d2633d922eeed68f92be4248b9172b928c189920 |
|
25-Apr-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Augment the sdap_opts structure with a data provider pointer
In order to be able to use the Data Provider methods from the SDAP code
to e.g. invalidate memcache when needed, add a new field to the
sdap_options structure with the data_provider structure pointer.
Fill the pointer value for all LDAP-based providers.
Related:
https://pagure.io/SSSD/sssd/issue/2653
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
9ac071272ce0152eb293d3181a5c12b395655521 |
|
13-Feb-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Use the right sdap_domain for the forest root
Each ad_id_ctx structure which represents a trusted AD domain contains a
list of sdap_domain structures representing all the other domains. This
is used to e.g. be able to reach another domain's ad_id_ctx and use its
LDAP connection.
However, the sdap search call that was searching for trusted domains in
the forest that the root domain knows about was unconditionally using
the first sdap_domain structure in the list linked from the root_domain's
ad_id_ctx structure.
It should be noted that this search only happens in case the machine is
joined to one of the non-root domains in the forest and searches the root
domain explicitly.
In case sdap_domain structures linked from the ad_id_ctx representing
the root domain were ordered so that the first sdap_domain in the list
was representing a different domain than the one linked from the
ad_id_ctx, the sdap search would have used a wrong search base derived
from the unexpected sdap_domain which would result in a referral being
returned.
This patch explicitly looks up the sdap_domain structure that
corresponds to the root domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/3594
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
29ebf45f96b13590ae76a19c7c16c53f172e4ae4 |
|
16-Jan-2018 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Inherit the MPG setting from the main domain
If the auto_private_groups option was set in the domain section for
direct integration, it only had an effect on the joined domain, not any
of the subdomains, so requesting a user from the child domain would look
like this:
$ id childuser@child.win.trust.test
uid=30000(childuser@child.win.trust.test) gid=40000(usergroup@child.win.trust.test) groups=40000(usergroup@child.win.trust.test)
The expected result, visible after this patch is:
$ id childuser@child.win.trust.test
uid=30000(childuser@child.win.trust.test) gid=30000(childuser@child.win.trust.test) groups=30000(childuser@child.win.trust.test),40000(usergroup@child.win.trust.test)
Resolves:
https://pagure.io/SSSD/sssd/issue/3613
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
fb0431b13a9fcd8ac31e622503acbd10d2b73ac9 |
|
02-Nov-2017 |
Pavel Březina <pbrezina@redhat.com> |
AD: Remember last site discovered in sysdb
This can speed up sssd startup.
Resolves:
https://pagure.io/SSSD/sssd/issue/3265
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6bd6571dfe97fb9c6ce9040c3fcfb4965f95eda1 |
|
14-Aug-2017 |
Petr Čech <pcech@redhat.com> |
UTIL: Set udp_preference_limit=0 in krb5 snippet
We add udp_preference_limit = 0 to the krb5 snippet if the AD provider is
used. This option enables TCP connections before UDP when sending
a message to the KDC.
Resolves:
https://pagure.io/SSSD/sssd/issue/3254
Signed-off-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com> |
386c5f2e134beb6fcfc474f347e226ac0dedfef5 |
|
11-Jul-2017 |
Michal Židek <mzidek@redhat.com> |
SDAP: Add sdap_domain_copy_search_bases
Add function to copy search bases from one sdap_domain to
another.
Resolves:
https://pagure.io/SSSD/sssd/issue/3435
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
630aea13063c4b242b3433d16ca4346a1a38429b |
|
21-Jun-2017 |
Michal Židek <mzidek@redhat.com> |
SDAP: Update parent sdap_list
Update parent sdap_list with newly created subdomain sdap domain.
Previously, we inherited the parent sdap_list and used it also in the
subdomain's context (this was introduced recently with commit
c4ddb9ccab670f9c0d0377680237b62f9f91c496), but it caused problems
that were difficult to debug (somewhere we rewrote part of the list
incorrectly).
This patch reverts to the previous behavior, where every subdomain
has its own sdap_list; however, this time the parent domain's
sdap_list is updated so that it has correct information about the
search bases of the child domains.
We should ideally have just one sdap_list to avoid the updating
completely, but this would require more refactoring in the sdap
code.
Resolves:
https://pagure.io/SSSD/sssd/issue/3421
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c4ddb9ccab670f9c0d0377680237b62f9f91c496 |
|
19-May-2017 |
Michal Židek <mzidek@redhat.com> |
AD SUBDOMAINS: Fix search bases for child domains
When using direct AD integration, child domains did not respect
the sssd.conf configuration of search bases.
