sssd.git/src, branch sudo1-13 Unnamed repository; edit this file 'description' to name the repository. sudo: always use srv_opts from id context 2017-11-06T11:10:44+00:00 Pavel Březina pbrezina@redhat.com 2017-10-19T08:39:21+00:00 2c0a0f2babecc3438734cff7bd01362723c59331 Prior this patch, we remember id_ctx->srv_opts in sudo request to switch the latest usn values. This works fine most of the time but it may cause a crash. If we have two concurrent sudo refresh and one of these fails, it causes failover to try the next server and possibly replacing the old srv_opts with new one and it causes an access after free in the other refresh. 
Prior this patch, we remember id_ctx->srv_opts in sudo request to switch
the latest usn values. This works fine most of the time but it may cause
a crash.

If we have two concurrent sudo refresh and one of these fails, it causes
failover to try the next server and possibly replacing the old srv_opts
with new one and it causes an access after free in the other refresh.
PAM: Fix domain for UPN based lookups 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-07-22T15:34:20+00:00 3542fe821765cad1f25f6c2a077b55fc1d7d0553 Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469) 
Since sysdb_search_user_by_upn() searches the whole cache we have to set
the domain so that it matches the result.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 9b8fcf685c5ca70a5067a621385bcdc8d9fd6469)
NSS: use different neg cache name for UPN searches 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-07-22T14:01:38+00:00 7f95edc43d9fc410aab5712552e17f28932ba344 If Kerberos principals or email address have the same domain suffix as the domain itself the first user lookup by name might have already added the name to the negative cache and the second lookup by UPN/email will skip the domain because of the neg cache entry. To avoid this a special name with a '@' prefix is used here. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 62df78512145db94b51c5573d4df1737197e368a) 
If Kerberos principals or email address have the same domain suffix as
the domain itself the first user lookup by name might have already added
the name to the negative cache and the second lookup by UPN/email will
skip the domain because of the neg cache entry. To avoid this a special
name with a '@' prefix is used here.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 62df78512145db94b51c5573d4df1737197e368a)
PAM: continue with UPN/email search if name was not found 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-06-22T16:21:11+00:00 07db882d99e2036be94dd305ba50587733b5f3a1 Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3381d9736b698d6111d10e219a0b5b898a4c757c) 
Currently we only search for UPNs if the domain part of the name was not
know, with Kerberos aliases and email addresses we have to do this even
if the domain name is a know domain.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3381d9736b698d6111d10e219a0b5b898a4c757c)
NSS: continue with UPN/email search if name was not found 2017-10-13T08:30:56+00:00 Sumit Bose sbose@redhat.com 2016-06-21T09:06:19+00:00 6b55915c3939da6e2474633d79783f838627a4b1 Currently we only search for UPNs if the domain part of the name was not know, with Kerberos aliases and email addresses we have to do this even if the domain name is a know domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 447b1da857368678990b54cd6b9cfed940357c44) 
Currently we only search for UPNs if the domain part of the name was not
know, with Kerberos aliases and email addresses we have to do this even
if the domain name is a know domain.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 447b1da857368678990b54cd6b9cfed940357c44)
BUILD: Accept krb5 1.16 for building the PAC plugin 2017-10-09T11:31:33+00:00 Sumit Bose sbose@redhat.com 2017-10-09T07:55:31+00:00 d9f1ebef65146b856062dcda88d813a0bfe2e96a Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit ce68b4ff25cbd52935a540046f0412ce869a27a5) (cherry picked from commit 09ba77f7de5011d4871fd261ab5291649f025404) 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ce68b4ff25cbd52935a540046f0412ce869a27a5)
(cherry picked from commit 09ba77f7de5011d4871fd261ab5291649f025404)
GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found 2017-10-09T08:01:44+00:00 Jakub Hrozek jhrozek@redhat.com 2017-09-20T20:26:20+00:00 38ce53d228c077b799b8b712c485fb643058d7a4 If a referral returned during AD GPO processing cannot be assigned to a known domain, at the moment SSSD accesses memory that was freed previously with ldap_free_urldesc(). This patch moves the ldap_free_urldesc() call to both the error handler and the success branch after we are done working with the LDAPURLDesc instance. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 381bc154ef06fd3cc0660ce0fd62504367f420f5) (cherry picked from commit d3f5675022b398b60252cc4cd712edc481d89b70) 
If a referral returned during AD GPO processing cannot be assigned to a
known domain, at the moment SSSD accesses memory that was freed
previously with ldap_free_urldesc().

