History log of /sssd-io/Makefile.am
Revision Date Author Comments
c1208b485924964a7a4fcf19562964acb47fc214 05-Apr-2018 Justin Stephenson <jstephen@redhat.com>

CONFDB: Add passwd_files and group_files options Add new options to the files provider allowing an administrator to configure the files provider to read and monitor multiple or non-standard passwd and group file sources. These options default to /etc/passwd and /etc/group when unset. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cbcb2dab1ba06c65d64910b733f4480b5cf5d090 09-Mar-2018 Sumit Bose <sbose@redhat.com>

TESTS: remove NSS test databases NSS databases with the certificates from the test CA will be automatically generated. The static databases are not needed anymore. Related to https://pagure.io/SSSD/sssd/issue/3436 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

19f5dd0b8dc4eff3373a0ac9ea17c2440628fd4c 09-Mar-2018 Sumit Bose <sbose@redhat.com>

TESTS: simple CA to generate certificates for test To avoid issue with certificate lifetimes a simple OpenSSL based CA is used to generate certificates for tests. To make management easy all related data is kept in src/tests/test_CA. Since some header files will be generated the generation of the needed files is added to BUILT_SOURCES as other generated code. Related to https://pagure.io/SSSD/sssd/issue/3436 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3b0356f3bd82e78dffd38ebdc206b555d00dde2f 23-Feb-2018 Lukas Slebodnik <lslebodn@redhat.com>

intg: Build with optimisations and debug symbols We override CFLAGS for macro KCM_PEER_UID. Such a change also removes standard CFLAGS (-O2 -g) and therefore it was not possible to debug processes in gdb unless environment variable CFLAGS was set. But we should test optimized code by default and let developers override default with environment variable CFLAGS and not vice versa. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 09-Feb-2018 Hristo Venev <hristo@venev.name>

providers: Move hostid from ipa to sdap, v2 In the ldap provider, all option names are renamed to ldap_host_*. In the ipa provider the names haven't been changed. Host lookups for both ipa and ldap are handled in the ldap provider. sss_ssh_knownhostsproxy works but hostgroups are still only available in the ipa provider. I've also added some documentation for the ldap provider. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b61304a9f0f6bcc099cb855bc5bde13c4024da1a 06-Feb-2018 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix using of libdlopen_test_providers.so in tests libdlopen_test_providers.la was missing in libsss_ad_tests.la which caused linked failures with linker flag -defs and therefore had to be added to some tests (ad_access_filter_tests) Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

7ad9f9c7c8b40e74647de455e454894a257bc0de 06-Feb-2018 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Add missing libs found by -Wl,-z,defs

It is not possible to fully build sssd with -Wl,-z,defs because we are using sssd_be as a "library" in some cases e.g.

    src/providers/krb5/.libs/libsss_krb5_common_la-krb5_init_shared.o: In function `krb5_child_init':
    src/providers/krb5/krb5_init_shared.c:38: undefined reference to `_dp_opt_get_bool'
    src/providers/krb5/krb5_init_shared.c:47: undefined reference to `_dp_opt_get_string'
    src/providers/krb5/krb5_init_shared.c:94: undefined reference to `_dp_opt_get_cstring'

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

fb22e59d23c8c3eefc2769b8dc6e7533497711a5 25-Jan-2018 Lukas Slebodnik <lslebodn@redhat.com>

Remove legacy script for upgrading sssd.conf

The script was mainly required to upgrade sssd.conf from version 1 to version 2 which was done in sssd-0.6. All currently supported linux distributions have at least sssd >= 1.8 and require 2nd version of sssd.conf. Therefore upgrade does not make any sense. There was an attempt to port this file to python3 as part of ticket#2017 3 years ago. But it does not work and nobody noticed that due to missing code coverage.

    sh# ls -l /etc/sssd/sssd.conf
    -rw-------. 1 root root 5372 Jan 24 21:09 /etc/sssd/sssd.conf
    sh# python3 -m SSSDConfig.sssd_upgrade_config
    ERROR: a bytes-like object is required, not 'str'
    sh# ls -l /etc/sssd/sssd.conf
    -rw-------. 1 root root 0 Jan 24 21:09 /etc/sssd/sssd.conf

Summary: The script does not make any sense today, it is not used by anyone and it is not worth keeping it in upstream anymore.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

20a9c55ada9401385c79d25e8073fadd0297e411 25-Jan-2018 Lukas Slebodnik <lslebodn@redhat.com>

Remove unnecessary script for upgrading debug_levels Older versions of SSSD <= 1.5 would take a debug_level value set in the [sssd] section as authoritative for all other sections where not explicitly overridden. The script update_debug_levels.py could be used to make the new version of sssd produce the same logs as the old versions did, by explicitly adding debug_level to all domains and services that did not have it set already. The change was done 7 years ago and people got used to the new behaviour. The script was never installed together with sssd and therefore does not have any usage anymore. Let's remove it. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8 21-Nov-2017 Jakub Hrozek <jhrozek@redhat.com>

TOOLS: Add a new sssctl command access-report Resolves: https://pagure.io/SSSD/sssd/issue/2840 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

fe189c1ab7bbb983f0fb3807dd905cc3a45cfcc1 21-Nov-2017 Michal Židek <mzidek@redhat.com>

Revert "BUILD: Disable tests with know failures" This reverts commit 44bc6e8f49eec9e7ab9a952845bffcc0fd3b3a44. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

44bc6e8f49eec9e7ab9a952845bffcc0fd3b3a44 16-Nov-2017 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Disable tests with know failures Temporary workaround for: https://pagure.io/SSSD/sssd/issue/3563 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

06c2300353faf3983e38fecb1d6afe1f6cc8fe32 13-Nov-2017 Sumit Bose <sbose@redhat.com>

pam: add prompt string for certificate authentication A new certificate attribute is added which contains a string which is used in the certificate selection list displayed to the user. The Subject-DN of the certificate is used here because it is present in all certificates and in general differs for certificates with different usage. libsss_certmap is used to extract the subject-DN from the certificate and convert it into a string. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

0bdd8800c16f39b8fe308d20694ad905c669dff3 13-Nov-2017 Sumit Bose <sbose@redhat.com>

PAM: handled multiple certs in the responder This patch refactors the handling of the certificate and the attributes to address the certificate on the Smartcard (module name, token name and key id). Instead of using individual variables the values are put into a new struct cert_auth_info. Since the new struct can be used as a list the PAM responder can now handle multiple certificates on the Smartcard and can send the needed data to pam_sss with multiple SSS_PAM_CERT_INFO messages. Unit tests are added to confirm the expected behavior. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

b495522f3eadde9ad4bb8d125fd70b0d5f07596a 10-Nov-2017 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Properly expand variables in sssd-ifp.service

    systemd[1]: [/usr/lib/systemd/system/sssd-ifp.service:9] Path '-@environment_file@' is not absolute, ignoring.

    sh-4.2# systemctl cat sssd-ifp.service
    # /usr/lib/systemd/system/sssd-ifp.service
    [Unit]
    Description=SSSD IFP Service responder
    Documentation=man:sssd-ifp(5)
    After=sssd.service
    BindsTo=sssd.service

    [Service]
    Environment=DEBUG_LOGGER=--logger=files
    EnvironmentFile=-@environment_file@
    Type=dbus
    BusName=org.freedesktop.sssd.infopipe
    ExecStart=/usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated ${DEBUG_LOGGER}

Resolves: https://pagure.io/SSSD/sssd/issue/3433

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

e54db68cbb9c12d8a6867f2c7766fb2115ab0997 06-Nov-2017 Sumit Bose <sbose@redhat.com>

nss-idmap: add timeout version of old sss_nss_* calls Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5e6622722e84d594298a8324f3685a1bda2b5868 06-Nov-2017 Sumit Bose <sbose@redhat.com>

nss-idmap: add nss like calls with timeout and flags This patch adds new calls to libsss_nss_idmap to get NSS like user and group information directly from SSSD without using the system's NSS interfaces. Additionally a timeout and a flags options are added which are not available for system's NSS. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

7449b236523409cc8766fb957d6cba051fdfb483 06-Nov-2017 Sumit Bose <sbose@redhat.com>

sss_client: create nss_common.h This patch makes sss_nss_getpw_readrep() and sss_nss_getgr_readrep() calls which parse SSSD's replies for user and group requests available to other components. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a7277fecf7a65ab6c83b36f009c558cdfbf997d2 03-Nov-2017 Lukas Slebodnik <lslebodn@redhat.com>

SYSTEMD: Replace parameter --debug-to-files with ${DEBUG_LOGGER}

Users can set variable DEBUG_LOGGER in environment files (/etc/sysconfig/sssd or /etc/default/sssd; depending on the distribution) to override default logging to files. e.g.

    DEBUG_LOGGER=--logger=stderr
    DEBUG_LOGGER=--logger=journald

Resolves: https://pagure.io/SSSD/sssd/issue/3433

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

f34a8330c1615511795847b0a1454249d782db2a 19-Oct-2017 Alexey Kamenskiy <alexey.kamenskiy@chinanetcloud.com>

LDAP: Add support for rhost access control This patch implements verification of pam_rhost against rules stored in LDAP entry of a user. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

da19eaea902744ec3cb41f87fa93fadb767f90e7 25-Sep-2017 Justin Stephenson <jstephen@redhat.com>

SSSCTL: Replace sss_debuglevel with shell wrapper The sss_debuglevel binary is replaced by a shell wrapper calling sssctl debug-level as part of merging sss_debuglevel into sssctl. The wrapper will redirect sss_debuglevel to the sssctl debug-level command performing the same task. The sss_debuglevel(8) man page is updated to indicate that sss_debuglevel is deprecated and functionality exists now in sssctl. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

d2c614143870e6efd4b3ab20c3a55cf714595256 25-Sep-2017 Justin Stephenson <jstephen@redhat.com>

SSSCTL: Move sss_debuglevel to sssctl debug-level Move code from sss_debuglevel to sssctl_logs.c and add new debug-logs sssctl command to perform the same task of changing debug level dynamically. POPT_CONTEXT_KEEP_FIRST Flag added to poptGetContext call in sssctl_debug_level() to fix argument parsing. Resolves: https://pagure.io/SSSD/sssd/issue/3057 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

1f331476e7d33bb03cc35a2a9064ee1cc5bed6cf 22-Sep-2017 Sumit Bose <sbose@redhat.com>

sssd_client: add mutex protected call to the PAC responder SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder currently uses sss_pac_make_request() which does not protect the communication with the PAC responder with a mutex as e.g. the NSS and PAM clients. If an application using threads loads this plugin via libkrb5 in different threads and is heavily processing Kerberos tickets with PACs chances are that two threads try to communicate with SSSD at once. In this case one of the threads will miss a reply and will wait for it until the default client timeout of 300s is passed. This patch adds a call which uses a mutex to protect the communication which will avoid the 300s delay mentioned above. Resolves: https://pagure.io/SSSD/sssd/issue/3518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

f2e70ec742cd7aab82b74d7e4b424ba3258da7aa 14-Sep-2017 Sumit Bose <sbose@redhat.com>

IPA: fix handling of certmap_ctx This patch fixes a use-after-free in the AD provider part and initializes the certmap_ctx with data from the cache at startup. Related to https://pagure.io/SSSD/sssd/issue/3508 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1182dd93a5a6bb18943284273f7fd59b83468843 08-Sep-2017 Justin Stephenson <jstephen@redhat.com>

CONTRIB: Add DP Request analysis script

Run this script using stap as root and Ctrl-C to print the summary report

    stap -v /usr/share/sssd/systemtap/dp_request.stp

This script will use the data provider request probe markers to provide elapsed time of each request and more information about the slowest request in the summary report.

Resolves: https://pagure.io/SSSD/sssd/issue/3061

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d46d59e78600aa72176df7217c94743b7e71881a 08-Sep-2017 Justin Stephenson <jstephen@redhat.com>

DP: Add Generic DP Request Probes Add the ability to analyze performance and monitor Data Provider requests at a high-level, probes fire when a request is sent and when a request is completed. Request name, domain, target, method, and return code information is passed as target variables to the systemtap probe tapsets which can be used in systemtap scripts. Resolves: https://pagure.io/SSSD/sssd/issue/3061 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce 06-Sep-2017 Justin Stephenson <jstephen@redhat.com>

SELINUX: Use getseuserbyname to get IPA seuser The libselinux function getseuserbyname is a more reliable method to retrieve SELinux usernames than functions from libsemanage `semanage_user_query` and is recommended by libsemanage developers. Replace get_seuser function with getseuserbyname. Resolves: https://pagure.io/SSSD/sssd/issue/3308 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Petr Lautrbach <plautrba@redhat.com>

a20fb9cbd5f42a6ca895aea1b84347fdfea34b89 05-Sep-2017 Sumit Bose <sbose@redhat.com>

certmap: add OpenSSL implementation The OpenSSL 1.1 API is used but there is a short macro block which should add the needed compatibility if an older OpenSSL version is used. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9ef185255126b9ed415fa334f585a11c5be4fb1a 01-Sep-2017 Jakub Hrozek <jhrozek@redhat.com>

SECRETS: Do not link with c-ares Since we started using libcurl for the proxy provider, there is no point in initializing or linking against c-ares. If we want to explicitly use a resolver in the future, we should use libcurl callbacks. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b4e45531b3e98efce868d8a01ebd2dbe54348217 28-Aug-2017 Sumit Bose <sbose@redhat.com>

tests: add unit tests for krb5 localauth plugin Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

f982039c75ec064894deb676ae53ee57de868590 28-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

DESKPROFILE: Introduce the new IPA session provider

In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts. As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet. It is also worth mentioning that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistency, all source files, directories created, options added, functions prefixes and so on are following the choice accordingly.

[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html

Resolves: https://pagure.io/SSSD/sssd/issue/2995

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Makefile.am
contrib/sssd.spec.in
src/confdb/confdb.h
src/config/SSSDConfig/__init__.py.in
src/config/SSSDConfig/sssd_upgrade_config.py
src/config/SSSDConfigTest.py
src/config/cfg_rules.ini
src/config/etc/sssd.api.conf
src/config/etc/sssd.api.d/sssd-ipa.conf
src/man/sssd-ipa.5.xml
src/man/sssd.conf.5.xml
src/providers/data_provider/dp.h
src/providers/data_provider/dp_target_auth.c
src/providers/data_provider/dp_targets.c
src/providers/ipa/ipa_common.c
src/providers/ipa/ipa_common.h
src/providers/ipa/ipa_deskprofile_config.c
src/providers/ipa/ipa_deskprofile_config.h
src/providers/ipa/ipa_deskprofile_private.h
src/providers/ipa/ipa_deskprofile_rules.c
src/providers/ipa/ipa_deskprofile_rules.h
src/providers/ipa/ipa_deskprofile_rules_util.c
src/providers/ipa/ipa_deskprofile_rules_util.h
src/providers/ipa/ipa_init.c
src/providers/ipa/ipa_opts.c
src/providers/ipa/ipa_session.c
src/providers/ipa/ipa_session.h
src/responder/ifp/ifp_components.c

5b93634c7f0e34f69b4cf8fb9b2e77b9179024a7 28-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

UTIL: move {files,selinux}.c under util directory files.c has at least one function that will be re-used for the new session provider that's about to be added. Also, a few other functions may be added and files.c seems the right place for those. selinux.c has been moved together with files.c as the latter takes advantage of some functions from the former and we do not want to always link against the tools code. The public functions from files.c got a "sss_" prefix and it has been changed whenever they're used. Last but not least, all the places that included "tools/tools_util.h" due to the functions on files.c had this include removed (as they were already including "util/util.h"). Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9a18f78f38e274f4906af6ef8e1a82d844fde4cc 28-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Make ipa_hbac_sysdb_save() more generic Although there's no change in the ipa_hbac_sysdb_save() itself, its name has been changed to ipa_common_entries_and_groups_sysdb_save() and it's been split out from HBAC related files and moved to the newly created ipa_rules_common.[ch] files, which will also be used in the future for new backend modules. ipa_rules_common.[ch] is not exactly the best name for those files, IMO, but I really cannot come up with something better. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3996e391054a1c02ab62e1541ae21a8204bd5d0a 03-Aug-2017 AmitKumar <amitkuma@redhat.com>

Moving headers used by both server and client to special folder These are the header files which are used by both client and server: src/util/io.h src/util/murmurhash3.h src/util/util_safealign.h This patch is about moving these header files to special folder (src/shared). It will be easier to identify these headers when looking for them in the src tree. util_safealign.h is renamed as safealign.h because util_ namespace is appropriate when this file belonged to the util's folder which is no longer the case. Resolves: https://pagure.io/SSSD/sssd/issue/1898 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

1b3425d8cbc5697f7321ba364e38ef4c5ed9f2b4 03-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

INTG: Add --with-session-recording=/bin/false to intgcheck's configure Let's ensure that running `make intgcheck-*` doesn't fail when done locally. As --with-session-recording=/bin/false is now set in the Makefile.am, there's no need to set it in contrib/ci/configure.sh. Thus, the option has been removed from there. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

382a972a80ac571cdbf70d88571f6de49fe1cd23 27-Jul-2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

CACHE_REQ: Pull sessionRecording attrs from initgr After entries are retrieved by cache_req for user info requests (except initgr), overlay them with sessionRecording attribute retrieved from an initgr request made additionally for each entry. Do not do additional initgr requests with selective session recording enabled, if we don't have any group names to match against in session recording configuration. Only do user name matches instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

5ea60d18ddb8eaff25d274c22c7db7df57b6ec4d 27-Jul-2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

DP: Add session recording conf loading Add session recording configuration loading to the data provider initialization. To be used for matching users and groups with session recording enabled. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

29dd456102dc995aa59a56483363087071bb84d6 27-Jul-2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

RESPONDER: Add session recording conf loading Add session recording configuration loading to the common responder initialization. To be used for substituting the user shell when session recording is enabled. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

99b96048b79b0228c3f7c431ea12010f7bd5b362 27-Jul-2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

UTIL: Add session recording conf management module Add an util module for loading session recording configuration. To be used by responders and data provider. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

614545382c4ac75d85fb8c80917cc675bc0ec580 25-Jul-2017 Lukas Slebodnik <lslebodn@redhat.com>

KCM: Modify krb5 snippet file kcm_default_ccache The file kcm_default_ccache must enable KCM ccache by default without any modification of the file. /etc/krb5.conf.d/ is fedora/el7 specific and it is not allowed to enable or start systemd services in scriptlets. It would result in broken krb5 configuration. Therefore krb5 configuration snippet was moved from /etc/krb5.conf.d/ -> /usr/share/sssd-kcm. And each downstream distribution should enable systemd services + change krb5 configuration in its own way. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c377d4d604f1e7b35c484711f1084b7a761772b6 24-Jul-2017 Sumit Bose <sbose@redhat.com>

idmap_error_string: add missing descriptions Related to https://pagure.io/SSSD/sssd/issue/1960 Related to https://pagure.io/SSSD/sssd/issue/1938 Related to https://pagure.io/SSSD/sssd/issue/1844 Related to https://pagure.io/SSSD/sssd/issue/1593 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

537103f296b7112d9fd505af941a6d83d7902eb1 31-May-2017 Michal Židek <mzidek@redhat.com>

TESTS: Add unit tests for cfg validation Add infrastructure for unit tests for validators. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d82ffa52dd4c3bb11115b1687edc189284797329 25-May-2017 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix build without ssh

cache_req_host_by_name_lookup should be used only by ssh responder. But we cannot rely on this fact and therefore we should return ERR_INTERNAL instead of EOK to catch mis-usage of the cache_req plugin

    autoreconf -if
    ./configure --without-ssh
    make check

    CCLD sssd_nss
    src/responder/common/cache_req/plugins/cache_req_host_by_name.o: In function `cache_req_host_by_name_lookup':
    src/responder/common/cache_req/plugins/cache_req_host_by_name.c:48: undefined reference to `sysdb_get_ssh_host'
    collect2: error: ld returned 1 exit status
    make: *** [Makefile:14285: sssd_nss] Error 1

    src/tests/cmocka/test_utils-test_sss_ssh.o: In function `test_textual_public_key':
    src/tests/cmocka/test_sss_ssh.c:78: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:82: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:86: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:89: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_sss_ssh.c:92: undefined reference to `sss_ssh_format_pubkey'
    src/tests/cmocka/test_utils-test_sss_ssh.o:src/tests/cmocka/test_sss_ssh.c:95: more undefined references to `sss_ssh_format_pubkey' follow
    collect2: error: ld returned 1 exit status

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

02bb4f87413c634599ad1d8f384d97605ee53771 24-May-2017 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Link libwbclient with libdl

dlopen-tests cannot catch it because it has to be linked with libdl

    sh$ grep dlopen src/sss_client/libwbclient/
    src/sss_client/libwbclient/wbc_pwd_sssd.c: ctx->dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);

    sh$ nm --dynamic --undefined-only .libs/libwbclient.so | grep dlopen
    U dlopen

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

1732c40287be0ff918e42ae0045aafeee91b3c7b 23-May-2017 Lukas Slebodnik <lslebodn@redhat.com>

INTG: Do not use configure time option enable-files-domain The implicit_files was started with each test even though was not required. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ec9ac22d699a17d590b1d4ba9ba3750eb719f340 23-May-2017 Sumit Bose <sbose@redhat.com>

test: make sure p11_child is build for pam-srv-tests Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

4a9160e2b3b9c531e2b4a7884f49bfbb4a07a992 10-Apr-2017 Sumit Bose <sbose@redhat.com>

sssctl: integrate pam_test_client into sssctl Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9be97c9cc69e5e6e568d7e21f61a46c3ae2dc387 10-Apr-2017 Sumit Bose <sbose@redhat.com>

pam_test_client: add InfoPipe user lookup Related to https://pagure.io/SSSD/sssd/issue/3292 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

40ff10d73063949ca699670ca212e96b809d5fcd 10-Apr-2017 Sumit Bose <sbose@redhat.com>

sss_sifp: update method names Related to https://pagure.io/SSSD/sssd/issue/3292 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

435b3678de25d22eb8a6e892109d26c32f0760a4 10-Apr-2017 Sumit Bose <sbose@redhat.com>

pam_test_client: add SSSD getpwnam lookup Related to https://pagure.io/SSSD/sssd/issue/3292 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 06-Apr-2017 Michal Židek <mzidek@redhat.com>

selinux: Do not fail if SELinux is not managed Previously we failed if semanage_is_managed returned 0 or -1 (not managed or error). With this patch we only fail in case of error and continue normally if selinux is not managed by libsemanage at all. Resolves: https://fedorahosted.org/sssd/ticket/3297 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

84fecc2fd535030bc56b5046ba2a1ba95c46bc34 03-Apr-2017 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix compilation of libsss_certmap with libcrypto

    CC src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo
    src/lib/certmap/sss_cert_content_nss.c:25:18: fatal error: cert.h: No such file or directory
     #include <cert.h>
                      ^
    compilation terminated.

Reviewed-by: Sumit Bose <sbose@redhat.com>

df99d709c8cbef3c378c111944d83b7345e4c1ea 30-Mar-2017 Pavel Březina <pbrezina@redhat.com>

secrets: use tcurl in proxy provider We switch from http-parser to libcurl for an http client. This gives us many features for free such as tls and http basic authentication support instead of implementing it on our own. Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

66c8e92eb5a4985bb7f64c349a53b08030a000cf 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

CACHE_REQ: Make use of domainResolutionOrder domainResolutionOrder has been introduced in the previous commits and allows the admin to set up a specific order which the domains will be resolved during a lookup and with this patch we can take advantage of this. In order to have it working a new structure has been added (struct domain_resolution_order) to the responder context and will be used by the cache_req to perform the lookups based on this list. As the ipaDomainResolutionOrder may be set globally on IPA or per View, SSSD does respect the following precedence order: View > Globally. The way the list is built is quite simple, basically having the domains present on ipaDomainResolutionOrder as the first domains (in that specific order) and then appending the remaining domains to this list. The final result is a completely flat list with all the domains respecting the specified order (it's important to remember that the domains not specified won't follow any specific order, they're just "random" based on the domains list present in the responder context). Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

723d514f641e2b5a5cbfe1c6c7bdd2a6f3c5070e 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

SYSDB/TESTS: Add tests for the domain's resolution order methods Introduce a new and small set of tests for these new helper methods that are going to be used in different parts of the code in the follow-up patches. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2e85b015d8dd231094a09eab69b86e8b6fcc8b2b 29-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

SYSDB: Add methods to deal with the domain's resolution order In the following-up patches those newly introduced methods will be used to deal with the domainResolutionOrder attribute. The sysdb_update_domain_resolution_order() method is purposely not checking whether a value has changed or not before writing to sysdb and while may not be optimal, the readability of the code has increased a lot by keeping it as simple as possible. Tests for these new methods are part of the next commit. Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

8e785c7478e1a79179842106a62f3f85118b6690 28-Mar-2017 Lukas Slebodnik <lslebodn@redhat.com>

intg: fix configure failure with strict cflags

The warning -Wstrict-prototypes is a part of AM_CFLAGS which was appended for CFLAGS in make target intgcheck-prepare. And combination with strict CFLAGS in environment variable (e.g. -Werror) caused failures.

    sh$ CFLAGS="-Werror" make intgcheck-prepare
    checking for gcc... gcc
    checking whether the C compiler works... no
    configure: error: in `/home/build/sssd/ci-build-debug/intg/bld':
    configure: error: C compiler cannot create executables

    configure:3719: checking whether the C compiler works
    configure:3741: gcc -g3 -O2 -Werror -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -DKCM_PEER_UID=1000 conftest.c >&5
    conftest.c:11:1: error: function declaration isn't a prototype [-Werror=strict-prototypes]
     main ()
     ^~~~
    cc1: all warnings being treated as errors

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2b5518eeaacc6245cfa77ee4a7086f16208060fc 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Queue requests by the same UID In order to avoid race conditions, we queue requests towards the KCM responder coming from the same client UID. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

cac0db2f8004ae88b9263dc3888a11a2d3d3d114 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Store ccaches in secrets Adds a new KCM responder ccache back end that forwards all requests to sssd-secrets. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

1ec4198f38d34a1f82a2db55d8c9782a434fb55f 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Implement KCM server operations Implements the actual KCM server operations. On a high level, each operation unmarshalls the needed data from the input buffer, calls into the ccache db and marshalls a response. Only the operations that are also implemented by the MIT client are implemented by our KCM server. Resolves: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

70fe6e2bb398b8669ad1aebeaf0abcbffc307475 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Add a in-memory credential storage Implements a simple back end for the ccache module that lets the KCM server store credentials directly in memory. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

bea0dc79faf609de8603cb42f190adae544bc8fb 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Implement an internal ccache storage and retrieval API In order for the KCM server to work with ccaches stored in different locations, implement a middle-man between the KCM server and the ccache storage. This module has asynchronous API because we can't assume anything about where the ccaches are stored. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

b9c563c29243291f40489bb0dcbf3946fca72d58 27-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

KCM: Initial responder build and packaging Adds the initial build of the Kerberos Cache Manager responder (KCM). This is a daemon that is capable of holding and storing Kerberos ccaches. When KCM is used, the kerberos libraries (invoked through e.g. kinit) are referred to as a 'client' and the KCM daemon is referred to as 'server'. At the moment, only the Heimdal implementation of Kerberos implements the KCM server: https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html This patch adds a KCM server to SSSD. In MIT, only the 'client-side' support was added: http://k5wiki.kerberos.org/wiki/Projects/KCM_client This page also describes the protocol between the client and the server. The client is capable of talking to the server over either UNIX sockets (Linux, most Unixes) or Mach RPC (macOS). Our server only implements the UNIX sockets way and should be socket-activated by systemd, although can in theory be also run explicitly. The KCM server only builds if the configuration option "--with-kcm" is enabled. It is packaged in a new subpackage sssd-kcm in order to allow distributions to enable the KCM credential caches by installing this subpackage only, without the rest of the SSSD. The sssd-kcm subpackage also includes a krb5.conf.d snippet that allows the admin to just uncomment the KCM defaults and instructs them to start the socket. The server can be configured in sssd.conf in the "[kcm]" section. By default, the server only listens on the same socket path the Heimdal server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is, however, configurable. The file src/responder/kcm/kcm.h is more or less directly imported from the MIT Kerberos tree, with an additional sentinel code and some comments. Not all KCM operations are implemented, only those that also the MIT client implements. That said, this KCM server should also be usable with a Heimdal client, although no special testing was done with this hybrid.
The patch also adds several error codes that will be used in later patches. Related to: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

440797cba931aa491bf418035f55935943e22b4b 23-Mar-2017 Sumit Bose <sbose@redhat.com>

nss-idmap: add sss_nss_getlistbycert() This patch adds a getlistbycert() call to libsss_nss_idmap to make it on par with InfoPipe. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

49f8ec8e0a3723a748bdb043d6dc1fb2a3977a8a 23-Mar-2017 Sumit Bose <sbose@redhat.com>

sysdb: add certmap related calls Add sysdb calls to write and read data for the certificate mapping library to the cache. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b341ee51cffd98b642b9c68a417f8a7504e303a1 23-Mar-2017 Sumit Bose <sbose@redhat.com>

sss_cert_derb64_to_ldap_filter: add sss_certmap support Use certificate mapping library if available to lookup a user by certificate in LDAP. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

31a6661ff2a640fbcf97460df2415fd1bab309b5 23-Mar-2017 Sumit Bose <sbose@redhat.com>

certmap: add placeholder for OpenSSL implementation Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

db36dca3d45e6eefbb30042ee65876566f1a6014 23-Mar-2017 Sumit Bose <sbose@redhat.com>

certmap: add new library libsss_certmap With this library it would be possible to map certificates and users not only by adding the full certificate to the user's LDAP object but by adding e.g. only parts like the issuer and subject name. Additionally the library is also able to flexibly select/match certificates based on values in the certificate. Details about mapping and matching rules can be found in the included man page. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

843bc50c04afa6e4f4a4561d887bbbd5f7101ce1 23-Mar-2017 Sumit Bose <sbose@redhat.com>

split_on_separator: move to a separate file To be able to include split_on_separator() without additional dependencies (only talloc), it is moved into a separate file. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

91b0592cdab22915dff27ceae6d8e49c608aea4a 14-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

TESTS: test the curl wrapper with a command-line tool In order to test the curl integration code, this patch adds a command-line tool and tests that it's possible to drive a conversation with the secrets responder using the tool. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ca90f2102a43a3d49a2ef26610d7b4ff3062a823 14-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Add a libtevent libcurl wrapper Adds a request that enables the caller to issue an asynchronous request with libcurl. Currently only requests towards UNIX sockets are supported. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9a9b5e115b079751422be22fd252c0b283611c62 14-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Add a generic iobuf module The KCM responder reads bytes and writes bytes from a buffer of bytes. Instead of letting the caller deal with low-level handling using the SAFEALIGN macros, this patch adds a new iobuf.c module with more high-level functions. The core is an iobuf struct that keeps track of the buffer, its total capacity and a current read or write position. There are helper functions to read or write a generic buffer with a set length. Later, we will also add convenience functions to read C data types using the SAFEALIGN macros. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7cd226414c7bcdd32f05416df64ebda3ac869bd7 14-Mar-2017 Pavel Březina <pbrezina@redhat.com>

CACHE_REQ: Move result manipulation into a separate module This patch is preparing the field for coming up patches where new lookup logic will be added. Taking this into consideration let's move the result manipulation code into a separate module and focus purely in the lookups logic in the main module. Related: https://pagure.io/sssd/sssd/issue/3001 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

9c0c83eecf963416effee67dab55711234373fde 02-Mar-2017 Fabiano Fidêncio <fidencio@redhat.com>

