September 2012 - sssd-devel - Fedora Mailing-Lists

Odd "Timer Expired" Errors causing SSH login drops

by Caio James

Greetings, I'm running a file transfer server inside of my business with some decent traffic (but not what I would call heavy traffic). Users use SFTP to transfer files. A couple of times per day, one or two of my users (not all of them) experience issues logging in. These users are local users, not LDAP. /var/log/secure shows the following: > Sep 18 08:17:04 radvma29 sshd[27378]: pam_unix(sshd:session): session opened for user wwbi by (uid=0) > Sep 18 08:27:04 radvma29 sshd[27378]: pam_sss(sshd:session): Request to sssd failed. Timer expired The user's connection is subsequently dropped, and they're not able to login until sssd is restarted. The sssd log doesn't seem to show any anomaly. I've got sssd scheduled to restart twice per day with cron, but the traffic is increasing and users are now experiencing this more frequently. I'm running Oracle Linux 6.3. > [root@radvma29 ~]# sssd --version > 1.8.0 My sssd.conf is below. Note that we do connect to an LDAP server insecurely. We're working with our IT team to fix this but it's a few months away: > [sssd] > config_file_version = 2 > services = nss, pam > debug_level = 5 > domains = default > > [nss] > > [pam] > cache_credentials = true > > [domain/default] > ldap_auth_disable_tls_never_use_in_production = true > access_provider = simple > auth_provider = ldap > chpass_provider = ldap > cache_credentials = True > krb5_realm = EXAMPLE.COM > ldap_search_base = dc=mybusiness,dc=com > id_provider = ldap > ldap_uri = ldap://od.mybusiness.com/ > krb5_kdcip = kerberos.example.com > ldap_tls_cacertdir = /etc/openldap/cacerts Thank you for any direction that you can point me. Caio

