CONFIGURE: drop unused check Related to: https://pagure.io/SSSD/sssd/issue/3656 Reviewed-by: Sumit Bose <sbose@redhat.com>

TESTS: simple CA to generate certificates for test To avoid issue with certificate lifetimes a simple OpenSSL based CA is used to generate certificates for tests. To make management easy all related data is kept in src/tests/test_CA. Since some header files will be generated the generation of the needed files is added to BUILT_SOURCES as other generated code. Related to https://pagure.io/SSSD/sssd/issue/3436 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IPA: Drop unused ifdef HAVE_SELINUX_LOGIN_DIR Macros ALL_SERVICES and selogin_path were conditionally defined in case of existing selinux login directory at configure time (defined macro AVE_SELINUX_LOGIN_DIR) However, these macros were unused for quite a long 2.5 year and last usage was removed in commit 9c47c8c59b5c9078f342f82367cd0ad7857acef8 "IPA: Use set_seuser instead of writing selinux login file" Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Avoid double semicolon warnings on older compilers Compilers that don't support fallthrough will end up with an empty SSS_ATTRIBUTE_FALLTHROUGH define and just see a semicolon. The probably will warn that there are double semicolons in the code. Merges: https://pagure.io/SSSD/sssd/pull-request/3645 Signed-off-by: Andreas Schneider <asn@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

nss-idmap: add nss like calls with timeout and flags This patch adds new calls to libsss_nss_idmap to get NSS like user and group information directly from SSSD without using the system's NSS interfaces. Additionally a timeout and a flags options are added which are not available for system's NSS. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Support configuring session recording shell Add support for specifying the shell used for recording user sessions, at configure time. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

BUILD: Improve error messages for optional dependencies Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

build: make curl required by secrets Also remove --disable-libcurl since it doesn't make sense. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

KCM: Implement an internal ccache storage and retrieval API In order for the KCM server to work with ccaches stored in different locations, implement a middle-man between the KCM server and the ccache storage. This module has asynchronous API because we can't assume anything about where the ccaches are stored. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

KCM: Initial responder build and packaging Adds the initial build of the Kerberos Cache Manager responder (KCM). This is a deamon that is capable of holding and storing Kerberos ccaches. When KCM is used, the kerberos libraries (invoked through e.g. kinit) are referred to as a 'client' and the KCM deamon is referred to as 'server'. At the moment, only the Heimdal implementation of Kerberos implements the KCM server: https://www.h5l.org/manual/HEAD/info/heimdal/Credential-cache-server-_002d-KCM.html This patch adds a KCM server to SSSD. In MIT, only the 'client-side' support was added: http://k5wiki.kerberos.org/wiki/Projects/KCM_client This page also describes the protocol between the client and the server. The client is capable of talking to the server over either UNIX sockets (Linux, most Unixes) or Mach RPC (macOS). Our server only implements the UNIX sockets way and should be socket-activated by systemd, although can in theory be also ran explicitly. The KCM server only builds if the configuration option "--with-kcm" is enabled. It is packaged in a new subpackage sssd-kcm in order to allow distributions to enable the KCM credential caches by installing this subpackage only, without the rest of the SSSD. The sssd-kcm subpackage also includes a krb5.conf.d snippet that allows the admin to just uncomment the KCM defaults and instructs them to start the socket. The server can be configured in sssd.conf in the "[kcm]" section. By default, the server only listens on the same socket path the Heimdal server uses, which is "/var/run/.heim_org.h5l.kcm-socket". This is, however, configurable. The file src/responder/kcm/kcm.h is more or less directly imported from the MIT Kerberos tree, with an additional sentinel code and some comments. Not all KCM operations are implemented, only those that also the MIT client implements. That said, this KCM server should also be usable with a Heimdal client, although no special testing was with this hybrid. The patch also adds several error codes that will be used in later patches. Related to: https://pagure.io/SSSD/sssd/issue/2887 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

certmap: add new library libsss_certmap With this library it would be possible to map certificates and users not only by adding the full certificate to the user's LDAP object but by adding e.g. only parts like the issuer and subject name. Additionally the library is also able to flexible select/match certificates based on values in the certificate. Details about mapping and matching rules can be found in the included man page. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Detect libcurl during configure Currently libcurl is optional and if not present, just silently skipped. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Suppres implicit-fallthrough from gcc 7 Some kind of comments are recognized by gcc7 but they are ignored with -Wimplicit-fallthrough=5 and only attributes disable the warning. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

