Timeline

03/07/17:

07:30 WikiStart edited by mkosek

02/23/17:

14:44 SSSD-logo-readonly.png attached to WikiStart by jhrozek
temp logo while we migrate to pagure
09:57 Ticket #3270 ([RFE] Add PKINIT support to SSSD Kerberos provider) closed by jhrozek
fixed: master: * 2d527aa * 52f4583 * ead25e3 * 82c5971 * dd17a3a * f70d946 …
09:17 Changeset [1b55ac9] by Jakub Hrozek <jhrozek@…>
master: TESTS: Remove unused import Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
09:15 Changeset [2d527aa] by Jakub Hrozek <jhrozek@…>
master: KRB5: allow pkinit pre-authentication Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:15 Changeset [52f4583] by Jakub Hrozek <jhrozek@…>
master: pam: enhance Smartcard authentication token Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:15 Changeset [ead25e3] by Jakub Hrozek <jhrozek@…>
master: p11: return name of PKCS#11 module and key id to pam_sss Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:15 Changeset [82c5971] by Jakub Hrozek <jhrozek@…>
master: PAM: forward Smartcard credentials to backends Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:15 Changeset [dd17a3a] by Jakub Hrozek <jhrozek@…>
master: authtok: enhance support for Smartcard auth blobs The blobs contain, besides the PIN, the name of the PKCS#11 module, the token name where the certificate of the user was found, and the key id. Those data will be used e.g. by the pkinit module to make sure the right certificate is used. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:15 Changeset [f70d946f] by Jakub Hrozek <jhrozek@…>
master: LDAP/proxy: tell frontend that Smartcard auth is not supported Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:14 Changeset [d475744] by Jakub Hrozek <jhrozek@…>
master: utils: new error codes ERR_SC_AUTH_NOT_SUPPORTED can be used by backends to indicate that Smartcard authentication is not supported. ERR_NO_AUTH_METHOD_AVAILABLE can be used by backends to indicate that no authentication method was found. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:14 Changeset [254f389] by Jakub Hrozek <jhrozek@…>
master: PAM: use sentinel error code in PAM tests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:14 Changeset [327a166] by Jakub Hrozek <jhrozek@…>
master: PAM: fix memory leak in pam_sss Since there can be multiple round trips between the PAM client and SSSD it might be possible that the same data is sent multiple times by SSSD. So before overriding the old data it should be freed. I've seen this with the domain name which is sent both in the pre-auth and the auth responses. To be on the safe side I added free() for some other items as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:14 Changeset [f561c2b] by Jakub Hrozek <jhrozek@…>
master: PAM: store user object in the preq context Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

02/22/17:

