sssd.git, branch sudo1-13 Unnamed repository; edit this file 'description' to name the repository. sudo: always use srv_opts from id context 2017-11-06T11:10:44+00:00 Pavel Březina pbrezina@redhat.com 2017-10-19T08:39:21+00:00 2c0a0f2babecc3438734cff7bd01362723c59331 Prior this patch, we remember id_ctx->srv_opts in sudo request to switch the latest usn values. This works fine most of the time but it may cause a crash. If we have two concurrent sudo refresh and one of these fails, it causes failover to try the next server and possibly replacing the old srv_opts with new one and it causes an access after free in the other refresh. 
Prior this patch, we remember id_ctx->srv_opts in sudo request to switch
the latest usn values. This works fine most of the time but it may cause
a crash.

If we have two concurrent sudo refresh and one of these fails, it causes
failover to try the next server and possibly replacing the old srv_opts
with new one and it causes an access after free in the other refresh.
PAM: Fix domain for UPN based lookups 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-07-22T15:34:20+00:00 3542fe821765cad1f25f6c2a077b55fc1d7d0553 Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469) 
Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469)
NSS: use different neg cache name for UPN searches 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-07-22T14:01:38+00:00 7f95edc43d9fc410aab5712552e17f28932ba344 If Kerberos principals or email address have the same domain suffix as the domain itself the first user lookup by name might have already added the name to the negative cache and the second lookup by UPN/email will skip the domain because of the neg cache entry. To avoid this a special name with a '@' prefix is used here. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 62df78512145db94b51c5573d4df1737197e368a) 
If Kerberos principals or email address have the same domain suffix as
the domain itself the first user lookup by name might have already added
the name to the negative cache and the second lookup by UPN/email will
skip the domain because of the neg cache entry. To avoid this a special
name with a '@' prefix is used here.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 62df78512145db94b51c5573d4df1737197e368a)
PAM: continue with UPN/email search if name was not found 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-06-22T16:21:11+00:00 07db882d99e2036be94dd305ba50587733b5f3a1 Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3381d9736b698d6111d10e219a0b5b898a4c757c) 
Currently we only search for UPNs if the domain part of the name was not
know, with Kerberos aliases and email addresses we have to do this even
if the domain name is a know domain.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3381d9736b698d6111d10e219a0b5b898a4c757c)
NSS: continue with UPN/email search if name was not found 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-06-21T09:06:19+00:00 6b55915c3939da6e2474633d79783f838627a4b1 Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 447b1da857368678990b54cd6b9cfed940357c44) 
Currently we only search for UPNs if the domain part of the name was not
know, with Kerberos aliases and email addresses we have to do this even
if the domain name is a know domain.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 447b1da857368678990b54cd6b9cfed940357c44)
BUILD: Accept krb5 1.16 for building the PAC plugin 2017-10-09T11:31:33+00:00 Sumit Bose sbose@redhat.com 2017-10-09T07:55:31+00:00 d9f1ebef65146b856062dcda88d813a0bfe2e96a Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit ce68b4ff25cbd52935a540046f0412ce869a27a5) (cherry picked from commit 09ba77f7de5011d4871fd261ab5291649f025404) 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ce68b4ff25cbd52935a540046f0412ce869a27a5)
(cherry picked from commit 09ba77f7de5011d4871fd261ab5291649f025404)
GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found 2017-10-09T08:01:44+00:00 Jakub Hrozek jhrozek@redhat.com 2017-09-20T20:26:20+00:00 38ce53d228c077b799b8b712c485fb643058d7a4 If a referral returned during AD GPO processing cannot be assigned to a known domain, at the moment SSSD accesses memory that was freed previously with ldap_free_urldesc(). This patch moves the ldap_free_urldesc() call to both the error handler and the success branch after we are done working with the LDAPURLDesc instance. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 381bc154ef06fd3cc0660ce0fd62504367f420f5) (cherry picked from commit d3f5675022b398b60252cc4cd712edc481d89b70) 
If a referral returned during AD GPO processing cannot be assigned to a
known domain, at the moment SSSD accesses memory that was freed
previously with ldap_free_urldesc().

