| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Make sure the directory is only accessible to the sssd user
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Uses the ipa-getkeytab call to retrieve keytabs for one-way trust
relationships.
https://fedorahosted.org/sssd/ticket/2636
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To set up a Vagrant development environment:
* Install the Vagrant packages for your development system
* On Fedora 22 and later: 'dnf install vagrant-libvirt'
* Deploy the Vagrant box:
* 'vagrant up'
* Build SSSD:
* vagrant ssh -c "cd /vagrant; reconfig; chmake"
Vagrant can keep your development tree in-sync with the Vagrant box
by running 'vagrant rsync-auto' in a shell (this will continue to
run, monitoring for changes and syncing them as they are saved).
Alternately, it can be manually synced with 'vagrant rsync' at will.
More information:
http://fedoramagazine.org/running-vagrant-fedora-22/
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.
After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD
Resolves:
https://fedorahosted.org/sssd/ticket/2655
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add "intgcheck" make target. Update CI to use it.
The "intgcheck" target configures and builds sssd in a sub-directory,
installs it into a prefix in another sub-directory, and then makes the
"intgcheck-installed" target from within src/tests/intg in that separate
build.
The "intgcheck-installed" target in src/tests/intg runs py.test for all
tests it can find in that directory, under fakeroot and
nss_wrapper/uid_wrapper environments emulating running under root.
It also adds the value of INTGCHECK_PYTEST_ARGS environment/make
variable to the py.test command line. You can use it to pass additional
py.test options, such as specifying a subset of tests to run. See
"py.test --help" output.
There are only two test suites in src/tests/intg at the moment:
ent_test.py and ldap_test.py.
The ent_test.py runs tests on ent.py - a module of assertion functions
for checking entries in NSS database (passwd and group), for use in
actual tests. The ent_test.py suite can be used as ent.py usage
reference.
The ldap_test.py suite sets up and starts a slapd instance, adds a few
user and group entries, configures and starts sssd and verifies that
those users and groups are retrieved correctly using various NSS
functions. The tests are very basic at the moment.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libsss_ldap_common(sssd-common) requires libsss_krb5_common.so(sssd-krb5-common)
and sssd-krb5-common requires sssd-common.
sh$ nm --dynamic --defined-only /usr/lib64/sssd/libsss_krb5_common.so
000000000000c4d0 T krb5_service_init
000000000000b8c0 T krb5_try_kdcip
000000000000c710 T remove_krb5_info_files
0000000000014960 T select_principal_from_keytab
00000000000141d0 T sss_krb5_get_error_message
sh$ nm --dynamic --undefined-only /usr/lib64/sssd/libsss_ldap_common.so
U krb5_service_init
U krb5_try_kdcip
U remove_krb5_info_files
U select_principal_from_keytab
U sss_krb5_get_error_message
This patch fix cyclic dependency with rpm packaging becuase
it's not simple task to remove krb5 dependency from ldap provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2507
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
| |
- removed unnecessary blank lines (leftover after many changes)
- list manual pages according to section number
- add missing white spaces to shall scripts
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The optional definition of rpm macro with_ccache was removed in patch
"BUILD: Remove unnecessary patch and configure opts"
as a part of ticket https://fedorahosted.org/sssd/ticket/2036.
It is not used anymore so it can be removed.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
Old versions of rpmbuild require ghost files to be present in the buildroot.
It was mainly problem of rpmbuild on rhel5 which is not supported anymore.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
| |
This workaround was for libtool in rhel 5
and we dropped support for it few months ago due to missing dependencies.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Generated warning:
/usr/include/features.h:328:4: warning: warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]
warning _FORTIFY_SOURCE requires compiling with optimization (-O)
Macro _FORTIFY_SOURCE requiers to be compiled with optimization. But
the problem with bash function chmake is that it turns off optimization.
To avoid generating warning chmake should undefine macro
_FORTIFY_SOURCE.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2574
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
|
| |
Some pyhton bindings pysss and pysss_murmur was in package sssd-common.
Therefore package sssd-common had python as a dependency.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
| |
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
| |
|
|
|
|
| |
RHEL6.6 contains libnl3.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
https://fedorahosted.org/sssd/ticket/2017
|
| |
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2550
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
|
|
| |
The problem is already fixed in fedora >= 21
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Missing dependency, libini_config >= 1.1 is in debian testing
for some time.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
| |
The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Starting from Automake 1.13, the parallel testsuite harness has been made
the default one; this harness is quite silent.
VERBOSE=yes will displays the logs of the non-passed tests (i.e., only
of the failed or skipped ones, or of the ones that passed unexpectedly).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a private SSSD user in the %pre section of SSSD specfile. Also
changes the ownership of SSSD private directories to sssd.sssd.