14:52 Ticket #3315 (infopipe: org.freedesktop.sssd.infopipe.Groups.Group doesn't show users) created by pcech
[…]
13:14 Changeset [1f49be4] by Jakub Hrozek <jhrozek@…>
master: FILES: Remove unnecessary check "grp_iter->gr_mem" is an array of strings and not just a string. We tried to compare the first string to NULL (actually '\0'). But after that we iterated over the array to find the count of members and we checked for NULL one more time. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
13:03 Changeset [86bcc81] by Jakub Hrozek <jhrozek@…>
master: MONITOR: Don't return an error in case we fail to register a service This behaviour was mistakenly changed by the {dbus,socket}-activation series and, as it is now, I've noticed the monitor may end up in some weird state due to this change, where it doesn't stop properly and leaves some defunct child processes. Let's change it back to what it was before and avoid possible regressions (even if no regression was hit yet). Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
12:58 Ticket #3296 (pam_sss crashes in do_pam_conversation if no conversation function is ...) closed by jhrozek
fixed: * master: 0965a77c4ff0b358d24582955cb7ae375ebaa0d2 * sssd-1-14: …
12:45 Changeset [cc8c28a] by Jakub Hrozek <jhrozek@…>
sssd-1-13: pam_sss: check conversation callback With this patch pam_sss checks if a conversation callback is available before using it. Resolves https://fedorahosted.org/sssd/ticket/3296 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 0965a77c4ff0b358d24582955cb7ae375ebaa0d2) (cherry picked from commit ba8e3f2850e5a328bc3e732b471280fc4fa49c53)
12:41 Changeset [ba8e3f2] by Jakub Hrozek <jhrozek@…>
sssd-1-14: pam_sss: check conversation callback With this patch pam_sss checks if a conversation callback is available before using it. Resolves https://fedorahosted.org/sssd/ticket/3296 Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 0965a77c4ff0b358d24582955cb7ae375ebaa0d2)
12:30 Changeset [0965a77] by Jakub Hrozek <jhrozek@…>
master: pam_sss: check conversation callback With this patch pam_sss checks if a conversation callback is available before using it. Resolves https://fedorahosted.org/sssd/ticket/3296 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
12:12 Changeset [fc91d72] by Jakub Hrozek <jhrozek@…>
master: FILES: Fix reallocation logic There were two bugs in the files provider reallocation logic: 1) the reallocated array was not NULL-terminated properly 2) talloc_get_size was used in place of talloc_array_length This bug could have resulted in a crash when the passwd or groups file contained more than FILES_REALLOC_CHUNK entries. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
11:38 Ticket #3231 (Segfault while checking ldap_user_extra_attrs config options) closed by jhrozek
fixed: * master: * 454cf0c3808a9f6a0c9f79e9796e17c58907ee6c * …
11:34 Changeset [bb4b624] by Jakub Hrozek <jhrozek@…>
sssd-1-14: sdap_extend_map: make sure memory can be freed If there is an error after calling talloc_realloc() the caller cannot free the memory properly because neither src_map nor _map were pointing to a valid memory location. With this patch _map will always point to the current valid location so that it can always be used with talloc_free(). Reviewed-by: Petr Cech <pcech@redhat.com> (cherry picked from commit 08bf6b4a281ef4308119dccbba4e86cf28b505d2)
11:34 Changeset [c14980e] by Jakub Hrozek <jhrozek@…>
sssd-1-14: check_duplicate: check name member before using it Resolves https://fedorahosted.org/sssd/ticket/3231 Reviewed-by: Petr Cech <pcech@redhat.com> (cherry picked from commit 454cf0c3808a9f6a0c9f79e9796e17c58907ee6c)
11:30 Changeset [454cf0c] by Jakub Hrozek <jhrozek@…>
master: check_duplicate: check name member before using it Resolves https://fedorahosted.org/sssd/ticket/3231 Reviewed-by: Petr Cech <pcech@redhat.com>
11:30 Changeset [08bf6b4] by Jakub Hrozek <jhrozek@…>
master: sdap_extend_map: make sure memory can be freed If there is an error after calling talloc_realloc() the caller cannot free the memory properly because neither src_map nor _map were pointing to a valid memory location. With this patch _map will always point to the current valid location so that it can always be used with talloc_free(). Reviewed-by: Petr Cech <pcech@redhat.com>
11:27 Ticket #3227 (sssd doesn't update PTR records if A/PTR zones are configured as ...) closed by jhrozek
fixed: * master: fccd8f9ab7a0ac9868c43ea0e8c3af142b2809fa
11:26 Ticket #3220 (Improve successful Dynamic DNS update log messages) closed by jhrozek
fixed: * master: d694d4fdcc81f24c2f9e3bb5a0dbe0a52498f196
11:21 Changeset [d694d4f] by Jakub Hrozek <jhrozek@…>
master: DYNDNS: Correct debug log message of realm If the realm is not added to the nsupdate message, the SSSD Debug log message should inform about utilizing the autodiscovered realm. Resolves: https://fedorahosted.org/sssd/ticket/3220 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
11:21 Changeset [fccd8f9] by Jakub Hrozek <jhrozek@…>
master: DYNDNS: Update PTR record after non-fatal error Continue to send the PTR record update in situations where the nsupdate child forward zone updates are successful but nsupdate returns non-zero. Resolves: https://fedorahosted.org/sssd/ticket/3227 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
09:46 Ticket #3280 (Unclear in sssd_krb5_locator_plugin how to deal with lowercase/uppercase ...) closed by sbose
invalid: I'll close the ticket because I think SSSD is working as expected here. …

02/21/17:

11:21 Ticket #3314 (sssd ignores entire groups from proxy provider if one member is listed ...) created by pcech
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …

