wiki:Releases/Notes-1.14.0
Last modified on 07/07/16 17:59:31

Highlights

This section includes all changes since the last stable release, even those included in the Alpha and Beta releases.

Smart Card related enhancements

  • The IPA provider allows looking up users from trusted Active Directory domains by certificates that are included in the IPA ID-views. Please note that this functionality requires a recent IPA server.
  • The AD provider is now able to look up users from Active Directory domains by certificate. This change enables logins for Active Directory users with the help of a smart card.
  • The sss_override tool is now able to add certificates as local overrides in the SSSD cache. Please note that the certificate overrides are stored in the local cache, so removing the cache also removes all the certificates!
  • Invalid certificates are skipped instead of aborting the whole operation when logging in with a smart card using SSH.
  • This version allows several OCSP-related options, such as the OCSP responder, to be configured for smart card authentication.
  • SSSD is now able to determine the name of the user who logs in from the inserted smart card without having to type in the username. Please note that this functionality must be enabled with the allow_missing_name pam_sss option.

Enhancements for easier administration

  • The sss_cache command line tool is now able to invalidate SUDO rules with its new -r/-R switches. Please note that the sudo rules are not refreshed with the sss_cache tool immediately. Refer to the sssd-sudo man page for the existing refresh timeouts.
  • SSSD is able to merge configuration file snippets from an include directory. This functionality requires the latest libini release 1.3.0.
  • The GPO evaluator is able to skip malformed INI files. This feature, too, requires libini release 1.3.0 or newer.
  • SSSD is able to validate configuration files against a built-in schema. To retain backwards-compatibility with configuration files that would otherwise not validate, the validator only warns about errors in the config file in this version.
  • A new command line tool called sssctl was added. This tool allows the administrator to observe the status of SSSD. In this version, the tool is able to:
    • list SSSD domains and subdomains, including their online and offline status
    • print information about objects stored in the cache
    • backup or remove the local databases
    • check the validity of the configuration file
    • help truncate SSSD logs

Two-factor authentication improvements

  • With a recent IPA server (4.4.x), it is now possible to authenticate either with OTP or with a password. When a user has OTP authentication enabled and hits Enter at the password prompt, the authentication proceeds with a single factor only. The authentication method is stored in the ticket and, depending on the configuration of the Kerberized services, the user will only be able to access selected services unless they also authenticate with the second factor.

Performance improvements

  • Several systemtap probes were added across the SSSD codebase as well as example systemtap scripts that use these probes. The scripts allow the administrator to observe the performance of some operations such as saving a group or the 'id' command with systemtap.
  • SSSD's cache performance was improved. SSSD now stores the operational attributes of cache entries in a separate database opened in asynchronous write mode, which results in substantially faster cache update times in most cases. Note that the performance of the initial write into an empty cache does not improve, only that of subsequent updates.

Miscellaneous improvements

  • A new option local_negative_timeout was added. This option allows the admin to specify the time during which lookups for users that are not handled by SSSD but are present on the system (typically in /etc/passwd and /etc/group) are negatively cached, which prevents repeated lookups of local users on the remote server during the initgroups operation.
  • The AD provider, as well as the part of the IPA provider that handles AD users, is able to use the PAC blob attached to the Kerberos ticket to resolve group memberships for a user when the PAC is available. If the PAC blob is not available, other methods such as tokenGroups are used instead.
  • An ID-mapping plugin for the winbind daemon was added. With this plugin, winbind can use the same ID-mapping scheme as SSSD, producing consistent ID values.

Developer-facing features

  • A new "secrets" responder was added. This responder allows an application to communicate with SSSD over a UNIX socket using the Custodia API. SSSD then stores the secrets either in its local database or proxies them to a remote Custodia server.

Internal changes

  • All user and group names are now stored fully qualified in the SSSD cache. This change decouples the format for storing the users from the format used for output. As a consequence, it is now possible to configure short user names even for users from trusted domains.
  • Several internal interfaces were refactored, providing cleaner code and a better memory hierarchy. This change makes the code easier to maintain and extend and gets rid of sssd_be crashes on service restarts while active requests are running.
  • The libipa_hbac library was decorated with debug statements, allowing the administrator to see the individual parts of the HBAC rules as well as the request passed to the evaluator.

Packaging Changes

  • The libsss_sudo.so and libsss_autofs.so libraries were moved to individual subpackages. This change allows the sudo and autofs libraries to be installed in containers when the SSSD daemon is running on the host or in another container.
  • The PolicyKit rules used by the p11 child during smartcard authentication were moved into their own subpackage to prevent a conflict in ownership with the polkit package.
  • The upstream RPMs no longer run SSSD as an unprivileged user, because there are several known issues related to running SSSD completely unprivileged. It is still possible to switch to a non-privileged user in the sssd.conf file.
  • If no configuration file exists on SSSD startup, the SSSD is now able to read a default sssd.conf on first start. Downstreams are encouraged to ship a default sssd.conf to allow SSSD to be enabled by default.
  • SSSD stores ephemeral attributes in a new ldb database called timestamps_$domain.ldb stored in the same directory as the regular caches.
  • The winbind ID-mapping plugin is packaged in its own subpackage called winbind-idmap.
  • The SSSD configuration snippets are being read from a newly-owned directory /etc/sssd/conf.d.
  • SSSD ships a file with rules for the configuration validator. In Fedora, this file is located at /var/lib/sss/cfg_rules.ini.

Documentation Changes

  • The default attribute mappings for autofs provider with ldap_schema set to rfc2307 were changed. The rfc2307 schema now uses the nis* attribute maps. This is especially important for users who store their automounter maps on an Active Directory server, which typically lacks the RFC2307bis extensions.
  • It is possible to configure SSSD debugging with the debug option which is an alias to the existing debug_level option.
  • A new local_negative_timeout option was added to configure the time during which lookups for users that exist on the system but are not handled by SSSD are negatively cached.
  • The PAC responder allows configuring the time during which data read from the PAC blob is considered valid with a new pac_lifetime option.
  • Several PAM services were added to the default list of Group Policy mappings. These include adding the unity login manager to the ad_gpo_map_interactive list and the polkit-1 service to the ad_gpo_map_allow list.
  • The p11 responder allows configuring the default OCSP responder with its new option ocsp_default_responder and the certificate expected to sign the OCSP response with the new ocsp_default_responder_signing_cert option.
  • The pam_sss.so PAM module has a new option allow_missing_name that allows looking up the user (typically with the help of a certificate on a smartcard) during login.
  • The sss_override tool gained a new option -x/--certificate that can be used to specify a local (as in the local cache) certificate for a particular user.
  • The sss_cache tool gained new options -r/-R that allow the administrator to invalidate the sudo rules in the cache.