This patch moves the ldap_free_urldesc() call to both the error handler
and the success branch after we are done working with the LDAPURLDesc
instance.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 381bc154ef06fd3cc0660ce0fd62504367f420f5)
(cherry picked from commit d3f5675022b398b60252cc4cd712edc481d89b70)
intg: Fix execution with dbus-1.11.18 2017-10-04T04:42:03+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-10-03T13:34:33+00:00 26f2a1cbc317face478cbb444a2984692dbde9c3 Since dbus-1.11.18 DBUS_COOKIE_SHA1 respect $HOME variable and fallback to value returned from getpwnam only if env HOME does not exist. It caused problem for dbus communication between sssd processes because local user usually do not have directory $HOME/.dbus-keyrings/. And directory created in cwrap environment is problmatic [build@host ~]$ ls -ld ~/.dbus-keyrings/ drw-------. 2 build build 6 Oct 3 10:44 /home/build/.dbus-keyrings/ [buildhost ~]$ ls -lna ~/.dbus-keyrings/ ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied total 0 d????????? ? ? ? ? ? . d????????? ? ? ? ? ? .. [build@host ~]$ touch ~/.dbus-keyrings/test touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied Other alternative would be to set env variable HOME to the same value as in fake passwd file: HOME=$(abs_builddir)/root Related dbus bug: https://bugs.freedesktop.org/show_bug.cgi?id=101960 Resolves: https://pagure.io/SSSD/sssd/issue/3531 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 82c36227e36de155b13e6eb7cfa3e80a25774157) (cherry picked from commit ff2ff94a1cdb98a55a2d8a3c3bbe06e1fb948d5a) 
Since dbus-1.11.18 DBUS_COOKIE_SHA1 respect $HOME variable
and fallback to value returned from getpwnam only if env HOME
does not exist. It caused problem for dbus communication
between sssd processes because local user usually do not have
directory $HOME/.dbus-keyrings/. And directory created in cwrap
environment is problmatic

[build@host ~]$ ls -ld ~/.dbus-keyrings/
drw-------. 2 build build 6 Oct  3 10:44 /home/build/.dbus-keyrings/

[buildhost ~]$ ls -lna ~/.dbus-keyrings/
ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied
ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..

[build@host ~]$ touch ~/.dbus-keyrings/test
touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied

Other alternative would be to set env variable HOME to the
same value as in fake passwd file:
  HOME=$(abs_builddir)/root

Related dbus bug:
https://bugs.freedesktop.org/show_bug.cgi?id=101960

Resolves:
https://pagure.io/SSSD/sssd/issue/3531

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 82c36227e36de155b13e6eb7cfa3e80a25774157)
(cherry picked from commit ff2ff94a1cdb98a55a2d8a3c3bbe06e1fb948d5a)
CI: Use dnf 2.x for installation of packages in fedora 2017-09-14T13:48:18+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-09-11T07:57:42+00:00 f210542365abb475695b1b1b17aed1c332e93caa Weak dependencies are intentionally disabled. If we need them then they should be explicitly specified because they are not weak. Resolves: https://pagure.io/SSSD/sssd/issue/2809 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 51c4da6e4941dfc5fca40bffa2248b9a77f139b2) (cherry picked from commit 0984355ef5f4899a593038ea6ad54c4db67ce78e) 
Weak dependencies are intentionally disabled. If we need them
then they should be explicitly specified because they are not weak.

Resolves:
https://pagure.io/SSSD/sssd/issue/2809

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 51c4da6e4941dfc5fca40bffa2248b9a77f139b2)
(cherry picked from commit 0984355ef5f4899a593038ea6ad54c4db67ce78e)
SPEC: Fix detecting of minor release 2017-09-14T13:15:39+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-09-14T07:59:28+00:00 914d1694467bb507982d076b2b49991d563e587b INFO: Installed packages: Start: build phase for sssd-1.15.4-0.el7.src.rpm Start: build setup for sssd-1.15.4-0.el7.src.rpm error: unmatched ( error: unmatched ( error: /builddir/build/SPECS/sssd.spec:56: bad %if condition Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit c20a9efbf5da0587fbb6a855a2d366ce19f1abe1) (cherry picked from commit b788aaa4341bcd0c1f0fc3081c540af958de8d45) 
INFO: Installed packages:
Start: build phase for sssd-1.15.4-0.el7.src.rpm
Start: build setup for sssd-1.15.4-0.el7.src.rpm
error: unmatched (
error: unmatched (
error: /builddir/build/SPECS/sssd.spec:56: bad %if condition

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit c20a9efbf5da0587fbb6a855a2d366ce19f1abe1)
(cherry picked from commit b788aaa4341bcd0c1f0fc3081c540af958de8d45)