this patch set contains some improvements for the view related code on
IPA client. Most of them are performance related, patches 4,5 and 6 make
sure that during group requests all members are properly resovled if a
non-default view is applied to be able to handle user name overrides.
the attached patch is related to GPO offline functionality, please check
the commit message.
To reproduce, set up an AD client with GPOs, make sure credential
caching is enabled. Log in as a permitted user to cache the credentials.
Go offline, in my case by pointing resolv.conf to a DNS server that
doesn't know the AD domain. Attempt to log in.
these two patches add a missing part to
https://fedorahosted.org/sssd/ticket/2481 (ID Views implementation does
not support IPA user&group overrides). Since it is not allowed to have
ghost members if a non-default view is applied because otherwise user
name overrides would not be covered ghosts members have to be resolved
for IPA groups in this case. The changes are only in the IPA provider so
they should not cause a regression in other providers. Since the generic
LDAP code use some IPA specific optimizations (derives user name from
the user's DN to avoid LDAP lookups) there wouldn't be a performance
benefit if this change would be in the generic LDAP code.
the attached patches work around the Samba bug
To reproduce, set a high "log level" in smb.conf and attempt to log in.
At least with RHEL-7.1's Samba version, the gpo_child output would
contain error messages unless there is a file called /root/.smb/smb.conf
exists. Then processing the buffer gpo_child sends to parent would fail.
I'm not thrilled about using such a heavy-weight change and
special-casing where gpo_child sends output but I couldn't think of a
I'll include unit test for the child_common change along with the other
child_common tests (it's easier to build upon them).
for past few days, I've been working on python3-compat patch for sssd. The patch  is attached to the issue that requests this feature .
- The patch tries to maintain backward compatibility for Python 2.6 and 2.7 - I admit I only tested 2.7 so far, but it seemed to work ok.
- I didn't yet solve the build part - for now, I just handedit configure.ac to set "PYTHON=python3" and src/external/python.m4 to set "AC_PATH_PROG(PYTHON, python3)" and compile with that.
- I managed to run Python tests in src/tests except python-test.py itself (it says "OSError: [Errno 5] Could not initialize connection to the confdb" and I didn't yet investigate why that happens).
- To run tests, one must modify the hashbangs to /usr/bin/python3 (I now see that I left one of these in the actual patch, so please disregard that).
I'd like to ask you, sssd devels, to give me some comments on the patch (or ask questions) and if you have some time to spare, doing more extensive testing would also be very welcome.
Bohuslav "Slavek" Kabrda.