SYSTEMD: Don't mix up responders' socket and monitor activation Let's ensure that in case a responder is explicitly configured in the sssd.conf its socket won't even start. The patchset introduces a new binary that will be distributed and will be called before starting the responders' sockets, ensuring the sockets will only start in case the responder is supposed to be socket-activated and it's been configured accordingly. Otherwise the responders' socket startup will fail with a quite helpful debug message leading the admins to choose between using systemd or not and what has to be done to achieve their desire. This suggestion came from Sumit Bose. The reason for adding a new binary instead of a simple python script is to avoid dragging unnecessary dependencies to sssd-common package. Resolves: https://pagure.io/SSSD/sssd/issue/3300 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

54039570d26e29444c398aa4ad6ba638f1713566 02-Mar-2017 Sumit Bose <sbose@redhat.com>

cache_req: use own namespace for UPNs If the UPN use the same domain name as the configured domain an unsuccessful lookup by name will already create an entry in the negative cache. If the lookup by UPN would use the same namespace the lookup will immediately be finished because there would already be an entry in the negative cache. Resolves: https://pagure.io/SSSD/sssd/issue/3313 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

76b6d7fb9f31f7836158d248161aec3558098659 27-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Enable the files domain for all integration tests This is done to make sure that enabling the files domain doesn't break existing functionality as well as making it possible to even that the implicit domain, since all integration tests use the same configuration. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ee6c7e8b589497119ec1ee40e99611f362111600 15-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

MONITOR: Use the common inotify code to watch resolv.conf The monitor code used its own inotify callbacks to watch for changes to resolv.conf. Instead of keeping this duplicated code around, let's use the shared inotify module that also powers the files provider. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

c71e0a6710418991d759a329b8dcb77c7ad3e16e 15-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

FILES: Add the files provider Adds a new provider type "files". The provider watches the UNIX password and group databases for changes using inotify and propagates its contents to the sysdb. The files provider is only built on platforms that support the inotify interface, polling or loading the entries on-demand is not supported. During initialization, the files are loaded from the environment variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to /etc/passwd and /etc/group respectively. Loading the files from environment variables is mostly implemented for tests that need to load nss_wrapped files. The files provider is a bit different from other provider types in the sense that it always enumerates full contents of the database. Therefore, the requests from Data Provider are always just replied to with success. Enumerating the contents is done in full at the moment, all users and all groups are removed and added anew. Modifying the passwd and group databases should be rare enough for this to be justified and we can optimize the code later. Since with large databases, the cache update might take a bit of time, we signal the responders to disable the files domain once we receive the inotify notification and re-enable the files domain after the update is finished. The idea is that the NSS configuration would still contain "files" after "sss" so that if the domain is disabled, libc would fall back to a direct "files" lookup. Resolves: https://fedorahosted.org/sssd/ticket/3262 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

8cfb42e1985550e99585d311f68087d414932806 15-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Add a generic inotify module Adds a reusable module for watching files using the Linux-specific inotify(7) interface. Adds the possibility to watch the file's parent directory as well to make it possible to watch moves into the directory and allow watching file that doesn't exist at the time the watch is created. This interface is needed to implement the files provider, so this commit is related to: https://fedorahosted.org/sssd/ticket/2228 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

b3ee4be9e1794fa823696d70d4958f3b0269939c 15-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

DP: Add internal DP interface to set domain state Adds functions to the interface Data Provider publishes towards back ends that allows the back ends to notify responders that a domain has been enabled or disabled. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

205a0b9e9234327730fa808be95b2e1db7ffee95 15-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: A sbus interface to reset negatively cached users and groups Adds two new responder sbus interface functions: ResetNegcacheUsers and ResetNegcacheGroups. These functions can be called by a Data Provider to signal to a responder that it should drop its negative cache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

c109f063b4469818fd335b8b509f0458e7b33b0a 15-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: Add a responder sbus interface to set domain state Adds a generic responder s-bus interface that all responders implement. The interface currently contains methods that make it possible for a sssd domain to be marked as active or inconsistent by a back end. In the future, this commit will be superseded by sbus signals. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

e5d8b0e10238490c5d199063c0a258ba53c2ac65 08-Feb-2017 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix linking of test_sdap_initgr There was a linking failure on debian: /usr/bin/ld: src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o: undefined reference to symbol 'hash_iterate@@DHASH_0.4.3' //usr/lib64/libdhash.so.1: error adding symbols: DSO missing from command line collect2: error: ld returned 1 exit status This patch adds some missing libraries and removes unnecessary libraries. Bug was introduced in commit 0b7ded15e53b3f31f1570c366f04bc41e5761929 Reviewed-by: Michal Židek <mzidek@redhat.com>

a8191ce7ad5364801ad9458c3194075a7ca77b8a 08-Feb-2017 Pavel Březina <pbrezina@redhat.com>

ssh: rewrite ssh responder to use cache_req This is a bigger change since both supported commands could be rewritten for cache_req and the logic could be deleted. I decided to also split the file into more modules and follow similar pattern as with nss responder. Resolves: https://fedorahosted.org/sssd/ticket/1126 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

53c31b83e4d06ea4c2813eec2f1e647a613b4a2b 08-Feb-2017 Pavel Březina <pbrezina@redhat.com>

cache_req: add host by name search Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0b7ded15e53b3f31f1570c366f04bc41e5761929 08-Feb-2017 Petr Čech <pcech@redhat.com>

TESTS: Tests for sdap_search_initgr_user_in_batch This patch provides tests for core logic of sdap_search_initgr_user_in_batch() function. This function replaces old approach with sysdb_try_to_find_expected_dn() function. Resolves: https://fedorahosted.org/sssd/ticket/3230 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

c029f707d4847b01ff64bf3bb1fd46c0b5927cdb 07-Feb-2017 Lukas Slebodnik <lslebodn@redhat.com>

Partially revert "CONFIG: Use default config when none provided" This reverts part of commit 59744cff6edb106ae799b2321cb8731edadf409a. Removed is copying of default configuration into /etc/sssd/sssd.conf Sample configurations is still part of installation. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c369b062182c746849196e495db467198039edf4 26-Jan-2017 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix linking of test_wbc_calls Client code does not anymore depend on libpthread in master. This is a reason why we didn't notice any linking failure in master. But the test should be linked with CLIENT_LIBS. CCLD test_wbc_calls /usr/bin/ld: src/sss_client/test_wbc_calls-common.o: undefined reference to symbol 'pthread_mutexattr_setrobust@@GLIBC_2.12' //lib/x86_64-linux-gnu/libpthread.so.0: error adding symbols: DSO missing from command line collect2: error: ld returned 1 exit status Makefile:12460: recipe for target 'test_wbc_calls' failed Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

9222a4fcbeec9d5a6f84aab31a5131f14d4a6430 23-Jan-2017 Fabiano Fidêncio <fidencio@redhat.com>

IFP: Make IFP responder dbus-activatable As part of the effort of making all responders socket-activatable (or, in the IFP case, dbus-activatable), let's make the IFP responder ready for this by providing its systemd's units. Related: https://fedorahosted.org/sssd/ticket/2243 Resolves: https://fedorahosted.org/sssd/ticket/3129 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

f37e795cd16310759dc9741c1ab1323b287a9101 23-Jan-2017 Fabiano Fidêncio <fidencio@redhat.com>

SUDO: Make Sudo responder socket-activatable As part of the effort of making all responders socket-activatable, let's make Sudo responder ready for this by providing its systemd's units. In case the administrators want to use Sudo responder taking advantage of socket-activation they will need to enable sssd-sudo.socket and after a restart of the sssd service, the Sudo socket will be ready waiting for any activity in order to start the Sudo responder. Also, the Sudo responder must be removed from the services line on sssd.conf. The Sudo responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b33c275ebac86695f7a2fa866e5766d469e2c578 23-Jan-2017 Fabiano Fidêncio <fidencio@redhat.com>

SSH: Make SSH responder socket-activatable As part of the effort of making all responders socket-activatable, let's make SSH responder ready for this by providing its systemd's units. In case the administrators want to use SSH responder taking advantage of socket-activation they will need to enable sssd-ssh.socket and after a restart of the sssd service, the SSH socket will be ready waiting for any activity in order to start the SSH responder. Also, the SSH responder must be removed from the services line on sssd.conf. The SSH responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6a7e28f06e4db1fa07e63ee39f3c28446ff56f4e 23-Jan-2017 Fabiano Fidêncio <fidencio@redhat.com>

PAM: Make PAM responder socket-activatable As part of the effort of making all responders socket-activatable, let's make PAM responder ready for this by providing its systemd's units. In case the administrators want to use PAM responder taking advantage of socket-activation they will need to enable sssd-pam.socket and after a restart of the sssd service, the PAM socket will be ready waiting for any activity in order to start the PAM responder. Also, the PAM responder must be removed from the services line on sssd.conf. The PAM responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. PAM responder, differently from the others, is a special case as it has two sockets and its private sockets must be owned by root and must have a specific permission (0600). It's not new, though, and it's following what has been already done in the project. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e4093605339062548364d338c811431673bdfe25 23-Jan-2017 Fabiano Fidêncio <fidencio@redhat.com>

PAC: Make PAC responder socket-activatable As part of the effort of making all responders socket-activatable, let's make PAC responder ready for this by providing its systemd's units. In case the administrators want to use PAC responder taking advantage of socket-activation they will need to enable sssd-pac.socket and after a restart of the sssd service, the PAC socket will be ready waiting for any activity in order to start the PAC responder. Also, the PAC responder must be removed from the services line on sssd.conf. The PAC responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

40e9ad2bf250cc3bfcdec7fb96031e2771160f69 23-Jan-2017 Fabiano Fidêncio <fidencio@redhat.com>

NSS: Make NSS responder socket-activatable As part of the effort of making all responders socket-activatable, let's make the NSS responder ready for this by providing its systemd's units. In case the administrators want to use NSS responder taking advantage of socket-activation they will need to enable sssd-nss.socket and after a restart of the sssd service, the NSS socket will be ready waiting for any activity in order to start the NSS responder. Also, the NSS responder must be removed from the services line on sssd.conf. The NSS responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. It is quite important to mention that NSS responder will always run as root. The reason behind this is that systemd calls getpwnam() and getgrnam() when "User="/"Group=" is set to something different than "root". As it's done _before_ starting NSS responder, the clients would end up hanging for a few minutes (due to "default_client_timeout"), which is something that we really want to avoid. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

61cd5c8307be4c4ac53028c4499b8bdd78e322b6 23-Jan-2017 Fabiano Fidêncio <fidencio@redhat.com>

AUTOFS: Make AutoFS responder socket-activatable As part of the effort of making all responders socket-activatable, let's make the AutoFS responder ready for this by providing its systemd's units. In case the administrators want to use AutoFS responder taking advantage of socket-activation they will need to enable sssd-autofs.socket and after a restart of the sssd service, the AutoFS socket will be ready waiting for any activity in order to start the AutoFS responder. Also, the AutoFS responder must be removed from the services line on sssd.conf. The AutoFS responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shutdown in case SSSD is shutdown/crashes. Related: https://fedorahosted.org/sssd/ticket/2243 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

0b78b4e32955ced0f35c6d4685bd277bb03d04cb 21-Jan-2017 Sumit Bose <sbose@redhat.com>

libwbclient-sssd: wbcLookupSid() allow NULL arguments Some caller might not be interested in some of the values wbcLookupSid() returns and just pass NULL. Currently 'net ads user info' does this because it is not interested in the domain. wbcLookupSid() should handle this gracefully. Resolves: https://fedorahosted.org/sssd/ticket/3273 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d4063e9a21a4e203bee7e0a0144fa8cabb14cc46 09-Jan-2017 Victor Tapia <victor.tapia@canonical.com>

MONITOR: Create pidfile after responders started Resolves: https://fedorahosted.org/sssd/ticket/3080 Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

929bb1170931d7aafac4dc0572ce18747c919a56 02-Jan-2017 Lukas Slebodnik <lslebodn@redhat.com>

intg: Generate tmp dir with lowercase This is a workaround for buggy python-requests 2.12.4. It cannot handle uppercase letters in file path. The manual page MKTEMP(1) says that the parameter --dry-run is unsafe. It is not critical for our use-case in CI but we should revert the patch after a fixed version of python-requests is released Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

075d89886666d3b608355d8f235b411051a9d22e 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

nss: remove the old code Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

8d5292227a8d1ab9c6aa5b88d8ac8655cd1223e5 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

nss: make nss responder tests work with new code There were a few types of changes that were required for tests to work: 1) When calling "get by name" commands, a name is parsed with sss_parse_inp. Returned value is now mocked. 2) When calling "get by upn" commands, a name is parsed with sss_parse_inp and negative cache is not hit in the first run since cache_req knows it may be upn since it is not equal to any known domain. Returned value of sss_parse_inp is now mocked to return ERR_DOMAIN_NOT_FOUND and negative cache hits are checked to be 0. 3) Lookups by certificate or sid do not require name parsing so those have separate mock functions. 4) Sometimes the tests fail since a different number of mocked functions is called due to changes in the code. Where possible, will_return_always() is used, otherwise number of mocked values was fixed. 5) In SID by name lookups, we set nss_test_ctx->tctx->done to false at the beginning of the for cycle, since the code now contains tevent calls and without it only a first request proceeds into tevent_loop in test_ev_loop() because the first finished request sets it to true. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

4049b63f8c67ada17b453463b0451ca6be3d5de4 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

nss: rewrite nss responder so it uses cache_req Given the size of the current nss responder it was quite impossible to simply switch into using the cache_req interface, especially because most of the code was duplication of cache lookups. This patch completely rewrites the responder from scratch. The amount of code was reduced to less than a half lines of code with no code duplication, better documentation and better maintainability and readability. All functionality should be intact. *Code organization* All protocol (parsing input message and send a reply) is placed in nss_protocol.c. Functions that deal with creating a reply packet are placed into their specific nss_protocol_$object.c files. All supported commands are placed into nss_cmd.c. Functions that deal with cache req are in nss_get_object.c and nss_enum.c. *Code flow for non-enumeration* An nss_getby_$input-type is called for each non-enumeration command. This function parses the input message, creates a cache_req_data structure and issues nss_get_object that calls cache_req. When this request is done nss_getby_done makes sure a reply is sent to the client. *Comments on enumeration* I made some effort to make sure enumeration shares the same code for users, groups, services and netgroups. Netgroups now uses nss negative cache instead of implementing its own. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

a5a3bbb0bbaeb8946c228c2fb7f0cf450595dd3e 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

utils: add sss_ptr_hash module We often work with <string, pointer> type of hash table throughout sssd. This module creates and maintains such hash table and makes sure that hash entry is destroyed when original value is freed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3be2628d8aba6aeb99ac1484da990f1fad8169ec 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add object by id This request returns either user or group object. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

488518dde58724daa13b9216a0f1af6e0ba5401f 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add object by name This request returns either user or group object. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7a2ca8d776df685bddbb64370181fb32d776f676 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: return well known objects in object by sid Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6b159f14f69134bba8510a6b50ab62493a23a73f 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add support for netgroups Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

0ae7e46a3990c47873fca879a9395e3ce00d9150 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add support for services enumeration Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

c2fc9459c31cb1192ab3c15ce4df1c150e99bf95 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add support for service by port Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2e13817e64ff1e0e47dc844be501f2d3ab299f34 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add support for service by name Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

12d771585a84a7523a5b7d9cf502d4bcddecb9b9 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add group enumeration Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

a79acee185654d110c0e35ba351368d664e4e53d 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: add user enumeration Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

167b05b28d6b969230973646bee2f1c1f49205d2 28-Nov-2016 Sumit Bose <sbose@redhat.com>

krb5: add tests for common functions Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

99b2352f909c548811617389641a9ccc3e17bc53 24-Nov-2016 Fabiano Fidêncio <fidencio@redhat.com>

BUILD: Drop libsss_config libsss_config has been used only by OpenLMI and the project has been deprecated making, then, no sense to keep the support on SSSD. Distros that, for some reason, are still packing and distributing OpenLMI can stick to SSSD 1.14 branch. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d2f93542650c2f9613043acfa8e2f368972a70cd 24-Nov-2016 Howard Guo <hguo@suse.com>

sss_client: Defer thread cancellation until completion of nss/pam operations The client code is not cancellation-safe, an application which has cancelled an NSS operation will experience subtle bugs, hence thread cancellation is deferred until completion of client operations. Resolves: https://fedorahosted.org/sssd/ticket/3156 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>

6d11fdcd8ef05000dd20b3431f8491790f99a802 07-Nov-2016 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix linking with librt The POSIX realtime extensions define timer_* functions but do not mention the library with these functions. http://www.unix.org/version2/whatsnew/realtime.html The autoconf macro AC_SEARCH_LIBS first checks the function timer_create with no libraries, then for each library listed in the 2nd parameter. Possible libraries librt and libposix4 were used in nspr for similar detection. Reviewed-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>

13adcd07000ba3ca1422c6ee863df17d70e2b14c 22-Oct-2016 Sorah Fukumori <her@sorah.jp>

BUILD: Fix installation without samba winbindplugindir is defined only when BUILD_SAMBA is on. Also the file doesn't exist when BUILD_SAMBA is off, so installation will fail. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

4117ae3230f6744c255b0309e86d519d7e41d2d7 21-Oct-2016 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix build without samba The test test_ad_subdom should be compiled only if samba build is enabled.
In file included from src/tests/cmocka/test_ad_subdomains.c:39:0:
./src/providers/ad/ad_subdomains.c:35:17: fatal error: ndr.h: No such file or directory
 #include <ndr.h>
 ^
compilation terminated.
Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

8f1316a0c677f211eaaa1346e21a03446b8c4fb1 20-Oct-2016 Lukas Slebodnik <lslebodn@redhat.com>

crypto: Port libcrypto code to openssl-1.1 EVP_MD_CTX and EVP_CIPHER_CTX are opaque in openssl-1.1 Reviewed-by: Tomas Mraz <tmraz@redhat.com>

4169fb26ea2ff93c19ecdad6e09382732ea5deeb 20-Oct-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: switch to new code This patch switches the old switch-based cache req code to the new plugin-based. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f4f2edba5c555773d7c9adfa95562b96b0c0cdb2 11-Oct-2016 Pavel Březina <pbrezina@redhat.com>

sssctl: use systemd D-Bus API If systemd is used we leverage its D-Bus API instead of running systemctl. Resolves: https://fedorahosted.org/sssd/ticket/3056 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

bc1e74e5f0f69d7ed9a7ad8455de59c979816431 26-Sep-2016 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: intgcheck need to fail if pytest fails Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

1773fdad2730f3f910782781fa286f402ce36cca 22-Sep-2016 Lukas Slebodnik <lslebodn@redhat.com>

SSSDConfig: Do not fail with nonexisting domains/services dict.keys() returns an iterator in python3 and not a list. Changing data in a dictionary while using an iterator fails with "RuntimeError: dictionary changed size during iteration" https://fedorahosted.org/sssd/ticket/3107 Reviewed-by: Michal Židek <mzidek@redhat.com>

6ad1f2da4055e2cfe9bf8c79b79e408dba171691 21-Sep-2016 Lukas Slebodnik <lslebodn@redhat.com>

TESTS: Add simple test for double semicolon Reviewed-by: Pavel Březina <pbrezina@redhat.com>

4f2509f8d23d9e921f07b2ead63392ae82ad3a38 19-Sep-2016 Petr Čech <pcech@redhat.com>

MAKEFILE: Fixing CFLAGS in some tests Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

4229ffb929bd7029f8b94d92099032d3350f5cf4 29-Aug-2016 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Remove leftover after sysdb refactoring Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

9639cf410dd6ba9670748535811f061e0c475bc6 29-Aug-2016 Fabiano Fidêncio <fidencio@redhat.com>

BUILD: Fix typo in intgcheck-run rule During the review process "intgcheck-build" ended up being merged to the "intgcheck-prepare" rule. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

01d970a8afa6ffed82b3e8dda96e08118222e16e 29-Aug-2016 Fabiano Fidêncio <fidencio@redhat.com>

BUILD: Clean up prerelease targets Clean up the pre-release targets in order to avoid lines exceeding 80 characters. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6159c33125f8ee82e88d495ea2aa5d00018ea844 29-Aug-2016 Fabiano Fidêncio <fidencio@redhat.com>

BUILD: Add a few more targets for intg tests Running "make intgcheck" has been proven to be a bit painful (mainly when the developer is just writing down a single test case), as it cleans up the build directory and fires a new build before, finally, running the tests. In order to make it a little less painful, let's break the whole operation into 3 new targets: intgcheck-{prepare,run,clean}. As expected, "make intgcheck" calls these 3 new operations in the same order they were presented, not changing then the current behavior. Each operation will trigger the previous one in case there is no "$$prefix" directory created and the directory is _only_ created in the very first operation (intgcheck-prepare). A note must be made about how to run a simple test file or a simple test from a test file when running "make intgcheck-run". The option has always been here but only makes sense now that we have the intgcheck split in a few useful steps. See the examples below (and for more detailed information, check the py.test documentation):
#Run a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_netgroup.py"
#Run a single test from a single file
make intgcheck-run INTGCHECK_PYTEST_ARGS="-k test_add_empty_netgroup"
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

f49724cd6b3e0e3274302c3d475e93f7a7094f40 26-Aug-2016 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Allow to read private pipes for root Root can read anything from any directory even with permissions 000. However SELinux checks discretionary access control (DAC) and denies access if access is not allowed for root by DAC. The pam_sss uses a different unix socket /var/lib/sss/pipes/private/pam for user with uid 0. Therefore root needs to be able to read the content of the directory with private pipes.
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
Resolves: https://fedorahosted.org/sssd/ticket/3143 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

733100a12138a701d0ae7ef5af2b04b08e225033 17-Aug-2016 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Ship systemd service file for sssd-secrets Adds two new files: sssd-secrets.socket and sssd-secrets.service. These can be used to socket-activate the secrets responder even without explicitly starting it in the sssd config file. The specfile activates the socket after installation which means that the admin would just be able to use the secrets socket and the sssd_secrets responder would be started automatically by systemd. The sssd-secrets responder is started as root, mostly because I didn't think of an easy way to pass the uid/gid to the responders without asking about the sssd user identity in the first place. But nonetheless, the sssd-secrets responder wasn't tested as non-root and at least the initialization should be performed as root for the time being. Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b3a22ee1d91aa4ed1544475be16ec2b7cf886180 17-Aug-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Use sss_atomic_read_s in generate_csprng_buffer There was a bug in generate_csprng_buffer() where if we read the exact amount of bytes from /dev/urandom, we would always return EIO. Instead, let's reuse the existing code from sss_atomic_read_s() which fixes this bug and reduces code duplication. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>

e4d18b748fd8298b5cc6b6687ca05ffffa20c574 17-Aug-2016 Petr Cech <pcech@redhat.com>

TESTS: Adding tests for ad_enabled_domains option There is special logic around ad_enabled_domains option: * option is disabled by default * master domain is always added to enabled domains Resolves: https://fedorahosted.org/sssd/ticket/2828 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

04e870d99e72aa3160bdb6ab05d986fb4005c3ed 16-Aug-2016 Pavel Březina <pbrezina@redhat.com>

DP: Remove old data provider interface Reverse data provider interface is moved to a better location in NSS responder. All responders now can have an sbus interface defined per data provider connection. The unused old data provider interface is removed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e07d700ed9daf0cf96607fa2d72978cb2431b794 16-Aug-2016 Pavel Březina <pbrezina@redhat.com>

PROXY: Do not abuse data provider interface We want to use custom interface for proxy provider so we do not abuse the data provider one. This way we gain more control over it and we can remove the old interface entirely. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

439e08cdc5c83b3e5835cb0435983f1da2ffbaf1 16-Aug-2016 Pavel Březina <pbrezina@redhat.com>

sbus: add utility function to simplify message and reply handling This patch adds the ability to hook DBusMessage to a talloc context to remove the need of calling dbus_message_unref(). It also provides an automatic way to detect an error in a reply so the caller does not need to parse it manually and the whole code around DBusError can be avoided. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c777f575b0ec0c48ce3b85ea2c5cc298db02450e 10-Aug-2016 Jakub Hrozek <jhrozek@redhat.com>

SIMPLE: Make the DP handlers testable To make it possible to call the whole DP handler in the unit test, not just the evaluator part. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7fe7073ad2c84946a699528a3bb79f7803c96b69 25-Jul-2016 Sumit Bose <sbose@redhat.com>

tests: add tests for netlogon_get_domain_info Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e088912418fd4db750f2097dfde8ef9b77303f05 07-Jul-2016 Michal Židek <mzidek@redhat.com>

sssctl: Add config-check command Fixes: https://fedorahosted.org/sssd/ticket/2269 The sssctl config-check command allows calling SSSD config file validators on demand. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

bae42db17f223e9ba7fa239d899414877d9d8eaf 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Convert the tests to use qualified names for ldb lookups The timestamp cache tests look into ldb to check the timestamps. This patch converts the lookups to qualified names to make sure the lookups actually match. Reviewed-by: Sumit Bose <sbose@redhat.com>

2b62d5a414b8b7dba4f714dc5033e28dc4b1f4fe 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

PAM: Use qualified names internally in the PAM responder The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com>

2dcf7b9b65df21f2aee6cdf051a7fbdef6dfe034 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

NSS: Fix NSS responder to cope with fully-qualified usernames Adds a utility function sized_output_name() which wraps the output_name() function and returns the sized_struct structure. This function is used when formatting the output name for the client, but also when saving/deleting the memory cache entries. Its sister function sized_member_name() is very similar, but infers the domain name from memberuid or ghost attribute. Because all names internally are used in the same format, the logic to append domain or format the username for output in the fill_XXX() family of functions is much simpler. In general, adding a domain suffix no longer relies on the domain being a subdomain, but only the dom->fqnames. The parse_member() function was removed because it is no longer required. The nss test was amended to store names in the internal fqdn format on input and checks for either shortnames or qualified names with the right format created using sss_tc_fqname() on output. Reviewed-by: Sumit Bose <sbose@redhat.com>

3432a503c714732407ea18b2dd32f4f432a6c545 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Fix the nested group tests to cope with FQDNs Reviewed-by: Sumit Bose <sbose@redhat.com>

583c1b9a052f4eb5ba046c5f2b7d2ed2a81b6d66 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Convert the simple access provider to cmocka Using a cmocka-based test allows us to initialize the domain using the common helper functions which in turn allows us to set different properties with confdb, same as sssd itself does. Reviewed-by: Sumit Bose <sbose@redhat.com>

6ea6662287147308b81b9c9f2f1f3c992d01bc50 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Amend sysdb_view tests for the FQDN schema Reviewed-by: Sumit Bose <sbose@redhat.com>

4b39208286ca0351ee76d4e64e077e7ad5ca8568 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Fix sysdb tests to work with the new format The sysdb tests now use the qualified name to store users and groups. To avoid the sysdb interface being tied too tightly to our specific format, all names are constructed using a function, not hardcoded. Just swapping the functions that create or parse the names for a different format should not make the test fail. Reviewed-by: Sumit Bose <sbose@redhat.com>

338af078fcc18126df939f20182acea7a646b7c8 07-Jul-2016 Michal Zidek <mzidek@redhat.com>

TESTS: Fix the ldap_id_cleanup test for using qualified names in sysdb Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

214d96a3f10ef27da28c0977977961611b6b441f 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Temporarily disable unit and integration tests until we fix them to cope with qualified names in sysdb Many tests use and rely on non-qualified usernames. To avoid huge commits, we will fix them one-by-one. To avoid test failures in the branch, disable all the tests first. Reviewed-by: Sumit Bose <sbose@redhat.com>

8f2a34cc6964a1f80a1434e05315a7ae0bb5774e 29-Jun-2016 Simo Sorce <simo@redhat.com>

Secrets: Add Proxy backend Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

625bb2ddf15e8f305a53afa44e87f2146fa930af 29-Jun-2016 Simo Sorce <simo@redhat.com>

Secrets: Add encryption at rest Generates a master key file if it doesn't exist and encrypts secrets using the master key contained in the file. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1dd679584241a0f9b29072c7eed1c5c5e4a577e4 29-Jun-2016 Simo Sorce <simo@redhat.com>

Add initial providers infrastructure. Also adds support for the basic LOCAL provider that stores data on the local machine. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a8d1a344e580f29699aed9b88d87fc3c6f5d113b 29-Jun-2016 Simo Sorce <simo@redhat.com>

Secrets: Add initial responder code for secrets service Start implementing the Secrets Service Responder core. This commit implements startup and basic connection handling and HTTP parsing (using the http-parser library). Signed-off-by: Simo Sorce <simo@redhat.com> Related: https://fedorahosted.org/sssd/ticket/2913 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e5911e72198df96ec7cfe486ff66363c2297a5f7 29-Jun-2016 Simo Sorce <simo@redhat.com>

Responders: Add support for socket activation Add helper that uses systemd socket activation if available to accept a pre-listening socket at startup. Related: https://fedorahosted.org/sssd/ticket/2913 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

75ba524d356fed615a9c92152f64aebf0bdaf9c2 29-Jun-2016 Simo Sorce <simo@redhat.com>

Util: Add watchdog helper The watchdog uses a kernel timer to issue a signal to the process. It checks if the ticker is not being reset by the main event loop, which would indicate that the process got stuck. At the same time it sets a tevent timer to clear the watchdog ticker, so that the watchdog handler is kept happy. If the watchdog detects that the timer event failed to reset the watchdog for three times in a row then the process is killed. Normally the monitor will detect the child terminated and will reschedule it. Related: https://fedorahosted.org/sssd/ticket/2921 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

c42ca36247022490ad65a33c453cb5e43900dbe9 27-Jun-2016 Lukas Slebodnik <lslebodn@redhat.com>

Prepare ini schema with rules for validation Resolves: https://fedorahosted.org/sssd/ticket/2028 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cca497b4cbbbf05c4f9181b7d8113cde81754831 27-Jun-2016 Michal Židek <mzidek@redhat.com>

confdb: Make it possible to use config snippets Resolves: https://fedorahosted.org/sssd/ticket/2247 Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e157b9f6cb370e1b94bcac2044d26ad66d640fba 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

sssctl: new tool Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

bf83a0faacf16196ab9bd37dcf6190b4209ccaf7 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Add org.freedesktop.sssd.DataProvider.Failover Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

586fa3571753ab4a607d40fc31503fc0e8effd70 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Add org.freedesktop.sssd.DataProvider.Backend Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d2d8f342cd5e90bb9fd947c448492225f959aa86 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

sss_tools: create confdb if not exist So tools (especially sssctl) may be run even when databases were removed. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

aea1d5c0ca9bb1470759b024c8b97b6c1f577193 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

sss_tools: add test if sssd is running Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

36e262020c80479baa09b2c4c8dd045c7a0f32a1 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

sss_sifp: bump version to 1:0:1 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7f0b01bf0a8f5c5b3ef145e81511b6db2cb4f98f 27-Jun-2016 Pavel Březina <pbrezina@redhat.com>

IFP: new header file that contains interface definitions To be shared across tools and libs. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d36f4db9bb5efc63b94190cca25adb08ee56971c 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Add a unit test for timestamps caches Reviewed-by: Sumit Bose <sbose@redhat.com>

6e9d7cbe43fdfc866b18f9ef0779bbfc10ad6f3a 23-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Move sysdb initialization into a new module sysdb_init.c The sysdb initialization was in the sysdb.c module. With adding initialization of the timestamp cache, this module would become too big with too many private functions meant only for initialization. This patch only moves code around, there are no functional changes to the initialization. Reviewed-by: Sumit Bose <sbose@redhat.com>

1d1a0a019d8d4d9ab0f51ada03604cd2cada287e 21-Jun-2016 Sumit Bose <sbose@redhat.com>