Tickets Fixed

  • #1656 Name-space add_string and make it clear it can also remove string
  • #2081 [RFE] sss_cache: invalidate sudo rules
  • #2151 [RFE] Integrate SSSD with containers
  • #2158 PAC responder needs much time to process large group lists
  • #2317 make the negcache timeout part of nc_ctx
  • #2369 check correct usage of talloc_realloc
  • #2424 review the use of umask() in sssd code
  • #2683 man sssd.conf should clarify details about subdomain_inherit option.
  • #2703 Need better libhbac debuging added to sssd
  • #2715 Make it possible to lookup user via UPN / Kerberos principal via IFP
  • #2816 CI: whitespace_test FAILED without any output
  • #2848 cache_req: add SID lookups
  • #2855 Move libsss_sudo.so outside sssd-common
  • #2866 Cannot authenticate AD trust users after disconnecting network
  • #2869 cache_req tests don't use leak_check_push/leak_check_pop in fixtures
  • #2870 AD GPO fails if the machine account belongs to a domain controller
  • #2897 Smart Cards: Certificate in the ID View
  • #2903 Review and update wiki pages for 1.14 Alpha
  • #2924 Incorrect mapping for locked vs expired accounts with the krb provider
  • #2928 NSS responder should negatively cache local users for a longer time
  • #2941 Screen locks and smart card is removed - must show a message to insert the correct smartcard
  • #2968 Abstract async connect functions from sss_ldap
  • #2973 Common responder code closes socket to early on client shutdown
  • #2977 ssh with Smartcards - skip invalid certificates
  • #2999 RFE - alias log_level to debug_level
  • #3005 [Patch] Vague error message: [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
  • #3010 SSSD doesn't fail over to next GC if authentication fails

  • #385 [RFE] Provide a Method to Display SSSD Status Information
  • #1662 [RFE] Provide a force reload utility
  • #1800 [RFE] create a generic sssdctl utility
  • #1937 [RFE] Improve LDAP error logging
  • #2028 sssd does not detail which line in configuration is invalid
  • #2166 [RFE] SSSD cache database reporting
  • #2247 [RFE] SSSD should be able to merge configuration from multiple files
  • #2466 [RFE] Method for setting custom shells without Unix Attributes in AD account
  • #2602 Optimize cache writes to sysdb
  • #2671 RFE: sss_cache: Add an option to rm the database files
  • #2735 Document best practices from security standpoint for OpenScap team
  • #2751 SSSD can't process GPO from Active Directory when it contains lines with no equal sign
  • #2913 Add a Secrets as a Service component
  • #2918 Make cli_ctx more generic
  • #2921 Replace the monitor ping with an in-process heartbeat
  • #2957 Extend interface between DP and IFP
  • #3070 Add infrastructure for socket-activated responders

  • #2011 sysdb API is not consistent about the RDN of subdomain users
  • #2269 [RFE] SSSD configuration file test tool (sssd_check)
  • #2449 Enable the sssd krb5 localauth plugin by default
  • #2788 Allow fallback to default krb5_kuserok() implementation for root user from localauth plugin
  • #2838 full_name_format and default_domain_suffix breaks supplemental AD trust groups
  • #2858 Please fix rfc2307 ldap schema implementation
  • #2919 Improve sudo protocol
  • #2929 NSS responder does not lowercase AD external group members
  • #2966 Support authentication indicators from IPA
  • #2988 [RFE] Make OTP/2FA authentication optional
  • #3003 IPA key authentication logs false error message for root user.
  • #3041 SSSD IPA provider should request client principal canonicalization by default
  • #3055 The sssctl tool is missing a manpage
  • #3059 The sssctl tool doesn't work with users from subdomains
  • #3062 amend the sssd.conf manpage to mention include directories
  • #3066 sssctl remove-cache should restart, not stop sssd
  • #3071 Review and update SSSD's wiki pages for 1.14.0 release
  • #3079 endianess issues in NSS tests and sysdb utils
  • #3135 [RFE] Functionality to change the default OCSP responder
  • #3190 sssd debug logging prints "No matching domain found for [$id]" everytime nss_cmd_getpwuid_search is called

Detailed changelog

Alexander Bokovoy (1):

  • SPEC: Move polkit rules into sssd-polkit-rules subpackage

Christian Heimes (1):

  • Secrets: m4 macros for jansson and http-parser

Dan Lavu (8):

  • sss_override: Add restart requirements to man page
  • sss_override: Add restart requirements to man page
  • MAN: Clarify that subdomain_inherit only works for IPA and AD
  • URL in BUILD.txt is incorrect
  • Clarify that subdomains always use service discovery
  • Clarify that subdomains always use service discovery
  • PAM: Fix man for pam_account_{expired,locked}_message
  • PAM: Fix man for pam_account_{expired,locked}_message

David Disseldorp (2):

  • build: detect endianness at configure time
  • build: detect endianness at configure time

Fabiano Fidêncio (4):

  • sysdb: move add_string() convenience to sysdb.c
  • sysdb: add sysdb_{add,replace,delete}_string()
  • sysdb: move add_ulong() convenience to sysdb.c
  • sysdb: add sysdb_{add,replace,delete}_ulong()

Graham Leggett (1):

  • Add underlying diagnostic message for SSL errors.

Jakub Hrozek (189):

