Timeline



12/10/14:

23:26 Ticket #2526 (User is unable to authenticate if the option krb5_fast_principal is NULL) created by lslebodn
Problematic configuration: […] Retrieving identities works well but …
18:33 Ticket #2525 (Monitor SIGKILL timer issue and service restart failure) created by kieren
Per IRC conv with sgallagh, sssd (1.9.2) failed to SIGKILL sssd_pam which …
17:31 Ticket #2523 (PAC: krb5_pac_verify failures should not be fatal (backport fix from ...) closed by jhrozek
fixed: This bug was already fixed, just linking with downstream bugzilla for …
17:27 Ticket #2524 (getent fails for posix group with AD users after login) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
17:27 Ticket #2523 (PAC: krb5_pac_verify failures should not be fatal (backport fix from ...) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
16:36 Changeset [df62ac0] by Jakub Hrozek <jhrozek@…>
(sssd-1-11) PAC: krb5_pac_verify failures should not be fatal. As noted in the MIT KRB5 documentation, some servers send PAC with no checksum, therefore the PAC validation should not be fatal, instead, we should treat a failure from krb5_pac_verify as if there was no PAC at all. Reported on sssd-devel by Thomas Sondergaard (cherry picked from commit 6e51d44a65b15c2f0491b0a8b452caac0bc00584)
14:55 InternalsDocs edited by nkondras
Fix SIGKILL spelling
14:52 Ticket #2426 (contrib/ci/run script: Display number of problems detected by clang's ...) closed by nkondras
invalid: We no longer run Clang analyzer, so this doesn't apply anymore.
14:51 Ticket #2428 (contrib/ci/run script: Prepare suppression database for valgrind test) closed by nkondras
fixed

12/09/14:

19:14 Changeset [d164404] by Jakub Hrozek <jhrozek@…>
(sssd-1-11) LDAP: Do not clobber return value when multiple controls are returned. We loop over the array of returned controls and set 'ret' based on the control value. In case multiple controls were returned, the 'ret' variable might be clobbered with result of a string-to-int conversion. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 6a3ec7ba6f99b027c4c15a360ef0116fe60a0705)
15:04 DesignDocs/ActiveDirectoryFixedDNSSite edited by dpal
14:19 DesignDocs/ActiveDirectoryFixedDNSSite edited by jhrozek
13:47 DesignDocs/ActiveDirectoryFixedDNSSite created by jhrozek
12:31 Ticket #2522 ([RFE] IPA: resolve external group memberships of IPA groups during ...) created by sbose
Handling group memberships of AD users from a trusted domain has a bit of …

12/08/14:

21:47 Changeset [5a05b61] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) UTIL: Fix dependencies of internal sss libraries. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
21:47 Changeset [4d9db27] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) MAKE: Fix linking of test_child_common. Compilation of test_child_common failed with linker flag --as-needed due to cyclic dependencies between libsss_child.so and libsss_util.so
  CCLD test_child_common
./.libs/libsss_child.so: undefined reference to `sss_hash_create'
./.libs/libsss_child.so: undefined reference to `hash_lookup'
./.libs/libsss_child.so: undefined reference to `BlockSignals'
./.libs/libsss_child.so: undefined reference to `hash_delete'
./.libs/libsss_child.so: undefined reference to `hash_enter'
./.libs/libsss_child.so: undefined reference to `hash_error_string'
./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s'
./.libs/libsss_child.so: undefined reference to `sss_strerror'
collect2: error: ld returned 1 exit status
This patch is a temporary workaround. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
20:51 Ticket #2439 (Return a different errno from client when sssd is not running.) closed by jhrozek
fixed: * master: 5bb0c0596765dd5dd1973b7fc2d1e830bca3e345
20:47 Changeset [5bb0c05] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) sss_client: Work around glibc bug. glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL. The sss nss plugin is present in nsswitch by default on some platforms due to glibc caching and problem with long living applications (e.g. GNOME). But sssd needn't be configured and it causes problems in some programs. In this situation, the SSSD nss plugin should behave as if it was functioning but had no data even though sssd is not running. The errors have to be passed from nss plugin up to the user with minimal modification. Thanks to Stephen Gallagher for initial patch. Resolves: https://fedorahosted.org/sssd/ticket/2439 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
12:46 Ticket #2521 (be_ptask unit test fails sometimes) created by jhrozek
See …
10:03 Ticket #1939 (Create unit test for be_ptask) closed by jhrozek
fixed: * master: babaca78cc196e7e0dcc3e972347951a081159f2
09:56 Ticket #2519 (SSSD should not fail authentication when only allow rules are used) closed by jhrozek
fixed: * master: 79f128801d598ca57a6acebade01136525a47e00
09:55 Changeset [958037c] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) simple-access-provider: break matching allowed users. Stop matching username with names in simple_allow_users after positive match. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
09:55 Changeset [79f1288] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) simple access provider: non-existing object. Resolves: https://fedorahosted.org/sssd/ticket/2519 Not existing user/group in simple_allow_users/simple_allow_groups should not imply access denied. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
09:46 Changeset [1b4bd7e] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) IFP: Return group names with the right case. The IFP code wasn't honoring the case settings of the domain. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
09:44 Ticket #2512 (selinuxusermap rule does not apply to trusted AD users) closed by jhrozek
fixed: * master: b02eda90e9c6d6666af55041b1b12f5ac2f47b73
09:43 Changeset [b02eda9] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) IPA: Do not append domain name to fq name. Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 Reviewed-by: Michal Židek <mzidek@redhat.com>
09:39 Changeset [babaca7] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) be_ptask: let backoff affect only period. With this patch the first and enabled delay values are respected. Reviewed-by: Michal Židek <mzidek@redhat.com>

