sssd.git, branch f23 sssd with jhrozek's patches IPA: Always re-fetch the keytab from the IPA server 2015-09-07T16:22:05+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-24T11:13:08+00:00 042600d08a9d3188d7d3135fc235e6a7c2237a4b Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.

This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
UTIL: Provide a common interface to safely create temporary files 2015-09-07T16:21:55+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-12T10:41:44+00:00 5b71bd7da12503792a481b1599bfcf9415b1014f Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Change the default of ldap_user_certificate to userCertificate;binary 2015-09-07T16:21:48+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-10T10:40:39+00:00 6a5abcaf3eb6133bc96c44a11e423fe7a0dca3a6 This is safe from ldb point of view, because ldb gurantees the data is NULL-terminated. We must be careful before we save the data, though. Resolves: https://fedorahosted.org/sssd/ticket/2742 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This is safe from ldb point of view, because ldb gurantees the data is
NULL-terminated. We must be careful before we save the data, though.

Resolves:
https://fedorahosted.org/sssd/ticket/2742

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: use ldb_binary_encode when printing attribute values 2015-09-07T16:21:42+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-10T10:40:30+00:00 0158fc7bd5b1ffeb2ae9929e5af6924c831a132a Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA: Handle sssd-owned keytabs when running as root 2015-09-07T16:20:27+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-22T15:20:11+00:00 fd68d59f701ff90e4baae7b4bd137c374c719e8a https://fedorahosted.org/sssd/ticket/2718 This patch handles the case where the keytab is created with sssd:sssd ownership (perhaps by the IPA oddjob script) but SSSD runs as root, which is the default in many distributions. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/sssd/ticket/2718

This patch handles the case where the keytab is created with sssd:sssd
ownership (perhaps by the IPA oddjob script) but SSSD runs as root,
which is the default in many distributions.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
UTIL: Lower debug level in perform_checks() 2015-09-07T16:20:21+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-22T14:29:09+00:00 75b3a8eaaaa74d34406a2899c8e21ba12233ab6e Failures in perform_checks() don't have to be fatal, therefore the debug messages shouldn't be either. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
Failures in perform_checks() don't have to be fatal, therefore the debug
messages shouldn't be either.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
IPA: Better debugging 2015-09-07T16:20:14+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-22T13:17:57+00:00 9581883ba3d8651aca3888d6883f41280cd97979 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> 
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
IPA: Remove MPG groups if getgrgid was called before getpw() 2015-09-07T16:12:16+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-21T09:44:03+00:00 e5dcfc2888611cadc482307d8b5147f85332ec86 https://fedorahosted.org/sssd/ticket/2724 This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect. If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users. To work around that, we remove the UPG groups in MPG domains during a group lookup. Reviewed-by: Sumit Bose <sbose@redhat.com> 
https://fedorahosted.org/sssd/ticket/2724

This bug only affects IPA clients that are connected to IPA servers with
AD trust and ID mapping in effect.

If an IPA client calls getgrgid() for an ID that matches a user, the
user's private group would be returned and stored as a group entry.

Subsequent queries for that user would fail, because MPG domains impose
uniqueness restriction for both the ID and name space across groups and
users.

To work around that, we remove the UPG groups in MPG domains during a
group lookup.

Reviewed-by: Sumit Bose <sbose@redhat.com>
TESTS: dyndns tests support AAAA addresses 2015-09-07T16:08:25+00:00 Pavel Reichl preichl@redhat.com 2015-07-15T14:58:38+00:00 e2e8e236d8cdf171e12ee2a351f4ff877477b53c Resolves: https://fedorahosted.org/sssd/ticket/2558 
Resolves:
https://fedorahosted.org/sssd/ticket/2558
DYNDNS: special value '*' for dyndns_iface option 2015-09-07T16:08:17+00:00 Pavel Reichl preichl@redhat.com 2015-07-14T08:21:34+00:00 236e56df392a18ac0ccc23f56f4e9586f996a16f Option dyndns_iface has now special value '*' which implies that IPs from add interfaces should be sent during DDNS update. 
Option dyndns_iface has now special value '*' which implies that IPs
from add interfaces should be sent during DDNS update.