  • Updating the version to track 1.14 development
  • MAN: Clarify pam_trusted_users option description
  • MAN: proxy and krb5 are valid access control modules
  • contrib: Add a pre-push hook to warn about commits without Reviewed-By
  • AD: Provide common connection list construction functions
  • AD: Consolidate connection list construction on ad_common.c
  • AD: Provide common connection list construction functions
  • AD: Consolidate connection list construction on ad_common.c
  • tests: Fix compilation warning
  • tests: Fix compilation warning
  • FO: Don't free rc-allocated structure
  • tests: Reduce failover code duplication
  • FO: Use refcount to keep track of servers returned to callers
  • tools: Don't shadow 'exit'
  • tools: Don't shadow 'exit'
  • IFP: Skip non-POSIX groups properly
  • IFP: Skip non-POSIX groups properly
  • SSSD: Add a new option diag_cmd
  • DP: Drop dp_pam_err_to_string
  • DP: Check callback messages for valid UTF-8
  • sbus: Check string arguments for valid UTF-8 strings
  • DP: Drop dp_pam_err_to_string
  • DP: Check callback messages for valid UTF-8
  • sbus: Check string arguments for valid UTF-8 strings
  • Updating translations for the 1.13.2 release
  • Upgrading the version for the 1.13.3 release
  • DP: Do not confuse static analysers with dead code
  • DP: Do not confuse static analysers with dead code
  • CONTRIB: Add a gdb pretty-printer for ldb and sysdb_attrs
  • BUILD: Only install polkit rules if the directory is available
  • BUILD: Only install polkit rules if the directory is available
  • AD: Add autofs provider
  • KRB5: Handle preauth request timeout more gracefully
  • KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO
  • FO: Use tevent_req_defer_callback() when notifying callers
  • IPA: Use search timeout, not enum timeout for searching overrides
  • IPA: Use search timeout, not enum timeout for searching overrides
  • AD: Add autofs provider
  • DP: Reduce code duplication in the callback handlers
  • DP: Reduce code duplication in Data Provider handlers
  • MAN: Clarify when should TGs be disabled for group nesting restriction
  • MAN: Clarify when should TGs be disabled for group nesting restriction
  • Update translations for the 1.13.3 release
  • Upgrading the version for the 1.13.4 release
  • DP: Print warning when the handler is not configured
  • tests: use unittest.TestCase.assertCountEqual if possible
  • Fix pep8 warnings in pyhbac-test.py
  • SDAP: Make it possible to silence errors from dereference
  • SDAP: Make it possible to silence errors from dereference
  • Add a new option ldap_group_external_member
  • IPA: Add interface to call into IPA provider from LDAP provider
  • LDAP: Use the IPA provider interface to resolve external group members
  • Add a new option ldap_group_external_member
  • IPA: Add interface to call into IPA provider from LDAP provider
  • LDAP: Use the IPA provider interface to resolve external group members
  • IPA: Use the common if-else coding style
  • tests: Extend test_child_common.c to include tests for the only_extra_args functionality
  • FO: Don't free rc-allocated structure
  • tests: Reduce failover code duplication
  • FO: Use refcount to keep track of servers returned to callers
  • FO: Use tevent_req_defer_callback() when notifying callers
  • NSS: Move a DEBUG message so that it's less confusing
  • MAN: Move subdomain_inherit to the correct man section
  • MAN: Move proxy_fast_alias to the correct man section
  • memberof: Don't allocate on a NULL context
  • memberof: Don't allocate on a NULL context
  • tests: Add a unit test for the external groups resolution
  • tests: Add a unit test for the external groups resolution
  • libipa_hbac: Do not use C99
  • libipa_hbac: Add more debug messages
  • libipa_hbac: Fix typo in constant name
  • libipa_hbac: Move the library to src/lib/ipa_hbac
  • MAN: Remove duplicate description of the pam_account_locked_message option
  • MAN: Remove duplicate description of the pam_account_locked_message option
  • AD: Recognize Windows Server 2016
  • AD: Recognize Windows Server 2016
  • memberof: Fix a memory leak when removing ghost users
  • memberof: Don't allocate on NULL when deleting memberUids
  • tests: Check NULL context in sysdb-tests when removing group members
  • memberof: Fix a memory leak when removing ghost users
  • memberof: Don't allocate on NULL when deleting memberUids
  • tests: Check NULL context in sysdb-tests when removing group members
  • Updating translations for the 1.13.4 release
  • MAN: Drop the reference to IPAv2 in the man page
  • Make sdap_process_group_send() static
  • MAN: Remove references to the obsolete PubkeyAgent ssh option
  • UTIL: Add ERR_SBUS_REQUEST_HANDLED
  • IFP: Do not crash on invalid arguments to GetUserAttr
  • UTIL: exit() the forked process if exec()-ing a child process fails
  • AD: Do not schedule the machine renewal task if adcli is not executable
  • AD: Do not leak file descriptors during machine password renewal
  • Do not leak fds in case of failures setting up a child process
  • LDAP: Try also the AD access control for IPA users
  • RESPONDER: Fix error check in cache_req.c
  • UTIL: Add a PROBE macro into probes.h
  • BUILD: Add build infrastructure for systemtap scripts
  • SYSDB: Track transaction nesting in sysdb_ctx
  • SYSDB: Add systemtap probes to track sysdb transactions
  • STAP: Add helper functions to for human-readable account request representation
  • LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
  • CONTRIB: Add a systemtap script to analyze the performance of the 'id' command
  • CONTRIB: Add a systemtap script to measure nested group code performance
  • BUILD: Enable systemtap during RPM build and CI
  • Updating the translations for the 1.14 alpha release
  • Updating the version for the 1.14 beta release
  • SYSDB: Move sysdb initialization into a new module sysdb_init.c
  • UTIL: Add error codes for sysdb too old or too new
  • SYSDB: Refactor database connection
  • SYSDB: Add a second, timestamp-only ldb cache
  • SYSDB: Open a timestamps cache for caching domains
  • SYSDB: Wrap sysdb_store_group in a transaction and split it into smaller functions
  • SYSDB: Search the timestamp caches in addition to the sysdb cache
  • SYSDB: If modifyTimestamp is the same, only update the TS cache
  • SYSDB: Check if group attributes differ before saving a group
  • SYSDB: Refactor sysdb_store_user
  • SYSDB: Only update user attributes if needed
  • TESTS: Add a unit test for timestamps caches
  • TESTS: Add an integration test for the timestamps cache
  • LDAP: Shortcut looking up for group members sooner
  • Contrib: Add a gdbinit file
  • BUILD: Fall back to non-strict http parser, if strict is not available
  • MAN: Include idmap_sss.8.xml in the manpage sources
  • Updating the translations for the 1.14 beta release
  • Updating the version for the next release
  • SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user
  • LDAP: Change the default rfc2307 autofs attribute mappings
  • TESTS: Add a test for sss_parse_internal_fqname
  • TESTS: Add a test for sss_create_internal_fqname
  • UTIL: Add a utility function to create a list of qualified names
  • UTIL: Add a utility function sss_output_name
  • BUILD: Temporarily disable unit and integration tests until we fix them to cope with qualified names in sysdb
  • SYSDB: add_name_and_aliases_for_name_override no longer needs to special case subdomain users
  • SDAP: Search functions don't need to construct per-domain names
  • TESTS: Fix sysdb tests to work with the new format
  • TESTS: Amend sysdb_view tests for the FQDN schema
  • SIMPLE: Make the simple access provider work with qualified names
  • TESTS: Convert the simple access provider to cmocka
  • RESPONDER: Use fqnames for cache_req lookups of users and groups
  • RESPONDER: Add a helper function sss_resp_create_fqname
  • UTIL: expand_homedir_template manages usernames internally
  • TESTS: Fix the nested group tests to cope with FQDNs
  • NCACHE: Store FQDNs internally, check for shortnames in files
  • NSS: Fix NSS responder to cope with fully-qualified usernames
  • PAM: Use qualified names internally in the PAM responder
  • SSH: Use a qualified name for user searches in the SSH responder
  • LDAP: Rename DP filter value from name to filter_value
  • LDAP: Use shortname for LDAP queries
  • LDAP: save users with FQDN
  • LDAP: Convert RFC2307 member attribute values to FQDN-style ghostnames before acting on them
  • SYSDB: Add a utility function to return a list of qualified names
  • LDAP: make it clear that sdap_add_incomplete_groups operates on sysdb names
  • LDAP: Use fqdns during nested RFC2307 initgroups
  • LDAP: Use FQDNs when saving incomplete groups
  • LDAP: Delete cache entry if not found by UPN
  • LDAP: The access control filter just needs the plain username
  • PROXY: Use fully qualified names internally
  • TOOLS: Make the local domain operate on FQDNs
  • SSS_CACHE: Make internal functions static
  • SSS_CACHE: Don't use sss_get_domain_name, but create the internal fqname instead for users and groups
  • SSS_SEED: Use FQDN for accessing sysdb
  • SSS_OVERRIDE: Fixes for fully qualified names
  • KRB5: Rely on internal fqname when constructing UPNs
  • KRB5: Rely on sysdb names for the renewal task
  • KRB5: Use shortname when expanding the user template in Kerberos ccache
  • AD: No need to separately qualify subdomain users anymore
  • SYSDB: Construct internal fqnames, not NSS names in sysdb_add_group_member_overrides
  • IPA: Use internal fqname format instead of parsing NSS names
  • IPA: HBAC evaluator consumes shortnames
  • SELINUX: Parse the internal fqname before using it
  • RESPONDERS: Return the sysdb name from cache_req
  • IPA: Save sudoUser qualified in the cache
  • LDAP: Qualify user and group names when saving the sudo users
  • IFP: Amend the InfoPipe responder for fqdns
  • TOOLS: sssctl: Work with trusted users
  • UTIL: Parse internal fqnames in find_domain_by_object_name
  • UTIL: Remove unused functions
  • TESTS: Convert the tests to use qualified names for ldb lookups
  • SYSDB: Remove useless parameter from sysdb_init()
  • SYSDB: Allow passing a context to sysdb upgrade functions
  • SYSDB: Fix small issues during db upgrade
  • SYSDB: Remove the timestamps cache on update
  • MEMBEROF: Allow bypassing memberof during upgrade
  • SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects
  • TOOLS: Some tools command might not need initialization to succeed
  • TOOLS: Add the upgrade-cache command
  • SUDO: Add more low-level tracing messages
  • LDAP: Lookup services by all protocols unless a protocol is specified
  • Updating the translations for the 1.14.0 release
  • Updating the version for the 1.14.0 release

Lukas Slebodnik (187):