12/07/14:

21:01 Ticket #2518 (SSSD master doesn't build on RHEL-6) closed by jhrozek
fixed: * master: 5dcf3ffa3aa228701a79556dc0b889dba0aac535
20:54 Changeset [5dcf3ff] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5: add wrapper for krb5_kt_have_content(). krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
20:54 Changeset [6cab8e9] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) tests: Free popt_context Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
20:53 Changeset [6d6f41d] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) CI: Suppress memory errors from poptGetNextOpt Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

12/05/14:

19:12 Ticket #2520 (Crash in function get_object_from_cache) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
12:49 WikiStart edited by jhrozek
1.9.7
12:47 Releases edited by jhrozek
12:45 Releases edited by jhrozek
1.9.7
12:24 Releases/Notes-1.9.7 edited by jhrozek
12:23 Documentation edited by jhrozek
12:20 Changeset [41ad910] by Jakub Hrozek <jhrozek@…>
(sssd-1-9) Updating version for 1.9.8
12:12 Changeset [a1215fb7] by Jakub Hrozek <jhrozek@…>
(sssd-1-9) Updating translations for the 1.9.7 release
09:03 Changeset [759c6e6] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) CI: Update valgrind suppression database for libselinux. The problem is already fixed in fedora >= 21 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
07:22 Ticket #2519 (SSSD should not fail authentication when only allow rules are used) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …

12/04/14:

21:04 Releases/Notes-1.9.7 edited by jhrozek
21:01 Releases/Notes-1.9.7 created by jhrozek
20:23 Ticket #2518 (SSSD master doesn't build on RHEL-6) created by jhrozek
Found by CI: […]
16:46 Ticket #2517 (krb5_child: Remove getenv() ran as root) created by jhrozek
As a first step towards fixing ticket #697 we should get rid of …
16:26 DesignDocs/KerberosPrincipalMappingToProxyUsers edited by jhrozek
16:26 DesignDocs/KerberosPrincipalMappingToProxyUsers edited by jhrozek
11:48 DesignDocs/KerberosPrincipalMappingToProxyUsers edited by jhrozek
11:45 DesignDocs/KerberosPrincipalMappingToProxyUsers created by jhrozek
10:39 Changeset [fb3c5cd] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Rename test-child to dummy-child. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
10:39 Changeset [9f521c6] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) TESTS: Build test_child even without cmocka. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

12/03/14:

16:38 Ticket #2516 (pam_sss domains option: User auth should fail when domains=<empty value>) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
14:06 Ticket #2515 (sssd-ad: The man page description to enable GPO HBAC Policies are unclear) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
14:05 Ticket #2514 (gid is overridden by uid in default trust view) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
10:19 Changeset [714446c] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) KRB5: Relax DEBUG message. Reviewed-by: Sumit Bose <sbose@redhat.com>
10:09 Changeset [8e44ddf] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) sss_atomic_write_s() return value is signed. Reviewed-by: Sumit Bose <sbose@redhat.com>
10:09 Changeset [75afab2] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) LDAP: Remove useless include. Using a PAM include file in an LDAP child is confusing. Reviewed-by: Sumit Bose <sbose@redhat.com>
10:08 Ticket #2503 (Use the MEMORY ccache to pass around keytab contents) closed by jhrozek
fixed: * 543d1652e0185abadd5d8b45c718a3db96cd2828 * …
10:02 Changeset [543d165] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) KRB5: Create the fast ccache in a child process. Related: https://fedorahosted.org/sssd/ticket/2503 In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user. Reviewed-by: Sumit Bose <sbose@redhat.com>
10:02 Changeset [b4f87b4] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Add extra_args to exec_child(). Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
10:02 Changeset [e00c2b5] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) TESTS: Basic child tests. The child_common.c module had no unit tests, yet we need to amend it. Reviewed-by: Sumit Bose <sbose@redhat.com>
08:43 Ticket #2513 (Add a hint on using DEBUG levels to the troubleshooting page) created by jhrozek
It's not clear to our users which debug levels to use under which …

