sssd-devel October 2017

sssd-devel@lists.fedorahosted.org

11 participants
66 discussions

[sssd PR#402][opened] LDAP: Allow autogenerating user-private groups
by jhrozek 21 Oct '17

21 Oct '17

URL: https://github.com/SSSD/sssd/pull/402 Author: jhrozek Title: #402: LDAP: Allow autogenerating user-private groups Action: opened PR body: """ This PR exposes the already existing feature that generates private groups for user objects for the generic LDAP provider. Most of the work in the PR is tests and different corner cases, but there is also one commit that is technically backwards incompatible: SYSDB: Prevent users and groups ID collision in MPG domains Without checks for the collision, if an LDAP domain contains both a user entry and a group with the same gidNumber and the group is cached first, then the user is requested and cached, at that point the responder search by ID would return two objects. Therefore we need to guard against the duplicate IDs. Instead of the backwards incompatible change, we could also enable the check if the domain is neither subdomain nor a id_provider=local domain or we could prefer the user object if a group-by-GID search returns two results. But both alternatives seem like quite a hack to me and at the same time I wasn't able to find a way where the change matters except for the local domain -- and in that case I think the local domain doesn't matter as a whole. I've also sent a design page to the sssd-devel mailing list, my WIP version is at https://pagure.io/fork/jhrozek/SSSD/docs/blob/mpg/f/design_pages/auto_priva… """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/402/head:pr402 git checkout pr402