This patch moves the ldap_free_urldesc() call to both the error handler
and the success branch after we are done working with the LDAPURLDesc
instance.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 381bc154ef06fd3cc0660ce0fd62504367f420f5)
(cherry picked from commit d3f5675022b398b60252cc4cd712edc481d89b70)
intg: Fix execution with dbus-1.11.18 2017-10-04T04:42:03+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-10-03T13:34:33+00:00 26f2a1cbc317face478cbb444a2984692dbde9c3 Since dbus-1.11.18 DBUS_COOKIE_SHA1 respect $HOME variable and fallback to value returned from getpwnam only if env HOME does not exist. It caused problem for dbus communication between sssd processes because local user usually do not have directory $HOME/.dbus-keyrings/. And directory created in cwrap environment is problmatic [build@host ~]$ ls -ld ~/.dbus-keyrings/ drw-------. 2 build build 6 Oct 3 10:44 /home/build/.dbus-keyrings/ [buildhost ~]$ ls -lna ~/.dbus-keyrings/ ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied total 0 d????????? ? ? ? ? ? . d????????? ? ? ? ? ? .. [build@host ~]$ touch ~/.dbus-keyrings/test touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied Other alternative would be to set env variable HOME to the same value as in fake passwd file: HOME=$(abs_builddir)/root Related dbus bug: https://bugs.freedesktop.org/show_bug.cgi?id=101960 Resolves: https://pagure.io/SSSD/sssd/issue/3531 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> (cherry picked from commit 82c36227e36de155b13e6eb7cfa3e80a25774157) (cherry picked from commit ff2ff94a1cdb98a55a2d8a3c3bbe06e1fb948d5a) 
Since dbus-1.11.18 DBUS_COOKIE_SHA1 respect $HOME variable
and fallback to value returned from getpwnam only if env HOME
does not exist. It caused problem for dbus communication
between sssd processes because local user usually do not have
directory $HOME/.dbus-keyrings/. And directory created in cwrap
environment is problmatic

[build@host ~]$ ls -ld ~/.dbus-keyrings/
drw-------. 2 build build 6 Oct  3 10:44 /home/build/.dbus-keyrings/

[buildhost ~]$ ls -lna ~/.dbus-keyrings/
ls: cannot access '/home/build/.dbus-keyrings/.': Permission denied
ls: cannot access '/home/build/.dbus-keyrings/..': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..

[build@host ~]$ touch ~/.dbus-keyrings/test
touch: cannot touch '/home/build/.dbus-keyrings/test': Permission denied

Other alternative would be to set env variable HOME to the
same value as in fake passwd file:
  HOME=$(abs_builddir)/root

Related dbus bug:
https://bugs.freedesktop.org/show_bug.cgi?id=101960

Resolves:
https://pagure.io/SSSD/sssd/issue/3531

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 82c36227e36de155b13e6eb7cfa3e80a25774157)
(cherry picked from commit ff2ff94a1cdb98a55a2d8a3c3bbe06e1fb948d5a)
CONFIG: Fix schema for try_inotify 2017-09-13T08:15:14+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-09-12T08:45:16+00:00 c51334a1147ee657d49a05351eec9c41349a92fb It is read only from "[sssd]" section. Resolves: https://pagure.io/SSSD/sssd/issue/3511 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 895584001760e8188db486bc39f9938624822d35) (cherry picked from commit 69e61a52493a8c143f83763c2dd783cabea5c9f4) 
It is read only from "[sssd]" section.

Resolves:
https://pagure.io/SSSD/sssd/issue/3511

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 895584001760e8188db486bc39f9938624822d35)
(cherry picked from commit 69e61a52493a8c143f83763c2dd783cabea5c9f4)
pysss_nss_idmap: Fix typos in python documentation 2017-09-13T07:46:35+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-09-06T08:28:49+00:00 0e3091daa2864e9217e9f3925a36255e66a198b5 s/dictonary/dictionary/g Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit e7fd33642a16cbb2cd814d3578c28affcf16f68c) (cherry picked from commit 0d5e92b3ce507f8c46d3605729abc69d8310ff93) 
s/dictonary/dictionary/g

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e7fd33642a16cbb2cd814d3578c28affcf16f68c)
(cherry picked from commit 0d5e92b3ce507f8c46d3605729abc69d8310ff93)