names on startup

    It's not required to parse names on SSSD startup in the simple access
    provider. We can instead just parse the name when the access request is
    processed.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3101
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek committed Aug 10, 2016
    d2902de
  8. SIMPLE: Fail on any error parsing the access control list

    Luckily this error was hidden by the fact that SSSD didn't start at all
    when an unparseable name was encountered after startup. Otherwise, this
    would have been a security issue.
    
    Nonetheless, we should just fail and deny access if we can't parse a
    name in a simple access list.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek committed Aug 10, 2016
    79ac0e8
  9. SIMPLE: Make the DP handlers testable

    To make it possible to call the whole DP handler in the unit test, not
    just the evaluator part.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek committed Aug 10, 2016
    c777f57
  10. TESTS: Use the DP handlers in simple provider tests, add more tests

    Use the full simple access control handlers, just like SSSD does in the
    tests.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek committed Aug 10, 2016
    95de2cd

Commits on Aug 11, 2016

  1. gpo: gPCMachineExtensionNames with just whitespaces

    Resolves:
    https://fedorahosted.org/sssd/ticket/3114
    
    We failed GPO processing if the gPCMachineExtensionNames
    attribute contained just whitespaces. This caused
    failures in some server settings.
    
    Comment from Alexander Bokovoy quoting:
    
    You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when
    processing gPCMachineExtensionNames, "Group Policy processing terminates
    at the first <CSE GUIDn> out of sequence."
    Since ' ' (space only) does not fall into defined syntax for
    gPCMachineExtensionNames, this Group Policy processing is stopped and
    its CSE GUIDs are set to 'empty list'.
    
    Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
    ------------------------------------------------------------------------
    The Group Policy client MUST evaluate the subset of the abstract element
    Filtered GPO list separately for each Group Policy extension by
    including in the subset only those GPOs whose gPCUserExtensionNames (for
    user policy mode) or gPCMachineExtensionNames (for computer policy mode)
    attributes contain CSE GUID that correspond to the Group Policy
    extension. If the CSE GUID corresponding to the Group Policy extension
    is present in Extension List, it is invoked using the
    Implementation Identifier field. Applicability is determined as
    specified in section 3.2.1.5. The Group Policy Registry Extension MUST
    always execute first. All other applicable Group Policy extensions in
    the Extension List MUST be loaded and executed in Extension List order.
    A failure in any Group Policy extension sequence MUST NOT affect the
    execution of other Group Policy extensions.
    -------------------------------------------------------------------------
    
    I think we can practically treat wrong content of
    gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the
    GPO to pass through the Filtered GPO list. Thus, the GPO would be
    ignored.
    
    Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    mzidek-gh authored and jhrozek committed Aug 11, 2016
    b1a8b4a

Commits on Aug 12, 2016

  1. CONFIG: full_name_format is an allowed option for all domains

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 12, 2016
    cc4d1af
  2. CONFIG: re_expression is an allowed option for all domains

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 12, 2016
    6d19051

Commits on Aug 16, 2016

  1. rdp: add ability to forward reply to the client request

    In cases where the InfoPipe serves just as a middle-man between
    the DataProvider and a client we can simply forward the reply
    reducing amount of code needed in the InfoPipe.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    a40d9cc
  2. sbus: add sbus_request_reply_error()

    This simplifies error handling in sbus requests since we avoid
    creating DBusError and checking for NULL manually. It removes
    few lines of code.
    
    This patch does not replace all calls to sbus_request_fail_and_finish
    since sometimes it is desirable to create the error manually. But
    it replaces it in most recent places.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    a06e23c
  3. sbus: add utility function to simplify message and reply handling

    This patch adds the ability to hook DBusMessage to a talloc context
    to remove the need of calling dbus_message_unref(). It also provides
    an automatic way to detect error in a reply so the caller does
    not need to parse it manually and the whole code around DBusError
    can be avoided.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    439e08c
  4. sssctl: use talloc with sifp

    This way we completely move D-Bus memory management to talloc and
    we reduce number of code lines needed to send and receive reply.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    9b74009
  5. failover: mark subdomain service with sd_ prefix

