Odd "Timer Expired" Errors causing SSH login drops
by Caio James
Greetings,
I'm running a file transfer server inside of my business with some decent traffic (but not what I would call heavy traffic).
Users use SFTP to transfer files. A couple of times per day, one or two of my users (not all of them) experience issues logging in. These users are local users, not LDAP. /var/log/secure shows the following:
> Sep 18 08:17:04 radvma29 sshd[27378]: pam_unix(sshd:session): session opened for user wwbi by (uid=0)
> Sep 18 08:27:04 radvma29 sshd[27378]: pam_sss(sshd:session): Request to sssd failed. Timer expired
The user's connection is subsequently dropped, and they're not able to log in until sssd is restarted. The sssd log doesn't seem to show any anomaly.
I've got sssd scheduled to restart twice per day with cron, but the traffic is increasing and users are now experiencing this more frequently.
I'm running Oracle Linux 6.3.
> [root@radvma29 ~]# sssd --version
> 1.8.0
My sssd.conf is below. Note that we do connect to an LDAP server insecurely. We're working with our IT team to fix this but it's a few months away:
> [sssd]
> config_file_version = 2
> services = nss, pam
> debug_level = 5
> domains = default
>
> [nss]
>
> [pam]
> cache_credentials = true
>
> [domain/default]
> ldap_auth_disable_tls_never_use_in_production = true
> access_provider = simple
> auth_provider = ldap
> chpass_provider = ldap
> cache_credentials = True
> krb5_realm = EXAMPLE.COM
> ldap_search_base = dc=mybusiness,dc=com
> id_provider = ldap
> ldap_uri = ldap://od.mybusiness.com/
> krb5_kdcip = kerberos.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
Thank you for any direction that you can point me.
Caio
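Two checks a defender could run against the situation described in the post above, added here as example code that is not part of the original message: the first correlates each pam_sss "Request to sssd failed" line in /var/log/secure with the sshd session that hit it (joined on the sshd PID) and reports the user and how long the PAM stack hung; the second lints an sssd.conf for the insecure-auth flag and the cleartext ldap:// scheme visible in the posted configuration. The sample log lines are constructed from the excerpt in the post (the second session, PID 30111 / user alice, is made up), and the line parser assumes the default syslog layout shown there.

```python
import re
from datetime import datetime

# Constructed sample modelled on the /var/log/secure excerpt in the post: the
# radvma29 / PID 27378 / user wwbi lines come from the post, the second
# session (PID 30111, user alice) is made up to show a healthy login.
SAMPLE_SECURE = """\
Sep 18 08:17:04 radvma29 sshd[27378]: pam_unix(sshd:session): session opened for user wwbi by (uid=0)
Sep 18 08:17:05 radvma29 sshd[30111]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Sep 18 08:27:04 radvma29 sshd[27378]: pam_sss(sshd:session): Request to sssd failed. Timer expired
Sep 18 08:27:05 radvma29 sshd[30111]: pam_unix(sshd:session): session closed for user alice
"""

# Trimmed copy of the sssd.conf from the post, quoted as it appeared in the mail.
SAMPLE_CONF = """\
> [sssd]
> services = nss, pam
> domains = default
>
> [pam]
> cache_credentials = true
>
> [domain/default]
> ldap_auth_disable_tls_never_use_in_production = true
> auth_provider = ldap
> id_provider = ldap
> ldap_uri = ldap://od.mybusiness.com/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(sshd:(?P<phase>\w+)\): (?P<msg>.*)$"
)
OPEN_RE = re.compile(r"session opened for user (?P<user>\S+)")
SSSD_FAIL = "Request to sssd failed"
INSECURE_AUTH = "ldap_auth_disable_tls_never_use_in_production"


def parse_line(line, year=1900):
    """Split one sshd line from /var/log/secure into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; only the deltas matter for this report
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def find_sssd_timeouts(lines, year=1900):
    """One record per pam_sss 'Request to sssd failed' line, joined on the sshd
    PID to the preceding 'session opened' line so it names the user and says
    how many seconds the PAM stack hung before giving up."""
    opened = {}  # sshd pid -> (user, time the session was opened)
    hits = []
    for raw in lines:
        rec = parse_line(raw, year)
        if rec is None:
            continue
        om = OPEN_RE.search(rec["msg"])
        if om:
            opened[rec["pid"]] = (om.group("user"), rec["ts"])
        elif rec["module"] == "pam_sss" and SSSD_FAIL in rec["msg"]:
            user, t_open = opened.get(rec["pid"], (None, None))
            hits.append({
                "pid": rec["pid"],
                "user": user,
                "phase": rec["phase"],
                "reason": rec["msg"].split(". ", 1)[-1],
                "hang_seconds": (rec["ts"] - t_open).total_seconds() if t_open else None,
            })
    return hits


def audit_sssd_conf(text):
    """Flag settings that weaken transport security or sit in the wrong section.
    Accepts the '> ' mail-quoted form the post used as well as a plain file."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == INSECURE_AUTH and value.lower() == "true":
            findings.append(f"[{section}] {key} = true: passwords go to LDAP without TLS")
        elif key == "ldap_uri" and value.lower().startswith("ldap://"):
            findings.append(f"[{section}] ldap_uri uses cleartext ldap://; use ldaps:// "
                            "or set ldap_id_use_start_tls = true")
        elif key == "cache_credentials" and section == "pam":
            findings.append("[pam] cache_credentials is a [domain/*] option; it has no effect here")
    return findings
```

Running `find_sssd_timeouts` over a real /var/log/secure groups the failures by user and PID, which is what tells you whether only a few users (as in the post) or every session is hitting the sssd timeout.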
Announcing SSSD 1.9.0
by Jakub Hrozek
=== SSSD 1.9.0 ===
The SSSD team is proud to announce the release of the System Security
Services Daemon version 1.9.0.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
=== New Features ===
* Add a new AD provider to improve integration with Active Directory 2008
R2 or later servers
- Support for ID-mapping when connecting to Active Directory
- Support for handling very large (> 1500 users) groups in Active Directory
* The SSSD is able to act as an IPA client in cases where the IPA server
has established a trust setup with an Active Directory server
- Support for sub-domains for dealing with trust relationships
- Add a new PAC responder for dealing with cross-realm Kerberos trusts
- The IPA authentication provider now supports subdomains
- In scenarios where the SSSD is acting as an IPA client, it is able
to discover and save the DNS domain-Kerberos realm mappings between an
IPA server and a trusted Active Directory server.
* Add a new fast in-memory cache to speed up lookups of cached data on
repeated requests
* Many fixes for the support for setting default SELinux user context from
FreeIPA, most notably fixed the specificity evaluation
* Add support for the Kerberos DIR cache for storing multiple TGTs automatically
* SUDO integration was completely rewritten. The new implementation works
with multiple domains and uses an improved refresh mechanism to download
only the necessary rules
* The SSSD supports the concept of a Primary Server and a Backup
Server. If the SSSD switches to a backup server because a primary server
is not available, it would later try to re-establish a connection to the
primary server.
* Add native support for autofs to the IPA provider
* A new command-line tool sss_seed is available. This tool is able to
prime the internal cache with a user record and a cached password to
support the scenario when a user needs to log in to the client before
the network connection to the centralized identity source is established,
such as the first log in to a new machine.
* A new option, override_shell was added. If this option is set, all users
managed by SSSD will have their shell set to its value.
=== Important Fixes and Enhancements ===
* Major performance enhancement when storing large groups in the cache
* Major performance enhancement when performing initgroups() against Active Directory
* Terminate idle connections to the NSS and PAM responders
* The shadowLastChange attribute value is now correctly updated with the
number of days since the Epoch, not seconds
* Mutexes in the nss_sss module are now released correctly if one thread
in a multithreaded application is cancelled while the mutex is locked
* The fail over code works correctly when the IPA provider is not able to
establish a GSSAPI-encrypted connection to an IPA server
* The SSSD correctly accepts -1 as a valid value of the shadow attributes
* When the SSSD is unable to resolve a host name, it tries the next
configured server now instead of going offline
* The default SELinux login context for IPA users was changed to unconfined_t
when there are no rules on the server
* A file descriptor leak in cases the SSSD was unable to establish SSL
connection to an LDAP server was fixed
* Potential crash when one of two parallel requests would expire the list
of servers resolved from a SRV query
* Fixed a crash that occurred when a service was requested by both name
and protocol
=== Packaging Changes ===
* SSSDConfig data file default locations can now be set during configure
for easier packaging
* Switch from libunistring to glib2 for unicode support
* A new Python wrapper around the murmur hash library has been introduced. It
is only useful to the FreeIPA server at the moment.
* A new binary, called sss_seed, is available. The binary is installed to
/usr/sbin/sss_seed by default and includes its own manual page.
* The SSSD uses a new directory to store the DNS domain - Kerberos realm
mappings. The default location is /var/lib/sss/pubconf/krb5.include.d
== Tickets fixed ==
https://fedorahosted.org/sssd/ticket/1331
Off-by-one error in sss_hmac_sha1
https://fedorahosted.org/sssd/ticket/1364
[abrt] sssd-1.8.3-11.fc16: set_server_common_status: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1438
SSSD crashes at boot time
https://fedorahosted.org/sssd/ticket/1452
Authentication fails if kpasswd cannot be resolved
https://fedorahosted.org/sssd/ticket/1454
if allocation fails, sss_mmap_cache_init may dereference NULL pointer
https://fedorahosted.org/sssd/ticket/1458
Full sudo refresh is scheduled even if there is no sudo responder
https://fedorahosted.org/sssd/ticket/1466
Proxy: Cannot retrieve a user after a group he is a member of was retrieved
https://fedorahosted.org/sssd/ticket/1467
enumeration is broken in the proxy provider
https://fedorahosted.org/sssd/ticket/1479
Hbac logs show wrong rule name granting access
https://fedorahosted.org/sssd/ticket/1486
[abrt] sssd-1.8.4-14.fc17: sss_ldap_init_send: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1496
[abrt] sssd-1.8.4-14.fc17: ldap_pvt_sasl_getmechs: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1505
sudo with sss backend should use ipa_hostname
https://fedorahosted.org/sssd/ticket/1509
libsss_sudo is not updated when yum update sssd is called
https://fedorahosted.org/sssd/ticket/1513
Change the processing of the SELinux default map
https://fedorahosted.org/sssd/ticket/1515
pam_sss report System Error on wrong password
https://fedorahosted.org/sssd/ticket/1516
krb5_mod_ccname should cancel the transaction at one place only
https://fedorahosted.org/sssd/ticket/1519
membership of IPA hostgroups is not evaluated when treating them as netgroups
https://fedorahosted.org/sssd/ticket/734
on reconnect we need to detect that a ipa/ds server has been reinitialized
https://fedorahosted.org/sssd/ticket/1156
Do not use "goto" to jump backwards in the proxy code
https://fedorahosted.org/sssd/ticket/1194
when nesting limit is reached, the LDAP provider tries to establish link to members outside the nesting limit
https://fedorahosted.org/sssd/ticket/1345
sssd does not warn into sssd.log for broken configurations
https://fedorahosted.org/sssd/ticket/1365
ipv6 address with square brackets doesn't work for krb5_server
https://fedorahosted.org/sssd/ticket/1388
domain.remove_provider() does not work
https://fedorahosted.org/sssd/ticket/1390
Add support for nested automount maps
https://fedorahosted.org/sssd/ticket/1393
shadow attributes should accept -1
https://fedorahosted.org/sssd/ticket/1396
Kerberos validation algorithm is insufficient for cross-realm trusts
https://fedorahosted.org/sssd/ticket/1415
Group lookups no longer work when fastcache cannot be initialized
https://fedorahosted.org/sssd/ticket/1416
sssd_be crashes on using inappropriate keytab file
https://fedorahosted.org/sssd/ticket/1430
Password change prompt doesn't appear when "User must change password on next logon" is set for an AD user.
https://fedorahosted.org/sssd/ticket/1436
LOCAL domain lookups don't work
https://fedorahosted.org/sssd/ticket/1446
sssd does not try another server when unable to resolve hostname
https://fedorahosted.org/sssd/ticket/1447
Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection
https://fedorahosted.org/sssd/ticket/1453
proxy provider: value stored to status is never read in get_pw_name
https://fedorahosted.org/sssd/ticket/1455
SELinux code must fall back to default only if there are no rules on the server
https://fedorahosted.org/sssd/ticket/1456
Attempt to close the same file stream twice
https://fedorahosted.org/sssd/ticket/1457
Insecure temporary file in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1459
SRV servers are always marked as back up
https://fedorahosted.org/sssd/ticket/1460
SSSD thread issue can cause the application to not get any identity information
https://fedorahosted.org/sssd/ticket/1470
FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
https://fedorahosted.org/sssd/ticket/1472
Duplicate detection in fail over does not work
https://fedorahosted.org/sssd/ticket/1478
ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf
https://fedorahosted.org/sssd/ticket/1480
1.9.0b6 does not build with SELinux disabled
https://fedorahosted.org/sssd/ticket/1488
Segfault in IPA subdomain provider
https://fedorahosted.org/sssd/ticket/1490
SSSD does not close TCP connections when SSL fails
https://fedorahosted.org/sssd/ticket/1491
Consolidate functions that make a realm upper-case
https://fedorahosted.org/sssd/ticket/1492
There is no /etc/selinux/targeted/logins on RHEL5
https://fedorahosted.org/sssd/ticket/1500
SSSD's default ccache location needs to be updated (again), and the man pages should reflect it
https://fedorahosted.org/sssd/ticket/904
Create tool to seed a user for first-boot
https://fedorahosted.org/sssd/ticket/1087
RFE: Allow Forcing User Shell
https://fedorahosted.org/sssd/ticket/1128
Introduce the concept of a Primary Server in SSSD
https://fedorahosted.org/sssd/ticket/1185
[Feature] AD Extensions
https://fedorahosted.org/sssd/ticket/1318
RFE: make the NSS memory cache timeout configurable
https://fedorahosted.org/sssd/ticket/1368
Missing hostid and subdomains sections in sssd-ipa.conf
https://fedorahosted.org/sssd/ticket/1380
domain_realm mappings manipulation by sssd
https://fedorahosted.org/sssd/ticket/1418
document how sudo works with sssd
https://fedorahosted.org/sssd/ticket/1420
sudo: provide automatic configuration of machine hostnames
https://fedorahosted.org/sssd/ticket/1427
Don't refresh HBAC rules when looking up SELinux rules
https://fedorahosted.org/sssd/ticket/1429
IPA session code returns error when SELinux mapping rule links to an HBAC rule
https://fedorahosted.org/sssd/ticket/1432
Mention AD Provider in manpage of sssd.conf
https://fedorahosted.org/sssd/ticket/1433
Suggested additions to manpage of sssd-ad
https://fedorahosted.org/sssd/ticket/1435
SELinux specificity does not work with HBAC rules
https://fedorahosted.org/sssd/ticket/1439
sss_pam needs to write out SELinux login file during the account phase
https://fedorahosted.org/sssd/ticket/1445
The SELinux login file needs to be created by the responder, not PAM module
https://fedorahosted.org/sssd/ticket/1448
sss_seed tool review issues
https://fedorahosted.org/sssd/ticket/1360
format of file for pam_selinux is incorrect
https://fedorahosted.org/sssd/ticket/1379
Possible use of uninitialized values
https://fedorahosted.org/sssd/ticket/1395
SELinux rule matching ignores specificity requirement
https://fedorahosted.org/sssd/ticket/1417
Several unowned directories
https://fedorahosted.org/sssd/ticket/1419
sssd incorrectly sets shadowLastChange in seconds not days
https://fedorahosted.org/sssd/ticket/1421
selinux rules are never deleted from sysdb
https://fedorahosted.org/sssd/ticket/1422
When ldap_sasl_minssf is assigned large values, an appropriate error message should be logged in the sssd_DOMAIN log
https://fedorahosted.org/sssd/ticket/1431
Set "krb5_canonicalize = False" for password change to work
https://fedorahosted.org/sssd/ticket/1239
[RFE] sudo: send username and uid while requesting default options
https://fedorahosted.org/sssd/ticket/1299
Per domain formats for qualified user names
https://fedorahosted.org/sssd/ticket/1352
[RFE] Add the subdomain functionality to IPA auth provider
https://fedorahosted.org/sssd/ticket/1377
[RFE] Add AD provider
https://fedorahosted.org/sssd/ticket/1382
pac responder interface needs checks
https://fedorahosted.org/sssd/ticket/1385
heimdal: compile time difference
https://fedorahosted.org/sssd/ticket/1398
Dependency issue while "yum update libsss_sudo"
https://fedorahosted.org/sssd/ticket/1403
Combine keytab options for AD provider
https://fedorahosted.org/sssd/ticket/1404
AD provider should default to case-insensitive operation
https://fedorahosted.org/sssd/ticket/1407
Revert sssd patch for limiting enctypes to keytab
https://fedorahosted.org/sssd/ticket/1409
Resource leak in sssdpac_import_authdata
https://fedorahosted.org/sssd/ticket/1410
Dead code in ipa_subdomains_handler_done()
https://fedorahosted.org/sssd/ticket/1412
Starting SSSD with a domain using the LOCAL provider segfaults the responders
https://fedorahosted.org/sssd/ticket/1163
[Feature] SSSD AD Integration Feature (Cross Realm Kerberos Trusts)
https://fedorahosted.org/sssd/ticket/1354
Add support for terminating idle connections in sssd_nss
https://fedorahosted.org/sssd/ticket/1383
sssd_nss segfaults performing netgroup lookups without a specified domain
https://fedorahosted.org/sssd/ticket/974
[RFE] Support DIR: credential caches for multiple TGT support
https://fedorahosted.org/sssd/ticket/984
RFE: sssd should support Netscape LDAP password expiration controls
https://fedorahosted.org/sssd/ticket/1213
Warn to syslog when dereference requests fail
https://fedorahosted.org/sssd/ticket/1240
sudo: contact data provider only once
https://fedorahosted.org/sssd/ticket/1255
RFE: change the way we deal with fake users
https://fedorahosted.org/sssd/ticket/1256
Document the expectations about ghost users showing in the lookups
https://fedorahosted.org/sssd/ticket/1330
Potential NULL dereference in sss_krb5_read_etypes_for_keytab
https://fedorahosted.org/sssd/ticket/1336
Please only use named parameters in translatable strings
https://fedorahosted.org/sssd/ticket/1337
Minor typos in SSSD messages and man pages
https://fedorahosted.org/sssd/ticket/1346
in-memory cache causes nss to segfault if it cannot be initialized properly
https://fedorahosted.org/sssd/ticket/1367
Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN
https://fedorahosted.org/sssd/ticket/357
SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides
https://fedorahosted.org/sssd/ticket/783
Support range retrievals
https://fedorahosted.org/sssd/ticket/887
Implement mechanism to fetch and store domain info
https://fedorahosted.org/sssd/ticket/917
Document sss_tools better
https://fedorahosted.org/sssd/ticket/949
Filter out inappropriate IP addresses from IPA dynamic DNS update
https://fedorahosted.org/sssd/ticket/996
RFE: Allow Constructing uid from Active Directory objectSid
https://fedorahosted.org/sssd/ticket/1031
[RFE] Implement "AD friendly" schema mapping
https://fedorahosted.org/sssd/ticket/1064
Sub-Domains: define new get_domains method
https://fedorahosted.org/sssd/ticket/1065
Sub-Domains: implement new get_domains method in IPA provider
https://fedorahosted.org/sssd/ticket/1067
Sub-Domains: add new get_domains method to responders
https://fedorahosted.org/sssd/ticket/1114
get_uid_from_pid() performs an improper read
https://fedorahosted.org/sssd/ticket/1119
Monitor SIGKILL time should be configurable
https://fedorahosted.org/sssd/ticket/1140
RFE Request for including pam_pwd_expiration_warning = 0 in sssd.conf
https://fedorahosted.org/sssd/ticket/1170
sss_cache should support invalidating services and autofs maps
https://fedorahosted.org/sssd/ticket/1172
Bad check for id_provider=local and access_provider=permit
https://fedorahosted.org/sssd/ticket/1174
sssd.conf has wrong defaults for the "command" parameter
https://fedorahosted.org/sssd/ticket/1176
SSH: Add dp_get_host_send to common responder code
https://fedorahosted.org/sssd/ticket/1181
Typos in sssd manual
https://fedorahosted.org/sssd/ticket/1203
Hash the hostname/port information in the known_hosts file.
https://fedorahosted.org/sssd/ticket/1209
Convert all read and write loops to use atomic I/O function
https://fedorahosted.org/sssd/ticket/1233
Memory leak in sss_sudo_send_recv_generic
https://fedorahosted.org/sssd/ticket/1250
Add default home directory mapping
https://fedorahosted.org/sssd/ticket/1271
Stop using HTML_FOOTER_DESCRIPTION in doxygen docs
https://fedorahosted.org/sssd/ticket/1281
Add unit test for compatibility of ldap options between schemas
https://fedorahosted.org/sssd/ticket/1289
Create a way to define a default shell for cases when there is no shell
https://fedorahosted.org/sssd/ticket/1297
Use keytab to select etypes for krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1298
Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()
https://fedorahosted.org/sssd/ticket/1301
sss_cache does nothing when executed without any options.
https://fedorahosted.org/sssd/ticket/1305
sss_cache should return a warning/error while validating unknown user/group
https://fedorahosted.org/sssd/ticket/1306
sss_cache should return an error, when executed against inactive domains
https://fedorahosted.org/sssd/ticket/1313
exec_child, execv and friends don't return success
https://fedorahosted.org/sssd/ticket/1316
kpasswd server status set to working when Kerberos auth succeeds
== Detailed Changelog ==
Ariel Barria (6):
* Bad check for id_provider=local and access_provider=permit
* Potential NULL dereference in proxy provider
* Warn to syslog when dereference requests fail
* Clarify how comments work in sssd.conf
* SIGUSR2 should force SSSD to reread resolv.conf as well
* Missing resolv.conf should be non-fatal
George McCollister (1):
* libcrypto fully implemented
Jakub Hrozek (205):
* Fix SSH compilation on RHEL5
* AUTOFS: IPA provider
* Two sssd-ldap manual pages fixes
* Fix group enumeration
* Only fetch SELinux string if the user is found
* Remove setent structure when callback is called
* Allocate setent structure on state, not on the client context
* Fix memory hierarchy when processing nested group memberships
* Fix case insensitive service lookups
* Include the fd_limit configuration option
* End request if ldap_parse_result fails
* remove unused function
* Save errno value before calling DEBUG
* libnl: fix the path to phy80211 subdirectory
* AUTOFS: Invoke implicit setautomntent if needed
* AUTOFS: Search all search bases for automounter map entries
* AUTOFS: speed up the client by requesting multiple entries at once
* Use proper errno code
* Only do one cycle when resolving a server
* krb5_child: set debugging sooner
* Search netgroups by alias, too
* Detect cycle in the fail over on subsequent resolve requests only
* Autofs: operate on contents of double-pointer, not address
* Only free returned values on success
* Save original name into the in-memory cache
* Handle errors from lookup_netgr_step gracefully
* Fix nested groups processing
* Fix netgroup error handling
* Handle empty elements in proxy netgroups
* Fix uninitialized variable
* Free entry found in negative cache
* Make the string_equal() function public
* Save alias of the primary name, too
* NSS: Look for services with correct case when cache is updated
* AUTOFS: fix copy-and-paste bug in the autofs client
* LDAP services: Keep the protocol around
* Silence Coverity warning in the autofs test tool
* Return correct resolv_status on resolver timeout
* Add sss_get_cased_name_list utility function
* LDAP services: Save lowercased protocol names in case-insensitive domains
* Proxy services: Save lowercased protocol names and aliases in case-insensitive domains
* Fix off-by-one error in principal selection
* Catch cases where D-Bus connection is NULL
* Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
* Fix regression in SSSDConfig.py
* netlink integration: ensure that interface name is NULL-terminated
* Remove forgotten DEBUG message
* autofs: load the correct option
* man: document that referral chasing might bring performance penalty
* Prevent printing NULL from DEBUG messages
* Do not call sdap_auth if not needed
* pam_sss: improve error handling in SELinux code
* Remove the "command" option from documentation
* Add sysdb_set_service_attr and sysdb_set_autofsmap_attr
* sss_cache: support invalidating services and autofs maps
* autofs: Raise the maximum key length to PATH_MAX
* sss_cache: Better error reporting
* MAN: timeout can be specified for services, too
* MAN: document the hostid and autofs providers
* proxy: Canonicalize user and group names
* proxy: new option proxy_fast_alias
* Free controls in sdap_rebind_proc
* Make the monitor SIGKILL time configurable
* sdap_check_aliases must not error when it detects the same user
* sss_atomic_io: Do not fail reads with EPIPE if there is not enough data to read
* Move atomic io function to a separate module
* Convert read and write operations to sss_atomic_read
* Document sss_tools better
* Warn on 'make update-po' if there are manpages not listed in po4a.cfg
* Test RFC2307bis and RFC2307 option maps
* Get the RootDSE after binding if not successful before
* Lowercase group members in case-insensitive domains
* NSS: Only return data from initgroups once
* SUDO: Return ret, not EOK
* SYSDB: return EOK if empty message is passed into get_rm_msg
* SYSDB: check return value
* SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain
* SERVER: use the correct return code of sss_atomic_write_s
* LDAP: check return value of sysdb_attrs_get_el
* RESPONDER: check return value from confdb_get_int
* PYHBAC: Return NULL on failure
* PAM_SSS: report error code if write fails
* NSS: Check return code of sss_mmap_cache_gr_store
* IPA netgroups: return EOK when there are no netgroups to process
* ipa_get_config_send: remove unused assignment
* HBAC: Prevent NULL dereference in hbac_evaluate
* DP: return correct error message when subdomains back end target is not configured
* NSS: fix returning group from cache
* SSS_DEBUGLEVEL: silence analyzer warnings
* PROXY: return correct return codes
* IPA: Check return values
* AUTOFS: remove unused assignments
* Rename split_service_name_filter
* SSH: Add dp_get_host_send to common responder code
* Read sysdb attribute name, not LDAP attribute map name
* Kerberos locator: Include the correct krb5.h header file
* Special-case LDAP_SIZELIMIT_EXCEEDED
* krb5 locator: Do not leak addrinfo
* Only reset kpasswd server status when performing a chpass operation
* Try all KDCs when getting TGT for LDAP
* Send the correct enumeration request
* subdomains: Fix error handling in Data Provider
* Filter out IP addresses inappropriate for DNS forward records
* sysdb: return proper error code from sysdb_sudo_purge_all
* SYSDB: Handle user and group renames better
* NSS: keep a pointer to body after body is reallocated
* Use sized_string correctly in FQDN domains
* Use the sysdb attribute name, not LDAP attribute name
* LDAP nested groups: Do not process callback with _post deep in the nested structure
* Send 16bit protocol numbers from the sss_client
* Revert the client packet length, too, after reverting the packet protocol
* Fix the default sssd.conf path
* Fix the 0.11 sysdb upgrade
* sss_names_init: Report correct error code if allocation failed
* Two small krb5_child fixes
* Provide more debugging in krb5_child and ldap_child
* Allow redefining the KRB5_CHILD path
* Split parse_krb5_child_response so it can be reused
* Add a krb5_child test tool
* Residual util functions
* Handle trailing slash in the ccname template
* Add a credential cache back end structure
* Add support for storing credential caches in the DIR: back end
* Use Kerberos context in KRB5_DEBUG
* Make krb5_ccname_template and krb5_ccachedir configurable
* Print based on pointer contents not address
* Cast uid_t to unsigned long long in DEBUG messages
* Update translations for 1.9.0 beta 4 release
* Bumping version to 1.9.0 beta 5
* Add newline to DEBUG messages
* RPM: Own several directories
* Add missing "%" to specfile
* IPA: Download defaults even if there are no SELinux mappings
* SYSDB: Delete SELinux mappings
* IPA: Return and save all SELinux rules in the provider
* PAM: Fix off-by-one-error in the SELinux session code
* Update translations for 1.9.0 beta 5 release
* Bumping version to 1.9.0 beta 6
* Fix sysdb_search_selinux_usermap_by_username return value
* Fix SSSDConfigTest
* Fix bad check
* Create a domain-realm mapping for krb5.conf to be included
* Update translations for 1.9.0 beta 6 release
* Bumping version for the 1.9.0 release
* Don't call fo_set_{server,port}_status for SRV servers
* Fix the version number
* SYSDB: Check the return value
* SYSDB: Use ldb_msg_add_string for simple string additions
* Failover: Return last tried server if it's still being tried
* Subdomains: Send the DP reply in the correct format
* Always mark SRV servers as primary
* Allocate on top of a talloc context, not NULL
* Abort PAM access phase if HBAC does not return PAM_SUCCESS
* Change default for ldap_idmap_range_min to 200000
* Don't use server after SRV data collapsed
* Document entry_cache_autofs_timeout
* Add autofs-related options to configAPI
* sss_client: Group lookups should work even when fastcache cannot be initialized
* FO: Don't retry the same server if it's not working
* FO: Return EAGAIN if there are more servers to try
* KRB5: Only return PAM error for unreachable kpasswd when performing chpass
* Build SELinux code in responder conditionally
* Do not try to remove the temp login file if already renamed
* Only create the SELinux login file if there are mappings on the server
* Fix compilation error in Python murmurhash bindings
* Process all groups from a single nesting level
* Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
* RPM: Switch the default ccache location
* RPM: Always include the patch file
* Check if the SELinux login directory exists
* SYSDB: Commit transaction in sysdb_store_user
* SYSDB: Abort unit test if sysdb_getpwnam fails
* Retry the next server if bind during LDAP auth times out
* Don't terminate the same connection twice
* Update translations for 1.9.0 beta 7 release
* Bumping version for the 1.9.0 beta 7 release
* libsss_sudo should have a versioned dependency on SSSD
* KRB5: cancel the sysdb transaction on one place only
* KRB5: Return PAM_AUTH_ERR on incorrect password
* RPM: BuildRequire selinux-policy-targeted
* SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains}
* KRB5: Add a missing string argument
* NSS: Fix off-by-one error in parse_getservbyname
* FO: Check server validity before setting status
* DB: Always write the SELinux object to sysdb
* SELinux: Always use the default if it exists on the server
* Updating the translations for the 1.9.0 RC1 release
* Updating the version for the RC1 release
* KRB5 child: Don't return System Error on empty password
* KRB5 child: handle more error codes gracefully
* DB: Cancel transaction in sysdb_store_user if sysdb_add_user fails
* Mark the fastcache files in the spec file as %ghost
* autofs, sudo, ssh and PAC are not experimental anymore
* AUTOFS: Do not fail if search base is not provided
* AUTOFS: Add sysdb tests
* AUTOFS: Add entry objects below map objects
* AUTOFS: Use both key and value in entry RDN
* AUTOFS: convert the existing autofs entries during a sysdb upgrade
* SYSDB: Remove unnecessary domain parameter from several sysdb calls
* DB: Use TALLOC_CTX for talloc context
* KRB5: Recover gracefully if the ccache file could not be reused
* Detect LDAPDerefRes in configure script
* RPM: Create ghost files during install
* Set the version number to 1.9.0 for the release
* Updating translations for the 1.9.0 release
Jan Cholasta (29):
* Add methods for activating and deactivating services to SSSDConfig
* Add ssh service to sssd.api.conf
* SSH: Verify that names received from client are valid UTF-8 in responder
* SSH: Build man pages conditionally
* SSH: Save SSH host name aliases
* SSH: Refactor responder and client common code
* UTIL: Add function for atomic I/O
* SSH: Continue connecting to SSH server even when SSSD is not running in sss_ssh_knownhostsproxy
* SSH: Manage global known_hosts file in the responder
* SSH: Don't abort known_hosts update when host search fails
* SSH: Add more debugging messages
* SSH: Add missing break statements to sss_ssh_format_pubkey
* SSH: Use fchmod instead of chmod on known_hosts file
* SSH: Replace blocking getaddrinfo call in the responder with asynchronous resolver code
* SSH: Remove unused --file option of sss_ssh_knownhostsproxy
* SSH: Update sss_ssh_knownhostsproxy manual page
* Include missing source files to the list of source files which contain translatable strings
* SSH: Allow clients to explicitly specify host alias
* SSH: Canonicalize host name and do reverse DNS lookup in sss_ssh_knownhostsproxy
* SSH: Fix infinite loop in sss_ssh_knownhostsproxy
* UTIL: Add HMAC-SHA-1 function
* SSH: Add support for hashed known_hosts
* SSH: Update sss_ssh_knownhostsproxy manual page
* SSH: Suppress error message output in sss_ssh_knownhostsproxy
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
* SSH: Return error code in SSH utility functions
* SSH: Simplify public key formatting function
* SSH: Add support for OpenSSH-style public keys
* SSH: Fix possible infinite loop when updating known_hosts
Jan Engelhardt (1):
* build: resolve link failure
Jan Vcelak (1):
* LDAP: Properly cast type for MINSSF value
Jan Zeleny (87):
* Fixed issue with netgroup update in IPA provider
* Don't give memory context in confdb where not needed
* IPA hosts refactoring
* SELinux related attributes added to config API
* Delete missing attributes from netgroups to be stored
* Modifications to simplify list_missing_attrs
* Fix the script path
* Fixed uninitialized pointer in SSH known host proxy
* Fixed uninitialized pointer in SSH authorized keys client
* Add umask before mkstemp() call in SSH responder
* Fixed resource leak in ssh client code
* Removed a block of dead code in sdap_async_groups.c
* Removed unused block of code in sdap_fill_memberships()
* Removed unused function sysdb_attrs_users_from_ldb_vals()
* Fixed memory context in sdap_fill_memberships()
* Fixed minor memory leak in ldap provider
* Sysdb routines for subdomains
* Add some utility functions for subdomains
* Add conn_name to allow different names for domains and connections
* Responder part of the subdomain retrieval work
* Modified responder_get_domain()
* Retrieve subdomains if there is a request for fully qualified user
* Ask for subdomains in responder in the first request after startup
* New config option for subdomains
* Moved expand_homedir_template() from NSS responder to utility code
* Add ID operations in subdomains
* Send PAM requests for subdomains to the right provider
* Basic support for subdomains in auth provider
* Carry sysdb context and domain info in be_req structure
* Accept be_req instead of be_ctx in LDAP access provider
* Detect subdomain request in IPA access provider
* Utilize sysdb context within be_req in HBAC
* Two fixes in responder subdomain code
* Modify behavior of pam_pwd_expiration_warning
* Fixed two minor memory leaks
* Fixed issue in SELinux user maps
* Ghost members - add the ghost attribute to sysdb
* Ghost members - support in LDAP provider
* Ghost members - support in proxy provider
* Ghost members - modifications in sysdb
* Ghost members - modifications in memberof plugin
* Ghost members - sysdb upgrade routine
* Ghost members - NSS responder changes
* Ghost members - removed sdap_check_aliases()
* Ghost members - modified sss_groupshow
* Ghost members - various small changes
* Add support for filtering attributes
* Utilize attribute exclusion in LDAP initgroups
* Fixed setting of debug level in test suite
* IPA subdomains - ask for information about master domain
* Allow fast memcache timeout to be configurable
* Fix an issue in ghost users
* Provide "service filter" for SELinux context
* Fixed debug message in sdap_save_group()
* Fix possible segfault in sdap_save_group()
* PAC responder: add some utility functions
* PAC responder: test suite
* Fix re_expression matching with subdomains
* SELinux user maps: pick just one map
* Fixed wrong number in shadowLastChange
* Add function sysdb_attrs_copy_values()
* Modify priority evaluation in SELinux user maps
* Added some DEBUG statements into SELinux related code
* Extend category support in SELinux user maps
* Remove ipa_selinux_map_merge()
* Fix linking of HBAC rules and SELinux user maps
* Provide counter of possible matches in SELinux IPA provider
* Always free request in data provider PAM callback
* Renamed session provider to selinux provider
* Move SELinux processing from session to account PAM stack
* Remove unused member of be_req
* Write SELinux config files in responder instead of PAM module
* Modify hbac_get_cached_rules() so it can be used outside of HBAC code
* Support fetching of HBAC rules from sysdb in SELinux code
* Support fetching of host from sysdb in SELinux code
* Primary server support: introduce concept of reconnection
* Primary server support: basic support in failover code
* Primary server support: support for "disconnecting" connections in LDAP
* Primary server support: IPA adaptation
* Primary server support: krb5 adaptation
* Primary server support: LDAP adaptation
* Primary server support: AD adaptation
* Primary server support: man page, failover section
* Primary server support: new option in ldap provider
* Primary server support: new options in krb5 provider
* Primary server support: new option in IPA provider
* Primary server support: new option in AD provider
Joshua Roys (1):
* Simple implementation of Netscape password warning expiration control
Marco Pizzoli (1):
* Two manual pages fixes
Michal Zidek (18):
* Fixed: Unchecked return value from dp_opt_set_int.
* Fixed: Uninitialized value in krb5_child-test if ccname was specified.
* Added unit test for sysdb_ssh.c
* Return value of fread in src/tools/sss_debuglevel.c no longer ignored.
* Change default value of ldap_sasl_string to host/hostname@REALM in man page.
* SRV resolution for backup servers should not be permitted.
* When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside nesting limit.
* Duplicate detection in fail over did not work.
* Typo in debug message (SSSd -> SSSD).
* Unify usage of sysdb transactions
* Fix: IPv6 address with square brackets doesn't work.
* Adding -std=gnu99 flag.
* Unify usage of sysdb transactions (part 2).
* LDB_ERR_INVALID_ATTRIBUTE_SYNTAX added to sysdb_error_to_errno.
* SSSD fails to store users if any of the requested attribute is empty.
* tools_util.h provides signal_sssd function.
* sss_cache tool invalidates records in memory cache.
* Bad debug message when no dns_discovery_domain specified.
Nick Guay (4):
* added DEBUG messages to krb5_child and ldap_child
* Fix uninitialized values
* First-boot sss_seed tool
* remove duplicate sss_obfuscate reference in seealso manpage section
Ondrej Kos (7):
* Removed unused variable assignment
* Replaced "id_max" & "id_min"
* Backward GOTOs rewritten into do-while loops.
* AD context was set to null due to type mismatch
* Consolidation of functions that make realm upper-case
* Out-of-bounds read fix in hmac-sha-1
* Add more debuginfo into ldap_child
Pavel Březina (96):
* Improve debug messages in sysdb_sudo_check_time()
* SUDO responder: check if the input is a UTF-8 string
* Refactor sss_result into sss_sudo_result
* Redesign purging of the sudo cache
* Honor case_sensitive option in sudo responder
* Move sudo_dom_ctx.user to local variable
* Hide --debug option in sss_debuglevel
* Two memory leaks in sss_sudo_get_values
* Missing debug message if sdap_sudo_refresh_set_timer fails
* Use of uninitialized value in sudosrv_cache_set_entry and sudosrv_cache_lookup_internal
* Use of uninitialized value in sss_sudo_parse_response
* Potential NULL-dereference in sudosrv_cmd_get_sudorules
* sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic()
* Install and uninstall all documentation
* fix copy and paste error in comment
* Fix typo in debug message
* sudo api: remove EOK
* sudo responder: remove code duplication in commands
* sudo responder: get rid of dctx where possible
* sudo sysdb: make sysdb_get_sudo_user_info more configurable
* sudo api: send uid, username and domainname
* sudo responder: change protocol version to 1
* libsss_sudo: bump version to 2:0:1
* sudo responder: discard in-memory cache
* sudo ldap provider: move async routines to sdap_async_sudo.c
* sudo ldap provider: give sdap_sudo_refresh_send() search and purge filters
* confdb: add entry_cache_sudo_timeout option
* sudo ldap provider: add sysdb ctx in sdap_sudo_refresh_state
* sudo ldap provider: add domain info in sdap_sudo_refresh_state
* sudo ldap provider: add expiration time to each rule
* sysdb: add getter/setter for last sudo full refresh time
* sudo ldap provider: provide API for full refresh
* sudo ldap provider: add support for on demand full refresh
* sudo ldap provider: provide API for refresh of specific rules
* sudo ldap provider: add support for on demand refresh of specific rules
* sudo backend - support only on demand full refresh
* sudo backend - add support for on demand refresh of specific rules
* sudo provider: add ldap_sudo_full_refresh_interval
* sudo provider: remove old timer
* sudo ldap provider: add new timer API
* sysdb: remove sudo_set/get_refreshed
* sudo ldap provider: support periodical full refresh
* ldap provider: add sudo usn value
* sudo ldap provider: find highest USN
* sudo ldap provider: add sdap_sudo_set_usn()
* sudo ldap provider: remember highest usn after full refresh
* sudo ldap provider: add smart refresh API
* sudo ldap provider: when sysdb filter is NULL remove downloaded rules
* sudo provider: add ldap_sudo_smart_refresh_interval
* sudo ldap provider: add periodical smart refresh API
* sudo ldap provider: support periodical smart refresh
* sudo responder: new request enum type
* sudo sysdb: add expiration time to the filter
* sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache()
* sudo responder: update dp interface
* sudo responder: refresh expired rules
* sudo ldap provider: return number of downloaded rules in sdap_sudo_refresh_recv()
* sudo ldap provider: notify responder when an expired rule has been deleted
* sudo responder: schedule OOB full refresh when expired rule is deleted
* sudo: clean up
* sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done()
* sdap_sudo.c: move _recv after _done
* sudo ldap provider: pass sudo_ctx instead of id_ctx
* sudo: add host info options
* sudo ldap provider: load host filter configuration on init
* sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as static
* sudo ldap provider: do per-host updates
* sudo ldap provider: support autoconfiguration of IP addresses
* sudo: manpage updated
* resolv_gethostbyname_send: strdup hostname to work properly when hostname is allocated on stack
* sudo test client: avoid SIGSEGV when run without arguments
* sdap_sudo.c: add missing end of line in few debug messages
* add hostid and subdomains sections in sssd-ipa.conf
* manpage: seealso - include ssh conditionally
* tests: allow changing cwd in all tests
* manpage: sssd-sudo - documents how sudo works with sssd
* sudo ldap provider: support autoconfiguration of hostnames
* Unbreak SASL
* tests: build sysdb ssh tests conditionally
* shadow attributes can contain -1
* Add end of line to debug message
* monitor: set debug level when unable to load configuration
* Remove redefinition of some SYSDB_* macros
* Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
* Remove SYSDB_SUDO_CACHE_OC from attribute lists
* Fix LOCAL domain lookups
* Close LDAP connection when unable to install TLS
* Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext()
* Remove compilation warning: ret may be uninitialized
* Clean up cache on server reinitialization
* netgroup: resolve hostgroup membership correctly
* be_process_init(): free ctx on error
* backend: initialize sudo only when it is enabled in services
* Failover: use _srv_ when no primary server is defined
* rpm: put localized sssd_krb5_locator_plugin manpages into client
* sdap_add_incomplete_groups(): fix ret may be uninitialized warning
Rambaldi (2):
* heimdal: fix compile error in krb5-child-test
* heimdal: use sss_krb5_princ_realm to access realm
Shantanu Goel (4):
* Set return errno to the value prior to calling close().
* Log message if close() fails in destructor.
* Do not send SIGPIPE on disconnection
* Add support for terminating idle connections
Simo Sorce (31):
* nss_group: Cache the result from sssd when the glibc provided buffer is too small.
* pam_sss: keep selinux optional
* Use the correct hash table for pending requests
* util: Helper headers for shared memory cache
* nsssrv: shared memory cache server initialization
* nsssrv: Add memory cache record handling utils
* nsssrv: add handling of memory cache passwd map
* sss_client: Add common shared memory cache utils
* sss_client: shared memory cache passwd map support
* nsssrv: add handling of memory cache group map
* sss_client: shared memory cache group map support
* Do not leak file descriptors in client libs.
* Add close on exec support for old platforms
* Fix segfault when sudo is not configured.
* Change subdomain_info
* tests: Remove useless consts
* 80 columns police
* Fix double semi-colons
* Fix wrong elements used in comparison
* Use ldb_msg_add_string with bare strings
* Fix return error and debug message
* Make structure initializer more readable
* 80 col and style fixes
* Use a more tractable name for subdomain request
* Add realm parameter to subdomain list
* Expose an initializer function from subdomain
* Change refreshing of subdomains
* Limit refreshes keeping track of last refresh time
* Add online callback to enumerate subdomains
* Add automatic periodic retrieval of subdomains
* Remove obsolete comment
Stef Walter (10):
* Fix erroneous reference to the 'allow' access_provider
* execv, execvp and exec_child never return EOK
* If canon'ing principals, write ccache with updated default principal
* Remove erroneous failure message in find_principal_in_keytab
* Limit krb5_get_init_creds_keytab() to etypes in keytab
* Clearer documentation for use_fully_qualified_names
* Make re_expression and full_name_format per domain options
* Move some debug lines to new debug log levels
* Fix crash when interface doesn't have an address
* Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8
Stephen Gallagher (178):
* Set version to 1.9dev
* Updating translatable strings for string freeze
* Updating translations
* Remove dead code
* Fix missing NULL check after malloc
* Avoid uninitialized value comparison
* Add missing breaks to switch statements
* Fix uninitialized in_transaction
* Fix bad failure handling in be_sudo_handler()
* Check for failure in sss_packet_grow()
* Fix uninitialized value error in proxy provider
* Ensure NULL-termination in get_uid_from_pid()
* Move sss_ssh_* binaries to the main 'sssd' package
* Always include all manpage XML files in the distribution tarball
* Fix missing %endif in sssd.spec.in
* NSS: Always return the same protocol that was requested
* LDAP: Ignore group member users that do not have name attributes
* RESPONDERS: Allow increasing the file-descriptor limit
* RESPONDERS: Make the fd_limit setting configurable
* Add tool to convert debug levels
* IPA: Add ipa_parse_search_base()
* LDAP: Properly assign orig_dn
* LDAP: Only use paging control on requests for multiple entries
* LDAP: Remove unnecessary filter sanitize
* Eliminate build-time requirement for nscd
* PAM: Don't send PAM_SYSTEM_INFO message if module unset
* Fix typo in autofs option description
* Include the debug_level upgrade tool in the tarball
* Include new manpages in translations
* Fix typo in script name
* Handle cases where UID is -1
* IPA: Set the DNS discovery domain to match ipa_domain
* IPA: Fix segfault with srchost functionality enabled
* DP: Reorganize memory hierarchy of requests
* Prune python provides correctly
* Make RPM spec more explicit
* Build experimental features by default in RPMs
* Properly terminate GIT_CHECKOUT
* LDAP: Make sdap_access_send/recv public
* IPA: Check nsAccountLock during PAM_ACCT_MGMT
* PROXY: Create fake user entries for group lookups
* SSH: Fix missing semicolon
* IPA: Initialize hbac_ctx to NULL
* i18n: Remove empty translations
* LDAP: Add AD 2008r2 schema
* IPA: Allow service lookups
* SYSDB: Save only lowercased aliases in case-insensitive domains
* LDAP: Errors retrieving the RootDSE should not be fatal
* NSS: Fix debug message
* Start SSSD earlier and stop it later
* LDAP: Add better error logging when ldap_result() fails
* LDAP: Fix memory leaks in synchronous_tls_setup
* BUILDSYS: Create common libs for LDAP and KRB5 sources
* Put dp_option maps in their own file
* Add terminator for dp_option
* Add better dp_option tests
* Add terminator for sdap_attr_map
* Add better tests for sdap_attr compatibility
* Remove old compatibility tests
* Fix building manpages in parallel build dirs
* Clean up log messages about keytab_name
* MAN: Improve ldap_disable_paging documentation
* MAN: Add ldap_sasl_minssf to the manpage
* Fix linker issue with pam_sss
* murmurhash: Relax inline requirement
* Handle endianness issues on older systems
* SYSDB: Handle upgrade script failures better
* LDAP: Add objectSID config option
* LDAP: Add id-mapping option
* SYSDB: Add sysdb routines for ID-mapping
* LDAP: Add helper routines for ID-mapping
* LDAP: Add ID mapping range settings
* LDAP: Initialize ID mapping when configured
* LDAP: Enable looking up ID-mapped users by name
* LDAP: Add autorid compatibility mode
* LDAP: Allow setting a default domain for id-mapping slice 0
* LDAP: Add routine to extract domain SID from an object SID
* LDAP: Allow automatically-provisioning a domain and range
* LDAP: Enable looking up id-mapped users by UID
* LDAP: Allow looking up ID-mapped groups by name
* LDAP: Enable looking up id-mapped groups by GID
* LDAP: Map the user's primaryGroupID
* LDAP: Add helper routine to convert LDAP blob to SID string
* LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped entries
* LDAP: Add helper function to map IDs
* LDAP: Treat groups with unmappable SIDs as non-POSIX groups
* MAN: Add manpage for ID mapping
* LDAP: Add support for enumeration of ID-mapped users and groups
* SSSDConfigAPI: Fix missing option in tests
* NSS: Add fallback_homedir option
* NSS: Add default_shell option
* SYSDB: Add better error logging to sysdb_set_entry_attr()
* LDAP: Add attr_count return value to build_attrs_from_map()
* LDAP: Handle very large Active Directory groups
* Updating translations for 1.9.0 beta 1 release
* Bumping version to 1.8.91 for 1.9.0 beta 1 release
* Bumping version to 1.8.92 for beta 2 development
* RPM: Allow running 'make rpms' on RHEL 5 machines
* NSS: Expire in-memory netgroup cache before the nowait timeout
* Always use positional arguments in translatable strings
* KRB5: Avoid NULL-dereference with empty keytab
* Update translation sources
* NSS: Fix segfault when mmap cache cannot be initialized
* NSS: Restore original protocol for getservbyport
* SSSDConfig: Make SSSDConfig a package
* SSSDConfig: Make default config and schema file locations configurable
* PAM: Better pam_reply message
* SYSDB: Reduce noise level of debug messages in lookups
* LDAP: Remove redundant check
* LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
* LDAP: Add helper function to get list of a user's groups from sysdb
* LDAP: Make sdap_initgr_common_store() non-static
* LDAP: Add ldap_*_use_matching_rule_in_chain options
* LDAP: Add support for AD chain matching extension in group lookups
* LDAP: Add support for AD chain matching extension in initgroups
* LDAP: Auto-detect support for the ldap match rule
* LDAP: Fix missing variable in debug message
* SSS_CLIENT: Fix uninitialized value error
* Fix compilation on older little-endian systems
* KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data
* KRB5: Auto-detect DIR cache support in configure
* KRB5: Avoid shadowing dirname
* Updating translations for 1.9.0 beta 2 release
* Bumping version to 1.9.0 beta 3
* Fix typo breaking DIR cache detection
* Make the client idle timeout configurable
* UTILS: Fix segfault due to sss_parse_name_for_domains
* BUILD: Change default unicode library to glib2
* Update translations for 1.9.0 beta 3 release
* Bumping version to 1.9.0 beta 4
* TESTS: Print messages when LDAP options do not match
* DEBUG: Log to syslog if we are unable to open a debug fd
* KRB5: Initialize the credential cache type properly
* IPA: Don't hang onto memory longer than necessary
* LDAP: Print extended failure message for SASL bind
* MAN: Unify "SEE ALSO" sections
* KRB5: Some logging enhancements for krb5_child
* KRB5_LOCATOR: Print the filename that couldn't be opened
* KRB5: Drop memctx parameter of krb5_try_kdcip
* KRB5: Create a common init routine for krb5_child options
* LDAP: Rename user and group maps for AD
* AD: Add AD identity provider
* AD: Add AD auth and chpass providers
* AD: Add AD access-control provider
* AD: Add AD provider to the spec file
* AD: use krb5_keytab for validation and GSSAPI
* AD: Add manpages and SSSDConfig entries
* CONFDB: Add the ability to set a boolean value in the confdb
* AD: Force case-insensitive operation in AD provider
* Fix use-after-free
* Fix uninitialized variable
* Fix potential NULL-dereference
* Fix potential NULL-dereference
* Fix incorrect return value in tests
* Fix potential NULL-dereference
* Fix uninitialized value return
* Fix uninitialized memcpy error
* Avoid NULL-dereference in error-handling
* Add missing return value check
* Check for errors from krb5_unparse_name
* Fix incorrect error-check
* Fix segfault when using local provider
* AD: Add missing DP option terminator
* AD: Fix defaults for krb5_canonicalize
* MAN: List all available backends for provider options
* MAN: Improvements to the AD provider manpage
* NSS: Add override_shell option
* SYSDB: Add log message for unexpected LDB errors
* SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
* IPA: Do not attempt to close the same file twice
* IPA: Securely set umask for mkstemp in subdomain provider
* MAN: Fix minor typo in ldap_search_base section
* MAN: Improve description of ldap_*_search_base options
* SYSDB: Make sysdb_attrs_get_el_int() public
* AD: autorid compatibility should recommend the use of default domain
* AD: Detect domain controller compatibility version
* AD: Optimize initgroups lookups with tokenGroups
* AD: Handle sysdb lookup failure during tokenGroups processing
Sumit Bose (40):
* Use curly braces in pkgconfig metadata file
* Keep sysdb context in domain info struct
* Remove sysdb_get_ctx_from_list()
* Always initialize the returned data in sss_krb5_princ_realm()
* Add idmap library
* Check sub-domains in nss_cmd_get{pwuid|grgid}_search()
* data provider: added subdomains
* IPA: Add get-domains target
* Add domain name to get_account_info request
* Add s2n extended operation
* Allow different SID representations in libidmap
* Fix typo in spec file
* Fix endian issue in SID conversion
* Rename struct dom_sid to struct sss_dom_sid
* Fix libsss_hbac library version
* sss_idmap: add support for samba struct dom_sid
* sss_idmap: fix typo which prevents sub auth larger than 2^31
* PAC responder: add basic infrastructure
* PAC responder: add the core functionality
* PAC responder: support in spec file
* PAC client: add basic support in common client code
* PAC client: add krb5 authdata plugin
* Add support for ID ranges
* Add range support to PAC responder
* Try to build PAC responder only if all dependencies are available
* Build pac responder tests only if pac responder is built
* Add man page section for the PAC responder
* Set default for subdomain_homedir
* Fix SSSDConfigTest for separate build directories
* Set file descriptor limits in pac responder
* Remove resource leak in sssdpac_import_authdata
* Remove dead code in ipa_subdomains_handler_done()
* pac responder: limit access by checking UIDs
* Add python bindings for murmurhash3
* accept_fd_handler: add missing return
* Fix fallback in validate_tgt()
* Use new debug levels in validate_tgt()
* Check flat names when searching for sub-domains as well
* Add provider specific default regular expressions
* Make subdomain discovery less noisy
Ville Skyttä (1):
* Require and call ldconfig from subpackages if appropriate
Yuri Chornoivan (5):
* fix typos in manual
* Fix typo: retreiving->retrieving
* Fix typos in message and man pages.
* Fix typo: exhasution->exhaustion.
* Fix various typos in documentation.
11 years, 7 months
[PATCH] RPM: Create ghost files during install
by Jakub Hrozek
My previous patch that ghosted the fastcache files broke the RPM build,
because as Stephen noted, the old rpmbuild version shipped with RHEL5
requires that the ghost files must be present in the buildroot.
A patch is attached.
11 years, 7 months
AUTOFS: Store entry objects below map objects
by Jakub Hrozek
[PATCH 1/5] AUTOFS: Do not fail if search base is not provided
We need to fall back to rootDSE provided search base instead of failing
[PATCH 2/5] AUTOFS: Add sysdb tests
I knew I would be changing the sysdb interface so I coded up tests to
avoid regressions
[PATCH 3/5] AUTOFS: Add entry objects below map objects
https://fedorahosted.org/sssd/ticket/1506
Changes how the new autofs entry objects are handled. Instead of
creating the entry on the cn=autofs,cn=custom level, the entry is
created below the map it belongs to.
[PATCH 4/5] AUTOFS: Use both key and value in entry RDN
This patch switches from using just key in the RDN to using both key and
value. That is necessary to allow multiple direct mounts in a single
map.
[PATCH 5/5] AUTOFS: convert the existing autofs entries during a sysdb upgrade
The sysdb is upgraded to a new version to convert the existing entries
to the new format.
11 years, 7 months
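To make the placement change in the AUTOFS series above concrete, here is an added example (not SSSD's own code) that builds the cache DNs both ways: entries directly under cn=autofs,cn=custom with a key-only RDN, versus entries below their map with a key+value RDN. The attribute names (automountMapName, automountKey, automountInformation), the domain suffix and the sample auto.master content are constructed assumptions; it shows why two direct-mount lines ("/-") collide in the old layout and not in the new one.

```python
"""Constructed illustration of autofs entry DNs in a sysdb-style LDB tree.

Not SSSD code: the attribute names and the base DN suffix below are assumptions
made for this example.
"""
from collections import Counter

# Base where custom objects live for a domain; the domain suffix is assumed.
AUTOFS_BASE = "cn=autofs,cn=custom,cn=example.com,cn=sysdb"


def rdn_escape(value: str) -> str:
    """Escape characters that are special inside an RDN value (RFC 4514)."""
    specials = set(',+"\\<>;=')
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in specials or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def map_dn(map_name: str) -> str:
    """DN of a map object under the autofs container."""
    return f"automountMapName={rdn_escape(map_name)},{AUTOFS_BASE}"


def entry_dn_old(key: str) -> str:
    """Layout before the series: entry beside the maps, RDN built from the key only."""
    return f"automountKey={rdn_escape(key)},{AUTOFS_BASE}"


def entry_dn_new(map_name: str, key: str, value: str) -> str:
    """Layout after the series: entry below its map, multi-valued RDN of key and value."""
    return (f"automountKey={rdn_escape(key)}+automountInformation={rdn_escape(value)},"
            f"{map_dn(map_name)}")


# Constructed auto.master content: the direct-map key "/-" appears twice,
# which is the case a key-only RDN cannot represent.
MASTER_MAP = "auto.master"
MASTER_ENTRIES = [("/home", "auto.home"), ("/-", "auto.direct1"), ("/-", "auto.direct2")]


def old_layout_dns(entries=MASTER_ENTRIES):
    return [entry_dn_old(key) for key, _value in entries]


def new_layout_dns(map_name=MASTER_MAP, entries=MASTER_ENTRIES):
    return [entry_dn_new(map_name, key, value) for key, value in entries]


def duplicate_dns(dns):
    """Return the DNs that would have to be written more than once (a collision)."""
    return sorted(dn for dn, count in Counter(dns).items() if count > 1)


if __name__ == "__main__":
    print("old layout collisions:", duplicate_dns(old_layout_dns()))  # one DN
    print("new layout collisions:", duplicate_dns(new_layout_dns()))  # []
```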
Re: [SSSD] [PATCH] sdap_get_ad_tokengroups_initgroups_lookup_done(): fix group_name may be uninitialized warning
by Stephen Gallagher
On Mon 24 Sep 2012 11:24:59 AM EDT, Stephen Gallagher wrote:
> On Mon 24 Sep 2012 11:01:20 AM EDT, Pavel Březina wrote:
>> Recent AD patches introduced another warning.
>>
>> If I read the code correctly it is safe to just initialize the
>> variable to NULL.
>>
>
> Nack, this would not be safe. We would then be attempting to
> talloc_strdup() the NULL value at line 367. What is actually wrong
> here is that the error check from sysdb_search_group_by_gid() needs to
> fail if it returns anything but EOK or ENOENT, which I forgot to
> include. Falling through below is bad.
>
> Thanks for catching that.
Whoops, forgot to attach the patch.
11 years, 7 months