12/02/14:

21:41 Changeset [c9eaf8c] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) SYSDB: sysdb_get_bool() return ENOENT & unit tests. sysdb_get_bool() return ENOENT if no result is found. Unit test for sysdb_get_bool() & sysdb_set_bool() was added. This patch also fixes ldap_setup_enumeration() to handle ENOENT returned by sysdb_has_enumerated(). Resolves: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
21:36 Changeset [b6db8fe] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) TOOLS: sss_debuglevel should work with ifp responder. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
21:21 Ticket #2467 (Set the right permissions in Makefile.am when installing from source) closed by jhrozek
fixed: * master: eba68b29d934e6ba3879947ab002f1b0a2c24496
21:21 Changeset [eba68b2] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) BUILD: restrict perms. when installing from source. Resolves: https://fedorahosted.org/sssd/ticket/2467 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
20:08 Changeset [ce21876] by Jakub Hrozek <jhrozek@…>
(sssd-1-9) Do not switch to credentials every time. If user decides to kinit as another user we do not want to switch back to user ccache at another login. We will switch to new ccache if and only if default principal name is the same as current principal name, or there is not any default ccache. https://fedorahosted.org/sssd/ticket/1936 Reviewed-by: Pavel Reichl <preichl@redhat.com>
20:08 Changeset [da1ee87] by Jakub Hrozek <jhrozek@…>
(sssd-1-9) Every time return directory for krb5 cache collection. Function krb5_cc_get_full_name is called only as a way to validate that we have the right cache. Instead of returned name, location will be returned from function cc_dir_cache_for_princ. https://fedorahosted.org/sssd/ticket/1936 Reviewed-by: Pavel Reichl <preichl@redhat.com>
20:08 Changeset [cd1e5f2] by Jakub Hrozek <jhrozek@…>
(sssd-1-9) Fix wrong detection of krb5 ccname. DIR:/run/user/1000/krb5cc is valid ccname, but function sss_krb5_cc_file_path returned NULL in this case. Reviewed-by: Pavel Reichl <preichl@redhat.com>
19:02 Changeset [939d44c] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5_child: become user earlier. The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
19:02 Changeset [96bdf29] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) ldap_child: copy keytab into memory to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
19:02 Changeset [a0ab15c] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5: add copy_keytab_into_memory(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
19:02 Changeset [8023858] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5: add copy_ccache_into_memory(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
19:02 Changeset [e36226d] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) test: avoid leaks in leak tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:55 Ticket #2512 (selinuxusermap rule does not apply to trusted AD users) created by lslebodn
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
10:50 Ticket #2510 (The Kerberos provider is not properly views-aware) closed by jhrozek
fixed: This was a bug in the views feature. I think it's OK to bypass the triage …
10:44 Changeset [b7088215] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5: do not fail if checking the old ccache failed. https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:44 Changeset [2bf1cbf] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) IPA: only update view data if it really changed. https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:44 Changeset [61d2ccf] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5: make krb5 provider view aware. https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:46 Changeset [42bc7cb2] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) AD: Set dp_error if gc was not used. Global catalog was not used in ipa server mode and request failed then dp_error was not set (default is zero). dp_error should not be OK on failed request.
[ipa_get_ad_acct_ad_part_done] (0x0040): AD lookup failed: 11
[ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 11
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ipa_account_info_error_text] (0x0020): Bug: dp_error is OK on failed request
[acctinfo_callback] (0x0100): Request processed. Returned 3,11,Account info lookup failed
Reviewed-by: Sumit Bose <sbose@redhat.com>

11/29/14:

05:00 Ticket #2511 (sssd SRV hardcoded timeouts (and general HA gripes)) created by gprocunier
Given an environment that consists of multiple authentication nodes you …

11/28/14:

15:16 Changeset [a562336] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) tests: be_ptask. Resolves: https://fedorahosted.org/sssd/ticket/1939 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
15:16 Changeset [5900a5d] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) be_ptask: do not store sync ctx to _task. The _task is an output variable of type struct be_ptask * which is filled by be_ptask_create(). However, we tried to set sync ctx there as a result of copy and paste error. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
15:16 Changeset [087da85] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) be_ptask: add next_execution time to struct be_ptask. For debugging and testing purposes. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
15:16 Changeset [da74725] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) be_ptask: handle OFFLINE_DISABLE mode before task execution. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
15:16 Changeset [fa70db6] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) be_ptask: create a private header file. This is done so we gain access to the be_ptask structure in unit tests. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
15:16 Changeset [aff8b0e] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Fix: always check return value of unlink(). Resolves: https://fedorahosted.org/sssd/ticket/2506 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
15:14 Ticket #2506 (Check unlink return values to silence Coverity warnings) closed by jhrozek
fixed: * master: aff8b0e3b41644c70704b78e15501779d52b6ff4
15:10 Changeset [5b4c6f22] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) AD: Never store case_sensitive as "true" to confdb. If case_sensitive was set 'true' for AD backend, we ignore it and continue with AD default (false). However we still set confdb to whatever was set in sssd.conf for the responders. We should store to confdb the value that is used by the backend. Also fixes some misleading DEBUG messages in that code area. Reviewed-by: Pavel Reichl <preichl@redhat.com>
15:09 Changeset [4b6fa94] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) confdb: Make confdb_set_string accept const char pointer. The last parameter (value) in the confdb_set_string is not modified, so it makes sense to make it const to avoid unnecessary warnings or casts. Reviewed-by: Pavel Reichl <preichl@redhat.com>
15:06 Changeset [466f5a5] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5: Check return value of sss_krb5_princ_realm. sss_krb5_princ_realm set output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible, that realm_name with value NULL could be used in strncmp. Reviewed-by: Pavel Reichl <preichl@redhat.com>
15:06 Changeset [2dc519b] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) krb5: Check return value of krb5_principal_get_realm. Function krb5_principal_get_realm can return NULL and it would cause segfault in function strlen. Reviewed-by: Pavel Reichl <preichl@redhat.com>

11/27/14:

17:11 Ticket #2510 (The Kerberos provider is not properly views-aware) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
13:05 Ticket #2509 (RFE: Handle setups with id_provider=proxy and auth_provider=krb5 better) created by jhrozek
Some SSSD laptop users prefer to use a user entry from /etc/passwd using …
12:54 Ticket #2508 (Handle AD clients with FQDN longer than 15 characters) created by jhrozek
When a client with FQDN longer than 15 chars joins AD, the principal in …

11/26/14:

15:47 Ticket #2507 (Cyclic dependencies between sssd-ldap and krb5-common) created by jhrozek
There are cyclic dependencies on the source level between sssd-ldap and …

11/25/14:

19:02 Ticket #2370 (sssd should run under unprivileged user) closed by jhrozek
fixed: Most of the work is done, so I'm closing this ticket. There are some …
18:38 Changeset [cd5033e] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) views: allow view name change at startup. Currently some manual steps are needed on a FreeIPA to switch from one view to another. With this patch the IPA provider checks at startup if the view name changed and does the needed steps automatically. Besides saving the new view name this includes removing the old view data and marking the user and group entries as invalid. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
18:38 Changeset [2fe140d] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) sysdb: add sysdb_invalidate_overrides(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
18:38 Changeset [fe2ab0d] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) sysdb: add sysdb_delete_view_tree(). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
18:25 Ticket #2501 (pam_sss domains option: Untrusted users from the same domain are allowed ...) closed by jhrozek
fixed: * master: fb106682e0277955e203ad074a368ddeb121fed3
17:48 Changeset [ff7481f] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) PAM: Move is_uid_trusted from pam_ctx to preq. Keeping a per-request flag in a global structure is really dangerous. Reviewed-by: Sumit Bose <sbose@redhat.com>
17:48 Changeset [fb10668] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) PAM: Check for trusted domain before sending the request to BE. https://fedorahosted.org/sssd/ticket/2501 Moving the checks to one place has the advantage of not duplicating security decisions. Previously, the checks were scattered all over the responder code, making testing hard. The disadvantage is that we actually check for the presence of the user, which might trigger some back end lookups. But I think the benefits outweigh the disadvantage. Also only check the requested domains from a trusted client. An untrusted client should simply have no say in what domains he wants to talk to, it should ignore the 'domains' option. Reviewed-by: Sumit Bose <sbose@redhat.com>
14:04 Changeset [6c4b125] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) SBUS: Initialize DBusError before using it. In case either handler_fn() or invoker_fn() failed in sbus_request_invoke_or_finish() we would have accessed an uninitialized DBusError variable, causing a segfault. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
13:03 Ticket #2487 (sssd does not work with custom value of option re_expression) closed by jhrozek
fixed: * e894a127a9979dea667408b0cced59fedc3bcd0a * …
12:47 Changeset [8394edd] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) util: Special-case PCRE_ERROR_NOMATCH in sss_parse_name. Add new SSSD specific error code for the case when pcre_exec returns PCRE_ERROR_NOMATCH. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
12:47 Changeset [e894a12] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) util: sss_get_domain_name regex mismatch not fatal. Assume name is not FQDN if sss_parse_name fails to match domain with regular expression. Fixes: https://fedorahosted.org/sssd/ticket/2487 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
12:45 Changeset [5777a98] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) test: Wrong parameter type in sss_parse_name_check. This caused arithmetic overflow when SSSD specific error codes were used. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
12:40 Ticket #2473 (RFE: Add a configuration option to specify where a snippet with ...) closed by jhrozek
fixed: * master: 4fa184e2c60b377fd71e0115a618bd68dc73627d
12:38 Ticket #2506 (Check unlink return values to silence Coverity warnings) created by jhrozek
As we added some more calls to unlink that checked the return value, …
12:28 Changeset [4fa184e] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) AD/IPA: add krb5_confd_path configuration option. With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
12:28 Changeset [eaaeaa7] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Fix KRB5_CONF_PATH. Currently a shell/Makefile variable is used in the definition of KRB5_CONF_PATH for C code. This patch replaces it with a compiler macro. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:36 Ticket #2505 (Check if ${sysconfdir} and other autoconf/automake variables are expanded ...) created by sbose
${sysconfdir} style autoconf/automake variables are only expanded …

