| Commit message | Author | Age | Files | Lines |
| |
Regression tests for ticket #3178.
Resolves:
https://fedorahosted.org/sssd/ticket/3178
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 7fa4964d84f41bd80a6d971ffaeef87a7c2f19be)
| |
Adds regression CI test for ticket #3173 and #3175.
Resolves:
https://fedorahosted.org/sssd/ticket/3173
https://fedorahosted.org/sssd/ticket/3175
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 20c2d76d9430a1fc069531ff537df046a74c8f61)
| |
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1584db9c0b15ee239bd4e163c4ecaf6909b1b11b)
| |
Most Linux distributions create local users from UID 1000.
We used a similar UID space in sssd, but it might have caused
issues in add/remove tests because sssd in the cwrap environment
runs in the same PID space. If sssd tries to remove a user
with UID 1001, it will fail because the local user with the same UID
is active and sssd does not remove active users.
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit e97d9972e8ad05dff1a3b99468ee5728c2c183a8)
| |
Integration test for #3121
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e59b73366d3067c576e39a214a34ace2f9a84878)
| |
Integration test for #3093
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1ba26271952de1beeb9e041bedf87d720d3f5680)
| |
The /usr/lib64 should be the preferred path for searching
binary modules for openldap backends. The /usr/lib/ should
be used for storing non-binary files on 64-bit platforms,
e.g. scripts ...
The current version of would choose /usr/lib/ even though
/usr/lib64 contains real openldap modules.
Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
(cherry picked from commit bf472d2422599d14345e7cd9999289c26455c622)
| |
Side effect of this change was that some primary groups
could not be resolved and therefore get_user_groups
failed in override tests. We should do the same as "id user":
return the decimal representation of the GID if it cannot be mapped to a name.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit de19c0af27f1576c13bef183600136851baf767d)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 49a5412cbc98e630de17359c29cb8d6ce0e16168)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 8def4f07aedf2cebf77e816b201d91beac9b964b)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1f4dc2971bac4ceb0803b18f86a746656a0f1990)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 361f9fe207f82693bbfd40dfe272a4513652856c)
| |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit bc1e74e5f0f69d7ed9a7ad8455de59c979816431)
| |
We use finalizers in pytest for cleaning up the
openldap server. But sometimes the destructor was called
in case of failure, which caused many issues in tests.
Running teardown in a destructor is not reliable due to Python's nature.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a035366f622f42c865dbaa1579f741a81548fde2)
| |
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit f5d3f4304a767f20484c5a97012720e272a9a022)
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2813
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 11540d9efb85b9ed0341e8a1fc97fc078c6ce418)
| |
dict.keys() returns an iterator in python3 and not a list.
Changing data in a dictionary while using the iterator
fails with "RuntimeError: dictionary changed size during iteration"
https://fedorahosted.org/sssd/ticket/3107
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 1773fdad2730f3f910782781fa286f402ce36cca)
| |
Tests that running two duplicate SRV resolution queries succeeds
and returns a valid host name.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a299f900981343904d7c9c5d148e30b8e0b2c460)
| |
When multiple failover requests come in at the same time, the first one will
result in collapsing the meta server but multiple resolutions of
SRV records are triggered. The first one finishes normally but the
others won't find any new server and thus end with an error.
This patch makes failover proceed normally even in such a case.
Resolves:
https://fedorahosted.org/sssd/ticket/3131
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 03cb5ac6aa4c60d2c64c6fdc2daae656bf5493f4)
| |
Currently an invalid certificate causes the whole ssh key lookup request to
abort. Since it is possible that e.g. the LDAP user entry contains
certificates where the client does not have the needed CA certificates
for validation, we should just ignore invalid certificates.
Resolves https://fedorahosted.org/sssd/ticket/2977
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 60787fb44924e84a0c7ddfe9d5e62e64ea1edcd1)
| |
If talking to the Data Provider failed, we never re-tried looking into
the cache. We should consult the cache on DP failures and return cached
results, if possible.
Resolves:
https://fedorahosted.org/sssd/ticket/3123
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a3108c5cd1ebb05c133c8e8990278ac4f4b8e25c)
| |
If talking to the Data Provider failed, we never re-tried looking into
the cache. We should consult the cache on DP failures and return cached
results, if possible.
