URL: https://github.com/SSSD/sssd/pull/390
Author: mzidek-rh
Title: #390: NSS: Add option to disable memcache
Action: opened
PR body:
"""
Added option use_memcache to centrally disable memcache
for all clients without the need to specify SSS_NSS_USE_MEMCACHE=NO
environment variable.
Resolves:
https://pagure.io/SSSD/sssd/issue/3496
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/390/head:pr390
git checkout pr390
URL: https://github.com/SSSD/sssd/pull/560
Author: ChrisKowalczyk
Title: #560: NSS: close files after mmap
Action: opened
PR body:
"""
The files in the MC cache folder were initialized by SSSD on startup, and mapped by using the mmap function. Due to the fact that they weren't closed afterwards, their file descriptors were still marked alive but marked as 'Deleted'.
This was noticed by a customer of SUSE, see more details here: https://bugzilla.suse.com/show_bug.cgi?id=1080156
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/560/head:pr560
git checkout pr560
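Added example, not part of PR #560 or of SSSD's code: a small C program showing why the descriptor can be closed right after mmap(). The mapping stays usable after close() and unlink(), while a descriptor that is kept open continues to reference the deleted file. The scratch path, sizes and names are assumptions made for this demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MC_LEN 4096                              /* constructed size for the demo */
static const char SAMPLE[] = "cached-entry";     /* constructed file content */

struct mc_result {
    int fd_still_open;   /* descriptor still valid after the file is unlinked */
    int mapping_usable;  /* mapped memory still shows the file content */
};

/* Create a scratch file, map it MAP_SHARED, optionally close the descriptor
 * right after mmap(), then unlink the file the way a cache reset would. */
static struct mc_result mc_map_demo(int close_after_mmap)
{
    struct mc_result res = { 0, 0 };
    char path[] = "/tmp/mc_demo_XXXXXX";         /* hypothetical scratch path */
    int fd = mkstemp(path);
    if (fd == -1)
        return res;
    char *map = MAP_FAILED;
    if (write(fd, SAMPLE, sizeof(SAMPLE)) == (ssize_t)sizeof(SAMPLE)
            && ftruncate(fd, MC_LEN) == 0)
        map = mmap(NULL, MC_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map != MAP_FAILED && close_after_mmap)
        close(fd);       /* the mapping keeps its own reference to the file */
    unlink(path);        /* a descriptor left open now points at a deleted file */
    res.fd_still_open = (fcntl(fd, F_GETFD) != -1);   /* fails with EBADF once closed */
    if (map != MAP_FAILED) {
        res.mapping_usable = (strcmp(map, SAMPLE) == 0);
        munmap(map, MC_LEN);
    }
    if (res.fd_still_open)
        close(fd);
    return res;
}

int main(void)
{
    struct mc_result kept = mc_map_demo(0), closed = mc_map_demo(1);
    printf("fd kept:   open=%d mapping=%d\n", kept.fd_still_open, kept.mapping_usable);
    printf("fd closed: open=%d mapping=%d\n", closed.fd_still_open, closed.mapping_usable);
    return 0;
}
```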
URL: https://github.com/SSSD/sssd/pull/677
Author: thalman
Title: #677: pcre: port to pcre2
Action: opened
PR body:
"""
Some distributions want to drop pcre support. SSSD should work with
pcre2. With this patch SSSD tries to use pcre2 if pcre is not present.
Resolves:
https://pagure.io/SSSD/sssd/issue/3833
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/677/head:pr677
git checkout pr677
URL: https://github.com/SSSD/sssd/pull/541
Author: pbrezina
Title: #541: memberof: keep memberOf attribute for nested member
Action: opened
PR body:
"""
If we have a member that is both direct and nested member,
memberOf attribute was removed if the direct membership
was deleted.
1)
user ----------> groupB -> groupC
     -> groupA /
2)
user -> groupA -> groupB -> groupC
If we remove user->groupB from 1), we get 2) but groupB was still
removed from user memberOf attribute.
Resolves:
https://pagure.io/SSSD/sssd/issue/3636
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/541/head:pr541
git checkout pr541
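Added example, not part of PR #541 or of SSSD's memberof plugin: a simplified C model of case 1) from the PR body. It compares dropping groupB from the user's memberOf outright with re-deriving memberOf from the direct links that remain. The entity names, the bitmask representation and the function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

enum { USER, GROUP_A, GROUP_B, GROUP_C, N_ENT };
#define BIT(x) (1u << (x))

/* direct[m][g] != 0 means m is a direct member of group g. */
typedef unsigned char graph_t[N_ENT][N_ENT];

/* memberOf set of 'ent' as a bitmask: every group reachable over direct links. */
static unsigned memberof(graph_t direct, int ent)
{
    unsigned seen = 0;
    int stack[N_ENT + 1], top = 0;
    stack[top++] = ent;
    while (top > 0) {
        int cur = stack[--top];
        for (int grp = 0; grp < N_ENT; grp++) {
            if (direct[cur][grp] && !(seen & BIT(grp))) {
                seen |= BIT(grp);
                stack[top++] = grp;
            }
        }
    }
    return seen;
}

/* Build case 1) from the PR, delete user->groupB, return the user's memberOf.
 * recompute == 0 models the reported behaviour: groupB is dropped outright.
 * recompute != 0 re-derives memberOf from the links that remain. */
static unsigned case1_after_removal(int recompute)
{
    graph_t direct;
    memset(direct, 0, sizeof(direct));
    direct[USER][GROUP_B] = 1;
    direct[USER][GROUP_A] = 1;
    direct[GROUP_A][GROUP_B] = 1;
    direct[GROUP_B][GROUP_C] = 1;
    unsigned before = memberof(direct, USER);
    direct[USER][GROUP_B] = 0;
    return recompute ? memberof(direct, USER) : (before & ~BIT(GROUP_B));
}

int main(void)
{
    printf("dropped outright: 0x%x\n", case1_after_removal(0));
    printf("recomputed:       0x%x\n", case1_after_removal(1));
    return 0;
}
```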
URL: https://github.com/SSSD/sssd/pull/650
Author: jhrozek
Title: #650: Implement a hybrid mode of generating private groups
Action: opened
PR body:
"""
Related:
https://pagure.io/SSSD/sssd/issue/3822
Design page PR:
https://pagure.io/SSSD/docs/pull-request/72
Commit messages follow, hopefully they are enough to explain what is going on.
SYSDB: Special case getgrnam and getgrgid searches in hybrid MPG mode
In hybrid MPG mode, we want to return the MPG group only in case the user
entry has no original GID set. To achieve this, we first search with the
non-MPG filter to find 'real' groups. If that fails, we try the MPG filter,
but throw away entries that have any real GID set.
Related: https://pagure.io/SSSD/sssd/issue/3822
SYSDB: Refactor the mpg and non-mpg searches out of sysdb_getgrnam() and sysdb_getgrgid() to make them more reusable
The getgrnam and getgrgid searches already special-case lookups with
overrides where in some cases the search falls back to a non-MPG search.
The upcoming special case for the hybrid mode would do something similar,
just in the opposite direction, so it makes sense to split out the
functions for just the MPG step and just the non-MPG step into reusable
functions.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB/NSS: Add the hybrid MPG mode
Permits a new option value 'hybrid' for the auto_private_groups option. The
option was even previously marked as a string option in both the configAPI
and the man pages, so we don't have to change the type now.
If the hybrid mode is selected and the user's original GID number is
available, then during initgroups and getpwnam, it is used as their primary
GID instead of the MPG group. The original group is also not added as a
secondary group during initgroups in this case.
Related: https://pagure.io/SSSD/sssd/issue/3822
CONFDB: Read auto_private_groups as string, not bool
In preparation to adding the third value of auto_private_groups, this patch
reads the confdb value as string and checks for the option values on its
own.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Convert bool mpg to an enum mpg_mode
Instead of bool mpg inside struct sss_domain_info, let's introduce enum
mpg_mode that currently maps pretty much 1:1 to the boolean. In future
patches, a third value will be added.
Also adds a getter for the mpg_mode value because we want to discourage
getting or setting the value directly. Instead, the sss_domain_info
structure should be opaque in the future.
Related: https://pagure.io/SSSD/sssd/issue/3822
UTIL: Add a is_domain_mpg shorthand
Instead of looking into the domain structure directly, add a
sss_domain_is_mpg() function. This will make sense when we add a third
state instead of the boolean that will also be mpg-like.
Related: https://pagure.io/SSSD/sssd/issue/3822
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/650/head:pr650
git checkout pr650
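Added example, not part of PR #650 or of SSSD's sysdb code: a simplified C model of the hybrid lookup order the commit messages describe. Real groups are searched first, the MPG match is discarded when the matching user has an original GID, and that original GID is used as the primary GID. The struct fields, function names and sample entries are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified cache entry; the field names are hypothetical, not sysdb's. */
struct entry {
    const char *name;
    int is_user;        /* 1 = user object, 0 = real group object */
    unsigned id;        /* UID for a user, GID for a group */
    unsigned orig_gid;  /* user's original primary GID, 0 when not set */
};

static const struct entry cache[] = {   /* constructed sample cache */
    { "alice", 1, 1001, 0 },            /* no original GID */
    { "bob",   1, 1002, 5000 },         /* original GID points at a real group */
    { "staff", 0, 5000, 0 },            /* real group */
};

static const struct entry *find(int want_user, unsigned id)
{
    for (size_t i = 0; i < sizeof(cache) / sizeof(cache[0]); i++)
        if (cache[i].is_user == want_user && cache[i].id == id)
            return &cache[i];
    return NULL;
}

/* Hybrid getgrgid: real groups first, then MPG, minus users with orig_gid. */
static const struct entry *getgrgid_hybrid(unsigned gid)
{
    const struct entry *e = find(0, gid);      /* non-MPG filter */
    if (e == NULL)
        e = find(1, gid);                      /* MPG filter: UID == GID */
    return (e && e->is_user && e->orig_gid) ? NULL : e;
}

/* Primary GID for getpwnam/initgroups in hybrid mode. */
static unsigned primary_gid_hybrid(const struct entry *user)
{
    return user->orig_gid != 0 ? user->orig_gid : user->id;
}

int main(void)
{
    const unsigned gids[] = { 1001, 1002, 5000 };
    for (size_t i = 0; i < 3; i++) {
        const struct entry *g = getgrgid_hybrid(gids[i]);
        printf("getgrgid(%u) -> %s\n", gids[i], g ? g->name : "(not found)");
    }
    printf("bob primary gid: %u\n", primary_gid_hybrid(&cache[1]));
    return 0;
}
```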
URL: https://github.com/SSSD/sssd/pull/702
Author: jhrozek
Title: #702: NSS: Avoid changing the memory cache ownership away from the SSSD user
Action: opened
PR body:
"""
Resolves: https://pagure.io/SSSD/sssd/issue/3890
In case SSSD is compiled --with-sssd-user but run as root (which is the
default on RHEL and derivatives), then the memory cache will be owned by
the user that sssd_nss runs as, so root.
This conflicts with the packaging which specifies sssd.sssd as the owner.
And in turn, this means that users can't reliably assess the package
integrity using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd
even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that it becomes a member
of the supplementary sssd group. Even though in traditional UNIX sense, a
process running as root could write to a file owned by sssd:sssd, with
SELinux enforcing mode this becomes problematic as SELinux emits an error
such as:
type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for
pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the
files are also made group-writable. The 'others' permission is still set to
read only.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/702/head:pr702
git checkout pr702
URL: https://github.com/SSSD/sssd/pull/696
Author: thalman
Title: #696: DYNDNS: SSSD does not batch DDNS update requests
Action: opened
PR body:
"""
SSSD includes a 'send' command in between each record modification
and does not batch DDNS update requests. This is problematic in
complex AD environments because those requests may not be processed
by the same server.
Now the zone update is done in two steps - one per
protocol family. If dyndns_update_per_family is set
to false, the update is performed in a single step.
Resolves:
https://pagure.io/SSSD/sssd/issue/3829
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/696/head:pr696
git checkout pr696
URL: https://github.com/SSSD/sssd/pull/701
Author: pbrezina
Title: #701: ci: add ability to run tests in jenkins
Action: opened
PR body:
"""
Jenkins master polls GitHub for new branches and pull requests. When it discovers a new pull request or branch, or changes to an existing pull request or branch, it will allocate a Jenkins agent and execute the pipeline defined in `./Jenkinsfile` (in SSSD source) on this agent.
The pipeline executes `./contrib/test-suite/run.sh` and archives logs when testing is finished. The script `./contrib/test-suite/run.sh` prepares sssd-test-suite, starts the vagrant machines and copies the SSSD source code to the client machine. Then it calls `./contrib/test-suite/run-client.sh` on the client machine, which runs continuous integration tests.
### Extending current tests
To extend current testing capabilities, modify `./contrib/test-suite/run.sh` and `./contrib/test-suite/run-client.sh` to new requirements. These files can be modified by anyone but are considered untrusted when coming from a contributor who is not an administrator of the SSSD repository. This means that if a public contributor submits a pull request that changes those files, Jenkins will refuse to run tests.
### Adding an additional distribution to test on
You need to modify `./Jenkinsfile`. Simply copy, paste and amend the existing Fedora 28 stage. This file is also considered untrusted so only administrators can modify it within a pull request.
You also need to extend `sssd-test-suite` and prepare vagrant boxes for this distro.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/701/head:pr701
git checkout pr701