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    778f241
  6. sssctl: print active server and server list

    Resolves:
    https://fedorahosted.org/sssd/ticket/3069
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    bd4c2ed
  7. sifp: fix coverity warning

    sssd-1.14.1/src/lib/sifp/sss_sifp_dbus.c:51: check_return:
      Calling "dbus_message_append_args_valist" without checking return value
      (as is done elsewhere 4 out of 5 times).
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    de5160e
  8. sbus: allow freeing msg through dbus api when using talloc

    When a talloc-bound message was freed by removing all references
    to it with dbus_message_unref we failed to free the talloc context
    and thus leaking memory or unreferencing invalid message when
    the parent context is freed.
    
    This patch allows to bind dbus message to talloc in the way that
    allows us to free the message by both talloc and dbus api.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    5d556f7
  9. PROXY: Do not abuse data provider interface

    We want to use custom interface for proxy provider so we do not
    abuse the data provider one. This way we gain more control over
    it and we can remove the old interface entirely.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    e07d700
  10. DP: Remove old data provider interface

    Reverse data provider interface is moved to a better location in
    NSS responder. All responders now can have an sbus interface
    defined per data provider connection. The unused old data provider
    interface is removed.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    04e870d
  11. NSS: Remove unused functions

    When removing the old data provider I noticed that those functions
    are not used at all.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 16, 2016
    f31610a
  12. Make resolv_is_address() function public and create some basic tests

    Resolves:
    https://fedorahosted.org/sssd/ticket/2789
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    justin-stephenson authored and jhrozek committed Aug 16, 2016
    00f3fbb
  13. Warn if IP address is used as option for ipa_server/ad_server

    GSSAPI is dependent on DNS with hostnames and we should warn about this.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2789
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    justin-stephenson authored and jhrozek committed Aug 16, 2016
    e915f42

Commits on Aug 17, 2016

  1. AD_PROVIDER: Add ad_enabled_domains option

    Resolves:
    https://fedorahosted.org/sssd/ticket/2828
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    d6342c9
  2. AD_PROVIDER: Initializing of ad_enabled_domains

    We add ad_enabled_domains into ad_subdomains_ctx.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2828
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    a82baf5
  3. AD_PROVIDER: ad_enabled_domains - only master

    We can skip looking up other domains if option ad_enabled_domains
    contains only master domain.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2828
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    49f3870
  4. AD_PROVIDER: ad_enabled_domains - other than master

    We can skip looking up other domains if
    option ad_enabled_domains doesn't contain them.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2828
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    ba26252
  5. TESTS: Adding tests for ad_enabled_domains option

    There is special logic around ad_enabled_domains option:
     * option is disabled by default
     * master domain is always added to enabled domains
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2828
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    e4d18b7
  6. SPEC: Own the secrets DB path

    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek committed Aug 17, 2016
    b72bf8c
  7. LDAP: Adding support for SIGTERM signal

    We add support for handling SIGTERM signal. If ldap_child receives
    SIGTERM signal it removes temporary file.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3106
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    4313147
  8. LDAP: Adding SIGTERM signal before SIGKILL

    We add better termination of ldap_child. If ldap_child reaches
    the timeout for termination parent sends SIGTERM signal. Child
    has 2 seconds for removing temporary file and exit.
    If it is not sufficient there is SIGKILL sent to the child.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3106
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    b9a0959
  9. LDAP: Adding SIGCHLD callback

    This patch adds SIGCHLD callback for ldap_child. So if timeout is
    reached and ldap_child is terminated by handler we have debug message
    about it.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3106
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Petr Cech authored and jhrozek committed Aug 17, 2016
    864cdac
  10. UTIL: Use sss_atomic_read_s in generate_csprng_buffer

