Commit message | Author | Age | Files | Lines
* Remove the locale tag from zanata.xml (Jakub Hrozek, 2017-07-25; 1 file, -95/+0)
  This prevents error messages like:
    [!] Locale mappings are now handled using locale aliases on the server, so locale mappings in the project config file (zanata.xml) are now deprecated. Please add a locale alias in the project language settings to replace each locale mapping in zanata.xml, then remove the <locales> section from zanata.xml
    See also: http://docs.zanata.org/en/release/client/configuration/
  Reviewed-by: N/A
* KCM: Fix Description of sssd-kcm.socket (Jakub Hrozek, 2017-07-25; 1 file, -1/+1)
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* KCM: Modify krb5 snippet file kcm_default_ccache (Lukas Slebodnik, 2017-07-25; 3 files, -11/+11)
  The file kcm_default_ccache must enable KCM ccache by default without any modification of the file.
  /etc/krb5.conf.d/ is fedora/el7 specific and it is not allowed to enable or start systemd services in scriptlets. It would result in broken krb5 configuration.
  Therefore the krb5 configuration snippet was moved from /etc/krb5.conf.d/ -> /usr/share/sssd-kcm. And each downstream distribution should enable systemd services + change krb5 configuration in its own way.
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ad_account_can_shortcut: shortcut if ID is unknown (Sumit Bose, 2017-07-25; 1 file, -0/+2)
  If sss_idmap_unix_to_sid() returns an error we can assume that the given POSIX ID is not from the current domain and can be skipped. This is e.g. the case in the IPA provider if a POSIX ID used in the IPA domain is checked in a trusted id-mapped AD domain before the IPA domain is checked.
  Resolves https://pagure.io/SSSD/sssd/issue/3452
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Return invalid credentials internally when attempting to renew an expired TGT (Jakub Hrozek, 2017-07-24; 1 file, -0/+8)
  Since 1.14.2 and in particular commit d3348f49260998880bb7cd3b2fb72d562b1b7a64 we return ERR_NETWORK_IO for any krb5_child operations that receive KRB5KRB_AP_ERR_TKT_EXPIRED from libkrb5. However, when the action that krb5_child performs is ticket renewal and the ticket is totally expired, this can send the SSSD into offline mode.
  Instead, this patch converts the KRB5KRB_AP_ERR_TKT_EXPIRED code into sssd-internal ERR_CREDS_EXPIRED which map_krb5_error() won't map anymore. The effect on the daemon is that just the single renewal fails, but the failover code is not called and therefore sssd doesn't switch into offline mode.
  Resolves: https://pagure.io/SSSD/sssd/issue/3406
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Tested-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
* CRYPTO: Do not call NSS_Shutdown after every operation (Jakub Hrozek, 2017-07-24; 2 files, -4/+0)
  Calling setup and teardown on every encryption causes issues like the one described in https://bugzilla.redhat.com/show_bug.cgi?id=1456151 eventually.
  Similarly to other crypto functions, don't tear down NSS by calling NSS_Shutdown. Let the OS reclaim the resources.
  Resolves: https://pagure.io/SSSD/sssd/issue/3424
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KCM: temporarily increase hardcoded buffers (Lukas Slebodnik, 2017-07-24; 2 files, -2/+2)
  Temporary workaround: https://pagure.io/SSSD/sssd/issue/3386
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* idmap_error_string: add missing descriptions (Sumit Bose, 2017-07-24; 4 files, -2/+33)
  Related to https://pagure.io/SSSD/sssd/issue/1960
  Related to https://pagure.io/SSSD/sssd/issue/1938
  Related to https://pagure.io/SSSD/sssd/issue/1844
  Related to https://pagure.io/SSSD/sssd/issue/1593
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Revert "LDAP: Fix nesting level comparison" (Lukas Slebodnik, 2017-07-24; 1 file, -1/+1)
  This reverts commit 925a14d50edf0e3b800ce659b10b771ae1cde293.
  It broke a test for enumerating nested groups if they are part of non-POSIX groups.
  https://pagure.io/SSSD/sssd/issue/2406
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Document that client_idle_timeout can't be shorter than 10 seconds (Jakub Hrozek, 2017-07-21; 1 file, -1/+3)
  To ensure the client timeout is not too low and clients do not reconnect too often, the client_idle_timeout is forced to be 10 seconds minimum.
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TESTS: Integration test for idle timeout (Jakub Hrozek, 2017-07-21; 1 file, -13/+62)
  The secrets responder test was chosen even though the bug was in the generic responder code b/c it runs a single responder process, so it's trivial to read the PID of the responder under test.
  Changes subprocess.call() for os.execv() so that the setup function can return the secret responder PID right away.