02/20/17:

14:21 Ticket #3313 (cache_req should use an negative cache entry for UPN based lookups) created by sbose
In the old (non-cache_req) code a special name was used to add UPN lookups …
11:39 Ticket #3260 (handle default_domain_suffix for ssh requests with default_domain_suffix) closed by pbrezina
fixed: Fixed as part of cache_req refactoring.
10:32 Ticket #3312 (SSSD AD Failover Failure) created by chrismwheeler
I am attempting to understand the failure of our Red Hat Linux devices to …

02/18/17:

13:54 Ticket #3309 (Coverity warns about an unused value in IPA sudo code) closed by lslebodn
fixed: master: * 334029028e566fab3dce5ce4b1b53cc4809c21b8 sssd-1-14: * …
13:51 Changeset [6e8536d] by Lukas Slebodnik <lslebodn@…>
sssd-1-14: IPA_SUDO: Unused value fix Unused value was immediately overwritten. Resolves: https://fedorahosted.org/sssd/ticket/3309 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 334029028e566fab3dce5ce4b1b53cc4809c21b8)

02/17/17:

15:41 Ticket #3311 (group filter isn't useful) created by hedrick
I'm trying to use a single IPA server to handle several different clusters …
15:37 DesignDocs/SubdomConf edited by mzidek
13:46 DesignDocs/SubdomConf edited by mkosek
12:29 Changeset [bac4458] by Lukas Slebodnik <lslebodn@…>
master: intg: Fix python3 issues NamedTemporaryFile uses the default mode 'w+b' and we tried to write strings. It is not a problem on python2 but failed on python3. The Python module ctypes directly uses C functions from libraries. C functions usually expect/return "char *" when a string is expected. But python3 uses unicode for strings. Decoding returned bytes ("char *") to unicode strings simplifies tests in python3. Otherwise we would need to convert bytes to string in each assertion. Reviewed-by: Martin Basti <mbasti@redhat.com>
11:42 DesignDocs/SubdomConf edited by mzidek

02/16/17:

19:43 Changeset [3340290] by Lukas Slebodnik <lslebodn@…>
master: IPA_SUDO: Unused value fix Unused value was immediately overwritten. Resolves: https://fedorahosted.org/sssd/ticket/3309 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

02/15/17:

13:57 Ticket #3262 (Implement a files provider to mirror the contents of /etc/passwd and ...) closed by jhrozek
fixed: * master: * 0e7047c1533e5e424b28959488e8ffa91613abd9 * …
13:53 Changeset [ee6c7e8] by Jakub Hrozek <jhrozek@…>
master: MONITOR: Use the common inotify code to watch resolv.conf The monitor code used its own inotify callbacks to watch for changes to resolv.conf. Instead of keeping this duplicated code around, let's use the shared inotify module that also powers the files provider. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:53 Changeset [da95ec5] by Jakub Hrozek <jhrozek@…>
master: MAN: Add documentation for the files provider The new provider needs a man page. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:53 Changeset [89e53f71] by Jakub Hrozek <jhrozek@…>
master: EXAMPLES: Do not point to id_provider=local It makes more sense to show id_provider=files Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:53 Changeset [0e7047c] by Jakub Hrozek <jhrozek@…>
master: SBUS: Document how to free the result of sbus_create_message It might not be apparent how to free the message constructed by sbus_create_message(). This patch just adds a comment that tells the developer to either free the parent context or unref the message with a dbus call directly. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:53 Changeset [f9f1310] by Jakub Hrozek <jhrozek@…>
master: MONITOR: Remove checks for sssd.conf changes This feature was if-ed out for many years and since it's quite unlikely we will re-enable the feature in the foreseeable future, let's just remove this code. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:53 Changeset [8bdb8c0] by Jakub Hrozek <jhrozek@…>
master: TESTS: Add files provider integration tests Implements integration tests for the files provider. In order to change entries in the nss-wrapped passwd and group files, this commit also implements a helper module that creates a new passwd and group file and moves it in place of the nss-wrapped files. We move the files instead of modifying them in-place in order to trigger similar inotify notifications as shadow-utils would. The unit test uses sleep in several places. This is suboptimal, but during testing especially on slow machines, it became apparent that sometimes the inotify message arrives later than the test would check for the changed entries. Therefore, the check would query the NSS responder even before the sss-files domain was invalidated. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
13:53 Changeset [3728db5] by Jakub Hrozek <jhrozek@…>
master: TESTS: Add a module to call nss_sss's getgr* from tests Implements a python module that allows loading the nss_sss module and calling functions that act like getgr* Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
13:53 Changeset [8578fba] by Jakub Hrozek <jhrozek@…>
master: TESTS: Add a module to call nss_sss's getpw* from tests Implements a python module that allows loading the nss_sss module and simulating calls to getpw* functions from tests. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
13:53 Changeset [1921d739] by Jakub Hrozek <jhrozek@…>
master: TESTS: add a helper module with shared NSS constants Every module that reads the sssd_nss module directly copied around the same definition of NSS constants. This commit moves them into a single file to avoid code duplication. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
13:53 Changeset [4e17c05] by Jakub Hrozek <jhrozek@…>
master: TESTS: move helper fixtures to back up and restore a file to a utility module The fixtures will be useful for tests that set up and restore a user and group database. While it would be possible to import them already, the functions were previously used in a test and importing from a test seems a bit like a hack. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
13:52 Changeset [26577ac] by Jakub Hrozek <jhrozek@…>
master: MAN: Document the pwfield configuration option The pwfield was not documented at all previously. In addition, document the different defaults for the remote provider and the files provider. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:52 Changeset [ece2ac6] by Jakub Hrozek <jhrozek@…>
master: CONFDB: The files domain defaults to "x" as pwfield In order to make it possible for files provider users to authenticate with pam_unix, default to "x" as the pwfield of users from the files domain. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [c778c36] by Jakub Hrozek <jhrozek@…>
master: CONFDB: Make pwfield configurable per-domain Previously, the pwfield option was only configurable at the NSS level. Because it's important for the files provider to report "x" as the pwfield instead of "*" which is the SSSD default, this commit makes the pwfield configurable at the domain level. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [a60e6ec] by Jakub Hrozek <jhrozek@…>
master: CONFDB: The files provider always enumerates Since the files provider always mirrors the whole passwd and group contents, the files domain should always permit its contents to be enumerated. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
13:51 Changeset [c71e0a6] by Jakub Hrozek <jhrozek@…>