  • CONTRIB: pre-push hook could work with python3
  • BUILD: Link just libsss_crypto with crypto libraries
  • BUILD: Link crypto_tests with existing library
  • BUILD: Remove unused variable TEST_MOCK_OBJ
  • BUILD: Link just libsss_crypto with crypto libraries
  • BUILD: Link crypto_tests with existing library
  • BUILD: Remove unused variable TEST_MOCK_OBJ
  • BUILD: Avoid symlinks with python modules
  • BUILD: Avoid symlinks with python modules
  • SSSDConfigTest: Try load saved config
  • SSSDConfigTest: Test real config without config_file_version
  • SSSDConfigTest: Try load saved config
  • SSSDConfigTest: Test real config without config_file_version
  • intg_tests: Fix PEP8 warnings
  • intg_tests: Fix PEP8 warnings
  • responder_common_tests: Removed unused libraries
  • BUILD: Remove unused variables
  • BUILD: Remove SSS_CRYPTO_LIBS from common libraries
  • BUILD: Accept krb5 1.14 for building the PAC plugin
  • BUILD: Accept krb5 1.14 for building the PAC plugin
  • BUILD: Fix detection of pthread with strict CFLAGS
  • BUILD: Fix detection of pthread with strict CFLAGS
  • sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
  • BUILD: Fix cleanup without NLS
  • SDAP: Remove unused sdap_id_ctx from sdap_id_conn_cache_create
  • BUILD: Fix doc directory for sss_simpleifp
  • BUILD: Fix doc directory for sss_simpleifp
  • LDAP: Fix leak of file descriptors
  • LDAP: Fix leak of file descriptors
  • BUILD: Remove sudo doxygen file
  • CI: Workaround for code coverage with old gcc
  • CI: Workaround for code coverage with old gcc
  • FAIL_OVER: Fix warning value computed is not used
  • cache_req: Fix warning -Wshadow
  • SBUS: Fix warnings -Wshadow
  • TESTS: Fix warnings -Wshadow
  • cache_req: Fix warning -Wshadow
  • SBUS: Fix warnings -Wshadow
  • TESTS: Fix warnings -Wshadow
  • INIT: Drop syslog.target from service file
  • INIT: Drop syslog.target from service file
  • sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
  • AD: Remove unused memory context from ad_user_conn_list
  • DP_PTASK: Fix warning may be used uninitialized
  • DP_PTASK: Fix warning may be used uninitialized
  • UTIL: Fix memory leak in switch_creds
  • TESTS: Initialize leak check
  • TESTS: Check return value of check_leaks_pop
  • TESTS: Make check_leaks static function
  • TESTS: Add warning for unused result of leak check functions
  • UTIL: Fix memory leak in switch_creds
  • TESTS: Initialize leak check
  • TESTS: Check return value of check_leaks_pop
  • TESTS: Make check_leaks static function
  • TESTS: Add warning for unused result of leak check functions
  • sss_client: Fix underflow of active_threads
  • sssd_client: Do not use removed memory cache
  • test_memory_cache: Test removing mc without invalidation
  • Revert "intg: Invalidate memory cache before removing files"
  • sss_client: Fix underflow of active_threads
  • sssd_client: Do not use removed memory cache
  • test_memory_cache: Test removing mc without invalidation
  • Revert "intg: Invalidate memory cache before removing files"
  • CONFIGURE: Bump AM_GNU_GETTEXT_VERSION
  • CONFIGURE: Bump AM_GNU_GETTEXT_VERSION
  • test_sysdb_subdomains: Do not use assignment in assertions
  • test_sysdb_subdomains: Do not use assignment in assertions
  • ldap_local_override_test: Fix failure with python2.6
  • sbus_codegen_tests: Use portable definition of large constants
  • sbus_codegen_tests: Use portable definition of large constants
  • CI: Update suppression file for 32bit el6
  • DEBUG: Add missing new lines
  • DEBUG: Add missing new lines
  • AD: Log SID in debug message
  • SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
  • SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
  • SPEC: Move libsss_sudo.so outside sssd-common
  • SPEC: Fix unowned directories
  • SPEC: Use systemd macros
  • pam-srv-tests: Reuse test directory for IO tests
  • FAILOVER: Improve reporting of errors
  • TOOLS: Fix warning Wsign-compare
  • pysss_murmur: Fix warning Wsign-compare
  • pyhbac: Fix warning Wsign-compare
  • SPEC: Remove unnecessary clean-up of buildroot
  • SPEC: Fix packaging of libsss_simpleifp
  • CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
  • CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
  • TESTS: Fix race condition in python test
  • TESTS: Fix race condition in python test
  • server-tests: Fix clean-up after successful test
  • PYTHON: sss_obfuscate should work with python3
  • PYTHON: Fix pep8 errors in sss_obfuscate
  • PYTHON: sss_obfuscate should work with python3
  • PYTHON: Fix pep8 errors in sss_obfuscate
  • intg: Change preference of openldap module path
  • SPEC: Move libsss_autofs.so outside sssd-common
  • SPEC: Remove unnecessary requirements
  • UTIL: Backport error code ERR_ACCOUNT_LOCKED
  • sss_idmap-tests: Fix segmentation fault
  • sss_idmap-tests: Fix segmentation fault
  • krb5_child: Warn if user cannot read krb5.conf
  • krb5_child: Warn if user cannot read krb5.conf
  • Fix typos reported by lintian
  • Fix typos reported by lintian
  • UTIL: Use prefix for debug function
  • UTIL: Provide varargs version of debug_fn
  • IPA: Use sss_vdebug_fn in hbac_debug_messages
  • IPA: log real hbac function
  • HBAC: Check format string in hbac log function
  • UTIL: Use sss_vdebug_fn for callbacks
  • UTIL: Use prefix for debug function
  • UTIL: Provide varargs version of debug_fn
  • UTIL: Use sss_vdebug_fn for callbacks
  • Revert "DEBUG: Preventing chown_debug_file if journald on"
  • DEBUG: Ignore ENOENT for change owner of log files
  • Revert "DEBUG: Preventing chown_debug_file if journald on"
  • DEBUG: Ignore ENOENT for change owner of log files
  • TOOLS: Fix minor memory leak in sss_colondb_writeline
  • TOOLS: Fix minor memory leak in sss_colondb_writeline
  • CI: Use yum-deprecated instead of dnf
  • CI: Use yum-deprecated instead of dnf
  • FAIL_OVER: Fix warning value computed is not used
  • BUILD: Remove unused include directories
  • BUILD: Simplify build of cwrap tests
  • UTIL: Fix indentation in dlinklist.h
  • UTIL: Fix warning misleading-indentation
  • UTIL: Fix indentation in dlinklist.h
  • UTIL: Fix warning misleading-indentation
  • CLIENT: Reduce code duplication
  • CLIENT: Retry request after EPIPE
  • CLIENT: Reduce code duplication
  • CLIENT: Retry request after EPIPE
  • libipa_hbac: Ensure we always build with C90
  • UTIL: Do not call stderr with negative number
  • UTIL: Move debug part from util.h -> new debug.h
  • UTIL: Allow to append new line in sss_vdebug_fn
  • UTIL: Move debug part from util.h -> new debug.h
  • UTIL: Allow to append new line in sss_vdebug_fn
  • AUTOMAKE: Force usage of parallel test harness
  • CI: Use make check instead of make-check-wrap
  • AUTOMAKE: Force usage of parallel test harness
  • CI: Use make check instead of make-check-wrap
  • IPA: Remove unused parameter from ipa_ext_group_member_check
  • SDAP: Remove unused parameter talloc context
  • test_ipa_subdom_server: Workaround for slow krb5 + SELinux
  • SPEC: Run extra unit tests with epel
  • GPO: Soften umask in gpo_child
  • GPO_CHILD: Create directories in gpo_cache with right permissions
  • test_ipa_subdom_server: Workaround for slow krb5 + SELinux
  • SPEC: Run extra unit tests with epel
  • GPO: Soften umask in gpo_child
  • GPO_CHILD: Create directories in gpo_cache with right permissions
  • GPO: Process GPOS in offline mode if ldap search failed
  • GPO: Process GPOS in offline mode if ldap search failed
  • IPA: Check RDN in ipa_add_ad_memberships_get_next
  • IPA: Check RDN in ipa_add_ad_memberships_get_next
  • dp_ptask: Fix memory leak in synchronous ptask
  • test_be_ptask: Check leaks in tests
  • dp_ptask: Fix memory leak in synchronous ptask
  • test_be_ptask: Check leaks in tests
  • test_ad_common: Include missing header if building with NSS
  • SYSDB_SUDO: Remove useless test
  • IPA_SUDO: Prevent dereference of NULL pointer
  • intg: Use different uid range for add_remove tests
  • LDAP: Print port in sdap_print_server
  • TOOLS: Fix warning maybe-uninitialized
  • pam-srv-tests: Increase cached_auth_timeout
  • CI: Exclude files in /tmp during coverage runs
  • pam-srv-tests: Fix warning unused-function
  • SPEC: Run sssd as privileged user
  • Prepare ini schema with rules for validation
  • UTIL: Fix debug message in sssd_async_connect_done
  • UTIL: Revent connection handling in sssd_async_connect_send
  • Downcast to errno_t after tevent_req_is_error
  • BUILD: Fix detection of systemd
  • BUILD: Detect libsystemd-daemon or libsystemd
  • Secrets: Fix format string
  • UTIL: Fix warning Wmissing-braces
  • Fix warning sign-compare
  • MAN: Update documentation of sss_cache
  • IPA: Fix uninitialized pointer read (UNINIT)
  • DOC: Fix few typos in doxygen comments
  • MAN: Remove leading spaces from elements programlisting
  • test_sysdb_ts_cache: Do not use wrong pointer for output argument
  • sysdb: Use ldb_result as output in sysdb_search_ts_{users,groups}
  • CONFIGURE: Inform about optional build dependencies