11/24/14:

21:23 Changeset [efe95361] by Jakub Hrozek <jhrozek@…>
(sssd-1-11) sss_client: Fix race condition in memory cache. Thread safe initialisation was fixed in ticket #2380, but there is still race condition in reinitialisation. If caches is invalidated with command sss_cache -U (-G or -E) then client code will need to reinitialize fast memory cache. Let's say we have two threads. The 1st thread finds out that memory cache should be reinitialized; therefore the fast memory cache is unmapped and context destroyed. In the same time, 2nd thread tried to check header of memory cache whether it is initialized and valid. As a result of previously unmapped memory the 2nd thread accesses out of bound memory (SEGFAULT). The destroying of fast memory cache cannot be done any time. We need to be sure that there isn't any other thread which uses mmaped memory. The new counter of active threads was added for this purpose. The state of fast memory cache was converted from boolean to three value state (UNINITIALIZED, INITIALIZED, RECYCLED)
UNINITIALIZED
- the fast memory cache needs to be initialized.
- if there is a problem with initialisation the state will not change
- after successful initialisation, the state will change to INITIALIZED
INITIALIZED
- if the cache was invalidated or any other problem was detected in memory cache header the state will change to RECYCLED and memory cache IS NOT destroyed.
RECYCLED
- nothing will be done if there are any active threads which may use the data from mmaped memory
- if there aren't active threads the fast memory cache is destroyed and state is changed to UNINITIALIZED.
https://fedorahosted.org/sssd/ticket/2445 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 6a60e29468fc6b4043a4dc52d3aab73e8465db70)
21:22 Changeset [bbaa6a4] by Jakub Hrozek <jhrozek@…>
(sssd-1-11) sss_client: Extract destroying of mmap cache to function. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 19f6a6733b5c6cf7dd2f6f746cfa5c787706331c)
20:22 Changeset [ca92e649] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) PAM: Make pam_forwarder_parse_data static. Reviewed-by: Pavel Reichl <preichl@redhat.com>
20:21 Ticket #2477 (SSSD doesn't tell that it can't start because of no longer existent ID ...) closed by jhrozek
fixed: * master: e0d2777620726f3f9f1f0eee911c5a9c66488443
20:19 Changeset [e0d2777] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Hint about removing sysdb if initializing ID map fails. https://fedorahosted.org/sssd/ticket/2477 Reviewed-by: Pavel Reichl <preichl@redhat.com>
20:11 Changeset [1b2a9e3] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) IPA: Handle IPA groups returned from extop plugin. Reviewed-by: Sumit Bose <sbose@redhat.com>
20:07 Changeset [ae104bc] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) BE: Fix a debug message. Reviewed-by: Pavel Reichl <preichl@redhat.com>
20:04 Ticket #2445 (Race condition while invalidating memory cache in client code) closed by jhrozek
fixed: * master: * 6a60e29468fc6b4043a4dc52d3aab73e8465db70 * …
19:54 Changeset [6a60e29] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) sss_client: Fix race condition in memory cache. Thread safe initialisation was fixed in ticket #2380, but there is still race condition in reinitialisation. If caches is invalidated with command sss_cache -U (-G or -E) then client code will need to reinitialize fast memory cache. Let's say we have two threads. The 1st thread finds out that memory cache should be reinitialized; therefore the fast memory cache is unmapped and context destroyed. In the same time, 2nd thread tried to check header of memory cache whether it is initialized and valid. As a result of previously unmapped memory the 2nd thread accesses out of bound memory (SEGFAULT). The destroying of fast memory cache cannot be done any time. We need to be sure that there isn't any other thread which uses mmaped memory. The new counter of active threads was added for this purpose. The state of fast memory cache was converted from boolean to three value state (UNINITIALIZED, INITIALIZED, RECYCLED)
UNINITIALIZED
- the fast memory cache needs to be initialized.
- if there is a problem with initialisation the state will not change
- after successful initialisation, the state will change to INITIALIZED
INITIALIZED
- if the cache was invalidated or any other problem was detected in memory cache header the state will change to RECYCLED and memory cache IS NOT destroyed.
RECYCLED
- nothing will be done if there are any active threads which may use the data from mmaped memory
- if there aren't active threads the fast memory cache is destroyed and state is changed to UNINITIALIZED.
https://fedorahosted.org/sssd/ticket/2445 Reviewed-by: Michal Židek <mzidek@redhat.com>
19:53 Changeset [19f6a67] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) sss_client: Extract destroying of mmap cache to function. Reviewed-by: Michal Židek <mzidek@redhat.com>

