| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the tarball is generated with minimal dependencies extracted from spec file
then translated manual pages are not generated due to missing script po4a.
This step is not necessary for regular nightly/developer builds.
The tarball is created faster without such step. However rpm >= 4.13
will fail due to empty manifest file.
Resolves:
https://fedorahosted.org/sssd/ticket/2738
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Modules libsystemd-journal and libsystemd-login are
deprecated and "libsystemd" should be used instead
of them.
Resolves:
https://fedorahosted.org/sssd/ticket/2733
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The function sss_nss_mc_get_record return copy of record from memory
cache in last argument. Because we should not access data directly
to avoid problems with consistency of record.
The function sss_nss_mc_get_record also check whether length of record
is within data area (with macro MC_CHECK_RECORD_LENGTH)
However we also tried to do the same check in functions sss_nss_mc_get{gr, pw}*
Pointer to end of strings in record was compared to pointer to the end
of data table. But these two pointers are not within the same allocated area
and does not make sense to compare them. Sometimes record can be allocated
before mmaped area and sometime after. Sometimes it will return cached data
and other time will fall back to responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2743
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Function sysdb_get_real_name overrode reurned code LDAP
and thus user was not removed from cache after removing it from LDAP.
This patch also do not try to set initgroups flag if user
does not exist. It reduce some error message.
Resolves:
https://fedorahosted.org/sssd/ticket/2681
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 9fc96a4a2b07b92585b02dba161ab1eb2dbdad98)
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
subdomain_inherit = ignore_group_members
in the domain section.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 12089241f6a6eabf4f0c95669e5fc2bb3b503c06)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Related to:
https://fedorahosted.org/sssd/ticket/2644
Adds a utility function that checks if a DP option is present in
the subdomain_inherit list. If it is, then the option is set from source
to destination dp_option array.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit b3d110fbc424a03674a6e50e489a7cbab9702f0b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a new option subdomain_inherit that would allow administrators to pick
and choose which option to pass to subdomains.
This option is required for:
https://fedorahosted.org/sssd/ticket/2644
as a short-term fix.
The proper solution is described in:
https://fedorahosted.org/sssd/ticket/2599
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In a recent change set_initgroups_expire_attribute() was added to
groups_by_user_done() to make sure that the initgroups timeout is only
added to the user object until all groups added to the cache.
This change (and the original code in groups_by_user_done() as well)
didn't took sub-domain users into account where the name in sysdb might
different form the original request and the domain is not the configured
domain. This patch tries to ensure that the right name and domain are
used.
https://fedorahosted.org/sssd/ticket/2663
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit d0b7e5fcfca7d0db9e3d19be7b51f34d03d3d720)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Checking the enum request in the underlying LDAP provider to skip it
might be too late as the richer IPA or AD providers depend on having a
useful result when the sdap request finishes.
Move the enumeration check earlier instead and allow directly in the IPA
or AD handler.
Related:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 40bc389bc79bc41429b5a92d5ce75955f8eefaf5)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some providers, notably IPA, rely on extra_value to be either a useful
value or NULL. In enumeration, however, extra_value was random. Set
the extra_value pointer explicitly to NULL to make it clear that it's
not used for enumeration and also use talloc_zero as future-proof.
Resolves:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d9296ba018228ac6a19f710b8bb9044c4ea9ab5b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Argument "siginfo_t *siginfo" (void *__siginfo) was not used in
signal handlers pc_init_sig_handler, proxy_child_sig_handler.
siginfo is mostly used for additional information for about signal
and precesses (@see man 2 sigaction) and we store needed information
in custom context (private_data); It's tevent style.
Why backend crashed:
proxy_child_init_send creates request; forks a process and register
handler for signal SIGCHLD. Talloc parent of tevent_signal is previously
created request.
If proxy_child fails (return code is not 0) then SIGCHLD is received
handler pc_init_sig_handler is called. However pc_init_sig_handler can call
tevent_req_error for request which calls request callback and released
request.
tevent_signal_destructor was called as a part of releasing
tevent_signal. The destructor cleared siginfo in ring buffer for first time.
Then tevent tried to clear the same siginfo in ring buffer for the secont time
after returning from signal hander (pc_init_sig_handler). But it was already
cleared and it caused dereference of NULL pointer.
Resolves:
https://fedorahosted.org/sssd/ticket/2654
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit df233bce93c6e6752cf22cd4244c85c94d68b17b)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.
After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
Resolves:
https://fedorahosted.org/sssd/ticket/2655
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1370bcccaed090f36d75e8a8cebb320ea1612b7e)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2644
When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the groups is requested and saved
again with the full name, remove the original and save the new group entry.
Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.
This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656
To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
id_provider = ad
Then run:
$ id aduser@ad_domain.com
$ id aduser@ad_domain.com
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ee44aac95e42c3cb634876286a2aa4960ac69a2b)
|
|
|
|
|
|
|
|
|
|
| |
New option `krb5_map_user` providing mapping of ID provider names to
Kerberos principals.