11 years, 7 months

2
3
0 / 0

Announcing SSSD 1.9.0

by Jakub Hrozek

=== SSSD 1.9.0 === The SSSD team is proud to announce the release of the System Security Services Daemon version 1.9.0. As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora shortly, initially for F-18 and rawhide and later also backported to F-17. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == === New Features === * Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory * The SSSD is able to act as an IPA client in cases where the IPA server has established a trust setup with an Active Directory server - Support for sub-domains for dealing with trust relationships - Add a new PAC responder for dealing with cross-realm Kerberos trusts - The IPA authentication provider now supports subdomains - In scenarios, where the SSSD is acting as an IPA client, it is able to discover and save the DNS domain-Kerberos realm mappings between an IPA server and a trusted Active Directory server. * Add a new fast in-memory cache to speed up lookups of cached data on repeated requests * Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation * Add support for the Kerberos DIR cache for storing multiple TGTs automatically * SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules * The SSSD supports the concept of a Primary Server and a Back Up Server. If the SSSD switches to a back up server because a primary server is not available, it would later try to re-establish a connection to the primary server. * Add native support for autofs to the IPA provider * A new command-line tool sss_seed is available. This tool is able to prime the internal cache with a user record and a cached password to support the scenario when a user needs to log in to the client before the network connection to the centralized identity source is established, such as the first log in to a new machine. * A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. === Important Fixes and Enhancements === * Major performance enhancement when storing large groups in the cache * Major performance enhancement when performing initgroups() against Active Directory * Terminate idle connections to the NSS and PAM responders * The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds * Mutexes in the nss_sss module are now released correctly if one thread in a multithreaded application is cancelled while the mutex is locked * The fail over code works correctly when the IPA provider is not able to establish a GSSAPI-encrypted connection to an IPA server * The SSSD correctly accepts -1 as a valid value of the shadow attributes * When the SSSD is unable to resolve a host name, it tries the next configured server now instead of going offline * The default SELinux login context for IPA users was changed to unconfined_t when there are no rules on the server * A file descriptor leak in cases the SSSD was unable to establish SSL connection to an LDAP server was fixed * Potential crash when one of two parallel requests would expire the list of servers resolved from a SRV query * Fixed a crash that occured when a service was requested by both name and protocol === Packaging Changes === * SSSDConfig data file default locations can now be set during configure for easier packaging * Switch from libunistring to glib2 for unicode support * A new Python wrapper around the murmur hash library has been introduced. It is only useful to the FreeIPA server at the moment. * a new binary, called sss_seed is available. The binary is installed to /usr/sbin/sss_seed by default and includes its own manual page. * The SSSD uses a new directory to store the DNS domain - Kerberos realm mappings. The default location is /var/lib/sss/pubconf/krb5.include.d == Tickets fixes == https://fedorahosted.org/sssd/ticket/1331 Off-by-one error in sss_hmac_sha1 https://fedorahosted.org/sssd/ticket/1364 [abrt] sssd-1.8.3-11.fc16: set_server_common_status: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) https://fedorahosted.org/sssd/ticket/1438 SSSD crashes at boot time https://fedorahosted.org/sssd/ticket/1452 Authentication fails if kpasswd cannot be resolved https://fedorahosted.org/sssd/ticket/1454 if allocation fails, sss_mmap_cache_init may dereference NULL pointer https://fedorahosted.org/sssd/ticket/1458 Full sudo refresh is scheduled even if there is no sudo responder https://fedorahosted.org/sssd/ticket/1466 Proxy: Cannot retrieve an user after a group he is a member of was retrieved https://fedorahosted.org/sssd/ticket/1467 enumeration is broken in the proxy provider https://fedorahosted.org/sssd/ticket/1479 Hbac logs show wrong rule name granting access https://fedorahosted.org/sssd/ticket/1486 [abrt] sssd-1.8.4-14.fc17: sss_ldap_init_send: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) https://fedorahosted.org/sssd/ticket/1496 [abrt] sssd-1.8.4-14.fc17: ldap_pvt_sasl_getmechs: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV) https://fedorahosted.org/sssd/ticket/1505 sudo with sss backend should use ipa_hostname https://fedorahosted.org/sssd/ticket/1509 libsss_sudo is not updated when yum update sssd is called https://fedorahosted.org/sssd/ticket/1513 Change the processing of the SELinux default map https://fedorahosted.org/sssd/ticket/1515 pam_sss report System Error on wrong password https://fedorahosted.org/sssd/ticket/1516 krb5_mod_ccname should cancel the transaction at one place only https://fedorahosted.org/sssd/ticket/1519 membership of IPA hostgroups is not evaluated when treating them as netgroups https://fedorahosted.org/sssd/ticket/734 on reconnect we need to detect that a ipa/ds server has been reinitialized https://fedorahosted.org/sssd/ticket/1156 Do not use "goto" to jump backwards in the proxy code https://fedorahosted.org/sssd/ticket/1194 when nesting limit is reached, the LDAP provider tries to establish link to members outside the nesting limit https://fedorahosted.org/sssd/ticket/1345 sssd does not warn into sssd.log for broken configurations https://fedorahosted.org/sssd/ticket/1365 ipv6 address with square brackets doesn't work for krb5_server https://fedorahosted.org/sssd/ticket/1388 domain.remove_provider() does not work https://fedorahosted.org/sssd/ticket/1390 Add support for nested automount maps https://fedorahosted.org/sssd/ticket/1393 shadow attributes should accept -1 https://fedorahosted.org/sssd/ticket/1396 Kerberos validation algorithm is insufficient for cross-realm trusts https://fedorahosted.org/sssd/ticket/1415 Group lookups no longer work when fastcache cannot be initialized https://fedorahosted.org/sssd/ticket/1416 sssd_be crashes on using inappropriate keytab file https://fedorahosted.org/sssd/ticket/1430 Password change prompt doesn't appear when "User must change password on next logon" is set for a AD user. https://fedorahosted.org/sssd/ticket/1436 LOCAL domain lookups don't work https://fedorahosted.org/sssd/ticket/1446 sssd does not try another server when unable to resolve hostname https://fedorahosted.org/sssd/ticket/1447 Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection https://fedorahosted.org/sssd/ticket/1453 proxy provider: value stored to status is never read in get_pw_name https://fedorahosted.org/sssd/ticket/1455 SELinux code must fall back to default only if there are no rules on the server https://fedorahosted.org/sssd/ticket/1456 Attempt to close the same file stream twice https://fedorahosted.org/sssd/ticket/1457 Insecure temporary file in IPA subdomain provider https://fedorahosted.org/sssd/ticket/1459 SRV servers are always marked as back up https://fedorahosted.org/sssd/ticket/1460 SSSD thread issue can cause the application to not get any identity information https://fedorahosted.org/sssd/ticket/1470 FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context https://fedorahosted.org/sssd/ticket/1472 Duplicate detection in fail over does not work https://fedorahosted.org/sssd/ticket/1478 ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf https://fedorahosted.org/sssd/ticket/1480 1.9.0b6 does not build with SELinux disabled https://fedorahosted.org/sssd/ticket/1488 Segfault in IPA subdomain provider https://fedorahosted.org/sssd/ticket/1490 SSSD does not close TCP connections when SSL fails https://fedorahosted.org/sssd/ticket/1491 Consolidate functions that make a realm upper-case https://fedorahosted.org/sssd/ticket/1492 There is no /etc/selinux/targeted/logins on RHEL5 https://fedorahosted.org/sssd/ticket/1500 SSSD's default ccache location needs to be updated (again), and the man pages should reflect it https://fedorahosted.org/sssd/ticket/904 Create tool to seed a user for first-boot https://fedorahosted.org/sssd/ticket/1087 