11/21/14:

20:12 DesignDocs/NotRootSSSD edited by jhrozek
19:56 DesignDocs/NotRootSSSD edited by jhrozek
19:55 DesignDocs/NotRootSSSD edited by jhrozek
19:54 Ticket #2504 (Split provider initialization into privileged and non-privileged parts) created by jhrozek
Currently the whole provider initialization (which is the function …
19:50 Ticket #2503 (Use the MEMORY ccache to pass around keytab contents) created by jhrozek
In order to drop privileges sooner in ldap_child and/or krb5_child we …
19:42 Ticket #2502 (RFE: Merge ldap_child and krb5_child) created by jhrozek
During design review, it was also proposed to look into merging the …
19:38 Ticket #2501 (pam_sss domains option: Untrusted users from the same domain are allowed ...) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
19:24 Ticket #2500 (RFE: Run the command line tools unprivileged, if possible) created by jhrozek
Some command line tools we have could run unprivileged. The tools should …
18:36 Ticket #2499 (RFE: Support multiple IP addresses resolved from a single host name) created by jhrozek
For some cases, it might be prudent to support load balancing over all …
14:39 DesignDocs/NotRootSSSD edited by jhrozek
14:30 DesignDocs/NotRootSSSD edited by jhrozek

11/20/14:

12:56 Ticket #2448 (MAN: If ldap_group_base is set, tokengroups might not be able to convert ...) closed by jhrozek
fixed: * sssd-1-11: 3cc9377bfce8bfda69244f7d79ce0062c60faa65
12:54 Changeset [3cc9377] by Jakub Hrozek <jhrozek@…>
(sssd-1-11) MAN: page edit for ldap_use_tokengroups Resolves: https://fedorahosted.org/sssd/ticket/2448 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:34 Ticket #2498 ("debug_timestamps = false" and "debug_microseconds = true" do not work ...) closed by jhrozek
fixed: * master: cbbe63ded9d628ffb2494132ca1e5ebe90e2d5f8
10:32 Changeset [cbbe63d] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Man: debug_timestamps and debug_microseconds Add note that these two options are ignored if journald is used. https://fedorahosted.org/sssd/ticket/2498 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:27 Ticket #2462 (Manpage description of case_sensitive=preserving is incomplete) closed by jhrozek
fixed: * master: a40897fce90abf48882ea74f923711df7333fecf
10:24 Changeset [a40897f] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) MAN: Update case_sensitive=Preserving in man pages. https://fedorahosted.org/sssd/ticket/2462
10:15 Ticket #2481 (ID Views implementation does not support IPA user&group overrides) closed by jhrozek
fixed: * b114bcc370c8d78b5e9f43963cfa91213901c3be * …
09:53 Changeset [b114bcc] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Enable views for all domains Currently views and overrides were only available for sub-domains, this patch enables the lookup for the configured domains as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:52 Changeset [acebf94] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) IPA: check overrides for IPA users as well Currently overrides were only available for sub-domains, e.g. trusted AD domains. With this patch overrides can be used for IPA users as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:52 Changeset [f1436acd] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) IPA: make get_object_from_cache() public Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:52 Changeset [1c82a31] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) ipa: add get_be_acct_req_for_uuid() This new call creates the needed data for a lookup by UUID which is needed when trying to find the original object for an IPA override object. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:52 Changeset [933326b4] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) LDAP: always store UUID if available Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:52 Changeset [7964d2bd] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) LDAP: add support for lookups by UUID Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:52 Changeset [8eb981d] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) ipa: add split_ipa_anchor() This call extracts the domain and the UUID part from an IPA override anchor. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:52 Changeset [907a7c6] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) sysdb: add sysdb_search_object_by_uuid() Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

11/19/14:

22:44 Changeset [a5b55bd] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) SYSDB: sysdb_idmap_get_mappings returns ENOENT sysdb_idmap_get_mappings returns ENOENT if no results were found. Part of solution for: https://fedorahosted.org/sssd/ticket/1991 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
22:39 Changeset [0201118] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) MAN: page edit for ldap_use_tokengroups Resolves: https://fedorahosted.org/sssd/ticket/2448 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
20:06 DesignDocs/IntegrateSSSDWithCIFSClient edited by jhrozek
(diff)
16:22 DesignDocs/ActiveDirectoryGPOIntegration edited by jhrozek
(diff)
16:11 DesignDocs/IntegrateSSSDWithCIFSClient edited by jhrozek
(diff)
14:37 DesignDocs/NSSWithKerberosPrincipal edited by jhrozek
(diff)
14:06 DesignDocs/NotRootSSSD edited by jhrozek
(diff)
10:32 DesignDocs/RestrictDomainsInPAM edited by jhrozek
(diff)