    There was a bug in generate_csprng_buffer() where if we read the exact
    amount of bytes from /dev/urandom, we would always return EIO. Instead,
    let's reuse the existing code from sss_atomic_read_s() which fixes this
    bug and reduces code duplication.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    jhrozek committed Aug 17, 2016
    b3a22ee
  11. SECRETS: Use sss_atomic_read/write for better readability

    sss_atomic_read_s and sss_atomic_write_s are macro-wrappers around
    sss_atomic_io_s but it's easier to follow the code with the read/write
    variants used directly.
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    jhrozek committed Aug 17, 2016
    942b4ce
  12. BUILD: Ship systemd service file for sssd-secrets

    Adds two new files: sssd-secrets.socket and sssd-secrets.service. These
    can be used to socket-activate the secrets responder even without
    explicitly starting it in the sssd config file.
    
    The specfile activates the socket after installation which means that
    the admin would just be able to use the secrets socket and the
    sssd_secrets responder would be started automatically by systemd.
    
    The sssd-secrets responder is started as root, mostly because I didn't
    think of an easy way to pass the uid/gid to the responders without
    asking about the sssd user identity in the first place. But nonetheless,
    the sssd-secrets responder wasn't tested as non-root and at least the
    initialization should be performed as root for the time being.
    
    Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    jhrozek committed Aug 17, 2016
    733100a
  13. LDAP: Log autofs rfc2307 config changes only with enabled responder

    grep -nE "0x0040" /var/log/sssd/sssd_example.com.log
    361:(Tue Aug 16 13:04:04 2016) [sssd[be[example.com]]]
      [ldap_get_autofs_options] (0x0040): Your configuration uses the autofs
      provider with schema set to rfc2307 and default attribute mappings.
      The default map has changed in this release, please make sure
      the configuration matches the server attributes.
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 17, 2016
    d9065da
  14. DP: Add log message for get account info

    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 17, 2016
    806f65f
  15. Monitor: Add support for disabling netlink

    Resolves:
    https://fedorahosted.org/sssd/ticket/2860
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
    justin-stephenson authored and Lukas Slebodnik committed Aug 17, 2016
    7c475c3

Commits on Aug 18, 2016

  1. SSSCTL: More helpful error message when InfoPipe is disabled

    Resolves:
    https://fedorahosted.org/sssd/ticket/3130
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    justin-stephenson authored and Lukas Slebodnik committed Aug 18, 2016
    9b86f8f
  2. ds.py: Do not call teardown in destructor

    We use finalizers in pytest for cleaning up of
    openldap server. But sometimes destructor was called
    in case of failure which causes many issues in tests.
    Running teardown in destructor is not reliable due to Python nature.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    a035366
  3. test_local_domain: Restore correct env variable

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    361f9fe
  4. intg: rename test with enumeration

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    1f4dc29
  5. test_enumeration: Remove test without enumeration

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    8def4f0
  6. intg: create ldap test without enumeration

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    49a5412
  7. sssd_id.py: Primary group should be returned for initgroups

    Side effect of this change was that some primary groups
    could not be resolved and therefore get_user_groups
    failed in override tests. We should do the same as "id user".
    return decimal representation GID if it cannot be mapped to name.
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    de19c0a
  8. intg: Fix pep8 warnings

    E302 expected 2 blank lines, found 1
    E303 too many blank lines (2)
    E501 line too long (84 > 79 characters)
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    a949dfb
  9. test_ldap: test nested membership with rfc2307bis

    Integration test for SSSD#3093
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    1ba2627
  10. test_ldap: test resolving of names with special characters

    Integration test for SSSD#3121
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 18, 2016
    e59b733

Commits on Aug 19, 2016

  1. sdap: Skip exact duplicates when extending maps

    When extending map with entry that already
    exists in the map in the exactly same form,
    then there is no need to fail.
    
    We should only fail if we try to
    change purpose of already used sysdb
    attribute.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3120
    
    Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    mzidek-gh authored and jhrozek committed Aug 19, 2016
    1336474
  2. intg: Test extra attributes duplicate

    Regression test for ticket SSSD#3120
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3120
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Aug 19, 2016
    b6bc67f
  3. ad805fa
  4. fe25b17

Commits on Aug 23, 2016

  1. CONFIG: selinux_provider is a valid provider type

    We should not warn about it in the validator and should allow
    selinux_provider from the config API.
    