There were a few issues, all of which are fixed in this small
patch.
The first problem was that the sdap domain list was not properly
inherited from the parent in the child domains and the children
always created their own sdap domain lists that were disconnected
from the parent context and never used.
The second issue was that the child domain did not call the function
to reinit the search bases after the sdap_domain was added to the
list of sdap domains. This caused child domains to always use
automatically detected search bases and never the configured
ones, even though they were properly read into the ID options
context attached to the subdomain.
There was also an issue that the sdap search bases
were rewritten by the new child domain initialization
(this only happened with more than one child domain)
because the sdap domain list was 'updated' every time
a new child domain was initialized, which meant that
only the main domain and the last child domain had proper
search bases; the others had only the auto-discovered ones
(because they were overwritten with the 'update').
Resolves:
https://pagure.io/SSSD/sssd/issue/3397
Reviewed-by: Sumit Bose <sbose@redhat.com> |
feeabf273aa7af580552366ce58655e6a482a0cd |
|
28-Apr-2017 |
Sumit Bose <sbose@redhat.com> |
ad: handle forest root not listed in ad_enabled_domains
Although users and groups from the forest root should be ignored, SSSD
will still try to get information about the forest topology from a DC
from the forest root. So even if the forest root domain is disabled, we
should make sure it is usable for those searches.
Resolves https://pagure.io/SSSD/sssd/issue/3361
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a63d74f65db2db7389cd373cb37adcdaaa2d56ea |
|
29-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
SUBDOMAINS: Allow use_fully_qualified_names for subdomains
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.
Resolves:
https://pagure.io/SSSD/sssd/issue/3337
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
e0e038218580166648ac24f23180f0f4c2769d99 |
|
29-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
UTIL: Introduce subdomain_create_conf_path()
This is a utility function that replaces the create_subdom_conf_path().
Unlike the latter, it only takes one parameter and is going to
be used in a few different places (thus adding it to util.h).
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukas Slebodnik <lslebodn@redhat.com> |
62a1570f01053ec61e894ee3e58fc759ee809c6e |
|
15-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
SUBDOMAINS: Allow options ad(_backup)_server
Allow the following options in the subdomain section:
ad_server
ad_backup_server
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
231bd1b34023daa3080cf461085e6e4aa7f4d733 |
|
15-Mar-2017 |
Michal Židek <mzidek@redhat.com> |
SUBDOMAINS: Configurable search bases
Added a new trusted domain section in the sssd.conf where the
search bases for the trusted domain can be specified.
Resolves:
https://pagure.io/SSSD/sssd/issue/2599
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e947a871f7d3cfc4389e981a147fe10bedca0569 |
|
08-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Use ad_domain to match forest root domain, not the configured domain from sssd.conf
If the sssd.conf domain name was different from the joined domain name,
but sssd was joined to the forest root, the AD subdomains code considered
sssd joined to a non-root domain and tried to discover the forest root.
This could be reproduced by joining sssd to a domain, for example
win.trust.test but calling the sssd.conf domain otherwise, for example:
[domain/addomain]
ad_domain = win.trust.test
This is/was a frequent use-case in the RHEL world, where authconfig
often names the sssd.conf domain 'default'.
Without the patch, the trusted domains were not detected.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ea11ed3ea6291488dd762033246edc4ce3951aeb |
|
10-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
IPA/AD: check auth ctx before using it
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch implied that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.
Resolves https://fedorahosted.org/sssd/ticket/3234
Reviewed-by: Petr Cech <pcech@redhat.com> |
ba26252f43409a2e4c3d2396e4e7a21584bd725a |
|
17-Aug-2016 |
Petr Cech <pcech@redhat.com> |
AD_PROVIDER: ad_enabled_domains - other than master
We can skip looking up other domains if
option ad_enabled_domains doesn't contain them.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
49f38702e62bbd1728757063ba407444e6270952 |
|
17-Aug-2016 |
Petr Cech <pcech@redhat.com> |
AD_PROVIDER: ad_enabled_domains - only master
We can skip looking up other domains if option ad_enabled_domains
contains only the master domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a82baf596bac1fdac6addca6419d8992111a8aa2 |
|
17-Aug-2016 |
Petr Cech <pcech@redhat.com> |
AD_PROVIDER: Initializing of ad_enabled_domains
We add ad_enabled_domains into ad_subdomains_ctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2828
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
778f241e78241b0d6b8734148175f8dee804f494 |
|
16-Aug-2016 |
Pavel Březina <pbrezina@redhat.com> |
failover: mark subdomain service with sd_ prefix
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
44656ce260030556820c4b6be519e66ffdacb408 |
|
25-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
AD: netlogon_get_domain_info() allow missing arguments and empty results
netlogon_get_domain_info() should not fail if not all parameters can be
retrieved. It should be the responsibility of the caller to see if the
needed data is available and act accordingly.