master: FILES: Add the files provider Adds a new provider type "files". The provider watches the UNIX password and group databases for changes using inotify and propagates their contents to the sysdb. The files provider is only built on platforms that support the inotify interface; polling or loading the entries on-demand is not supported. During initialization, the files are loaded from the environment variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to /etc/passwd and /etc/group respectively. Loading the files from environment variables is mostly implemented for tests that need to load nss_wrapped files. The files provider is a bit different from other provider types in the sense that it always enumerates the full contents of the database. Therefore, the requests from the Data Provider are always just replied to with success. Enumerating the contents is done in full at the moment: all users and all groups are removed and added anew. Modifying the passwd and group databases should be rare enough for this to be justified and we can optimize the code later. Since with large databases the cache update might take a bit of time, we signal the responders to disable the files domain once we receive the inotify notification and re-enable the files domain after the update is finished. The idea is that the NSS configuration would still contain "files" after "sss" so that if the domain is disabled, libc would fall back to a direct "files" lookup. Resolves: https://fedorahosted.org/sssd/ticket/3262 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [90a103d] by Jakub Hrozek <jhrozek@…>
master: CONFDB: Re-enable the files provider The files provider was "blacklisted" for a long time, because very old (pre-1.0) versions of sssd had the capability to create users and groups by calling into the shadow-utils binaries directly, which was later removed. Since nobody is (hopefully) running these ancient versions anymore and we are about to re-enable the files provider, we can remove this check. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [8cfb42e] by Jakub Hrozek <jhrozek@…>
master: UTIL: Add a generic inotify module Adds a reusable module for watching files using the Linux-specific inotify(7) interface. Adds the possibility to watch the file's parent directory as well, to make it possible to watch moves into the directory and to allow watching a file that doesn't exist at the time the watch is created. This interface is needed to implement the files provider, so this commit is related to: https://fedorahosted.org/sssd/ticket/2228 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [50c740cb] by Jakub Hrozek <jhrozek@…>
master: RESPONDER: Contact inconsistent domains Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [2686648] by Jakub Hrozek <jhrozek@…>
master: RESPONDER: Include the files provider in NEEDS_CHECK_PROVIDER It makes no sense to contact the Data Provider with the files provider except when the files provider is updating itself. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [2c61b6e] by Jakub Hrozek <jhrozek@…>
master: RESPONDER: Use the NEED_CHECK_DOMAIN macro This is to avoid a needless round-trip between the responder and the back end for domains that do not have a traditional back end such as local or files. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [5007103] by Jakub Hrozek <jhrozek@…>
master: DP: Add internal interface to invalidate memory cache from DP Adds an interface to the Data Provider that allows the DP to notify the NSS responder to invalidate its memory cache records. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [af28fa6] by Jakub Hrozek <jhrozek@…>
master: DP: Add internal interface to reset negative cache from DP Adds an interface that allows the Data Provider to notify responders to drop their negative cache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [b3ee4be] by Jakub Hrozek <jhrozek@…>
master: DP: Add internal DP interface to set domain state Adds functions to the interface the Data Provider publishes towards back ends that allow the back ends to notify responders that a domain has been enabled or disabled. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [205a0b9] by Jakub Hrozek <jhrozek@…>
master: RESPONDER: A sbus interface to reset negatively cached users and groups Adds two new responder sbus interface functions: ResetNegcacheUsers and ResetNegcacheGroups. These functions can be called by a Data Provider to signal to a responder that it should drop its negative cache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:51 Changeset [c109f06] by Jakub Hrozek <jhrozek@…>
master: RESPONDER: Add a responder sbus interface to set domain state Adds a generic responder s-bus interface that all responders implement. The interface currently contains methods that make it possible for a sssd domain to be marked as active or inconsistent by a back end. In the future, this commit will be superseded by sbus signals. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:50 Changeset [2d1a59f] by Jakub Hrozek <jhrozek@…>
master: UTIL: Add a new domain state called DOM_INCONSISTENT This is a new domain state that indicates to the responder that it should always send a DP request because the provider is rebuilding the cache. Currently it will only be used by the files provider when it is updating the cache, to make sure sssd always returns current data and updating the cache from files is not as racy. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:50 Changeset [f2047f6] by Jakub Hrozek <jhrozek@…>
master: NSS: Rename the interface to invalidate memory cache initgroup records for consistency Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
13:50 Changeset [c3a225d4] by Jakub Hrozek <jhrozek@…>
master: NSS: Add sbus interface to clear memory cache Adds three new NSS interface sbus methods to disable memory caches of users, groups and initgroups. It's enough to add this interface to the NSS responder because the NSS responder is the only writer to the memory cache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
13:50 Changeset [99a32e4] by Jakub Hrozek <jhrozek@…>
master: NEGCACHE: Add API to reset all users and groups Adds a negative cache API to reset negatively cached users and groups. This will be used when the files back end finishes enumeration to make sure all results are available. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