Mathieu Deaudelin-Lemay (1):

  • Changes to allow SSSD to be used for access control with a machine account belonging to a domain controller.

Michal Zidek (12):

  • Remove misleading comment
  • UTIL: Add function to parse internal fqname format
  • UTIL: Add function to create internal fqname
  • SYSDB: convert sysdb_group_membership_mod to operate on qualified names
  • SYSDB: Search functions don't need to construct per-domain names
  • SDAP: Save user and group aliases qualified
  • SDAP: Store SID members during AD initgroups with a qualified name
  • TESTS: Fix the ldap_id_cleanup test for using qualified names in sysdb
  • TESTS: First pass on converting the sysdb tests to the fqname format
  • TESTS: Start converting the sysdb views tests to the fqname format
  • TESTS: Start fixing the NSS test for fully qualified names in sysdb
  • TESTS: Start fixing the PAM responder tests for fully qualified names in sysdb

Michal Židek (36):

  • SSSDConfig: Do not raise exception if config_file_version is missing
  • SSSDConfig: Do not raise exception if config_file_version is missing
  • spec: Missing initgroups mmap file
  • spec: Missing initgroups mmap file
  • util: Update get_next_domain's interface
  • tests: Add get_next_domain_flags test
  • sysdb: Include disabled domains in link_forest_roots
  • sysdb: Use get_next_domain instead of dom->next
  • Refactor some conditions
  • util: Update get_next_domain's interface
  • tests: Add get_next_domain_flags test
  • sysdb: Include disabled domains in link_forest_roots
  • sysdb: Use get_next_domain instead of dom->next
  • Refactor some conditions
  • util: Continue if setlocale fails
  • server_setup: Log failed attempt to set locale
  • tests: Run intgcheck without libsemanage
  • tests: Regression test with wrong LC_ALL
  • ldap_local_override_test: Remove sss_cache from teardown
  • MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
  • MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
  • NSS: do not skip cache check for netgroups
  • NSS: do not skip cache check for netgroups
  • util: Continue if setlocale fails
  • server_setup: Log failed attempt to set locale
  • tests: Run intgcheck without libsemanage
  • tests: Regression test with wrong LC_ALL
  • GPO: log specific ini parse error messages
  • GPO: log specific ini parse error messages
  • GPO: ignore non-KVP lines if possible
  • confdb: Make it possible to use config snippets
  • confdb: Check for config file errors on sssd startup
  • config: Fix filename matching regex
  • sss_ini: Small refactoring of sss_ini_call_validators
  • sssctl: Add config-check command
  • MAN: Config file merging

Nikolai Kondrashov (28):

  • CI: Exclude whitespace_test from Valgrind checks
  • CI: Exclude whitespace_test from Valgrind checks
  • TESTS: Make whitespace_test pass without whitespace
  • man: Mention groups in filter_groups description
  • man: Note filter_groups are not affecting nesting
  • intg: Get base DN from LDAP connection object
  • intg: Add support for specifying all user attrs
  • intg: Split LDAP test fixtures for flexibility
  • intg: Reduce sssd.conf duplication in test_ldap.py
  • intg: Fix RFC2307bis group member creation
  • intg: Get base DN from LDAP connection object
  • intg: Add support for specifying all user attrs
  • intg: Split LDAP test fixtures for flexibility
  • intg: Reduce sssd.conf duplication in test_ldap.py
  • intg: Fix RFC2307bis group member creation
  • intg: Do not use non-existent pre-increment
  • intg: Do not use non-existent pre-increment
  • CI: Do not skip tests not checked with Valgrind
  • CI: Handle dashes in valgrind-condense
  • CI: Do not skip tests not checked with Valgrind
  • CI: Handle dashes in valgrind-condense
  • intg: Fix all PEP8 issues
  • intg: Fix all PEP8 issues
  • CI: Enforce coverage make check failures
  • CI: Enforce coverage make check failures
  • intg: Add more LDAP tests
  • intg: Add more LDAP tests
  • Fix packet size calculation in sss_packet_new

Pavel Březina (242):