RFE: Allow Forcing User Shell https://fedorahosted.org/sssd/ticket/1128 Introduce the concept of a Primary Server in SSSD https://fedorahosted.org/sssd/ticket/1185 [Feature] AD Extensions https://fedorahosted.org/sssd/ticket/1318 RFE: make the NSS memory cache timeout configurable https://fedorahosted.org/sssd/ticket/1368 Missing hostid and subdomains sections in sssd-ipa.conf https://fedorahosted.org/sssd/ticket/1380 domain_realm mappings manipulation by sssd https://fedorahosted.org/sssd/ticket/1418 document how sudo works with sssd https://fedorahosted.org/sssd/ticket/1420 sudo: provide automatic configuration of machine hostnames https://fedorahosted.org/sssd/ticket/1427 Don't refersh HBAC rules when looking up SELinux rules https://fedorahosted.org/sssd/ticket/1429 IPA session code returns error when SELinux mapping rule links to an HBAC rule https://fedorahosted.org/sssd/ticket/1432 Mention AD Provider in manpage of sssd.conf https://fedorahosted.org/sssd/ticket/1433 Suggested additions to manpage of sssd-ad https://fedorahosted.org/sssd/ticket/1435 SELinux specifity does not work with HBAC rules https://fedorahosted.org/sssd/ticket/1439 sss_pam needs to write out SELinux login file during the account phase https://fedorahosted.org/sssd/ticket/1445 The SELinux login file needs to be created by the responder, not PAM module https://fedorahosted.org/sssd/ticket/1448 sss_seed tool review issues https://fedorahosted.org/sssd/ticket/1360 format of file for pam_selinux is incorrect https://fedorahosted.org/sssd/ticket/1379 Possible use of uninitialized values https://fedorahosted.org/sssd/ticket/1395 SELinux rule matching ignores specificity requirement https://fedorahosted.org/sssd/ticket/1417 Several unowned directories https://fedorahosted.org/sssd/ticket/1419 sssd incorrectly sets shadowLastChange in seconds not days https://fedorahosted.org/sssd/ticket/1421 selinux rules are never deleted from sysdb https://fedorahosted.org/sssd/ticket/1422 When ldap_sasl_minssf is assigned large values, appropriate error message should be logged sssd_DOMAIN log https://fedorahosted.org/sssd/ticket/1431 Set "krb5_canonicalize = False" for password change to work https://fedorahosted.org/sssd/ticket/1239 [RFE] sudo: send username and uid while requesting default options https://fedorahosted.org/sssd/ticket/1299 Per domain formats for qualified user names https://fedorahosted.org/sssd/ticket/1352 [RFE] Add the subdomain functionality to IPA auth provider https://fedorahosted.org/sssd/ticket/1377 [RFE] Add AD provider https://fedorahosted.org/sssd/ticket/1382 pac responder interface needs checks https://fedorahosted.org/sssd/ticket/1385 heimdal: compile time diference https://fedorahosted.org/sssd/ticket/1398 Dependency issue while "yum update libsss_sudo" https://fedorahosted.org/sssd/ticket/1403 Combine keytab options for AD provider https://fedorahosted.org/sssd/ticket/1404 AD provider should default to case-insensitive operation https://fedorahosted.org/sssd/ticket/1407 Revert sssd patch for limiting enctypes to keytab https://fedorahosted.org/sssd/ticket/1409 Resource leak in sssdpac_import_authdata https://fedorahosted.org/sssd/ticket/1410 Dead code in ipa_subdomains_handler_done() https://fedorahosted.org/sssd/ticket/1412 Starting SSSD with a domain using the LOCAL provider segfaults the responders https://fedorahosted.org/sssd/ticket/1163 [Feature] SSSD AD Integration Feature (Cross Realm Kerberos Trusts) https://fedorahosted.org/sssd/ticket/1354 Add support for terminating idle connections in sssd_nss https://fedorahosted.org/sssd/ticket/1383 sssd_nss segfaults performing netgroup lookups without a specified domain https://fedorahosted.org/sssd/ticket/974 [RFE] Support DIR: credential caches for multiple TGT support https://fedorahosted.org/sssd/ticket/984 RFE: sssd should support Netscape LDAP password expiration controls https://fedorahosted.org/sssd/ticket/1213 Warn to syslog when dereference requests fail https://fedorahosted.org/sssd/ticket/1240 sudo: contact data provider only once https://fedorahosted.org/sssd/ticket/1255 RFE: change the way we deal with fake users https://fedorahosted.org/sssd/ticket/1256 Document the expectations about ghost users showing in the lookups https://fedorahosted.org/sssd/ticket/1330 Potential NULL dereference in sss_krb5_read_etypes_for_keytab https://fedorahosted.org/sssd/ticket/1336 Please only use named parameters in translatable strings https://fedorahosted.org/sssd/ticket/1337 Minor typos in SSSD messages and man pages https://fedorahosted.org/sssd/ticket/1346 in-memory cache causes nss to segfault if it cannot be initialized properly https://fedorahosted.org/sssd/ticket/1367 Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN https://fedorahosted.org/sssd/ticket/357 SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides https://fedorahosted.org/sssd/ticket/783 Support range retrievals https://fedorahosted.org/sssd/ticket/887 Implement mechanism to fetch and store domain info https://fedorahosted.org/sssd/ticket/917 Document sss_tools better https://fedorahosted.org/sssd/ticket/949 Filter out inappropriate IP addresses from IPA dynamic DNS update https://fedorahosted.org/sssd/ticket/996 RFE: Allow Constructing uid from Active Directory objectSid https://fedorahosted.org/sssd/ticket/1031 [RFE] Implement "AD friendly" schema mapping https://fedorahosted.org/sssd/ticket/1064 Sub-Domains: define new get_domains method https://fedorahosted.org/sssd/ticket/1065 Sub-Domains: implement new get_domains method in IPA provider https://fedorahosted.org/sssd/ticket/1067 Sub-Domains: add new get_domains method to responders https://fedorahosted.org/sssd/ticket/1114 get_uid_from_pid() perfoms an improper read https://fedorahosted.org/sssd/ticket/1119 Monitor SIGKILL time should be configurable https://fedorahosted.org/sssd/ticket/1140 RFE Request for including pam_pwd_expiration_warning = 0 in sssd.conf https://fedorahosted.org/sssd/ticket/1170 sss_cache should support invalidating services and autofs maps https://fedorahosted.org/sssd/ticket/1172 Bad check for id_provider=local and access_provider=permit https://fedorahosted.org/sssd/ticket/1174 sssd.conf has wrong defaults for the "command" parameter https://fedorahosted.org/sssd/ticket/1176 SSH: Add dp_get_host_send to common responder code https://fedorahosted.org/sssd/ticket/1181 Typos in sssd manual https://fedorahosted.org/sssd/ticket/1203 Hash the hostname/port information in the known_hosts file. https://fedorahosted.org/sssd/ticket/1209 Convert all read and write loops to use atomic I/O function https://fedorahosted.org/sssd/ticket/1233 Memory leak in sss_sudo_send_recv_generic https://fedorahosted.org/sssd/ticket/1250 Add default home directory mapping https://fedorahosted.org/sssd/ticket/1271 Stop using HTML_FOOTER_DESCRIPTION in doxygen docs https://fedorahosted.org/sssd/ticket/1281 Add unit test for compatibility of ldap options between schemas https://fedorahosted.org/sssd/ticket/1289 Create a way to define a default shell for cases when there no shell https://fedorahosted.org/sssd/ticket/1297 Use keytab to select etypes for krb5_get_init_creds_keytab() https://fedorahosted.org/sssd/ticket/1298 Invalid cache file created when canoning principals during krb5_get_init_creds_keytab() https://fedorahosted.org/sssd/ticket/1301 sss_cache does nothing when executed without any options. https://fedorahosted.org/sssd/ticket/1305 sss_cache should return a warning/error while validating unknown user/group https://fedorahosted.org/sssd/ticket/1306 sss_cache should return an error, when executed against inactive domains https://fedorahosted.org/sssd/ticket/1313 exec_child, execv and friends don't return success https://fedorahosted.org/sssd/ticket/1316 kpasswd server status set to working when Kerberos auth succeeds == Detailed Changelog == Ariel Barria (6): * Bad check for id_provider=local and access_provider=permit * Potential NULL dereference in proxy provider * Warn to syslog when dereference requests fail * Clarify how comments work in sssd.conf * SIGUSR2 should force SSSD to reread resolv.conf as well * Missing resolv.conf should be non-fatal George McCollister (1): * libcrypto fully implemented Jakub Hrozek (205): * Fix SSH compilation on RHEL5 * AUTOFS: IPA provider * Two sssd-ldap manual pages fixes * Fix group enumeration * Only fetch SELinux string if the user is found * Remove setent structure when callback is called * Allocate setent structure on state, not on the client context * Fix memory hierarchy when processing nested group memberships * Fix case insensitive service lookups * Include