3 25

RFC: 1.16.0 release notes
by Jakub Hrozek 20 Oct '17

20 Oct '17

Hi, below are the 1.16.0 release notes in the RST format. Please feel free to provide feedback. SSSD 1.16.0 =========== Highlights ---------- Security fixes ^^^^^^^^^^^^^^ * This release fixes CVE-2017-12173: Unsanitized input when searching in local cache database. SSSD stores its cached data in an LDAP like local database file using ``libldb.`` To lookup cached data LDAP search filters like ``(objectClass=user)(name=user_name)`` are used. However, in ``sysdb_search_user_by_upn_res()``, the input was not sanitized and allowed to manipulate the search filter for cache lookups. This would allow a logged in user to discover the password hash of a different user. New Features ^^^^^^^^^^^^ * SSSD now supports session recording configuration through ``tlog``. This feature enables recording of everything specific users see or type during their sessions on a text terminal. For more information, see the ``sssd-session-recording(5)`` manual page. * SSSD can act as a client agent to deliver `Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>`_ policies defined on an IPA server. Fleet Commander provides a configuration management interface that is controlled centrally and that covers desktop, applications and network configuration. * Several new `systemtap <https://sourceware.org/systemtap/>`_ probes were added into various locations in SSSD code to assist in troubleshooting and analyzing performance related issues. Please see the ``sssd-systemtap(5)`` manual page for more information. * A new LDAP provide access control mechanism that allows to restrict access based on PAM's rhost data field was added. For more details, please consult the ``sssd-ldap(5)`` manual page, in particular the options ``ldap_user_authorized_rhost`` and the ``rhost`` value of ``ldap_access_filter``. Performance enhancements ^^^^^^^^^^^^^^^^^^^^^^^^ * Several attributes in the SSSD cache that are quite often used during cache searches were not indexed. This release adds the missing indices, which improves SSSD performance in large environments. Notable bug fixes ^^^^^^^^^^^^^^^^^ * The SSSD libwbclient implementation adjusted its behaviour in order to be compatible with Winbind's return value of wbcAuthenticateUserEx(). This enables the SSSD libwbclient library to work with Samba-4.6 or newer. * SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder did not protect the communication with the PAC responder with a mutex. This was causing multi-threaded applications that process the Kerberos PAC to miss a reply from SSSD and then were blocked until the default client timeout of 300 seconds passed. This release adds the mutex, which fixes the PAC responder usage in multi-threaded environments. * Previously, SSSD used to refresh several expired sudo rules by combining them into a long LDAP filter. This was ineffective, because the LDAP server had to process the query, but at that point, the client was quite often querying most or all of the sudo rules anyway. In this version, when the number of sudo rules to be refreshed exceeds the value of a new option ``sudo_threshold``, all sudo rules are fetched instead. * A bug in the sudo integration that prevented the rules from matching if the user name referenced in that rule was overriden with ``sss_override`` or IPA ID views was fixed * When SSSD is configured with ``id_provider=ad``, then a Kerberos configuration is created that instructs libkrb5 to use TCP for communication with the AD DC by default. This would save switching from UDP to TCP, which happens almost every time with the ``ad`` provider due to the PAC attached to the Kerberos ticket. Packaging Changes ----------------- * The ``sss_debuglevel`` and ``sss_cache`` utilities were superseded by ``sssctl`` commands ``sssctl debug-level`` and ``sssctl cache-expire``, respectively. While this change is backwards-compatible in the sense that the old commands continue to work, it is recommended to switch to the ``sssctl`` command which will in future encompass all SSSD administration tasks. * Two new manpages, ``sssd-session-recording(5)`` and ``sssd-systemtap(5)`` were added. * A new systemtap example script, which is packaged by default at ``/usr/share/sssd/systemtap/dp_request.stp`` was added. * A new directory called ``deskprofile`` under the SSSD state directory (typically ``/var/lib/sss/``) was added. SSSD downloads the Fleet Commander profiles into this directory. Documentation Changes --------------------- * The ``ldap_user_certificate`` option has changed its default value in the LDAP provider from "not set" to ``userCertificate;binary``. * The ``ldap_access_filter`` option has a new allowed value ``rhost`` to support access control based on the PAM rhost value. The attribute that SSSD reads during the rhost access control can be configured using the new option ``ldap_user_authorized_rhost``. * The thresholds after