Add winbind idmap plugin With this plugin winbind can use the same id-mapping as SSSD which makes it possible to run both together in a consistent way. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

83a79d93035c2d75a1941f3b54426119174044a0 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

RESPONDER: New interface for client registration This is just a beginning of new responder interface to data provider and it is just to make the client registration work. It needs further improvement. The idea is to take the existing interface and make it work better with further extensions of data provider. The current interface has several disadvantages such as it is originally built only for account requests and doesn't take different set of output parameters. It also doesn't work well with integration into tevent-made responders. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

dea636af4d1902a081ee891f1b19ee2f8729d759 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Makefile.am src/providers/ad/ad_access.c src/providers/ad/ad_access.h src/providers/ad/ad_autofs.c src/providers/ad/ad_common.h src/providers/ad/ad_id.c src/providers/ad/ad_id.h src/providers/ad/ad_init.c src/providers/ad/ad_subdomains.c src/providers/ad/ad_subdomains.h src/providers/ad/ad_sudo.c src/providers/backend.h src/providers/data_provider/dp_custom_data.h src/providers/data_provider/dp_iface.c src/providers/data_provider/dp_iface.h src/providers/data_provider/dp_target_auth.c src/providers/data_provider/dp_target_autofs.c src/providers/data_provider/dp_target_hostid.c src/providers/data_provider/dp_target_id.c src/providers/data_provider/dp_target_subdomains.c src/providers/data_provider/dp_target_sudo.c src/providers/data_provider_be.c src/providers/data_provider_req.c src/providers/data_provider_req.h src/providers/ipa/ipa_access.c src/providers/ipa/ipa_access.h src/providers/ipa/ipa_auth.c src/providers/ipa/ipa_auth.h src/providers/ipa/ipa_autofs.c src/providers/ipa/ipa_common.h src/providers/ipa/ipa_hbac_common.c src/providers/ipa/ipa_hostid.c src/providers/ipa/ipa_hostid.h src/providers/ipa/ipa_id.c src/providers/ipa/ipa_id.h src/providers/ipa/ipa_init.c src/providers/ipa/ipa_selinux.c src/providers/ipa/ipa_selinux.h src/providers/ipa/ipa_subdomains.c src/providers/ipa/ipa_subdomains.h src/providers/ipa/ipa_subdomains_ext_groups.c src/providers/ipa/ipa_subdomains_id.c src/providers/ipa/ipa_subdomains_server.c src/providers/ipa/ipa_sudo.c src/providers/krb5/krb5_auth.c src/providers/krb5/krb5_auth.h src/providers/krb5/krb5_common.h src/providers/krb5/krb5_init.c src/providers/ldap/ldap_access.c src/providers/ldap/ldap_auth.c src/providers/ldap/ldap_common.c src/providers/ldap/ldap_common.h src/providers/ldap/ldap_id.c src/providers/ldap/ldap_init.c src/providers/ldap/sdap_access.h src/providers/ldap/sdap_autofs.c src/providers/ldap/sdap_autofs.h src/providers/ldap/sdap_idmap.c src/providers/ldap/sdap_online_check.c src/providers/ldap/sdap_sudo.c 
src/providers/ldap/sdap_sudo.h src/providers/proxy/proxy.h src/providers/proxy/proxy_auth.c src/providers/proxy/proxy_client.c src/providers/proxy/proxy_id.c src/providers/proxy/proxy_init.c src/providers/simple/simple_access.c src/providers/simple/simple_access_check.c src/responder/autofs/autofssrv_dp.c src/responder/common/responder_dp.c src/responder/ssh/sshsrv_dp.c src/responder/sudo/sudosrv_dp.c src/tests/cmocka/test_nested_groups.c src/tests/simple_access-tests.c

62370340092503baeaf6587d7ffe4fe25bd9582d 20-Jun-2016 Pavel Reichl <preichl@redhat.com>

DP TESTS: Add unit tests for dp_builtin.c Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

49c467733ca65c9b77b9c33f38cdc223a99562e1 20-Jun-2016 Pavel Reichl <preichl@redhat.com>

DP TESTS: Add unit tests for dp_request.c Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b9d83e10cec267ae11fee64a30f42a12bbf7abe4 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP TESTS: Add unit tests for dp_request_table.c Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3e5e98aae4b14f5447c561ff5b0d854b74046312 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP TESTS: Mock data_provider Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

a1bf79449204ce9a5392b9d09b953a6bdf53a122 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Add callback for backward compatibility Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d3dee2a07f1a8ee9ae6f94e149ced754ef76c248 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Introduce new interface for backend
Terminology:
* Backend: Implementation of domain
* Data Provider: interface between backend and responders
* Module: ldap/ipa/ad/... dlopened library that implements dp interface
* Target: id/autofs/sudo/... functionality of module
Benefits over current code:
* data provider is a black box completely separated from backend
* method handlers are just simple tevent requests on backend side
* no need of spy on be_client
* simplified and error proof adding of new responders
* simplified adding of new methods
* reply to D-Bus message is completely handled by DP code
* each target can have several methods defined
* properties can be added on objects
* each method can have output parameters
* modules now support constructor
* improved debugging
* clear memory hierarchy
* ability to chain requests
* type safe private data
Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Makefile.am src/providers/backend.h src/providers/data_provider/dp.c src/providers/data_provider/dp.h src/providers/data_provider/dp_builtin.c src/providers/data_provider/dp_builtin.h src/providers/data_provider/dp_client.c src/providers/data_provider/dp_custom_data.h src/providers/data_provider/dp_flags.h src/providers/data_provider/dp_iface.c src/providers/data_provider/dp_iface.h src/providers/data_provider/dp_iface.xml src/providers/data_provider/dp_iface_generated.c src/providers/data_provider/dp_iface_generated.h src/providers/data_provider/dp_methods.c src/providers/data_provider/dp_modules.c src/providers/data_provider/dp_private.h src/providers/data_provider/dp_request.c src/providers/data_provider/dp_request.h src/providers/data_provider/dp_request_reply.c src/providers/data_provider/dp_request_table.c src/providers/data_provider/dp_responder_iface.h src/providers/data_provider/dp_sbus.c src/providers/data_provider/dp_targets.c

cc2d77d5218c188119fa954c856e858cbde76947 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_backend.h to backend.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Makefile.am src/p11_child/p11_child_nss.c src/providers/ad/ad_access.c src/providers/ad/ad_gpo.c src/providers/ad/ad_gpo_child.c src/providers/ad/ad_srv.c src/providers/ad/ad_subdomains.h src/providers/backend.h src/providers/be_dyndns.c src/providers/be_ptask.c src/providers/be_refresh.c src/providers/data_provider_be.c src/providers/data_provider_callbacks.c src/providers/data_provider_fo.c src/providers/ipa/ipa_auth.h src/providers/ipa/ipa_dyndns.h src/providers/ipa/ipa_subdomains.h src/providers/ipa/selinux_child.c src/providers/krb5/krb5_auth.h src/providers/krb5/krb5_child.c src/providers/krb5/krb5_common.c src/providers/krb5/krb5_common.h src/providers/ldap/ldap_access.c src/providers/ldap/ldap_child.c src/providers/ldap/ldap_common.h src/providers/ldap/sdap.h src/providers/ldap/sdap_access.c src/providers/ldap/sdap_access.h src/providers/ldap/sdap_async.h src/providers/ldap/sdap_async_sudo.c src/providers/ldap/sdap_autofs.c src/providers/ldap/sdap_dyndns.c src/providers/ldap/sdap_dyndns.h src/providers/ldap/sdap_sudo.c src/providers/ldap/sdap_sudo.h src/providers/ldap/sdap_sudo_shared.h src/providers/proxy/proxy.h src/providers/proxy/proxy_child.c src/providers/simple/simple_access.c src/providers/simple/simple_access_check.c src/tests/cmocka/test_be_ptask.c src/tests/cmocka/test_data_provider_be.c

0429e21a45aa26c133cb4d8285a60446a0611e44 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_dyndns.c to be_dyndns.c Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

892ddeb5190dd5c1ffa26a95142a10a0034fc5e3 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_dyndns.h to be_dyndns.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

38b2bd97e41388995594126ea4e6b7c55ea0eb5c 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_refresh.c to be_refresh.c Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

50c2a57dea6d38a4f6753a917a5d745b07036325 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_refresh.h to be_refresh.h Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3b99f7a97553a0a357d50abe507d4f0060c4ecea 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_ptask to be_ptask Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e7ccfb139388c947ec2dee16cfe3005f5643b90d 10-Jun-2016 Petr Cech <pcech@redhat.com>

RESPONDERS: Negative caching of local users This patch adds new option 'neg_cache_locals_timeout' into section of NSS responder. It allows negative caching of local groups and users. Default value is 0 which means no caching. Resolves: https://fedorahosted.org/sssd/ticket/2928 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

c23ea7772113a163139a7b7669303e9e80dc1d09 10-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

CONTRIB: Add a systemtap script to measure nested group code performance When all the dependencies are installed, run the script using systemtap: You'll see an output such as: # stap /usr/share/sssd/systemtap/nested_group_perf.stp ^CTime spent in group sssd_be searches: 600 Time spent in sdap_nested_group_send/recv: 65 ms (ratio: 10.83%) Time spent in zero-level sysdb transactions: 6813 ms (ratio: 1135.50%) Breakdown of sdap_nested_group req (total: 65 ms) sdap_nested_group_process req: 64 sdap_nested_group_process_split req: 22 sdap_nested_group_check_cache: 21 sdap_nested_group_sysdb_search_users: 10 sdap_nested_group_sysdb_search_groups: 9 ldap request breakdown of total 60 sdap_nested_group_deref req: 24 sdap_deref_search_send req 24 processing deref results: 0 sdap_nested_group_lookup_user req: 18 sdap_nested_group_lookup_group req: 0 Time spent refreshing unknown members: 18 Breakdown of results processing (total 6813) Time spent populating nested members: 10 Time spent searching ldb while populating nested members: 5 Time spent saving nested members: 110 Time spent writing to the ldb: 678 ms Please note that since the script is supposed to be used in scenarios such as tracing "id" performance, which typically involve multiple group requests. Therefore, the variables are not zeroed out and you need to interrupt the script manually with Ctrl+C. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

41291f19dbc5bf14f20729959b852fa605fcc02d 10-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

CONTRIB: Add a systemtap script to analyze the performance of the 'id' command
Run this script using "stap" as root:
    sudo stap /path/to/sssd/contrib/systemtap/id_perf.stp
It is not required to restart the script between successive id runs, the variables are cleared when systemtap detects id had started or finished. You should see output as this one:
    Total run time of id was: 112 ms
    Number of zero-level cache transactions: 9
    Time spent in level-0 sysdb transactions: 84 ms
    Time spent writing to LDB: 80 ms
    Number of LDAP searches: 13
    Time spent waiting for LDAP: 11 ms
    LDAP searches breakdown:
    Number of user requests: 1
    Time spent in user requests: 15
    Number of group requests: 6
    Time spent in group requests: 71
    Number of initgroups requests: 1
    Time spent in initgroups requests: 20
    Unaccounted time: 17 ms
    sysdb transaction breakdown:
    1 hits of transaction
    sysdb_transaction_commit+0x6b [libsss_util.so]
    sdap_save_users+0x2d2 [libsss_ldap_common.so]
    sdap_get_users_done+0x186 [libsss_ldap_common.so]
    sdap_search_user_process+0x2d9 [libsss_ldap_common.so]
    generic_ext_search_handler+0x22f [libsss_ldap_common.so]
    sdap_get_and_parse_generic_done+0x6f [libsss_ldap_common.so]
    sdap_get_generic_op_finished+0x806 [libsss_ldap_common.so]
    sdap_process_message+0x3c4 [libsss_ldap_common.so]
    sdap_process_result+0x33a [libsss_ldap_common.so]
    sdap_ldap_next_result+0x2f [libsss_
    avg:14 min: 14 max: 14 sum: 14
    5 hits of transaction
    sysdb_transaction_commit+0x6b [libsss_util.so]
    sdap_nested_done+0x2c8 [libsss_ldap_common.so]
    sdap_nested_group_done+0x9b [libsss_ldap_common.so]
    0x7f47a6320be4 [libtevent.so.0.9.26+0x4be4]
    avg:9 min: 9 max: 11 sum: 49
    1 hits of transaction
    sysdb_transaction_commit+0x6b [libsss_util.so]
    sdap_nested_done+0x2c8 [libsss_ldap_common.so]
    sdap_nested_group_done+0x9b [libsss_ldap_common.so]
    sdap_nested_group_process_done+0x1dc [libsss_ldap_common.so]
    sdap_nested_group_single_done+0x112 [libsss_ldap_common.so]
    sdap_nested_group_recurse_done+0x95 [libsss_ldap_common.so]
    0x7f47a6320be4 [libtevent.so.0.9.26+0x4be4]
    avg:11 min: 11 max: 11 sum: 11
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

630f3ff08c1d17c7900b9bde814922f775ca2703 10-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Decorate the hot paths in the LDAP provider with systemtap probes During performance analysis, the LDAP provider and especially its nested group code proved to be the place where we spend the most time during account requests. Therefore, I decorated the LDAP provider with systemtap probes to be able to observe where the time is spent. The code allows passing of search properties (base, filter, ...) from marks to probes. Where applicable, the probes pass on these arguments to functions and build a human-readable string representation. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

8c829226ce0cf98c35ffce39a66f9645cff65767 10-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

STAP: Add helper functions for human-readable account request representation The caller of the systemtap script would be able to see what kind of account request sssd received with a string representation, not just the cryptic hexadecimal number. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6dcbfe52d5e64205c0d922f3e89add066b42c496 10-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Add systemtap probes to track sysdb transactions Actually adds marks for sysdb transactions that receive the transaction nesting level as an argument. The nesting is passed on from probes to marks along with a human-friendly description. The transaction commit is decorated with two probes, before and after. This would allow the caller to distinguish between the time we spend in the transaction (which might be important, because if a transaction is active on an ldb context, even the readers are blocked before the transaction completes) and the time we spend committing the transaction (which is important because that's when the disk writes occur). The probes would be installed into /usr/share/systemtap/tapset on RHEL and Fedora. This is in line with systemtap's paths which are described in detail in "man 7 stappaths". Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

29c5542feb4c45865ea61be97e0e84a1d1f04918 10-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Add build infrastructure for systemtap scripts Adds infrastructure that generates the probes.h and probes.o from the dtrace probes.d file. The probes.d file is empty except for the provider name in this commit, its content will be added with later commits that actually add some content. The probes.d file is always distributed in the tarball so that distributions can optionally enable systemtap support. The generation is done using the "dtrace" command because the probes.d file is compatible with the Solaris dtrace format. Please see "man 1 dtrace" for more information on the dtrace format and the command line tool. In order to make libtool happy, a fake libtool object is generated. This hunk was taken from the libvirt code. The AM_V_GEN macro is used to make the build compatible with the silent build configuration. To enable systemtap probing, configure sssd with: --enable-systemtap In order to do so, the 'dtrace' command-line utility must be installed. On Fedora and RHEL, this package is installed as part of the "systemtap-sdt-devel" package. You'll also want the 'systemtap' package installed as well as the matching versions of kernel-devel and kernel-debuginfo on your machine. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

53f1b03f4e61ebe21df0c2fd05e09e0504fd8881 10-Jun-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Add a PROBE macro into probes.h The macros are inspired by very similar macros in libvirt code. Adds a macro PROBE that can be used by SSSD developers to add systemtap marks to code. These marks, when coupled with a location in a binary can be in turn used to call probes. The mark can be called like this: PROBE(PROBE_NAME, arguments) This is cleaner than using the SSSD_$(PROBE_NAME) directly as it directly shows that a probe is being called at that place. If the systemtap tracing is disabled, they would expand to an empty macro. If the systemtap tracing is enabled, the systemtap probe will be called. The overhead of calling the probes is close to zero. As one of the systemtap developers explained to me: """ STAP_PROBE() macros cost apprx. one nop in the executable, so apprx. no cost at all. The more the merrier. Only when activated by a stap script do we generally think of it like a microsecond of time. """ The probe arguments can be used in the probes to be printed or passed on to functions. There was an issue in case a string argument was NULL. This commit adds a helper macro to deal with NULL-strings as if they were empty (""). This file would be included by any source file that wants to call the PROBE() macro. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9c88f837ffacf6548c13825589b327de1a5525f3 09-Jun-2016 Sumit Bose <sbose@redhat.com>

nss-idmap: add sss_nss_getnamebycert() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1a45124f3f300f9afdcb08eab0938e5e7d0534d9 09-Jun-2016 Sumit Bose <sbose@redhat.com>

NSS: add SSS_NSS_GETNAMEBYCERT request Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

56c9f8731173eae841a05f31bb03d311076a8485 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDERS: Negcache in resp_ctx preparing Preparation for initialization of negative cache in common responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

59744cff6edb106ae799b2321cb8731edadf409a 11-May-2016 Stephen Gallagher <sgallagh@redhat.com>

CONFIG: Use default config when none provided This patch makes SSSD possibly useful "out of the box" by allowing packagers to provide a default config file located in $LIBDIR/sssd/conf that will be copied by the monitor to /etc/sssd if no file already exists in that location. This will make it possible to have SSSD set up to have distribution-specific default configuration, such as enabling the proxy provider to cache /etc/passwd (such as in the provided example in this patch). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9face844e3063b61ab19e1d82bbf3d9f9de76ac7 05-May-2016 Petr Cech <pcech@redhat.com>

TEST: Removing duplication of mock_rctx There was duplication of mock_rctx(). Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

91d312000e6ded4a93327c137b10c5beda55f65c 21-Apr-2016 Sumit Bose <sbose@redhat.com>

build: move ndr_krb5pac check to the other Samba checks Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

27a7dedb0ee4d4b51ca4c196aa894ad30cb3e821 20-Apr-2016 Petr Cech <pcech@redhat.com>

TESTS: Test of sysdb_search_sudo_rules There are test functions of sysdb_sudo_rules. Resolves: https://fedorahosted.org/sssd/ticket/2081 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d0d7de66c9494621c1bc12384e41e5e38a77fbeb 13-Apr-2016 Sumit Bose <sbose@redhat.com>

PAC: only save PAC blob into the cache Resolves https://fedorahosted.org/sssd/ticket/2158 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4 13-Apr-2016 Sumit Bose <sbose@redhat.com>

AD: process PAC during initgroups request If there is a recently attached PAC blob in the cached user entry the PAC data is used to update the group memberships data of the user. If there is no PAC attached or if it is too old the other configured methods will be used. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

cce3e8526176ce2fe9baa5bda1bb457b996b7bcf 13-Apr-2016 Sumit Bose <sbose@redhat.com>

SDAP: make some AD specific calls public Make sdap_ad_tokengroups_get_posix_members() and sdap_ad_resolve_sids_send() reusable. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

444a82bd6d68c6f23e05d523ff92d328f6b2ec05 01-Apr-2016 Lukas Slebodnik <lslebodn@redhat.com>

CI: Use make check instead of make-check-wrap make-check-wrap had to be used due to missing LOG_COMPILER on rhel6 which is enabled with parallel test harness Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

558ec7d717735bb16c210c675c2cc5bee1da4576 23-Mar-2016 Lukas Slebodnik <lslebodn@redhat.com>

UTIL: Move debug part from util.h -> new debug.h Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

af820c9fc6aa1768e2e6b0df78fb489dbb1b28d0 14-Mar-2016 Pavel Březina <pbrezina@redhat.com>

mock domain: reset ldb errors After ldb connect ldb context contains the following error: "NULL Base DN invalid for a base search" This comes from internal ldb function ldb_set_default_dns() which runs base search on NULL dn to discover records similar to what rootDSE provides. However, tdb backend considers this an error and sets the message above. This may break memory leak checks in tests when we do push/pop on test_ctx which is an indirect parent of ldb_context. The error message is allocated when push is called but it is freed by other ldb queries and therefore not present during the push phase and thus the leak check fails. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

de5fa34860886ad68fba5e739987e16c342e8f14 12-Mar-2016 Lukas Slebodnik <lslebodn@redhat.com>

libipa_hbac: Ensure we always build with C90 libipa_hbac is also used by external projects such as pam_hbac: https://github.com/jhrozek/pam_hbac In order to make sure we don't use C99 features in the libipa_hbac code in the future, this patch adds an explicit -std=c89 flag to CFLAGS. Signed-off-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e0c86d21388bffe2e3919e780780c40d96186abb 12-Mar-2016 Jakub Hrozek <jhrozek@redhat.com>

libipa_hbac: Move the library to src/lib/ipa_hbac Moving the library to the lib directory will force maintainers to think twice about changes, because it would be obvious this is a library. Also don't use includes from sssd source tree paths, but add the util path to Makefile's CFLAGS so that other projects can copy the hbac_evaluator.c file verbatim. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

c6bda70d6131b5e8cd760ad690fae001d1765547 11-Mar-2016 Jakub Hrozek <jhrozek@redhat.com>

tests: Add a unit test for the external groups resolution Adds a test that tests a complex nested group hierarchy. Also defines the talloc chunk for group members to 1 to make sure the realloc branch is always tested. Unit test for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

62bda5f75bda6b77aea30d708c74efaf725d9367 10-Mar-2016 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Remove unused include directories We do not have the "include" directory in git and such directory is not generated by autotools in build directory either. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

5dbf360f2d6b0281c32f1bba6ebf5cc834c1716e 09-Mar-2016 Simo Sorce <simo@redhat.com>

Util: Move socket setup in a common utility file Other components may need to connect sockets, the code here is generic enough that with minimal modifications can be used for non-ldap connections too. So create a sss_sockets.c/h utility file with all the non-ldap specific socket setup functions and make them available for other uses. Resolves: https://fedorahosted.org/sssd/ticket/2968 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b590f44c06158485357d69cc5b24d5af05f1bb95 24-Feb-2016 Petr Cech <pcech@redhat.com>

TEST_TOOLS_COLONDB: Add tests for sss_colondb_* There are three functions at API of colondb wrapper: * sss_colondb_open() * sss_colondb_readline() * sss_colondb_writeline() This patch adds tests for all of them. We test those cases: * open nonexisting file for read * open nonexisting file for write * open existing empty file for read * open existing file with records for read * open existing empty file for write * open existing file with records for write * write to empty file * write to file with existing records * sss_colondb_open() * sss_colondb_readline() * sss_colondb_write_line() * write to empty file and read it Resolves: https://fedorahosted.org/sssd/ticket/2764 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6499d0b915209b670f8e337c4fe76a8be9fa6576 28-Jan-2016 Simo Sorce <simo@redhat.com>

Util: Improve code to get connection credentials Adds support to get SELINUX context and make code more abstract so that struct ucred (if available) can be used w/o redefining uid,gid,pid to int32. Also gives a layer of indirection that may come in handy if we want to improve the code further in the future. Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

7ac503a73a26abe49f9f7d175c74df705380898d 21-Jan-2016 Pavel Březina <pbrezina@redhat.com>

MAKE: Do not compile generated header files Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

8babbeee01e67893af4828ddfc922ecac0be4197 20-Jan-2016 Pavel Reichl <preichl@redhat.com>

IDMAP: Add support for automatic adding of ranges Resolves: https://fedorahosted.org/sssd/ticket/2188 Reviewed-by: Sumit Bose <sbose@redhat.com>

5f7cd30c865046a7ea69944f7e07c85b4c43465a 19-Jan-2016 Sumit Bose <sbose@redhat.com>

AD: add task to renew the machine account password if needed AD expects its clients to renew the machine account password on a regular basis, by default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a641a13889d617aca6bd998025e9087e822ff7f0 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Implement full refresh Reviewed-by: Sumit Bose <sbose@redhat.com>

4ddd5591c50e27dffa55f03fbce0dcc85cd50a8b 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA SUDO: Implement sudo handler Resolves: https://fedorahosted.org/sssd/ticket/XXXX Reviewed-by: Sumit Bose <sbose@redhat.com>

a6dd4a6c55773e81490dcafd61d4b9782705e9bf 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SDAP: use ipa_get_rdn() in nested groups Reviewed-by: Sumit Bose <sbose@redhat.com>

b407fe0474a674bb42f0f42ab47c7f530a07a367 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

IPA: add ipa_get_rdn and ipa_check_rdn To exploit knowledge of IPA LDAP hierarchy. Reviewed-by: Sumit Bose <sbose@redhat.com>

85feb8d77a2c832787880944e02104846c4d5376 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SUDO: move code shared between ldap and ipa to separate module Reviewed-by: Sumit Bose <sbose@redhat.com>

68abbe716bed7c8d6790d9bec168ef44469306a1 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SUDO: make sudo sysdb interface more reusable Reviewed-by: Sumit Bose <sbose@redhat.com>

d0599eaa9369fd867953e3c58b8d7bb445525ff5 19-Jan-2016 Pavel Březina <pbrezina@redhat.com>

SDAP: Add request that iterates over all search bases We often need to iterate over many search bases but we always use mostly copy&paste iterator. This will reduce code duplication and simplify code flow. Reviewed-by: Sumit Bose <sbose@redhat.com>

a13cf3d295a4a6654dfa7e4193c0a2bc8bb78e92 15-Dec-2015 Pavel Březina <pbrezina@redhat.com>

SUDO: convert periodical refreshes to be_ptask This removes old sudo timer and simplifies code a lot. It also allows to manage offline/online state. - Full and smart refresh are disabled when offline. - Full refresh is run immediately when sssd is back online. - Smart refresh is scheduled normally when sssd is back online. Resolves: https://fedorahosted.org/sssd/ticket/1943 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

291a6c8af9759e41cec6f332cb72606ca90768c3 14-Dec-2015 Pavel Březina <pbrezina@redhat.com>

KRB5: Mark globals in krb5_opts.h as extern To avoid collisions when we want to work with them elsewhere in the code. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

676bf6dda60776d9db79dad1c2506c0e57bb5503 14-Dec-2015 Pavel Březina <pbrezina@redhat.com>

IPA: Mark globals in ipa_opts.h as extern To avoid collisions when we want to work with them elsewhere in the code. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9e6f8d1c66b4b3543bab67d807bd26f1d6256c75 14-Dec-2015 Pavel Březina <pbrezina@redhat.com>

AD: Mark globals in ad_opts.h as extern To avoid collisions when we want to work with them elsewhere in the code. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f7ea0b1d46197275c87bdc73a6e38a6fd7f855ee 14-Dec-2015 Pavel Březina <pbrezina@redhat.com>

LDAP: Mark globals in ldap_opts.h as extern To avoid collisions when we want to work with them elsewhere in the code. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

03b859510dc13a13a456ca4aa94c0561a0e9684c 26-Nov-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Add autofs provider https://fedorahosted.org/sssd/ticket/1632 Adds the possibility to configure: autofs_provider = ad The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is different (at the moment) from using autofs_provider=ldap with ldap_schema=ad. Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

544a20de7667f05c1a406c4dea0706b0ab507430 26-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: enable ocsp checks This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5484044ea7bb632b915f706685fce509f6eacc48 26-Nov-2015 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Only install polkit rules if the directory is available Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3be9e26dcd169d44ae105f1b8a0674464c700b77 20-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: allow p11_child to run completely unprivileged The only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set. Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f43825305e7e4a266d3c3885ed0c53d991d37019 05-Nov-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Remove sudo doxygen file There aren't any documented files in directory src/sss_client/sudo/ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2d5d7761ef2b0d43c39dadf877b87aae19231036 04-Nov-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Fix doc directory for sss_simpleifp make all docs && make install DESTDIR=`pwd`/_instdir will not install doxygen generated files for sss_simpleifp because directory was wrong Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f1b9f9370b50a3d001722737f2538f5d3bb40e9c 04-Nov-2015 Michal Židek <mzidek@redhat.com>

tests: Run intgcheck without libsemanage For now the libsemanage can not be used inside intgcheck tests. See the tracking ticket for this issue: https://fedorahosted.org/sssd/ticket/2859 Reviewed-by: Michal Židek <mzidek@redhat.com>

bf0002fa68e9c06f0569cf75b1b8ef85bb1c2697 12-Oct-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Avoid symlinks with python modules We need to use different names for python{2,3} modules if we want to build them at the same time with automake (prefix _py2 and _py3). But resulting name needs to correspond with name of module because it is used in C import function. We used symbolic links for that purpose but it breaks debian python tools which rename the real modules making symbolic links to point nowhere. Resolves: https://fedorahosted.org/sssd/ticket/2814 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a4ed6c3a56b68f0deb27f291df510c3ba735f836 08-Oct-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Remove unused variable TEST_MOCK_OBJ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8f61739e0de45ce2ee3be436fc91ef12a1a1c4f3 08-Oct-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Link crypto_tests with existing library It's not necessary to bundle libsss_crypto to crypto_tests. We can link it directly. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

69b46c32357ccf1aab9c0bd6d1afa33a8724ad77 08-Oct-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Link just libsss_crypto with crypto libraries It should prevent such failures as in commit 73ec8fdfddb2d4bf99977f758eec80e1b1ee8542 BUILD: Link test_data_provider_be with -ldl Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

65ce66c43141f7e5c8482a8f8e7e217a23791588 01-Oct-2015 Petr Cech <pcech@redhat.com>

HBAC: Better libhbac debugging Added support for logging via external log function. Log provides information about rules evaluating (HBAC_DBG_INFO level) and additionally can describe rules (HBAC_DBG_TRACE level). Resolves: https://fedorahosted.org/sssd/ticket/2703 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

73ec8fdfddb2d4bf99977f758eec80e1b1ee8542 30-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Link test_data_provider_be with -ldl The module data_provider_be.o uses function dlsym and thus needs to be linked with -ldl. /usr/bin/ld: src/providers/test_data_provider_be-data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5' /usr/lib64/libdl.so.2: error adding symbols: DSO missing from command line collect2: error: ld returned 1 exit status Makefile:10461: recipe for target 'test_data_provider_be' failed It was not a problem when sssd was compiled with NSS because it contains -ldl among its flags. NSS_LIBS='-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl ' However the compilation failed when sssd was compiled with libcrypto. Reviewed-by: Michal Židek <mzidek@redhat.com>

f3d84d2b6f95ac68142a8f2dd757a83eddeb1abd 24-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Remove unused variable SSSD_UTIL_OBJ It was removed as part of commit fe2091327ff44f80d6681c261494e4432404e9ba Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a801d42c4637bbdf9664d0d8b913ffcab81b904e 24-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Do not build libsss_ad_common.la as library libsss_ad_common.la was a dynamic library and was linked just with unit tests. It was a workaround because module libsss_ad.so cannot be linked with tests without portability issues. But it was added to pkglib_LTLIBRARIES and therefore it was installed with other libraries. This patch changed it and libsss_ad_test.la (old name libsss_ad_common.la) will be compiled only for unit tests (check_LTLIBRARIES) and will not be installed with command "make install". Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e3c06950bdb0bee6df603b101b30b75ef38439a4 24-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Remove unused variable CHECK_OBJ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

71493344f59002272c2cc069daa3b6147e9cb0c3 24-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Simplify build of test_data_provider_be It's an alternative solution for https://fedorahosted.org/sssd/ticket/2799 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d85be8ad409c9efa9cf9e9ab6f9c2d911b01e5c1 23-Sep-2015 Michal Židek <mzidek@redhat.com>

PAM: Make p11_child timeout configurable Ticket: https://fedorahosted.org/sssd/ticket/2773 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

fb83de0699b16e7d8eca803305e2112795807b4c 22-Sep-2015 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Filter out multiple entries when searching overlapping domains In case domains overlap, we might download multiple objects. To avoid saving them all, we attempt to filter out the objects from foreign domains. We can only do this optimization for non-wildcard lookups. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2ddacb7212cbc9a250c253330eec87f67e139eb4 22-Sep-2015 Jakub Hrozek <jhrozek@redhat.com>