the fd_limit configuration option * End request if ldap_parse_result fails * remove unused function * Save errno value before calling DEBUG * libnl: fix the path to phy80211 subdirectory * AUTOFS: Invoke implicit setautomntent if needed * AUTOFS: Search all search bases for automounter map entries * AUTOFS: speed up the client by requesting multiple entries at once * Use proper errno code * Only do one cycle when resolving a server * krb5_child: set debugging sooner * Search netgroups by alias, too * Detect cycle in the fail over on subsequent resolve requests only * Autofs: operate on contents of double-pointer, not address * Only free returned values on success * Save original name into the in-memory cache * Handle errors from lookup_netgr_step gracefully * Fix nested groups processing * Fix netgroup error handling * Handle empty elements in proxy netgroups: * Fix uninitialized variable * Free entry found in negative cache * Make the string_equal() function public * Save alias of the primary name, too * NSS: Look for services with correct case when cache is updated * AUTOFS: fix copy-and-paste bug in the autofs client * LDAP services: Keep the protocol around * Silence Coverity warning in the autofs test tool * Return correct resolv_status on resolver timeout * Add sss_get_cased_name_list utility function * LDAP services: Save lowercased protocol names in case-insensitive domains * Proxy services: Save lowercased protocol names and aliases in case-insensitive domains * Fix off-by-one error in principal selection * Catch cases where D-Bus connection is NULL * Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION * Fix regression in SSSDConfig.py * netlink integration: ensure that interface name is NULL-terminated * Remove forgotten DEBUG message * autofs: load the correct option * man: document that referral chasing might bring performance penalty * Prevent printing NULL from DEBUG messages * Do not call sdap_auth if not needed * pam_sss: improve error handling in SELinux code * Remove the "command" option from documentation * Add sysdb_set_service_attr and sysdb_set_autofsmap_attr * sss_cache: support invalidating services and autofs maps * autofs: Raise the maximum key length to PATH_MAX * sss_cache: Better error reporting * MAN: timeout can be specified for services, too * MAN: document the hostid and autofs providers * proxy: Canonicalize user and group names * proxy: new option proxy_fast_alias * Free controls in sdap_rebind_proc * Make the monitor SIGKILL time configurable * sdap_check_aliases must not error when detects the same user * sss_atomic_io: Do not fail reads with EPIPE if there is not enough data to read * Move atomic io function to a separate module * Convert read and write operations to sss_atomic_read * Document sss_tools better * Warn on 'make update-po' if there are manpages not listed in po4a.cfg * Test RFC2307bis and RFC2307 option maps * Get the RootDSE after binding if not successfull before * Lowercase group members in case-insensitive domains * NSS: Only return data from initgroups once * SUDO: Return ret, not EOK * SYSDB: return EOK if empty message is passed into get_rm_msg * SYSDB: check return value * SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain * SERVER: use the correct return code of sss_atomic_write_s * LDAP: check return value of sysdb_attrs_get_el * RESPONDER: check return value from confdb_get_int * PYHBAC: Return NULL on failure * PAM_SSS: report error code if write fails * NSS: Check return code of sss_mmap_cache_gr_store * IPA netgroups: return EOK when there are no netgroups to process * ipa_get_config_send: remove unused assignment * HBAC: Prevent NULL dereference in hbac_evaluate * DP: return correct error message when subdomains back end target is not configured * NSS: fix returning group from cache * SSS_DEBUGLEVEL: silence analyzer warnings * PROXY: return correct return codes * IPA: Check return values * AUTOFS: remove unused assignments * Rename split_service_name_filter * SSH: Add dp_get_host_send to common responder code * Read sysdb attribute name, not LDAP attribute map name * Kerberos locator: Include the correct krb5.h header file * Special-case LDAP_SIZELIMIT_EXCEEDED * krb5 locator: Do not leak addrinfo * Only reset kpasswd server status when performing a chpass operation * Try all KDCs when getting TGT for LDAP * Send the correct enumeration request * subdomains: Fix error handling in Data Provider * Filter out IP addresses inappropriate for DNS forward records * sysdb: return proper error code from sysdb_sudo_purge_all * SYSDB: Handle user and group renames better * NSS: keep a pointer to body after body is reallocated * Use sized_string correctly in FQDN domains * Use the sysdb attribute name, not LDAP attribute name * LDAP nested groups: Do not process callback with _post deep in the nested structure * Send 16bit protocol numbers from the sss_client * Revert the client packet length, too, after reverting the packet protocol * Fix the default sssd.conf path * Fix the 0.11 sysdb upgrade * sss_names_init: Report correct error code if allocation failed * Two small krb5_child fixes * Provide more debugging in krb5_child and ldap_child * Allow redefining the KRB5_CHILD path * Split parse_krb5_child_response so it can be reused * Add a krb5_child test tool * Residual util functions * Handle trailing slash in the ccname template * Add a credential cache back end structure * Add support for storing credential caches in the DIR: back end * Use Kerberos context in KRB5_DEBUG * Make krb5_ccname_template and krb5_ccachedir configurable * Print based on pointer contents not address * Cast uid_t to unsigned long long in DEBUG messages * Update translations for 1.9.0 beta 4 release * Bumping version to 1.9.0 beta 5 * Add newline to DEBUG messages * RPM: Own several directories * Add missing "%" to specfile * IPA: Download defaults even if there are no SELinux mappings * SYSDB: Delete SELinux mappings * IPA: Return and save all SELinux rules in the provider * PAM: Fix off-by-one-error in the SELinux session code * Update translations for 1.9.0 beta 5 release * Bumping version to 1.9.0 beta 6 * Fix sysdb_search_selinux_usermap_by_username return value * Fix SSSDConfigTest * Fix bad check * Create a domain-realm mapping for krb5.conf to be included * Update translations for 1.9.0 beta 6 release * Bumping version for the 1.9.0 release * Don't call fo_set_{server,port}_status for SRV servers * Fix the version number * SYSDB: Check the return value * SYSDB: Use ldb_msg_add_string for simple string additions * Failover: Return last tried server if it's still being tried * Subdomains: Send the DP reply in the correct format * Always mark SRV servers as primary * Allocate on top of a talloc context, not NULL * Abort PAM access phase if HBAC does not return PAM_SUCCESS * Change default for ldap_idmap_range_min to 200000 * Don't use server after SRV data collapsed * Document entry_cache_autofs_timeout * Add autofs-related options to configAPI * sss_client: Group lookups should work even when fastcache cannot be initialized * FO: Don't retry the same server if it's not working * FO: Return EAGAIN if there are more servers to try * KRB5: Only return PAM error for unreachable kpasswd when performing chpass * Build SELinux code in responder conditionally * Do not try to remove the temp login file if already renamed * Only create the SELinux login file if there are mappings on the server * Fix compilation error in Python murmurhash bindings * Process all groups from a single nesting level * Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client * RPM: Switch the default ccache location * RPM: Always include the patch file * Check if the SELinux login directory exists * SYSDB: Commit transaction in sysdb_store_user * SYSDB: Abort unit test if sysdb_getpwnam fails * Retry the next server if bind during LDAP auth times out * Don't terminate the same connection twice * Update translations for 1.9.0 beta 7 release * Bumping version for the 1.9.0 beta 7 release * libsss_sudo should have a versioned dependency on SSSD * KRB5: cancel the sysdb transaction on one place only * KRB5: Return PAM_AUTH_ERR on incorrect password * RPM: BuildRequire selinux-policy-targeted * SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains} * KRB5: Add a missing string argument * NSS: Fix off-by-one error in parse_getservbyname * FO: Check server validity before setting status * DB: Always write the SELinux object to sysdb * SELinux: Always use the default if it exists on the server * Updating the translations for the 1.9.0 RC1 release * Updating the version for the RC1 release * KRB5 child: Don't return System Error on empty password * KRB5 child: handle more error codes gracefully * DB: Cancel transaction in sysdb_store_user if sysdb_add_user fails * Mark the fastcache files in the spec file as %ghost * autofs, sudo, ssh and PAC are not experimental anymore * AUTOFS: Do not fail if search base is not provided * AUTOFS: Add sysdb tests * AUTOFS: Add entry objects below map objects * AUTOFS: Use both key and value in entry RDN * AUTOFS: convert the existing autofs entries during a sysdb upgrade * SYSDB: Remove unnecessary domain parameter from several sysdb calls * DB: Use TALLOC_CTX for talloc context * KRB5: Recover gracefully if the ccache file could not be reused * Detect LDAPDerefRes in configure script * RPM: Create ghost files during install * Set the version number to 1.9.0 for the release * Updating translations for the 1.9.0 release Jan Cholasta (29): * Add methods for activating and deactivating services to SSSDConfig * Add ssh service to sssd.api.conf * SSH: Verify that names received from client are valid UTF-8 in responder * SSH: Build man pages conditionally * SSH: Save SSH host name aliases * SSH: Refactor responder and client common code * UTIL: Add function for atomic I/O * SSH: Continue connecting to SSH server even when SSSD is not running in sss_ssh_knownhostsproxy * SSH: Manage global known_hosts file in the responder * SSH: Don't abort known_hosts update when host search fails * SSH: Add more debugging messages * SSH: Add missing break statements to sss_ssh_format_pubkey * SSH: Use fchmod instead of chmod on known_hosts file * SSH: Replace blocking getaddrinfo call in the responder with asynchronous resolver code * SSH: Remove unused --file option of sss_ssh_knownhostsproxy * SSH: Update sss_ssh_knownhostsproxy manual page * Include missing source files to the list of source files which contain translatable strings * SSH: Allow clients to explicitly specify host alias * SSH: Canonicalize host name and do reverse DNS lookup in sss_ssh_knownhostsproxy * SSH: Fix infinite loop in sss_ssh_knownhostsproxy * UTIL: Add HMAC-SHA-1 function * SSH: Add support for hashed known_hosts * SSH: Update sss_ssh_knownhostsproxy manual page * SSH: Supress error message output in sss_ssh_knownhostsproxy * SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing * SSH: Return error code in SSH utility functions * SSH: Simplify public key formatting function * SSH: Add support for OpenSSH-style public keys * SSH: Fix possible infinite loop when updating known_hosts Jan Engelhardt (1): * build: resolve link failure Jan Vcelak (1): * LDAP: Properly cast type for MINSSF value Jan Zeleny (87): * Fixed issue with netgroup update in IPA provider * Don't give memory context in confdb where not needed * IPA hosts refactoring * SELinux related attributes added to config API * Delete missing attributes from netgroups to be stored * Modifications to simplify list_missing_attrs * Fix the script path * Fixed uninitialized pointer in SSH known host proxy * Fixed uninitialized pointer in SSH authorized keys client * Add umask before mkstemp() call in SSH responder * Fixed resource leak in ssh client code * Removed a block of dead code in sdap_async_groups.c * Removed unused block of code is sdap_fill_memberships() * Removed unused function sysdb_attrs_users_from_ldb_vals() * Fixed memory context in sdap_fill_memberships() * Fixed minor memory leak in ldap provider * Sysdb routines for subdomains * Add some utility functions for subdomains * Add conn_name to allow different names for domains and connections * Responder part of the subdomain retrieval work * Modified responder_get_domain() * Retrieve subdomains if there is a request for fully qualified user * Ask for subdomains in responder in the first request after startup * New config option for subdomains * Moved expand_homedir_template() from NSS responder to utility code * Add ID operations in subdomains * Send PAM requests for subdomains to the right provider * Basic support for subdomains in auth provider * Carry sysdb context and domain info in be_req structure * Accept be_req instead if be_ctx in LDAP access provider * Detect subdomain request in IPA access provider * Utilize sysdb context within be_req in HBAC * Two fixes in responder subdomain code * Modify behavior of pam_pwd_expiration_warning * Fixed two minor memory leaks * Fixed issue in SELinux user maps * Ghost members - add the ghost attribute to sysdb * Ghost members - support in LDAP provider * Ghost members - support in proxy provider * Ghost members - modifications in sysdb * Ghost members - modifications in memberof plugin * Ghost members - sysdb upgrade routine * Ghost members - NSS responder changes * Ghost members - removed sdap_check_aliases() * Ghost members - modified sss_groupshow * Ghost members - various small changes * Add support for filtering atributes * Utilize attribute exclusion in LDAP initgroups * Fixed setting of debug level in test suite * IPA subdomains - ask for information about master domain * Allow fast memcache timeout to be configurable * Fix an issue in ghost users * Provide "service filter" for SELinux context * Fixed debug message in sdap_save_group() * Fix possible segfault in sdap_save_group() * PAC responder: add some utility functions * PAC responder: test suite * Fix re_expression matching with subdomains * SELinux user maps: pick just one map * Fixed wrong number in shadowLastChange * Add function sysdb_attrs_copy_values() * Modify priority evaluation in SELinux user maps * Added some DEBUG statements into SELinux related code * Extend category support in SELinux user maps * Remove ipa_selinux_map_merge() * Fix linking of HBAC rules and SELinux user maps * Provide counter of possible matches in SELinux IPA provider * Always free request in data provider PAM callback * Renamed session provider to selinux provider * Move SELinux processing from session to account PAM stack * Remove unused member of be_req * Write SELinux config files in responder instead of PAM module * Modify hbac_get_cached_rules() so it can be used outside of HBAC code * Support fetching of HBAC rules from sysdb in SELinux code * Support fetching of host from sysdb in SELinux code * Primary server support: introduce concept of reconnection * Primary server support: basic support in failover code * Primary server support: support for "disconnecting" connections in LDAP * Primary server support: IPA adaptation * Primary server support: krb5 adaptation * Primary server support: LDAP adaptation * Primary server support: AD adaptation * Primary server support: man page, failover section * Primary server support: new option in ldap provider * Primary server support: new options in krb5 provider * Primary server support: new option in IPA provider * Primary server support: new option in AD provider Joshua Roys (1): * Simple implementation of Netscape password warning expiration control Marco Pizzoli (1): * Two manual pages fixes Michal Zidek (18): * Fixed: Unchecked return value from dp_opt_set_int. * Fixed: Uninitialized value in krb5_child-test if ccname was specified. * Added unit test for sysdb_ssh.c * Return value of fread in src/tools/sss_debuglevel.c no longer ignored. * Change default value of ldap_sasl_string to host/hostname@REALM in man page. * SRV resolution for backup servers should not be permitted. * When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside nesting limit. * Duplicate detection in fail over did not work. * Typo in debug message (SSSd -> SSSD). * Unify usage of sysdb transactions * Fix: IPv6 address with square brackets doesn't work. * Adding -std=gnu99 flag. * Unify usage of sysdb transactions (part 2). * LDB_ERR_INVALID_ATTRIBUTE_SYNTAX added to sysdb_error_to_errno. * SSSD fails to store users if any of the requested attribute is empty. * tools_util.h provides signal_sssd function. * sss_cache tool invalidates records in memory cache. * Bad debug message when no dns_discovery_domain specified. Nick Guay (4): * added DEBUG messages to krb5_child and ldap_child * Fix uninitialized values * First-boot sss_seed tool * remove duplicate sss_obfuscate reference in seealso manpage section Ondrej Kos (7): * Removed unused variable assignment * Replaced "id_max" & "id_min" * Backward GOTOs rewritten into do-while loops. * AD context was set to null due to type mismatch * Consolidation of functions that make realm upper-case * Out-of-bounds read fix in hmac-sha-1 * Add more debuginfo into ldap_child Pavel Březina (96): * Improve debug messages in sysdb_sudo_check_time() * SUDO responder: check if the input is a UTF-8 string * Refactor sss_result