which the IPA and LDAP sudo providers will refresh all sudo rules instead of only the expired ones can be tuned using the ``sudo_threshold`` option. * A new provider handler, ``session_provider`` was added. At the moment, only two handlers, ``ipa`` and ``none`` are supported. The IPA session handler is used to fetch the Fleet Commander profiles from an IPA server. * The interval after which the IPA session provider will check for new FleetCommander profiles can be configured using the new ``ipa_deskprofile_request_interval`` option. Tickets Fixed ------------- * `#3549 <https://pagure.io/SSSD/sssd/issue/3549>`_ - CVE-2017-12173: Unsanitized input when searching in local cache database * `#3531 <https://pagure.io/SSSD/sssd/issue/3531>`_ - dbus-1.11.18 caused hangs in cwrap integration tests * `#3518 <https://pagure.io/SSSD/sssd/issue/3518>`_ - sssd_client: add mutex protected call to the PAC responder * `#3511 <https://pagure.io/SSSD/sssd/issue/3511>`_ - sssd incorrectly checks 'try_inotify' thinking it is the wrong section * `#3508 <https://pagure.io/SSSD/sssd/issue/3508>`_ - Issues with certificate mapping rules * `#3501 <https://pagure.io/SSSD/sssd/issue/3501>`_ - Accessing IdM kerberos ticket fails while id mapping is applied * `#3491 <https://pagure.io/SSSD/sssd/issue/3491>`_ - pysss_nss_idmap: py3 constants defined as strings or bytes * `#3485 <https://pagure.io/SSSD/sssd/issue/3485>`_ - getsidbyid does not work with 1.15.3 * `#3481 <https://pagure.io/SSSD/sssd/issue/3481>`_ - ERROR at setup of test_kcm_sec_init_list_destroy * `#3459 <https://pagure.io/SSSD/sssd/issue/3459>`_ - Allow fallback from krb5_aname_to_localname to other krb5 plugins * `#3461 <https://pagure.io/SSSD/sssd/issue/3461>`_ - unable to access cifs share using sssd-libwbclient * `#3488 <https://pagure.io/SSSD/sssd/issue/3488>`_ - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server * `#3478 <https://pagure.io/SSSD/sssd/issue/3478>`_ - sudo: fall back to the full refresh after reaching a certain threshold * `#3473 <https://pagure.io/SSSD/sssd/issue/3473>`_ - Failures on test_idle_timeout() * `#3472 <https://pagure.io/SSSD/sssd/issue/3472>`_ - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. * `#3363 <https://pagure.io/SSSD/sssd/issue/3363>`_ - secrets: Per UID secrets quota * `#3507 <https://pagure.io/SSSD/sssd/issue/3507>`_ - Long search filters are created during IPA sudo command + command group retrieval * `#3499 <https://pagure.io/SSSD/sssd/issue/3499>`_ - Change the ldap_user_certificate to userCertificate;binary for the generic LDAP provider as well * `#3482 <https://pagure.io/SSSD/sssd/issue/3482>`_ - Fleet Commander: Add a timeout to avoid contacting the DP too often in case there was no profile fetched in the last login * `#3460 <https://pagure.io/SSSD/sssd/issue/3460>`_ - id root triggers an LDAP lookup * `#3315 <https://pagure.io/SSSD/sssd/issue/3315>`_ - infopipe: org.freedesktop.sssd.infopipe.Groups.Group doesn't show users * `#3308 <https://pagure.io/SSSD/sssd/issue/3308>`_ - SELinux: Use libselinux's getseuserbyname to get the correct seuser * `#3307 <https://pagure.io/SSSD/sssd/issue/3307>`_ - RFE: Log to syslog when sssd cannot contact servers, goes offline * `#3306 <https://pagure.io/SSSD/sssd/issue/3306>`_ - infopipe: List* with limit = 0 returns 0 results * `#3305 <https://pagure.io/SSSD/sssd/issue/3305>`_ - infopipe: crash when filter doesn't contain '*' * `#3254 <https://pagure.io/SSSD/sssd/issue/3254>`_ - Set udp_preference_limit=0 by sssd-ad using a krb5 snippet * `#2995 <https://pagure.io/SSSD/sssd/issue/2995>`_ - RFE: Deliver FleetCommander URL endpoint from an IPA server * `#2893 <https://pagure.io/SSSD/sssd/issue/2893>`_ - [RFE] Conditionally wrap user terminal with tlog * `#3513 <https://pagure.io/SSSD/sssd/issue/3513>`_ - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only * `#3450 <https://pagure.io/SSSD/sssd/issue/3450>`_ - Unnecessary second log event causing much spam to syslog * `#3417 <https://pagure.io/SSSD/sssd/issue/3417>`_ - MAN: document that attribute 'provider' is not allowed in section 'secrets' * `#3399 <https://pagure.io/SSSD/sssd/issue/3399>`_ - Improve description of 'trusted domain section' in sssd.conf's man page * `#3061 <https://pagure.io/SSSD/sssd/issue/3061>`_ - Add systemtap probes into the top-level data provider requests * `#2809 <https://pagure.io/SSSD/sssd/issue/2809>`_ - CI doesn't work with DNF * `#2301 <https://pagure.io/SSSD/sssd/issue/2301>`_ - Print a warning when enumeration is requrested but disabled * `#1898 <https://pagure.io/SSSD/sssd/issue/1898>`_ - Move header files consumed by both server and client to special folder * `#3517 <https://pagure.io/SSSD/sssd/issue/3517>`_ - Prevent "TypeError: must be type, not classobj" * `#3147 <https://pagure.io/SSSD/sssd/issue/3147>`_ - sssctl: get and set debug level * `#3057 <https://pagure.io/SSSD/sssd/issue/3057>`_ - Merge existing command line tools into sssctl

