sssd.git/src, branch rhel7.0 sssd with jhrozek's patches LDAP/AD: do not resolve group members during tokenGroups request 2015-03-17T15:56:00+00:00 Sumit Bose sbose@redhat.com 2015-03-09T15:36:29+00:00 bfa2f2a8125d20f374f5ee8647f2e54d5bca7c06 During initgroups requests we try to avoid to resolve the complete member list of groups if possible, e.g. if there are no nested groups. The tokenGroups LDAP lookup return the complete list of memberships for a user hence it is not necessary lookup the other group member and un-roll nested groups. With this patch only the group entry is looked up and saved as incomplete group to the cache. This is achieved by adding a new boolean parameter no_members to groups_get_send() and sdap_get_groups_send(). The difference to config options like ldap_group_nesting_level = 0 or ignore_group_members is that if no_members is set to true groups which are missing in the cache are created a incomplete groups. As a result a request to lookup this group will trigger a new LDAP request to resolve the group completely. This way no information is ignored but the time needed to read all data is better distributed between different requests. https://fedorahosted.org/sssd/ticket/2601 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1) 
During initgroups requests we try to avoid to resolve the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup return the complete list of memberships for
a user hence it is not necessary lookup the other group member and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.

This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created a incomplete groups. As a result a request to lookup this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.

https://fedorahosted.org/sssd/ticket/2601

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1)
LDAP: Enable tokenGroups with Windows Server 2003 2014-10-14T09:39:30+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-28T16:07:52+00:00 442af10df5ece547f025e93c08a88ee240235682 According to Microsoft documentation, the tokenGroups attribute is available since Windows 2000: http://msdn.microsoft.com/en-us/library/cc220937.aspx We were not able to test against Windows 2000, though, as we don't have that OS around, so this patch only changes the compatibility level to 2003. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 5c2f2023696d1ff79c3c5d94b89e7ef9cd4159e9) 
According to Microsoft documentation, the tokenGroups attribute is
available since Windows 2000:
http://msdn.microsoft.com/en-us/library/cc220937.aspx

We were not able to test against Windows 2000, though, as we don't have
that OS around, so this patch only changes the compatibility level to
2003.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5c2f2023696d1ff79c3c5d94b89e7ef9cd4159e9)
LDAP: Fall back to functional level of Windows Server 2003 2014-10-14T09:37:27+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-27T15:21:26+00:00 7a2d5d5994ff706e57f91140eb11f6ee4730cf13 The newest functional level we branch for is currently DS_BEHAVIOR_WIN2003. Therefore (and also because extended support for Windows server 2003 ends in 2015) we can safely set the functional level to 2003 if the attribute is present but not a known value. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 0fafb51756913e78dbf523a69fc3a4ef2bac54ec) 
The newest functional level we branch for is currently
DS_BEHAVIOR_WIN2003. Therefore (and also because extended support for
Windows server 2003 ends in 2015) we can safely set the functional level
to 2003 if the attribute is present but not a known value.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 0fafb51756913e78dbf523a69fc3a4ef2bac54ec)
LDAP: Add Windows Server 2012 R2 functional level 2014-10-14T09:36:45+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-27T15:14:07+00:00 6c3e3b0c05ee4bb5ecede4312946de360f3855f5 https://fedorahosted.org/sssd/ticket/2418 According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a Windows Server 2012 R2 has a functional level set to '6'. We need to support that value in order for tokenGroups to be functional. For more information on the functional levels, please refer to: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 9ea0969f6a9e52b7c57feb5808266b0739ee40a4) 
https://fedorahosted.org/sssd/ticket/2418

According to http://msdn.microsoft.com/en-us/library/cc223272.aspx a
Windows Server 2012 R2 has a functional level set to '6'. We need to
support that value in order for tokenGroups to be functional.

For more information on the functional levels, please refer to:
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9ea0969f6a9e52b7c57feb5808266b0739ee40a4)
IPA: Use GC for group lookups in server mode 2014-10-14T09:04:41+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-09T20:13:52+00:00 756a944b898e55a83c212999b31ba6550af4b1ce https://fedorahosted.org/sssd/ticket/2412 Even though AD trusts often work with POSIX attributes which are normally not replicated to GC, our group lookups are smart since commit 008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using the LDAP connection and only use the GC connection to look up the members. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f) 
https://fedorahosted.org/sssd/ticket/2412

Even though AD trusts often work with POSIX attributes which are
normally not replicated to GC, our group lookups are smart since commit
008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
the LDAP connection and only use the GC connection to look up the members.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
Ignore referrals in deref and ASQ, too 2014-10-14T09:04:41+00:00 Jakub Hrozek jhrozek@redhat.com 2014-09-10T09:55:24+00:00 5b5cb000d63c3edad40ebb420776df2a18950fcb Reviewed-by: Michal Židek <mzidek@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>
LDAP: Ignore returned referrals if referral support is disabled 2014-10-14T09:04:41+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-20T12:00:38+00:00 b224c49b8f0a9cdf343a443fdf2190dc6f047508 Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2) 
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2)
IPA: handle searches by SID in apply_subdomain_homedir 2014-10-14T09:04:41+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-12T08:32:33+00:00 5ecab6dc08ac35a400e067af09b49e7fcb0f17c0 https://fedorahosted.org/sssd/ticket/2391 apply_subdomain_homedir() didn't handle the situation where an entity that doesn't match was requested from the cache. For user and group lookups this wasn't a problem because the negative match was caught sooner. But SID lookups can match either user or group. When a group SID was requested, the preceding LDAP request matched the SID and stored the group in the cache. Then apply_subdomain_homedir() only tried to search user by SID, didn't find the entry and accessed a NULL pointer. A simple reproducer is: $ python >>> import pysss_nss_idmap >>> pysss_nss_idmap.getnamebysid(group_sid) The group_sid can be anything, including Domain Users (XXX-513) Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442) 
https://fedorahosted.org/sssd/ticket/2391

apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.

But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.

A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)

The group_sid can be anything, including Domain Users (XXX-513)

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 82347f452febe3cbffc36b0a3308ffb462515442)
tests: Remove tests that check creating public directories 2014-05-21T13:35:05+00:00 Jakub Hrozek jhrozek@redhat.com 2014-01-07T09:43:55+00:00 567093719cba804366d49b8e27562bad192c6f71 The functionality was removed, but we forgot to remove the corresponding tests, mostly because these tests were only ever ran as root. 
The functionality was removed, but we forgot to remove the corresponding
tests, mostly because these tests were only ever ran as root.
ipa subdomains provider: make sure search by SID works for homedir 2014-05-21T13:35:05+00:00 Alexander Bokovoy abokovoy@redhat.com 2014-05-13T08:22:29+00:00 503e1ebb9c36ecb978a28a5cefd94d24945ee39b Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>