Resolves:
https://fedorahosted.org/sssd/ticket/2509
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 1270ffe9f3809f2fd488ef4a320d344ae107ab87)
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit dca741129d221558a4325479aefc617240f1ab08)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initgrups consisted of two main steps:
1. store user to cache
2. store all user groups to cache.
Previously the attribute SYSDB_INITGR_EXPIRE was set in the first step.
So in case of epmty cache and parallel initgroups request in responders
there was a small period when SYSDB_INITGR_EXPIRE was valid but groups were
not cached. Therefore sometime responder could return zero supplementary
groups.
This patch moves the setting of initgroups expire attribute from 1st step
to the end of 2nd step.
In case of parallel initgroups requests in responder there are two
other ways how we could get correct results even thought there was a bug.
a) Time between two request was too small. User was not stored in cache
yet and 2nd request waited for response from DP.
b) Time between two request was big enough. All users groups were
successfully stored in cache and 2nd request returned correct results.
Resolves:
https://fedorahosted.org/sssd/ticket/2634
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d0cc678d20d8bde829450eb50bec1b7397cea3e1)
|
|
|
|
|
|
|
|
|
| |
When SYSDB_INITGR_EXPIRE had default value (0) then value of
SYSDB_CACHE_EXPIRE was used as initgroups expire attribute.
The right apoach is already used in responder_cache_req.c
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit fd60528321fd52720222ec35b895ade54cccb48d)
|
|
|
|
|
|
|
|
| |
The size of time_t can be 8 bytes on some platforms.
It is because of year 2038 problem.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 390de028b3130ae564059101c662fe74e0e85a45)
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit aa648535f445e7a95bf6dedc7c43bb5f94ab7354)
|
|
|
|
|
| |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 84a4c4fcc93b3dcc70604817a05f7943606ff596)
|
|
|
|
|
|
|
|
|
| |
In order to detect faulty cases where negcache would be checked twice,
we need to convert the ncache_hit to integer and check exact amounts of
hits.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 9cc2223e0bc0478c1b47a47fd71bba7e7129492d)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Type of timestamp for entries in negative cache is time_t
which is number of *seconds* that have elapsed since 1 January 1970.
The condition for ttl was to strict so entry could be valid
from "ttl-1" to ttl e.g.
* ttl is 1 second
* entry was stored to negative cache at 1432120871.999639
stored_timestamp = 1432120871
* entry was tested few miliseconds later 1432120872.001293
current_time = 1432120872
Entry was marked as expired becuase result of condition was false
stored_timestamp + ttl < current_time
1432120871 + 1 < 1432120872
This is a reason why ./test-negcache sometime fails.
It's quite easily reproducible on slow machine or when valgrind was used.
sh$ while libtool --mode=execute valgrind ./test-negcache ; do echo OK: done
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 75e4a7753c44e9f2a7a65fad77d95e394f81c125)
|
|
|
|
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5c2f80ef0b6ace6b331bcf99e5e5c7d73cfb92c6)
|
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 108a49f0e816d95cf75a1e964f63b397e53c8b56)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the version 389ds return a different error code if the
search for the view name failed because our dereference attribute
ipaAssignedIDView is not known. Newer version return
LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) which is translated to
EOPNOTSUPP and older versions return LDAP_PROTOCOL_ERROR(2) which is
returned as EIO. In both cases we have to assume that the server is not
view aware and keep the view name unset.
Resolves https://fedorahosted.org/sssd/ticket/2650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sdap_nested_group_populate_users() has code to handle user name changes.
It updates the SYSDB_NAME attribute. This attribute is also used in the
RDN but changing the attribute in the object does not change the DN
hence the DN still contains the old name. Currently
sysdb_set_user_attr() was used to update the entry which creates the DN
based on the give name. This will fail if the name is changed for a
second time. Since the DN is already available in the search result it
is more reliable to use it directly with sysdb_set_entry_attr().
Related to https://fedorahosted.org/sssd/ticket/2591
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 305267064a9d8c86536fcd5c92c1c9cb3e7df268)
|
|
|
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit f1f5854566c1ee44320a1111a33c12bcc409f00a)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2649
libsemanage is very strict about its API usage and actually doesn't
allow disconnecting a handle that is not connected. The unpatched code
would fail with:
selinux_child: handle.c:231: semanage_disconnect: Assertion `sh !=
((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect !=
((void *)0)' failed.
If semanage_connect() failed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 589a8760b38d9e2dfa278764af12d59e1487fe07)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common)
and sssd-krb5-common requires sssd-common.
sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so
000000000000c4d0 T krb5_service_init
000000000000b8c0 T krb5_try_kdcip
000000000000c710 T remove_krb5_info_files
0000000000014960 T select_principal_from_keytab
00000000000141d0 T sss_krb5_get_error_message
sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so
U krb5_service_init
U krb5_try_kdcip
U remove_krb5_info_files
U select_principal_from_keytab
U sss_krb5_get_error_message
This patch fix cyclic dependency with rpm packaging becuase
it's not simple task to remove krb5 dependency from ldap provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2507
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 56552c518a07b45b25d4a2ef58d37fac0918ce60)
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0f9c28eb52d2b45c8a97f709308dc11377831b8c)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the flag that the input data in a user or group lookup request
might be an override value is only set if no cached entry was found. If
the cached entry of an object with overrides is expired and a request
with the override value as input is processed the flag is not set and
the backend might not be able to find the right entry on the server.