  • sbus codegen tests: free ctx
  • sss tools: improve option handling
  • sss tools: improve option handling
  • sbus codegen tests: free ctx
  • cache_req: provide extra flag for oob request
  • cache_req: add support for UPN
  • cache_req tests: reduce code duplication
  • cache_req: remove raw_name and do not touch orig_name
  • cache_req: provide extra flag for oob request
  • cache_req: add support for UPN
  • cache_req tests: reduce code duplication
  • cache_req: remove raw_name and do not touch orig_name
  • intg: fix typos
  • sss_override: fix comment describing format
  • sss_override: explicitly set ret = EOK
  • sss_override: steal msgs string to objs
  • sss_override: fix comment describing format
  • sss_override: explicitly set ret = EOK
  • sss_override: steal msgs string to objs
  • nss: send original name and id with local views if possible
  • sudo: search with view even if user is found
  • sudo: send original name and id with local views if possible
  • nss: send original name and id with local views if possible
  • sudo: search with view even if user is found
  • sudo: send original name and id with local views if possible
  • sss_tools: always show common and help options
  • sss_override: fix exporting multiple domains
  • sss_override: add user-find
  • sss_override: add group-find
  • sss_override: add user-show
  • sss_override: add group-show
  • sss_override: do not free ldb_dn in get_object_dn()
  • sss_override: use more generic help text
  • sss_tools: do not allow unexpected free argument
  • sss_tools: always show common and help options
  • sss_override: fix exporting multiple domains
  • sss_override: add user-find
  • sss_override: add group-find
  • sss_override: add user-show
  • sss_override: add group-show
  • sss_override: do not free ldb_dn in get_object_dn()
  • sss_override: use more generic help text
  • sss_tools: do not allow unexpected free argument
  • BE: Add IFP to known clients
  • BE: Add IFP to known clients
  • AD: remove annoying debug message
  • AD: remove annoying debug message
  • man sssd-ad: fix typo
  • SYSDB: Add missing include to sysdb_services.h
  • LDAP: Mark globals in ldap_opts.h as extern
  • AD: Mark globals in ad_opts.h as extern
  • IPA: Mark globals in ipa_opts.h as extern
  • KRB5: Mark globals in krb5_opts.h as extern
  • SYSDB: Add missing include to sysdb_services.h
  • LDAP: Mark globals in ldap_opts.h as extern
  • AD: Mark globals in ad_opts.h as extern
  • IPA: Mark globals in ipa_opts.h as extern
  • KRB5: Mark globals in krb5_opts.h as extern
  • SUDO: convert periodical refreshes to be_ptask
  • SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
  • SUDO: move offline check to handler
  • SUDO: simplify error handling
  • SUDO: fix sdap_id_op logic
  • SUDO: fix tevent style
  • SUDO: fix sdap_sudo_smart_refresh_recv()
  • SUDO: sdap_sudo_load_sudoers improve iterator
  • SUDO: set USN inside sdap_sudo_refresh request
  • SUDO: build host filter inside sdap_sudo_refresh request
  • SUDO: do not imitate full refresh if usn is unknown in smart refresh
  • SUDO: fix potential memory leak in sdap_sudo_init
  • SUDO: obtain host information when going online
  • SUDO: remove finalizer
  • SUDO: make sdap_sudo_handler static
  • SUDO: use size_t instead of int in for cycles
  • SUDO: get srv_opts after we are connected
  • SUDO: convert periodical refreshes to be_ptask
  • SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
  • SUDO: move offline check to handler
  • SUDO: simplify error handling
  • SUDO: fix sdap_id_op logic
  • SUDO: fix tevent style
  • SUDO: fix sdap_sudo_smart_refresh_recv()
  • SUDO: sdap_sudo_load_sudoers improve iterator
  • SUDO: set USN inside sdap_sudo_refresh request
  • SUDO: build host filter inside sdap_sudo_refresh request
  • SUDO: do not imitate full refresh if usn is unknown in smart refresh
  • SUDO: fix potential memory leak in sdap_sudo_init
  • SUDO: obtain host information when going online
  • SUDO: remove finalizer
  • SUDO: make sdap_sudo_handler static
  • SUDO: use size_t instead of int in for cycles
  • SUDO: get srv_opts after we are connected
  • AD SRV: prefer site-local DCs in LDAP ping
  • AD SRV: prefer site-local DCs in LDAP ping
  • SDAP: handle ret properly in ldap_get_options()
  • SDAP: do not fail if refs are found but not processed
  • SDAP: do not fail if refs are found but not processed
  • SDAP: Add request that iterates over all search bases
  • SDAP: rename sdap_get_id_specific_filter
  • SDAP: support empty filters in sdap_combine_filters()
  • SUDO: use sdap_search_bases instead of custom sb iterator
  • SUDO: make sudo sysdb interface more reusable
  • SUDO: move code shared between ldap and ipa to separate module
  • SUDO: allow to disable ptask
  • SUDO: fail on failed request that cannot be retried
  • IPA: add ipa_get_rdn and ipa_check_rdn
  • SDAP: use ipa_get_rdn() in nested groups
  • IPA SUDO: choose between IPA and LDAP schema
  • IPA SUDO: Add ipasudorule mapping
  • IPA SUDO: Add ipasudocmdgrp mapping
  • IPA SUDO: Add ipasudocmd mapping
  • IPA SUDO: Implement sudo handler
  • IPA SUDO: Implement full refresh
  • IPA SUDO: Implement rules refresh
  • IPA SUDO: Remember USN
  • SDAP: Add sdap_or_filters
  • IPA SUDO: Implement smart refresh
  • SUDO: sdap_sudo_set_usn() do not steal usn
  • SUDO: remove full_refresh_in_progress
  • SUDO: assume zero if usn is unknown
  • SUDO: allow disabling full refresh
  • SUDO: remember usn as number instead of string
  • SUDO: simplify usn filter
  • IPA SUDO: Add support for ipaSudoRunAsExt* attributes
  • SDAP: Add request that iterates over all search bases
  • SDAP: rename sdap_get_id_specific_filter
  • SDAP: support empty filters in sdap_combine_filters()
  • SUDO: use sdap_search_bases instead of custom sb iterator
  • SUDO: make sudo sysdb interface more reusable
  • SUDO: move code shared between ldap and ipa to separate module
  • SUDO: allow to disable ptask
  • SUDO: fail on failed request that cannot be retried
  • IPA: add ipa_get_rdn and ipa_check_rdn
  • SDAP: use ipa_get_rdn() in nested groups
  • IPA SUDO: choose between IPA and LDAP schema
  • IPA SUDO: Add ipasudorule mapping
  • IPA SUDO: Add ipasudocmdgrp mapping
  • IPA SUDO: Add ipasudocmd mapping
  • IPA SUDO: Implement sudo handler
  • IPA SUDO: Implement full refresh
  • IPA SUDO: Implement rules refresh
  • IPA SUDO: Remember USN
  • SDAP: Add sdap_or_filters
  • IPA SUDO: Implement smart refresh
  • SUDO: sdap_sudo_set_usn() do not steal usn
  • SUDO: remove full_refresh_in_progress
  • SUDO: assume zero if usn is unknown
  • SUDO: allow disabling full refresh
  • SUDO: remember usn as number instead of string
  • SUDO: simplify usn filter
  • IPA SUDO: Add support for ipaSudoRunAsExt* attributes
  • sdap_connect_send: fail if uri or sockaddr is NULL
  • sdap_connect_send: fail if uri or sockaddr is NULL
  • MAKE: Do not compile generated header files
  • cache_req: simplify cache_req_cache_check()
  • cache_req: do not lookup views if possible
  • cache_req: simplify cache_req_cache_check()
  • cache_req: do not lookup views if possible
  • remove user certificate if not found on the server
  • remove user certificate if not found on the server
  • IPA SUDO: download externalUser attribute
  • IPA SUDO: download externalUser attribute
  • cache_req: bring together search parameters
  • cache_req: fix typo in debug message
  • cache_req: break cache_req_input_create into more functions
  • cache_req: rename debug_fqn to debugobj
  • cache_req: improve debugging
  • cache_req tests: remove unused users and groups
  • mock domain: reset ldb errors
  • cache_req tests: use leak check in test fixtures
  • cache_req tests: improve user and group creation
  • utils: return const char from dup_string_list
  • cache_req: add SID lookups
  • cache_req test: add lookup by sid
  • cache_req: hide input and pass parameters in struct
  • cache_req: rename cache_req_input to cache_req
  • cache_req: remove old comment
  • IPA SUDO: fix typo
  • IPA SUDO: support old ipasudocmd rdn
  • IPA SUDO: fix typo
  • IPA SUDO: support old ipasudocmd rdn
  • SUDO: be able to parse modifyTimestamp correctly
  • SUDO: be able to parse modifyTimestamp correctly
  • sudo: remove unused structure sudo_dp_request
  • sudo: use cache_req for initgroups
  • sudo: do not use tevent when parsing query
  • sudo: convert get_sudorules to tevent
  • Inform about (un)successful connection
  • Failover to next server if authentication fails
  • Remove braces from DEBUG statements
  • Rename dp_ptask to be_ptask
  • Rename dp_refresh.h to be_refresh.h
  • Rename dp_refresh.c to be_refresh.c
  • Rename dp_dyndns.h to be_dyndns.h
  • Rename dp_dyndns.c to be_dyndns.c
  • Rename dp_backend.h to backend.h
  • SBUS: Add sbus_conn_register_iface_map
  • SBUS: Add data provider errors
  • SBUS: Print debug message when handler fails
  • ERRORS: Add ERR_OFFLINE
  • ERRORS: Add ERR_TERMINATED
  • ERRORS: Add ERR_INVALID_DATA_TYPE
  • ERRORS: Add ERR_MISSING_DP_TARGET
  • sdap_search_bases: allow map to be NULL
  • sdap_search_bases: allow returning only the first reply
  • sdap ops: add support for deref
  • DP: Introduce new interface for backend
  • DP: Add callback for backward compatibility
  • DP TESTS: Mock data_provider
  • DP TESTS: Add unit tests for dp_request_table.c
  • DP: Switch to new interface
  • RESPONDER: New interface for client registration
  • DP: Move be_req_acct and remove discard_const
  • IFP: Add domain nodes
  • IFP: new header file that contains interface definitions
  • sss_sifp: make it compatible with latest version of the infopipe
  • sss_sifp: return context even on IO error
  • sss_sifp: bump version to 1:0:1
  • sss_tools: add command description
  • sss_tools: add help commands to usage message
  • sss_tools: unify description of --debug
  • sss_tools: tell whether an option was provided
  • sss_tools: add commands delimiter
  • sss_tools: pad help message properly
  • sss_tools: return errno_t instead of system code
  • sss_tools: add test if sssd is running
  • sss_tools: create confdb if not exist
  • sss_override: return EXIT_SUCCESS even when no overrides are found
  • sss_override: return EXIT_FAILURE if file does not exist during import
  • ERRORS: Add errors to indicate whether SSSD is running or not
  • SBUS ERRORS: Add unknown domain
  • SBUS: Fix typo in comment
  • SBUS: Add string helper macros
  • DP: Add function to get be_ctx directly from dp_client
  • DP: Add org.freedesktop.sssd.DataProvider.Backend
  • DP: Add org.freedesktop.sssd.DataProvider.Failover
  • IFP: Provide domain and failover status
  • sssctl: new tool
  • sssctl: restart SSSD when removing cache
  • sssctl: remove also ccache
  • sudo: solve problems with fully qualified names
  • sssctl: manual page