Resolves:
https://fedorahosted.org/sssd/ticket/3104
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
20348a30feb4be619b3b691c24c9be8131507c46 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: make subdomain calls aware of upn_suffixes
sysdb_subdomain_store() and sysdb_update_subdomains() can now update
upn_suffixes as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
132b31fd5fb74a7627896cdceaf29c7601ed4795 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add UPN suffix support for the master domain
sysdb_master_domain_update() and sysdb_master_domain_add_info() are now
aware of the UPN suffix attribute.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 |
|
06-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA/AD: globally set krb5 canonicalization flag
If Kerberos principal canonicalization is configured in SSSD, currently
it is the default for the IPA provider, a configuration snippet is
generated for the system-wide libkrb5 configuration so that all
kerberized applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c02b8482375837b57cb618ed56d4bede0e006d9d |
|
18-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Remove braces from DEBUG statements
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc4caf88344210ea9777d618f0f71935ca5e7f8b |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
AD: use krb5_keytab for subdomain initialization
During the initialization of AD subdomains parameters like the SASL auth
id are determined. Since subdomains use a default set of the AD specific
configuration options the default keytab will be used. If krb5_keytab is
set in sssd.conf for the AD domain this keytab should be used for the
subdomains (domains of the same AD forest) as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4afc1f2b6ca066d30d2be5ccda9fa760b5a6016e |
|
10-Dec-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Reduce code duplication in the callback handlers
Instead of calling sbus_request_return_and_finish() directly with the
same checks copied over, add a be_sbus_reply() helper instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
877b92e80bde510d5cd9f03dbf01e2bcf73ab072 |
|
23-Oct-2015 |
Michal Židek <mzidek@redhat.com> |
util: Update get_next_domain's interface
Update get_next_domain to be able to include disabled domains and
change the interface to accept flags instead of multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
101628a48d25ffae3b13c75d0b0b01577188c803 |
|
30-Sep-2015 |
Pavel Reichl <preichl@redhat.com> |
AD: initialize root_domain_attrs field
Resolves:
https://fedorahosted.org/sssd/ticket/2805
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
ece345a74cec793e6d970a4955beb3d4a05935b3 |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Set ignore_mark_offline=false when resolving AD root domain
https://fedorahosted.org/sssd/ticket/2637
Avoid going offline in cases where SSSD is connected to a child domain
but the root domain is not accessible.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b5825c74b6bf7a99ae2172392dbecb51179013a6 |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Convert domain->disabled into tri-state with domain states
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for a domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
de2bad8ae08f09964834bda0f88db9de39f47c5c |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA/AD: Set up AD domain in ad_create_2way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
Removed code duplication. Amends unit test to make sure we don't
regress.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
51b5e1475b3e0b7acac34ed382cfaca8411883a4 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Rename ad_create_default_options to ad_create_2way_trust_options
Related:
https://fedorahosted.org/sssd/ticket/2638
Better reflects what's going on in the function. Also adds a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9af86b9c936d07cff9d0c2054acde908749ea522 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add realm to sysdb_master_domain_add_info
Adding realm to both master domain and subdomain will make it easier to
set and select forest roots. Since even master domains can be forest
members, it's preferable to avoid special-casing as much as possible.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ea224c3813a537639778f91ac762732b3c289603 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Store trust direction for subdomains
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9b162bf39ef75629f54ffa1d0bd5f9c13119b650 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e438fbf102c3d787902504bdae177e84230cbbc9 |
|
26-Jan-2015 |
Pavel Reichl <preichl@redhat.com> |
AD: support for AD site override
Override AD site found during DNS discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4fa184e2c60b377fd71e0115a618bd68dc73627d |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
AD/IPA: add krb5_confd_path configuration option
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
06424c5ac5ffb871476208155762bb5b73e0b665 |
|
16-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Always write capaths
We used to only generate the [capaths] section on the IPA server itself,
when running in a trusted setup. But we also found out that the capaths
are often required to make SSO fully work, so it's better to always
generate them.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
db18dda869bc6c52a41797b2066cf121cf10f49c |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
UTIL: rename find_subdomain_by_name
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
edf96099f719e591e98be20af416a32cb4aeea73 |
|
18-Jun-2014 |
Pavel Reichl <preichl@redhat.com> |
AD: cleanup redundant #define statements
Resolves:
https://fedorahosted.org/sssd/ticket/2185
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
60cab26b12df9a2153823972cde0c38ca86e01b9 |
|
13-May-2014 |
Yassir Elley <yelley@redhat.com> |
Implemented LDAP component of GPO-based access control
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
66e1502f956ee71de6cd51c37f7752f8aa14f5f5 |
|
13-May-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Do not remove non-root domains when looking up root domain
https://fedorahosted.org/sssd/ticket/2322
When the AD subdomains code looked up the root domain subsequently
(after the domain list was already populated), the non-root domains
might have been removed along with their respective tasks, because the
root domain lookup only ever matched a single root domain.