11/18/14:

23:21 DesignDocs/RestrictDomainsInPAM edited by jhrozek
(diff)
19:54 Changeset [10d5716] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) BE: Become a regular user after initialization Some parts of initialization (Kerberos ticket renewal, checking the keytab for the right principal) still require the root privileges. Drop privileges after initializing the back ends. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com>
19:49 Changeset [d167039] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) BUILD: Touch files in DESTDIR Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:49 Changeset [0a039d5] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) BUILD: Make chown of files to sssd user non-fatal In build environments, we can't assume the sssd user will be created prior to installing the package, so we can't chown the files. RPM will own the files instead in this case. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:49 Changeset [f9ac9aa] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) BUILD: Use separate chown to make changing ownership to the sssd user non-fatal When the SSSD is built in the build system using a non-root user, the user doesn't exist in the build system and file ownership will be maintained by the downstream packaging instead. We need to make sure that setting the ownership to the sssd user is a separate step from creating the directories in this case in order to make failure to set the ownership non-fatal. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:33 Changeset [35b4b21] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) KRB5: Do not switch_creds() if already the specified user The code didn't have to handle this case previously as sssd_be was always running as root and switching to the ccache as the user logging in. Also handle NULL creds on restore_creds() in case there was no switch. One less if-condition and fewer indentation levels. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:33 Changeset [2745b01] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) KRB5: Move all ccache operations to krb5_child.c The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:33 Changeset [7c5cd2e7] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) KRB5: Move checking for illegal RE to krb5_utils.c Otherwise we would have to link krb5_child with pcre and transfer the regex, which would be cumbersome. Check for illegal patterns when expanding the template instead. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:33 Changeset [45aeb92] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) KRB5: Move ccache-related functions to krb5_ccache.c Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:33 Changeset [476b78b3] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) KRB5: Drop privileges in the child, not the back end In future patches, sssd_be will be running as a non-privileged user, who will execute the setuid krb5_child. In this case, the child will start as root and drop the privileges as soon as possible. However, we need to also remove the privilege drop in sssd_be, because if we dropped to the user who is authenticating, we wouldn't be even allowed to execute krb5_child. The krb5_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
19:33 Changeset [a60f4bb] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) BUILD: Install krb5_child as suid if running under non-privileged user If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become an arbitrary user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
08:59 Ticket #2498 ("debug_timestamps = false" and "debug_microseconds = true" do not work ...) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
08:48 Ticket #2497 (When machine gets IPA-enrolled to different IPA with the same domain name ...) created by adelton
Recently I've created IPA + IPA-enrolled machine for testing purposes. …

11/17/14:

20:07 Ticket #2496 (sssd_be sent sigterm, no response, sssd dies) created by acidrainfall
Logs from the error: http://fpaste.org/151535/ This appears to only …

11/15/14:

01:30 Ticket #2495 ([RFE]Allow sssd to add a new option that would specify which server to ...) created by dpal
Ticket was cloned from Red Hat Bugzilla (product RHEL RFE): …
01:07 Ticket #2494 (Allow sssd to retrieve sudo rules of local users whose sudo rules stored ...) created by dpal
Ticket was cloned from Red Hat Bugzilla (product RHEL RFE): …

11/14/14:

16:19 Ticket #2493 (Check chown_debug_file() usage) created by sbose
Currently chown_debug_file() is called unconditionally and it does not …
14:52 PageTemplates/FeatureDesign edited by jhrozek
(diff)

11/13/14:

18:39 Ticket #2461 (Proxy Provider: Fails to lookup case sensitive users and groups with ...) closed by jhrozek
fixed: * master: * 22e074249928605a1d5b926274ae2efb1596bc73 * …
18:37 Changeset [38429c9] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) PROXY: Preserve service name in proxy provider Fixes: https://fedorahosted.org/sssd/ticket/2461 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
18:36 Changeset [22e0742] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) proxy: Do not try to store same alias twice LDB does not store attributes if they have the same name and value and errors out instead. Fixes: https://fedorahosted.org/sssd/ticket/2461 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
15:58 Ticket #2492 (Group membership gets lost in IPA server mode) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
11:38 Ticket #2491 (Simple Access Provider - fail on non-existing objects in deny lists) created by preichl
As result of discussion on sssd-devel in thread - "simple access provider …

11/12/14:

17:23 Ticket #2490 (dereferencing failure against openldap server) closed by jhrozek
fixed
17:22 Ticket #2490 (dereferencing failure against openldap server) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
16:50 Changeset [6037341] by Jakub Hrozek <jhrozek@…>
(sssd-1-11) LDAP: Disable token groups by default We tried to speed up processing of initgroup lookups with tokenGroups even for the LDAP provider (if remote server is Active Directory), but it turns out that there are too many corner cases that we didn't catch during development that break. For instance, groups from other trusted domains might appear in TG and the LDAP provider isn't equipped to handle them. Overall, users who wish to use the added speed benefits of tokenGroups are advised to use the AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2483 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 5febf5ed0cfb4ba7665d8c3e36ee6941988da773)
16:50 Ticket #2483 (TokenGroups for LDAP provider breaks in corner cases) closed by jhrozek
fixed: * master: 5febf5ed0cfb4ba7665d8c3e36ee6941988da773
16:48 Changeset [5febf5ed] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) LDAP: Disable token groups by default We tried to speed up processing of initgroup lookups with tokenGroups even for the LDAP provider (if remote server is Active Directory), but it turns out that there are too many corner cases that we didn't catch during development that break. For instance, groups from other trusted domains might appear in TG and the LDAP provider isn't equipped to handle them. Overall, users who wish to use the added speed benefits of tokenGroups are advised to use the AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2483 Reviewed-by: Michal Židek <mzidek@redhat.com>
15:41 PageTemplates/FeatureDesign edited by jhrozek
(diff)
15:39 PageTemplates/FeatureDesign edited by jhrozek
(diff)
15:37 PageTemplates/FeatureDesign created by jhrozek
initial version
14:35 Ticket #2489 (refactor fill_pwent) created by preichl
This function is too long, completely uncommented and there are no unit …
10:51 Ticket #2488 (sssd DBus service does not produce useful error message/code when sssd is ...) created by jsafrane
OpenLMI sssd provider does not work when sssd service is not running - …

11/11/14:

16:55 DesignDocs/DBusMultipleInterfaces edited by pbrezina
(diff)
15:25 DesignDocs/DBusSimpleAPI edited by pbrezina
(diff)
15:09 DesignDocs/DBusMultipleInterfaces created by pbrezina
15:07 DesignDocs/DBusSimpleAPI edited by pbrezina
(diff)
12:09 Ticket #2487 (sssd does not work with custom value of option re_expression) created by lslebodn
How to reproduce: * configure sssd with ipa (ipa-client-install) * amend …
11:49 Changeset [494b227] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) CI: Build sssd on debian with samba support Missing dependency, libini_config >= 1.1 is in debian testing for some time. Reviewed-by: Michal Židek <mzidek@redhat.com>
11:48 Changeset [35e0d0c] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) AD: Change level of debug message The end of dnf update is not an operation failure; it is just a useful debug message. Reviewed-by: Michal Židek <mzidek@redhat.com>

11/10/14:

17:15 Ticket #2361 (sssd creates bad ldap filter if ldap_id_mapping is set true) closed by lslebodn
invalid
17:14 Ticket #2361 (sssd creates bad ldap filter if ldap_id_mapping is set true) reopened by lslebodn
Replying to jhrozek: > * master: …
09:50 Changeset [c6a7cf7] by Jakub Hrozek <jhrozek@…>
(sssd-1-11) Revert "LDAP: Change defaults for ldap_user/group_objectsid" This reverts commit 29e5b5d17d9700022958bf1f59bb861cdf68bb57. OpenLDAP server cannot dereference unknown attributes. The attribute objectSID isn't in any standard objectclass on OpenLDAP server. This is a reason why objectSID cannot be set by default in rfc2307 map and rfc2307bis map. It is the same problem as using non-standard attribute "nsUniqueId" in ticket https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Michal Židek <mzidek@redhat.com>
09:38 Changeset [30c964a] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) Revert "LDAP: Change defaults for ldap_user/group_objectsid" This reverts commit f834f712548db811695ea0fd6d6b31d3bd03e2a3. OpenLDAP server cannot dereference unknown attributes. The attribute objectSID isn't in any standard objectclass on OpenLDAP server. This is a reason why objectSID cannot be set by default in rfc2307 map and rfc2307bis map. It is the same problem as using non-standard attribute "nsUniqueId" in ticket https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Michal Židek <mzidek@redhat.com>
09:31 Changeset [1a818ee] by Jakub Hrozek <jhrozek@…>
(master, sssd-1-12, sssd-1-13, sssd-1-14) NSS: Fix warning enumerated type mixed with another type src/responder/nss/nsssrv_cmd.c:688: mixed_enum_type: enumerated type mixed with another type "enum sss_dp_acct_type" was mixed with type "int". ANSI C is not very strict in this. Reviewed-by: Michal Židek <mzidek@redhat.com>