This is the first unit test for nested groups. It covers only the most
basic situation, when we are trying to resolve one group with no members.
Even though it is only one test, the patch set is quite big. This is
because it creates the possibility to mock provider-related modules.
Most of the patches are just preparation for unit testing providers.
Moves the code around to reduce the number of dependencies. (E.g. you do not
want to load failover when you are testing nested groups.)
Mocks basic SDAP interface.
Mocks sysdb objects - currently user and rfc2307bis group. You can
decide what set of attributes the object should possess. For example,
creating a user requires only the basedn and name parameters, to construct
the originalDN and name attributes. The rest is provided by (attrname,
value) pairs via a variadic function.
mock_sysdb_user(mem_ctx, basedn, name, SYSDB_UIDNUM, uid, ...)
get_attr_type() translates the sysdb attribute name to proper data type.
This should be extended as needed.
Adds provider-test-related common object files and CFLAGS to the makefile.
New macro sss_will_return_always(fn, value). This can be used to mock
function data in such a way that any call of mock() will return the value.
It was just pushed also to cmocka upstream as will_return_always().
Removes a noisy debug message.
I would like to get this reviewed before I continue with more test
cases, so the framework is tuned enough.
I also created a new macro called fail_msg, which will make the test fail,
printing a message. I didn't use this macro in the end, but it made its
way to cmocka upstream.
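As an added example (not code from this patch set or from sssd), a variadic sysdb-style mock in the spirit of the mock_sysdb_user() call above, with get_attr_type() deciding how each value is read from the va_list; the attribute names, struct layout and type table are assumptions:

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Attribute names, struct layout and the type table are assumptions. */
#define SYSDB_UIDNUM  "uidNumber"
#define SYSDB_HOMEDIR "homeDirectory"
#define MAX_ATTRS 16
enum attr_type { ATTR_UNKNOWN, ATTR_STRING, ATTR_NUMBER };
struct mock_attr { const char *name; char value[128]; };
struct mock_user { char dn[256]; const char *name; size_t nattrs; struct mock_attr attrs[MAX_ATTRS]; };

/* Translate a sysdb attribute name into the C type read from the va_list. */
enum attr_type get_attr_type(const char *attr)
{
    if (strcmp(attr, SYSDB_UIDNUM) == 0)  return ATTR_NUMBER;
    if (strcmp(attr, SYSDB_HOMEDIR) == 0) return ATTR_STRING;
    return ATTR_UNKNOWN;     /* extend as more attributes get mocked */
}

/* Only basedn and name are required (they form originalDN and name); the rest
 * are (attr, value) pairs ended by a NULL attribute name. An unknown attribute
 * makes the mock fail instead of guessing how to read the value. */
struct mock_user *mock_sysdb_user(const char *basedn, const char *name, ...)
{
    struct mock_user *u = calloc(1, sizeof(*u));
    const char *attr;
    va_list ap;
    if (u == NULL) return NULL;
    snprintf(u->dn, sizeof(u->dn), "cn=%s,cn=users,%s", name, basedn);
    u->name = name;
    va_start(ap, name);
    while ((attr = va_arg(ap, const char *)) != NULL) {
        struct mock_attr *a = &u->attrs[u->nattrs];
        enum attr_type t = get_attr_type(attr);
        if (u->nattrs == MAX_ATTRS || t == ATTR_UNKNOWN) { va_end(ap); free(u); return NULL; }
        a->name = attr;
        if (t == ATTR_NUMBER) snprintf(a->value, sizeof(a->value), "%lu", va_arg(ap, unsigned long));
        else snprintf(a->value, sizeof(a->value), "%s", va_arg(ap, const char *));
        u->nattrs++;
    }
    va_end(ap);
    return u;
}
/* Look an attribute up on the mocked object; NULL if it was not supplied. */
const char *mock_user_get(const struct mock_user *u, const char *attr)
{
    for (size_t i = 0; i < u->nattrs; i++)
        if (strcmp(u->attrs[i].name, attr) == 0) return u->attrs[i].value;
    return NULL;
}
```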
make distcheck failed on current master.
mv: cannot move ‘./sssd_build/sssd-1.11.90/_build/po/de.new.po’ to ‘de.po’: Permission denied
msgmerge for de.po failed: cannot move ./sssd_build/sssd-1.11.90/_build/po/de.new.po to de.po
make: *** [de.po-update] Error 1
It is because the German translation file "de.po" for manual pages was stored in
the wrong directory (po/) and should be stored in the directory for manual pages.
I did not test generation of the German manual pages, but make distcheck passes
without any problem.
A gzipped patch is attached.
=== SSSD 1.11.4 ===
The SSSD team is proud to announce the release of version 1.11.4 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
== Highlights ==
* This release focuses primarily on bug fixes, especially for use cases
where SSSD is acting as an Active Directory client
* The simple access provider supports specifying users and groups using
their NetBIOS domain name (such as `DOMAIN\username`)
* Support for enumerating users and groups from trusted AD domains was
added to the AD provider
* The Active Directory site discovery was made more robust for configurations
which use multiple trusted domains
* Several bugs in the LDAP provider that affected setups which mapped
Windows SIDs to POSIX IDs were fixed
* The SSSD is now able to use One Time Password (OTP) authentication
configured on an IPA server. Please note that this functionality is not
present in the released FreeIPA versions yet
== Documentation Changes ==
* The `krb5_use_fast` option changes its default from `never` to `try` in the
IPA provider. The config option value did not change in the other providers.
== Tickets Fixed ==
AD Enumeration reads data from LDAP while regular lookups connect to GC
Implement heuristics to detect if POSIX attributes have been replicated
to the Global Catalog or not
sssd_be crashes when ad_access_filter uses FOREST keyword.
"System Error" when invalid ad_access_filter is used
RHEL7 sssd not setting IPA AD trusted user homedir
Enabling ldap_id_mapping doesn't exclude uidNumber in filter
FAST does not work in SSSD 1.11.2 in Fedora 20
Access denied for users from gc domain when using format DOMAIN\user
Group membership lookup issue
Group lookup does not return member with multiple names after user lookup
sssd ad trusted sub domain do not inherit fallbacks and overrides settings
sssd_be crashes when ldap_search_base cannot be parsed.
sssd_be aborts a request if it doesn't match any configured idmap domain
sssd_be should hint about increasing the krb5_auth_timeout if krb5 auth
Warn with a user-friendly error message when permissions on sssd.conf
sudo rules time filter is nondeterministic
Man page states default_shell option supersedes other shell options
but in fact override_shell does.
== Detailed Changelog ==
Alexander Bokovoy (1):
* FAST: when parsing krb5_child response, make sure to not miss OTP message if it was last one
Benjamin Franzke (1):
* dlopen-tests: Check the result of asprintf
Jakub Hrozek (27):
* Updating the version for the 1.11.4 release
* LDAP: Fix typo and use the right attribute map
* LDAP: Add a new error code for malformed access control filter
* tests: Remove tests that check creating public directories
* UTIL: Inherit parent domain's default_shell
* NSS: Use plain user name when expanding homedir
* AD: Don't fail the request if ad_account_can_shortcut fails
* MAN: Fix a typo
* LDAP: Fix error check
* LDAP: Don't abort request if no id mapping domain matches
* AD: Don't mark domain as enumerated twice
* AD: Store info on whether a subdomain is set to enumerate
* LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
* LDAP: Add enum request with custom connection
* AD: Enumerate users from GC, other entities from LDAP
* LDAP: Don't clobber original_member during enumeration
* DB: Add sss_ldb_el_to_string_list
* AD: Establish cross-domain memberships after enumeration finishes
* MAN: clarify which shell option takes precedence
* LDAP: Detect the presence of POSIX attributes
* AD: Only download domains that are set to enumerate
* AD: Remove dead code
* LDAP: Handle errors from sdap_id_op properly in enum code
* SSS_CACHE: Reset the initgroups attribute when resetting users
* IPA: Default to krb5_use_fast=try
* MAN: Clarify the new krb5_use_fast IPA default
* Updating translations for the 1.11.4 release
Lukas Slebodnik (7):
* AD: Return right error code from netlogon_get_flat_name
* LDAP: Don't fail if subdomain cannot be found by sid
* LDAP: update id mapping detection for ldap provider
* sdap_idamp: Fall back to another method if sid is wrong
* krb5: fix warning may be used uninitialized
* LDAP: store group if subdomain cannot be found by sid
* LDAP: require attribute groupType for AD groups
Pavel Březina (2):
* sudo: memset tm when converting time attributes
* IPA: default krb5_fast_principal to host/$client@$realm
Pavel Reichl (10):
* responder: Set forest attribute in AD domains
* simple access: match objects using flat name
* simple access: refresh master domain info
* NSS: add support for subdomain_homedir
* krb5: hint to increase krb5_auth_timeout
* MONITOR: Incorrect permissions on sssd.conf
* Revert "NSS: add support for subdomain_homedir"
* AD: support for subdomain_homedir
* MAN: update of subdomain_homedir usage
* utils: handling NULL params in sss_parse_name
Sumit Bose (2):
* IPA: fix for recent AD group membership changes
* AD SRV: use right domain name for CLDAP ping
IPA: default krb5_fast_principal to host/$client@$realm
If krb5_fast_principal was not set in sssd.conf it was set to
host/$client, so the KRB5 default realm was used, which doesn't have to be the
same as the realm used for IPA; thus authentication failed when using FAST.
The dlopen test failed when I was testing patches for krb5 CFLAGS with a custom
build of MIT Kerberos.
Running suite(s): dlopen
0%: Checks: 1, Failures: 1, Errors: 0
Error opening libsss_ipa.so: [dlopen() failed: ./sssd/.libs/libsss_ipa.so:
undefined symbol: selinux_policy_root].
The function selinux_policy_root is used in the module ipa_selinux.c
by the macro selogin_path:
sh-4.2$ objdump -T /usr/lib64/sssd/libsss_ipa.so | grep selinux_policy_root
0000000000000000 D *UND* 0000000000000000 selinux_policy_root
But libsss_ipa.so was not linked with the selinux library.
It was not a problem because other libraries depend on selinux.so:
libsss_ipa.so -> libk5crypto.so -> libkrb5support.so -> libselinux.so
We should not rely on the dependencies of other libraries.
sh-4.2$ objdump -p /usr/lib64/sssd/libsss_ipa.so | grep selinux
sh-4.2$ objdump -p /usr/lib64/sssd/libsss_ipa.so | grep selinux
The simple patch is attached.
As agreed with Nathaniel, we should change the default of krb5_use_fast
to "try" with the IPA backend and also change the default of
krb5_fast_principal to "host/$client_hostname".
So far I've tested this patch on F-20 only with IPA server
3.3.90GIT0f82cbf. More testing is needed with older IPA servers as well,
but that shouldn't block the patch review.