IFP: Make IFP responder dbus-activatable As part of the effort of making all responders socket-activatable (or, in the IFP case, dbus-activatable), let's make the IFP responder ready for this by providing its systemd's units. Related: https://fedorahosted.org/sssd/ticket/2243 Resolves: https://fedorahosted.org/sssd/ticket/3129 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Drop libsss_config libsss_config has been used only by OpenLMI and the project has been deprecated making, then, no sense to keep the support on SSSD. Distros that, for some reason, are still packing and distributing OpenLMI can stick to SSSD 1.14 branch. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sss_client: Defer thread cancellation until completion of nss/pam operations The client code is not cancellation-safe, an application which has cancelled an NSS operation will experience subtle bugs, hence thread cancellation is deferred until completion of client operations. Resolves: https://fedorahosted.org/sssd/ticket/3156 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>

BUILD: Fix linking with librt The posix realime extensions defines timer_* functions but it does not mention library with these functions. http://www.unix.org/version2/whatsnew/realtime.html The autoconf macro AC_SEARCH_LIBS firstly check the function timer_create with no libraries, then for each library listed in 2nd parameter. Possible libraries librt and libposix4 were used in nspr for similar detection. Reviewed-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>

BUILD: Detect the path of the "service" executable Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Secrets: m4 macros for jansson and http-parser Prepares autoconf for the new Secrets Provider dependencies Related: https://fedorahosted.org/sssd/ticket/2913 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

Secrets: Add autoconf macros to build with secrets Prepares autoconf for the new Secrets Provider Related: https://fedorahosted.org/sssd/ticket/2913 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Fix detection of systemd The macro AM_COND_IF must be called after AM_CONDITIONAL Otherwise it will consider that condition is true. As a result of this the header file config.h had defined macro HAVE_SYSTEMD on all platforms Our macro AM_CHECK_SYSTEMD was removed becuase it was needed in src/external/systemd.m4 and should not be invoked later in configure.ac Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sssctl: new tool Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add winbind idmap plugin With this plugin winbind can use the same id-mapping as SSSD which makes it possible to run both together in a consistent way. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SYSDB: Add systemtap probes to track sysdb transactions Actually adds marks for sysdb transactions that receive the transaction nesting level as an argument. The nesting is passed on from probes to marks along with a human-friendly description. The transaction commit is decorated with two probes, before and after. This would allow the caller to distinguish between the time we spend in the transaction (which might be important, because if a transaction is active on an ldb context, even the readers are blocked before the transaction completes) and the time we spend commiting the transaction (which is important because that's when the disk writes occur) The probes would be installed into /usr/share/systemtap/tapset on RHEL and Fedora. This is in line with systemtap's paths which are described in detail in "man 7 stappaths". Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Add build infrastructure for systemtap scripts Adds infrastructure that generatest the probes.h and probes.o from the dtrace probes.d file. The probes.d file is empty except for the provider name in this commit, its content will be added with later commits that actually add some content. The probes.d file is always distributed in the tarball so that distributions can optionally enable systemtap support. The generation is done using the "dtrace" command because the probes.d file is compatible with the Solaris dtrace format. Please see "man 1 dtrace" for more information on the dtrace format and the command line tool. In order to make libtool happy, a fake libtool object is generated. This hunk was taken from the libvirt code. The AM_V_GEN macro is used to make the build compatible with the silent build configuration. To enable systemtap probing, configure sssd with: --enable-systemtap In order to do so, the 'dtrace' command-line utility must be installed. On Fedora and RHEL, this package is installed as part of the "systemtap-sdt-devel" package. You'll also want the 'systemtap' package installed as well as the matching versions of kernel-devel and kernel-debuginfo on your machine. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AUTOMAKE: Force usage of parallel test harness Parallel test harness[1] is enabled by default with new versions of automake. However, automake on rhel6 (1.11.1-4) still uses serial test harness by default even though it also contains parallel test harness. Downside of serial test is that output of all test are mixed together and is not in separate log files as with parallel test harness. Another problem is slow execution test with valgrind due to missing parallelisation. It's approximately 4-5 minutes slower on machine with 4 CPUs. The automake option parallel-tests is kept for backward-compatibility in new versions of automake, since the parallel test harness is the default there. [1] http://www.gnu.org/software/automake/manual/html_node/Parallel-Test-Harness.html#Parallel-Test-Harness [2] http://www.gnu.org/software/automake/manual/html_node/Serial-Test-Harness.html#Serial-Test-Harness Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