BUILD: link dp tests with LDB directly to fix builds on Debian https://fedorahosted.org/sssd/ticket/2799 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

99c5f2f6ba0af6ce52be0d82ec2794bacc215742 21-Sep-2015 Jakub Hrozek <jhrozek@redhat.com>

DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout https://fedorahosted.org/sssd/ticket/2637 Adds a new Data Provider function be_mark_dom_offline() that is a replacement for be_mark_offline(). When called, the function would either set the whole back end offline, just like be_mark_offline or just set the subdomain status to inactive. When a subdomain is inactive, there is a singleton timed task that would re-set the subdomain after offline_timeout seconds. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

6cb5bad3c8e2f35ca9dce1800a506d626f90c079 18-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

LDAP: Sanitize group dn before using in filter Each string should be sanitized (rfc4515) before using ldbsearch. A group dn was not sanitized in the function cleanup_groups. Resolves: https://fedorahosted.org/sssd/ticket/2744 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

3d8b576bf49a79d5776574b96c6ef9535bbc46ac 18-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

Partially revert "LDAP: sanitize group name when used in filter" This reverts commit e2e334b2f51118cb14c7391c4e4e44ff247ef638. + temporarily disable unit test Reviewed-by: Pavel Březina <pbrezina@redhat.com>

bee2f31ca5d151b7fe35c509fe7eae24ca4f4451 18-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

test_ipa_subdomains_server: Use unique directory for keytabs Resolves: https://fedorahosted.org/sssd/ticket/2694 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

50c9d542e8bf641412debaa82a4dcf67ddb72258 18-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

tests: Use unique name for TEST_PATH We had cases in patch where two tests were using the same TEST_PATH and therefore they were stepping each other to the same files which caused failures. These failures are not easy to reproduce. This patch uses macro BASE_FILE_STEM for unique name. It should prevent copy&paste problem resulting in intermittent failures. @see also https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

376eaf187c13c2a1eaea0ffbdd970b6b563ab74c 14-Sep-2015 Petr Cech <pcech@redhat.com>

DATA_PROVIDER: BE_REQ as string in log message Add be_req2str() for translation BE_REQ to string. So we will have || Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian] instead of || Got request for [0x1001][1][name=celestian] Function be_req2str() is used in data provider and in responder too. So this patch create new header file data_provider_req.h which delivers function be_req2str() and definitions of BE_REQ_*. Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Pavel Reichl <preichl@redhat.com>

af3a627a3ff5402aad02edc6d48576b3c69458e5 05-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Simplify build of simple_access_tests Link test with existing libraries instead of building all necessary source files one more time. It's not portable to link with libsss_simple.so because it is a dynamic module and not dynamic library. *** Warning: Linking the executable simple_access-tests against the loadable module *** libsss_simple.so is not portable! Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

802909e59daa52c734dbe7f8fa13b0ee23e3e576 05-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Speed up build of some tests Some tests were built with files required for backend $(sssd_be_SOURCES). This automake variable contains 15 files which were built every time for each test. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1116fbbf0e50827841a6bafd80c027c3d3548c1f 05-Sep-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Build libdlopen_test_providers.la as a dynamic library Module which can be loaded by dlopen but cannot be linked with other binaries. *** Warning: Linking the executable test_xyzp against the loadable module *** libdlopen_test_providers.so is not portable! Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3b1aa479b377e570c6dff359a1f8099289a2af75 03-Sep-2015 Michal Židek <mzidek@redhat.com>

Makefile.am: Add missing AM_CFLAGS Some targets were missing AM_CFLAGS so it was not possible to compile C99 features in their source code. Reviewed-by: Pavel Reichl <preichl@redhat.com>

cbff3fcdce5b0377a62fbe74f32e476efbf7ca9c 03-Sep-2015 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

TESTS: Add trailing whitespace test Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

46e36286953de4e5af5e4289b90a529929bdd17c 01-Sep-2015 Petr Cech <pcech@redhat.com>

UTIL: Fixing Makefile.am for util/sss_cli_cmd.h Last patch for ticket 2708 broke make distcheck. This is the fix. Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Pavel Reichl <preichl@redhat.com>

11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a 31-Aug-2015 Petr Cech <pcech@redhat.com>

UTIL: Function 2string for enum sss_cli_command Improvement of debug messages. Instead of:"(0x0400): Running command [17]..." We could see:"(0x0400): Running command [17][SSS_NSS_GETPWNAM]..." (It's not used in sss_client. There are only hex numbers of commands.) Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

23fb01bf67a6058fb508da6d81515e8b18634beb 20-Aug-2015 Pavel Březina <pbrezina@redhat.com>

sss_override: support import and export Resolves: https://fedorahosted.org/sssd/ticket/2737 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e2e334b2f51118cb14c7391c4e4e44ff247ef638 17-Aug-2015 Pavel Reichl <preichl@redhat.com>

LDAP: sanitize group name when used in filter cleanup_groups() uses DN of group in filter for ldbsearch. But the name might contain characters with special meaning for filtering like - "*()\/" Resolves: https://fedorahosted.org/sssd/ticket/2744 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9da121c08b785b56733a11fa46e14c708dda62e9 17-Aug-2015 Michal Židek <mzidek@redhat.com>

pam: Increase p11 child timeout Ticket: https://fedorahosted.org/sssd/ticket/2746 It was timing out often in CI machines. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

db5f9ab3feb85aa444eab20428ca2b98801b6783 14-Aug-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Always re-fetch the keytab from the IPA server Even if a keytab for one-way trust exists, re-fetch the keytab again and try to use it. Fall back to the previous one if it exists. This is in order to allow the admin to re-establish the trust keytabs with a simple sssd restart. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

7bb9ba8688ec1ca930d693eea05e936bc38f6d1b 05-Aug-2015 Sumit Bose <sbose@redhat.com>

krb5 utils: add sss_krb5_realm_has_proxy() Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4de84af23db74e13e867985c9093f394c9fa8d51 31-Jul-2015 Sumit Bose <sbose@redhat.com>

ssh: generate public keys from certificate Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a8d887323f83984679a7d9b827a70146656bb7b2 31-Jul-2015 Sumit Bose <sbose@redhat.com>

PAM: add certificate support to PAM (pre-)auth requests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

45726939a48e605b0166521f94300ae04981a3a7 31-Jul-2015 Sumit Bose <sbose@redhat.com>

Add NSS version of p11_child Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0d5bb38364a6976e9c85d6349aa13a04d181a090 31-Jul-2015 Sumit Bose <sbose@redhat.com>

utils: add NSS version of cert utils Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b69cb1787209e85cc246eb9a944242689bfe0c46 27-Jul-2015 Pavel Březina <pbrezina@redhat.com>

TOOLS: add sss_override for local overrides Resolves: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

284937e6b5b0c9d7a1d3382d0d2820d1168842fb 27-Jul-2015 Pavel Březina <pbrezina@redhat.com>

TOOLS: add common command framework Add general framework to simplify creating "cmd COMMAND [OPTIONS...]" style tools. Preparation for: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

01ec08efd0e166ac6f390f8627c6d08dcc63ccc4 06-Jul-2015 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Add and use krb5_auth_queue_send to queue requests by default Resolves: https://fedorahosted.org/sssd/ticket/2701 Previously, only the krb5 provider used to queue requests, which resulted in concurrent authentication requests stepping on one another. This patch queues requests by default. Reviewed-by: Sumit Bose <sbose@redhat.com>

88e68607e474ab2ce46c562753ef2e988516d1e9 03-Jul-2015 Lukas Slebodnik <lslebodn@redhat.com>

sss_client: Use initgr mmap cache in client code Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>

323943605c88838f1f86a72f891eb28600bb34e2 02-Jul-2015 Lukas Slebodnik <lslebodn@redhat.com>

test_ipa_subdomains_server: Fix build with --coverage It seems that gcc did some optimization and used execve instead of execle when the code was instrumented for coverage analysis. So the exec* function was not wrapped and it tried to call real binary ipa-getkeytab Reviewed-by: Michal Židek <mzidek@redhat.com>

827a016a07d5f911cc4195be89896a376fd71f59 19-Jun-2015 Sumit Bose <sbose@redhat.com>

IFP: add FindByCertificate method for User objects Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

7d8b7d82f0a91ed656320577fc781f24a66db9f8 19-Jun-2015 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert() Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

bf01e8179cbb2be476805340636098deda7e1366 19-Jun-2015 Sumit Bose <sbose@redhat.com>

certs: add PEM/DER conversion utilities Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d4aa049726ce8c6feeaf6995d4abb4cb5155b9a1 19-Jun-2015 Pavel Březina <pbrezina@redhat.com>

sbus: listen to NameOwnerChanged Resolves: https://fedorahosted.org/sssd/ticket/2326 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ae7247551b78a05a5397d3c790afad7ef51b0d9d 19-Jun-2015 Pavel Březina <pbrezina@redhat.com>

sbus: add support for incoming signals Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2b7ef850846029641cc59560c2d8d4ab7254dda5 18-Jun-2015 Pavel Březina <pbrezina@redhat.com>

IFP: Export nodes

IFP now exports cached users and groups in introspection.

After a user is cached with:

dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
    org.freedesktop.sssd.infopipe.Cache.Object.Store

And Introspection called with:

dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users \
    org.freedesktop.DBus.Introspectable.Introspect

The cached users would be visible in the Introspection XML as:

<node name="ipaldap/397400000" />
</node>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d3c82d0170d6d7407549afdadd08aa7e11aeb9a2 18-Jun-2015 Pavel Březina <pbrezina@redhat.com>

IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]

Resolves: https://fedorahosted.org/sssd/ticket/2338

Example use:

$ dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users \
    org.freedesktop.sssd.infopipe.Users.FindByName \
    string:admin
object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000"

$ dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users \
    org.freedesktop.sssd.infopipe.Cache.List
array [ ]

$ dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
    org.freedesktop.sssd.infopipe.Cache.Object.Store
boolean true

$ dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users \
    org.freedesktop.sssd.infopipe.Cache.List
array [ object path "/org/freedesktop/sssd/infopipe/Users/ipaldap/397400000" ]

$ dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users/ipaldap/397400000 \
    org.freedesktop.sssd.infopipe.Cache.Object.Remove
boolean true

$ dbus-send --print-reply --system \
    --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe/Users \
    org.freedesktop.sssd.infopipe.Cache.List
array [ ]

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dbfc407eef1d9ba2469687c3ffbe7fd8bb111d94 16-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Store keytabs in /var/lib/sss/keytabs Make sure the directory is only accessible to the sssd user Reviewed-by: Michal Židek <mzidek@redhat.com>

a5bb518446d5ce565d7ba819590a009cabb0b0b4 16-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss Reviewed-by: Michal Židek <mzidek@redhat.com>

51b5e1475b3e0b7acac34ed382cfaca8411883a4 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

AD: Rename ad_create_default_options to ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Better reflects what's going on in the function. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

64ea4127f463798410a2c20e0261c6b15f60257f 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Fetch keytab for 1way trusts Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>

f4025ea817b3467be1c2e6092014a11fe4547c0d 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Add unit test for the subdomain_server.c module Reviewed-by: Sumit Bose <sbose@redhat.com>

d43c9d18fb263b1ea4071b20e93ce4994583f62f 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Add a common mock_be_ctx function Reduces code duplication between tests. Reviewed-by: Sumit Bose <sbose@redhat.com>

b1a822a16e3ef97e31d167f9e97efec06fc121dc 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Split off keytab creation into a common module This change will make the keytab creating reusable by other tests. Reviewed-by: Sumit Bose <sbose@redhat.com>

89ddc9ed474e9ac2b1e7bccb0a58610babf26cf8 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Split two functions to new module ipa_subdomains_utils.c These functions will be later reused by the subdomains_server.c module. Splitting them into a separate subdomains_utils.c module will make sure there are no cyclic dependencies and the functions are testable in isolation. Reviewed-by: Sumit Bose <sbose@redhat.com>

27e89b6925334565c73c407a9ae2809358789c81 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Move server-mode functions to a separate module There are already quite a few functions that are server-mode specific and there will be even more with one-way trusts. Split the server-mode specific functions into a separate module. Reviewed-by: Sumit Bose <sbose@redhat.com>

526a15438525417cd701f837d7085b7f8c8a6325 14-Jun-2015 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Add a test for sysdb_subdomains.c The sysdb_subdomains.c module should have its own sysdb test, not share the generic sysdb one. Reviewed-by: Sumit Bose <sbose@redhat.com>

1370bcccaed090f36d75e8a8cebb320ea1612b7e 31-May-2015 Lukas Slebodnik <lslebodn@redhat.com>

PROXY: proxy_child should work in non-root mode According to design page[1], proxy_child should run with root privileges in non-root mode however proxy_child did not have setuid bit. After setting setuid bit proxy_child will be executed with extra privileges. The effective user ID will be 0 but effective group ID will be still the same as egid of sssd_be. Therefore gid of private pipe for proxy_child should be the same. Otherwise proxy_child will fail due to wrong permissions of unix pipe (sbus_client_init -> check_file) [1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD Resolves: https://fedorahosted.org/sssd/ticket/2655 Reviewed-by: Michal Židek <mzidek@redhat.com>

9d453f1e8b28983b363b44c49b7cd701a994fd97 28-May-2015 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Add integration tests Add "intgcheck" make target. Update CI to use it. The "intgcheck" target configures and builds sssd in a sub-directory, installs it into a prefix in another sub-directory, and then makes the "intgcheck-installed" target from within src/tests/intg in that separate build. The "intgcheck-installed" target in src/tests/intg runs py.test for all tests it can find in that directory, under fakeroot and nss_wrapper/uid_wrapper environments emulating running under root. It also adds the value of INTGCHECK_PYTEST_ARGS environment/make variable to the py.test command line. You can use it to pass additional py.test options, such as specifying a subset of tests to run. See "py.test --help" output. There are only two test suites in src/tests/intg at the moment: ent_test.py and ldap_test.py. The ent_test.py runs tests on ent.py - a module of assertion functions for checking entries in NSS database (passwd and group), for use in actual tests. The ent_test.py suite can be used as ent.py usage reference. The ldap_test.py suite sets up and starts a slapd instance, adds a few user and group entries, configures and starts sssd and verifies that those users and groups are retrieved correctly using various NSS functions. The tests are very basic at the moment. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

62b20154899f847e760d6dfbae6a32fb45b448de 26-May-2015 Lukas Slebodnik <lslebodn@redhat.com>

SSSDConfigTest: Use unique temporary directory

Test SSSDConfigTest is executed twice with make check if python2 and python3 are available. Tests are executed in parallel with new automake and therefore it caused sometimes failures e.g.

ERROR: testModifyExistingConfig (__main__.SSSDConfigTestValid)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/sssd/src/config/SSSDConfigTest.py", line 215, in testModifyExistingConfig
    mode = os.stat(of)[ST_MODE]
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/testModifyExistingConfig.conf'

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1270ffe9f3809f2fd488ef4a320d344ae107ab87 26-May-2015 Sumit Bose <sbose@redhat.com>

libwbclient-sssd: update interface to version 0.12 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

a1e4113a5388e34c08459c5b69679c82ac2bddc9 22-May-2015 Pavel Březina <pbrezina@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Users.User

Example calls:

dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
method return sender=:1.159 -> dest=:1.165 reply_serial=2
   variant string "user-1"

Resolves: https://fedorahosted.org/sssd/ticket/2150

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c747b0c875785ce693f70b50bdda0237c4b04e35 22-May-2015 Pavel Březina <pbrezina@redhat.com>

IFP: add org.freedesktop.sssd.infopipe.Users

Example calls:

dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByName string:user-1
method return sender=:1.159 -> dest=:1.160 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/10001"

dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByID uint32:10001
method return sender=:1.159 -> dest=:1.163 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/LDAP_2ePB/1000

Resolves: https://fedorahosted.org/sssd/ticket/2150

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

364b3572bab5a9649e8f2d4da835d05d3c8ca7a9 22-May-2015 Pavel Březina <pbrezina@redhat.com>

sbus: provide custom error names Errors provided directly by D-Bus are not sufficient to fulfill all our needs. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ea422c7061072c125eb53b40d7f3ca444d886913 08-May-2015 Sumit Bose <sbose@redhat.com>

PAM: add PAM responder unit test Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

bf6c3f07d653d474da9e43b2b7cced57fc4ea069 08-May-2015 Sumit Bose <sbose@redhat.com>

pam_sss: move message encoding into separate file Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e5698314b87e147c0223d0d8bcac206733dfae8c 08-May-2015 Sumit Bose <sbose@redhat.com>

pam_sss: add pre-auth and 2fa support Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

bc052ea17d858c19f9cb9c9e2bc602e754f68831 08-May-2015 Sumit Bose <sbose@redhat.com>

utils: add sss_authtok_[gs]et_2fa Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

80b5dbe123ec94c5a8fcb99f9a4953c1513deb58 08-May-2015 Sumit Bose <sbose@redhat.com>

Add leak check and command line option to test_authtok Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

bbd6f73bbad478a450ecfa2933a63de6dc269778 24-Apr-2015 Jakub Hrozek <jhrozek@redhat.com>

tests: Add NSS responder tests for bysid requests Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1e0fa55fb377db788e065de917ba8e149eb56161 14-Apr-2015 Jakub Hrozek <jhrozek@redhat.com>

selinux: Only call semanage if the context actually changes https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differs from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com>

bad2fc8133d941e5a6c8d8016c9689e039265c61 14-Apr-2015 Lukas Slebodnik <lslebodn@redhat.com>

SDAP: Extract filtering AD group to function Patch removes code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

077f8c9ca849ec895da3f0a25d15484ead08e99e 24-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Add missing header file to tarball

make distcheck failed due to missing header file.

../src/tests/cmocka/test_ldap_auth.c:33:45: fatal error: tests/cmocka/test_expire_common.h: No such file or directory
 #include "tests/cmocka/test_expire_common.h"
 ^
compilation terminated.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

50b8a36b0932a510e825ed1ad8103f81ead2b7d8 23-Mar-2015 Pavel Reichl <preichl@redhat.com>

TESTS: test expiration Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1d93029624d708119bbf803e6647a2cbb271f001 20-Mar-2015 Sumit Bose <sbose@redhat.com>

sdap: properly handle binary objectGuid attribute Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

13ec767e6ca3e435e119f1f07bda10eb213383f6 05-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: Lock out ssh keys when account naturally expires Resolves: https://fedorahosted.org/sssd/ticket/2534 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5a5c5cdeb92f4012fc75fd717bfea06598f68f12 05-Mar-2015 Pavel Reichl <preichl@redhat.com>

UTIL: convert GeneralizedTime to unix time New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cdaa29d2c5724a4c72bfa0f42284ccfac3d5a464 03-Mar-2015 Pavel Reichl <preichl@redhat.com>

SDAP: refactor pwexpire policy Move part of pwexpire policy code to a separate function. Relates to: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com>

8df69bbc58c2f4d3f0b34be9756d9ddf24b1db6d 03-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

FO: Use SRV TTL in fail over code Resolves: https://fedorahosted.org/sssd/ticket/1884 Removes the hardcoded SRV TTL timeout and uses TTL from the DNS instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

192583f964fb86684a9f9d27939c2f417db8ea88 02-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Uninstall also symbolic links to python bindings

Make uninstall did not remove symbolic links and make distcheck did not detect it. As a result of this bug another make install failed.

cd /usr/lib64/python2.7/site-packages && \
    ln -s _py2sss.so pysss.so ; \
    ln -s _py2hbac.so pyhbac.so ; \
    ln -s _py2sss_murmur.so pysss_murmur.so ; \
    ln -s _py2sss_nss_idmap.so pysss_nss_idmap.so
ln: failed to create symbolic link ‘pysss.so’: File exists
ln: failed to create symbolic link ‘pyhbac.so’: File exists
ln: failed to create symbolic link ‘pysss_murmur.so’: File exists
ln: failed to create symbolic link ‘pysss_nss_idmap.so’: File exists
Makefile:19361: recipe for target 'install-exec-hook' failed
make[4]: *** [install-exec-hook] Error 1

This patch also uses argument "-f" with command ln which removes existing destination files before creating symbolic link

Reviewed-by: Pavel Reichl <preichl@redhat.com>

bdc2aced1185c4ee36921fa01b8dc01789a63900 25-Feb-2015 Jakub Hrozek <jhrozek@redhat.com>

PAM: print the pam status as string, too On several places, let's add a pam_strerror() call so that it's easier to debug user problems. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>

18372712592b30638772afb5b7e15bfca92c2058 25-Feb-2015 Lukas Slebodnik <lslebodn@redhat.com>

TESTS: Run python tests with all supported python versions This patch adds simple bash wrappers for python tests. They are executed either with python2 or python3. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

4a5a18f489f4d19aa0571528a7f0c7a8d35ac83f 25-Feb-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Add possibility to build python{2,3} bindings Resolves: https://fedorahosted.org/sssd/ticket/2574 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

4e0404ca1b19830dc0f729e59efd5bbd0a9d6103 25-Feb-2015 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Remove unused libraries for pysss.so Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

772199031f0ec687fa1fefd939206858c440e5a1 17-Feb-2015 Pavel Březina <pbrezina@redhat.com>

IFP: move interface definitions from ifpsrv.c into separate file Number of IFP interfaces will grow rapidly in the future. It is not convenient to keep it inside ifpsrv.c. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

df4e1db5d41c903ae57fd880acc76a0ad84aa7b2 17-Feb-2015 Pavel Březina <pbrezina@redhat.com>

sbus: use hard coded getters instead of generated Properties are single value of a small number of predefined D-Bus types. There is no need to generate them with codegen. Actually, the source generator for property getters is already quite a mess with branching for array, strings and object paths. Adding any more complex type in the future (such as dictionary) would require even more branching or creating a separate path for it. Hard coding the getters will simplify creating new ones for more complex types. This patch also reduces lots of code duplication and creates a simple function for GetAll. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5594736ea2618bb3e487f47fd199e1d2cf4c58fd 11-Feb-2015 Jakub Hrozek <jhrozek@redhat.com>

RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing SSSD contained several backwards-compatible definitions of SRV and TXT APIs as well as structures that carry TTL data. These were intended for RHEL-5 and older releases. Since we don't support those upstream, it's better to remove the code -- it has drifted apart from upstream anyway. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

bf54fbed126ec3d459af40ea370ffadacd31c76d 11-Feb-2015 Jakub Hrozek <jhrozek@redhat.com>

RESOLV: Add an internal function to read TTL from a DNS packet Related: https://fedorahosted.org/sssd/ticket/1884 Adds an internal resolver function that reads the TTL for SRV records as specified by RFC-2181. Several internal c-ares definitions are used until c-ares contains a function that exposes all this information via a parsing function. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

3a8f6b575f4019f21c9425a26f1b346c08a197ae 23-Jan-2015 Pavel Březina <pbrezina@redhat.com>

sbus: move common opath functions from ifp to sbus code These functions are quite general thus they may be part of sbus interface. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

51d65c4ad15c2cc23f38fa09dd6efeb15e4f3e86 23-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Include python-test.py in the tarball

d87e960c17d7598781cf032d06ba03a3ecadbfa2 23-Jan-2015 Pavel Březina <pbrezina@redhat.com>

sbus: move iface and object path code to separate file This is done to better distinguish between connection code and interface stuff. It will help with orientation and thus simplify next changes. Preparation for: https://fedorahosted.org/sssd/ticket/2339 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b3b6189850d50c656d62efbd498789124c033b00 20-Jan-2015 Lukas Slebodnik <lslebodn@redhat.com>

MAKE: Don't include autoconf generated file to tarball Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

44703b84feaafa4f0a4f8df11c5a503dcf48616e 15-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Cover child_common.c with unit tests The module wasn't tested properly, which made it harder to patch it Reviewed-by: Pavel Březina <pbrezina@redhat.com>

360a4be4266d6a72be99dfd252623dc0527f5b84 09-Jan-2015 Pavel Březina <pbrezina@redhat.com>

responders: new interface for cache request Many areas of responders perform an expiration check and refresh of cached objects during single or multiple domain search. This code is duplicated on many areas of the code with small or no modifications. This interface aims to reduce code duplication between responders, by providing one universal API for requesting cached objects. This API will take care of cache lookup, expiration check, cache refresh, out of band cache request, negative cache in both single and multi domain searches. Reviewed-by: Michal Židek <mzidek@redhat.com>

25d4435998d0446f7699e7ab0874c7a6f610ab58 11-Dec-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Install libsss_crypt after its dependencies

A library should not be installed before its internal dependencies otherwise there is an error in make distcheck.

libtool: install: error: relink `libsss_crypt.la' with the above command before installing it

It would be sufficient just to change order of libraries in automake variable pkglib_LTLIBRARIES, but it's better to have internal libraries in one place.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5a05b6127064c74349f1edae32e5e13032c386fe 08-Dec-2014 Lukas Slebodnik <lslebodn@redhat.com>

UTIL: Fix dependencies of internal sss libraries Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4d9db278db1197ae84fecb8f269e2de368a6be2a 08-Dec-2014 Lukas Slebodnik <lslebodn@redhat.com>

MAKE: Fix linking of test_child_common

Compilation of test_child_common failed with linker flag --as-needed due to cyclic dependencies between libsss_child.so and libsss_util.so

  CCLD test_child_common
./.libs/libsss_child.so: undefined reference to `sss_hash_create'
./.libs/libsss_child.so: undefined reference to `hash_lookup'
./.libs/libsss_child.so: undefined reference to `BlockSignals'
./.libs/libsss_child.so: undefined reference to `hash_delete'
./.libs/libsss_child.so: undefined reference to `hash_enter'
./.libs/libsss_child.so: undefined reference to `hash_error_string'
./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s'
./.libs/libsss_child.so: undefined reference to `sss_strerror'
collect2: error: ld returned 1 exit status

This patch is temporary workaround.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

fb3c5cdfcda069a5fbeb7b9d200c0881911364b8 04-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

Rename test-child to dummy-child Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9f521c61c17cecd9625ebc1b33c666fa3488622c 04-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Build test_child even without cmocka Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e00c2b5ac4963de9521599c88597b7fb97339d0e 03-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Basic child tests The child_common.c module had no unit tests, yet we need to amend it. Reviewed-by: Sumit Bose <sbose@redhat.com>

eba68b29d934e6ba3879947ab002f1b0a2c24496 02-Dec-2014 Pavel Reichl <preichl@redhat.com>

BUILD: restrict perms. when installing from source Resolves: https://fedorahosted.org/sssd/ticket/2467 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

939d44cef4d202a7ef88250e90c22f6c6a3acc50 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5_child: become user earlier The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

96bdf2906c981fe55b1d9a7b6539f2dd710efbf8 02-Dec-2014 Sumit Bose <sbose@redhat.com>

ldap_child: copy keytab into memory to drop privileges earlier Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a0ab15ceb80290db80c2052520830a95390de385 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: add copy_keytab_into_memory() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

802385896dc1c4e7b8bbd40dcfe3cd131f68e696 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: add copy_ccache_into_memory() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b7088215501c99e40ae71d1c57e0b789bbae2c87 02-Dec-2014 Sumit Bose <sbose@redhat.com>

krb5: do not fail if checking the old ccache failed https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a5623363d6042290fe652a1ca5ce5a85a821236f 28-Nov-2014 Pavel Březina <pbrezina@redhat.com>

tests: be_ptask Resolves: https://fedorahosted.org/sssd/ticket/1939 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

fa70db6004a099afb7cb55031cd7bacb9e78202e 28-Nov-2014 Pavel Březina <pbrezina@redhat.com>

be_ptask: create a private header file This is done so we gain access to the be_ptask structure in unit tests. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

eaaeaa7e00c3d4bfa792cc4d3c6770dc1e28ef0c 25-Nov-2014 Sumit Bose <sbose@redhat.com>

Fix KRB5_CONF_PATH Currently a shell/Makefile variable is used in the definition of KRB5_CONF_PATH for C code. This patch replaces it with a compiler macro. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8eb981dd8bc85aee7a913c6f0096ad47f3382339 20-Nov-2014 Sumit Bose <sbose@redhat.com>

ipa: add split_ipa_anchor() This call extracts the domain and the UUID part from an IPA override anchor. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d167039ec78f93828ba65366d86a1ee7774aed3e 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Touch files in DESTDIR Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

0a039d574ed0e91d939efd2c0975f6a425942afd 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Make chown of files to sssd user non-fatal In build environments, we can't assume the sssd user will be created prior to installing the package, so we can't chown the files. RPM will own the files instead in this case. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

f9ac9aa5760210b8bbd3d4e667dff5f101f99d62 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Use separate chown to make changing ownership to the sssd user non-fatal When the SSSD is built in the build system using a non-root user, the user doesn't exist in the build system and file ownership will be maintained by the downstream packaging instead. We need to make sure that setting the ownership to the sssd user is a separate step from creating the directories in this case in order to make failure to set the ownership non-fatal. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2745b0156f12df7a7eb93d57716233243658e4d9 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move all ccache operations to krb5_child.c The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

45aeb924ec3ac448bb8d174a5cc061ed98b147c7 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

KRB5: Move ccache-related functions to krb5_ccache.c Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

a60f4bb6b321298eb4d1c1c33d1897049a83d357 18-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Install krb5_child as suid if running under non-privileged user If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

f3a25949de81f80c136bb073e4a8f504b080c20c 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Move setting the SELinux context to a child process In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>

936940720b1b0e701a2317abc4c2d05a78338f33 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Drop privileges after kinit in ldap_child After ldap_child initializes privileges using root-owned keytab, it drops privileges to the SSSD user, minimizing the amount of code that runs as root. Reviewed-by: Michal Židek <mzidek@redhat.com>

45414c12aa933a33d9a635cc212c448c858c6bab 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Install ldap_child and as setuid if running under non-privileged user The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Reviewed-by: Michal Židek <mzidek@redhat.com>

a524965fbe0551f1b3a68f1e5c7a5689a652998f 05-Nov-2014 Sumit Bose <sbose@redhat.com>

Add test for sysdb_add_overrides_to_object() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

115de6d50f0d0bdd5745a5d8eb0d067be9128528 05-Nov-2014 Sumit Bose <sbose@redhat.com>

Add parse_attr_list_ex() helper function Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

bc13c352ba9c2877f1e9bc62e55ad60fc000a55d 22-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Add a config option for sssd user, own private directories as the user Adds a new configure-time option that lets you select the user to run SSSD as. The default is 'root' for backwards compatibility. The directories the daemon stores its private data at are also created as owned by this user during install time. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

ac40d2f2b2b2fc35c95389f5e28febd580bd2b7a 20-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

SSSD: Add the options to specify a UID and GID to run as Adds new command line options --uid and --gid to all SSSD servers, making it possible to switch to another user ID if needed. So far all code still runs as root. Reviewed-by: Pavel Reichl <preichl@redhat.com>

42ec8af02ecf1937e4db9b1ecc6216022634f0f9 20-Oct-2014 Michal Zidek <mzidek@redhat.com>

util: Move semanage related functions to src/util These functions will be reused by IPA provider. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

0f3df54840ec9a050cc0b1b68269c3f28c859e64 16-Oct-2014 Sumit Bose <sbose@redhat.com>

views: add ipa_get_ad_override_send() Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

2ef62c64e7f07c8aced3f72850008ecb72860162 16-Oct-2014 Sumit Bose <sbose@redhat.com>

sysdb: add sysdb_update_view_name() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

0d01e4f6cc21d8ca0e4fafe59c7cbfa1459fa47e 14-Oct-2014 Sumit Bose <sbose@redhat.com>

sss_nss_idmap: add sss_nss_getorigbyname() This patch adds an interface to the new SSS_NSS_GETORIGBYNAME request of the nss responder to libsss_nss_idmap. The main use case for this new call is to replace sss_nss_getsidbyname() in the extdom plugin on the FreeIPA server to get more information about the given object than just the SID which is not available with the default POSIX interfaces. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