2 4

Announcing SSSD 1.16.0
by Jakub Hrozek 20 Oct '17

20 Oct '17

SSSD 1.16.0 =========== The SSSD team is proud to announce the release of version 1.16.0 of the System Security Services Daemon. The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/ RPM packages will be made available for Fedora shortly. Feedback -------- Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users Highlights ---------- Security fixes ^^^^^^^^^^^^^^ * This release fixes CVE-2017-12173: Unsanitized input when searching in local cache database. SSSD stores its cached data in an LDAP like local database file using libldb. To lookup cached data LDAP search filters like (objectClass=user)(name=user_name) are used. However, in sysdb_search_user_by_upn_res(), the input was not sanitized and allowed to manipulate the search filter for cache lookups. This would allow a logged in user to discover the password hash of a different user. New Features ^^^^^^^^^^^^ * SSSD now supports session recording configuration through tlog. This feature enables recording of everything specific users see or type during their sessions on a text terminal. For more information, see the sssd-session-recording(5) manual page. * SSSD can act as a client agent to deliver Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander> policies defined on an IPA server. Fleet Commander provides a configuration management interface that is controlled centrally and that covers desktop, applications and network configuration. * Several new systemtap <https://sourceware.org/systemtap/> probes were added into various locations in SSSD code to assist in troubleshooting and analyzing performance related issues. Please see the sssd-systemtap(5) manual page for more information. * A new LDAP provide access control mechanism that allows to restrict access based on PAM's rhost data field was added. For more details, please consult the sssd-ldap(5) manual page, in particular the options ldap_user_authorized_rhost and the rhost value of ldap_access_filter. Performance enhancements ^^^^^^^^^^^^^^^^^^^^^^^^ * Several attributes in the SSSD cache that are quite often used during cache searches were not indexed. This release adds the missing indices, which improves SSSD performance in large environments. Notable bug fixes ^^^^^^^^^^^^^^^^^ * The SSSD libwbclient implementation adjusted its behaviour in order to be compatible with Winbind's return value of wbcAuthenticateUserEx(). This enables the SSSD libwbclient library to work with Samba-4.6 or newer. * SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder did not protect the communication with the PAC responder with a mutex. This was causing multi-threaded applications that process the Kerberos PAC to miss a reply from SSSD and then were blocked until the default client timeout of 300 seconds passed. This release adds the mutex, which fixes the PAC responder usage in multi-threaded environments. * Previously, SSSD used to refresh several expired sudo rules by combining them into a long LDAP filter. This was ineffective, because the LDAP server had to process the query, but at that point, the client was quite often querying most or all of the sudo rules anyway. In this version, when the number of sudo rules to be refreshed exceeds the value of a new option sudo_threshold, all sudo rules are fetched instead. * A bug in the sudo integration that prevented the rules from matching if the user name referenced in that rule was overriden with sss_override or IPA ID views was fixed * When SSSD is configured with id_provider=ad, then a Kerberos configuration is created that instructs libkrb5 to use TCP for communication with the AD DC by default. This would save switching from UDP to TCP, which happens almost every time with the ad provider due to the PAC attached to the Kerberos ticket. Packaging Changes ----------------- * The sss_debuglevel and sss_cache utilities were superseded by sssctl commands sssctl debug-level and sssctl cache-expire, respectively. While this change is backwards-compatible in the sense that the old commands continue to work, it is recommended to switch to the sssctl command which will in future encompass all SSSD administration tasks. * Two new manpages, sssd-session-recording(5) and sssd-systemtap(5) were added. * A new systemtap example script, which is packaged by default at /usr/share/sssd/systemtap/dp_request.stp was added. * A new directory called deskprofile under the SSSD state directory (typically /var/lib/sss/) was added. SSSD downloads the Fleet Commander profiles into this directory. Documentation Changes --------------------- * The ldap_user_certificate option has changed its default value in the LDAP provider from "not set" to userCertificate;binary. * The ldap_access_filter