libipa_hbac: Move the library to src/lib/ipa_hbac Moving the library to the lib directory will force maintainers to think twice about changes, because it would be obvious this is a library. Also don't use includes from sssd source tree paths, but add the util path to Makefile's CFLAGS so that other projects can copy the hbac_evaluator.c file verbatim. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

build: detect endianness at configure time WORDS_BIGENDIAN, HAVE_BIG_ENDIAN and HAVE_LITTLE_ENDIAN are needed by Samba. See Samba's byteorder.h header for an example. Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL The AC_PROG_LIBTOOL macro is obsoleted since libtool 2.0 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Only install polkit rules if the directory is available Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

p11: allow p11_child to run completely unprivileged To only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set. Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sbus: Check string arguments for valid UTF-8 strings libdbus abort()s when a string argument is not valid UTF-8. Since the arguments sometimes come from untrusted sources, it's better to check the string validity explicitly. Reviewed-by: Sumit Bose <sbose@redhat.com>

CONFIGURE: Bump AM_GNU_GETTEXT_VERSION The function gettext was not detected properly with strict cflags even thought it was part of glibc. sh$ CFLAGS="-Werror" ./configure sh$ grep gt_cv_func_gnugettext config.log gt_cv_func_gnugettext1_libc=no gt_cv_func_gnugettext1_libintl=no sh$ objdump -T /lib64/libc.so.6 | grep gettext 000000000002fc60 w DF .text 0000000000000010 GLIBC_2.2.5 dcngettext 000000000002dc70 w DF .text 000000000000000f GLIBC_2.2.5 dcgettext 000000000002fc80 w DF .text 0000000000000016 GLIBC_2.2.5 ngettext 000000000002dc90 w DF .text 000000000000000f GLIBC_2.2.5 gettext 000000000002dc70 g DF .text 000000000000000f GLIBC_2.2.5 __dcgettext 000000000002dc80 w DF .text 000000000000000a GLIBC_2.2.5 dgettext 000000000002dc80 g DF .text 000000000000000a GLIBC_2.2.5 __dgettext 000000000002fc70 w DF .text 000000000000000b GLIBC_2.2.5 dngettext Reviewed-by: Petr Cech <pcech@redhat.com>

TESTS: Add warning for unused result of leak check functions Reviewed-by: Petr Cech <pcech@redhat.com>

BUILD: Remove sudo doxygen file There aren't any documented files in directory src/sss_client/sudo/ Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Fix detection of pthread with strict CFLAGS If the configure was called with stricter flags (-Werror=unused-variable) then configure script did not detect tread safe initialisation. As a result of this client code was not build with mutexes. conftest.c: In function 'main': conftest.c:39:17: error: unused variable 'm' [-Werror=unused-variable] pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; ^ cc1: all warnings being treated as errors configure:15331: $? = 1 configure:15338: WARNING: Pthread library not found! Clients will not be thread safe... Reviewed-by: Pavel Březina <pbrezina@redhat.com>