  The client timeout in the test has to be at least 10 seconds because internally, the responders don't allow a shorter timeout.
  Regression test for https://pagure.io/SSSD/sssd/issue/3448
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* RESPONDERS: Fix terminating idle connections (Jakub Hrozek, 2017-07-21; 1 file, -5/+11)
  The client_idle_handler() function tried to schedule another tevent timer to check for idle client connections in case the current connection was still valid, but in doing so, it also stored the current time into the last_request_time field of the client context. This kept the connection always alive, because the last_request_time could then never be older than the timeout.
  This patch changes the setup_client_idle_timer() function to only do what the synopsis says and set the idle timer. The caller (usually the function that accepts the connection) is supposed to store the request time itself.
  Resolves: https://pagure.io/SSSD/sssd/issue/3448
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* README.md: Point to our releases on pagure (Jakub Hrozek, 2017-07-19; 1 file, -1/+13)
  Since the README.md is more or less what the wiki front page used to be, it makes sense, especially for Github users, to point to our releases from README.md
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix fedorahosted links in BUILD.txt (Jakub Hrozek, 2017-07-19; 1 file, -3/+1)
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* README: Add social network links (Jakub Hrozek, 2017-07-19; 1 file, -0/+4)
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* README: Add a hint on how to submit bugs (Jakub Hrozek, 2017-07-19; 1 file, -2/+6)
  Since we keep a code mirror on github but disable notifications there, it might be nice to hint to users where they can actually file a ticket.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* INTG/FILES_PROVIDER: Test user and group override (Fabiano Fidêncio, 2017-07-18; 1 file, -5/+81)
  User and group override have been failing when using it with files provider. This test helps us to avoid such regression in the future.
  As mentioned in the comment added to the test's code, there's an issue in nss_wrapper [0] and nss_wrapper always looks into the files first before using the NSS module, causing a test failure in case the fully-qualified name is not used when looking up the original (not overridden) user and group.
  Related: https://pagure.io/SSSD/sssd/issue/3391
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* MAN: Updating option ipa_server_mode in man sssd-ipa (AmitKumar, 2017-07-18; 1 file, -8/+9)
  Changes done for section ipa_server_mode since the description of the section was a bit vague. Text is re-phrased for better understanding.
  Resolves: https://pagure.io/SSSD/sssd/issue/3404
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* MAN: The timeout option doesn't say after how many heartbeats will the process be killed (AmitKumar, 2017-07-18; 1 file, -1/+3)
  Text added in timeout section of sssd.conf man page describing the number of heartbeats missed before the process kills itself.
  Resolves: https://pagure.io/SSSD/sssd/issue/3398
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* PAM: make sure the files provider uses the right auth provider (Sumit Bose, 2017-07-11; 2 files, -1/+5)
  Only the 'local' provider will use the 'local' auth provider, for all other id providers the configured auth provider in the backend should be checked.
  Resolves https://pagure.io/SSSD/sssd/issue/3447
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* responders: update domain even for local and files provider (Sumit Bose, 2017-07-11; 1 file, -0/+8)
  During the domain update the views related objects are read from the cache and added to the domain object accordingly. This is needed to make sure that both providers properly work with local overrides.
  Resolves https://pagure.io/SSSD/sssd/issue/3391
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* files: refresh override attributes after re-read (Sumit Bose, 2017-07-11; 1 file, -0/+115)
  Currently the files provider refreshes the cached user and group data by deleting all objects and adding them again. This might not be the most efficient way performance wise but helps to avoid additional code for updates.
  To handle overrides efficiently the override data is stored in a separate sub-tree and attributes with the DNs link the original and the override object together. During the removal of the users and groups this attribute pointing to the override is removed from the original attribute as well. To make sure overrides are still applied after a refresh the attribute is added back after the original objects are read from the source files.
  Resolves https://pagure.io/SSSD/sssd/issue/3391
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* SDAP: Add sdap_domain_copy_search_bases (Michal Židek, 2017-07-11; 4 files, -14/+17)
  Add function to copy search bases from one sdap_domain to another.
  Resolves: https://pagure.io/SSSD/sssd/issue/3435
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* TESTS: Update zero nesting level test (Justin Stephenson, 2017-07-11; 1 file, -2/+20)
  Add code to the existing zero nesting level test, check group list and ensure nested groups are intentionally skipped and filtered out.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* LDAP: Fix nesting level comparison (Justin Stephenson, 2017-07-11; 1 file, -1/+1)
  Correct an issue with nesting level comparison of option ldap_group_nesting_level to ensure that setting nesting level 0 will avoid parent group of group searches.
