URL: https://github.com/SSSD/sssd/pull/175
Author: lslebodn
Title: #175: Add module for starting services
Action: opened
PR body:
"""
This is a WIP version of reducing code duplication in our cwrap integration tests.
I am still not sure whether we should also reuse function `create_sssd_fixture`.
And if yes, then probably in a different module than `services`.
And comments are welcome.
BTW I wrote the patches a few weeks ago; therefore new tests are not converted.
I am just sending patches to get some feedback.
A side effect of these patches is that the tests are ca. 20% faster (IIRC)
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/175/head:pr175
git checkout pr175
URL: https://github.com/SSSD/sssd/pull/844
Author: mastersin
Title: #844: sssd-ad and gpo_child: GPO apply fixes during reading fails
Action: opened
PR body:
"""
Ignore AD GPO errors:
- if SecEdit/GptTmpl.inf is missing
or
- if reading sysvol_gpt_version fails and cached_gpt_version already exists
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/844/head:pr844
git checkout pr844
URL: https://github.com/SSSD/sssd/pull/616
Author: asheplyakov
Title: #616: become_user: add supplementary groups so ad provider can access keytab
Action: opened
PR body:
"""
For security reasons one might want to run providers as a non-privileged
user (say, _sssd). However, some providers (in particular ad) might need
access to restricted (non world-readable) files (for instance,
/etc/krb5.keytab). One of the possible ways to solve the problem is to
- add a special group (for instance, _keytab)
- set the owner:group of the file in question to root:_keytab
- set the permissions of the file in question to 640
- make the _sssd user a member of the _keytab group
For this to work become_user should assign supplementary groups, which
is what this patch does.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/616/head:pr616
git checkout pr616
URL: https://github.com/SSSD/sssd/pull/943
Author: elkoniu
Title: #943: files_ops: Fix cached password remove
Action: opened
PR body:
"""
When the SSSD daemon detects a refresh of the password (group) file,
it will delete all cached user (group) data.
With this change, cached data will be deleted only for
non-existing users (groups).
Resolves:
https://pagure.io/SSSD/sssd/issue/3591
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/943/head:pr943
git checkout pr943
URL: https://github.com/SSSD/sssd/pull/269
Author: NWilson
Title: #269: Add support for ActiveDirectory's logonHours restrictions
Action: opened
PR body:
"""
This is a straightforward patch for denying access to a user when the user is not permitted to access their account due to logonHours restrictions.
This matches the default behaviour for domain-joined Windows machines. When outside the logonHours, all types of authentication are denied (password/Kerberos/certificate) - so it is appropriate to put this check inside the PAM "account" rules.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/269/head:pr269
git checkout pr269
URL: https://github.com/SSSD/sssd/pull/837
Author: sumit-bose
Title: #837: p11_child: make OCSP digest configurable
Action: opened
PR body:
"""
Currently sha1 is used to create the certid for an OCSP request. Since sha1
is not recommended for new applications anymore and is not FIPS compliant, this
patch changes the default to sha256 and makes the digest function
configurable as well.
Related to https://pagure.io/SSSD/sssd/issue/4032
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/837/head:pr837
git checkout pr837
URL: https://github.com/SSSD/sssd/pull/578
Author: amitkumar50
Title: #578: proxy: proxy_child hardening
Action: opened
PR body:
"""
proxy_child will call chdir("/"), umask(022)
and reset the environment with clearenv().
The --domain argument is to be sanitized.
Resolves: https://pagure.io/SSSD/sssd/issue/2689
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/578/head:pr578
git checkout pr578
URL: https://github.com/SSSD/sssd/pull/5171
Author: pbrezina
Title: #5171: files: allow root membership
Action: opened
PR body:
"""
The SSSD design decision was to "never handle root" and we use uid=0 and gid=0 to indicate
various error states. The root user and group are unconditionally added to the negative cache.
This makes perfect sense for LDAP but introduced regressions in the files provider
when compared to nss_files:
1) When a user is part of root group - the membership is not returned
2) When a user has root as primary group - the user is not returned and every other membership is broken.
The "never handle root" policy is basically kept, with a few exceptions for the files provider:
- it will not filter out root as group member if it is also files provider - solves 1)
- it will store user with gid=0 unless it also has uid=0 thus solving 2)
Direct request for root user or group will still not be handled.
Resolves:
https://github.com/SSSD/sssd/issues/5170
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5171/head:pr5171
git checkout pr5171
ehlo,
Running pycodestyle-2.6.0 currently reports E741 cases, which is one of a set of three
style checks to avoid ambiguous single-letter names which look like numbers:
./src/tests/python-test.py:54:35: E741 ambiguous variable name 'l'
./src/tests/python-test.py:102:38: E741 ambiguous variable name 'l'
./src/tests/intg/krb5utils.py:101:27: E741 ambiguous variable name 'l'
./src/tests/intg/krb5utils.py:116:23: E741 ambiguous variable name 'l'
./src/tests/intg/krb5utils.py:140:28: E741 ambiguous variable name 'l'
https://pycodestyle.pycqa.org/en/latest/intro.html#error-codes
LS