CONFIGURE: Remove bashism There were errors in configure script when /bin/sh was not bash ./configure: 15889: test: xfedora: unexpected operator ./configure: 19981: test: xyes: unexpected operator ./configure: 23103: test: x1: unexpected operator The equality operator "==" works in bash but it's not a standard. The man page test(1) also does not mention it. There is only short version "=" STRING1 = STRING2 the strings are equal

AUTOMAKE: Disable portability warnings We already require GNU make extenstions to build manual pages. src/man/Makefile.am:46: warning: wildcard $(srcdir: non-POSIX variable name src/man/Makefile.am:46: (probably a GNU make extension) src/man/Makefile.am:125: warning: wildcard $(srcdir: non-POSIX variable name src/man/Makefile.am:125: (probably a GNU make extension) src/man/Makefile.am:128: warning: addprefix $(srcdir: non-POSIX variable name src/man/Makefile.am:128: (probably a GNU make extension) src/man/Makefile.am:128: warning: shell grep '\[type:docbook\]' $(PO4A_CONFIG: non-POSIX variable name src/man/Makefile.am:128: (probably a GNU make extension) src/man/Makefile.am:129: warning: filter-out $(CFG_PAGES: non-POSIX variable name src/man/Makefile.am:129: (probably a GNU make extension) Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: add certificate support to PAM (pre-)auth requests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

utils: add NSS version of cert utils Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

certs: add PEM/DER conversion utilities Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

IPA: Fetch keytab for 1way trusts Uses the ipa-getkeytab call to retrieve keytabs for one-way trust relationships. https://fedorahosted.org/sssd/ticket/2636 Reviewed-by: Sumit Bose <sbose@redhat.com>

Add integration tests Add "intgcheck" make target. Update CI to use it. The "intgcheck" target configures and builds sssd in a sub-directory, installs it into a prefix in another sub-directory, and then makes the "intgcheck-installed" target from within src/tests/intg in that separate build. The "intgcheck-installed" target in src/tests/intg runs py.test for all tests it can find in that directory, under fakeroot and nss_wrapper/uid_wrapper environments emulating running under root. It also adds the value of INTGCHECK_PYTEST_ARGS environment/make variable to the py.test command line. You can use it to pass additional py.test options, such as specifying a subset of tests to run. See "py.test --help" output. There are only two test suites in src/tests/intg at the moment: ent_test.py and ldap_test.py. The ent_test.py runs tests on ent.py - a module of assertion functions for checking entries in NSS database (passwd and group), for use in actual tests. The ent_test.py suite can be used as ent.py usage reference. The ldap_test.py suite sets up and starts a slapd instance, adds a few user and group entries, configures and starts sssd and verifies that those users and groups are retrieved correctly using various NSS functions. The tests are very basic at the moment. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

AD GPO: Change default to "enforcing" When a user enrolls a system against Active Directory, the expectation is that the client will honor the centrally-managed settings. In the past, we avoided changing the default (and left it in permissive mode, to warn admins that the security policy wasn't being honored) in order to avoid breaking existing Active Directory enrollments. However, sufficient time has likely passed for users to become accustomed to using GPOs to manage access-control for their systems. This patch changes the default to enforcing and adds a configure flag for distributions to use if they wish to provide a different default value. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Write hints about optional python bindings Reviewed-by: Michal Židek <mzidek@redhat.com>

BUILD: Add possibility to build python{2,3} bindings Resolves: https://fedorahosted.org/sssd/ticket/2574 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

BUILD: Use python-config for detection *FLAGS The script python-config was not available in older versions of python. This patch simplify detection of python CFLAGS and LDFLAGS and increase minimal required version of python to 2.6 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>

CONFIGURE: Do not use macro AC_PROG_MKDIR_P twice Macro AC_PROG_MKDIR_P need to be used just conditionally This patch also fixes fallback of macro MKDIR_P Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Remove strict requirements of python2 * fix hashbangs * remove strict requirements of python2 in build system Resolves: https://fedorahosted.org/sssd/ticket/2017 Reviewed-by: Petr Viktorin <pviktori@redhat.com>