  Resolves: https://pagure.io/SSSD/sssd/issue/3425
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* tests: update expired certificate (Sumit Bose, 2017-06-26; 4 files, -37/+37)
  This is a short term fix to un-break the unit tests. The proper fix would be to create the certificates at runtime during the tests.
  Related to https://pagure.io/SSSD/sssd/issue/3436
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SDAP: Update parent sdap_list (Michal Židek, 2017-06-21; 1 file, -3/+35)
  Update parent sdap_list with newly created subdomain sdap domain.
  Previously, we inherited the parent sdap_list and used it also in the subdomain's context (this was introduced recently with commit c4ddb9ccab670f9c0d0377680237b62f9f91c496), but it caused problems that were difficult to debug (we somewhere rewrite part of the list incorrectly).
  This patch reverts to the previous behavior, where every subdomain has its own sdap_list, however this time the parent domain's sdap_list is updated so that it has correct information about search bases of the child domains.
  We should ideally have just one sdap_list to avoid the updating completely, but this would require more refactoring in the sdap code.
  Resolves: https://pagure.io/SSSD/sssd/issue/3421
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Fix typo in DEBUG message (Michal Židek, 2017-06-21; 1 file, -1/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DOMAIN: Add sss_domain_info_{get,set}_output_fqnames() (Fabiano Fidêncio, 2017-06-21; 5 files, -4/+23)
  Let's avoid setting a domain's property directly from cr_domain code. In order to do so, let's introduce a setter, which may help us in the future whenever we decide to make sss_domain_info an opaque structure.
  For completeness, a getter has also been introduced and used in the usertools code.
  Related: https://pagure.io/SSSD/sssd/issue/3403
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDER: Use fqnames as output when needed (Fabiano Fidêncio, 2017-06-21; 6 files, -66/+74)
  As some regressions have been caused by not handling properly naming conflicts when using shortnames, let's explicitly use fully qualified names as output in the following situations:
  - domain resolution order is set;
  - a trusted domain has been using `use_fully_qualified_name = false`
  In both cases we want to ensure that even handling shortnames as input, the output will always be fully qualified.
  As part of this patch, our tests ended up being modified to reflect the changes done. In other words, the tests related to shortnames now expect a fully qualified name as return value for trusted domains.
  Resolves: https://pagure.io/SSSD/sssd/issue/3403
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Revert "CI: Use /bin/sh as a CONFIG SHELL" (Lukas Slebodnik, 2017-06-19; 1 file, -2/+1)
  This reverts commit 35f29b17699c3d52f77857c530300318b14148f8.
  Workaround is not required anymore.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* CI: Do not use valgrind for dummy-child (Lukas Slebodnik, 2017-06-19; 1 file, -1/+1)
  There was a bug in valgrind < 3.13 which overrode some log files and therefore there were missing errors for shell wrappers generated by libtool for dummy-child.
  https://bugs.kde.org/show_bug.cgi?id=162848
  We could add more suppressions for errors/leaks in bash to our suppression file but dummy child is built just for test purposes. Another possible solution would be to avoid linking dummy-child with internal libraries; so libtool would not generate a shell wrapper for dummy-child. But the simplest thing is to ignore all errors for dummy-child.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* LDAP_ID_CLEANUP: Use sysdb_search_*_by_timestamp() (Fabiano Fidêncio, 2017-06-15; 1 file, -2/+4)
  Use the appropriate methods for searching users and groups by timestamp.
  Resolves: https://pagure.io/SSSD/sssd/issue/3369
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Introduce _search_{users,groups}_by_timestamp() (Fabiano Fidêncio, 2017-06-15; 2 files, -0/+192)
  These two new sysdb methods are going to be used, at least for now, uniquely and exclusively in the cleanup task.
  The reason for adding those is that during the cleanup task a timestamp search is done in the persistent cache, which doesn't have the updated timestamps, returning then a wrong result that ends up in having all the users being removed from the cache.
  The persistent cache doesn't have its entries' timestamps updated because those are kept updated in the timestamp cache, therefore these two new methods end up doing:
  - if the timestamp cache is present:
    - search for the entries solely in the timestamp cache;
    - get the needed attributes from these entries from the persistent cache;
  - otherwise:
    - search for the entries in the persistent cache;
    - merge its results with timestamp cache's results;
  Related: https://pagure.io/SSSD/sssd/issue/3369
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB_OPS: Invalidate a cache entry also in the ts_cache (Fabiano Fidêncio, 2017-06-15; 1 file, -0/+11)
  Similarly to what has been done in the previous commit (expiring an entry also in the timestamp cache), we should do the same when invalidating an entry.
