sssd.git, branch master Unnamed repository; edit this file 'description' to name the repository. IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifier 2017-04-24T08:21:24+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-21T10:39:44+00:00 ef019268d2d112ebff3577e551cd19478d73d93b There was an issue in a production deployment where the admin selected a GID outside the IDM range for a group that contained a user from the trusted domain. This resulted in not adding a SID for the IPA group, which in turn meant the group couldn't be resolved on the client. This patch just improves the DEBUG message so that it's clearer for the admins where the issue is. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
There was an issue in a production deployment where the admin selected a
GID outside the IDM range for a group that contained a user from the
trusted domain. This resulted in not adding a SID for the IPA group,
which in turn meant the group couldn't be resolved on the client.

This patch just improves the DEBUG message so that it's clearer for the
admins where the issue is.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SECRETS: remove unused variable 2017-04-21T11:45:02+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-04-19T15:56:20+00:00 0e8f0c06cad5805b1a1161f60e3f2cdb7a5a2921 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IFP: Use sized_domain_name to format the groups the user is a member of 2017-04-21T09:24:41+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-19T15:46:03+00:00 c9a73bb6ffa010ef206896a0d1c2801bc056fa45 Resolves: https://pagure.io/SSSD/sssd/issue/3268 Uses the common function sized_domain_name() to format a group the user is a member of to the appropriate format. To see the code is working correctly, run: dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:trusted_user Where trusted_user is a user from a trusted domain that is a member of groups from the joined domain and a trusted domain as well. The groups from the joined domain should not be qualified, the groups from the trusted domain should be qualified. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves:
    https://pagure.io/SSSD/sssd/issue/3268

Uses the common function sized_domain_name() to format a group the user
is a member of to the appropriate format.

To see the code is working correctly, run:
        dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe
                  /org/freedesktop/sssd/infopipe
                  org.freedesktop.sssd.infopipe.GetUserGroups
                  string:trusted_user

Where trusted_user is a user from a trusted domain that is a member of groups
from the joined domain and a trusted domain as well. The groups from the
joined domain should not be qualified, the groups from the trusted
domain should be qualified.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Move sized_output_name() and sized_domain_name() into responder common code 2017-04-21T09:24:41+00:00 Jakub Hrozek jhrozek@redhat.com 2017-04-19T15:44:40+00:00 7c074ba2f923985ab0d4f9d6a5e01ff3f2f0a7a8 These functions are used to format a name into a format that the user configured for output, including case sensitiveness, replacing whitespace and qualified format. They were used only in the NSS responder, which typically returns strings to the NSS client library and then the user. But it makes sense to just reuse the same code in the IFP responder as well, since it does essentially the same job. The patch also renames sized_member_name to sized_domain_name. Previously, the function was only used to format a group member, the IFP responder would use the same function to format a group the user is a member of. Related to: https://pagure.io/SSSD/sssd/issue/3268 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
These functions are used to format a name into a format that the user
configured for output, including case sensitiveness, replacing
whitespace and qualified format. They were used only in the NSS
responder, which typically returns strings to the NSS client library and
then the user.

But it makes sense to just reuse the same code in the IFP responder as
well, since it does essentially the same job.

The patch also renames sized_member_name to sized_domain_name.
Previously, the function was only used to format a group member, the IFP
responder would use the same function to format a group the user is a
member of.

Related to:
    https://pagure.io/SSSD/sssd/issue/3268

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
README: Update links to mailing lists 2017-04-20T14:23:28+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-04-12T13:13:45+00:00 363e4c407085ea5623850b1dadb1344f2edd3c34 Old links are redirected to information about Fedorahosted-retirement e.g. https://fedorahosted.org/mailman/listinfo/sssd-devel -> https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Old links are redirected to information about Fedorahosted-retirement

e.g.
  https://fedorahosted.org/mailman/listinfo/sssd-devel
  -> https://fedoraproject.org/wiki/Infrastructure/Fedorahosted-retirement

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SPEC: Drop conditional build for krb5_local_auth_plugin 2017-04-19T18:52:17+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-03-15T11:07:37+00:00 bf8f119774dc2eabc5b9bc9f348cd95063ab2199 It was mainly aimed for time when stable CentOS and rhel nightly had different versions of krb5. Anyway, rhel7.0 and rhel <= 6.6 are already out of support Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
It was mainly aimed for time when stable CentOS and
rhel nightly had different versions of krb5.

Anyway, rhel7.0 and rhel <= 6.6 are already out of support

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
minor typo fixes 2017-04-19T16:05:34+00:00 René Genz liebundartig@freenet.de 2017-04-19T08:36:12+00:00 0a86dede8773ecce91b5bd2ae75a02f9ff89a358 Merges: https://pagure.io/SSSD/sssd/pull-request/3374 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> 
Merges: https://pagure.io/SSSD/sssd/pull-request/3374

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
UTIL: Use max 15 characters for AD host UPN 2017-04-12T21:15:06+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-03-14T09:34:00+00:00 c6f1bc32774a7cf2f8678499dfbced420be3a3a1 We do not want to use host principal with AD "host/name.domain.tld@DOMAIN.TLD" because it does not work. We need to use correct user principal for AD hosts. And we cannot rely all fallback "*$" because of other principals in keytab. The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits NetBIOS names to 15 characters and uses the 16th character as a NetBIOS suffix. https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name Resolves: https://pagure.io/SSSD/sssd/issue/3329 Reviewed-by: Michal Židek <mzidek@redhat.com> 
We do not want to use host principal with AD
"host/name.domain.tld@DOMAIN.TLD" because it does not work.
We need to use correct user principal for AD hosts. And we cannot
rely all fallback "*$" because of other principals in keytab.

The NetBIOS naming convention allows for 16 characters in a NetBIOS
name. Microsoft, however, limits NetBIOS names to 15 characters and
uses the 16th character as a NetBIOS suffix.
https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name

Resolves:
https://pagure.io/SSSD/sssd/issue/3329

Reviewed-by: Michal Židek <mzidek@redhat.com>
sbus: check connection for NULL before unregister it 2017-04-12T13:04:58+00:00 Sumit Bose sbose@redhat.com 2017-04-10T11:45:27+00:00 35186217d44d0138a1aedf7a4db72249b2c40e66 There seem to be code paths where the data is a added to the hash before the connection is properly initialized, to avoid core dump during shut down we only call dbus_conection_unregister_object_path() if there is a connection. Resolves: https://pagure.io/SSSD/sssd/issue/3367 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
There seem to be code paths where the data is a added to the hash before
the connection is properly initialized, to avoid core dump during shut
down we only call dbus_conection_unregister_object_path() if there is a
connection.

Resolves:
https://pagure.io/SSSD/sssd/issue/3367

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
KRB5_LOCATOR: add env variable to disable plugin 2017-04-11T15:21:23+00:00 Sumit Bose sbose@redhat.com 2016-11-17T09:55:43+00:00 1193f20a8267e506d863b27c74870c86c085902b If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value SSSD's krb5 locator plugin is disabled. The variable is needed because there is currently no other way than removing the plugin completely to disable it. For a use-case see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1072939. Resolves: https://pagure.io/SSSD/sssd/issue/3359 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any
value SSSD's krb5 locator plugin is disabled. The variable is needed
because there is currently no other way than removing the plugin
completely to disable it. For a use-case see e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=1072939.

Resolves:
https://pagure.io/SSSD/sssd/issue/3359

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>