RESOLV: Add an internal function to read TTL from a DNS packet Related: https://fedorahosted.org/sssd/ticket/1884 Adds an internal resolver function that reads the TTL for SRV records as specified by RFC-2181. Several internal c-ares definitions are used until c-ares contains a function that exposes all this information via a parsing function. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

BUILD: Add a config option for sssd user, own private directories as the user Adds a new configure-time option that lets you select the user to run SSSD as. The default is 'root' for backwards compatibility. The directories the deamon stores its private data at are also created as owned by this user during install time. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

build: call AC_BUILD_AUX_DIR before anything else sssd's configure.ac (abridged) contains these lines: AC_INIT([sssd], ...) m4_ifdef([AC_USE_SYSTEM_EXTENSIONS], [AC_USE_SYSTEM_EXTENSIONS], [AC_GNU_SOURCE]) AC_CONFIG_AUX_DIR([build]) When turned into configure, this will be emitted: ac_aux_dir= for ac_dir in build "$srcdir"/build; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break However, with automake commit v1.14.1-36-g7bc5927, this will be emitted instead: ac_aux_dir= for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break As configure no longer looks into build/ for install-sh, running ./configure fails: configure: error: cannot find install-sh, install.sh, or shtool in "." "./.." "./../.." I think the error is that someone placed AC_BUILD_AUX_DIR too late. Move it upwards. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

TESTS: Add a test to change user IDs Adds a unit test using the nss_wrapper and uid_wrapper libraries that exercises the ability to become another user. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Detect nss_wrapper and uid_wrapper during configure Unit testing the utilities to become another user requires the use of the cwrap libraries. This patch augments our build system with macros to detect the nss_wrapper and and uid_wrapper libraries. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Use $(MKDIR_P) in Makefile.am It was suggested by the Fedora automake maintainer to use the autoconf macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is more portable and might actually expand to something else than "mkdir -p" on some platforms (usually it would be a variant of install.sh) Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

libwbclient: avoid collision with Samba version Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

libwbclient: make build optional Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

NFSv4 client: add to build system Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Roland Mainz <rmainz@redhat.com>

libwbclient: SSSD implementation This patch implements the libwbclient API for Samba daemons and utilities. The main purpose is to map Active Directory users and groups identified by their SID to POSIX users and groups identified by their POSIX UIDs and GIDs respectively. The API is not fully implemented because SSSD does not support some AD features like WINS or NTLM. Additionally this implementation has its focus on the file-server use case and hence does not implement some features which might be needed for a domain controller use case. Some API calls are generic and independent of the backend like e.g. converting binary SIDs and GUIDs into a string representation and back or memory allocation and deallocation. These parts are taken from the original Samba sources together with copyright and authors. Files with'_sssd' as part of the name contain the SSSD related calls. Resolves: https://fedorahosted.org/sssd/ticket/1588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD-GPO: Store policy settings in local files Reviewed-by: Sumit Bose <sbose@redhat.com>

BUILD: Add the DBus service activation The system bus has the ability to start services on demant. This patch adds the sysbus service activation file that, currently, only calls the sss_signal tool to signal the monitor. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

CONFIGURE: Prefer python2 The configure script failed with python3 checking for python... /usr/bin/python checking for python version... 3.3 checking for python platform... linux checking for python script directory... ${prefix}/lib/python3.3/site-packages checking for python extension module directory... ${exec_prefix}/lib64/python3.3/site-packages checking for headers required to compile python extensions... File "<string>", line 1 import sys; print sys.prefix ^ SyntaxError: invalid syntax File "<string>", line 1 import sys; print sys.exec_prefix ^ SyntaxError: invalid syntax not found configure: error: Could not find python headers Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

sss_sifp: build https://fedorahosted.org/sssd/ticket/2254 Reviewed-by: Sumit Bose <sbose@redhat.com>

AUTOCONF: Move detection of samba libraries to one file Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD-GPO: add libsmbclient to makefiles Reviewed-by: Sumit Bose <sbose@redhat.com>

CONFIGURE: Remove duplicate detection of pam The same test is in file src/external/pam.m4 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