option has a new allowed value rhost to support access control based on the PAM rhost value. The attribute that SSSD reads during the rhost access control can be configured using the new option ldap_user_authorized_rhost. * The thresholds after which the IPA and LDAP sudo providers will refresh all sudo rules instead of only the expired ones can be tuned using the sudo_threshold option. * A new provider handler, session_provider was added. At the moment, only two handlers, ipa and none are supported. The IPA session handler is used to fetch the Fleet Commander profiles from an IPA server. * The interval after which the IPA session provider will check for new FleetCommander profiles can be configured using the new ipa_deskprofile_request_interval option. Tickets Fixed ------------- * https://pagure.io/SSSD/sssd/issue/3549 - CVE-2017-12173: Unsanitized input when searching in local cache database * https://pagure.io/SSSD/sssd/issue/3531 - dbus-1.11.18 caused hangs in cwrap integration tests * https://pagure.io/SSSD/sssd/issue/3518 - sssd_client: add mutex protected call to the PAC responder * https://pagure.io/SSSD/sssd/issue/3511 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section * https://pagure.io/SSSD/sssd/issue/3508 - Issues with certificate mapping rules * https://pagure.io/SSSD/sssd/issue/3501 - Accessing IdM kerberos ticket fails while id mapping is applied * https://pagure.io/SSSD/sssd/issue/3491 - pysss_nss_idmap: py3 constants defined as strings or bytes * https://pagure.io/SSSD/sssd/issue/3485 - getsidbyid does not work with 1.15.3 * https://pagure.io/SSSD/sssd/issue/3481 - ERROR at setup of test_kcm_sec_init_list_destroy * https://pagure.io/SSSD/sssd/issue/3459 - Allow fallback from krb5_aname_to_localname to other krb5 plugins * https://pagure.io/SSSD/sssd/issue/3461 - unable to access cifs share using sssd-libwbclient * https://pagure.io/SSSD/sssd/issue/3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server * https://pagure.io/SSSD/sssd/issue/3478 - sudo: fall back to the full refresh after reaching a certain threshold * https://pagure.io/SSSD/sssd/issue/3473 - Failures on test_idle_timeout() * https://pagure.io/SSSD/sssd/issue/3472 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc.. * https://pagure.io/SSSD/sssd/issue/3363 - secrets: Per UID secrets quota * https://pagure.io/SSSD/sssd/issue/3507 - Long search filters are created during IPA sudo command + command group retrieval * https://pagure.io/SSSD/sssd/issue/3499 - Change the ldap_user_certificate to userCertificate;binary for the generic LDAP provider as well * https://pagure.io/SSSD/sssd/issue/3482 - Fleet Commander: Add a timeout to avoid contacting the DP too often in case there was no profile fetched in the last login * https://pagure.io/SSSD/sssd/issue/3460 - id root triggers an LDAP lookup * https://pagure.io/SSSD/sssd/issue/3315 - infopipe: org.freedesktop.sssd.infopipe.Groups.Group doesn't show users * https://pagure.io/SSSD/sssd/issue/3308 - SELinux: Use libselinux's getseuserbyname to get the correct seuser * https://pagure.io/SSSD/sssd/issue/3307 - RFE: Log to syslog when sssd cannot contact servers, goes offline * https://pagure.io/SSSD/sssd/issue/3306 - infopipe: List* with limit = 0 returns 0 results * https://pagure.io/SSSD/sssd/issue/3305 - infopipe: crash when filter doesn't contain '*' * https://pagure.io/SSSD/sssd/issue/3254 - Set udp_preference_limit=0 by sssd-ad using a krb5 snippet * https://pagure.io/SSSD/sssd/issue/2995 - RFE: Deliver FleetCommander URL endpoint from an IPA server * https://pagure.io/SSSD/sssd/issue/2893 - [RFE] Conditionally wrap user terminal with tlog * https://pagure.io/SSSD/sssd/issue/3513 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only * https://pagure.io/SSSD/sssd/issue/3450 - Unnecessary second log event causing much spam to syslog * https://pagure.io/SSSD/sssd/issue/3417 - MAN: document that attribute 'provider' is not allowed in section 'secrets' * https://pagure.io/SSSD/sssd/issue/3399 - Improve description of 'trusted domain section' in sssd.conf's man page * https://pagure.io/SSSD/sssd/issue/3061 - Add systemtap probes into the top-level data provider requests * https://pagure.io/SSSD/sssd/issue/2809 - CI doesn't work with DNF * https://pagure.io/SSSD/sssd/issue/2301 - Print a warning when enumeration is requrested but disabled * https://pagure.io/SSSD/sssd/issue/1898 - Move header files consumed by both server and client to special folder * https://pagure.io/SSSD/sssd/issue/3517 - Prevent "TypeError: must be type, not classobj" * https://pagure.io/SSSD/sssd/issue/3147 - sssctl: get and set debug level * https://pagure.io/SSSD/sssd/issue/3057 - Merge existing command line tools into sssctl Detailed Changelog ------------------ * Alexey