Resolves:
https://fedorahosted.org/sssd/ticket/3080
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit b9e155da725e711ab306ca8a96e3ba6fbda41a3a)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 53ef8f81b60929a6c866efdd133627e7d7d61705)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit aa35995ef056aa8ae052a47c62c6750b7adf065e)
| |
The pam_cert_auth and pam_cert_db_path options were missing in the
config API and had no man page entries.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 875c90d531e6869a92da4b515db729ffce7c4244)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 8eb4a1f773b6c2246b0a6c6e3c3b8ef4d79c9ca6)
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3010
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 73dd89c3fb361dab43b4802510f4c64d282dbde1)
| |
Update sssd-sudo man page to reflect native IPA sudo support
Resolves:
https://fedorahosted.org/sssd/ticket/3145
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 72bab5640b3ec57950b53dad0fb3042ea563592c)
| |
The new option 'proxy_max_children' is applicable
in domain section. Default value is 10.
Resolves:
https://fedorahosted.org/sssd/ticket/3153
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit aef0171e0bdc9a683958d69c7ee984fb10cd5de7)
| |
We should set the paging flag in state and not in a local
variable which is not read anywhere in the function.
Found by clang static analyzer.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit 6c335dee38da943796710b5e336472a10cf641f2)
| |
During the review process "intgcheck-build" ended up being merged to the
"intgcheck-prepare" rule.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 9639cf410dd6ba9670748535811f061e0c475bc6)
| |
Clean up the pre-release targets in order to avoid lines exceeding 80
characters.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 01d970a8afa6ffed82b3e8dda96e08118222e16e)
| |
Running "make intgcheck" has proven to be a bit painful (mainly
when the developer is just writing down a single test case), as it
cleans up the build directory and fires a new build before, finally,
running the tests.
In order to make it a little less painful, let's break the whole
operation into 3 new targets:
intgcheck-{prepare,run,clean}.
As expected, "make intgcheck" calls these 3 new operations in the same
order they were presented, thus not changing the current behavior.
Each operation will trigger the previous one in case there is no
"$$prefix" directory created and the directory is _only_ created in the
very first operation (intgcheck-prepare).
A note must be made about how to run a simple test file or a simple test
from a test file when running "make intgcheck-run". The option has always
been here but only makes sense now that we have the intgcheck split in a
few useful steps. See the examples below (and for more detailed
information, check the py.test documentation):
#Run a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"
#Run a single test from a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 6159c33125f8ee82e88d495ea2aa5d00018ea844)
| |
Root can read anything from any directory even with permissions 000.
However, SELinux checks discretionary access control (DAC)
and denies access if access is not allowed for root by DAC.
The pam_sss uses a different unix socket /var/lib/sss/pipes/private/pam
for the user with uid 0. Therefore root needs to be able to read the content
of the directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied
{ dac_override } for pid=20257 comm=vsftpd capability=dac_override
scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves:
https://fedorahosted.org/sssd/ticket/3143
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit f49724cd6b3e0e3274302c3d475e93f7a7094f40)
| |
This patch adds SIGCHLD callback for ldap_child. So if timeout is
reached and ldap_child is terminated by handler we have debug message
about it.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
We add better termination of ldap_child. If ldap_child reaches
the timeout for termination, the parent sends a SIGTERM signal. The child
has 2 seconds for removing the temporary file and exiting.
If that is not sufficient, SIGKILL is sent to the child.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
We add support for handling SIGTERM signal. If ldap_child receives
SIGTERM signal it removes temporary file.
Resolves:
https://fedorahosted.org/sssd/ticket/3106
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/3114
We failed GPO processing if the gPCMachineExtensionNames
attribute contained just whitespaces. This caused
failures in some server settings.
Comment from Alexander Bokovoy quoting:
You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when
processing gPCMachineExtensionNames, "Group Policy processing terminates
at the first <CSE GUIDn> out of sequence."
Since ' ' (space only) does not fall into defined syntax for
gPCMachineExtensionNames, this Group Policy processing is stopped and
its CSE GUIDs are set to 'empty list'.
Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
------------------------------------------------------------------------
The Group Policy client MUST evaluate the subset of the abstract element
Filtered GPO list separately for each Group Policy extension by
including in the subset only those GPOs whose gPCUserExtensionNames (for
user policy mode) or gPCMachineExtensionNames (for computer policy mode)
attributes contain CSE GUID that correspond to the Group Policy
extension. If the CSE GUID corresponding to the Group Policy extension
is present in Extension List, it is invoked using the
Implementation Identifier field. Applicability is determined as
specified in section 3.2.1.5. The Group Policy Registry Extension MUST
always execute first. All other applicable Group Policy extensions in
the Extension List MUST be loaded and executed in Extension List order.
A failure in any Group Policy extension sequence MUST NOT affect the
execution of other Group Policy extensions.
