[PATCH] sysdb: Write additional attrs in sysdb_add_user
by Daniel Gollub
In the uid=0 case (to obtain new free id) only uidNumber and gidNumber
attributes got written, but not the additional provided attributes like
alias or others.
---
src/db/sysdb_ops.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index e32d79a..b1a2992 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1401,7 +1401,8 @@ int sysdb_add_user(struct sss_domain_info *domain,
}
ret = sysdb_set_user_attr(domain, name, id_attrs, SYSDB_MOD_REP);
- goto done;
+ /* continue on success, to commit additional attrs */
+ if (ret) goto done;
}
if (!attrs) {
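Review bot: The new `if (ret) goto done;` at the end of the id-allocation block relies on an implicit non-zero test and has no braces; `if (ret != EOK) { goto done; }` would state the intent explicitly. With the unconditional `goto done` removed, the code starting at `if (!attrs) {` now also runs after `sysdb_set_user_attr(domain, name, id_attrs, SYSDB_MOD_REP)` has succeeded. The hunk does not show what that code does in this path, so the commit message should say why it is safe to fall through, in particular that the uidNumber and gidNumber just written are not overwritten. A test that adds a user with uid 0 plus an extra attribute such as an alias and reads it back would pin the fix down.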
--
1.9.1
9 years, 7 months
Announcing SSSD 1.11.7
by Jakub Hrozek
=== SSSD 1.11.7 ===
The SSSD team is proud to announce the release of version 1.11.7 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19 and 20 shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focuses on delivering bug fixes and smaller features backported
from the 1.12 line
* Several fixes related to retrieving the correct group memberships in
the AD provider configured to use POSIX attributes were fixed.
* The Active Directory provider now correctly detects Windows Server 2012 R2.
Previous versions would fall back to the slower non-AD path with 2012 R2.
* Groups without full POSIX information can now be used to enroll group
membership (fixes CVE-2014-0249)
* Detection of transition from offline to online state was improved,
resulting in fewer timeouts when SSSD is offline.
* If referrals are disabled with a config option (or by default in the AD
provider), any returned referral would be ignored. Previously, the back
end would switch to offline mode on encountering a referral.
== Documentation Changes ==
* A new option override_space was added. When this option is set, a space
character in user or group names is replaced by the character specified
in this option
* A small random value is now added to the offline_timeout parameter value
to avoid flooding servers with periodical online checks
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1854
[RFE] Add option for sssd to replace space with specified character in LDAP group
https://fedorahosted.org/sssd/ticket/2212
[RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
https://fedorahosted.org/sssd/ticket/2323
Expired shadow policy user(shadowLastChange=0) is not prompted for password change
https://fedorahosted.org/sssd/ticket/2343
CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group [fedora-all]
https://fedorahosted.org/sssd/ticket/2345
tokengroups do not work with id_provider=ldap
https://fedorahosted.org/sssd/ticket/2349
public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end
https://fedorahosted.org/sssd/ticket/2355
Requests queued during transition from offline to online mode
https://fedorahosted.org/sssd/ticket/2360
The SSSD dbus service should retry system bus connection if it fails
https://fedorahosted.org/sssd/ticket/2364
RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
https://fedorahosted.org/sssd/ticket/2377
sudo: invalid sudoHost filter with asterisk
https://fedorahosted.org/sssd/ticket/2380
Race condition in the client code
https://fedorahosted.org/sssd/ticket/2383
dereferencing control failure against openldap server
https://fedorahosted.org/sssd/ticket/2385
ad: group membership is empty when id mapping is off and tokengroups are enabled
https://fedorahosted.org/sssd/ticket/2389
Problems with tokengroups and ldap_group_search_base
https://fedorahosted.org/sssd/ticket/2390
Failover does not always happen from SRV to hostname resolution(via /etc/hosts)
https://fedorahosted.org/sssd/ticket/2391
sssd_be segfaults in ldb_msg_find_element
https://fedorahosted.org/sssd/ticket/2397
Auth fails when space in username is replaced with character set by override_default_whitespace
https://fedorahosted.org/sssd/ticket/2399
RHEL6.6 sssd not running after upgrade
https://fedorahosted.org/sssd/ticket/2400
sssd can't retrieve sudo rules when using the "default_domain_suffix" option
https://fedorahosted.org/sssd/ticket/2401
clarify the offline timeout in man page
https://fedorahosted.org/sssd/ticket/2402
IFP: FQDN lookups are broken
https://fedorahosted.org/sssd/ticket/2405
use-after-free in dyndns code
https://fedorahosted.org/sssd/ticket/2406
Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
https://fedorahosted.org/sssd/ticket/2407
simple_allow_groups does not lookup groups from other AD domains
https://fedorahosted.org/sssd/ticket/2409
On error, libnss_sss can mistakenly close descriptors it doesn't "own"
https://fedorahosted.org/sssd/ticket/2410
Race condition between sudo refresh
https://fedorahosted.org/sssd/ticket/2418
sssd does not recognize Windows server 2012 R2's LDAP as AD
https://fedorahosted.org/sssd/ticket/2421
Dereference code errors out when dereferencing entries protected by ACIs
https://fedorahosted.org/sssd/ticket/2436
ipa user private group not found
== Detailed Changelog ==
Ian Lee (1):
* Add user lookup and session dependencies to systemd service file.
Jakub Hrozek (32):
* Updating the version for the 1.11.7 release
* BUILD: dbusintrospectdir is not used anymore
* IFP: Fix DEBUG messages
* IFP: Return a specific value on failure connecting to the system bus
* IFP: Provide a SBUS method to reconnect to sysbus
* MONITOR: Signal InfoPipe to reconnect on SIGUSR2
* TOOLS: New helper tool sss_signal
* BUILD: Add the DBus service activation
* IFP: Fix lookups with fully-qualified names
* RPM: Restart service in %posttrans, not %post
* NSS: Ignore default_domain for netgroups
* Only replace space with the specified substitution
* Make the space override responder-agnostic
* PAM: Use the override_space option
* IFP: Use the override_space option
* SUDO: Use the override_space option
* IPA: handle searches by SID in apply_subdomain_homedir
* Revert "IPA: new attribute map for non-posix groups"
* Revert "IPA: process non-posix nested groups"
* Revert "IPA: try to resolve nested groups as poxix group"
* LDAP: Do not shortcut on ret != EOK during password expiry check
* LDAP: Split out linking primary group members into a separate function
* LDAP: Don't add a user member twice when adding a primary group
* LDAP: Use tmp_ctx in ldap_child for temporary data
* LDAP: Use randomized ccname for storing credentials
* LDAP: Add Windows Server 2012 R2 functional level
* LDAP: Fall back to functional level of Windows Server 2003
* LDAP: Enable tokenGroups with Windows Server 2003
* LDAP: Ignore returned referrals if referral support is disabled
* LDAP: Skip dereferenced entries that we are not permitted to read
* Ignore referrals in deref and ASQ, too
* Updating the translations for the 1.11.7 release
Jan Cholasta (1):
* SSH: Allow newline at the end of public key values in LDAP
Lukas Slebodnik (19):
* Don't use macro _XOPEN_SOURCE for function strptime
* sss_client: thread safe initialisation of sss_cli_mc_ctx
* sss_client: Fix memory leak in nss_mc_{group,passwd}
* LDAP: Remove unused option ldap_netgroup_uuid
* LDAP: Remove unused option ldap_group_uuid
* LDAP: Remove unused option ldap_user_uuid
* test_utils: Use common header file for libsss_util tests.
* UTIL: Add functions for replacing whitespaces.
* NSS: Replace spaces with specified string in names.
* dyndns_test: Use right socket length of for IPv4 address.
* responder-get-domains-tests: fix checking of leaks
* test_dyndns: Use different talloc context in wrapped functions.
* TESTS: leak_check functions shouldn't be called with NULL context
* dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
* test_dyndns: sss_iface_addr_list_get can return more values
* SDAP: free subrequest in sdap_dyndns_update_addrs_done
* SDAP: Immediately finish request for empty array
* SDAP: Use different talloc_context for array of names
* SDAP: Update groups for user just once.
Michal Zidek (6):
* ptask: Allow adding random_offset to scheduled execution time
* ptask: Add backoff feature to the ptask api.
* Exit offline mode only if server is available.
* MAN: How much time sssd spends offline
* Add alternative objectClass to group attribute maps
* Use the alternative objectclass in group maps.
Michal Šrubař (1):
* LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'
Nalin Dahyabhai (1):
* sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors
Nikolai Kondrashov (1):
* build: Switch back to DISTCHECK_CONFIGURE_FLAGS
Pavel Březina (9):
* sbus_request: fix potential NULL dereference
* ad: comment ENOENT when id mapping is disabled
* ad: update membership after SIDs are resolved
* sudo: fetch sudoRunAs attribute
* sudo: use dbus array for rules refresh
* sudo: replace asterisk with escape sequence in host filter
* failover: set port status to not working if previous srv lookup failed
* ad initgroups: continue if resolved SID is still missing
* sudo: work with correct D-Bus iterator
Pavel Reichl (18):
* TESTS: sss_ssh - textual public key format
* LDAP: tokengroups do not work with id_provider=ldap
* SDAP: Continue resolving SID even if some fail
* IPA: new attribute map for non-posix groups
* IPA: process non-posix nested groups
* IPA: try to resolve nested groups as poxix group
* SDAP: split sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_send
* SDAP: nitpicks in sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_done
* SDAP: don't log error on access denied
* SDAP: refactor AC offline checks
* SDAP: new option - DN to ppolicy on LDAP
* SDAP: account lockout to restrict access via ssh key
* MAN: options 'lockout' and 'ldap_pwdlockout_dn'
* IPA: process non-posix nested groups
* AD: process non-posix nested groups w/o tokenGroups
* AD: process non-posix nested groups using tokenGroups
Sumit Bose (1):
* Replace space: add some checks
9 years, 7 months
SSSD 1.11.7?
by Jakub Hrozek
Hi,
I think we have all the patches for 1.11.7 in. Can we tag and release
it?
9 years, 7 months
[PATCH] CI: Preserve mock config timestamps
by Nikolai Kondrashov
Hi everyone,
This patch adds preserving of mock configuration timestamps, so mock root
cache is not rebuilt unnecessarily, shaving off about a minute of CI run time.
Nick
9 years, 7 months
[PATCHES] TESTS: Fix memory leaks
by Nikolai Kondrashov
Hi everyone,
These patches fix a few test memory leaks detected by Valgrind.
While these are not important for test functionality, fixing them will let us
keep Valgrind reports clean and enable binary Valgrind test results in CI.
Nick
9 years, 7 months