Kamenskiy (1): * LDAP: Add support for rhost access control * AmitKumar (6): * Moving headers used by both server and client to special folder * ldap_child: Removing duplicate log message * MAN: Improve description of 'trusted domain section' in sssd.conf's man page * MAN: Improve ipa_hostname description * IPA: check if IPA hostname is fully qualified * Print a warning when enumeration is requested but disabled * Fabiano Fidêncio (57): * CACHE_REQ: Fix warning may be used uninitialized * INTG: Add --with-session-recording=/bin/false to intgcheck's configure * IFP: Change ifp_list_ctx_remaining_capacity() return type * IFP: Don't pre-allocate the amount of entries requested * IPA_ACCESS: Remove not used attribute * IPA: Make ipa_hbac_sysdb_save() more generic * IPA: Leave only HBAC specific defines in ipa_hbac_private.h * IPA_ACCESS: Make hbac_get_cache_rules() more generic * IPA_ACCESS: Make ipa_purge_hbac() more generic * IPA_RULES_COMMON: Introduce ipa_common_save_rules() * IPA_RULES_COMMON: Introduce ipa_common_get_hostgroupname() * IPA_ACCESS: Make use of struct ipa_common_entries * IPA_COMMON: Introduce ipa_get_host_attrs() * UTIL: move {files,selinux}.c under util directory * UTIL: Add sss_create_dir() * DESKPROFILE: Introduce the new IPA session provider * HBAC: Fix tevent hierarchy in ipa_hbac_rule_info_send() * HBAC: Document ipa_hbac_rule_info_next()'s behaviour * HBAC: Remove a cosmetic extra space from an if clause * HBAC: Improve readability of ipa_hbac_rule_info_send() * HBAC: Enforce coding style on ipa_hbac_rule_info_send() * HBAC: Enforce coding style ipa_hbac_rule_info_recv() * HBAC: Add a debug message in case ipa_hbac_rule_info_next() fails * HBAC: Not having rules should not be logged as error * DESKPROFILE: Add ipa_deskprofile_request_interval * NEGCACHE: Add some comments about each step of sss_ncache_prepopulate() * NEGCACHE: Always add "root" to the negative cache * TEST_NEGCACHE: Test that "root" is always added to ncache * NEGCACHE: Descend to all subdomains when adding user/groups * CACHE_REQ: Don't error out when searching by id = 0 * NSS: Don't error out when deleting an entry which has id = 0 from the memcache * NEGCACHE: Add root's uid/gid to ncache * TEST_NEGCACHE: Ensure root's uid and gid are always added to ncache * CONFDB: Set a default value for subdomain_refresh_interval in case an invalid value is set * SDAP: Add a debug message to explain why a backend was marked offline * SDAP: Don't call be_mark_offline() because sdap_id_conn_data_set_expire_timer() failed * PYTHON: Define constants as bytes instead of strings * SYSDB: Add sysdb_search_by_orig_dn() * TESTS: Add tests for sysdb_search_{users,groups}_by_orig_dn() * IPA: Use sysdb_search_*_by_orig_dn() _hbac_users.c * SDAP: Use sysdb_search_*_by_orig_dn() in sdap_async_nested_groups.c * SDAP: Use sysdb_search_*_by_orig_dn() in sdap_async_groups.c * IPA: Use sysdb_search_*_by_orig_dn() in _subdomains_ext_group.c * MAN: Add a note about the output of all commands when using domain_resolution_order * RESOLV: Fix "-Werror=null-dereference" caught by GCC * SIFP: Fix "-Wjump-misses-init" caught by GCC * NSS: Fix "-Wold-style-definition" caught by GCC * TESTS: Fix "-Werror=null-dereference" caught by GCC * TOOLS: Fix "-Wstack-protector" caught by GCC * SSSCTL: Fix "-Wshadow" warning caught by GCC * SSSCTL: Fix "-Wunitialized" caught by GCC * SSSCTL: Use get prefix for the sssctl_attr_fn functions * TESTS: Fix "-Wshadow" caught by GCC * RESPONDER: Fix "-Wold-style-definition" caught by GCC * PAM: Avoid overwriting pam_status in _lookup_by_cert_done() * DP: Fix the output type used in dp_req_recv_ptr() * DP: Log to syslog whether it's online or offline * Jakub Hrozek (29): * Updating the version for the 1.15.4 release * MAN: Don't tell the user to autostart sssd-kcm.service; it's socket-enabled * TESTS: Add wrappers to request a user or a group by ID * TESTS: Add files provider tests that request a user and group by ID * TESTS: Add regression tests to try if resolving root and ID 0 fails as expected * CONFDB: Do not crash with an invalid domain_type or case_sensitive value * IPA: Only attempt migration for the joined domain * SECRETS: Remove unused declarations * SECRETS: Do not link with c-ares * SECRETS: Store quotas in a per-hive configuration structure * SECRETS: Read the quotas for cn=secrets from [secrets/secrets] configuration subsection * SECRETS: Rename local_db_req.basedn to local_db_req.req_dn * SECRETS: Use separate quotas for /kcm and /secrets hives * TESTS: Test that ccaches can be stored after max_secrets is reached for regular non-ccache secrets * SECRETS: Add a new option to control per-UID limits * SECRETS: Support 0 as unlimited for the quotas * TESTS: Relax the assert in test_idle_timeout * IPA: Reword the DEBUG message about SRV resolution on IDM masters * IPA: Only generate kdcinfo files on clients * MAN: Improve failover documentation by explaining the timeout better * MAN: Document that the secrets provider can only be specified in a per-client section * TESTS: Use NULL for pointer, not 0 * SUDO: Use initgr_with_views when looking up a sudo user * KCM: Do not leak newly created ccache in case the name is malformed * KCM: Use the right memory context * KCM: Add some forgotten NULL checks * GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found * Updating the translation for the 1.16.0 release * Updating the version for the 1.16.0 release * Justin Stephenson (8): * SELINUX: Use getseuserbyname to get IPA seuser * DP: Add Generic DP Request Probes * CONTRIB: Add DP Request analysis script * MAN: Add sssd-systemtap man page * SSSCTL: Move sss_debuglevel to sssctl debug-level * SSSCTL: Replace sss_debuglevel with shell wrapper * SSSCTL: Add cache-expire command * IPA: Add threshold for sudo searches * Lukas Slebodnik (31): * SPEC: Use language file for sssd-kcm * SHARED: Return warning back about minimal header files * intg: Disable add_remove tests * SPEC: require http-parser only on rhel7.4 * intg: Increase startup timeouts for kcm and secrets * libwbclient: Change return code for wbcAuthenticateUserEx * libwbclient: Fix warning statement with no effect * SPEC: rhel8 will have python3 as well * SPEC: Fix unowned directory * certmap: Suppress warning Wmissing-braces * cache_req: Look for name attribute also in nss_cmd_getsidbyid * SPEC: Update owner and mode for /var/lib/sss/deskprofile * CI: Use dnf 2.0 for installation of packages in fedora * Revert "PYTHON: Define constants as bytes instead of strings" * pysss_nss_idmap: return same type as it is in module constants * pysss_nss_idmap: Fix typos in python documentation * CONFIG: Fix schema for try_inotify * SPEC: Fix detecting of minor release * Fix warning declaration of 'index' shadows a global declaration * intg: Fix execution with dbus-1.11.18 * TOOLS: Log redirection info for sss_debuglevel to stderr * TOOLS: Print Better usage for sssctl debug-level * TOOLS: Hide option --debug in sssctl * intg: Fix pep8 warnings in config.py template * intg: Let python paths be configurable * intg: prevent "TypeError: must be type, not classobj" * intg: Prefer locally built python modules * ds_openldap: Extract functionality to protected methods * intg: Create FakeAD class based on openldap * intg: Add sanity tests for pysss_nss_idmap * Revert "IPA: Only generate kdcinfo files on clients" * Marlena Marlenowska (1): * IDMAP: Prevent colision for explicitly defined slice. * Nikolai Kondrashov (16): * CACHE_REQ: Propagate num_results to cache_req_state * NSS: Move shell options to common responder * NSS: Move nss_get_shell_override to responder utils * CONFIG: Add session_recording section * BUILD: Support configuring session recording shell * UTIL: Add session recording conf management module * RESPONDER: Add session recording conf loading * DP: Add session recording conf loading * SYSDB: Add sessionRecording attribute macro * DP: Load override_space into be_ctx * DP: Overlay sessionRecording attribute on initgr * CACHE_REQ: Pull sessionRecording attrs from initgr * NSS: Substitute session recording shell * PAM: Export original shell to tlog-rec-session * INTG: Add session recording tests * MAN: Describe session recording configuration Pavel Březina (4): * DP: Update viewname for all providers * sudo: add a threshold option to reduce size of rules refresh filter * IFP: fix typo in option name in man pages * IFP: parse ping arguments in codegen Petr Čech (4): * IFP: Do not fail when a GHOST group is not found * UTIL: Set udp_preference_limit=0 in krb5 snippet * IFP: Filter with * in infopipe group methods * IFP: Fix of limit = 0 (unlimited result) Sumit Bose (15): * libwbclient-sssd: update interface to version 0.14 * localauth plugin: change return code of sss_an2ln * tests: add unit tests for krb5 localauth plugin * IPA: format fixes * certmap: add OpenSSL implementation * ipa: make sure view name is initialized at startup * certmap: make sure eku_oid_list is always allocated * IPA: fix handling of certmap_ctx * sysdb: add missing indices * IDMAP: add a unit test * sssd_client: add mutex protected call to the PAC responder * BUILD: Accept krb5 1.16 for building the PAC plugin * sysdb: sanitize search filter input * IPA: sanitize name in override search filter * sss_client: refactor internal timeout handling Yuri Chornoivan (3): * Fix minor typos * Fix minor typos * Fix minor typos in docs amitkuma (2): * ldap: Change ldap_user_certificate to userCertificate;binary * python: Changing class declaration from old to new-style type

