[PATCH] CI: Move intgcheck to essential set
by Nikolai Kondrashov
Hi everyone,
We had an integration test issue sneak into our public repo, because
gatekeepers only run essential CI test set by default.
The attached patch moves the integration tests to that set to avoid the issue
in the future and to also have more bugs caught, potentially.
Nick
8 years, 10 months
Announcing SSSD 1.12.5
by Jakub Hrozek
=== SSSD 1.12.5 ===
The SSSD team is proud to announce the release of version 1.12.5 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 21, 22 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release adds several new enhancements and fixes many bugs
* Notable new enhancements:
* The background refresh task now supports refreshing users and groups
as well. Please see the description of the `refresh_expired_interval`
parameter in the `sssd.conf` man page.
* A new option subdomain_inherit was added. Options included in
the subdomain_inherit option also apply for trusted domains, if
supported. This release supports inheriting ignore_group_members,
ldap_purge_cache_timeout, ldap_use_tokengroups and
ldap_user_principal.
* When an expired account attempts to log in, a configurable error
message can be displayed with sufficient pam_verbosity setting. Please
see the description of the pam_account_expired_message option for
more information.
* OpenLDAP ppolicy can be honored even when an alternate login method
(such as SSH key) is used. Please see the description of the new
ppolicy value of the ldap_access_order option.
* A new option krb5_map_user was added. This option allows the admin
to map UNIX usernames to Kerberos principals. The option would be
mostly useful for setups that wish to continue using UNIX file-based
identities together with SSSD Kerberos authentication
* The important bug fixes include:
* Several AD-specific bugs that resulted in the incorrect set of groups
being displayed after the initgroups operation were fixed
* Many fixes related to the IPA ID views feature are included. Setups
using the ID views feature should update the SSSD instance on both
IPA servers and clients.
* The AD provider now handles binary GUIDs correctly. This bug was
manifested with an error message saying ldb_modify failed: Invalid
attribute syntax.
* The AD provider no longer downloads full group objects during
initgroups request if POSIX attributes are used. This fix may speed
up the login times significantly.
* A bug that prevented the `ignore_group_members` parameter from being used
with the AD provider was fixed
* The fail over code now reads and honors TTL value for SRV queries
as well. Previously, SRV queries used a hardcoded timeout
* The SELinux context setup during login with the IPA provider is only
performed if the context has changed. This fixes a performance regression
with the IPA provider.
* A race condition between setting the timeout in the back ends and
reading it in the front end during initgroup operation was fixed. This
bug affected applications that perform the `initgroups(3)` operation
in multiple processes simultaneously.
* Setups that only want to use the domain SSSD is connected to, but not
the autodiscovered trusted domains by setting `subdomains_provider=none`
now work correctly as long as the domain SID is set manually in the
config file
* In case only allow rules are used, the simple access provider is
now able to skip unresolvable groups.
* The GPO access control code now handles situations where user and
computer objects were in different domains. Previously, an attempt to
log in as a user from a different domain than the computer always resulted
in login failure.
== Packaging Changes ==
* The cmocka unit tests now require cmocka version 1.0 or later
* The libsss_krb5_common.so library had been moved to the sssd-common
subpackage to avoid ordering issues between libsss_krb5_common and
libsss_ldap_common
* The proxy_child helper binary was marked as setuid in order for the
proxy provider to work without root privileges.
== Documentation Changes ==
* A new option subdomain_inherit was added. See the highlights section
for more details.
* A new option krb5_map_user was added. See the highlights section for
more details.
* The ldap_access_order option accepts new value ppolicy.
* Account expiration message can be customized using a new option
pam_account_expired_message
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1884
[RFE] Read and use the TTL value when resolving a SRV query
https://fedorahosted.org/sssd/ticket/2050
ssh login reject is abrupt
https://fedorahosted.org/sssd/ticket/2167
[RFE] Allow SSSD to issue shadow expiration warning even if alternate
authentication method is used
https://fedorahosted.org/sssd/ticket/2346
[RFE] Implement background refresh for users and groups
https://fedorahosted.org/sssd/ticket/2444
extop request marks dp_req as failed when an entry is not found
https://fedorahosted.org/sssd/ticket/2507
Cyclic dependencies between sssd-ldap and krb5-common
https://fedorahosted.org/sssd/ticket/2509
RFE: Handle setups with id_provider=proxy and auth_provider=krb5 better
https://fedorahosted.org/sssd/ticket/2513
Add a hint on using DEBUG levels to the troubleshooting page
https://fedorahosted.org/sssd/ticket/2528
Document that libkrb5 and sssd use different expansion templates
for principals
https://fedorahosted.org/sssd/ticket/2534
[RFE] Lock out ssh keys when account naturally expires
https://fedorahosted.org/sssd/ticket/2587
With empty ipaselinuxusermapdefault security context on client is staff_u
https://fedorahosted.org/sssd/ticket/2588
Properly handle AD's binary objectGUID
https://fedorahosted.org/sssd/ticket/2591
sssd nss bug update vs create cache
https://fedorahosted.org/sssd/ticket/2592
ccname_file_dummy is not unlinked on error
https://fedorahosted.org/sssd/ticket/2598
sssd_nss segfaults if initgroups request is by UPN and doesn't find
anything
https://fedorahosted.org/sssd/ticket/2601
SSSD downloads too much information when fetching information about groups
https://fedorahosted.org/sssd/ticket/2604
sssd_be segfault on IPA(when auth with AD trusted domain) client at
src/providers/ipa/ipa_s2n_exop.c:1605
https://fedorahosted.org/sssd/ticket/2606
GPO access control looks for computer object in user's domain only
https://fedorahosted.org/sssd/ticket/2608
sssd crashes intermittently
https://fedorahosted.org/sssd/ticket/2611
sssd_be dumping core if enumeration times out
https://fedorahosted.org/sssd/ticket/2612
ldap_access_order=ppolicy: Explicitly mention in manpage that unsupported
time specification will lead to sssd denying access
https://fedorahosted.org/sssd/ticket/2613
sysdb sudo search doesn't escape special characters
https://fedorahosted.org/sssd/ticket/2614
id lookup resolves "Domain Local" group and errors appear in domain log
https://fedorahosted.org/sssd/ticket/2624
Only set the selinux context if the context differs from the local one
https://fedorahosted.org/sssd/ticket/2629
sssd_be segfault id_provider = ad src/providers/ad/ad_gpo.c:843
https://fedorahosted.org/sssd/ticket/2630
Overrides with --login work in second attempt
https://fedorahosted.org/sssd/ticket/2631
idoverridegroup for ipa group with --group-name does not work
https://fedorahosted.org/sssd/ticket/2632
Override with --login fails trusted adusers group membership resolution
https://fedorahosted.org/sssd/ticket/2633
Group resolution is inconsistent with group overrides
https://fedorahosted.org/sssd/ticket/2634
sssd nss responder gets wrong number of secondary groups
https://fedorahosted.org/sssd/ticket/2635
ID mapping does not work with disabled subdomains
https://fedorahosted.org/sssd/ticket/2642
Override for IPA users with login does not list user all groups
https://fedorahosted.org/sssd/ticket/2643
autofs provider fails when default_domain_suffix and
use_fully_qualified_names set
https://fedorahosted.org/sssd/ticket/2644
ignore_group_members doesn't work for subdomains
https://fedorahosted.org/sssd/ticket/2646
Disappeared groups with ad providers and enabled ignore_group_members
https://fedorahosted.org/sssd/ticket/2647
external users do not resolve with "default_domain_suffix" set in IPA
server sssd.conf
https://fedorahosted.org/sssd/ticket/2649
/usr/libexec/sssd/selinux_child crashes and gets avc denial when ssh
https://fedorahosted.org/sssd/ticket/2650
Unable to resolve group memberships for AD users when using
sssd-1.12.2-58.el7_1.6.x86_64 client in combination with
ipa-server-3.0.0-42.el6.x86_64 with AD Trust
https://fedorahosted.org/sssd/ticket/2654
sssd_be crashed if initialisation of proxy_child failed
https://fedorahosted.org/sssd/ticket/2655
proxy provider does not work in non-root mode
https://fedorahosted.org/sssd/ticket/2659
IPA enumeration provider crashes
https://fedorahosted.org/sssd/ticket/2663
id lookup for non-root domain users doesn't return all groups on
first attempt
== Detailed changelog ==
Adam Tkac (1):
* Option filter_users had no effect for retrieving sudo rules
Aron Parsons (2):
* IPA: fix segfault in ipa_s2n_exop
* autofs: fix 'Cannot allocate memory' with FQDNs
Daniel Hjorth (1):
* LDAP: unlink ccname_file_dummy if there is an error
Jakub Hrozek (34):
* Updating the version for the 1.12.5 release
* resolv: Use the same default timeout for SRV queries as previously
* FO: Use SRV TTL in fail over code
* selinux: Delete existing user mapping on empty default
* NSS: Handle ENOENT when doing initgroups by UPN
* selinux: Handle setup with empty default and no configured rules
* tests: convert all unit tests to cmocka 1.0 or later
* RPM: BuildRequire libcmocka >= 1.0
* build: Only run cmocka tests if cmocka 1.0 or newer is available
* Resolv: re-read SRV query every time if its TTL is 0
* IPA: Use custom error codes when validating HBAC rules
* IPA: Drop useless sysdb parameter
* IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled
* IPA: Deprecate the ipa_hbac_treat_deny_as option
* selinux: Disconnect before closing the handle
* selinux: Begin and end the transaction on the same nesting level
* selinux: Only call semanage if the context actually changes
* tests: Use cmocka-1.0+ API in test_sysdb_utils
* sysdb: Add cache_expire to the default
sysdb_search_object_by_str_attr set
* SELINUX: Avoid disconnecting disconnected handle
* LDAP: return after tevent_req_error
* MAN: refresh_expired_interval also supports users and groups
* tests: ncache_hit must be an int to test UPNs
* tests: Add a getpwnam-by-UPN test
* Add unit tests for initgroups
* Download complete groups if ignore_group_members is set with
tokengroups
* DP: Set extra_value to NULL for enum requests
* Skip enumeration requests in IPA and AD providers as well
* confdb: Add new option subdomain_inherit
* DP: Add a function to inherit DP options, if set
* SDAP: Add sdap_copy_map_entry
* UTIL: Inherit ignore_group_members
* subdomains: Inherit cleanup period and tokengroup settings from
parent domain
* Updating translations for the 1.12.5 release
Lukas Slebodnik (19):
* Log reason in debug message why ldb_modify failed
* ipa_selinux: Fix warning may be used uninitialized
* memberof: Do not create request with 0 attribute values
* CLIENT: Clear errno with enabled sss-default-nss-plugin
* GPO: Check return value of ad_gpo_store_policy_settings
* SDAP: Do not set gid 0 twice
* SDAP: Extract filtering AD group to function
* SDAP: Filter ad groups in initgroups
* GPO: Do not ignore missing attrs for GPOs
* sss_nss_idmap-tests: Use different prepared buffers for big endian
* SDAP: Fix id mapping with disabled subdomains
* SPEC: Fix cyclic dependencies between sssd-{krb5,}-common
* negcache: Soften condition for expired entries
* test_nss_srv: Use right function for storing time_t
* nss: Do not ignore default value of SYSDB_INITGR_EXPIRE
* SDAP: Set initgroups expire attribute at the end
* SDAP: Remove unnecessary argument from sdap_save_user
* PROXY: proxy_child should work in non-root mode
* PROXY: Do not register signal with SA_SIGINFO
Michal Zidek (2):
* DEBUG: Add missing strings for error messages
* test: Check ERR_LAST
Pavel Březina (8):
* be_refresh: refresh all domains in backend
* sdap_handle_acct_req_send: remove be_req
* be_refresh: refactor netgroups refresh
* be_refresh: add sdap_refresh_init
* be_refresh: support users
* be_refresh: support groups
* enumeration: fix talloc context
* sudo: sanitize filter values
Pavel Reichl (18):
* PAM: do not reject abruptly
* PAM: new option pam_account_expired_message
* PAM: warn all services about account expiration
* PAM: check return value of confdb_get_string
* SDAP: refactor pwexpire policy
* SDAP: enable change phase of pw expire policy check
* UTIL: convert GeneralizedTime to unix time
* SDAP: Lock out ssh keys when account naturally expires
* SDAP: fix minor neglect in is_account_locked()
* ldap_child: fix coverity warning
* MAN: libkrb5 and SSSD use different expansions
* IPA: set EINVAL if dn can't be linearized
* LDAP: remove unused code
* LDAP: fix a typo in debug message
* MAN: Update ppolicy description
* simple-access-provider: make user grp res more robust
* LDAP: warn about lockout option being deprecated
* krb5: new option krb5_map_user
Stephen Gallagher (3):
* AD: Clean up ad_access_gpo
* AD: Always get domain-specific ID connection
* AD GPO: Always look up GPOs from machine domain
Sumit Bose (25):
* ldap_child: initialized ccname_file_dummy
* PAM: use the logon_name as the key for the PAM initgr cache
* pam_initgr_check_timeout: add debug output
* ipa: do not treat missing sub-domain users as error
* ipa: make sure extdom expo data is available
* LDAP/AD: do not resolve group members during tokenGroups request
* IPA idviews: check if view name is set
* IPA: make sure output variable is set
* GPO: error out instead of leaving array element uninitialized
* sdap: properly handle binary objectGuid attribute
* IPA: do not try to save override data for the default view
* IPA: use sysdb_attrs_add_string_safe to add group member
* IPA: check ghosts in groups found by uuid as well
* IPA: allow initgroups by SID for AD users
* IPA: do initgroups if extdom exop supports it
* IPA: update initgr expire timestamp conditionally
* IPA: enhance ipa_initgr_get_overrides_send()
* IPA: search for overrides during initgroups in server mode
* IPA: do not add domain name unconditionally
* NSS: check for overrides before calling backend
* IPA: allow initgroups by UUID for FreeIPA users
* SDAP: use DN to update entry
* IPA: do not fail if view name lookup failed on older versions
* libwbclient-sssd: update interface to version 0.12
* ldap: use proper sysdb name in groups_by_user_done()
8 years, 10 months
[PATCHES] Support one-way trusts with AD domains in IPA server mode
by Jakub Hrozek
Hi,
the attached patches implement most of the one-way trust functionality.
The trust directions, fetching keytabs and using different keytabs and
different principals works well for me. I'm still working on changing
the ldap_child to either use ccache collection or using the environment
variables safer, also the failover changes are still missing. But the
feature is testable in my opinion.
There are two NOSUBMIT patches that are useful only for testing until
patches that allow the IPA server principal to read the direction are
available. I hope exposing my super-secret DM password like that is OK,
please change these patches in your testing..
Several patches are not strictly related to one-way trusts, but unify
the info we store for subdomains in IPA and AD or info we store for
subdomains that represent forest root versus member domains.
There are also patches that rename or refactor a bit functions in the
ad_common.c module. I hope this is acceptable, because I had a hard time
re-learning my way around the module. I still think we need to make the
code that selects the appropriate principal from keytab readable better,
currently the setting of "desired_primary" and "default_primary" is a
total mess.
Most of the code is also unit-tested, so several patches just change
tests.
Here are some points I'd like to get reviewed carefully as I'm not sure
about them myself:
- do we need the SD_TRUST_DIRECTION_NOT_SET enum? I was going back
and forth between having it and just using either a NULL pointer
if the trust direction is unknown or a zero value.
- is the reading of the direction OK? Do we fall back the way we
should?
- are the additional data stored with (sub)domains like forest
stored for forest root subdomains and realm for master domains OK? In
my opinion they make processing of domains easier as there's fewer
special cases..
- should I add a full-blown getter for the forest_root member of
sss_domain_info as a first step towards making the structure
opaque?
Also feel free to propose more tests, either scenarios that I should
test manually or something that should be unit tested.
8 years, 10 months
[PATCH] SDAP: Log failure from sysdb_handle_original_uuid
by Lukas Slebodnik
ehlo,
I was reviewing patch for sysdb_handle_original_uuid
and I found out that debug message is not printed after each invocation of this
function. It was also reported by clang.
Simple patch is attached.
LS
8 years, 10 months
RFC: SSSD-1.12.5 release notes
by Jakub Hrozek
Hi,
I would like to release 1.12.5 tomorrow (Fri Jun 12), so I prepared
the release notes page:
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.5
1.12.5 is going to be slightly larger than usual, so I split the highlights
section into enhancements and fixes. Please reply to this mail or edit
the wiki right away..
For your convenience, the wiki text is also included inline.
Thank you!
== Highlights ==
* This release adds several new enhancements and fixes many bugs
* Notable new enhancements:
* The background refresh task now supports refreshing users and groups as well. Please see the description of the `refresh_expired_interval` parameter in the `sssd.conf` man page.
* A new option subdomain_inherit was added. Options included in subdomain_inherit also apply for trusted domains, if supported. This release supports inheriting `ignore_group_members`, `ldap_purge_cache_timeout`, `ldap_use_tokengroups` and `ldap_user_principal`.
* When an expired account attempts to log in, a configurable error message can be displayed with sufficient `pam_verbosity` setting
* OpenLDAP ppolicy can be honored even when an alternate login method (such as SSH key) is used. Please see the description of the new `ppolicy` value of the `ldap_access_order` option.
* A new option `krb5_map_user` was added. This option allows the admin to map UNIX usernames to Kerberos principals. The option would be mostly useful for setups that wish to continue using UNIX file-based identities together with SSSD Kerberos authentication
* The important bug fixes include
* Several AD-specific bugs that resulted in the correct set of groups not being displayed after initgroups operation were fixed
* Many fixes related to the IPA ID views feature are included. Setups using the ID views feature should update the SSSD instance on both IPA servers and clients.
* The AD provider now handles binary GUIDs correctly. This bug was manifested with an error message saying "ldb_modify failed: Invalid attribute syntax".
* The AD provider no longer downloads full group objects during initgroups request if POSIX attributes are used. This fix may speed up the login times significantly.
* A bug that prevented the `ignore_group_members` parameter from being used with the AD provider was fixed
* The fail over code now reads and honors TTL value for SRV queries as well. Previously, SRV queries used a hardcoded timeout
* The SELinux context setup during login with the IPA provider is only performed if the context has changed. This fixes a performance regression with the IPA provider.
* A race condition between setting the timeout in the back ends and reading it in the front end during initgroup operation was fixed. This bug affected applications that perform the `initgroups(3)` operation in multiple processes simultaneously.
* Setups that only want to use the domain SSSD is connected to by setting `subdomains_provider=none` now work correctly as long as the domain SID is set manually in the config file
* In case only allow rules are used, the simple access provider is now able to skip unresolvable groups.
* The GPO access control code now handles situations where user and computer objects were in different domains. Previously, an attempt to log in as a user from a different domain than the computer always resulted in login failure.
== Documentation Changes ==
* A new option `subdomain_inherit` was added. See the highlights section for more details.
* A new option `krb5_map_user` was added. See the highlights section for more details.
* The `ldap_access_order` option accepts new value `ppolicy`.
* Account expiration message can be customized using a new option `pam_account_expired_message`
8 years, 10 months
[PATCH] dyndns: ipa_dyndns.h missed declaration of used data
by Pavel Reichl
> There are some other issues with the header file, if you want to go wild
> -- it uses be_ctx but doesn't bring in the API that declares be_ctx.
> Same for ipa_options and errno_t.
Hello,
please see simple patch attached.
Thanks!
8 years, 10 months
Re: [SSSD] [INI] Patches for the INI configuration modification
by Dmitri Pal
On 05/30/2015 03:47 PM, Lukas Slebodnik wrote:
> On (02/01/15 14:47), Dmitri Pal wrote:
>> Hello,
>>
>> Please find attached patches for the new interface to modify configuration
>> files using libini_config.
>>
> Dmitri,
> I was writing additional unit tests for missing parts
> and I found a small problem with INI_VA_MOD and INI_VA_MODADD
>
> The documentation says:
> /**
> * @brief Update a specific value (best effort).
> *
> * Value of the index is used to determine which one of the duplicates
> * needs to be updated. Index is 0-based. If the index is out of range
> * the function will do best effort and return the last instance of the key.
> * For example if you have five duplicates and you are searching for the tenth
> * the function will find and return the fifth instance.
> */
> INI_VA_MOD = 1,
>
> Input config:
> key0 = valuer0
> key1 = value1a
> key1 = value1b
> key1 = value1c
> key1 = value1d
> key2 = value2
> key3 = value3
>
>
> Expected: Result:
> [zero] [zero]
> [one] [one]
> key0 = valuer0 key0 = valuer0
> key1 = value1a key1 = value1a
> key1 = value1b key1 = value1b
> key1 = value1c key1 = value1c
> key1 = newvalue <<<<<<<<<< key1 = value1d <<<<<<<
> key2 = value2 <<<<<<<<<< key2 = newvalue <<<<<<<
> key3 = value3 key3 = value3
>
>
> I need the second pair of eyes to look into this issue.
> I will appreciate if you could find few minutes.
> Attached is updated patches with check-based unit for this problem.
> (ini_configmod_ut_check)
I have not looked at that yet. However I reviewed the patch where you
fix the leak - that one makes sense.
Other patches (except the unit test which will take me a bit to digest)
look good. But I just reviewed them visually.
The patch with unit test is challenging and will take some time for me
to grasp.
>
> BTW. It's not clear to me what is a difference
> between INI_VA_MOD and INI_VA_MODADD
> or between INI_VA_MOD_E and INI_VA_MODADD_E.
> The code is the same.
With MOD or MOD_E you expect to modify a value so you expect that the
value exists. If the value does not exist the col_get_dup_item will
return ENOENT and the function ini_config_add_str_value will return
error too because you are trying to modify something that should exist
but it does not.
If you do not care whether some value exists you can use MODADD or
MODADD_E. In this case the ENOENT error is suppressed. See error
checking line (this is the difference). So later we check that item
exists. If it exists we will modify it, otherwise just add.
The difference between no _E suffix and with _E is what search we are
conducting: an exact one or not. For more details see col_get_dup_item.
In exact mode it will return error if you are asking for 10th duplicate
when there are just five. In not exact mode it will do its best as
described in the text you quoted at the top of this email.
HTH
Dmitri
>
> LS
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
8 years, 10 months
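The duplicate-index semantics discussed in the thread above (INI_VA_MOD versus INI_VA_MODADD, exact `_E` versus best-effort lookup, and the index-3 case from Lukas's report) are easier to reason about with a runnable model. The following C program is an added example, not ding-libs or libini_config code: the array-backed section, the function names `get_dup_item`/`ini_update_value`/`update_sample`, and the choice of ERANGE for an out-of-range index in exact mode are assumptions made for illustration. The sample section is the one from the report, constructed inline.

```c
/* Model of the duplicate-key update semantics described in the thread
 * (INI_VA_MOD, INI_VA_MOD_E, INI_VA_MODADD, INI_VA_MODADD_E).
 * Illustrative stand-in only, not the libini_config implementation: the
 * array-backed section, the function names and the ERANGE code for an
 * out-of-range index in exact mode are assumptions made for this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 16
#define STR_LEN   32

struct ini_item    { char key[STR_LEN]; char value[STR_LEN]; };
struct ini_section { struct ini_item items[MAX_ITEMS]; int count; };

enum va_mode { VA_MOD, VA_MOD_E, VA_MODADD, VA_MODADD_E };

/* Locate the idx-th (0-based) duplicate of key. Returns the item index, or -1
 * with *err set: ENOENT if the key is absent at all, ERANGE if idx is out of
 * range in exact mode. In best-effort mode an out-of-range idx resolves to
 * the last duplicate, as the quoted documentation for INI_VA_MOD says. */
static int get_dup_item(const struct ini_section *s, const char *key,
                        int idx, int exact, int *err)
{
    int last = -1, seen = 0;
    for (int i = 0; i < s->count; i++) {
        if (strcmp(s->items[i].key, key) != 0)
            continue;
        if (seen == idx) { *err = 0; return i; }
        last = i;
        seen++;
    }
    if (last < 0) { *err = ENOENT; return -1; }
    if (exact)    { *err = ERANGE; return -1; }
    *err = 0;
    return last;                     /* best effort: last instance of the key */
}

/* Apply one update. Returns the index of the item that now holds newval, or a
 * negative errno. MOD requires the key to exist; MODADD suppresses ENOENT and
 * appends the key instead. The _E variants use the exact lookup. */
int ini_update_value(struct ini_section *s, const char *key, int idx,
                     const char *newval, enum va_mode mode)
{
    int exact = (mode == VA_MOD_E || mode == VA_MODADD_E);
    int add   = (mode == VA_MODADD || mode == VA_MODADD_E);
    int err = 0;
    int i = get_dup_item(s, key, idx, exact, &err);

    if (i < 0 && err == ENOENT && add) {
        if (s->count >= MAX_ITEMS)
            return -ENOSPC;
        i = s->count++;
        snprintf(s->items[i].key, STR_LEN, "%s", key);
    } else if (i < 0) {
        return -err;
    }
    snprintf(s->items[i].value, STR_LEN, "%s", newval);
    return i;
}

/* The input config from the thread (constructed sample input). */
static void build_sample(struct ini_section *s)
{
    static const char *kv[][2] = {
        {"key0", "valuer0"}, {"key1", "value1a"}, {"key1", "value1b"},
        {"key1", "value1c"}, {"key1", "value1d"}, {"key2", "value2"},
        {"key3", "value3"},
    };
    s->count = 0;
    for (size_t n = 0; n < sizeof kv / sizeof kv[0]; n++) {
        snprintf(s->items[s->count].key,   STR_LEN, "%s", kv[n][0]);
        snprintf(s->items[s->count].value, STR_LEN, "%s", kv[n][1]);
        s->count++;
    }
}

/* Build the sample, apply one update with "newvalue" and return the result
 * of ini_update_value (item index on success, negative errno on failure). */
int update_sample(const char *key, int idx, enum va_mode mode)
{
    struct ini_section s;
    build_sample(&s);
    return ini_update_value(&s, key, idx, "newvalue", mode);
}

int main(void)
{
    struct ini_section s;
    build_sample(&s);
    /* The reported case: the 4th duplicate of key1 (index 3) must change,
     * key2 must stay untouched. */
    int i = ini_update_value(&s, "key1", 3, "newvalue", VA_MOD);
    for (int n = 0; n < s.count; n++)
        printf("%s = %s%s\n", s.items[n].key, s.items[n].value,
               n == i ? "   <<<" : "");
    return 0;
}
```

Running `main` prints the "Expected" column from the report: `key1 = newvalue` on the fourth duplicate and `key2 = value2` unchanged. The same `update_sample` helper also shows the two differences Dmitri describes: index 10 on a key with four duplicates falls back to the last one under VA_MOD but fails with ERANGE under VA_MOD_E, and a missing key fails with ENOENT under VA_MOD but is appended under VA_MODADD.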