-------------------------------------------------------------------------
I think we can practically treat wrong content of
gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the
GPO to pass through the Filtered GPO list. Thus, the GPO would be
ignored.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b1a8b4a1291529367b46c79eb02448eced3bf8d2)
| |
The child process finished faster than it was handled by the parent
and therefore it timed out. It's a similar solution as in
b3074dca3acebd91437ef13d3329d6d65d655215
[ RUN ] dyndns_test_error
(Fri Jul 29 16:12:00:621444 2016) [sssd] [nsupdate_child_timeout] (0x0020):
Timeout reached for dynamic DNS update
Could not run the test - check test fixtures
[ ERROR ] dyndns_test_error
Reviewed-by: Petr Čech <pcech@redhat.com>
(cherry picked from commit bad17a253bf979f23b2294c3720300d1053744b1)
| |
/usr/bin/ld: src/providers/ad/ad_common_tests-ad_domain_info.o:
undefined reference to symbol 'idmap_error_string@@SSS_IDMAP_0.4'
/dev/shm/13/.libs/libsss_idmap.so.0:
error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Makefile:9169: recipe for target 'ad_common_tests' failed
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (oneliner-rule)
| |
netlogon_get_domain_info() does not fail if only the site is missing in
the CLDAP ping response. If the site is not available, a Global Catalog
can still be looked up with the forest name. Only if the forest name is
missing as well we fall back to the configured domain name.
Resolves:
https://fedorahosted.org/sssd/ticket/3104
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 3000d86bea2bae735175f93b0e013bbcb3979f1e)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 7fe7073ad2c84946a699528a3bb79f7803c96b69)
| |
netlogon_get_domain_info() should not fail if not all parameters can be
retrieved. It should be the responsibility of the caller to see if the
needed data is available and act accordingly.
Resolves:
https://fedorahosted.org/sssd/ticket/3104
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 44656ce260030556820c4b6be519e66ffdacb408)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 74bef2150c76c8814bf4c1654ecd3660604eb4e6)
| |
There is a bug on debian_testing in bash.
sh$ valgrind /bin/bash
==25145== Memcheck, a memory error detector
==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==25145== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==25145== Command: /bin/bash
==25145==
==25145== Invalid read of size 1
==25145== at 0x4B90B1: ??? (in /bin/bash)
==25145== by 0x43FE9B: initialize_shell_variables (in /bin/bash)
==25145== by 0x41E4C0: ??? (in /bin/bash)
==25145== by 0x41F722: main (in /bin/bash)
==25145== Address 0x58307f8 is 8 bytes before a block of size 31 alloc'd
==25145== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==25145== by 0x475D1A: xmalloc (in /bin/bash)
==25145== by 0x4B7F4A: tilde_expand (in /bin/bash)
==25145== by 0x42E63D: bash_tilde_expand (in /bin/bash)
==25145== by 0x43FE79: initialize_shell_variables (in /bin/bash)
==25145== by 0x41E4C0: ??? (in /bin/bash)
==25145== by 0x41F722: main (in /bin/bash)
==25145==
malloc: .././variables.c:570: assertion botched
free: called with unallocated block argument
last command: (null)
Aborting...==25145==
And /bin/bash was used as a default SHELL in scripts generated by
configure+libtool. It started to fail with the latest valgrind
valgrind-3.12.0~svn20160714-1
The workaround is to use /bin/sh, which is a symlink to /bin/dash
Reviewed-by: Petr Cech <pcech@redhat.com>
(cherry picked from commit 35f29b17699c3d52f77857c530300318b14148f8)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 66588a6241df42a04cb9ead75cf3afb38495d74a)
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2efebde7ddd5f1729a70ef4ec9de607cc393214c)
| |
The capaths for a single domain should be collected in a single
sub-section in the MIT Kerberos configuration, not spread over multiple
ones. See the capaths section of the krb5.conf man page for details.
Resolves:
https://fedorahosted.org/sssd/ticket/3103
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 5e40ba3168e21dbd5fa1812d6f2fc95f508a9e6e)
| |
Use division instead of modulo while rounding the created packet size up
to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
potential packet buffer overflows with certain body sizes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 740bfe1a5bf519de8e13bdce5c4143b0f24d7433)
| |
We wrongly tried to store empty
user attributes instead of the
local user attributes with
ldap_rfc_2307_fallback_to_local_users
set to true. This gave us bad
initgroups results and caused
segfaults.
Resolves:
https://fedorahosted.org/sssd/ticket/3045
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit aa8ec3758d885d6ae4088174369d30f8493ec898)