into sss_sudo_result * Redesign purging of the sudo cache * Honor case_sensitive option in sudo responder * Move sudo_dom_ctx.user to local variable * Hide --debug option in sss_debuglevel * Two memory leaks in sss_sudo_get_values * Missing debug message if sdap_sudo_refresh_set_timer fails * Use of unininitialized value in sudosrv_cache_set_entry and sudosrv_cache_lookup_internal * Use of unininitialized value in sss_sudo_parse_response * Potential NULL-dereference in sudosrv_cmd_get_sudorules * sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic() * Install and uninstall all documentation * fix copy and paste error in comment * Fix typo in debug message * sudo api: remove EOK * sudo responder: remove code duplication in commands * sudo responder: get rid of dctx where possible * sudo sysdb: make sysdb_get_sudo_user_info more configurable * sudo api: send uid, username and domainname * sudo responder: change protocol version to 1 * libsss_sudo: bump version to 2:0:1 * sudo responder: discard in-memory cache * sudo ldap provider: move async routines to sdap_async_sudo.c * sudo ldap provider: give sdap_sudo_refresh_send() search and purge filters * confdb: add entry_cache_sudo_timeout option * sudo ldap provider: add sysdb ctx in sdap_sudo_refresh_state * sudo ldap provider: add domain info in sdap_sudo_refresh_state * sudo ldap provider: add expiration time to each rule * sysdb: add getter/setter for last sudo full refresh time * sudo ldap provider: provide API for full refresh * sudo ldap provider: add support for on demand full refresh * sudo ldap provider: provide API for refresh of specific rules * sudo ldap provider: add support for on demand refresh of specific rules * sudo backend - support only on demand full refresh * sudo backend - add support for on demand refresh of specific rules * sudo provider: add ldap_sudo_full_refresh_interval * sudo provider: remove old timer * sudo ldap provider: add new timer API * sysdb: remove sudo_set/get_refreshed * sudo ldap provider: support periodical full refresh * ldap provider: add sudo usn value * sudo ldap provider: find highest USN * sudo ldap provider: add sdap_sudo_set_usn() * sudo ldap provider: remember highest usn after full refresh * sudo ldap provider: add smart refresh API * sudo ldap provider: when sysdb filter is NULL remove downloaded rules * sudo provider: add ldap_sudo_smart_refresh_interval * sudo ldap provider: add periodical smart refresh API * sudo ldap provider: support periodical smart refresh * sudo responder: new request enum type * sudo sysdb: add expiration time to the filter * sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache() * sudo responder: update dp interface * sudo responder: refresh expired rules * sudo ldap provider: return number of downloaded rules in sdap_sudo_refresh_recv() * sudo ldap provider: notify responder when an expired rule has been deleted * sudo responder: schedule OOB full refresh when expired rule is deleted * sudo: clean up * sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done() * sdap_sudo.c: move _recv after _done * sudo ldap provider: pass sudo_ctx instead of id_ctx * sudo: add host info options * sudo ldap provider: load host filter configuration on init * sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as static * sudo ldap provider: do per-host updates * sudo ldap provider: support autoconfiguration of IP addresses * sudo: manpage updated * resolv_gethostbyname_send: strdup hostname to work properly when hostname is allocated on stack * sudo test client: avoid SIGSEGV when run without arguments * sdap_sudo.c: add missing end of line in few debug messages * add hostid and subdomains sections in sssd-ipa.conf * manpage: seealso - include ssh conditionally * tests: allow changing cwd in all tests * manpage: sssd-sudo - documents how sudo works with sssd * sudo ldap provider: support autoconfiguration of hostnames * Unbreak SASL * tests: build sysdb ssh tests conditionally * shadow attributes can contain -1 * Add end of line to debug message * monitor: set debug level when unable to load configuration * Remove redefinition of some SYSDB_* macros * Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC * Remove SYSDB_SUDO_CACHE_OC from attribute lists * Fix LOCAL domain lookups * Close LDAP connection when unable to install TLS * Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext() * Remove compilation warning: ret may be uninitialized * Clean up cache on server reinitialization * netgroup: resolve hostgroup membership correctly * be_process_init(): free ctx on error * backend: initialize sudo only when it is enabled in services * Failover: use _srv_ when no primary server is defined * rpm: put localized sssd_krb5_locator_plugin manpages into client * sdap_add_incomplete_groups(): fix ret may be uninitialized warning Rambaldi (2): * heimdal: fix compile error in krb5-child-test * heimdal: use sss_krb5_princ_realm to access realm Shantanu Goel (4): * Set return errno to the value prior to calling close(). * Log message if close() fails in destructor. * Do not send SIGPIPE on disconnection * Add support for terminating idle connections Simo Sorce (31): * nss_group: Cache the result from sssd when the glibc provided buffer is too small. * pam_sss: keep selinux optional * Use the correct hash table for pending requests * util: Helper headers for shared memory cache * nsssrv: shared memory cache server initialization * nsssrv: Add memory cache record handling utils * nsssrv: add handling of memory cache passwd map * sss_client: Add common shared memory cache utils * sss_client: shared memory cache passwd map support * nsssrv: add handling of memory cache group map * sss_client: shared memory cache group map support * Do not leak file descriptors in client libs. * Add close on exec support for old platforms * Fix segfault when sudo is not configured. * Change subdomain_info * tests: Remove useless consts * 80 columns police * Fix double semi-colons * Fix wrong elements used in comparison * Use ldb_msg_add_string with bare strings * Fix return error and debug message * Make structure initializer more readable * 80 col and style fixes * Use a more tractable name for subdomain request * Add realm paramter to subdomain list * Expose an initializer function from subdomain * Change refreshing of subdomains * Limit refreshes keeping track of last refresh time * Add online callback to enumerate subdomains * Add automatic periodic retrieval of subdomains * Remove obsolete comment Stef Walter (10): * Fix erronous reference to the 'allow' access_provider * execv, excvp and exec_child never return EOK * If canon'ing principals, write ccache with updated default principal * Remove erroneous failure message in find_principal_in_keytab * Limit krb5_get_init_creds_keytab() to etypes in keytab * Clearer documentation for use_fully_qualified_names * Make re_expression and full_name_format per domain options * Move some debug lines to new debug log levels * Fix crash when interface doesn't have an address * Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8 Stephen Gallagher (178): * Set version to 1.9dev * Updating translatable strings for string freeze * Updating translations * Remove dead code * Fix missing NULL check after malloc * Avoid uninitialized value comparison * Add missing breaks to switch statements * Fix uninitialized in_transaction * Fix bad failure handling in be_sudo_handler() * Check for failure in sss_packet_grow() * Fix uninitialized value error in proxy provider * Ensure NULL-termination in get_uid_from_pid() * Move sss_ssh_* binaries to the main 'sssd' package * Always include all manpage XML files in the distribution tarball * Fix missing %endif in sssd.spec.in * NSS: Always return the same protocol that was requested * LDAP: Ignore group member users that do not have name attributes * RESPONDERS: Allow increasing the file-descriptor limit * RESPONDERS: Make the fd_limit setting configurable * Add tool to convert debug levels * IPA: Add ipa_parse_search_base() * LDAP: Properly assign orig_dn * LDAP: Only use paging control on requests for multiple entries * LDAP: Remove unnecessary filter sanitize * Eliminate build-time requirement for nscd * PAM: Don't send PAM_SYSTEM_INFO message if module unset * Fix typo in autofs option description * Include the debug_level upgrade tool in the tarball * Include new manpages in translations * Fix typo in script name * Handle cases where UID is -1 * IPA: Set the DNS discovery domain to match ipa_domain * IPA: Fix segfault with srchost functionality enabled * DP: Reorganize memory hierarchy of requests * Prune python provides