428db8a58c0c149d5efccc6d788f70916c1d34d7 10-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Add a test to change user IDs Adds a unit test using the nss_wrapper and uid_wrapper libraries that exercises the ability to become another user. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9df7cddb68c61ef4e0397c196604999c68f4be0d 10-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Move become_user outside krb5 tree In order for several other SSSD processes to run as a non-root user, we need to move the functions to become another user to a shared space in our source tree. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

87d3b47abba6a40fcf809c85a2b138bc1013d9c5 06-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Use $(MKDIR_P) in Makefile.am It was suggested by the Fedora automake maintainer to use the autoconf macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is more portable and might actually expand to something else than "mkdir -p" on some platforms (usually it would be a variant of install.sh) Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6398f22526303343193a18e514602f1af6fb29cb 22-Sep-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

CI: Add Valgrind suppression support Add an empty Valgrind suppressions file, use it when invoking Valgrind. This prepares for addition of Valgrind suppressions for current false positives and issues that cannot be fixed, preparing for enforcing Valgrind check. Make Valgrind output a suppression for every error and make it output used suppression names and counts at the end of each run. This simplifies discovery and addition of new suppressions and removal of unused ones. Related to https://fedorahosted.org/sssd/ticket/2428 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

f3c85d900c4663854cc7bbae7d9f77867ed1f69b 08-Sep-2014 Sumit Bose <sbose@redhat.com>

libwbclient: avoid collision with Samba version Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

706d211b5d6e32d11a1c6ffc8065ca8be4d4d8c5 08-Sep-2014 Pavel Březina <pbrezina@redhat.com>

sss_sifp: bump version to 0:1:0 Interface did not change, only the code. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

a9c287bda3fc2a1e12cef2135ade96945f11ad01 02-Sep-2014 Sumit Bose <sbose@redhat.com>

libwbclient: make build optional Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b9c8ce2bdd4045782c243605a1b999098bedcffc 02-Sep-2014 Noam Meltzer <tsnoam@gmail.com>

NFSv4 client: add to build system Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Roland Mainz <rmainz@redhat.com>

3ce85a5f5264e7118beb6524e120fd8b53a13da4 02-Sep-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Add basic support for CI test execution Add basic support for executing continuous integration (CI) tests on RHEL6, RHEL7, Fedora 20, Fedora Rawhide and Debian Testing. This adds two front-end scripts which can be executed either locally by developers, or on a CI server: contrib/ci/run and contrib/ci/clean. The first one will run the tests and the second will wipe out the artifacts. See contrib/ci/README.md for further details. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6b5044001e4b0a0caf971a2cf5f27674e0d270f4 02-Sep-2014 Sumit Bose <sbose@redhat.com>

Implement MIT Kerberos localauth plugin The MIT Kerberos localauth plugin interface defines two different calls. The first checks if a given Kerberos principal relates to a given name of a local user (userok). The implementation lets SSSD resolve the principal and the user name and if the returned user entries both have the same UID success is returned. The second translates a given Kerberos principal to a local user name (a2l). Here SSSD is only called once to resolve the principal and the user name is returned. Resolves https://fedorahosted.org/sssd/ticket/1835 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8a5e793a0576250da80371e53aa3e7eba15cdb63 02-Sep-2014 Sumit Bose <sbose@redhat.com>

Add conditional build for MIT Kerberos localauth plugin This patch adds everything what is needed to build the MIT Kerberos localauth plugin if the used version of MIT Kerberos supports it. It does not implement the plugin. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

885386b7e3f1c3e74b354576b98a092b0835d64e 21-Aug-2014 Sumit Bose <sbose@redhat.com>

libwbclient: SSSD implementation This patch implements the libwbclient API for Samba daemons and utilities. The main purpose is to map Active Directory users and groups identified by their SID to POSIX users and groups identified by their POSIX UIDs and GIDs respectively. The API is not fully implemented because SSSD does not support some AD features like WINS or NTLM. Additionally this implementation has its focus on the file-server use case and hence does not implement some features which might be needed for a domain controller use case. Some API calls are generic and independent of the backend like e.g. converting binary SIDs and GUIDs into a string representation and back or memory allocation and deallocation. These parts are taken from the original Samba sources together with copyright and authors. Files with '_sssd' as part of the name contain the SSSD related calls. Resolves: https://fedorahosted.org/sssd/ticket/1588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Makefile.am configure.ac contrib/sssd.spec.in src/sss_client/libwbclient/libwbclient.h src/sss_client/libwbclient/wbc_err_internal.h src/sss_client/libwbclient/wbc_guid.c src/sss_client/libwbclient/wbc_idmap_common.c src/sss_client/libwbclient/wbc_idmap_sssd.c src/sss_client/libwbclient/wbc_pam_sssd.c src/sss_client/libwbclient/wbc_pwd_sssd.c src/sss_client/libwbclient/wbc_sid_common.c src/sss_client/libwbclient/wbc_sid_sssd.c src/sss_client/libwbclient/wbc_sssd_internal.h src/sss_client/libwbclient/wbc_util_common.c src/sss_client/libwbclient/wbc_util_sssd.c src/sss_client/libwbclient/wbclient.exports src/sss_client/libwbclient/wbclient.h src/sss_client/libwbclient/wbclient.pc.in src/sss_client/libwbclient/wbclient_common.c src/sss_client/libwbclient/wbclient_internal.h src/sss_client/libwbclient/wbclient_sssd.c src/tests/dlopen-tests.c
64074e584a56611d7563667e0fcdadd215b0c922 30-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: add sysdb_gpo support for caching gpo version Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

022c6b90bb37851c0e8704c0e5388ebc113c6470 28-Jul-2014 Lukas Slebodnik <lslebodn@redhat.com>

UTIL: Add functions for replacing whitespaces. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

462db32918a05097652f8232cd6c8d78a826e63c 28-Jul-2014 Lukas Slebodnik <lslebodn@redhat.com>

test_utils: Use common header file for libsss_util tests. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

8a8618717c99b7331125fa736b45d9155da797d3 23-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

Only check GID if ID-mapping Reviewed-by: Sumit Bose <sbose@redhat.com>

32381402a4a9afc003782c9e2301fc59c9bda2a9 20-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Store policy settings in local files Reviewed-by: Sumit Bose <sbose@redhat.com>

842f83f8db513214241a0fea076ac160b180e1dd 09-Jul-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Link sdap-tests with openldap libraries sdap-tests uses functions from openldap, but it was not linked with libldap or liblber. sh-4.2$ nm --undefined-only .libs/sdap-tests | grep -E "ldap|ber" U ber_free U ldap_control_create U ldap_err2string U ldap_get_option U ldap_init_fd U ldap_install_tls U ldap_is_ldaps_url U ldap_unbind_ext sdap-tests cannot be linked on platforms with disabled link_all_deplibs. CCLD sdap-tests /usr/bin/ld: src/providers/ldap/sdap_tests-sdap.o: undefined reference to symbol 'ber_free' /usr/bin/ld: note: 'ber_free' is defined in DSO /lib64/liblber-2.4.so.2 so try adding it to the linker command line /lib64/liblber-2.4.so.2: could not read symbols: Invalid operation clang: error: linker command failed with exit code 1 (use -v to see invocation) make[3]: *** [sdap-tests] Error 1 Reviewed-by: Pavel Reichl <preichl@redhat.com>

f28b09f887870c10c8c611beee3c17eaa9ef74f3 09-Jul-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Add version symbol files for public libraries. Version symbol files will help package systems to catch backward compatible changes (newly added functions) into library. The difference between libraries libsss_nss_idmap_test.so and libsss_nss_idmap.so is that the 1st library will not be installed and has more exported functions, which are necessary for mocking with cmocka for test sss_nss_idmap-test. Resolves: https://fedorahosted.org/sssd/ticket/2194 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1a59af8245f183f22d87d067a90197d8e2ea958d 08-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Add the DBus service activation The system bus has the ability to start services on demand. This patch adds the sysbus service activation file that, currently, only calls the sss_signal tool to signal the monitor. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

1746e8b8399da2a7a8da4aace186f66055ccfec1 08-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

TOOLS: New helper tool sss_signal A minimal tool whose only purpose is to signal the monitor with SIGUSR2. The tool will be executed by the system bus in order to provide system activation, so it's packaged in libexec. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

4df1a6a977df74420867d9b1daddcca0eea4b2e1 08-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: dbusintrospectdir is not used anymore We fprintf the introspection data on demand rather than printing an XML file. The directory specification can be removed. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

e592d5f157be869151983bd1b46d6f4f7a29daaf 08-Jul-2014 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Add a unit test for the sdap.c module Covers the sdap_parse_entry function with unit tests so that we know that modifying the function in a later patch will not result in a regression. Reviewed-by: Michal Židek <mzidek@redhat.com>

99f8be128274eba264ea1434a7eb2800bced5902 01-Jul-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: ad_gpo_tests should be built only with samba Reviewed-by: Sumit Bose <sbose@redhat.com>

19d3aba12c70528708be9440aca66038a291f29e 01-Jul-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Add gpo-smb implementation in gpo_child process Reviewed-by: Sumit Bose <sbose@redhat.com>

6e973aa578a692b2e7597811dfdfdb1a442c85f8 23-Jun-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

build: Allow augmenting TESTS_ENVIRONMENT Add substitution of a special variable "AUX_TESTS_ENVIRONMENT" to the "TESTS_ENVIRONMENT" value, allowing its augmentation from the make command line. This enables wrapping test commands with older versions of Automake, where LOG_COMPILER support is missing. This enables executing "make check" target with Valgrind on RHEL6, like this: make check AUX_TESTS_ENVIRONMENT="libtool --mode=execute valgrind" Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5377441d7a846461c2d9a7a870cea711360a529a 19-Jun-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

build: Augment systemdconfdir at configure stage Add "/sssd.service.d" to systemdconfdir at configure stage, instead of the make stage. This way, if systemd is not used, systemdconfdir variable stays empty. That in turn, works around the attempt by older versions of Automake to create the installation directory even though no files are installed there [1]. This fixes installation and distcheck target on RHEL6, where an "/sssd.service.d" directory creation would otherwise be attempted. [1] http://debbugs.gnu.org/cgi/bugreport.cgi?bug=11030 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

c6e39e15178675d0779e0ae855245774a09b4eb5 19-Jun-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

build: Switch back to DISTCHECK_CONFIGURE_FLAGS Switch back to using DISTCHECK_CONFIGURE_FLAGS instead of the AM_-version in Makefile.am, as the latter is not supported by Automake version in RHEL6. Instead, use a special variable AUX_DISTCHECK_CONFIGURE_FLAGS to augment distcheck target configure flags from the command line. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b5f61c9b3f5ea79bf319c18ff59394070c04d607 18-Jun-2014 Pavel Reichl <preichl@redhat.com>

TESTS: sss_ssh - textual public key format Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

683e1f67d08be7165ea456d4594c4c8a4eddc9b3 03-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

PAM: Define compatible macros for some functions. Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam. This patch conditionally defines macros for these functions if they are not available. Compatible macros use standard functions vsyslog, getlogin Reviewed-by: Sumit Bose <sbose@redhat.com>

d2d21d45a88d0869f860e215c2cf946f032818ca 03-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

CONFIGURE: Enhance detection of pam Reviewed-by: Sumit Bose <sbose@redhat.com>

5385172799f6dea59fe1c0ef8f482db59bfc9c5c 03-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

MAKE: Remove PAM libraries from libsss_simple libsss_simple does not call any pam function. sh-4.2$ nm --dynamic --undefined-only .libs/libsss_simple.so | grep pam sh-4.2$ echo $? 1 Reviewed-by: Sumit Bose <sbose@redhat.com>

0352c371e743d8dae996123f658b5d32c677614e 30-May-2014 Yassir Elley <yelley@redhat.com>

TEST: Add ad_gpo unit tests Reviewed-by: Sumit Bose <sbose@redhat.com>

534c5427e5216d5d25f9b10925294e803ecf016f 30-May-2014 Lukas Slebodnik <lslebodn@redhat.com>

MAKE: Link libsss_ldap.so with ldap libraries Tests ad_common_tests, test_search_bases, ad_access_filter_tests could not be linked on ubuntu and dlopen test failed as well. Running suite(s): dlopen 0%: Checks: 1, Failures: 1, Errors: 0 src/tests/dlopen-tests.c:143:F:dlopen:test_dlopen_base:0: Error opening libsss_ldap.so: [dlopen() failed: sssd-1.11.90/.libs/libsss_ldap_common.so: undefined symbol: ber_pvt_opt_on] Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4bd20c075f0f187db0181dc53d00ab6cd47fdb4d 30-May-2014 Jakub Hrozek <jhrozek@redhat.com>

BUILD: Disable dbus tests when running distcheck https://fedorahosted.org/sssd/ticket/2291 The dbus tests that mock an sbus server were failing when make distcheck was run by a user logged in through the SSSD. The reason was that the libtool wrapper around the test library alters the LD_LIBRARY_PATH and as a consequence, the standard getpwuid_r() calls the dbus server performs would load the in-tree NSS library and not the system one. The in-tree library would then attempt to talk to an in-tree NSS socket, fail, which would fail the getpwuid_r call with an error such as: """ Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry """ This patch adds a new configure-time option called --enable-dbus-tests that is enabled by default and disabled during distcheck. When the option is disabled, the tests that require a mocked dbus server are not compiled at all.

0bb98b7700b1b61f5b0a20b93279d5c2c391007f 29-May-2014 Pavel Březina <pbrezina@redhat.com>

sss_sifp: add shortcuts for common use cases https://fedorahosted.org/sssd/ticket/2254 Reviewed-by: Sumit Bose <sbose@redhat.com>

efa6c1f75c4c18bcc148d6e7efd429c2d56499ad 29-May-2014 Pavel Březina <pbrezina@redhat.com>

sss_sifp: add support for string dictionary https://fedorahosted.org/sssd/ticket/2254 Reviewed-by: Sumit Bose <sbose@redhat.com>

f43c6a9ae2aea13b7a83fd932139f9352efbfcad 29-May-2014 Pavel Březina <pbrezina@redhat.com>

sss_sifp: unit tests https://fedorahosted.org/sssd/ticket/2254 Reviewed-by: Sumit Bose <sbose@redhat.com>

a7e27c11866a48742bb70564b88e15bf15e9367d 29-May-2014 Pavel Březina <pbrezina@redhat.com>

sss_sifp: build https://fedorahosted.org/sssd/ticket/2254 Reviewed-by: Sumit Bose <sbose@redhat.com>

8a1fd0633e85221da1fb63451516a70d66c0af31 28-May-2014 Pavel Březina <pbrezina@redhat.com>

IFP: Implement SSSD components Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

590582be38cdbfde387fcc57df92903d48c5a083 28-May-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Add ListDomains and FindDomainByName Reviewed-by: Pavel Březina <pbrezina@redhat.com>

8d15291907aaa4d50bb66fdb7a5002fce7ac7bf4 26-May-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

build: Switch to AM_DISTCHECK_CONFIGURE_FLAGS Use AM_DISTCHECK_CONFIGURE_FLAGS in Makefile.am instead of DISTCHECK_CONFIGURE_FLAGS to allow using the latter at build time, upon making distcheck target. In particular, the above would allow specifying --with-test-dir option to help archive test data in CI runs, like this: make distcheck DISTCHECK_CONFIGURE_FLAGS=--with-test-dir=/dev/shm/ci-test-dir Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b1c4a998f8e217b4ba4cd632f5069d479211c22d 23-May-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: add libsmbclient to makefiles Reviewed-by: Sumit Bose <sbose@redhat.com>

28c155e20d3ebf53581821572c6c3fe1724582c9 23-May-2014 Yassir Elley <yelley@redhat.com>

AD-GPO: Remove dependency on libsamba-security Reviewed-by: Sumit Bose <sbose@redhat.com>

1319e71fd1680ca4864afe0b1aca2b8c8e4a1ee4 22-May-2014 Stef Walter <stefw@redhat.com>

SBUS: Start implementing property access This patch adds the basis of SBUS getters and setters. A new module, sssd_dbus_properties.c would contain handlers for the property methods like Get, Set and GetAll. Type-safe property access works in a similar fashion like type-safe method calls - the invoker calls the getter which returns the primitive type, which is in turn marshalled into variant by the invoker. This patch does not contain the complete functionality, see later patches that continue implementing the getters and setters. Reviewed-by: Stef Walter <stefw@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a2e417f38c57ed87c956ddcecf4dafca93842b65 16-May-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Make samba4 libraries optional Samba 4 libraries are necessary for building {ad, ipa} provider, but samba4 needn't be available on older distributions. This patch adds the possibility to build SSSD without {ad, ipa} provider and thus without Samba 4 libraries. The configure script has a new argument --with-samba with default value yes. Reviewed-by: Michal Židek <mzidek@redhat.com>

3fe339bcba0e211cc666bb3afe34e5c8fce85f4f 14-May-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Add a GetGroupsList method This patch adds a new method on the bus with the following synopsis: <method name="GetUserGroups"> <arg name="user" type="s" direction="in" /> <arg name="values" type="as" direction="out"/> </method> Its purpose is to return names of groups the user is a member of as a list of strings. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

bbaba8b3ef9bc101863b8687f234f4ee956caacd 14-May-2014 Pavel Březina <pbrezina@redhat.com>

sss_config: build only when IFP is allowed since the IFP responder is currently the only planned consumer. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

80314a6f3ea8d81abe73d501d5b953a256cb2167 14-May-2014 Pavel Březina <pbrezina@redhat.com>

sss_config: unit tests Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

3fc158e59eebbc2f538fe0076a03928d0d4eab9f 14-May-2014 Pavel Březina <pbrezina@redhat.com>

sss_config: build Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

770dc892f867639f36f84455d65be6287935a529 13-May-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Per-attribute ACL for users Introduces a new option called user_attributes that allows to specify which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed, this option allows to either add other attributes (+attrname) or remove them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com>

60cab26b12df9a2153823972cde0c38ca86e01b9 13-May-2014 Yassir Elley <yelley@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f92ace4a52602e8c38a34f2392bec3deeac2dddd 13-May-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Add utility functions Adds a number of utility functions, most importantly ifp_req_create(). The ifp_req is a structure that will be passed along with the ifp request and would provide easy access to both the sbus_request data and per-responder data, like the ifp_ctx. Also includes a utility function to split a path prefix from a full path and add a ldb_element into a dictionary. These will be reused later. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

0161a3c5637a0c0092bf54c436bb3d6508d7df26 13-May-2014 Jakub Hrozek <jhrozek@redhat.com>

SBUS: Add an async request to retrieve the caller ID Adds an async request sbus_get_sender_id_{send,recv} that allows retrieval of UID based on "sender" as returned by dbus_message_get_sender(). The UID is an int64_t to be able to use "-1" as a fallback value for unknown or error cases. The unit test is added as a standalone one, not part of the sbus_tests because the request, and by extension the unit test relies on being connected to the system bus, which is very unlikely to work in a build system. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>

d12c95d840ed5de7f34e21002943c48e711a33f4 06-May-2014 Lukas Slebodnik <lslebodn@redhat.com>

TEST: Link ipa_ldap_opt test with openldap libs The test ipa_ldap_opt has undefined symbols from libldap and liblber, but it was not directly linked with openldap libraries. sh-4.2$ nm --undefined-only .libs/ipa_ldap_opt-tests | grep -E "ldap|ber" U ber_free U ldap_err2string It causes linker failure on systems with disabled link_all_deplibs (debian) /usr/bin/ld: src/providers/ldap/ipa_ldap_opt_tests-sdap.o: undefined reference to symbol 'ber_free' /usr/bin/ld: note: 'ber_free' is defined in DSO /lib64/liblber-2.4.so.2 so try adding it to the linker command line /lib64/liblber-2.4.so.2: could not read symbols: Invalid operation clang: error: linker command failed with exit code 1 (use -v to see invocation) Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

fcb8e3f1f49bb34c409d8dbd75889eb72be05517 02-May-2014 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Fix off-by-one bug in sdap_copy_opts The sdap_copy_opts function copied all the arguments except for the sentinel. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

7caf7ed4f2eae1ec1c0717b4ee6ce78bdacd5926 22-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: Add a new request sss_parse_inp_send The responders were copying code to parse input and on encountering an unknown domain, send the discover subdomain request. This patch adds a reusable request that can always be called in responders and in case the name can be parsed, just shortcut. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

c440c424443517b12afa8d56f989d92ca6ba56a3 22-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

TESTS: Split a separate common_mock_resp_dp module Splitting the module would allow responders that test the Data Provider requests to use the mock_rctx/mock_cctx functions without duplicate definitions. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

03a071399ab5fb58d4bb4fa38928413a21ae4d61 22-Apr-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

build: List test extensions List test extensions with TEST_EXTENSIONS [1] in Makefile.am to allow applying separate LOG_COMPILER for binary and Python tests. This is needed to avoid running Python tests under Valgrind as that produces too many interpreter-specific errors which are hard to suppress reliably [2]. Thus a run like this would run only binary tests under Valgrind: make check PY_LOG_COMPILER=env LOG_COMPILER=valgrind Or more briefly: make check LOG_COMPILER=valgrind [1] http://www.gnu.org/software/automake/manual/automake.html#index-TEST_005fEXTENSIONS [2] http://svn.python.org/projects/python/trunk/Misc/README.valgrind Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1203e462650f035b0df2304075d60b9a99e36715 19-Apr-2014 Stef Walter <stefw@redhat.com>

sbus_codegen_tests: Add test case type-safe handler args This adds a big test case for invoking a handler with all supported basic arguments, and constructing a reply with the same. Lots of tedious code, but worth it to make sure things work well.

c252d148fa8ab50aaaa8bbae7beb4d208025171d 17-Apr-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

build: Don't assume systemd implies journald Don't add --with-syslog=journald to extra_distcheck_flags if configured with systemd (--with-initscript=systemd). Add it if configured with journald (--with-syslog=journald) instead. This fixes distcheck target when configured with systemd, but without journald. Don't install journal.conf helping with enabling journald logging, unless configured with journald (--with-syslog=journald), as it would be useless and misleading. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

cc1c033c34b5f816b633d27a21aefbf811a7cf72 16-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Move duplicated files from providers to libsss_ldap_common.so Files sss_ldap.c, user_info_msg.c were built in libsss_{ad,ipa,ldap}.so. In these two files, there are functions sss_ldap_get_diagnostic_msg, pack_user_info_chpass_error which are needed in libsss_ldap_common.so sss_ldap_get_diagnostic_msg is used in src/providers/ldap/sdap_async.c, src/providers/ldap/sdap_async_connection.c pack_user_info_chpass_error is used in src/providers/ldap/ldap_auth.c Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

6261893e00bd14fdd192ffc9a1379cb9c647d326 16-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Move file sss_krb5.c into libsss_krb5_common.so Functions from module sss_krb5.c were duplicated in many libraries. e.g. symbol check_fast was in libsss_ad.so, libsss_ipa.so, libsss_krb5.so, libsss_ldap.so This patch also removes duplicate files between libsss_ldap.so and libsss_krb5_common.so. libsss_ldap.so has already depended on libkrb5. Now, it will depend on libsss_krb5_common.so Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

12805da52a93c268290cec7b8fbbdbd4ea8abc3e 16-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Move file find_uid.c into libsss_util.so Functions from module find_uid.c were duplicated in many libraries. e.g. symbol check_if_uid_is_active was in libsss_ad.so, libsss_ipa.so, libsss_krb5.so, libsss_ldap.so Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

7fc27c7a3ccbb6aecb8cf4a4a5f91962028cb897 16-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Link libsss_ldap_common.so to libsss_idmap.so Library libsss_ldap.so does not directly use functions from library libsss_idmap.so. It only calls function sdap_idmap_init (from file sdap_idmap.c) which is in library libsss_ldap_common.so sh-4.2$ nm -D --undefined-only /usr/lib64/sssd/libsss_ldap.so | grep idmap U sdap_idmap_init On the other hand, libsss_ldap_common.so uses functions from libsss_idmap but it was not linked to libsss_idmap.so. sh-4.2$ objdump -p /usr/lib64/sssd/libsss_ldap_common.so | grep idmap sh-4.2$ echo $? 1 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

717008c8c3f29f3a1a77266cc72a6cfa616bf295 16-Apr-2014 Benjamin Franzke <benjaminfranzke@googlemail.com>

BUILD: Link libsss_krb5_common.so to libkeyutils.so The symbol add_key (from libkeyutils) is used by function add_user_to_delayed_online_authentication (from file src/providers/krb5/krb5_delayed_online_authentication.c) which is part of libsss_krb5_common.so Fixes following error: [sssd[be[default]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib64/sssd/libsss_ad.so), error: /usr/lib64/sssd/libsss_krb5_common.so: undefined symbol: add_key -lkeyutils was passed to the libraries libsss_{krb5,ipa,ad}.so, but when compiling with -Wl,--as-needed this flag will be ignored, since it is not used directly. So it was unavailable to libsss_krb5_common.so which actually needs it. This patch removes $(KEYUTILS_LIBS) from those libraries and adds it to libsss_krb5_common.so Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

42c28b9424b6ef8a0021b124773e171dd5defadd 15-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

SBUS: Generate introspection from the interface meta structure https://fedorahosted.org/sssd/ticket/2234 This patch generates the introspection data from the sbus interface meta structure. The generated XML conforms to http://dbus.freedesktop.org/doc/dbus-specification.html#introspection-format The XML description of the interface also always includes the org.freedesktop.DBus.Introspectable interface, which this patch also allows in the policy settings.

4f6931e854c698dcb1c09f99eb330ce2fb97e7c6 11-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

AUTOMAKE: Do not include generated files into tarball sssd.service was assigned to the dist_systemdunit_DATA variable. Automake will install this file into the systemd unit directory after building it if necessary. Automake will also include this generated file in the tarball. As a result, when building sssd from the tarball, the paths needn't be recreated. The files in DATA primaries are added as dependencies to the all target via the internal all-am target. If sssd.service doesn’t exist, make will look for a rule to build it. Since there is such a rule, make will simply execute that rule when I build the all target. Resolves: https://fedorahosted.org/sssd/ticket/2314 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a203f4a0e7c60d6198f4ce8bf99952cfec5a0351 04-Apr-2014 Lukas Slebodnik <lslebodn@redhat.com>

Makefile: Use alternative method to replace *bindir https://www.gnu.org/software/autoconf/manual/autoconf-2.67/html_node/Installation-Directory-Variables.html Most of these variables have values that rely on prefix or exec_prefix. It is deliberate that the directory output variables keep them unexpanded: typically ‘@sbindir@’ is replaced by ‘${exec_prefix}/sbin’, not ‘/usr/local/sbin’. This behavior is mandated by the GNU Coding Standards. Installation directory variables (sbindir, pkgdatadir ...) should be used only in makefiles. Similarly, we should not rely on AC_CONFIG_FILES to replace sbindir and friends in shell scripts and other files; instead, let make manage their replacement. Resolves: https://fedorahosted.org/sssd/ticket/2293 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

0a6fa194bad18f417dc8542d3b8f654f898375c5 04-Apr-2014 Pavel Březina <pbrezina@redhat.com>

IFP: do not create client socket There is no need for client socket in IFP responder, since it uses D-Bus for communication with clients. Resolves: https://fedorahosted.org/sssd/ticket/2290 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

8214510f125879c3b1d247f2ce981ee20b5375d1 04-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Connect to the system bus Related: https://fedorahosted.org/sssd/ticket/2072 Adds the possibility for the InfoPipe responder to connect to the system bus. At the moment, only a dummy method "Ping" is provided. The method only accepts a single string parameter that has to be 'ping'.

cb4d5b588e704114b7090678752d33512baa718e 04-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Re-add the InfoPipe server Related: https://fedorahosted.org/sssd/ticket/2072 This commit only adds the responder and the needed plumbing. No DBus related code is in yet.