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 23, 2016
    dec0019
  2. CONFIG: session_provider does not exist anymore

    The session_provider used to exist a long time ago when we used to set
    the SELinux context from it, but the provider had been removed for a
    long time. We just forgot to remove the value from the config API and
    the validator.
    
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 23, 2016
    d940593

Commits on Aug 24, 2016

  1. PROXY: Use the fqname when converting to lowercase

    When saving the user there is a comparison between the "cased alias"
    and the "lowercase password name". However, the first doesn't use fully
    qualified name while the second does, resulting in a not expected
    override of the "nameAlias" attribute of a stored user when trying to
    authenticate more than once using an alias.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3134
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 24, 2016
    5691b2d
  2. sssd_netgroup.py: Resolve nested netgroups

    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 24, 2016
    c596fc4
  3. LDAP: Fixing of removing netgroup from cache

    There was a problem with the local key, which wasn't properly removed.
    This patch fixes it.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2841
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Aug 24, 2016
    bf141e0
  4. INTG: Adding support for netgroups to ldap_ent

    Resolves:
    https://fedorahosted.org/sssd/ticket/2841
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Aug 24, 2016
    1cba321
  5. INTG: Tests for ldap nested netgroups

    This patch adds tests on reproducer of t2841.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/2841
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Petr Cech authored and Lukas Slebodnik committed Aug 24, 2016
    05457ed

Commits on Aug 25, 2016

  1. watchdog: cope with time shift

    When a time is changed into the past during sssd runtime
    (e.g. on boot during time correction), it is possible that
    we never hit watchdog tevent timer since it is based on
    system time.
    
    This patch adds a past-time shift detection mechanism. If a time
    shift is detected we restart watchdog.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3154
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 25, 2016
    b8ceaeb

Commits on Aug 26, 2016

  1. BUILD: Allow to read private pipes for root

    Root can read anything from any directory even with permissions 000.
    
    However, SELinux checks discretionary access control (DAC)
    and denies access if access is not allowed for root by DAC.
    pam_sss uses a different unix socket /var/lib/sss/pipes/private/pam
    for the user with uid 0. Therefore root needs to be able to read the content
    of the directory with private pipes.
    
    type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
      { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search
      scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
      tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
    
    type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
      { dac_override } for  pid=20257 comm=vsftpd capability=dac_override
      scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
      tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3143
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Aug 26, 2016
    f49724c
  2. SYSDB: Rework sysdb_cache_connect()

    As sysdb_cache_connect() has two very specific use cases (connect to the
    cache and connect to the timestamp cache) and each of those calls have a
    predetermined/fixed sets of values for a few parameters, let's try to
    make the code a bit simpler to follow by having explicit functions for
    connecting to the cache and connecting to the timestamp cache.
    
    Macros could be used as well, but I have a slight preference for
    having two new functions instead of macros accessing internal parameters
    of the macro's parameter.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3128
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    fidencio authored and jhrozek committed Aug 26, 2016
    b6d1cd5
  3. SYSDB: Remove the timestamp cache for a newly created cache

    As many users are used to removing the persistent cache without removing
    the timestamp cache, let's throw away the timestamp cache in this case.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3128
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    fidencio authored and jhrozek committed Aug 26, 2016
    9023bf5
  4. SECRETS: Return ENOENT when deleting a non-existent secret

    For this, just make use of the sysdb_error_to_errno() function.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3125
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    fidencio authored and jhrozek committed Aug 26, 2016
    c4a3b24
  5. SPEC: Fix typo in Summary

    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik authored and jhrozek committed Aug 26, 2016
    afa6891
  6. IPA: Parse qualified names when guessing AD user principal

    Most AD users store their UPN in an attribute. If they don't, or the sssd
    was configured (typically in earlier versions to work around a bug) to not
    look at the principal attribute, then sssd is supposed to guess
    the attribute.
    