Pavel Reichl (61):

  • SDAP: Relax POSIX check
  • SDAP: Relax POSIX check
  • AD: fix minor memory leak
  • IPA: fix minor memory leak
  • SDAP: fix minor memory leak
  • PROXY: fix minor memory leak
  • sss_override: amend man page - overrides do not stack
  • DYNDNS: use realm and server commands only as fallback
  • DYNDNS: improve nsupdate_msg_add_fwd()
  • intg: fix assert messages in test_memory_cache
  • HBAC: remove misleading comment about deny rules
  • sudo: remove unused param. in ldap_get_sudo_options
  • autofs: remove unused params in del_autofs_entries
  • LDAP: remove unused param. in sdap_fallback_local_user
  • PAM: remove unused parameter cdb
  • sss_override: Remove unused parameter tool_ctx
  • SDAP: optional warning - sizelimit exceeded in POSIX check
  • SDAP: allow_paging in sdap_get_generic_ext_send()
  • SDAP: change type of attrsonly in sdap_get_generic_ext_state
  • SDAP: pass params in sdap_get_and_parse_generic_send
  • SDAP: optional warning - sizelimit exceeded in POSIX check
  • SDAP: allow_paging in sdap_get_generic_ext_send()
  • SDAP: change type of attrsonly in sdap_get_generic_ext_state
  • SDAP: pass params in sdap_get_and_parse_generic_send
  • sss_override: Removed overrides might be in memcache
  • sss_override: amend man page - overrides do not stack
  • sss_override: Removed overrides might be in memcache
  • sudo: remove unused param name in sdap_sudo_get_usn()
  • pam-srv-tests: split pam_test_setup() so it can be reused
  • pam-srv-tests: Add UT for cached 'online' auth.
  • pam-srv-tests: split pam_test_setup() so it can be reused
  • pam-srv-tests: Add UT for cached 'online' auth.
  • intg: Add test for user and group local overrides
  • intg: Add test for user and group local overrides
  • sysdb-tests: Fix warning - incompatible pointer type
  • sysdb-tests: Fix warning - incompatible pointer type
  • sudo: remove unused param name in sdap_sudo_get_usn()
  • sudo: remove unused param. in ldap_get_sudo_options
  • IDMAP: Fix computing max id for slice range
  • IDMAP: New structure for domain range params
  • IDMAP: Add support for automatic adding of ranges
  • IDMAP: Fix computing max id for slice range
  • IDMAP: New structure for domain range params
  • IDMAP: Add support for automatic adding of ranges
  • IDMAP: Fix minor memory leak
  • IDMAP: Fix minor memory leak
  • IDMAP: Man change for ldap_idmap_range_size option
  • IDMAP: Man change for ldap_idmap_range_size option
  • NSS: Fix memory leak netgroup
  • NSS: Fix memory leak netgroup
  • SDAP: Add error code to debug message
  • IDMAP: Add test to validate off by one bug
  • IDMAP: Add test to validate off by one bug
  • SDAP: Add return code ERR_ACCOUNT_LOCKED
  • PAM: Pass account lockout status and display message
  • SDAP: Add return code ERR_ACCOUNT_LOCKED
  • PAM: Pass account lockout status and display message
  • IDMAP: Add minor performance improvements
  • IDMAP: Make parameter names more descriptive
  • DP TESTS: Add unit tests for dp_request.c
  • DP TESTS: Add unit tests for dp_builtin.c

Petr Cech (73):

  • TESTS: Fixing of uninitialized pointer.
  • HBAC: Better libhbac debugging
  • REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
  • REFACTOR: DFL_RSP_UMASK constant in responder code
  • REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
  • REFACTOR: SCKT_RSP_UMASK constant in responder code
  • P11_CHILD_NSS: More restrictive permissions
  • UTILS: More restrictive permissions in domain_info
  • UTIL-TESTS: More restrictive permissions
  • TESTS: More restrictive permissions in debug_tests
  • TESTS: Restrictive permissions in check_and_open
  • DEBUG: Preventing chown_debug_file if journald on
  • DEBUG: Preventing chown_debug_file if journald on
  • KRB5_CHILD: More restrictive umask
  • UTIL: More restrictive umask on sss_unique_file()
  • TOOLS: DFL_UMASK --> SSS_DFL_UMASK
  • TEST: Add test_user_by_recent_filter_valid
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Add common function are_values_in_array()
  • TEST: Add test_users_by_recent_filter_valid
  • TEST: Add test_group_by_recent_filter_valid
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Add test_groups_by_recent_filter_valid
  • TEST: Add test_user_by_recent_filter_valid
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Add common function are_values_in_array()
  • TEST: Add test_users_by_recent_filter_valid
  • TEST: Add test_group_by_recent_filter_valid
  • TEST: Refactor of test_responder_cache_req.c
  • TEST: Add test_groups_by_recent_filter_valid
  • IPA_PROVIDER: Explicit no handle of services
  • IPA_PROVIDER: Explicit no handle of services
  • KRB5_CHILD: Debug logs for PAC timeout
  • KRB5_CHILD: Debug logs for PAC timeout
  • KRB5: Adding DNS SRV lookup for krb5 provider
  • KRB5: Adding DNS SRV lookup for krb5 provider
  • TOOLS: Fix memory leak after getline() failed
  • TOOLS: Add comments on functions in colondb
  • TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
  • TOOLS: Fix memory leak after getline() failed
  • TOOLS: Add comments on functions in colondb
  • TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
  • REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
  • REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
  • TESTS: global_talloc_context push/pop remove
  • NEGCACHE: Fixing typo in test_sss_ncache_gid()
  • NEGCACHE: Removing of condition for ttl = -1
  • SYSDB: Add new functions into sysdb_sudo
  • TESTS: Test of sysdb_search_sudo_rules
  • SSS_CACHE: Refactor
  • TOOL: Invalidation of sudo rules at sss_cache
  • AUTOFS: Removing of redundant debug message
  • TEST: Removing duplication of mock_rctx
  • NEGCACHE: Adding timeout to struct sss_nc_ctx
  • NEGCACHE: Removing timeout from sss_ncache_check_*
  • NEGCACHE: Adding getter for timeout
  • RESPONDER: Removing neg_timeout from pam responder
  • RESPONDER: Removing neg_timeout from pac_ctx
  • RESPONDER: Removing neg_timeout from sudo resp.
  • RESPONDER: Removing neg_timeout from ifp responder
  • RESPONDER: Removing neg_timeout from nss responder
  • RESPONDERS: Negcache in resp_ctx preparing
  • RESPONDER: Removing ncache from nss_ctx
  • RESPONDER: Removing ncache from ifp_ctx
  • RESPONDER: Removing ncache from pac_ctx
  • RESPONDER: Removing ncache from pam_ctx
  • RESPONDER: Removing ncache from sudo_ctx
  • RESPONDER: Removing of redundant function
  • AD_PROVIDER: Fix constant char *
  • RESPONDERS: Negative caching of local users
  • TEST: New tests for negative caching of locals

