sssd.git/src/responder, branch subdomfo sssd with jhrozek's patches UTIL: Convert domain->disabled into tri-state with domain states 2015-09-01T12:06:29+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-18T15:15:44+00:00 13e1628e34e4b4bc2320a87dd5ac888c70a63ddd This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as enabled, previously we only relied on talloc_zero marking dom->disabled as false. 
This is a first step towards making it possible for domain to be around,
but not contacted by Data Provider.

Also explicitly create domains as enabled, previously we only relied on
talloc_zero marking dom->disabled as false.
NSS: Don't ignore backslash in usernames with ldap provider 2015-09-01T06:41:51+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-08-28T05:07:40+00:00 90b8e2e47ecc0dd555cae401a0c9b082d12ab989 The regression was caused by changing default domain regex for ldap provider in ticket #2717 Resolves: https://fedorahosted.org/sssd/ticket/2772 Reviewed-by: Sumit Bose <sbose@redhat.com> 
The regression was caused by changing default domain regex
for ldap provider in ticket #2717

Resolves:
https://fedorahosted.org/sssd/ticket/2772

Reviewed-by: Sumit Bose <sbose@redhat.com>
UTIL: Function 2string for enum sss_cli_command 2015-08-31T16:30:19+00:00 Petr Cech pcech@redhat.com 2015-07-08T11:17:28+00:00 11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a Improvement of debug messages. Instead of:"(0x0400): Running command [17]..." We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..." (It's not used in sss_client. There are only hex numbers of commands.) Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Improvement of debug messages.
Instead of:"(0x0400): Running command [17]..."
We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
(It's not used in sss_client. There are only hex numbers of commands.)

Resolves:
https://fedorahosted.org/sssd/ticket/2708

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
NSS: Fix use after free 2015-08-20T20:48:28+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-08-07T12:29:45+00:00 b9901fe3d6cfe05cd75a2440c0f9c7985aea36c6 It can happed if there are two domains and user is not found in the first one. ==29279== Invalid read of size 1 ==29279== at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==29279== by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2) ==29279== by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191) ==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208) ==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759) ==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802) ==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96) ==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341) ==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911) ==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114) ==29279== Address 0xbbad240 is 96 bytes inside a block of size 106 free'd ==29279== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==29279== by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2) ==29279== by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190) ==29279== by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208) ==29279== by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759) ==29279== by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802) ==29279== by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4) ==29279== by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96) ==29279== by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341) ==29279== by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911) ==29279== by 0x879A936: std_event_loop_once (tevent_standard.c:114) Resolves: https://fedorahosted.org/sssd/ticket/2749 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
It can happed if there are two domains and user is not found
in the first one.

==29279== Invalid read of size 1
==29279==    at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279==    by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2)
==29279==    by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191)
==29279==    by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279==    by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279==    by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279==    by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279==    by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279==    by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279==    by 0x879A936: std_event_loop_once (tevent_standard.c:114)
==29279==  Address 0xbbad240 is 96 bytes inside a block of size 106 free'd
==29279==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279==    by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2)
==29279==    by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190)
==29279==    by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279==    by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279==    by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279==    by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279==    by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279==    by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279==    by 0x879A936: std_event_loop_once (tevent_standard.c:114)

Resolves:
https://fedorahosted.org/sssd/ticket/2749

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SSH: Use sss_unique_file_ex to create the known hosts file 2015-08-17T13:22:15+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-12T11:05:32+00:00 84493af37d4b57294e94b7bb0596dec51e06b7b0 Simplifies the code. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Simplifies the code.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
pam: Incerease p11 child timeout 2015-08-17T13:10:03+00:00 Michal Židek mzidek@redhat.com 2015-08-13T12:03:24+00:00 9da121c08b785b56733a11fa46e14c708dda62e9 Ticket: https://fedorahosted.org/sssd/ticket/2746 It was timeouting often in CI machines. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Ticket:
https://fedorahosted.org/sssd/ticket/2746

It was timeouting often in CI machines.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
sudo: use "higher value wins" when ordering rules 2015-08-14T20:47:45+00:00 Pavel Březina pbrezina@redhat.com 2015-07-29T12:51:30+00:00 52e3ee5c5ff2c5a4341041826a803ad42d2b2de7 This commit changes the default ordering logic (lower value wins) to a correct one that is used by native ldap support. It also adds a new option sudo_inverse_order to switch to the original SSSD (incorrect) behaviour if needed. Resolves: https://fedorahosted.org/sssd/ticket/2682 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This commit changes the default ordering logic (lower value wins) to
a correct one that is used by native ldap support. It also adds a new
option sudo_inverse_order to switch to the original SSSD (incorrect)
behaviour if needed.

Resolves:
https://fedorahosted.org/sssd/ticket/2682

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IFP: use default limit if provided is 0 2015-08-14T20:44:50+00:00 Pavel Březina pbrezina@redhat.com 2015-08-13T10:46:59+00:00 ef7de95fc4827a660254a942fa394f34ed9694a9 Returning zero values doesn't make any sense, so we may use it as "use sssd configuration instead". Reviewed-by: Petr Cech <pcech@redhat.com> 
Returning zero values doesn't make any sense, so we may use it as
"use sssd configuration instead".

Reviewed-by: Petr Cech <pcech@redhat.com>
NSS: Initgr memory cache should work with fq names 2015-08-05T09:28:37+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-07-13T08:40:06+00:00 dda0258705de7255e6ec54b7f9adbde83a220996 We need to stored two versions of name to the initgroups memory cache. Otherwise it could be stored many times if sssd is configured with case_sensitive = false. It would be impossible to invalidate all version of names after user login. As a result of this wrong user groups could be returned from initgroups memory cache. Therefore we store raw name provided by glibc function and internal sanitized fully qualified name, which is unique for particular user. This patch also increase average space for initgroups because there are also stored two quite long names in case of fq names. Resolves: https://fedorahosted.org/sssd/ticket/2712 Reviewed-by: Michal Židek <mzidek@redhat.com> 
We need to stored two versions of name to the initgroups memory cache.
Otherwise it could be stored many times if sssd is configured with
case_sensitive = false. It would be impossible to invalidate all
version of names after user login. As a result of this wrong user
groups could be returned from initgroups memory cache.

Therefore we store raw name provided by glibc function
and internal sanitized fully qualified name,
which is unique for particular user.

This patch also increase average space for initgroups
because there are also stored two quite long names in case of
fq names.

Resolves:
https://fedorahosted.org/sssd/ticket/2712

Reviewed-by: Michal Židek <mzidek@redhat.com>
mmap: Invalidate initgroups memory cache after any change 2015-08-05T09:28:23+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-08-03T10:58:03+00:00 ea7839cec593b4a7c678fab52ab864518db6699b Initgroups memory cache was invalidated only in case on removed user. it should be invalidated also after changes in group membership. Resolves: https://fedorahosted.org/sssd/ticket/2716 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Initgroups memory cache was invalidated only in case on removed user.
it should be invalidated also after changes in group membership.

Resolves:
https://fedorahosted.org/sssd/ticket/2716

Reviewed-by: Michal Židek <mzidek@redhat.com>