sssd.git/src/providers, branch mdbtest sssd with jhrozek's patches GPO: Do not ignore missing attrs for GPOs 2015-04-30T06:47:00+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-29T07:17:18+00:00 03e5f1528184a558fd990e66f083157b404dce08 We don't want to skip over a GPO that might properly be denying users. [sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD [sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq]. [sssd[be[a.foo.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points ref 1: 'lzb.hq' [sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000): Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com [sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040): no attrs found for GPO; try next GPO. Resolves: https://fedorahosted.org/sssd/ticket/2629 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> 
We don't want to skip over a GPO that might properly be denying
users.

[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
    Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
    calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
    Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
    Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
        ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
    Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
    no attrs found for GPO; try next GPO.

Resolves:
https://fedorahosted.org/sssd/ticket/2629

Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
IPA: fix segfault in ipa_s2n_exop 2015-04-29T15:09:04+00:00 Aron Parsons parsonsa@bit-sys.com 2015-04-29T03:19:32+00:00 c520f40d1a2d77cf1d413451b5682297733521ed can be triggered on demand by assigning a POSIX group with external members sudo privileges, then dropping the cache and doing a sudo -U <user> -l. Reviewed-by: Sumit Bose <sbose@redhat.com> 
can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA: allow initgroups by SID for AD users 2015-04-29T09:33:22+00:00 Sumit Bose sbose@redhat.com 2015-04-22T14:57:37+00:00 f70a1adbfc30b9acc302027439fb8157e0c6ea2a If a user from a trusted AD domain is search with the help of an override name the SID from the override anchor is used to search the user in AD. Currently the initgroups request only allows searches by name. With this patch a SID can be used as well. Resolves https://fedorahosted.org/sssd/ticket/2632 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name.  With this patch a SID can be used as well.

Resolves https://fedorahosted.org/sssd/ticket/2632

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
simple-access-provider: make user grp res more robust 2015-04-28T09:58:53+00:00 Pavel Reichl preichl@redhat.com 2015-04-20T15:33:29+00:00 82a958e6592c4a4078e45b7197bbe4751b70f511 Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Not all user groups need to be resolved if group deny list is empty.

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: check ghosts in groups found by uuid as well 2015-04-27T13:42:39+00:00 Sumit Bose sbose@redhat.com 2015-04-24T15:07:22+00:00 605dc7fcc848dffb7c9d270c864c70e6dff1242e With views and overrides groups are not allowed to have ghost members anymore because the name of a member might be overridden. To achieve this ghost members are looked up and resolved later during group lookups. Currently this is only done for group lookups by name but should happen as well if the group is looked up by uuid. Resolves https://fedorahosted.org/sssd/ticket/2631 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
With views and overrides groups are not allowed to have ghost members
anymore because the name of a member might be overridden. To achieve
this ghost members are looked up and resolved later during group
lookups. Currently this is only done for group lookups by name but
should happen as well if the group is looked up by uuid.

Resolves https://fedorahosted.org/sssd/ticket/2631

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: use sysdb_attrs_add_string_safe to add group member 2015-04-27T13:41:21+00:00 Sumit Bose sbose@redhat.com 2015-04-03T10:12:34+00:00 625cff0b0938538e51fdd3b2d985e6082b492ea5 The member list returned by the extdom plugin might contain some entries more than once. Although this is an issue on the server side to avoid ldb errors duplicates should be filtered out on the client as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
The member list returned by the extdom plugin might contain some entries
more than once. Although this is an issue on the server side to avoid
ldb errors duplicates should be filtered out on the client as well.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA: do not try to save override data for the default view 2015-04-27T13:39:12+00:00 Sumit Bose sbose@redhat.com 2015-04-22T13:10:07+00:00 2ab9a4538eb2e1a255e645f7efdcfd6bb722d265 For the default view all override data is available in the cached user or group object. Even if separate override data is available it should not be written into the cache. Resolves https://fedorahosted.org/sssd/ticket/2630 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
For the default view all override data is available in the cached user
or group object. Even if separate override data is available it should
not be written into the cache.

Resolves https://fedorahosted.org/sssd/ticket/2630

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
ad_opts: Use different default attribute for group name 2015-04-17T11:35:49+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-07T07:47:17+00:00 adb148603344a42d6edffdda0786a10af715dacb The MSFT docs [1,2] for LDAP attributes says: samAccountName is mandotory for 'user' and 'group' objectclasses via the 'Security-Principal' aux-class name is part of the 'top' class and *not* mandatory for 'user' or 'group'. [1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx [2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx Resolves: https://fedorahosted.org/sssd/ticket/2593 Reviewed-by: Sumit Bose <sbose@redhat.com> 
The MSFT docs [1,2] for LDAP attributes says:
samAccountName is mandotory for 'user' and 'group' objectclasses
via the 'Security-Principal' aux-class

name is part of the 'top' class and *not* mandatory for 'user' or 'group'.

[1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx

Resolves:
https://fedorahosted.org/sssd/ticket/2593

Reviewed-by: Sumit Bose <sbose@redhat.com>
subdom: Remove unused function get_flat_name_from_subdomain_name 2015-04-16T07:31:48+00:00 Jakub Hrozek jhrozek@redhat.com 2015-04-15T19:12:26+00:00 6fa190d636805a7126ebc775c0eacdd97dd78035 The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and
is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
AD GPO: Always look up GPOs from machine domain 2015-04-15T15:30:30+00:00 Stephen Gallagher sgallagh@redhat.com 2015-04-10T20:34:37+00:00 475d986b534c5e0dfdb8e2348ab89b13fd4874aa When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined). This patch has the GPO processing use the primary domain instead of the user domain. Resolves: https://fedorahosted.org/sssd/ticket/2606 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
When dealing with users from a child domain, SSSD was attempting to use
the subdomain for lookups. However, all GPOs applicable to this machine
are stored in the primary domain (the domain the host directly joined).

This patch has the GPO processing use the primary domain instead of the
user domain.

Resolves:
https://fedorahosted.org/sssd/ticket/2606

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>