Robert Antoni Buj Gelonch (1):

  • Add Catalan translation to LINGUAS

Simo Sorce (20):

  • Krb5/PAM: Fix account lockout error handling
  • Util: Improve code to get connection credentials
  • Util: Move socket setup in a common utility file
  • Util: Set socket options and flags separately
  • Util Sockets: Tidy up connect() handling
  • Responders: Fix client destructor
  • Util: Add watchdog helper
  • Server: Enable Watchdog in all daemons
  • Monitor: Remove ping infrastructure
  • Responders: Make the client context more generic
  • Responders: Add support for socket activation
  • ConfDB: Add helper function to get "subsections"
  • Secrets: Add autoconf macros to build with secrets
  • Secrets: Add initial responder code for secrets service
  • Add initial providers infrastructure.
  • Secrets: Add encryption at rest
  • Secrets: Add Proxy backend
  • Local secrets provider Content-Type handling
  • Secrets: Add local container entries support
  • Monitor: Add mode to generate confdb only

Stephen Gallagher (15):

  • LDAP: Inform about small range size
  • LDAP: Inform about small range size
  • Monitor: Show service pings at debug level 8
  • Monitor: Show service pings at debug level 8
  • GPO: Add Cockpit to the Remote Interactive defaults
  • GPO: Add other display managers to interactive logon
  • GPO: Add Cockpit to the Remote Interactive defaults
  • GPO: Add other display managers to interactive logon
  • Netlink: Ignore RTM_NEWADDR signals from link-local
  • GPO: Add "unity" to ad_gpo_map_interactive
  • UTIL: Add secure copy function
  • Internal: Rename CONFDB_DEFAULT_CONFIG_FILE
  • CONFIG: Use default config when none provided
  • GPO: Add "polkit-1" to ad_gpo_map_allow
  • DEBUG: Add debug alias for debug_level

Sumit Bose (117):

  • PAM: only allow missing user name for certificate authentication
  • PAM: only allow missing user name for certificate authentication
  • fix ldb_search usage
  • fix upn cache_req for sub-domain users
  • nss: fix UPN lookups for sub-domain users
  • fix ldb_search usage
  • fix upn cache_req for sub-domain users
  • nss: fix UPN lookups for sub-domain users
  • DP: successful authentication sets explicitly PAM_SUCCESS
  • NSS: fix a use-after-free issue
  • pam-srv-tests: Change service name
  • cache_req: check all domains for lookups by certificate
  • cache_req: check all domains for lookups by certificate
  • IPA: fix override with the same name
  • IPA: fix override with the same name
  • p11: allow p11_child to run completely unprivileged
  • p11: allow p11_child to run completely unprivileged
  • p11: check if cert is valid before selecting it
  • p11: check if cert is valid before selecting it
  • p11: enable ocsp checks
  • p11: enable ocsp checks
  • ldap: skip sdap_save_grpmem() if ignore_group_members is set
  • initgr: only search for primary group if it is not already cached
  • ldap: skip sdap_save_grpmem() if ignore_group_members is set
  • initgr: only search for primary group if it is not already cached
  • LDAP: check early for missing SID in mapping check
  • LDAP: check early for missing SID in mapping check
  • nfs idmap: fix infinite loop
  • nfs idmap: fix infinite loop
  • ipa_s2n_save_objects(): use configured user and group timeout
  • Use right domain for user lookups
  • sdap_save_grpmem: determine domain by SID if possible
  • Use right domain for user lookups
  • sdap_save_grpmem: determine domain by SID if possible
  • ipa_s2n_save_objects(): use configured user and group timeout
  • ldap: remove originalMemberOf if there is no memberOf
  • ldap: remove originalMemberOf if there is no memberOf
  • UTIL: allow to skip default options for child processes
  • DP_TASK: add be_ptask_get_timeout()
  • AD: add task to renew the machine account password if needed
  • FO: add fo_get_active_server()
  • FO: add be_fo_get_active_server_name()
  • AD: try to use current server in the renewal task
  • UTIL: allow to skip default options for child processes
  • DP_TASK: add be_ptask_get_timeout()
  • AD: add task to renew the machine account password if needed
  • FO: add fo_get_active_server()
  • FO: add be_fo_get_active_server_name()
  • AD: try to use current server in the renewal task
  • p11: add gnome-screensaver to list of allowed services
  • p11: add gnome-screensaver to list of allowed services
  • Just return NULL if tevent_req_create() fails
  • subdomains: inherit ldap_krb5_keytab
  • IPA: lookup idview name even if there is no master domain record
  • IPA: invalidate override data if original view is missing
  • IPA: lookup idview name even if there is no master domain record
  • IPA: invalidate override data if original view is missing
  • sdap: improve filtering of multiple results in GC lookups
  • sdap: improve filtering of multiple results in GC lookups
  • pam_sss: reorder pam_message array
  • pam_sss: reorder pam_message array
  • SDAP: make some AD specific calls public
  • LDAP: refactor sdap_ad_tokengroups_initgr_mapping_done()
  • util: make concatenate_string_array() reusable
  • AD: process PAC during initgroups request
  • IPA: rename ipa_s2n_get_fqlist* to ipa_s2n_get_list*
  • IPA: ipa_s2n_get_list_send() allow other list types
  • IPA: resolve PAC for trusted users on IPA clients
  • PAC: only save PAC blob into the cache
  • sss_override: do not generate DN, search object
  • tools: read additional data of the master domain
  • sss_override: only add domain if name is not fully qualified
  • intg: local override for user with mixed case name
  • sss_override: do not generate DN, search object
  • tools: read additional data of the master domain
  • sss_override: only add domain if name is not fully qualified
  • intg: local override for user with mixed case name
  • krb5_auth_store_creds: silence spurious debug message
  • build: move ndr_krb5pac check to the other Samba checks
  • IPA: terminate properly if view name lookup fails
  • IPA: use forest name when looking up the Global Catalog
  • libwbclient: wbcSidsToUnixIds() don't fail on errors
  • AD: use krb5_keytab for subdomain initialization
  • p11: add missing man page entry and config API
  • p11: add no_verification option
  • p11: add OCSP default responder options
  • PAM: add pam_sss option allow_missing_name
  • p11: add PKCS11_LOGIN_TOKEN_NAME environment variable
  • sysdb: add sysdb_attrs_add_base64_blob()
  • sysdb: add searches by certificate with overrides
  • cache_req: use override aware call for lookup by certificate
  • ipa: add support for certificate overrides
  • nss: include certificates in full result list
  • ipa: save cert as blob in the cache
  • AD: read user certificate if available
  • nss: return user certificate base64 encoded
  • sss_override: add certificate support
  • IPA: allow lookups by cert in sub-domains on the client
  • NSS: add SSS_NSS_GETNAMEBYCERT request
  • nss-idmap: add sss_nss_getnamebycert()
  • ssh: skip invalid certificates
  • Add winbind idmap plugin
  • localauth: remove enable_only sssd from config snippet
  • localauth: make plugin non-authoritative on failures
  • utils: add sss_write_krb5_snippet_common()
  • IPA/AD: globally set krb5 canonicalization flag
  • NSS: Fix domain for UPN based lookups
  • TESTS: orig_name does not need to be expanded to sysdb format
  • LDAP: fix typo
  • IPA: expand name in ipa_add_ad_memberships_get_next()
  • IPA: add missing user name to homedir_ctx
  • IPA: make get_object_from_cache() aware of UPN searches
  • SYSDB: qualify_attr: create new attribute only once
  • fix some 'might be used uninitialized' warnings
  • PAM/KRB5: optional otp and password prompting
  • SSH-CERT: always initialize cert_verify_opts
  • cert_to_ssh_key: properly add leading 0 to bignums