correctly * Make RPM spec more explicit * Build experimental features by default in RPMs * Properly terminate GIT_CHECKOUT * LDAP: Make sdap_access_send/recv public * IPA: Check nsAccountLock during PAM_ACCT_MGMT * PROXY: Create fake user entries for group lookups * SSH: Fix missing semicolon * IPA: Initialize hbac_ctx to NULL * i18n: Remove empty translations * LDAP: Add AD 2008r2 schema * IPA: Allow service lookups * SYSDB: Save only lowercased aliases in case-insensitive domains * LDAP: Errors retrieving the RootDSE should not be fatal * NSS: Fix debug message * Start SSSD earlier and stop it later * LDAP: Add better error logging when ldap_result() fails * LDAP: Fix memory leaks in synchronous_tls_setup * BUILDSYS: Create common libs for LDAP and KRB5 sources * Put dp_option maps in their own file * Add terminator for dp_option * Add better dp_option tests * Add terminator for sdap_attr_map * Add better tests for sdap_attr compability * Remove old compatibility tests * Fix building manpages in parallel build dirs * Clean up log messages about keytab_name * MAN: Improve ldap_disable_paging documentation * MAN: Add ldap_sasl_minssf to the manpage * Fix linker issue with pam_sss * murmurhash: Relax inline requirement * Handle endianness issues on older systems * SYSDB: Handle upgrade script failures better * LDAP: Add objectSID config option * LDAP: Add id-mapping option * SYSDB: Add sysdb routines for ID-mapping * LDAP: Add helper routines for ID-mapping * LDAP: Add ID mapping range settings * LDAP: Initialize ID mapping when configured * LDAP: Enable looking up ID-mapped users by name * LDAP: Add autorid compatibility mode * LDAP: Allow setting a default domain for id-mapping slice 0 * LDAP: Add routine to extract domain SID from an object SID * LDAP: Allow automatically-provisioning a domain and range * LDAP: Enable looking up id-mapped users by UID * LDAP: Allow looking up ID-mapped groups by name * LDAP: Enable looking up id-mapped groups by GID * LDAP: Map the user's primaryGroupID * LDAP: Add helper routine to convert LDAP blob to SID string * LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped entries * LDAP: Add helper function to map IDs * LDAP: Treat groups with unmappable SIDs as non-POSIX groups * MAN: Add manpage for ID mapping * LDAP: Add support for enumeration of ID-mapped users and groups * SSSDConfigAPI: Fix missing option in tests * NSS: Add fallback_homedir option * NSS: Add default_shell option * SYSDB: Add better error logging to sysdb_set_entry_attr() * LDAP: Add attr_count return value to build_attrs_from_map() * LDAP: Handle very large Active Directory groups * Updating translations for 1.9.0 beta 1 release * Bumping version to 1.8.91 for 1.9.0 beta 1 release * Bumping version ton 1.8.92 for beta 2 development * RPM: Allow running 'make rpms' on RHEL 5 machines * NSS: Expire in-memory netgroup cache before the nowait timeout * Always use positional arguments in translatable strings * KRB5: Avoid NULL-dereference with empty keytab * Update translation sources * NSS: Fix segfault when mmap cache cannot be initialized * NSS: Restore original protocol for getservbyport * SSSDConfig: Make SSSDConfig a package * SSSDConfig: Make default config and schema file locations configurable * PAM: Better pam_reply message * SYSDB: Reduce noise level of debug messages in lookups * LDAP: Remove redundant check * LDAP: Fix incorrect switch statement in sdap_get_initgr_done() * LDAP: Add helper function to get list of a user's groups from sysdb * LDAP: Make sdap_initgr_common_store() non-static * LDAP: Add ldap_*_use_matching_rule_in_chain options * LDAP: Add support for AD chain matching extension in group lookups * LDAP: Add support for AD chain matching extension in initgroups * LDAP: Auto-detect support for the ldap match rule * LDAP: Fix missing variable in debug message * SSS_CLIENT: Fix uninitialized value error * Fix compilation on older little-endian systems * KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data * KRB5: Auto-detect DIR cache support in configure * KRB5: Avoid shadowing dirname * Updating translations for 1.9.0 beta 2 release * Bumping version to 1.9.0 beta 3 * Fix typo breaking DIR cache detection * Make the client idle timeout configurable * UTILS: Fix segfault due to sss_parse_name_for_domains * BUILD: Change default unicode library to glib2 * Update translations for 1.9.0 beta 3 release * Bumping version to 1.9.0 beta 4 * TESTS: Print messages when LDAP options do not match * DEBUG: Log to syslog if we are unable to open a debug fd * KRB5: Initialize the credential cache type properly * IPA: Don't hang onto memory longer than necessary * LDAP: Print extended failure message for SASL bind * MAN: Unify "SEE ALSO" sections * KRB5: Some logging enhancements for krb5_child * KRB5_LOCATOR: Print the filename that couldn't be opened * KRB5: Drop memctx parameter of krb5_try_kdcip * KRB5: Create a common init routine for krb5_child options * LDAP: Rename user and group maps for AD * AD: Add AD identity provider * AD: Add AD auth and chpass providers * AD: Add AD access-control provider * AD: Add AD provider to the spec file * AD: use krb5_keytab for validation and GSSAPI * AD: Add manpages and SSSDConfig entries * CONFDB: Add the ability to set a boolean value in the confdb * AD: Force case-insensitive operation in AD provider * Fix use-after-free * Fix uninitialized variable * Fix potential NULL-dereference * Fix potential NULL-dereference * Fix incorrect return value in tests * Fix potential NULL-dereference * Fix uninitialized value return * Fix uninitialized memcpy error * Avoid NULL-dereference in error-handling * Add missing return value check * Check for errors from krb5_unparse_name * Fix incorrect error-check * Fix segfault when using local provider * AD: Add missing DP option terminator * AD: Fix defaults for krb5_canonicalize * MAN: List all available backends for provider options * MAN: Improvements to the AD provider manpage * NSS: Add override_shell option * SYSDB: Add log message for unexpected LDB errors * SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider() * IPA: Do not attempt to close the same file twice * IPA: Securely set umask for mkstemp in subdomain provider * MAN: Fix minor typo in ldap_search_base section * MAN: Improve description of ldap_*_search_base options * SYSDB: Make sysdb_attrs_get_el_int() public * AD: autorid compatibility should recommend the use of default domain * AD: Detect domain controller compatibility version * AD: Optimize initgroups lookups with tokenGroups * AD: Handle sysdb lookup failure during tokenGroups processing Sumit Bose (40): * Use curly braces in pkgconfig metadata file * Keep sysdb context in domain info struct * Remove sysdb_get_ctx_from_list() * Always initialize the returned data in sss_krb5_princ_realm() * Add idmap library * Check sub-domains in nss_cmd_get{pwuid|grgid}_search() * data provider: added subdomains * IPA: Add get-domains target * Add domain name to get_account_info request * Add s2n extended operation * Allow different SID representations in libidmap * Fix typo in spec file * Fix endian issue in SID conversion * Rename struct dom_sid to struct sss_dom_sid * Fix libsss_hbac library version * sss_idmap: add support for samba struct dom_sid * sss_idmap: fix typo which prevents sub auth larger then 2^31 * PAC responder: add basic infrastructure * PAC responder: add the core functionality * PAC responder: support in spec file * PAC client: add basic support in common client code * PAC client: add krb5 authdata plugin * Add support for ID ranges * Add range support to PAC responder * Try to build PAC responder only if all dependencies are available * Build pac responder tests only if pac responder is build * Add man page section for the PAC responder * Set default for subdomain_homedir * Fix SSSDConfigTest for separate build directories * Set file descriptor limits in pac responder * Remove resource leak in sssdpac_import_authdata * Remove dead code in ipa_subdomains_handler_done() * pac responder: limit access by checking UIDs * Add python bindings for murmurhash3 * accept_fd_handler: add missing return * Fix fallback in validate_tgt() * Use new debug levels in validate_tgt() * Check flat names when searching for sub-domains as well * Add provider specific default regular expressions * Make subdomain discovery less noisy Ville Skyttä (1): * Require and call ldconfig from subpackages if appropriate Yuri Chornoivan (5): * fix typos in manual * Fix typo: retreiving->retrieving * Fix typos in message and man pages. * Fix typo: exhasution->exhaustion. * Fix various typos in documentation.