02/13/17:

09:18 Ticket #3310 (Support delivering non-POSIX users and groups through the IFP and PAM ...) created by jhrozek
Many projects depend on SSSD now to support application integration …
09:09 Ticket #3309 (Coverity warns about an unused value in IPA sudo code) created by jhrozek
[…]

02/10/17:

16:01 Ticket #3301 (storing a sudo rule with sudoRule attribute values that only differ by ...) closed by jhrozek
fixed: * master: * a5ecc93abb01cece628fdef04ebad43bba267419 * sssd-1-14: * …
15:57 Changeset [d5ddca8] by Jakub Hrozek <jhrozek@…>
sssd-1-14: SUDO: Only store lowercased attribute value once The current code doesn't handle the situation where lowercasing the sudoUser attribute would yield the same value again. For example: sudoUser: TUSER sudoUser: tuser would break. This patch switches to using the utility function sysdb_attrs_add_lower_case_string() which already checks for duplicates. Resolves: https://fedorahosted.org/sssd/ticket/3301 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit a5ecc93abb01cece628fdef04ebad43bba267419)
15:55 Changeset [a5ecc93] by Jakub Hrozek <jhrozek@…>
master: SUDO: Only store lowercased attribute value once The current code doesn't handle the situation where lowercasing the sudoUser attribute would yield the same value again. For example: sudoUser: TUSER sudoUser: tuser would break. This patch switches to using the utility function sysdb_attrs_add_lower_case_string() which already checks for duplicates. Resolves: https://fedorahosted.org/sssd/ticket/3301 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
15:49 Ticket #3299 (SSSD does not start if using only the local provider and services line is ...) closed by jhrozek
fixed: * master: * 00c0b7bc6969d31deab9e8e7541b4a6483b78b3e * …
15:47 Changeset [00c0b7b] by Jakub Hrozek <jhrozek@…>
master: MONITOR: Don't timeout if using local provider + socket-activated responders When using only the local provider with socket-activated services SSSD ends up never notifying systemd that its startup has been done, as notifying systemd is done *only* when a service (provider or responder) is started up, leading SSSD's startup to fail due to a timeout. So, in order to avoid this situation, let's just notify the startup earlier in case we have *only* socket-activated services and the *only* provider set up is the LOCAL one. Resolves: https://fedorahosted.org/sssd/ticket/3299 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
15:47 Changeset [040ade7] by Jakub Hrozek <jhrozek@…>
master: MONITOR: Wrap up sending sd_notify "ready" into a new function This new function will be used later on in this series as we will also need to notify systemd that we're up in at least one more scenario (for now). Related: https://fedorahosted.org/sssd/ticket/3299 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

02/08/17:

21:29 Ticket #3286 (man page sssd-ldap not clear on ldap_user_ssh_public_key) closed by jhrozek
duplicate: Since there were no complains, let's close this ticket as a duplicate of …
21:16 Ticket #3308 (SELinux: Use libselinux's getseuserbyname to get the correct seuser) created by jhrozek
This was suggested by Petr Lautrbach in a private discussion. Currently, …
21:07 Ticket #3307 (RFE: Log to syslog when sssd cannot contact servers, goes offline) created by jhrozek
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise …
20:25 Changeset [d9780d2] by Lukas Slebodnik <lslebodn@…>
master: cache_req: always go to dp first when looking up host We need to always look up the host in DP first to update host certificates so we are consistent during ssh authentication. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
20:25 Changeset [2ffa245] by Lukas Slebodnik <lslebodn@…>
master: ssh: fix typo Those macros are the same so there is no functional difference. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
20:19 Changeset [e5d8b0e1] by Lukas Slebodnik <lslebodn@…>
master: BUILD: Fix linking of test_sdap_initgr There was a linking failure on debian: /usr/bin/ld: src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o: undefined reference to symbol 'hash_iterate@@DHASH_0.4.3' //usr/lib64/libdhash.so.1: error adding symbols: DSO missing from command line collect2: error: ld returned 1 exit status This patch adds some missing libraries and removes unnecessary libraries. Bug was introduced in commit 0b7ded15e53b3f31f1570c366f04bc41e5761929 Reviewed-by: Michal Židek <mzidek@redhat.com>
12:14 DesignDocs/SubdomConf edited by mkosek
12:08 DesignDocs/SubdomConf edited by mkosek
12:07 DesignDocs/SubdomConf edited by mkosek
10:17 Changeset [e947a87] by Jakub Hrozek <jhrozek@…>
master: AD: Use ad_domain to match forest root domain, not the configured domain from sssd.conf If the sssd.conf domain name was different from the joined domain name, but sssd was joined to the forest root, the AD subdomains code considered sssd joined to a non-root domain and tried to discover the forest root. This could be reproduced by joining sssd to a domain, for example win.trust.test, but calling the sssd.conf domain otherwise, for example: [domain/addomain] ad_domain = win.trust.test This is/was a frequent use-case in the RHEL world, where authconfig often names the sssd.conf domain 'default'. Without the patch, the trusted domains were not detected. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
10:05 Changeset [a8191ce] by Jakub Hrozek <jhrozek@…>
master: ssh: rewrite ssh responder to use cache_req This is a bigger change since both supported commands could be rewritten for cache_req and the logic could be deleted. I decided to also split the file into more modules and follow a similar pattern as with the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/1126 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [53c31b8] by Jakub Hrozek <jhrozek@…>
master: cache_req: add host by name search Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [4df7aec6] by Jakub Hrozek <jhrozek@…>
master: cache_req: move dp request to plugin This will allow using cache req even for objects that do not use account request, such as hosts. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [9492b3b] by Jakub Hrozek <jhrozek@…>
master: cache_req: add api to create ldb_result from message Some sysdb methods don't return ldb_result as output but return ldb_message instead. Changing sysdb to be consistent is too big, so I added this helper function that will wrap the resulting message into ldb_result. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [7723e79] by Jakub Hrozek <jhrozek@…>
master: cache_req: search user by name with attrs Sometimes it is desirable to acquire more attributes from the user object than the SYSDB_PW_ATTRS set, such as the user's public key. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [ddfd190] by Jakub Hrozek <jhrozek@…>
master: cache_req: add ability to not use default domain suffix This will be used in the next plugin "host by name" where it is not desirable to use the default domain suffix if set. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [2b5704c] by Jakub Hrozek <jhrozek@…>
master: sss_parse_inp_send: provide default_domain as parameter It is not always desirable to consider default_domain from configuration but expect none instead. For example when we search host certificates. This is currently not used in this patch since host lookups parse the name directly with sss_parse_name, but it will be used in the next patch. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [e33744e] by Jakub Hrozek <jhrozek@…>
master: ssh: do not create again fq name We store the fully qualified name in sysdb so there is no need to append the domain part again, which results in a name@domain@domain string. This field is not actually used in the ssh client so it doesn't cause any issue but we should stay correct here. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
10:05 Changeset [d8c459f] by Jakub Hrozek <jhrozek@…>
master: ssh: fix number of output certificates The SSH responder returned an invalid number of certificates when the original ad pubkey attribute was not empty. Since we always return all certificates to the client we should add the number of results to the output, not override it. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:56 Ticket #3230 (Use the same logic for matching GC results in initgroups and user lookups) closed by jhrozek
fixed: * master: * 0b7ded15e53b3f31f1570c366f04bc41e5761929 * …
09:53 Changeset [0b7ded1] by Jakub Hrozek <jhrozek@…>
masterTESTS: Tests for sdap_search_initgr_user_in_batch This patch provides tests for core logic of sdap_search_initgr_user_in_batch() function. This function replaces old approach with sysdb_try_to_find_expected_dn() function. Resolves: https://fedorahosted.org/sssd/ticket/3230 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
09:53 Changeset [f1e3364] by Jakub Hrozek <jhrozek@…>
masterTEST: create_multidom_test_ctx() extending Function create_multidom_test_ctx() prepares test environment for multidomains. This patch enables setting of different params for each domain. Resolves: https://fedorahosted.org/sssd/ticket/3230 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>
09:53 Changeset [3ee4116] by Jakub Hrozek <jhrozek@…>
master: SYSDB: Removing of sysdb_try_to_find_expected_dn()
Currently, in order to match multiple LDAP search results, we use two different functions: we have sysdb_try_to_find_expected_dn() but also sdap_object_in_domain(). This patch removes sysdb_try_to_find_expected_dn() and adds a new sdap_search_initgr_user_in_batch() based on sdap_object_in_domain(). This function covers the necessary logic.
Resolves: https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
09:53 Changeset [c3593f06] by Jakub Hrozek <jhrozek@…>
master: LDAP: Better logging message
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

02/07/17:

16:33 Ticket #3288 (IPA - sudo does not handle associated conflict entries) closed by lslebodn
fixed: master: * 1404f3aa541849d880cce591584ba1580014cb50 * …
16:32 Changeset [db0c513] by Lukas Slebodnik <lslebodn@…>
sssd-1-14: TESTS: Add to IPA DN test
Add a test to ensure conflict entries return ENOENT.
Resolves: https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1404f3aa541849d880cce591584ba1580014cb50)
16:32 Changeset [c4c47ca9] by Lukas Slebodnik <lslebodn@…>
sssd-1-14: SUDO: Add skip_entry boolean to sudo conversions
Add a boolean to the convert_attributes function and pass it as an argument to the sudo conversion functions to add logic for skipping unexpected entries such as replication conflicts.
Resolves: https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d0aae3c1e87e2e51ab178b7b343261443094a974)
16:27 Changeset [1404f3a] by Lukas Slebodnik <lslebodn@…>
master: TESTS: Add to IPA DN test
Add a test to ensure conflict entries return ENOENT.
Resolves: https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
16:27 Changeset [d0aae3c] by Lukas Slebodnik <lslebodn@…>
master: SUDO: Add skip_entry boolean to sudo conversions
Add a boolean to the convert_attributes function and pass it as an argument to the sudo conversion functions to add logic for skipping unexpected entries such as replication conflicts.
Resolves: https://fedorahosted.org/sssd/ticket/3288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
15:03 Ticket #3306 (infopipe: List* with limit = 0 returns 0 results) created by dkupka
Design page states "limit: maximum number of entries returned, 0 means …
14:56 Ticket #3305 (infopipe: crash when filter doesn't contain '*') created by dkupka
Design page states "filter: possible asterisk as wildcard …
14:02 Changeset [21fad04] by Lukas Slebodnik <lslebodn@…>
sssd-1-14: Partially revert "CONFIG: Use default config when none provided"
This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a. Copying of the default configuration into /etc/sssd/sssd.conf is removed. Sample configurations are still part of the installation.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c029f707d4847b01ff64bf3bb1fd46c0b5927cdb)
13:47 Changeset [c029f70] by Lukas Slebodnik <lslebodn@…>
master: Partially revert "CONFIG: Use default config when none provided"
This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a. Copying of the default configuration into /etc/sssd/sssd.conf is removed. Sample configurations are still part of the installation.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
13:35 Changeset [5e8474c2] by Lukas Slebodnik <lslebodn@…>
sssd-1-13: SYSTEMD: Update journald drop-in file
We changed type forking into type notify as part of commit d4063e9a21a4e203bee7e0a0144fa8cabb14cc46, but we forgot to update the template drop-in file for logging into journald.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 7b4704a10958bb7d3390db9eff863875d2b643f7)
(cherry picked from commit 14fe5a922c07da4c95feb65d1455d7f89d9e0f86)
13:34 Changeset [14fe5a9] by Lukas Slebodnik <lslebodn@…>
sssd-1-14: SYSTEMD: Update journald drop-in file
We changed type forking into type notify as part of commit d4063e9a21a4e203bee7e0a0144fa8cabb14cc46, but we forgot to update the template drop-in file for logging into journald.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 7b4704a10958bb7d3390db9eff863875d2b643f7)
13:30 Changeset [7b4704a] by Lukas Slebodnik <lslebodn@…>
master: SYSTEMD: Update journald drop-in file
We changed type forking into type notify as part of commit d4063e9a21a4e203bee7e0a0144fa8cabb14cc46, but we forgot to update the template drop-in file for logging into journald.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
12:02 Changeset [2ddcd57] by Lukas Slebodnik <lslebodn@…>
master: IFP: Update ifp_iface_generated.c
These changes are leftovers from commit 78b4b7e.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
11:38 Ticket #3304 (Only build the local provider conditionally) created by pbrezina
We have refactored data provider API and almost finished conversion of …

02/06/17:

15:17 Changeset [1c7f9a67] by Jakub Hrozek <jhrozek@…>
master: FAILOVER: Improve port status log messages
It should be clearer to administrators that when SSSD's internal port status is set to PORT_NOT_WORKING, this does not directly relate to an assumed network port-related issue.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
12:40 Ticket #3303 (Review and update SSSD's wiki pages for 1.15.1 release) created by jhrozek
ssia
06:35 Ticket #3302 (KCM: Offer configurable session-scoped access control to credentials) created by jhrozek
In addition to UID-based system-wide access control we could also do …

02/05/17:

19:24 Ticket #3301 (storing a sudo rule with sudoRule attribute values that only differ by ...) created by jhrozek
Consider the following sudo rule where two values of the sudoUser …
15:42 Ticket #3300 (Avoid running two instances of the same service) created by fidencio
This situation can happen when a system is misconfigured in a way that has …