BUILD: Make samba4 libraries optional Samba 4 libraries are necessary for building {ad, ipa} provider, but samba4 needn't be available on older distributions. This patch add possibility to build SSSD without {ad, ipa} provider and thus without Samba 4 libraries. The script configure have new argument --with-samba with default value yes. Reviewed-by: Michal Židek <mzidek@redhat.com>

sss_config: build Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Makefile: Use alternative method to replace *bindir https://www.gnu.org/software/autoconf/manual/autoconf-2.67/html_node/Installation-Directory-Variables.html Most of these variables have values that rely on prefix or exec_prefix. It is deliberate that the directory output variables keep them unexpanded: typically ‘@sbindir@’ is replaced by ‘${exec_prefix}/sbin’, not ‘/usr/local/sbin’. This behavior is mandated by the GNU Coding Standards. Installation directory variables (sbindir, pkgdatadir ...) should be used only in makefiles. Similarly, we should not rely on AC_CONFIG_FILES to replace sbindir and friends in shell scripts and other files; instead, let make manage their replacement. Resolves: https://fedorahosted.org/sssd/ticket/2293 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IFP: Re-add the InfoPipe server Related: https://fedorahosted.org/sssd/ticket/2072 This commit only adds the responder and the needed plumbing. No DBus related code is in yet.

Remove --with-distro-version Remove support for "--with-distro-version" configure option as unused. The option was added in August 2011 (d3da1c1). As of now nothing seems to use it. Packaging checked: rpm, deb, pacman, ebuilds, FreeBSD ports. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Simplify enabling journald on installed systems systemd supports overrides of the standard service file to be placed in /etc/systemd/system/<service>.service.d/ With this patch, we will install a commented-out override file to /etc that will instruct the user on how to enable logging to journald. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

BUILD: Explicitly link libsss_ad.so with sasl libs If openldap is not built with sasl support libsss_ad.so will not be linked with libsasl2 although sasl_client_init is called by function ad_sasl_initialize.

Add CIFS idmap plugin https://fedorahosted.org/sssd/ticket/1534

Add journald support

Enable printf format string checking https://fedorahosted.org/sssd/ticket/1945

AUTOTOOLS: More robust detection of inotify. We checked only header file "sys/inotify" for detection whether inotify works. Some platforms do not have built in inotify, but contain library, which provides inotify-compatible interface. This patch adds more robust detection of inotify in configuration time and appends linker flags to Makefile if inotify is provided by library.

AUTOTOOLS: Refactor unicode library detection If $libdir is not in default library path libunistring cannot be found. (pkg-config can not be used in this case). This patch helps to search libunistring in "$libdir" directory. In refactoring part, indentation was updated to be more readable and some duplicated parts were removed.

AUTOMAKE: Use portable way to link with dlopen

CONFIGURE: Get rid of bashism

UTIL: Create new wraper header file sss_endian.h Some platform have header file endian.h and anothers have sys/endian.h. We nedd to use conditional build to handle it correctly, therefore new header file sss_endian.h was created.

Fix autotols warnings: macro xyz not found in library

BUILD: Use pkg-config to detect cmocka

init script: source /etc/sysconfig/sssd https://fedorahosted.org/sssd/ticket/1959

Configure SYSV init scripts properly Previously, these contained hard-coded paths. Now they are populated correctly by the configure script. https://fedorahosted.org/sssd/ticket/1986

subdomains: touch krb5.conf when creating new domain-realm mappings https://fedorahosted.org/sssd/ticket/1815

Check NSCD configuration file https://fedorahosted.org/sssd/ticket/1785 nscd.conf file is now checked for the presence of caching settings for databases controlled by SSSD. Syslog warning is now written only if NSCD is running with interfering configuration or if configuration file couldn't be loaded. New configure option added to support non-standard locations --with-nscd-conf=PATH (defaultly set to /etc/nscd.conf) This is just a workaround until the following bugzilla is resolved: https://bugzilla.redhat.com/show_bug.cgi?id=963908

Add client library for SID related lookups This patch add a library for client side lookups for a SID or with a SID through the calls: - sss_nss_getsidbyname - sss_nss_getsidbyid - sss_nss_getnamebysid - sss_nss_getidbysid The library is called libsss_nss_idmap and the contributed spec file will create two new packages libsss_nss_idmap and libsss_nss_idmap-devel.