11 years, 7 months

2
2
0 / 0

[PATCH] RPM: Create ghost files during install

by Jakub Hrozek

My previous patch that ghosted the fastcache files broke the RPM build, because as Stephen noted, the old rpmbuild version shipped with RHEL5 requires that the ghost files must be present in the buildroot. A patch is attached.

11 years, 7 months

2
2
0 / 0

[PATCH] Detect LDAPDerefRes in configure script

by Jakub Hrozek

To test, remove the openldap24 RPMs on RHEL5 systems and attempt to build the SSSD. Without the patch, compilation fails because there's no LDAPDerefRes. With the patch, the build process fails during configure. https://fedorahosted.org/sssd/ticket/1317

11 years, 7 months

2
4
0 / 0

[PATCH] KRB5: Recover gracefully if the ccache file could not be reused

by Jakub Hrozek

https://fedorahosted.org/sssd/ticket/1384 I tested by logging in from one terminal, then chowning the ccache to root.root to make the existing ccache unusable by the krb5_child process and attempting to log in from another terminal. Without the patch, the second login would just fail. With the patch, the second login would succeed so the user can su or sudo and fix the permissions problem.

11 years, 7 months

2
3
0 / 0

[PATCH] Bad debug message when no dns_discovery_domain specified.

by Michal Židek

https://fedorahosted.org/sssd/ticket/920 The debug message was simplified and two new debug messages were added. Patch is attached. Michal

11 years, 7 months

2
1
0 / 0

[PATCH] SYSDB: Remove unnecessary domain parameter from several sysdb calls

by Jakub Hrozek

The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained. The second patch just changes void * to TALLOC_CTX * on several places.

11 years, 7 months

2
4
0 / 0

AUTOFS: Store entry objects below map objects

by Jakub Hrozek

[PATCH 1/5] AUTOFS: Do not fail if search base is not provided We need to fall back to rootDSE provided search base instead of failing [PATCH 2/5] AUTOFS: Add sysdb tests I knew I would be changing the sysdb interface so I coded up tests to avoid regressions [PATCH 3/5] AUTOFS: Add entry objects below map objects https://fedorahosted.org/sssd/ticket/1506 Changes how the new autofs entry objects are handled. Instead of creating the entry on the cn=autofs,cn=custom level, the entry is created below the map it belongs to. [PATCH 4/5] AUTOFS: Use both key and value in entry RDN This patch switches from using just key in the RDN to using both key and value. That is neccessary to allow multiple direct mounts in a single map. [PATCH 5/5] AUTOFS: convert the existing autofs entries during a sysdb upgrade The sysdb is upgraded to a new version to convert the existing entries to the new format.

11 years, 7 months

2
6
0 / 0

Re: [SSSD] [PATCH] sdap_get_ad_tokengroups_initgroups_lookup_done(): fix group_name may be uninitialized warning

by Stephen Gallagher

On Mon 24 Sep 2012 11:24:59 AM EDT, Stephen Gallagher wrote: > On Mon 24 Sep 2012 11:01:20 AM EDT, Pavel Březina wrote: >> Recent AD patches introduced another warning. >> >> If I read the code correctly it is safe to just initialize the >> variable to NULL. >> > > Nack, this would not be safe. We would then be attempting to > talloc_strdup() the NULL value at line 367. What is actually wrong > here is that the error check from sysdb_search_group_by_gid() needs to > fail if it returns anything but EOK or ENOENT, which I forgot to > include. Falling through below is bad. > > Thanks for catching that. Whoops, forgot to attach the patch.

11 years, 7 months

2
1
0 / 0

[PATCH] Make subdomain discovery less noisy

by Sumit Bose

Hi, this patch fixes https://fedorahosted.org/sssd/ticket/1517 by increasing some of the debug levels and print a log messages about the actual request only if the subdomain provider is configured. bye, Sumit

11 years, 7 months

3
7
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel September 2012