03fb48fdaa7ed95ecb38ecc43a6d221ff2cfd950 04-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

IFP: Fix a typo in the Makefile

a044c9a1012d11a2a75e9976ebf186d2d781d291 03-Apr-2014 Pallavi Jha <pallavikumarijha@gmail.com>

cmocka-unit-test-for-functions-getpwuid*-added Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

054b5d4bb98973698f74d66b14ccd14394b53f10 14-Mar-2014 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Enable additional compiler warnings Reviewed-by: Pavel Reichl <preichl@redhat.com>

f5e47e1d65f80ffdb1893feab18583a74d661214 14-Mar-2014 Stef Walter <stefw@redhat.com>

sbus_tests: Add some testing of dispatch and handler code This starts a DBus server with some handlers, and runs some method calls against it. Note that we don't use the codegen in the sbus_tests, as we sorta want to test this non-codegen related functionality on its own before we run the sbus_codegen_tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d9577dbd92555b0755881e37724019ef9c578404 14-Mar-2014 Stef Walter <stefw@gnome.org>

sbus: Add struct sbus_request to represent a DBus invocation struct sbus_request represents a request from a dbus client being handled by a dbus server implementation. The struct contains the message, connection and method (and in the future the property) which is being requested. In the future it will contain caller information as well. sbus_request is a talloc memory context, and is a good place to attach any allocations and memory specific to the request. Each handler accepts an sbus_request. If a handler returns EOK, it is assumed that the handler will finish the request. Any of the sbus_request_*finish() methods can be used to complete the request and send back a reply. sbus_request_return_and_finish() uses the same argument varargs syntax as dbus_message_append_args(), which isn't a great syntax. Document it a bit, but don't try to redesign: The marshalling work (will follow this patch set) will remove the need to use varargs for most DBus implementation code. This patch migrates the monitor and data provider dbus code to use sbus_request, but does not try to rework the talloc contexts to use it. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

5c36e1f8901a4baff2b51d81d87c2b577f84fef6 10-Mar-2014 Lukas Slebodnik <lslebodn@redhat.com>

Makefile: Add missing library to the dp_opt_tests
dp_opt_tests cannot be linked properly if link_all_deplibs is disabled (debian)
    /usr/bin/ld: src/tests/cmocka/dp_opt_tests-test_dp_opts.o: undefined reference to symbol 'poptFreeContext@@LIBPOPT_0'
    /usr/bin/ld: note: 'poptFreeContext@@LIBPOPT_0' is defined in DSO /lib64/libpopt.so.0 so try adding it to the linker command line
    /lib64/libpopt.so.0: could not read symbols: Invalid operation
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d00ffd2cb4e2f17c75b466178bb645b5c9317909 05-Mar-2014 Pallavi Jha <pallavikumarijha@gmail.com>

Unit-test-for-negcache-module-added Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d206ccb0362396b9de326ab1c43ed3af9d8b60a3 02-Mar-2014 Sumit Bose <sbose@redhat.com>

config API: prepend source dir search path for tests Instead of appending, the search path in the source directory should be prepended. Otherwise the test might find files installed in the default paths of the system first. As a result the compiled python files in the build directory must be removed in the clean target to make 'make distcheck' pass. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

17f08cbd0f909181536b93d6c12c7cd69995f09e 02-Mar-2014 Sumit Bose <sbose@redhat.com>

config API: read only specific files from schemaplugindir Currently the config API reads any file in the schema plugin dir, typically /usr/share/sssd/sssd.api.d. If there are any unexpected files, like e.g. editor copies or backups, the python code might break because it cannot parse the files. With this patch only files matching the pattern '^sssd-.*\.conf$' are read from this directory. Additionally this patch contains a file which will break the config API self test if it is not filtered out correctly. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

61804568ce5ede3b1a699cda17c033dd6c23f0e3 02-Mar-2014 Sumit Bose <sbose@redhat.com>

SUDO: AD provider This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD provider. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file both components worked with different settings. Fixes https://fedorahosted.org/sssd/ticket/2256 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

034ffb3c69cd04f03b36b89766c47a7c9bd9b831 26-Feb-2014 Sumit Bose <sbose@redhat.com>

libsss_idmap: bump version-info Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

90afedb00608547ae1f32aa7aafd552c4b306909 26-Feb-2014 Jakub Hrozek <jhrozek@redhat.com>

DP: Provide separate dp_copy_defaults function https://fedorahosted.org/sssd/ticket/2257 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

f69f3581658351003a6d9245045e41d0efb85022 26-Feb-2014 Sumit Bose <sbose@redhat.com>

IPA: refactor idmap code and add test Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

769347ad4d35d43488eb98f980143495b0db415d 24-Feb-2014 Stef Walter <stefw@redhat.com>

sbus: Rework sbus to use interface metadata and vtables Previous commits added support for interface metadata and handler vtables. This commit ports sbus_dbus_connection to use them. Port the internal uses of dbus to use the new scheme in a very minimal way. Further cleanup is possible here. This commit provides basic definitions of the internal dbus interfaces. The interfaces aren't fully defined, as the handlers will continue to unpack manually, and often overload DBus methods with different arguments (which is rather unorthodox, but not the end of the world). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

fcd8093c58638dc7c4f9cddfc97f273b94ce2ead 24-Feb-2014 Stef Walter <stefw@redhat.com>

sbus: Add sbus_vtable and update codegen to support it Each interface is a vtable structure derived from sbus_vtable, in the sense that it has an sbus_vtable struct as its first argument. This lets us upcast the interface vtable structure to an sbus_vtable and dispatch to it dynamically and cleanly. The interface metadata contains information about which vtable offset in the interface metadata should be dispatched to for a given function. This is a common scheme, not only among dbus implementations, but also compiled languages. Currently all the vtable functions are of type sbus_msg_handler_fn. These are the handlers we are familiar with and perform raw processing of the message. Later commits will introduce type safe handlers that leverage compile checking and automatic argument packing/unpacking. Although this may seem contrived now, the remainder of the dbus infrastructure work will build on this, including ofd.Properties, ofd.ObjectManager, ofd.Introspect, compiler checked type safe unpacking/packing, etc. The codegen now generates vtable structures for each interface alongside the metadata, and fills in vtable offsets appropriately. It is obviously still possible to hand-craft such vtables and metadata if needed for a special case. Once again example output can be found at: src/tests/sbus_codegen_tests_generated.h Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

b699c4d7f85a5404be1d1ee9450331aea869b886 24-Feb-2014 Stef Walter <stefw@redhat.com>

sbus: Add meta data structures and code generator These metadata structures hold the information about all the details of a DBus interface. They are typically generated from the canonical XML form of the DBus interface, although they may also be hand crafted. Add some handy functions for looking up methods, props, signals, in the metadata of an interface. Currently lookups are just done by looking through an array. If performance becomes an issue (ie: very large interfaces) it would be really easy to sort things and use bsearch(). Later commits will include some definitions using this metadata and related functions. DBus interfaces are defined here: http://dbus.freedesktop.org/doc/dbus-specification.html#introspection-format The introspection data format has become the standard way to represent a DBus interface. For many examples see /usr/share/dbus-1/interfaces/ on a typical linux machine. A word about annotations. These are extra flags or values that can be assigned to anything. So far, the codegen supports this annotation: org.freedesktop.DBus.GLib.CSymbol - An annotation specified in the specification that tells us what C symbol to generate for a given interface or method. By default the codegen will build up a symbol name from the DBus name. It is possible to confuse the code generator into producing invalid C code (with strange method names, for example), but the C compiler catches such silliness right away. Add tests testing basic features of the codegen and poking through the metadata it creates. Also test the metadata lookup functions. Generated code is checked in for easy discovery. An example of the XML interface definitions can be found at: src/tests/sbus_codegen_tests.xml And an example of the generated header can be found here: src/tests/sbus_codegen_tests_generated.h Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

22091abbe7b4a5667f62603dfd875e9ec6adf789 19-Feb-2014 Alexey Shabalin <shaba@altlinux.ru>

Use KRB5_CFLAGS where appropriate There are cases when MIT Kerberos is installed with includes in a subdirectory of /usr/include (or /usr/local/include). In such case we have to properly use KRB5_CFLAGS to reach them. https://fedorahosted.org/sssd/ticket/2226 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

9542512d7be40f2000298c86d3d2b728f4f0f65a 19-Feb-2014 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Simplify enabling journald on installed systems systemd supports overrides of the standard service file to be placed in /etc/systemd/system/<service>.service.d/ With this patch, we will install a commented-out override file to /etc that will instruct the user on how to enable logging to journald. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e046ae03d0f55b1c8b0ec2fa6139bf86a3449adf 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

tests: nested groups unit test Resolves: https://fedorahosted.org/sssd/ticket/2024 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dc70b11ddc2dfc6ed99cd895f020cd3429278968 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

tests: prepare makefile for provider related unit tests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

17d37aecdf397fcb7a1d0c75adebdb25d7be112e 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

tests: mock sysdb users and groups Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3f32406640d89face5e79244b4d8dab34adb6c7c 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

tests: mock SDAP Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

82a4f022ec1cbb9530ffa21d95474152b24acf50 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

ldap: move domain related content from ldap_common.c to sdap_domain.c Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ce35bb272d25926b8fa0f9450c8b74064f25c816 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

ldap: move options related content from ldap_common.c to ldap_options.c Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

25ac7bda643c8872b5a29bc856c374e76a7f8363 18-Feb-2014 Pavel Březina <pbrezina@redhat.com>

sdap: move non async functions from sdap_async.c to sdap_utils.c Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5bcb59c94ceb86b4ccd280a5a3f47c16fb08aac3 17-Feb-2014 Lukas Slebodnik <lslebodn@redhat.com>

IPA: explicitly link libsss_ipa with selinux library
Function selinux_policy_root is used in the module ipa_selinux.c by macro selogin_path, but libsss_ipa.so was not linked with selinux library. It was not a problem because other libraries depend on selinux.so
    libsss_ipa.so -> libk5crypto.so -> libkrb5support.so -> libselinux.so
We should not rely on dependencies of other libraries.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

17bc702a8aa0858647a628c3e9702f2dd698fd82 12-Feb-2014 Lukas Slebodnik <lslebodn@redhat.com>

Makefile: Remove unused libraries ldap_child, krb5_child do not use any function from libsss_child, libtevent and openldap libraries

b9d8c6172e48a2633ebe196b2e88bebdf9523c20 12-Jan-2014 Stef Walter <stefw@redhat.com>

util: A safe printf for user provided format strings Since the default printf(3) implementation cannot safely be used on user (or admin) provided input, this is a safe implementation. This will be used in later patches by the full_name_format option. The implementation came from realmd, but only has libc dependencies. The number of fields is pre-defined, and safe printf fails if an invalid field is accessed. Only string fields are supported, and only flags relevant to string fields are supported. Width and precision work as expected, but precision cannot read from a field. Tests are included, and ported to the check based testing that sssd uses.

461da2984c747708e8badd27fa55ef879f40e712 09-Jan-2014 Pallavi Jha <pallavikumarijha@gmail.com>

cmocka unit test for authtok module added

e33122d1775712bd31cf4a977bcc40843ca0f618 19-Dec-2013 Pavel Březina <pbrezina@redhat.com>

Bump sss_idmap version to 3:0:3 New functions were added.

72ae534f5aef6d2e5d3f2f51299aede5abf9687e 19-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add a utility function to create list of connections ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.

cebdc563a094d305b91da5b5af4d95d8e3a1bf27 29-Nov-2013 Pavel Reichl <pavel.reichl@redhat.com>

SSSD: Unit test - sss_ldap_dn_in_search_bases Unit test testing detection of the right domain when processing group with members from several domains Resolves: https://fedorahosted.org/sssd/ticket/2132

f74d7744f1b12fe0492eadfc8cf30afcb4092e40 28-Nov-2013 Lukas Slebodnik <lslebodn@redhat.com>

AUTOMAKE: Don't build libsss_test_common every time Although static library libsss_test_common was used only in tests, it was also built with command "make all" Resolves: https://fedorahosted.org/sssd/ticket/2097

25c394fc9d09aa7f58700e67b942aba86505934a 18-Nov-2013 Lukas Slebodnik <lslebodn@redhat.com>

TESTS: Link libsss_test_common with tevent Static library libsss_test_common calls tevent functions directly (in module common_tev.c), but it was not linked with tevent library.

de38d860e39585486e3ccbb42555196e319c7efd 15-Nov-2013 Sumit Bose <sbose@redhat.com>

Add utility to handle Well-Known SIDs

7a1a56860993475d0025e7411547649abf09d32c 15-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

Merge ipa_selinux_common.c and ipa_selinux.c Moved unused functions and merged ipa_selinux_common.c into ipa_selinux.c

41402c003fef1e6768f5468dd7ea2e20e16bfa19 11-Nov-2013 Benjamin Franzke <benjaminfranzke@googlemail.com>

BUILD: Use OPENLDAP_CFLAGS instead of LDAP_CFLAGS LDAP_CFLAGS is never defined. OPENLDAP_CFLAGS is set by src/external/ldap.m4. This patch does: sed -i 's/$(LDAP_CFLAGS)/$(OPENLDAP_CFLAGS)/' Makefile.am

c3889e5a101a075defe533d81f5296d5e680f639 11-Nov-2013 Lukas Slebodnik <lslebodn@redhat.com>

BUILD: Explicitly link libsss_ad.so with sasl libs If openldap is not built with sasl support libsss_ad.so will not be linked with libsasl2 although sasl_client_init is called by function ad_sasl_initialize.

16c351625346b3193e1762027e5215ab76042127 11-Nov-2013 Sumit Bose <sbose@redhat.com>

Replace prog_DEPENDENCIES with EXTRA_prog_DEPENDENCIES Automake computes build dependencies of a program automatically but not if prog_DEPENDENCIES is set. In this case only the dependencies given by prog_DEPENDENCIES are used. If the automatically calculated dependencies should be augmented EXTRA_prog_DEPENDENCIES should be used.

654757bcead49427baaeb1b368c0e3433b67c51a 04-Nov-2013 Jan Engelhardt <jengelh@inai.de>

build: fix ordering of linker flags Libraries MUST be specified in LDADD/LIBADD, not LDFLAGS, because LDFLAGS appear earlier in the command line and library order is significant.

f1be4caee5d9681c3f5f6d4b13c8abc8295c901b 30-Oct-2013 Lukas Slebodnik <lslebodn@redhat.com>

Makefile: Remove unused variable TEST_MOCK_OBJ

221619d8e8d7cf269c55482e5f466f6511ed35ad 30-Oct-2013 Lukas Slebodnik <lslebodn@redhat.com>

Makefile: Add missing libraries If sssd is compiled with disabled link_all_deplibs (debian) some tests could not be properly linked. This patch adds missing libraries

1ce58f139699dd26b8888f4131c996263b6a80a5 25-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Add extended access filter https://fedorahosted.org/sssd/ticket/2082 Adds a new option that allows the admin to specify an LDAP access filter that can be applied globally, per-domain or per-forest.

3cbbfb4b05d0eb0a0809704e83589d0075e117a0 25-Oct-2013 Sumit Bose <sbose@redhat.com>

idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping()

939246537b0b9a4af6862c513d3919501ad57d92 25-Oct-2013 Sumit Bose <sbose@redhat.com>

find_subdomain_by_sid: skip domains with missing domain_id

af4ffe1001adcc0a96897e426d26444f07af9aa1 15-Oct-2013 Benjamin Franzke <benjaminfranzke@googlemail.com>

Add CIFS idmap plugin https://fedorahosted.org/sssd/ticket/1534

31ad608192c24eb56cf7a8294f6bfc080893193c 18-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: async request to retrieve master domain info Adds a reusable async request to download the master domain info.

77c0d1f6074059dafd2293f9c42ea0f9d60f8aad 18-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

Add journald support

a473fb88e6015cf0ccbd2e9005c7e6acca18f452 17-Sep-2013 Pavel Březina <pbrezina@redhat.com>

util: add sss_idmap_talloc[_free] Remove code duplication.

b49a7d90708e816120ff88ce5a88fa62b35ff795 16-Sep-2013 Simo Sorce <simo@redhat.com>

util: Use systemd-login to check user sessions Use systemd-login in preference to check if the user is logged in or not. Fall back to the old method if no systemd-login support is available at compile time or if it returns a fatal error, and can't determine the status of the user on its own. This will allow to consider a user really active (in order to reuse or refresh credentials) only if it really is logged into the system, and not just if one of the user's processes is stuck around. Resolves: https://fedorahosted.org/sssd/ticket/2084

701f13b5c8e27bcbfc79e77ce7c76d9f768a448c 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Adding new header for printf formatting macros

a70e88f62e8ba48c5042b881f20ed6586cb135a8 09-Sep-2013 Simo Sorce <simo@redhat.com>

krb5: Use krb5_cc_destroy to remove old ccaches This completely replaces the per-ccache-type custom code to remove old ccaches and instead uses libkrb5 based operations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061

36ccdecd053a9ad88dce86b8c84770dc2aa11d21 09-Sep-2013 Simo Sorce <simo@redhat.com>

tests: Add dlopen test to make sure modules work This tests dlopens and resolves all symbols to make sure there are no missing symbols in our provider modules.

9917c138d9a270deb5820915384fbde751190c2a 09-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

AUTOTOOLS: More robust detection of inotify. We checked only header file "sys/inotify" for detection whether inotify works. Some platforms do not have built in inotify, but contain library, which provides inotify-compatible interface. This patch adds more robust detection of inotify in configuration time and appends linker flags to Makefile if inotify is provided by library.

eaa723b4d06b4c1e588df67bef44a84bbfaebf1a 09-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

AUTOMAKE: Use portable way to link with gettext
Function gettext needn't be included in libc, it can be part of another library. Autotools macro AM_GNU_GETTEXT generates makefile variables (LIBINTL, LTLIBINTL), which contain necessary linker flags.
    checking for GNU gettext in libc... no
    checking for iconv... yes
    checking for GNU gettext in libintl... yes
    checking whether to use NLS... yes
    checking where the gettext function comes from... external libintl

ccf340e56364851f2e5b75e52d3d63701b662954 09-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

AUTOMAKE: Use portable way to link with dlopen

2db6afe70eee2bbc22aa657a6b6609a9f3eb5d4c 09-Sep-2013 Simo Sorce <simo@redhat.com>

Makefile: Fix sssd_be targets The $(PAM_LIBS) variable should be added to LDADD not LDFLAGS

3275c56e7b5dd36d25e0a971bf90c70179f0ab8f 02-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

AUTOMAKE: Add missing escaped newline

1658c567191c35beaddffafdb079abe33248037b 28-Aug-2013 Lukas Slebodnik <lslebodn@redhat.com>

UTIL: Create new wrapper header file sss_endian.h Some platforms have the header file endian.h and others have sys/endian.h. We need to use conditional build to handle it correctly, therefore new header file sss_endian.h was created.

8ca73915a3bf60331468fed6b3b38652c979f95d 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: Move the ldap enum request to its own reusable module The LDAP enumeration was too closely tied to the LDAP identity provider. Because some providers might need special handling such as refresh the master domain record before proceeding with the enumeration itself, this patch splits the request itself to a separate async request and lets the ldap_id_enum.c module only configure this new request. Also move the enum timestamp to sdap_domain to make the enum tracking per sdap domain. The cleanup timestamp will be moved in another patch.

caee9828ee30609e9f433957dbb3d0163390a207 28-Aug-2013 Sumit Bose <sbose@redhat.com>

ipa-server-mode: add IPA group memberships to AD users When IPA trusts an AD domain the AD user or groups can be placed into IPA groups e.g. to put AD users under the control of HBAC. Since IPA group can only have members from the IPA directory tree and the AD users and groups are not stored there a special IPA object called external group was introduced. SIDs of users and groups can be added to the external group and since the external groups are in the IPA directory tree they can be member of IPA groups. To speed things up and to remove some load from the IPA servers SSSD reads all external groups and stores them in memory for some time before rereading the data. Enhances https://fedorahosted.org/sssd/ticket/1962

ac54a88b4b510289a411f334e371282d00e1538d 28-Aug-2013 Simo Sorce <simo@redhat.com>

BUILD: Remove unnecessary patch and configure opts Now that we use the libkrb5 defaults for the default ccname template we do not need the patch that changes the man pages defaults nor the configure options to change sssd defaults anymore. Related: https://fedorahosted.org/sssd/ticket/2036

78395373edc3fcf62847de2c630b656967222901 27-Aug-2013 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Ignore translations when building RPMs When we're running 'make rpms' for development purposes, the nested call to 'make distdir' ends up forcing an update of the translation pot files. With this patch, we'll automatically ignore them during (S)RPM actions.

d35ff4d0db1cd87c94091a85846b46e4732b1eee 07-Aug-2013 Pavel Březina <pbrezina@redhat.com>

add simple access provider init test

48d7840cae22c5ff4d786149b0d8ecee7efb8306 07-Aug-2013 Lukas Slebodnik <lslebodn@redhat.com>

Add script make_srpm.sh to dist tarball.

4b60fd691cc04455810d15da4f7f4044b92b07b3 22-Jul-2013 Alexander Bokovoy <abokovoy@redhat.com>

build: fix dependencies for pysss module https://fedorahosted.org/sssd/ticket/2025

35872dc24058c5e8028cb4082fd405a27835dcd1 19-Jul-2013 Jakub Hrozek <jhrozek@redhat.com>

AD: Set the bool value same as default value in opts https://fedorahosted.org/sssd/ticket/2023 When the option values are copied using dp_opt_copy_map, the .val member is used if it's not NULL. At the same time, the bool options are never NULL, unlike integers or strings that can have special NULL-like values such as NULL_STRING. This effectively means that when copying a bool option, the .val member is always used. But in the AD maps, some .val fields were set differently from the .def_val fields. The effect was that when the AD subdomain provider was initialized from IPA subdomain provider using only the defaults, some options (notably referral chasing) were set to a value that didn't make sense for the AD provider. This patch makes sure that for all boolean option, the .val is always the same as .def_val.

f8a4a5f6240156809e1b5ef03816f673281e3fa0 28-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Initialize server mode ctx if server mode is on This patch introduces a new structure that holds information about a subdomain and its ad_id_ctx. This structure will be used only in server mode to make it possible to search subdomains with a particular ad_id_ctx. Subtask of: https://fedorahosted.org/sssd/ticket/1962

8ff0aba893d8da1a8163ccaf9ad2c5b6bccd121f 28-Jun-2013 Sumit Bose <sbose@redhat.com>

Add ipa_idmap_init() Use the sdap_idmap context for the IPA provider as well. https://fedorahosted.org/sssd/ticket/1961

d064fef06dcbcb5f6c1be03e286b1a3433d6dfd7 28-Jun-2013 Sumit Bose <sbose@redhat.com>

Add cmocka based tests for libsss_idmap This patch implements some unit tests for the recent enhancements to libsss_idmap.

fd98a28d6e94080e52bbedc789b06606a6019b10 12-Jun-2013 Lukas Slebodnik <lslebodn@redhat.com>

Change order of libraries in linking process. It seems that some linkers have a problem with wrong order of libraries. This commit only changes the order.

7b5e7e539ae9312ab55d75aa94feaad549b2a708 10-Jun-2013 Pavel Březina <pbrezina@redhat.com>

providers: refresh expired netgroups https://fedorahosted.org/sssd/ticket/1713

0cf0e2d758d09e9b314ba72ce6638df10b258462 10-Jun-2013 Pavel Březina <pbrezina@redhat.com>

back end: add refresh expired records periodic task https://fedorahosted.org/sssd/ticket/1713 Add new option refresh_expired_interval.

b79e0e50a935d108173ca3062f2afe16103fcb1d 10-Jun-2013 Pavel Březina <pbrezina@redhat.com>

back end: periodical refresh of expired records API https://fedorahosted.org/sssd/ticket/1713

ac47e8854f3bc404f2a35c6682faf621673d6b32 10-Jun-2013 Pavel Březina <pbrezina@redhat.com>

back end: periodic task API https://fedorahosted.org/sssd/ticket/1891

e293fba4f5459f3c2dad254dcc966407d8fc3312 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

rpm: Fold libsss_sudo and libsss_autofs back into the main SSSD package https://fedorahosted.org/sssd/ticket/1845 libsss_sudo and libsss_autofs are separate packages that contain just a single client library with no additional dependencies. This separation comes from the F-17 timeframe where the feature was really just a tech preview so we didn't want it to be packaged in sssd proper. On the other hand users are getting regularly confused about "sudo not working" when all they really miss is the single library. This patch moves the files owned by the libsss_autofs and libsss_sudo packages back to the main sssd package. We also no longer build the libsss_sudo documentation by default and do not ship the header file as it was just a private one.

c51f7a064b0d7ef86110bdeb6dc09fa6c08be7d3 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

Move domain_to_basedn outside IPA subtree The utility function will be reused to guess search base from the base DN of AD trusted domains.

92af6f25864b5c389b57d0f659686801b45ca58c 06-Jun-2013 Sumit Bose <sbose@redhat.com>

Enhance PAC responder for AD users This patch modifies the PAC responder so that it can be used with the AD provider as well. The main difference is that the POSIX UIDs and GIDs are now looked up with the help of the SID instead of being calculated algorithmically. This was necessary because the AD provider allows either algorithmic mapping or reading the value from attributes stored in AD. Fixes https://fedorahosted.org/sssd/ticket/1558

577ba99b3150404533bd3d859522a2c994b17e76 30-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix compilation with disabled link_all_deplibs. From the Debian patch: ># Do not link against deplibs. This is not needed for shared libs ># on at least ELF systems since those already know which libs they ># need themself. This seems to break a few things and will be fixed ># in a better way in a future upstream version. Overlinking has several issues. An obvious one is performance on startup, a more serious is if one of the lib deps changes soname of something it links against, and you could load two versions to the memory at the same time.. This patch changes dependencies among libsss_util and libsss_child, libsss_crypt, libsss_debug. Library libsss_util no longer depends on any internal library. Each program, which was linked with libsss_util, now directly link necessary libraries (libsss_child, libsss_crypt, libsss_debug) https://fedorahosted.org/sssd/ticket/1928

76637e7a0309e8eb64cd35953fa4a8de39dce218 30-May-2013 Jakub Hrozek <jhrozek@redhat.com>

tests: Link fqnames_tests with libsss_test_common.la

777374243e15c53e7b0a7345e190c1018920be18 30-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Allow flat name in the FQname format https://fedorahosted.org/sssd/ticket/1648 Adds another expansion in the printf format that allows the user to use the domain flat name in the format.

d65f692d7b7639ed8ba0f5cffa4f88b68056739a 30-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Making order in tests. --removed duplicated test-io --reusing library libsss_test_common in other tests --cmocka test sss_nss_idmap-tests was moved to cmocka dir --moved leak_check.c to libsss_test_common --moved common_tev.c,common_dom.c to libsss_test_common (leak_check.c,common_tev.c,common_dom.c) are test framework independent

071962f5cb3bd8ddf33210640ff62c04f09ce5c3 23-May-2013 Stephen Gallagher <sgallagh@redhat.com>

Remove old hash support from example spec SSSD 1.10 and later will no longer support RHEL 5, so we should be using the native hash algorithm on the newer versions of RPM by default.

574a1c20f114851071ae74112b34488c3d1aeeb3 21-May-2013 Ondrej Kos <okos@redhat.com>

Check NSCD configuration file https://fedorahosted.org/sssd/ticket/1785 nscd.conf file is now checked for the presence of caching settings for databases controlled by SSSD. Syslog warning is now written only if NSCD is running with interfering configuration or if configuration file couldn't be loaded. New configure option added to support non-standard locations --with-nscd-conf=PATH (defaultly set to /etc/nscd.conf) This is just a workaround until the following bugzilla is resolved: https://bugzilla.redhat.com/show_bug.cgi?id=963908

db78f4c750943fcd4b60bca5f3fdfd6cc5d3d4f8 21-May-2013 Ondrej Kos <okos@redhat.com>

Move nscd.c from tools to util Preparation for the following patch which will include the nscd.c in the monitor code due to newly introduced function for checking the nscd configuration file.

2fa8d6655ac37f9bdeb34420000052d921f4a543 14-May-2013 Michal Zidek <mzidek@redhat.com>

Rename SAFEALIGN macros. https://fedorahosted.org/sssd/ticket/1772 SAFEALIGN macros have been renamed in this patch to make it easy to pick the right macro when data is copied from byte buffer to a variable or vice versa. The renamed macros are placed in new header file to avoid code duplication (the old ones were defined in two files, one for the client code and one for the rest of sssd).

4cdaf239d4504966bed8ecd5e3fa07def74c7302 07-May-2013 Sumit Bose <sbose@redhat.com>

AD: read flat name and SID of the AD domain For various features either the flat/short/NetBIOS domain name or the domain SID is needed. Since the responders already try to do a subdomain lookup when and known domain name is encountered I added a subdomain lookup to the AD provider which currently only reads the SID from the base DN and the NetBIOS name from a reply of a LDAP ping. The results are written to the cache to have them available even if SSSD is started in offline mode. Looking up trusted domains can be added later. Since all the needed responder code is already available from the corresponding work for the IPA provider this patch fixes https://fedorahosted.org/sssd/ticket/1468

74e95cfd9d3939dfe9417d79d2f6fc79b361405f 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Active Directory dynamic DNS updates https://fedorahosted.org/sssd/ticket/1504 Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.

5a4239490c7fb7d732180a9d40f27f0247c56631 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

dyndns: new option dyndns_refresh_interval This new options adds the possibility of updating the DNS entries periodically regardless if they have changed or not. This feature will be useful mainly in AD environments where the Windows clients periodically update their DNS records.

04868f1573f4b26ef34610b6d7069172f93bd8ab 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Convert IPA-specific options to be back-end agnostic This patch introduces new options for dynamic DNS updates that are not specific to any back end. The current ipa dyndns options are still usable, just with a deprecation warning.

9cb46bc62f22e0104f1b41a423b014c281ef5fc2 03-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Refactor dynamic DNS updates Provides two new layers instead of the previous IPA specific layer: 1) dp_dyndns.c -- a very generic dyndns layer on the DP level. Its purpose is to make it possible for any back end to use dynamic DNS updates. 2) sdap_dyndns.c -- a wrapper around dp_dyndns.c that utilizes some LDAP-specific features like autodetecting the address from the LDAP connection. Also converts the dyndns code to new specific error codes.

c080a11e9e88f35e40aff4e476cabbd971833019 03-May-2013 Sumit Bose <sbose@redhat.com>

Add python interface to libsss_nss_idmap To allow to use libsss_nss_idmap from python applications, e.g. the FreeIPA server, the patch adds python bindings to libsss_nss_idmap. The contributed spec file will place the python bindings in a new package called libsss_nss_idmap-python. Alexander Bokovoy <abokovoy@redhat.com> kindly provided the code to check the type of the python objects and loop over the list entries.

2a9af1f71887f02935e2fb6ad5023afba5b6d43e 03-May-2013 Sumit Bose <sbose@redhat.com>

Add client library for SID related lookups This patch adds a library for client side lookups for a SID or with a SID through the calls: - sss_nss_getsidbyname - sss_nss_getsidbyid - sss_nss_getnamebysid - sss_nss_getidbysid The library is called libsss_nss_idmap and the contributed spec file will create two new packages libsss_nss_idmap and libsss_nss_idmap-devel.

6eadbf9dab2ad9a9463dc23e91c9e2fc804c1e9b 03-May-2013 Sumit Bose <sbose@redhat.com>

Add SID related calls to the NSS responder The patch adds 4 new calls to the NSS responder: - SSS_NSS_GETSIDBYNAME - SSS_NSS_GETSIDBYID - SSS_NSS_GETNAMEBYSID - SSS_NSS_GETIDBYSID to either return the SIDs of the requested object or map the SID to the name or the POSIX ID of the related object.

b24e4bec819b29f1ec8e77083d4e7610c5dd9c77 03-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

SUDO: IPA provider This patch added auto configuration SUDO with ipa provider and compat tree. https://fedorahosted.org/sssd/ticket/1733

25255e4d0e1517a5d443e8fee22e91862e255702 02-May-2013 Abhishek Singh <abhishekkumarsingh.cse@gmail.com>

Fix segmentation fault in test_io. tests_set_cwd is used and relativepath calculation method is changed and is made general based on basedir.

f427b36b0cecc426856ab3f77a9c684ac355659d 02-May-2013 Sumit Bose <sbose@redhat.com>

Add idmap context to nss context This allows the nss responder to use libsss_idmap to convert between different SID representations.

a679f0167b646cffdae86546ed77e105576991b0 02-May-2013 Pavel Březina <pbrezina@redhat.com>

DNS sites support - add AD SRV plugin https://fedorahosted.org/sssd/ticket/1032

46222e5191473f9a46aec581273eb2eef22e23be 29-Apr-2013 Michal Zidek <mzidek@redhat.com>

libsss_idmap: function to calculate range Calculation of range for domains is moved from sdap_idmap code to sss_idmap code. Some refactoring has been done to allow this move. https://fedorahosted.org/sssd/ticket/1844

7de6e3534fd61c7619ed34a6b1afe7230b5e6504 26-Apr-2013 Ondrej Kos <okos@redhat.com>

DB: Switch to new libini_config API https://fedorahosted.org/sssd/ticket/1786 Since we need to support the old interface as well, the configure script is modified and correct ini interface is chosen.