DNS sites support - add AD SRV plugin https://fedorahosted.org/sssd/ticket/1032

Provide libnl3 support https://fedorahosted.org/sssd/ticket/812 Update the monitor code to be using the new libnl3 API. Changed configure option --with-libnl By default, it tries to build with libnl3, if not found, then with libnl1, if this isn't found either, build proceeds without libnl, just with warning. Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given version, if not found, configure ends with error.

sssd-1.8.0: work around a bug in cov-build from Coverity

Move signal.m4 from src/util to external

BUILD: Always run distcheck and RPM tests in /dev/shm Some of the tests (such as the sysdb tests) are highly I/O limited. By running them on a ramdisk, we can significantly speed up the test runs when doing a distcheck or RPM build. https://fedorahosted.org/sssd/ticket/1840

BUILD: Fix cmocka detection We were not properly detecting that cmocka was unavailable. It was expecting an empty value and getting "no" instead. This patch corrects the expectation, so we will now skip building and running cmocka tests on platforms that do not have it available. Also, we were missing the cmocka header files in the distribution tarball, so 'make distcheck' was failing.

Detect the presence of libcmocka during configure

TOOLS: Compile on old platforms such as RHEL5 Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag

Require ar in configure.ac This seems to be a change in recent autotools. I was getting a lot of messages such as: /usr/share/automake-1.12/am/ltlibrary.am: warning: 'libipa_hbac.la': linking libtool libraries using a non-POSIX /usr/share/automake-1.12/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'

Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo

Check if the SELinux login directory exists https://fedorahosted.org/sssd/ticket/1492

Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client https://fedorahosted.org/sssd/ticket/1460

libcrypto fully implemented Implemented working versions of the following functions for libcrypto: sss_base64_encode sss_base64_decode sss_hmac_sha1 sss_password_encrypt sss_password_decrypt test_encrypt_decrypt now expects EOK from libcrypto. test_hmac_sha1 now expects EOK from libcrypto. Added test_base64_encode to test base64 encoding implementation. Added test_base64_decode to test base64 decoding implementation. Signed-off-by: George McCollister <George.McCollister@gmail.com>

PAC client: add krb5 authdata plugin

PAC responder: add basic infrastructure This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.

Make krb5_ccname_template and krb5_ccachedir configurable

SSSDConfig: Make default config and schema file locations configurable https://fedorahosted.org/sssd/ticket/1008

Add idmap library

nsssrv: shared memory cache server initialization

Make sudo installation path configurable, install into libdir by default

BUILD: Introduce a --with-ssh config option

BUILD: Introduce a --with-autofs config option This would allow to select the autofs feature during build without having to select the other features.

SUDO: introduce a new config option --with-sudo At the time being the option is also turned on when --enable-all-experimental-features is specified. https://fedorahosted.org/sssd/ticket/1145

Use profiling Docbook XSLT only if available, fall back to normal

SUDO: Provide documentation for the SUDO API

Export libsss_sudo as a separate package

Add a configure switch to specify 3rd party app libraries location

make dist fixes Use pax format for tar as it is the only one that will succeed (albeit spitting warnings) to create a tar file if user UID values are above ~2M

SUDO integration - client common interface

Added sssd --version option https://fedorahosted.org/sssd/ticket/953

Allow using Glib for UTF8 support

BUILDSYS: Fix --without-manpages We weren't honoring the --without-manpages option, and this was causing builds to break. Note: 'make dist[check]' will not work if you have configured with --without-manpages because it will not be able to pre-generate the translation files necessary for tarball release.