    That currently doesn't work in 1.14, because the username is already
    qualified and then we also append the realm name to it. We need to parse
    the simple username from the qualified name first.
    
    The issue can be reproduced simply by authenticating as the Administrator
    account in IPA-AD trust setups.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3127
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 26, 2016
    0302e3e

Commits on Aug 27, 2016

  1. PROXY: Remove lowercase attribute from save_user()

    As this function already receives a struct sss_domain_info * parameter
    as argument, we can simply check whether we will need a lowercase name
    by accessing domain->case_sensitive.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3134
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 27, 2016
    413aef1
  2. PROXY: Remove cache_timeout attribute from save_user()

    As this function already receives a struct sss_domain_info * parameter
    as argument, we can simply get the cache_timeout attribute by accessing
    domain->user_timeout.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3134
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 27, 2016
    2537fe3
  3. PROXY: Remove cache_timeout attribute from save_group()

    As this function already receives a struct sss_domain_info * parameter
    as argument, we can simply get the cache_timeout attribute by accessing
    domain->group_timeout.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3134
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 27, 2016
    221d70a
  4. PROXY: Mention that save_user()'s parameters are already qualified

    Those comments are similar to what we have in the save_group() function.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3134
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 27, 2016
    9900d2b
  5. PROXY: Share common code of save_{group,user}()

    These two functions (save_user() and save_group()) share, between
    themselves, the code preparing the attributes that are going to be
    stored in the sysdb.
    
    This patch basically splits this code out of those functions and
    introduces the new prepare_attrs_for_saving_ops().
    
    Related:
    https://fedorahosted.org/sssd/ticket/3134
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 27, 2016
    69e8b7f

Commits on Aug 29, 2016

  1. SYSDB: Fix uninitialized scalar variable

    The boolean variable newly_created could be used uninitialized
    in done section in case of failure. The variable was firstly initialized
    to true after successful execution of function sysdb_cache_create_empty.
    
    Uninitialized variable usually means true for boolean variable.
    
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    Lukas Slebodnik committed Aug 29, 2016
    975d0b6
  2. BUILD: Add a few more targets for intg tests

    Running "make intgcheck" has been proven to be a bit painful (mainly
    when the developer is just writing down a single test case), as it
    cleans up the build directory and fires a new build before, finally,
    running the tests.
    
    In order to make it a little less painful, let's break the whole
    operation into 3 new targets:
        intgcheck-{prepare,run,clean}.
    
    As expected, "make intgcheck" calls these 3 new operations in the same
    order they were presented, not changing then the current behavior.
    
    Each operation will trigger the previous one in case there is no
    "$$prefix" directory created and the directory is _only_ created in the
    very first operation (intgcheck-prepare).
    
    A note must be done about how to run a simple test file or a simple test
    from a test file when running "make intgcheck-run". The option has always
    been here but only makes sense now that we have the intgcheck split in a
    few useful steps. See the examples below (and for more detailed
    information, check the py.test documentation):
     #Run a single file
     make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"
     #Run a single test from a single file
     make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 29, 2016
    6159c33
  3. BUILD: Clean up prerelease targets

    Clean up the pre-release targets in order to avoid lines exceeding 80
    characters.
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 29, 2016
    01d970a
  4. BUILD: Fix typo in intgcheck-run rule

    During the review process "intgcheck-build" ended up being merged to the
    "intgcheck-prepare" rule.
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 29, 2016
    9639cf4
  5. BUILD: Remove leftover after sysdb refactoring

    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    Lukas Slebodnik committed Aug 29, 2016
    4229ffb

Commits on Aug 30, 2016

  1. MONITOR: Remove the no longer used diag_cmd command

    After introducing the watchdog, the diag_cmd is no longer used and it makes no
    sense trying to make it usable by watchdog as the result of "pstack %p"
    seems next to useless in this context.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3051
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 30, 2016
    1620f43
  2. MONITOR: Remove the no longer used kill_service command

    After introducing the watchdog, the force_timeout option is no longer
    used.
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3052
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 30, 2016
    fa93cd0
  3. WATCHDOG: define and use _MAX_TICKS as 3