97bc9a1db9730f8a1875a62670c1a11a4c5e0844 22-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

tests: Link the simple access tests with -ldl In SSSD, we use dlopen() and dlsym() in two files src/providers/data_provider_be.c and src/providers/proxy/proxy_init.c. Hence we should explicitly link with -ldl also in simple_access-tests. SSSD can be compiled with two crypto libraries nss or libcrypto. NSS has dependency nspr which depends on "libdl and libpthread" This is a reason why compilation of test did not fail even if -ldl was not explicitly added to simple_access_tests_LDADD. But libcrypto doesn't depend on libdl, so in this case compilation of tests will not be successful. Upstream nspr 4.9 has two ways to obtain metainformation about libraries: pkg-config and own script nspr-config. First one doesn't list "-ldl" "-lpthread" but second one lists both "-ldl" "-lpthread" That's also why the Ubuntu maintainer found this bug -- Fedora has got patched version of nspr, but Debian (Ubuntu) doesn't

4139a7a731f2831963a42b26aac111422be28792 17-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

Make leak checks usable in tests that do not utilize check * Remove check-specific failure reporting from common_check.c * Check-specific abstraction over memleak checks * Rename common_check.c to leak_check.c

88275cccddf39892e01682b39b02292eb74729bd 10-Apr-2013 Pavel Březina <pbrezina@redhat.com>

DNS sites support - add IPA SRV plugin https://fedorahosted.org/sssd/ticket/1032

77d165f0629966db65753a3aee84a8b4971673af 10-Apr-2013 Pavel Březina <pbrezina@redhat.com>

DNS sites support - SRV DNS lookup plugin https://fedorahosted.org/sssd/ticket/1032 This plugin mimics the current behaviour. If discovery_domain is set it is the only domain that is tried. If discovery_domain is not set, we try to autodetect domain first and if that fails or SRV lookup on this domain fails, we fallback to SSSD domain name.

f9961e5f82e0ef474d6492371bfdf9e74e208a99 10-Apr-2013 Pavel Březina <pbrezina@redhat.com>

DNS sites support - SRV lookup plugin interface https://fedorahosted.org/sssd/ticket/1032 Introduces two new error codes: - ERR_SRV_NOT_FOUND - ERR_SRV_LOOKUP_ERROR Since id_provider is authoritative in case of SRV plugin choice, ability to override the selected plugin during runtime is not desirable. We rely on the fact that id_provider is initialized before all other providers, thus the plugin is set correctly.

ca261795ce61c41d7e62217ccb2ee913923040ff 10-Apr-2013 Pavel Březina <pbrezina@redhat.com>

resolv: add resolv_get_domain request to resolv utils

ae6c1596225c65bec2a2dabff9eee4e3e0691181 10-Apr-2013 Abhishek Singh <abhishekkumarsingh.cse@gmail.com>

cmocka unittest for io added

a65a64aee968bd2ac18156ced15a1e2509a8acba 10-Apr-2013 Abhishek Singh <abhishekkumarsingh.cse@gmail.com>

cmocka unittest for find_uid added

584eda085e83a428f2c39dadf0d7adeaff5c87f4 03-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

Init failover with be_res options

755aee449c6311518200c2f11c1aae329a19b038 02-Apr-2013 Pavel Březina <pbrezina@redhat.com>

refactor nested group processing: replace old code https://fedorahosted.org/sssd/ticket/1784

8c294c1cd4d721818a59684cf7f2b36123f79163 20-Mar-2013 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Always run distcheck and RPM tests in /dev/shm Some of the tests (such as the sysdb tests) are highly I/O limited. By running them on a ramdisk, we can significantly speed up the test runs when doing a distcheck or RPM build. https://fedorahosted.org/sssd/ticket/1840

fae99bfe4bfc8b4a12e9c2a0ad01b3684c22f934 20-Mar-2013 Simo Sorce <simo@redhat.com>

ldap: Fallback option for rfc2307 schema Add option to fallback to fetch local users if rfc2307 is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020

c0bca1722d6f9dfb654ad78397be70f79ff39af1 19-Mar-2013 Jakub Hrozek <jhrozek@redhat.com>

Resolve GIDs in the simple access provider Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX

3a4186ae40d0c3b7be46a4c973166f6048fcfe38 18-Mar-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix sss_client breakage. Adding missing dependencies for linker. Missing dependency was introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a in changed file src/sss_client/nss_mc_common.c All function declarations for io.c were moved from util.h to separate file io.h. https://fedorahosted.org/sssd/ticket/1838

7c0f319813a13723ebe8dc85b004565b63d5e44d 13-Mar-2013 Lukas Slebodnik <lslebodn@redhat.com>

Removing unused header file providers.h Header file "providers.h" is not included in any other file and function "dp_process_init" declared in this header file has no implementation. Header file protos.h is also not included in any other file and even whole content is commented out.

22d381367c27910fe82f476a76b9f4ede555e35a 13-Mar-2013 Lukas Slebodnik <lslebodn@redhat.com>

Reuse sss_open_cloexec at other places in code. Functions open_cloexec and openat_cloexec were renamed with prefix "sss_" and moved to separate file. Replacing duplicated code of function sss_open_cloexec everywhere in the source code. https://fedorahosted.org/sssd/ticket/1794

8359bf07a2e6c0181251ce8d5d9160dc57546c55 13-Mar-2013 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Fix up whitespace in Makefile.am

50fe3d79ab12b795a687b676761bef265701626a 11-Mar-2013 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Fix cmocka detection We were not properly detecting that cmocka was unavailable. It was expecting an empty value and getting "no" instead. This patch corrects the expectation, so we will now skip building and running cmocka tests on platforms that do not have it available. Also, we were missing the cmocka header files in the distribution tarball, so 'make distcheck' was failing.

150b76e13b7c4f3ccf1d709bf517ca2af6b2c9a2 08-Mar-2013 Jakub Hrozek <jhrozek@redhat.com>

CMocka based test for the NSS responder

6a6a821866091e0f722808566c25b951aa346d7c 07-Mar-2013 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Include build aliases in the tarball

8bcabb97d988d1602882a1f036aac2eaf5e09234 04-Mar-2013 Simo Sorce <simo@redhat.com>

Add SSSD specific error codes and definitions This code adds a new range of error codes specific to SSSD. It also provides helper functions to print out error definitions like you can do with system error messages and the strerror() function. The sss_strerror() function can accept both the new sssd errors and system errno_t errors falling back to the system strerror() if the error code provided is not a valid SSSD error code.

96453f402831275a39d5fb89c33c9776e148d03f 01-Mar-2013 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Build shared components as an internal shared library There is a large amount of duplicated code being linked into multiple SSSD binaries. Instead of statically linking this code throughout the SSSD, we should instead create private shared libraries for them and drop this code on the system only once.

fa551077410019fb34460dc730950e93b62b2963 04-Feb-2013 Jakub Hrozek <jhrozek@redhat.com>

Don't use srcdir with tests Fixes build with automake 1.13 or newer.

8e5549e453558d4bebdec333a93e215d5d6ffaec 21-Jan-2013 Simo Sorce <simo@redhat.com>

Introduce be_req_terminate() helper Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.

225d845476b6136be9b77f528ed986bba7a7f732 21-Jan-2013 Simo Sorce <simo@redhat.com>

Split simple_access_check function out Need to split out the function or new additions to the handler function will not allow simple access tests to compile anymore.

7a468783159880f81f7cd9270ee94bf0954d6a56 21-Jan-2013 Simo Sorce <simo@redhat.com>

Move ldap provider access functions It was confusing to see the ldap provider own handler mixed with the generic ldap access code used also by the ipa and ad providers. So move the ldap provider handler code in its own file.

2c0a971010596c122d7a0c0d76c8eb85f16f6d06 15-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

TOOLS: Refresh memcache after changes to local users and groups

543676afec3c08fdc0a5a794976adc8dfdca974b 15-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

TOOLS: Split querying nss responder into a separate function The tools query the responder in order to sync the memcache after performing changes to the local database. The functions will be reused by other tools so I split them into a separate functions.

82dc11348718bf8e2ff07da696f91f6703293c24 15-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

TOOLS: move memcache related functions to tools_mc_utils.c The upcoming patches will link only users of this file with client libs, so it's better to have it separate. There is no functional change in this patch

64af76e2bef2565caa9738f675c108a4b3789237 10-Jan-2013 Simo Sorce <simo@redhat.com>

Change pam data auth tokens. Use the new authtok abstraction and interfaces throughout the code.

918b2a5a91f1c551d48f4bffed2a28c36fdb4be1 10-Jan-2013 Simo Sorce <simo@redhat.com>

Add authtok utility functions. These functions allow handling of auth tokens in a completely opaque way, with clear semantics and accessor functions that guarantee consistency, proper access to data and error conditions.

34f64327316a7dafbac593bd9e507aa628a3339b 08-Jan-2013 Sumit Bose <sbose@redhat.com>

Add tests for get_gids_from_pac()

e850be1ff2e13bba9812c94c3d102c0a0b570820 18-Dec-2012 Jakub Hrozek <jhrozek@redhat.com>

Add responder_sbus.h to noinst_HEADERS

a9eff330a7fbd231e8cc28a6828a1e5014ddb0d2 13-Dec-2012 Michal Zidek <mzidek@redhat.com>

tools: sss_userdel and groupdel remove entries from memory cache https://fedorahosted.org/sssd/ticket/1659

4f73493faddae72d4e5f5b072a14b30ce475cc9c 04-Dec-2012 Timo Aaltonen <timo.aaltonen@canonical.com>

link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread There used to be an overlinked dependency that's gone now, so to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS. v2: Fix sss_ssh_authorizedkeys linking as well.

42870c7ac3608ffc58f2c9524ad3dfc1401bc1aa 02-Dec-2012 Pavel Březina <pbrezina@redhat.com>

avoid versioning libsss_sudo

7452f1b637276ce582b120f8f5482ae7f3b6bd47 12-Nov-2012 Jakub Hrozek <jhrozek@redhat.com>

Include the auth_utils.h header in the distribution

0a55f903a1da319338fdcf147efa01ed22f9710d 06-Nov-2012 Michal Zidek <mzidek@redhat.com>

util: Added new file util_lock.c

dca03a97f4e1532ee2f2cbd26b1538ab6ccf18f7 26-Oct-2012 Sumit Bose <sbose@redhat.com>

krb5_child: send PAC to PAC responder If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is sent to the pac responder for evaluation.

fc1a05ca545806ff784921c6751129c3d93d27af 12-Oct-2012 Jakub Hrozek <jhrozek@redhat.com>

Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo

00516601e579f2ae4a287332966860cb0af152f9 01-Oct-2012 Stephen Gallagher <sgallagh@redhat.com>

BUILD: Include the patch file in the tarball

a3d176d116ceccd6a7547c128fab5df5cdd2c2b6 04-Sep-2012 Michal Zidek <mzidek@redhat.com>

Adding -std=gnu99 flag.

d60a79f0060764929037c18b0f75953a34f7a58e 28-Aug-2012 Jakub Hrozek <jhrozek@redhat.com>

RPM: Switch the default ccache location https://fedorahosted.org/sssd/ticket/1500

86b61156743b7ebdc049450a6f88452890fd9a61 27-Aug-2012 Jakub Hrozek <jhrozek@redhat.com>

Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client https://fedorahosted.org/sssd/ticket/1460

41be4e3976cf66823ad2c6880671ac7fbafdc640 23-Aug-2012 Pavel Březina <pbrezina@redhat.com>

Clean up cache on server reinitialization https://fedorahosted.org/sssd/ticket/734 We successfully detect when the server is reinitialized by testing the new lastUSN value. The maximum USN values are set to zero, but the current cache content remains. This patch removes records that were deleted from the server. It uses the following approach: 1. remove entryUSN attribute from all entries 2. run enumeration 3. remove records that don't have entryUSN attribute updated We don't need to do this for sudo rules, they will be refreshed automatically during next smart/full refresh, or when an expired rule is deleted.

60e51fd2764291df2332f36ff478777627d92b57 15-Aug-2012 Sumit Bose <sbose@redhat.com>

Add python bindings for murmurhash3

71e7918be3ca5d38794a16a17f6b4f19a24d51fc 03-Aug-2012 Pavel Březina <pbrezina@redhat.com>

tests: build sysdb ssh tests conditionally

7197ce636c2b92152f5f6180bef6bda3752d148d 01-Aug-2012 Jakub Hrozek <jhrozek@redhat.com>

Create a domain-realm mapping for krb5.conf to be included When new subdomains are discovered, the SSSD creates a file that includes the domain-realm mappings. This file can in turn be included in the krb5.conf using the includedir directive, such as: includedir /var/lib/sss/pubconf/realm_mappings

6ea6ec5cb7d9985e2730fb9d4657624d10aed4d8 01-Aug-2012 Nick Guay <nguay@redhat.com>

First-boot sss_seed tool

25f8fac2489fd209d603acb2b494f7c72968e9bb 01-Aug-2012 Michal Zidek <mzidek@redhat.com>

Added unit test for sysdb_ssh.c

300c772767c1b12077cac1d148ac89738b058f97 27-Jul-2012 Jan Zeleny <jzeleny@redhat.com>

Write SELinux config files in responder instead of PAM module

2de495aed26bf75a750a76ca73b9f85d341fe1c5 27-Jul-2012 Pavel Březina <pbrezina@redhat.com>

tests: allow changing cwd in all tests

38e2ec1c757955ab557fd95807afa58042d09482 27-Jul-2012 Jan Zeleny <jzeleny@redhat.com>

Renamed session provider to selinux provider

2d257ccf620ce1b611f89cec8f0a94c88c2f2881 10-Jul-2012 Sumit Bose <sbose@redhat.com>

pac responder: limit access by checking UIDs A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382

03532fb1cbb7e8c1d5cf2e93aa3719f926631cab 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add manpages and SSSDConfig entries

a4cce2c98eedecb5d3b47da62104634cae268434 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add AD access-control provider This patch adds support for checking whether a user is expired or disabled in AD.

effcbdb12c7ef892f1fd92a745cb33a08ca4ba30 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

AD: Add AD identity provider This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.

3441d0c2d11aea0c39b009751a1898333c009674 06-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

KRB5: Create a common init routine for krb5_child options This will reduce code duplication between the krb5, ipa and ad providers

5f73b623fc72e3b9b3590420825f30e618b4d4dd 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo ldap provider: load host filter configuration on init We need to load host information during provider initialization. Currently it loads only values from configuration files, but it is implemented as an asynchronous request as it will later try to autodetect these settings (which will need to contact DNS).

c407643004a02566e35a864ba0d8b0c0f88d9d67 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo ldap provider: add new timer API

44bff89750c5451112d4ef7a10b6d9d0c8442f85 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo provider: remove old timer

0ca19d792b717456f334abdf35279acddf6d71c2 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo ldap provider: move async routines to sdap_async_sudo.c

b95c6b5485eee5f45f62f87df77c9178857d625e 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: discard in-memory cache

7d2700f7a781d894fab8d846e872b2c6c35d0145 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

libsss_sudo: bump version to 2:0:1

e5e8252ec48bfdd4e7529debc705c8e090264b9a 25-Jun-2012 Sumit Bose <sbose@redhat.com>

Build pac responder tests only if pac responder is built

386a66b1aa18a176e6a06fa126556c9590c373b6 21-Jun-2012 Sumit Bose <sbose@redhat.com>

Add support for ID ranges

90fd1bbd6035cdab46faa3a695a2fb2be6508b17 21-Jun-2012 Sumit Bose <sbose@redhat.com>

PAC client: add krb5 authdata plugin

33f8decd07d4364a7bfbb051e8dc2da2424b0d01 21-Jun-2012 Jan Zeleny <jzeleny@redhat.com>

PAC responder: test suite

e3f0014bb64b7e93979948936cf93cf869d3dc44 21-Jun-2012 Jan Zeleny <jzeleny@redhat.com>

PAC responder: add some utility functions

b9e5bd09a5ff7009537a18914dbebcf10498f592 21-Jun-2012 Sumit Bose <sbose@redhat.com>

PAC responder: add basic infrastructure This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.

fd8595874aa06c8057740001ec465ba76b4af142 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Add a credential cache back end structure To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.

f232789430a080384188d5da89b19d874cf17513 14-Jun-2012 Jakub Hrozek <jhrozek@redhat.com>

Add a krb5_child test tool https://fedorahosted.org/sssd/ticket/1127

d42d371c00c83ae44b9d1c3e88ecbe0e01b112e6 13-Jun-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Add support for AD chain matching extension in initgroups

97ae45d61d921f07e812620e0156aee02b7b83a7 13-Jun-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Add support for AD chain matching extension in group lookups

f1ce53a3b5656361557f80f61dfd42a371230c65 31-May-2012 Stephen Gallagher <sgallagh@redhat.com>

SSSDConfig: Make default config and schema file locations configurable https://fedorahosted.org/sssd/ticket/1008

1467daed400d6c186bd0c99c057c42e764309ff3 31-May-2012 Stephen Gallagher <sgallagh@redhat.com>

SSSDConfig: Make SSSDConfig a package We were polluting the primary Python space with several dependencies. We will now install them their own directory/module.

f39b4b2fd57c0ea4cf2f90b511f2cbce37723ef0 14-May-2012 Sumit Bose <sbose@redhat.com>

Fix libsss_hbac library version

c51a204a40b8f85f7f525edb3e24520916d8b9c7 14-May-2012 Sumit Bose <sbose@redhat.com>

Rename struct dom_sid to struct sss_dom_sid To avoid conflicts with struct dom_sid used by samba the sss_ prefix is added to the struct used by libsss_idmap.

d248b68f90e60a1dd1cca1f694cc51bc3007c8b1 11-May-2012 Jan Engelhardt <jengelh@inai.de>

build: resolve link failure libtool: link: gcc -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Werror-implicit-function-declaration -fno-strict-aliasing -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -Wl,--version-script -Wl,./src/providers/sssd_be.exports -o sssd_be src/providers/data_provider_be.o src/providers/data_provider_fo.o src/providers/data_provider_opts.o src/providers/data_provider_callbacks.o src/providers/fail_over.o src/resolv/async_resolv.o -Wl,--export-dynamic -lpam -lcares ./.libs/libsss_util.a -ltevent -ltalloc -lpopt -lldb -ldbus-1 -lpcre -lini_config -lcollection -ldhash -llber -lldap -ltdb -lunistring -lcrypto /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: src/providers/data_provider_be.o: undefined reference to symbol 'dlsym@@GLIBC_2.2.5' /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: note: 'dlsym@@GLIBC_2.2.5' is defined in DSO /lib64/libdl.so.2 so try adding it to the linker command line /lib64/libdl.so.2: could not read symbols: Invalid operation collect2: error: ld returned 1 exit status make[2]: *** [sssd_be] Error 1 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

ae8d047122c7ba8123f72b2eac68944868ac37d4 10-May-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Handle very large Active Directory groups Active Directory 2008R2 allows only 1500 group members to be retrieved in a single lookup. However, when we hit such a situation, we can take advantage of the ASQ lookups, which are not similarly limited. With this patch, we will add any members found by ASQ that were not found by the initial lookup so we will end with a complete group listing. https://fedorahosted.org/sssd/ticket/783

505e75ba28b42bb3de7a6d55de825091b70cc2b2 03-May-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Add helper routines for ID-mapping

817b1bcafff27cc67630dd0cbd36df708c05fccc 03-May-2012 Stephen Gallagher <sgallagh@redhat.com>

SYSDB: Add sysdb routines for ID-mapping

b42b5d5aaf4da165582e73ad985fdff6e34e61e4 03-May-2012 Jakub Hrozek <jhrozek@redhat.com>

SSH: Add dp_get_host_send to common responder code Instead of using account_info request, creates a new ssh specific request. This improves code readability and will make the code more flexible in the future. https://fedorahosted.org/sssd/ticket/1176

b6dfbf81c61d4431aaa81687ec53e892f8b71edb 01-May-2012 Sumit Bose <sbose@redhat.com>

Allow different SID representations in libidmap Besides as strings it is now possible to use binary SIDs or a struct containing all SID information. Functions to convert between these formats are added as well.

b35f20cd8ecdc8308a3201e55752fb0443ec6ae4 24-Apr-2012 Jan Cholasta <jcholast@redhat.com>

UTIL: Add HMAC-SHA-1 function

881c4ba834b23ae651ac01db667801f314eb0a5d 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Add ID operations in subdomains

36a12aea020a935ffa40505fa02860c3d921ad0c 24-Apr-2012 Sumit Bose <sbose@redhat.com>

Add s2n extended operation

29be7d76c949b82350c7603cfd362a1fcb47eb1b 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Moved expand_homedir_template() from NSS responder to utility code

81165faf5d951aca69f410713730c26ff048ec44 24-Apr-2012 Sumit Bose <sbose@redhat.com>

IPA: Add get-domains target

c0f9698cd951b7223f251ff2511c4b22a6e4ba60 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Responder part of the subdomain retrieval work

20d0bc6d587f346238062df4da5edfde815e59b1 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Add some utility functions for subdomains

e76d78338026fa47dca32eaf7f5c15eabb1b951a 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Sysdb routines for subdomains

2b7349575770521243a34611e97d73790946a961 20-Apr-2012 Stephen Gallagher <sgallagh@redhat.com>

Fix linker issue with pam_sss

374bf54785365273b20690bd3792c25a44738041 20-Apr-2012 Pavel Březina <pbrezina@redhat.com>

Install and uninstall all documentation Every directory listed in SSSD_DOCS in Makefile.am will be installed as documentation.

9d7d4458d94d0aac0a7edf999368eb18f89cb76a 20-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Convert read and write operations to sss_atomic_read https://fedorahosted.org/sssd/ticket/1209

9959c512ac3ba36f7a0db7614f0357ce0bae748f 20-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Move atomic io function to a separate module We'll be using it in various places of the SSSD. The function is in its own file to allow using just the one piece without having to drag in the whole util.c module.

65e8f538ad35ba7d86cd9e60a3d86aec34537027 28-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

Put dp_option maps in their own file There is no functional change due to this patch.

92ae9d2b909d0fd4a522a270157926878b5d0862 28-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

BUILDSYS: Create common libs for LDAP and KRB5 sources This will eliminate the need for automake to build these files for each backend that consumes LDAP and KRB5 functionality (currently 'ldap', 'krb5' and 'ipa'; soon to include 'ad')

a6098862048d4bb469130b9ff21be3020d6f2c54 27-Mar-2012 Sumit Bose <sbose@redhat.com>

Add idmap library

10eae23e2483733d4ca3c21f15b5bdb3f04c9839 19-Mar-2012 Simo Sorce <simo@redhat.com>

sss_client: shared memory cache group map support

1171986bdc3011555c5b62a9d9ee9f7481f48cdc 19-Mar-2012 Simo Sorce <simo@redhat.com>

sss_client: shared memory cache passwd map support

5f216c753dbd2f2b25a011c5f705ee4f8ad924e6 19-Mar-2012 Simo Sorce <simo@redhat.com>

sss_client: Add common shared memory cache utils

eb2e21b764d03544d8161e9956d7f70b07b75f77 19-Mar-2012 Simo Sorce <simo@redhat.com>

nsssrv: shared memory cache server initialization

5f90993426fa2bdc3b3d994c9e85e0805bb92bbc 19-Mar-2012 Simo Sorce <simo@redhat.com>

util: Helper headers for shared memory cache

bd03e67c9d2fc4ad0275e7a573385ee5b7b9307a 15-Mar-2012 Jan Cholasta <jcholast@redhat.com>

SSH: Allow clients to explicitly specify host alias This change removes the need to canonicalize host names on the responder side - the relevant code was removed.

d10350e1854cd2156567f058f5a76041994e7f2b 09-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

IPA: Check nsAccountLock during PAM_ACCT_MGMT https://fedorahosted.org/sssd/ticket/1227

cc751fbea9f05c7ce151f4c82afb6585d4b846bb 08-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

Properly terminate GIT_CHECKOUT Accidentally removed the endif in the patch removing 'make experimental-rpms'

a098b26a2a902cfb2968ca44604f61bf000d8413 08-Mar-2012 Stephen Gallagher <sgallagh@redhat.com>

Build experimental features by default in RPMs

b97595ae059c69b1960a6e7e56d74660388a683b 29-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Fix the script path

bbb85a2014a200c7a8088cf33a1ddaff75d6655d 29-Feb-2012 Stephen Gallagher <sgallagh@redhat.com>

Fix typo in script name

69437be53a76d2a73b24a97cacd85ad1c0ed103b 28-Feb-2012 Stephen Gallagher <sgallagh@redhat.com>

Include the debug_level upgrade tool in the tarball

a836d70ad64013ec1d407388a9416ecb3d1cc992 27-Feb-2012 Jan Cholasta <jcholast@redhat.com>

SSH: Replace blocking getaddrinfo call in the responder with asynchronous resolver code

748ba184db97b7534254f97018fa04e8aa458fae 27-Feb-2012 Jan Cholasta <jcholast@redhat.com>

SSH: Refactor responder and client common code

8d821f0508f495deb376617c165cbcbf396a058a 23-Feb-2012 Simo Sorce <simo@redhat.com>

pam_sss: keep selinux optional Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

620033ce66f4827be9d508c77483fab0270d9869 07-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: IPA provider

e124844907ed6973915e4d56f5442ecd07535a12 07-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

Make sudo installation path configurable, install into libdir by default

9a3e40dc49c1e38bf58e45be5adff37615f3910b 07-Feb-2012 Jan Cholasta <jcholast@redhat.com>

SSH: OpenSSH known_hosts client

558998ce664055a75595371118f818084d8f2b23 07-Feb-2012 Jan Cholasta <jcholast@redhat.com>

SSH: OpenSSH authorized_keys client

347f7c4d1e8e83fc7ffcaf9524a67e8b3ad5d7c5 07-Feb-2012 Jan Cholasta <jcholast@redhat.com>

SSH: Common client code

e7311aec8d691e5427317442387af1bc8fff3742 07-Feb-2012 Jan Cholasta <jcholast@redhat.com>

SSH: Responder

1a7d1977037864e52858058777af8ff8401547dd 07-Feb-2012 Jan Cholasta <jcholast@redhat.com>

IPA: Add host info handler

c7919a4fe41133cc466aa3d9431bfceee5784e7b 07-Feb-2012 Jan Cholasta <jcholast@redhat.com>

UTIL: Provide base64 encoding and decoding functions

1a853121ca2ba8ede6df429ee76942131ffb0f65 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Session target in IPA provider

ad07ed37b6b51ef134d4524edaf2259e19ac984f 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Separate the host-retrieval code from IPA HBAC to common IPA code

264bbfed9f2cdb05d9e017e9e3307f37edb4c1da 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

SELinux support in PAM module

4c11f752e1f10cf5740d53a3206bb795e9e34fe8 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Added some SELinux-related sysdb routines

823a5b3f4375f12b6edae4dd5169ee01771baebe 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Added some SELinux-related utility functions

213ce2a78b1abe3921d8dc13c949a28130d00aec 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Add support for generic IPA config retrieval

71ad247500b417836a1a2edec257a4433a7c415f 06-Feb-2012 Jan Zeleny <jzeleny@redhat.com>

Implemented support for multiple search bases in HBAC rules and services

cc84fd46f356c4a36a721ab135a33ec77c93e34d 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: LDAP provider

9e80079370ff3b943832adc3c5ef430e64be0a0c 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: responder

6e8238868a4d17030bb4f01494961d0354a953bf 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: a command-line test client A very simple binary that can be used to test getting data from the library via SSSD in pretty much the same way SSSD would. A required positional parameter specifies the map name and the tool would print out all the key/value pairs using _sss_getautomntent_r(). You can also specify -n to query a specific key using _sss_getautomntbyname_r().

2cbdd12983eb85eddb90f64cfafb24eae5b448f4 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: a client library This is the library the autofs client is using. automounter dlopen()s the library so there is no header file, no pkgconfig file and the library is in the libsss_autofs package, not in -devel. The library provides the following interface:
* _sss_setautomntent() - select the map for processing
* _sss_getautomntent_r() - iterates through key/value pairs in the selected map. The key is usually the mount point, the value is mount information (server:/export)
* _sss_getautomntbyname_r() - returns value for a specific key.
* _sss_endautomntent() - deselect a map, clean up

1f1e6cbc59868f06dee3ab4b3df660fcb77ce1c8 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

AUTOFS: sysdb interface

c636315472e4f87313af7be30b7fbcad4b8ca8a4 04-Feb-2012 Stephen Gallagher <sgallagh@redhat.com>

Build all experimental features during 'make distcheck'

41ef946f3f74a46b9e26118116e4811e259b30ef 04-Feb-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - in-memory cache in responder New sudo responder option: cache_timeout https://fedorahosted.org/sssd/ticket/1111

ca73004be606fe1a3003f2bc82eede4945fd0f08 31-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

IPA: Add support for services lookups (non-enum)

796463906a54e259bd5b582ce84af4297a58eafc 31-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

LDAP: Add support for service lookups (non-enum)

f660877b38e563c4aa0cb1431624069808873fec 31-Jan-2012 Jakub Hrozek <jhrozek@redhat.com>

SUDO: Provide documentation for the SUDO API

2a552e43581c74f51205c7141ec9f6e9542509f8 31-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

SSSDConfigAPI: Move sssd.api.* to /usr/share/sssd https://fedorahosted.org/sssd/ticket/1158

aec5785126354bd8b192f63fe04ea08dae9c0705 27-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

PROXY: add support for service lookups (non-enumeration)

8c3a4809b3420657289b42f028a1c9019b112991 27-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add getservbyname and getservbyport support to the NSS Responder

cc7ee57f3adada83ac657e69636ca995d5b6948e 27-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add client support for services (non-enumeration)

4c1bf6607060cea867fccf667063c028dfd51e96 27-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

SYSDB: Add sysdb routines for manipulating service entries

dfea410202f366924f32662a91331660f1c143bb 18-Jan-2012 Jakub Hrozek <jhrozek@redhat.com>

SUDO: include the sources in the IPA provider, too

78e5b91e6b22efbcd0621144b104ac9dfd487e5b 17-Jan-2012 Jakub Hrozek <jhrozek@redhat.com>

Add a new Makefile target to build RPMs with the experimental flag

70e59ed31c5a9c9ed02d9065ddf92be87c887efb 17-Jan-2012 Jakub Hrozek <jhrozek@redhat.com>

Export libsss_sudo as a separate package

eb54e05c9658a7274e3238813c54dd0c6577d3ec 17-Jan-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - periodical update of rules in data provider https://fedorahosted.org/sssd/ticket/1110 Adds new configuration options:
- ldap_sudo_refresh_enabled - enable/disable periodical updates
- ldap_sudo_refresh_timeout - rules timeout (refresh period)

5a70b84cb66fb8c7a3fce0e3f2e4b61e0b2ea9d4 09-Jan-2012 Simo Sorce <simo@redhat.com>

util: add murmurhash3 hash function

d844aab866ae237844360cea70e2dccdc90c783d 20-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

PAM: make initgroups timeout work across multiple clients Instead of timing out the initgroups lookup on a per-cctx basis, we will maintain a hash table of recently-seen users and use this instead. This will allow SSSD to handle users logging into multiple services simultaneously more graciously, as well as playing nicer with SSH (which makes calls to PAM both before and after a fork). https://fedorahosted.org/sssd/ticket/1063

87c07559af5cfcd2752295ef7c425bd3205f426f 19-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Move child_common routines to util

6a9bdb6289bb374d203861cef16f312185725cbc 19-Dec-2011 Pavel Zuna <pzuna@redhat.com>

Add common SIGCHLD handling for providers.

f8c829e72968b574e1c9bda96f4d5f206622358f 16-Dec-2011 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - pseudo client for testing

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3 16-Dec-2011 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - responder

e9eeb4302e0e426c6cc1a4e65b95a6f7066e80b9 16-Dec-2011 Pavel Březina <pbrezina@redhat.com>

SUDO integration - LDAP provider

4af1d1869d659fec84c518c26844132fa1df8f64 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

SUDO Integration - LDAP provider - save sudo rules functions

3f98cdc011bb4e8cd22c088f288b0bcdb6452492 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

SUDO Integration - sysdb interface

0ef783e186ef1c9f60e61a4e8e54c44cb366fdfe 16-Dec-2011 Pavel Březina <pbrezina@redhat.com>

SUDO integration - client common interface

dbea04f585a30d001b574317c068cd03a4fa332b 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

sss_utf8_tolower utility function+unit tests

b32159300fea63222d8dd9200ed634087704ea74 05-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Allow using Glib for UTF8 support

be1ef1c62ad13612be5e1f879476c24452a5d6d0 28-Nov-2011 Stephen Gallagher <sgallagh@redhat.com>

Add -fno-strict-aliasing

3a62a99faf8e12965100d0b26fc9e07752bd3e2d 23-Nov-2011 Stephen Gallagher <sgallagh@redhat.com>

Fix broken build due to commit of IPA netgroup support

8b1f2574ce7a964965a18ab047ab09c4694380c4 23-Nov-2011 Jan Zeleny <jzeleny@redhat.com>

Added IPA account info handler Currently it is only handling netgroups by itself, other requests are forwarded to LDAP provider.

e526b608657f229f7486b3aa8c53b0f2c53b42b1 23-Nov-2011 Jan Zeleny <jzeleny@redhat.com>

Added support for fetching netgroups in IPA provider

e369fc08906383e6d5c39832f31bb6600a33f887 22-Nov-2011 Simo Sorce <ssorce@redhat.com>

Set more strict permissions on keyring We want to confine access to the keyring to the current process and not let root easily peek into the keyring contents.