Typically this should not happen because of mid-point refreshes. To
reproduce this create a FreeIPA user and override the login name for a
specific view. On a client which has this view applied call
getent passwd overridename
sss_cache -E
getent passwd overridename
The second getent command will still show the right output but in the
logs a
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error
code: 3 errno: 0 error message: Account info lookup failed
message can be found for the second request.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 35b178d02dfd293778aefbc0b465a5a3a4b6cd8f)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Depending on the server-side configuration the extdom plugin can return
short or fully qualified names for IPA objects. The client must handle
the names according to its own configuration and not add the domain part
of the fully-qualified name unconditionally.
Resolves https://fedorahosted.org/sssd/ticket/2647
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3fe2e555edd3963d72483600e5d9616873afd00a)
|
|
|
|
|
|
|
|
|
|
|
| |
After the group memberships of a user from a trusted domain are read it
must be checked if there are overrides for the discovered groups to be
able to return the right gid or name to the caller.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2263c6dd1242c92253240f4998c86a04b6a0ca3a)
|
|
|
|
|
|
|
|
|
|
| |
This patch makes ipa_initgr_get_overrides_send() public and add support
to search overrides by UUID or by SID.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 145578006684481434ced78461ab8d1c3570f478)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during user lookups. As a result the lifetime of the
group-membership data is updates in those cases. But if the user is not
looked up directly but is resolved as a group member during a group
lookup SSSD does not resolve all group-membership of the user to avoid
deep recursion and eventually a complete enumeration of the user and
group base. In this case the lifetime of the group-memberships should
not be updated because it might be incomplete.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cffe3135f29c737f2598f3c1384bfba1694fb843)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these version there
is no need to reject a initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reasons the lifetime of the user entry and the lifetime of the
initgroups data is different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If subdomains are disabled "subdomain_provider = none"
then auto-discovery discovery of domain SID is disabled.
It is possible to configure options ldap_idmap_default_domain{,_sid}
and id mapping should work.
However value of option ldap_idmap_default_domain_sid was not assigned to
sss_domain_info for main domain. It was only used for initialisation of
sdap_idmap_ctx. As a result of this bug posix attributes were used in
ldap filter and id mapping worked just for users with posix attributes.
[be_get_account_info] (0x0100): Got request for [0x1001][1][name=user]
[be_req_set_domain] (0x0400):
Changing request domain from [EXAMPLE.TEST] to [EXAMPLE.TEST]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080):
Could not parse domain SID from [(null)]
[sdap_search_user_next_base] (0x0400):
Searching for users with base [DC=EXAMPLE,DC=TEST]
[sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with
[(&(sAMAccountName=hdpadmin)(objectclass=user)
(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))]
[DC=EXAMPLE,DC=TEST].
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sdap_get_users_done] (0x0040): Failed to retrieve users
Resolves:
https://fedorahosted.org/sssd/ticket/2635
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 21687d1d553579e81aa43bfa20f2e70fb39e8461)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We get error EBADMSG instead of EOK due to endianess issue
[==========] Running 2 test(s).
[ RUN ] test_getsidbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:108: error: Failure!
[ FAILED ] test_getsidbyname
[ RUN ] test_getorigbyname
0x4a != 0
src/tests/cmocka/sss_nss_idmap-tests.c:127: error: Failure!
[ FAILED ] test_getorigbyname
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 582f6b1d15d216a39a66b70f0b3ecdf5b0f47673)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We don't want to skip over a GPO that might properly be denying
users.
[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
no attrs found for GPO; try next GPO.
Resolves:
https://fedorahosted.org/sssd/ticket/2629
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
(cherry picked from commit 03e5f1528184a558fd990e66f083157b404dce08)
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2643
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4df706219e64527209f12ad0c7814ee1be979c07)
|
|
|
|
|
|
|
|
|
| |
can be triggered on demand by assigning a POSIX group
with external members sudo privileges, then dropping
the cache and doing a sudo -U <user> -l.
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit c520f40d1a2d77cf1d413451b5682297733521ed)
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a user from a trusted AD domain is search with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f70a1adbfc30b9acc302027439fb8157e0c6ea2a)
|
|
|
|
|
|
|
|
|
|
| |
Not all user groups need to be resolved if group deny list is empty.
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With views and overrides groups are not allowed to have ghost members
anymore because the name of a member might be overridden. To achieve
this ghost members are looked up and resolved later during group
lookups. Currently this is only done for group lookups by name but
should happen as well if the group is looked up by uuid.
Resolves https://fedorahosted.org/sssd/ticket/2631
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 605dc7fcc848dffb7c9d270c864c70e6dff1242e)
|
|
|
|
|
|
|
|
|
| |
The member list returned by the extdom plugin might contain some entries
more than once. Although this is an issue on the server side to avoid
ldb errors duplicates should be filtered out on the client as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 625cff0b0938538e51fdd3b2d985e6082b492ea5)
|