    Instead of using the number 3 directly, let's introduce and use
    WATCHDOG_MAX_TICKS.
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    jhrozek authored and Lukas Slebodnik committed Aug 30, 2016
    d7075a2
  4. PROXY: Use right name in ldap filter

    We used internal fq name in ldap filter
    with id_provider proxy to files and auth provider
    ldap
    
    [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
        (0x0400): calling ldap_search_ext with
        [(&(uid=testuser1@ldap)(objectclass=posixAccount))][dc=example,dc=com].
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Lukas Slebodnik committed Aug 30, 2016
    b4c6060
  5. SECRETS: Make internal function static

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    jhrozek committed Aug 30, 2016
    cf902c2
  6. SECRETS: Make reading the config options more uniform

    One of confdb_get_ calls in sec_get_config() used a variable referenced
    from rctx, the other used a hardcoded string. Use one of them on both
    places instead.
    
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    jhrozek committed Aug 30, 2016
    ff35d4f
  7. dyndns: fix typo and unify ipa with ad debug message when off

    Reviewed-by: Petr Čech <pcech@redhat.com>
    Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
    pbrezina authored and Lukas Slebodnik committed Aug 30, 2016
    b3851e8
  8. netlink: Don't define USE_GNU

    Applications should never #define USE_GNU themselves, but rather
    _GNU_SOURCE. This patch removes USE_GNU and replaces it with including
    config.h which has _GNU_SOURCE defined if applicable for that platform
    
    See for example:
        https://gcc.gnu.org/ml/fortran/2005-10/msg00365.html
    
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    jhrozek committed Aug 30, 2016
    1384d0c

Commits on Aug 31, 2016

  1. MONITOR: Remove leftovers from diag_cmd

    Seems that when I sent the v2 of 7579cf99 I attached the wrong patch
    that ended up being pushed.
    That patch was incomplete as there are still some leftovers.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3051
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Petr Čech <pcech@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 31, 2016
    e04df9f
  2. MONITOR: Remove leftovers from kill_service

    Seems that when I sent the v2 of ac35fe74 I attached the wrong patch that
    ended up being pushed.
    The patch was incomplete as there are still some leftovers.
    
    The .po and sssd-docs.pot were not touched as I do believe they are
    autogenerated from Zanata.
    
    Related:
    https://fedorahosted.org/sssd/ticket/3052
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Petr Čech <pcech@redhat.com>
    fidencio authored and Lukas Slebodnik committed Aug 31, 2016
    5b07358
  3. SYSDB: Fix error handling in sysdb_get_user_members_recursively

    We ignored failures from sysdb_search_entry
    
    Reviewed-by: Petr Čech <pcech@redhat.com>
    Lukas Slebodnik committed Aug 31, 2016
    b969ccc

Commits on Sep 1, 2016

  1. DEBUG: Append line feed to messages from libsemanage

    It wasn't simple to read log files from libsemanage
    because they were on single line.
    
    Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
    Lukas Slebodnik committed Sep 1, 2016
    a6d2794
  2. MAN: Document the ldap_user_primary_group option

    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    jhrozek committed Sep 1, 2016
    6f59bb8
  3. sdap_initgr_nested_get_membership_diff: use fully-qualified names

    I think this is a leftover from the change to use fully-qualified names
    in sysdb. To verify this you can create a nested group in IPA. Without
    this patch the id command will only show the groups the user is a direct
    member of. With the patch the indirect group memberships should be
    shown as well.
    
    https://fedorahosted.org/sssd/ticket/3163
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    sumit-bose authored and jhrozek committed Sep 1, 2016
    5bd3bef
  4. SYSDB: Removing of unused parameter

    There was an unused parameter struct ldb_message *cached_group
    in sysdb_store_group_attrs().
    
    This parameter was introduced by
    40de79d
    SYSDB: Check if group attributes differ before saving a group
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    Petr Čech authored and jhrozek committed Sep 1, 2016
    0d1d9d8

Commits on Sep 6, 2016

  1. c9a8540