  Related: https://pagure.io/SSSD/sssd/issue/3369
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB_OPS: Mark an entry as expired also in the timestamp cache (Fabiano Fidêncio, 2017-06-15; 1 file, -0/+9)
  As the cleanup task will start using new methods for searching the users and groups which have to be cleaned up, SSSD starts relying more on a more consistent state of the timestamp cache on pretty much everything related to the cleanup task.
  One of the things that would cause SSSD some problems is not having the ghost user expired in the persistent cache but not in the timestamp cache.
  With this patch, the entry is also expired in the timestamp cache when it's present.
  Related: https://pagure.io/SSSD/sssd/issue/3369
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Make the usage of the filter more generic for search_ts_matches() (Fabiano Fidêncio, 2017-06-15; 1 file, -13/+54)
  In order to make this function re-usable in different parts of our code, let's start passing an already built filter to it instead of having the specific code building the name filter there.
  Related: https://pagure.io/SSSD/sssd/issue/3369
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Internally expose sysdb_search_ts_matches() (Fabiano Fidêncio, 2017-06-15; 2 files, -10/+17)
  This function will be used in the follow-up patches. As it's going to be "exposed", let's also rename it from search_ts_matches() to sysdb_search_ts_matches().
  Related: https://pagure.io/SSSD/sssd/issue/3369
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SYSDB: Return ERR_NO_TS when there's no timestamp cache present (Fabiano Fidêncio, 2017-06-15; 2 files, -2/+10)
  This change affects sysdb_search_ts_{users,groups} functions and is mainly needed in order to avoid breaking our current tests due to the changes planned for fixing https://pagure.io/SSSD/sssd/issue/3369.
  Related: https://pagure.io/SSSD/sssd/issue/3369
  Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: use plain principal if password is expired (Sumit Bose, 2017-06-15; 1 file, -1/+10)
  Similar as in https://pagure.io/SSSD/sssd/issue/3426 enterprise principals should be avoided while requesting a kadmin/changepw@REALM principal for a password change.
  Resolves https://pagure.io/SSSD/sssd/issue/3419
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* IPA: Enable enterprise principals even if there are no changes to subdomains (Jakub Hrozek, 2017-06-15; 1 file, -7/+7)
  Resolves: https://pagure.io/SSSD/sssd/issue/3431
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* IFP: Fix error handling in ifp_user_get_attr_handle_reply() (Jakub Hrozek, 2017-06-15; 1 file, -3/+5)
  This bug was introduced in 37d2194cc9ea4d0254c88a3419e2376572562bab
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* pam_sss: Fix leaking of memory in case of failures (Lukas Slebodnik, 2017-06-13; 1 file, -0/+3)
  Found by coverity.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* IFP: Add domain and domainname attributes to the user (Pavel Březina, 2017-06-13; 10 files, -5/+173)
  org.freedesktop.sssd.infopipe.Users.User gets two new attributes:
  - domain: object path of user's domain
  - domainname: user's domain name
  org.freedesktop.sssd.infopipe.GetUserAttr can now request a new attribute:
  - domainname: user's domain name
  Resolves: https://pagure.io/SSSD/sssd/issue/2714
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* cache_req: Do not use default_domain_suffix with netgroups (Lukas Slebodnik, 2017-06-08; 1 file, -1/+1)
  Resolves: https://pagure.io/SSSD/sssd/issue/3428
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SSSCTL: Add parent or trusted domain type (Justin Stephenson, 2017-06-08; 1 file, -0/+50)
  Add verbose option to sssctl domain-list; when this option is provided SSSD will print the domain type (primary or trusted domain) retrieved from the infopipe API, in addition to the domain name.
  Resolves: https://pagure.io/SSSD/sssd/issue/3065
  Reviewed-by: Michal Židek <mzidek@redhat.com>
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* certmap: Remove unnecessary included files (Lukas Slebodnik, 2017-06-08; 3 files, -7/+7)
  Patch also replaces util.h in places where it was not needed directly and directly includes the required header files.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* Remove unnecessary sys/param.h (Lukas Slebodnik, 2017-06-08; 3 files, -3/+0)
  They are mostly required for macros MAX/MIN which were not used in these modules.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* UTIL: Remove limits.h from util/util.h (Lukas Slebodnik, 2017-06-08; 5 files, -1/+4)
  limits.h is not used directly by util/util.h. The header file limits.h must be included in 17 files and after removing it from util.h it had to be added only to 4 missing files.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
* UTIL: Remove ctype.h from util/util.h (Lukas Slebodnik, 2017-06-08; 9 files, -1/+13)
  ctype.h is not used directly by util/util.h. The header file ctype.h must be included in 32 files and after removing it from util.h it had to be added only to 8 missing files.
  Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>