Does not change the configure time default, so SSSD will still run as
root. The file and directory ownership does not widen, because the
directories are still only accessible by the private user (whose shell
is /sbin/nologin) and of course the root user.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
Remove Clang analyzer run from contrib/ci/run as it takes a long time
(5-8 minutes) and its results are unused.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mock config with name default is usually symbolic link
to the configuration file of local architecture. The side effect
of this patch is that we will not try to rebuild on old architectures
src.rpm for new architectures(fedora). It caused issues with mock tmpfs
plugin.
Resolves:
https://fedorahosted.org/sssd/ticket/2441
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
| |
|
|
|
|
|
|
| |
Remove --vgdb=no option from CI's Valgrind invocation, as default
condition for starting gdb (--vgdb-error=999999999) is highly unlikely
and therefore this option is unnecessary.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
| |
Add check for Valgrind test result to contrib/ci/run.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add suppressions for all issues detected by Valgrind during CI runs.
These seem to be false positives, or cannot be fixed.
Resolves:
https://fedorahosted.org/sssd/ticket/2428
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an empty Valgrind suppressions file, use it when invoking Valgrind.
This prepares for addition of Valgrind suppressions for current false
positives and issues that cannot be fixed, preparing for enforcing
Valgrind check.
Make Valgrind output a suppression for every error and make it output
used suppression names and counts at the end of each run. This
simplifies discovery and addition of new suppressions and removal of
unused ones.
Related to https://fedorahosted.org/sssd/ticket/2428
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
Disable running dlopen-tests under Valgrind as their use of dlclose
makes Valgrind drop symbols and produce meaningless backtraces, which
cannot be matched with specific suppressions.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
Preserve timestamps of mock configuration files when customizing them in
CI to avoid unnecessary cache rebuilds. This reduces CI run time.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make needn't be installed by default.
$ contrib/ci/run
install-deps: success 00:16:43 ci-install-deps.log
autoreconf: success 00:00:12 ci-autoreconf.log
DEBUG BUILD: ci-build-debug
configure: success 00:00:13 ci-build-debug/ci-configure.log
make-tests: failure 00:00:01 ci-build-debug/ci-make-tests.log
FAILURE
$ cat ci-build-debug/ci-make-tests.log
Start: Mon Sep 8 09:31:43 CEST 2014
+ make-check-wrap -j 4 check -- true
/tmp/sssd/contrib/ci/make-check-wrap: line 52: make: command not found
End: Mon Sep 8 09:31:44 CEST 2014
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
| |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
changes from previous patch:
* fixed idmapd.conf example (sss plugin name)
* squahsed the rpm spec into one commit
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
It can be possible to build current master without samba
on rhel5, but the spec file would be very complicated.
It is better to simplify spec file.
Resolves:
https://fedorahosted.org/sssd/ticket/1974
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add explicit dependency on libcmocka-devel when running on any Red Hat
distros, as it turns out it exists everywhere, if only in EPEL distros,
and even though the spec file doesn't require it.
This makes the contrib/ci/run consider cmocka present on all the
supported distros, so remove the corresponding condition as well.
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
| |
|
|
|
|
|
| |
Add libnfsidmap-dev to CI Debian dependency list. This fixes CI builds
on Debian.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Roland Mainz <rmainz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add basic support for executing continuous integration (CI) tests on
RHEL6, RHEL7, Fedora 20, Fedora Rawhide and Debian Testing.
This adds two front-end scripts which can be executed either locally by
developers, or on a CI server: contrib/ci/run and contrib/ci/clean.
The first one will run the tests and the second will wipe out the
artifacts.
See contrib/ci/README.md for further details.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
| |
|
|
|
|
|
|
| |
This patch adds everything what is needed to build the MIT Kerberos
localauth plugin if the used version of MIT Kerberos supports it. It
does not implement the plugin.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements the libwbclient API for Samba daemons and
utilities. The main purpose is to map Active Directory users and groups
identified by their SID to POSIX users and groups identified by their
POSIX UIDs and GIDs respectively.
The API is not fully implemented because SSSD does not support some AD
features like WINS or NTLM. Additionally this implementation has its
focus on the file-server use case and hence does not implement some
features which might be needed for a domain controller use case.
Some API calls are generic and independent of the backend like e.g.
converting binary SIDs and GUIDs into a string representation and back
or memory allocation and deallocation. These parts are taken from the
original Samba sources together with copyright and authors. Files
with'_sssd' as part of the name contain the SSSD related calls.
Resolves: https://fedorahosted.org/sssd/ticket/1588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