1 0

[sssd PR#418][opened] CACHE_REQ: Copy the cr_domain list for each request
by fidencio 20 Oct '17

20 Oct '17

URL: https://github.com/SSSD/sssd/pull/418 Author: fidencio Title: #418: CACHE_REQ: Copy the cr_domain list for each request Action: opened PR body: """ Let's copy the cr_domain list for each request as this list may be free'd due to a refresh domains request. This is a cheap solution to avoid the crash but a proper one should be implemented in the future, which is properly handling new domains being inserted and existing domains disappearing from the list. Signed-off-by: Fabiano Fidêncio <fidencio(a)redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/418/head:pr418 git checkout pr418

4 11

[sssd PR#420][opened] NSS: memcache_timeout=0
by mzidek-rh 20 Oct '17

20 Oct '17

URL: https://github.com/SSSD/sssd/pull/420 Author: mzidek-rh Title: #420: NSS: memcache_timeout=0 Action: opened PR body: """ This is PR is continuation of: https://github.com/SSSD/sssd/pull/416 about new semantics of memcache_timeout=0 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/420/head:pr420 git checkout pr420

3 22

[sssd PR#416][opened] NSS: Memcache timeout equals zero
by mzidek-rh 20 Oct '17

20 Oct '17

URL: https://github.com/SSSD/sssd/pull/416 Author: mzidek-rh Title: #416: NSS: Memcache timeout equals zero Action: opened PR body: """ Hi, these patches add new semantics to the memcache_timeout=0. From users perspective there is basically no change, but with value 0 the memcache files are not created. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/416/head:pr416 git checkout pr416

5 33

[sssd PR#417][opened] Revert "sysdb: add missing indices"
by lslebodn 20 Oct '17

20 Oct '17

URL: https://github.com/SSSD/sssd/pull/417 Author: lslebodn Title: #417: Revert "sysdb: add missing indices" Action: opened PR body: """ This reverts commit 9acdf51bf32d7b4389f3faea0fc6b73c56b6da71. Indices can help with search operations but they are not for free especially when you need to modify them. (add, remove operations) There are worse results with this patch when obtaining huge number of users. Maybe it will help to drop some indices https://pagure.io/SSSD/sssd/issue/3503 But better is to do proper measurement instead of and do not increase sysdb version twice. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/417/head:pr417 git checkout pr417

1 3

[sssd PR#411][opened] AD: Remember last site discovered
by pbrezina 20 Oct '17

20 Oct '17

URL: https://github.com/SSSD/sssd/pull/411 Author: pbrezina Title: #411: AD: Remember last site discovered Action: opened PR body: """ To discover Active Directory site for a client we must first contact any directory controller for an LDAP ping. This is done by searching domain-wide DNS tree which may however contain servers that are not reachable from current site and than we face long timeouts or failure. This patch makes sssd remember the last successfuly discovered site and use this for DNS search to lookup a site and forest again similar to what we do when ad_site option is set. Resolves: https://pagure.io/SSSD/sssd/issue/3265 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/411/head:pr411 git checkout pr411

3 12

[sssd PR#419][opened] sudo: document background activity
by pbrezina 20 Oct '17

20 Oct '17

URL: https://github.com/SSSD/sssd/pull/419 Author: pbrezina Title: #419: sudo: document background activity Action: opened PR body: """ When we introduced socket activation, we changed the internall behaviour. Previously we disabled sudo if it was not listed in services, with socket activation we removed this feature. Some users were confused so this change documents current behaviour. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/419/head:pr419 git checkout pr419

2 1

[sssd PR#414][opened] NSS: Add a way to disable memory cache
by lslebodn 20 Oct '17

20 Oct '17

URL: https://github.com/SSSD/sssd/pull/414 Author: lslebodn Title: #414: NSS: Add a way to disable memory cache Action: opened PR body: """ It is a temporary workaround for case where you hit corner case when restarting sssd very often and different process open different different memory cache. Experimental features are enabled by default in upstream. Resolves: https://pagure.io/SSSD/sssd/issue/3496 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/414/head:pr414 git checkout pr414

3 16

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel October 2017