872f2d32d979a1dd2145667487f170fec8b5189a 18-Nov-2011 Stephen Gallagher <sgallagh@redhat.com>

RESPONDER: Ensure that all input strings are valid UTF-8

8b1f525acd20f36c836e827de3c251088961c5d9 14-Oct-2011 Stephen Gallagher <sgallagh@redhat.com>

BUILDSYS: Fix --without-manpages We weren't honoring the --without-manpages option, and this was causing builds to break. Note: 'make dist[check]' will not work if you have configured with --without-manpages because it will not be able to pre-generate the translation files necessary for tarball release.

c2352a73f52f600d95966ebe0b0819649ba923fa 07-Oct-2011 Stephen Gallagher <sgallagh@redhat.com>

SYSDB: New source file for sysdb upgrade routines

8782e92079a2842955e04392d20605453de6d567 08-Sep-2011 Stephen Gallagher <sgallagh@redhat.com>

Improve documentation of libipa_hbac

f1828234a850dd28465425248a83a993f262918f 06-Sep-2011 Pavel Březina <pbrezina@redhat.com>

sss_debuglevel - change the debug levels on the fly https://fedorahosted.org/sssd/ticket/950

4b6a0d0b3d42e5fdb457f47d9adfa5e66b160256 02-Sep-2011 Stephen Gallagher <sgallagh@redhat.com>

Add option to specify the kerberos replay cache dir Adds a configure option to set the distribution default as well as an sssd.conf option to override it. https://fedorahosted.org/sssd/ticket/980

fe60346714a73ac3987f786731389320633dd245 25-Aug-2011 Pavel Březina <pbrezina@redhat.com>

New DEBUG facility - unit tests https://fedorahosted.org/sssd/ticket/925

f26c954658dfd7461f290f0b5d924951a6db219a 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

sdap_async_accounts.c split The file has been split in three: sdap_async_users.c sdap_async_groups.c sdap_async_initgroups.c https://fedorahosted.org/sssd/ticket/864

8a07521b413a3b5879f824e1872c5770c92ee5c0 08-Aug-2011 Stephen Gallagher <sgallagh@redhat.com>

Rename sssd.conf to sssd-example.conf This file should not be installed by default. It leads to user confusion. We will instead install it as documentation. Fix incorrect example of entry_cache_nowait_percentage

a72e9289fe001c85a17acd667ca31d692fd99605 01-Aug-2011 Stephen Gallagher <sgallagh@redhat.com>

Add rule validator to libipa_hbac https://fedorahosted.org/sssd/ticket/943

826937ebae068e2ebe59dd37c5f12331f09fe3b9 29-Jul-2011 Stephen Gallagher <sgallagh@redhat.com>

libipa_hbac: Support case-insensitive comparisons with UTF8

72e60fd4eabcfbcdbfe01e8c38b94052bc6c2067 13-Jul-2011 Jakub Hrozek <jhrozek@redhat.com>

Fix python HBAC bindings for python <= 2.4 Several parts of the HBAC python bindings did not work with old Python versions, such as the one shipped in RHEL5. The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char *" arguments where they have "const char *" in recent versions. This caused compilation warnings this patch mitigates by using the discard_const hack on python 2.4

667db40da4db362d7ca0a1f7f1c4ba40fb71795a 08-Jul-2011 Jakub Hrozek <jhrozek@redhat.com>

Provide python bindings for the HBAC evaluator library

32a5516cc2822cf6ad9950278e3c9701a9389bb4 08-Jul-2011 Stephen Gallagher <sgallagh@redhat.com>

Add new HBAC lookup and evaluation routines

e134a6af42102c8d865e82bf89e0b8c5a40fb5fa 08-Jul-2011 Stephen Gallagher <sgallagh@redhat.com>

Add helper functions for looking up HBAC rule components

4dd615c01357b8715711aad6820ba9595d3ad377 08-Jul-2011 Stephen Gallagher <sgallagh@redhat.com>

Add HBAC evaluator and tests

c355f8df3eabf3c59af3a506fbffb8b0e4ff9fb7 15-Jun-2011 Sumit Bose <sbose@redhat.com>

Add missing libsss_util to proxy provider

fe2091327ff44f80d6681c261494e4432404e9ba 23-May-2011 Stephen Gallagher <sgallagh@redhat.com>

Build sssd utils as a libtool helper library This will speed up the build, as we are not recompiling the same sources multiple times for different binaries. These objects will now be built once and then statically linked in.

e92ecf948387d1687a5e772ac86e606b1b6af957 23-May-2011 Stephen Gallagher <sgallagh@redhat.com>

Build SSSD plugins without a version number The version is both fake and unused, so we'll stop creating the versioned file and use only the unversioned .so. This is safe to do for now because all of the plugins are built at the same time as the interface.

bfbf5cb0f00c60c0f000f56c282377b13b9a89ab 06-May-2011 Sumit Bose <sbose@redhat.com>

Add support for openldap24 package on RHEL 5.7

c737e1444fb186e349e59bfa9dac4995b720b4b1 04-May-2011 Jan Zeleny <jzeleny@redhat.com>

Cache cleaning tool

2a5790216f57e9bdfb2930d52860bb5300366536 12-Apr-2011 Jakub Hrozek <jhrozek@redhat.com>

Provide a configuration option to use systemd unit file https://fedorahosted.org/sssd/ticket/837

21f28bdbab10881b9fb0b890dfa15af429326606 11-Feb-2011 Sumit Bose <sbose@redhat.com>

Make 'make check' look nice again With current libldb releases 'make check' will print a lot of 'unable to dlopen' messages although the test will succeed. This patch places the memberof module into a directory of its own to avoid these messages. Additionally this patch introduces TESTS_ENVIRONMENT which allows us to remove the SYSDB_TEST preprocessor definition.

23e8d84320ae8b76d244764c02e44036e96cd4df 11-Feb-2011 Stephen Gallagher <sgallagh@redhat.com>

Fix module registration with newer LDB libraries.

948c021d50ce26e5935f4909ef7d4c61d28b02b5 23-Dec-2010 Sumit Bose <sbose@redhat.com>

Build and install translated man pages by default

6f51c802311fd81a409a26763ed45b28a3234d0d 22-Dec-2010 Jakub Hrozek <jhrozek@redhat.com>

Make manual pages translatable Utilizes PO4A to extract translatable strings from Docbook XML sources and allows translators to submit ordinary .PO files. PO4A then generates translated Docbook documents that can be used to generate translated end user documentation. https://fedorahosted.org/sssd/ticket/297

7d436b1bd6bcca29aa9874adc11bdfb862139cd8 20-Dec-2010 Sumit Bose <sbose@redhat.com>

Serialize requests of the same user in the krb5 provider

1ce240367a2144500187ccd3c0d32c975d8d346a 08-Dec-2010 Sumit Bose <sbose@redhat.com>

Bye, bye, ipa_timerules It was decided that IPA HBAC will move to a different format to specify time ranges in access control rules. The evaluation based on the old format is not needed anymore.

5843ad321944a028f6dee7e1fd4f9381c4953d07 07-Dec-2010 Sumit Bose <sbose@redhat.com>

Add support for FAST in krb5 provider

52e0894fd65bff4715c88330eb62b28e1635228f 06-Dec-2010 Stephen Gallagher <sgallagh@redhat.com>

Make sure that sss_obfuscate installs as executable

f3f9ce8024d7610439d6c70ddafab1ab025cf8a8 03-Dec-2010 Sumit Bose <sbose@redhat.com>

Add support for automatic Kerberos ticket renewal

c8b8901b05da9e31dba320f305ec20301e928cfb 03-Dec-2010 Sumit Bose <sbose@redhat.com>

Add krb5_renewable_lifetime option

4b0309363dbfb9a1409e082b3a84f17b53a751c1 24-Nov-2010 Stephen Gallagher <sgallagh@redhat.com>

Print correct error messages for dp_err_to_string() All errnum values passed into this function throughout the code are PAM error codes, but we were passing them through strerror() to print them, which is only meaningful for ERRNO error codes. This patch changes dp_err_to_string() to use pam_strerror() and renames it to dp_pam_err_to_string() for clarity. https://fedorahosted.org/sssd/ticket/636

adc4351a04cef89ced2dbb240180e5d00fd8dd3c 15-Nov-2010 Stephen Gallagher <sgallagh@redhat.com>

Sanitize search filters in memberOf plugin

b87233035e26cee919dcf46adaec29ba7fdaa51e 04-Nov-2010 Sumit Bose <sbose@redhat.com>

Make handle_child_* request public I took the opportunity to move everything related to the handling of the krb5_child into a separate file and cleaned the interfaces and related structures a bit.

1e29e68388c2e9c5da9cb0afe997bc1b4e6933be 04-Nov-2010 Sumit Bose <sbose@redhat.com>

Add infrastructure for Kerberos access provider

580374daba2ab2c6075a7d0de9512abff133e2e9 26-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

Always use uint32_t for UID/GID numbers

13147b598a8409c338abb9472e74bbd606f224bd 26-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Improve versioning for automated builds Also changes 'make srpms' and 'make prerelease-srpms' to 'make srpm' and 'make prerelease-srpm', as we are only building one SRPM.

04feeade1f6259368a6b23c6b3ecbad261161659 25-Oct-2010 Sumit Bose <sbose@redhat.com>

Implement netgroups for proxy provider

8715fcb39bd8086cb59d978e9a6ae18aaae1f864 19-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Write log opening failures to the syslog If there is a problem with reopening the logs, it can be an audit trail issue.

1b02da77970e5a2a50081ceae048ff09e067c470 18-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Fix 'make distcheck' for XML documentation A missing $(srcdir) variable was preventing 'make distcheck' from working if run from a parallel build directory.

15b266d9f14dad26da8678a79019749d0f69532e 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename upgrade_config.py and build it properly Previously, we were just copying the script into the libexec dir during installation. However, this causes problems for packaging multilib on several distributions. https://fedorahosted.org/sssd/ticket/641

619bd403265ce0880989ba6f8324b010949851bc 13-Oct-2010 Sumit Bose <sbose@redhat.com>

Implement netgroup support for LDAP provider

ef39c0adcb61b16f9edc7beb4cdc8f3b0d5a8f15 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Add netgroup support to the NSS responder

f128b7b865062da662127712935dcc58bd022384 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Add support for netgroups to NSS sss_client

f1ac7d7859b26f0f36f5e8ffacda609f8ece80e5 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename group.c and passwd.c for clarity Prefixing group.c and passwd.c with "nss_" similar to the way the PAM client sources are prefixed with "pam_"

93109c5f1d85c028ce5cf6e31e2249ca90a7f746 13-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

Initialize kerberos service for GSSAPI

8cdb7217d221a54feaa7a1f967404c199ae541e5 13-Oct-2010 Sumit Bose <sbose@redhat.com>

Remove unused defines

f0e068c0cee13eea020ab34304b7995849603dda 13-Oct-2010 Sumit Bose <sbose@redhat.com>

Distribute XML sources instead of man-pages

3b1df539835367cb81cd5ff0f9959947d5642e55 09-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Add common hash table setup sss_hash_create() produces a dhash table living in the talloc hierarchy.

6480abbd1bba71efa8a834fada6505d1767fabfc 15-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Revert "Make ldap bind asynchronous" This reverts 56d8d19ac9d857580a233d8264e851883b883c67

ea38da18fdeff89c9b3241d39d66f82a32113416 15-Sep-2010 Stephen Gallagher <sgallagh@redhat.com>

Remove generated manpages when performing "make clean" Fixes https://fedorahosted.org/sssd/ticket/614

88aeed9a31b734a92630d5e881c960c5f77ba0ce 08-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Deobfuscate password in back ends When obfuscated password is used in config file, the LDAP backend converts it back to clear text and uses it to authenticate to the server.

530ba03ecabb472f17d5d1ab546aec9390492de1 08-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

sss_obfuscate tool A tool to add obfuscated passwords into the SSSD config file

2e6087c6cc903d5164b9a1d5e3d791fd046001d9 08-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Fix pysss linking

69aaef8719c5cf33ed1c4090fa313ba281bf8a02 08-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Password obfuscation utility functions Adds two utility functions to obfuscate a password and inverse to extract the cleartext password back. So far, only NSS-based implementation is provided.

3b08dec5ee634f83ee18e1753d5ffe0ac5e3c458 08-Sep-2010 Jakub Hrozek <jhrozek@redhat.com>

Move crypto functions into its own subdir A refactoring patch that creates a common util/crypto subdir with per-implementation subdirectories for each underlying crypto library supported by SSSD.

11cfa5797768d920592901bfd9f1df7f240ef0a5 02-Sep-2010 Maxim <kolmax94@gmail.com>

Remove useless /etc/dbus-1/system.d directory from installation Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

d921c1eba437662437847279f251a0a5d8f70127 02-Sep-2010 Maxim <kolmax94@gmail.com>

Add custom pam module dir Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

0d7e647da737b71a7dbbe0bb5f94af18017e5aa9 02-Sep-2010 Maxim <kolmax94@gmail.com>

Add gentoo distributions Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

56d8d19ac9d857580a233d8264e851883b883c67 02-Sep-2010 Martin Nagy <mnagy@redhat.com>

Make ldap bind asynchronous Every ldap function that could possibly create a new connection is now wrapped in a tevent_req. If the connection is created, we will call the function again after the socket is ready for writing.

bf5a808fa92007c325c3996e79694badfab201d4 23-Aug-2010 Stephen Gallagher <sgallagh@redhat.com>

Don't build SSSDConfig API when configured with --without-python-bindings

126c9338cf12a3e4404c36bbe4ec14b18f23537c 23-Aug-2010 Maxim <kolmax94@gmail.com>

Fix building sssd

551aa6c36797ed720487f5974dcadabf19e6ff9f 19-Aug-2010 Stephen Gallagher <sgallagh@redhat.com>

Rewrite toplevel Makefile There is no longer a need to have nested Makefiles and configure scripts. This patch combines the src/ Makefile and configure.ac into the root.

ad42d90b7e23978b62e36d6885d5fea0a105d6d0 19-Aug-2010 Stephen Gallagher <sgallagh@redhat.com>

Remove common directory All files formerly in common are now being built individually out of the ding-libs repository. git clone git://git.fedorahosted.org/git/ding-libs.git

Makefile.am common/COPYING common/COPYING.LESSER common/Makefile.am common/README common/collection/COPYING common/collection/COPYING.LESSER common/collection/Makefile.am common/collection/collection.c common/collection/collection.cfg.doxy.in common/collection/collection.h common/collection/collection.pc.in common/collection/collection_cmp.c common/collection/collection_cnv.c common/collection/collection_iter.c common/collection/collection_priv.h common/collection/collection_queue.c common/collection/collection_queue.h common/collection/collection_queue_ut.c common/collection/collection_stack.c common/collection/collection_stack.h common/collection/collection_stack_ut.c common/collection/collection_tools.c common/collection/collection_tools.h common/collection/collection_ut.c common/collection/configure.ac common/collection/m4/.dir common/configure.ac common/dhash/COPYING common/dhash/COPYING.LESSER common/dhash/Makefile.am common/dhash/README common/dhash/configure.ac common/dhash/dhash.c common/dhash/dhash.h common/dhash/dhash.pc.in common/dhash/examples/dhash_example.c common/dhash/examples/dhash_test.c common/dhash/m4/.dir common/ini/COPYING common/ini/COPYING.LESSER common/ini/Makefile.am common/ini/configure.ac common/ini/ini.conf common/ini/ini.d/real.conf common/ini/ini.d/test.conf common/ini/ini_comment.c common/ini/ini_comment.h common/ini/ini_comment_ut.c common/ini/ini_config.c common/ini/ini_config.cfg.doxy.in common/ini/ini_config.h common/ini/ini_config.pc.in common/ini/ini_config_ut.c common/ini/ini_defines.h common/ini/ini_get_array.c common/ini/ini_get_value.c common/ini/ini_list.c common/ini/ini_metadata.c common/ini/ini_metadata.h common/ini/ini_parse.c common/ini/ini_parse.h common/ini/ini_print.c common/ini/m4/.dir common/m4/.dir common/path_utils/COPYING common/path_utils/COPYING.LESSER common/path_utils/Makefile.am common/path_utils/README common/path_utils/configure.ac common/path_utils/m4/.dir common/path_utils/path_utils.c 
common/path_utils/path_utils.cfg.doxy.in common/path_utils/path_utils.h common/path_utils/path_utils.pc.in common/path_utils/path_utils_ut.c common/refarray/COPYING common/refarray/COPYING.LESSER common/refarray/Makefile.am common/refarray/README common/refarray/configure.ac common/refarray/m4/.dir common/refarray/ref_array.c common/refarray/ref_array.cfg.doxy.in common/refarray/ref_array.h common/refarray/ref_array.pc.in common/refarray/ref_array_ut.c common/trace/Makefile.am common/trace/trace.h configure.ac

e7f6e1953ce07bdcf25571152a3bcd412d8c5ba0 08-Mar-2010 Stephen Gallagher <sgallagh@redhat.com>

Package libcollection documentation into libcollection-devel

7f9938302778ffe87ef6295710c3670a44803f3a 23-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Include hour in 'make prerelease-rpms'

1c48b5a62f73234ed26bb20f0ab345ab61cda0ab 18-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename server/ directory to src/ Also update BUILD.txt

BUILD.txt Makefile.am configure.ac contrib/sssd.spec.in src/Makefile.am src/build_macros.m4 src/conf_macros.m4 src/confdb/confdb.c src/confdb/confdb.h src/confdb/confdb_private.h src/confdb/confdb_setup.c src/confdb/confdb_setup.h src/config/SSSDConfig.py src/config/SSSDConfigTest.py src/config/etc/sssd.api.conf src/config/etc/sssd.api.d/sssd-ipa.conf src/config/etc/sssd.api.d/sssd-krb5.conf src/config/etc/sssd.api.d/sssd-ldap.conf src/config/etc/sssd.api.d/sssd-local.conf src/config/etc/sssd.api.d/sssd-proxy.conf src/config/ipachangeconf.py src/config/setup.py src/config/testconfigs/noparse.api.conf src/config/testconfigs/sssd-badversion.conf src/config/testconfigs/sssd-invalid-badbool.conf src/config/testconfigs/sssd-invalid.conf src/config/testconfigs/sssd-noversion.conf src/config/testconfigs/sssd-valid.conf src/config/upgrade_config.py src/configure.ac src/db/sysdb.c src/db/sysdb.h src/db/sysdb_ops.c src/db/sysdb_private.h src/db/sysdb_search.c src/doxy.config.in src/examples/sssd.conf src/examples/sssdproxytest src/examples/sudo src/external/crypto.m4 src/external/docbook.m4 src/external/krb5.m4 src/external/ldap.m4 src/external/libcares.m4 src/external/libcollection.m4 src/external/libdhash.m4 src/external/libini_config.m4 src/external/libldb.m4 src/external/libpcre.m4 src/external/libpopt.m4 src/external/libtalloc.m4 src/external/libtdb.m4 src/external/libtevent.m4 src/external/pam.m4 src/external/pkg.m4 src/external/platform.m4 src/external/python.m4 src/external/selinux.m4 src/external/sizes.m4 src/krb5_plugin/sssd_krb5_locator_plugin.c src/ldb_modules/memberof.c src/m4/.dir src/man/include/failover.xml src/man/include/param_help.xml src/man/include/upstream.xml src/man/sss_groupadd.8.xml src/man/sss_groupdel.8.xml src/man/sss_groupmod.8.xml src/man/sss_groupshow.8.xml src/man/sss_useradd.8.xml src/man/sss_userdel.8.xml src/man/sss_usermod.8.xml src/man/sssd-ipa.5.xml src/man/sssd-krb5.5.xml src/man/sssd-ldap.5.xml src/man/sssd.8.xml 
src/man/sssd.conf.5.xml src/man/sssd_krb5_locator_plugin.8.xml src/monitor/monitor.c src/monitor/monitor.h src/monitor/monitor_interfaces.h src/monitor/monitor_sbus.c src/po/LINGUAS src/po/Makevars src/po/POTFILES.in src/po/de.po src/po/es.po src/po/fr.po src/po/it.po src/po/ja.po src/po/nl.po src/po/pl.po src/po/pt.po src/po/sss_daemon.pot src/po/sv.po src/providers/child_common.c src/providers/child_common.h src/providers/data_provider.h src/providers/data_provider_be.c src/providers/data_provider_fo.c src/providers/data_provider_opts.c src/providers/dp_auth_util.c src/providers/dp_backend.h src/providers/dp_sbus.c src/providers/fail_over.c src/providers/fail_over.h src/providers/ipa/ipa_access.c src/providers/ipa/ipa_access.h src/providers/ipa/ipa_auth.c src/providers/ipa/ipa_auth.h src/providers/ipa/ipa_common.c src/providers/ipa/ipa_common.h src/providers/ipa/ipa_init.c src/providers/ipa/ipa_timerules.c src/providers/ipa/ipa_timerules.h src/providers/krb5/krb5_auth.c src/providers/krb5/krb5_auth.h src/providers/krb5/krb5_become_user.c src/providers/krb5/krb5_child.c src/providers/krb5/krb5_common.c src/providers/krb5/krb5_common.h src/providers/krb5/krb5_init.c src/providers/krb5/krb5_utils.c src/providers/krb5/krb5_utils.h src/providers/ldap/ldap_auth.c src/providers/ldap/ldap_child.c src/providers/ldap/ldap_common.c src/providers/ldap/ldap_common.h src/providers/ldap/ldap_id.c src/providers/ldap/ldap_id_cleanup.c src/providers/ldap/ldap_id_enum.c src/providers/ldap/ldap_init.c src/providers/ldap/sdap.c src/providers/ldap/sdap.h src/providers/ldap/sdap_async.c src/providers/ldap/sdap_async.h src/providers/ldap/sdap_async_accounts.c src/providers/ldap/sdap_async_connection.c src/providers/ldap/sdap_async_private.h src/providers/ldap/sdap_child_helpers.c src/providers/providers.h src/providers/proxy.c src/providers/sssd_be.exports src/python/pysss.c src/resolv/ares/ares_data.c src/resolv/ares/ares_data.h src/resolv/ares/ares_dns.h 
src/resolv/ares/ares_parse_srv_reply.c src/resolv/ares/ares_parse_srv_reply.h src/resolv/ares/ares_parse_txt_reply.c src/resolv/ares/ares_parse_txt_reply.h src/resolv/async_resolv.c src/resolv/async_resolv.h src/responder/common/responder.h src/responder/common/responder_cmd.c src/responder/common/responder_common.c src/responder/common/responder_dp.c src/responder/common/responder_packet.c src/responder/common/responder_packet.h src/responder/nss/nsssrv.c src/responder/nss/nsssrv.h src/responder/nss/nsssrv_cmd.c src/responder/nss/nsssrv_nc.c src/responder/nss/nsssrv_nc.h src/responder/pam/pam_LOCAL_domain.c src/responder/pam/pamsrv.c src/responder/pam/pamsrv.h src/responder/pam/pamsrv_cmd.c src/responder/pam/pamsrv_dp.c src/sbus/sbus_client.c src/sbus/sbus_client.h src/sbus/sssd_dbus.h src/sbus/sssd_dbus_common.c src/sbus/sssd_dbus_connection.c src/sbus/sssd_dbus_private.h src/sbus/sssd_dbus_server.c src/sss_client/common.c src/sss_client/group.c src/sss_client/man/pam_sss.8.xml src/sss_client/pam_sss.c src/sss_client/pam_test_client.c src/sss_client/passwd.c src/sss_client/protos.h src/sss_client/sss_cli.h src/sss_client/sss_nss.exports src/sss_client/sss_pam.exports src/sss_client/sss_pam_macros.h src/sysv/SUSE/sssd src/sysv/sssd src/tests/auth-tests.c src/tests/check_and_open-tests.c src/tests/common.c src/tests/common.h src/tests/fail_over-tests.c src/tests/files-tests.c src/tests/find_uid-tests.c src/tests/ipa_ldap_opt-tests.c src/tests/ipa_timerules-tests.c src/tests/krb5_utils-tests.c src/tests/python-test.py src/tests/refcount-tests.c src/tests/resolv-tests.c src/tests/stress-tests.c src/tests/strtonum-tests.c src/tests/sysdb-tests.c src/tools/files.c src/tools/sss_groupadd.c src/tools/sss_groupdel.c src/tools/sss_groupmod.c src/tools/sss_groupshow.c src/tools/sss_sync_ops.c src/tools/sss_sync_ops.h src/tools/sss_useradd.c src/tools/sss_userdel.c src/tools/sss_usermod.c src/tools/tools_util.c src/tools/tools_util.h src/util/backup_file.c 
src/util/check_and_open.c src/util/crypto_sha512crypt.c src/util/debug.c src/util/dlinklist.h src/util/find_uid.c src/util/find_uid.h src/util/memory.c src/util/nss_sha512crypt.c src/util/refcount.c src/util/refcount.h src/util/server.c src/util/sha512crypt.h src/util/signal.c src/util/signal.m4 src/util/sss_krb5.c src/util/sss_krb5.h src/util/sss_ldap.c src/util/sss_ldap.h src/util/strtonum.c src/util/strtonum.h src/util/user_info_msg.c src/util/user_info_msg.h src/util/usertools.c src/util/util.c src/util/util.h
8e9ac4d7443939ed0d152708d3877b29252d16fe 18-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Eliminate separate build tree for sss_client

Makefile.am configure.ac server/Makefile.am server/configure.ac server/po/POTFILES.in server/providers/data_provider.h server/responder/common/responder.h server/responder/common/responder_packet.h server/sss_client/Makefile.am server/sss_client/autogen.sh server/sss_client/common.c server/sss_client/conf_macros.m4 server/sss_client/config.guess server/sss_client/config.sub server/sss_client/configure.ac server/sss_client/external/docbook.m4 server/sss_client/group.c server/sss_client/install-sh server/sss_client/m4/.dir server/sss_client/man/pam_sss.8.xml server/sss_client/pam_sss.c server/sss_client/pam_test_client.c server/sss_client/passwd.c server/sss_client/po/LINGUAS server/sss_client/po/Makevars server/sss_client/po/POTFILES.in server/sss_client/po/de.po server/sss_client/po/es.po server/sss_client/po/fr.po server/sss_client/po/it.po server/sss_client/po/ja.po server/sss_client/po/nl.po server/sss_client/po/pl.po server/sss_client/po/pt.po server/sss_client/po/sss_client.pot server/sss_client/po/sv.po server/sss_client/protos.h server/sss_client/sss_cli.h server/sss_client/sss_nss.exports server/sss_client/sss_pam.exports server/sss_client/sss_pam_macros.h server/util/user_info_msg.c
26785017abee76e0eff95214f0c52fcdb04741e0 16-Feb-2010 Sumit Bose <sbose@redhat.com>

Remove replace

BUILD.txt Makefile.am configure.ac replace/.checker_innocent replace/Makefile.am replace/README replace/acinclude.m4 replace/autoconf-2.60.m4 replace/autogen.sh replace/build_macros.m4 replace/config.guess replace/config.sub replace/configure.ac replace/dlfcn.c replace/dlfcn.m4 replace/getaddrinfo.c replace/getaddrinfo.h replace/getifaddrs.c replace/getpass.c replace/getpass.m4 replace/inet_aton.c replace/inet_ntoa.c replace/inet_ntop.c replace/inet_pton.c replace/install-sh replace/libreplace.m4 replace/libreplace_cc.m4 replace/libreplace_ld.m4 replace/libreplace_macros.m4 replace/libreplace_network.m4 replace/repdir.m4 replace/repdir_getdents.c replace/repdir_getdirentries.c replace/replace.c replace/replace.h replace/samba.m4 replace/snprintf.c replace/socket.c replace/socketpair.c replace/strptime.c replace/strptime.m4 replace/system/README replace/system/aio.h replace/system/capability.h replace/system/config.m4 replace/system/dir.h replace/system/filesys.h replace/system/glob.h replace/system/iconv.h replace/system/kerberos.h replace/system/locale.h replace/system/network.h replace/system/passwd.h replace/system/readline.h replace/system/select.h replace/system/shmem.h replace/system/syslog.h replace/system/terminal.h replace/system/time.h replace/system/wait.h replace/test/getifaddrs.c replace/test/main.c replace/test/os2_delete.c replace/test/shared_mmap.c replace/test/strptime.c replace/test/testsuite.c replace/timegm.c replace/timegm.m4 replace/win32.m4 replace/win32_replace.h server/Makefile.am
15dc6ed9ecdea095b041190aeb8f67ed71efd0e7 15-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Add doxygen docs for ConfDB

78fe240e7c47f45c87cdfba0107fca6390401137 21-Jan-2010 Stephen Gallagher <sgallagh@redhat.com>

Add 'prerelease-rpms' target to Makefile

This target is available only if building from a git checkout. It will automatically populate the PRERELEASE_VERSION in version.m4 with the current datestamp and git commit id for creating an RPM.

1183d29d87c5c7439cf2364b7d7324d4a13b6e35 21-Jan-2010 Stephen Gallagher <sgallagh@redhat.com>

Add 'prerelease-srpms' target to Makefile

This target is available only if building from a git checkout. It will automatically populate the PRERELEASE_VERSION in version.m4 with the current datestamp and git commit id for creating an SRPM.

ee359fe1384507fed6c2274e7bfe81d288de4542 21-Jan-2010 Stephen Gallagher <sgallagh@redhat.com>

Use version.m4 for setting the SSSD version

This is the preferred way of setting the version in a file, as autotools will properly monitor this file for changes and rerun autoconf/configure when necessary to update the version. This means that we don't need to manually perform an autoreconf in order to build a new RPM.

fd5a4eacd56700ffb08a73121aeacdc806cb0132 15-Dec-2009 Sumit Bose <sbose@redhat.com>

Use --with-ldb-lib-dir while running make distcheck

adfe89593359dd5fd96ace0a3f9ea8e7e7278fc4 15-Sep-2009 Stephen Gallagher <sgallagh@redhat.com>

Allow rerunning autoreconf from the tarball

We were missing two files from the tarball distribution that prevented autoreconf from running successfully: VERSION and replace/autoconf-2.60.m4

f1fab7b8210af4ae94453265b607e2dab06789ca 15-Sep-2009 Stephen Gallagher <sgallagh@redhat.com>

Include m4 directories in tarball

Necessary for RPM builds on RHEL5

1df8e4158e752f1f010394d09e8a5e4f8201fd7e 11-Sep-2009 Stephen Gallagher <sgallagh@redhat.com>

Add 'make tests' target

e9ea1b4e59384cdfe3accdf31e5c579c3dad5591 02-Sep-2009 Stephen Gallagher <sgallagh@redhat.com>

Move RPM specfiles into contrib/

Support RHEL 5 in the spec file

df4cc3a83c5d6700b6a09ff96cb4a6b1949b1aa9 20-Aug-2009 Stephen Gallagher <sgallagh@redhat.com>

Fix usage of $(builddir) in SSSD

There are some old versions of automake that do not define $(builddir) correctly. Since $(builddir) is "Rigorously equal to '.'", we'll set it at the top of the Makefile.am files.

263e4574dacb4b7d2a18d5d42122bf3dce4c45b0 21-Jul-2009 Stephen Gallagher <sgallagh@redhat.com>

Add 'make srpms' target

897060147ddea72ecc1e86c6b7b915ff1d462f71 19-May-2009 Stephen Gallagher <sgallagh@redhat.com>

Fix RPM generation issues with sssd

Ensures that the common libraries build statically. Also ensures that the sssd.spec creates the SYSV init script with the appropriate permissions. Cleans up the useless rpmdist target that was obsolete. Adds the *.so.N.0.0 files to the RPM, as the .so and .so.N files were dangling symlinks.

84ae5edab16ad6be5e3be956cb6fa031c1428eb5 19-May-2009 Stephen Gallagher <sgallagh@redhat.com>

Convert top-level of SSSD to automake. Also update RPM spec and build procedures.