Unbreak ./configure ./configure at least from 1.5.13 is failing on Ubuntu Oneiric. The node ``Conditionals'' of automake manual states: Note that you must arrange for _every_ `AM_CONDITIONAL' to be invoked every time `configure' is run. If `AM_CONDITIONAL' is run conditionally (e.g., in a shell `if' statement), then the result will confuse `automake'. So the trick is to run AM_CONDITIONAL unconditionally.

Improve documentation of libipa_hbac

Add option to specify the kerberos replay cache dir Adds a configure option to set the distribution default as well as an sssd.conf option to override it. https://fedorahosted.org/sssd/ticket/980

sss_client: avoid leaking file descriptors If a pam or nss module is dlcolse()d and unloaded we were leaking the file descriptor used to communicate to sssd in the process. Make sure the fucntion used to close the socket file descriptor is called on dlclose() Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)

libipa_hbac: Support case-insensitive comparisons with UTF8

Fix python HBAC bindings for python <= 2.4 Several parts of the HBAC python bindings did not work with old Python versions, such as the one shipped in RHEL5. The changes include: * a compatibility wrapper around python set object * PyModule_AddIntMacro compat macro * Py_ssize_t compat definition * Do not use PyUnicode_FromFormat * several function prototypes and structures used to have "char arguments where they have "const char *" in recent versions. This caused compilation warnings this patch mitigates by using the discard_const hack on python 2.4

Add HBAC evaluator and tests

Remove unused defines from configure.ac

Set _GNU_SOURCE globally

Add new options to override shell value https://fedorahosted.org/sssd/ticket/742

Disable libcrypto code

Warn that some crypto features are implemented in NSS only

Require openssl-devel is libcrypto backend is selected

Only check systemd unit dir if systemd is selected

Provide a configuration option to use systemd unit file https://fedorahosted.org/sssd/ticket/837

Remove support for pre-1.1 netlink Netlink 1.0 and older is buggy and unreliable, occasionally causing tight-loops. We're no longer going to try to support it. https://fedorahosted.org/sssd/ticket/755

Make manual pages translatable Utilizes PO4A to extract translatable strings from Docbook XML sources and allows translators to submit ordinary .PO files. PO4A then generates translated Docbook documents that can be used to generate translated end user documentation. https://fedorahosted.org/sssd/ticket/297

sss_client: make code thread-safe Add mutexes around nss operations and serialize them. This is necessary because nss operations may have global state. For pam it is sufficient to protect socket operations instead. As pam functions use only the provided pam handler. Fixes: https://fedorahosted.org/sssd/ticket/640

Package systemd unit file So far, the systemd unit file is only packaged but not used in any of the packaged spec files. Fixes: #483

Add gentoo-specific init dir Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Add custom pam module dir Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Rewrite toplevel Makefile There is no longer a need to have nested Makefiles and configure scripts. This patch combines the src/ Makefile and configure.ac into the root.

Remove common directory All files formerly in common are now being built individually out of the ding-libs repository. git clone git://git.fedorahosted.org/git/ding-libs.git

Rename server/ directory to src/ Also update BUILD.txt

Eliminate separate build tree for sss_client

Remove replace

Add 'prerelease-srpms' target to Makefile This target is available only if building from a git checkout. It will automatically populate the PRERELEASE_VERSION in version.m4 with the current datestamp and git commit id for creating an SRPM.

Use version.m4 for setting the SSSD version This is the preferred way of setting the version in a file, as autotools will properly monitor this file for changes and rerun autoconf/configure when necessary to update the version. This means that we don't need to manually perform an autoreconf in order to build a new RPM

Add PRERELEASE_VERSION variable for use in sssd.spec.in This will add a second, optional line to the VERSION file that will be used by the automated build scripts to create snapshot versions.

configure cleanups - replaced mailing list address - let sssd base components read version from VERSION

Move RPM specfiles into contrib/ Support RHEL 5 in the spec file

Update version to 0.5.0 Update gettext strings

Update version to 0.4.1

Use freeipa-devel@redhat.com for bug reports

Convert top-level of SSSD to automake. Also update RPM spec and build procedures.