sssd.git, branch memberof sssd with jhrozek's patches memberof: Use fqname instead of name 2015-05-05T14:11:16+00:00 Jakub Hrozek jhrozek@redhat.com 2015-05-04T10:08:18+00:00 2434f76240756cbba61972684652f6bc6b6cf491 






SPEC: Fix cyclic dependencies between sssd-{krb5,}-common
2015-05-05T13:49:02+00:00

Lukas Slebodnik
lslebodn@redhat.com

2015-04-18T15:36:35+00:00

56552c518a07b45b25d4a2ef58d37fac0918ce60

libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common)
and sssd-krb5-common requires sssd-common.

sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so
000000000000c4d0 T krb5_service_init
000000000000b8c0 T krb5_try_kdcip
000000000000c710 T remove_krb5_info_files
0000000000014960 T select_principal_from_keytab
00000000000141d0 T sss_krb5_get_error_message

sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so
                 U krb5_service_init
                 U krb5_try_kdcip
                 U remove_krb5_info_files
                 U select_principal_from_keytab
                 U sss_krb5_get_error_message

This patch fix cyclic dependency with rpm packaging becuase
it's not simple task to remove krb5 dependency from ldap provider.

Resolves:
https://fedorahosted.org/sssd/ticket/2507

Reviewed-by: Pavel Březina <pbrezina@redhat.com>





libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common)
and sssd-krb5-common requires sssd-common.

sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so
000000000000c4d0 T krb5_service_init
000000000000b8c0 T krb5_try_kdcip
000000000000c710 T remove_krb5_info_files
0000000000014960 T select_principal_from_keytab
00000000000141d0 T sss_krb5_get_error_message

sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so
                 U krb5_service_init
                 U krb5_try_kdcip
                 U remove_krb5_info_files
                 U select_principal_from_keytab
                 U sss_krb5_get_error_message

This patch fix cyclic dependency with rpm packaging becuase
it's not simple task to remove krb5 dependency from ldap provider.

Resolves:
https://fedorahosted.org/sssd/ticket/2507

Reviewed-by: Pavel Březina <pbrezina@redhat.com>







SDAP: Fix id mapping with disabled subdomains
2015-05-05T13:47:20+00:00

Lukas Slebodnik
lslebodn@redhat.com

2015-04-28T18:26:47+00:00

21687d1d553579e81aa43bfa20f2e70fb39e8461

If subdomains are disabled "subdomain_provider = none"
then auto-discovery discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.

However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.

[be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
[be_req_set_domain] (0x0400):
        Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
[sdap_search_user_next_base] (0x0400):
        Searching for users with base [DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400):
        calling ldap_search_ext with
                        [(&(sAMAccountName=hdpadmin)(objectclass=user)
                           (sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
                        [DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users

Resolves:
https://fedorahosted.org/sssd/ticket/2635

Reviewed-by: Pavel Březina <pbrezina@redhat.com>





If subdomains are disabled "subdomain_provider = none"
then auto-discovery discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.

However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.

[be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
[be_req_set_domain] (0x0400):
        Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
        Could not parse domain SID from [(null)]
[sdap_search_user_next_base] (0x0400):
        Searching for users with base [DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400):
        calling ldap_search_ext with
                        [(&(sAMAccountName=hdpadmin)(objectclass=user)
                           (sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
                        [DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users

Resolves:
https://fedorahosted.org/sssd/ticket/2635

Reviewed-by: Pavel Březina <pbrezina@redhat.com>







sss_nss_idmap-tests: Use different prepared buffers for big endian
2015-05-04T11:55:02+00:00

Lukas Slebodnik
lslebodn@redhat.com

2015-05-04T05:34:19+00:00

582f6b1d15d216a39a66b70f0b3ecdf5b0f47673

We get error EBADMSG instead of EOK due to endianess issue

[==========] Running 2 test(s).
[ RUN      ] test_getsidbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:108: error: Failure!

[  FAILED  ] test_getsidbyname
[ RUN      ] test_getorigbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:127: error: Failure!

[  FAILED  ] test_getorigbyname

Reviewed-by: Sumit Bose <sbose@redhat.com>





We get error EBADMSG instead of EOK due to endianess issue

[==========] Running 2 test(s).
[ RUN      ] test_getsidbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:108: error: Failure!

[  FAILED  ] test_getsidbyname
[ RUN      ] test_getorigbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:127: error: Failure!

[  FAILED  ] test_getorigbyname

Reviewed-by: Sumit Bose <sbose@redhat.com>







GPO: Do not ignore missing attrs for GPOs
2015-04-30T06:47:00+00:00

Lukas Slebodnik
lslebodn@redhat.com

2015-04-29T07:17:18+00:00

03e5f1528184a558fd990e66f083157b404dce08

We don't want to skip over a GPO that might properly be denying
users.

[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
    Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
    calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
    Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
    Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
        ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
    Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
    no attrs found for GPO; try next GPO.

Resolves:
https://fedorahosted.org/sssd/ticket/2629

Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>





We don't want to skip over a GPO that might properly be denying
users.

[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
    Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
    calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
    Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
    Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
        ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
    Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
    no attrs found for GPO; try next GPO.

Resolves:
https://fedorahosted.org/sssd/ticket/2629

Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>







autofs: fix 'Cannot allocate memory' with FQDNs
2015-04-30T06:24:57+00:00

Aron Parsons
parsonsa@bit-sys.com

2015-04-29T02:44:18+00:00

4df706219e64527209f12ad0c7814ee1be979c07

https://fedorahosted.org/sssd/ticket/2643

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





https://fedorahosted.org/sssd/ticket/2643

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







IPA: fix segfault in ipa_s2n_exop
2015-04-29T15:09:04+00:00

Aron Parsons
parsonsa@bit-sys.com

2015-04-29T03:19:32+00:00

c520f40d1a2d77cf1d413451b5682297733521ed

can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.

Reviewed-by: Sumit Bose <sbose@redhat.com>





can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.

Reviewed-by: Sumit Bose <sbose@redhat.com>







IPA: allow initgroups by SID for AD users
2015-04-29T09:33:22+00:00

Sumit Bose
sbose@redhat.com

2015-04-22T14:57:37+00:00

f70a1adbfc30b9acc302027439fb8157e0c6ea2a

If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name.  With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name.  With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







simple-access-provider: make user grp res more robust
2015-04-28T09:58:53+00:00

Pavel Reichl
preichl@redhat.com

2015-04-20T15:33:29+00:00

82a958e6592c4a4078e45b7197bbe4751b70f511

Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>







IPA: check ghosts in groups found by uuid as well
2015-04-27T13:42:39+00:00

Sumit Bose
sbose@redhat.com

2015-04-24T15:07:22+00:00

605dc7fcc848dffb7c9d270c864c70e6dff1242e

With views and overrides groups are not allowed to have ghost members
anymore because the name of a member might be overridden. To achieve
this ghost members are looked up and resolved later during group
lookups. Currently this is only done for group lookups by name but
should happen as well if the group is looked up by uuid.

Resolves https://fedorahosted.org/sssd/ticket/2631

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>





With views and overrides groups are not allowed to have ghost members
anymore because the name of a member might be overridden. To achieve
this ghost members are looked up and resolved later during group
lookups. Currently this is only done for group lookups by name but
should happen as well if the group is looked up by uuid.

Resolves https://fedorahosted.org/sssd/ticket/2631

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>