This could cause havoc especially during login when different lookups
for different domains might be going on during user group refresh.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
cef2384a3a6fc1a1637c6a55e2bced93d28e8fca |
|
30-Apr-2014 |
Pavel Reichl <preichl@redhat.com> |
AD Provider: bug-fix uninitialized variable
ad_subdomains_refresh() always sets a value for the output parameter 'changes' if EOK is returned.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
8653b547d6142b69c62daa3cd74c251b2b9aecb7 |
|
10-Apr-2014 |
Stephen Gallagher <sgallagh@redhat.com> |
AD Provider: Fix crash looking up forest on Samba 4
We were assuming that the forest had been looked up by netlogon, but
this is not available on Samba 4 domains. We need to check that the
forest is NULL and force the lookup.
Resolves:
https://fedorahosted.org/sssd/ticket/2311
Reviewed-by: Sumit Bose <sbose@redhat.com> |
e306ec431ccbe3df99e890767658dab217b1be94 |
|
02-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: connect to forest root when downloading the list of subdomains
https://fedorahosted.org/sssd/ticket/2285
Only the forest root has the knowledge about all the domains in the
forest, the forest leaves only see themselves and the forest root.
This patch switches to connecting to the forest root for downloading the
trusted domains instead of the server we are connected to.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
    mv "$f"{,.orig}
    perl -e \
        'use strict;
         use File::Slurp;
         my $text=read_file(\*STDIN);
         $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
         print $text;' < "$f.orig" > "$f"
    rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
b4ffa4d19e912740af6df3c1a4fabcea69729885 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Establish cross-domain memberships after enumeration finishes
Because domain enumeration currently works for each domain separately,
the code has to establish cross-domain memberships after all domains are
enumerated. The code works as follows:
1) check if any *sub*domains were enumerated. If not, do nothing
2) if any of the groups saved had more original members than
sysdb members, check if members of these groups can be linked now
that all users and groups are saved using the orig_member
attribute of the group matched against originalDN member of the
user.
Related:
https://fedorahosted.org/sssd/ticket/2142 |
f8407faaeb6726bef6463d84f183f2b0ad1f99d4 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration. |
21767bbb68c826b0bbd9ff55db28375f6681b9fb |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Store info on whether a subdomain is set to enumerate
Depending on the state of the subdomain_enumerate variable, the newly
created subdomain object is created with the right value of "enumerate"
attribute in the sysdb. |
17195241500e46272018d7897d6e87249870caf2 |
|
09-Jan-2014 |
Pavel Reichl <pavel.reichl@redhat.com> |
responder: Set forest attribute in AD domains
Resolves:
https://fedorahosted.org/sssd/ticket/2160 |
002257695e8c05cc5482a00465fe6b72ea4476ff |
|
18-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Refresh subdomain data structures on startup
Previously, if no changes were done to the list of subdomains, the SSSD
didn't update its list of sdap_domain mappings for the new subdomain.
This resulted in errors as no id_ctx was present for the subdomain
during lookup.
This patch moves the block of code performed during update to a function
of its own and calls it during provider initialization as well. |
87a6f8fca5fb818d11b7702abb47faf2f3f00b79 |
|
13-Dec-2013 |
Sumit Bose <sbose@redhat.com> |
AD: use LDAP for group lookups
The group memberships cannot be reliably retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all and the member attribute is copied from the local LDAP instance
to the GC running on the same host, but is only replicated to other GC
instances for groups with universal scope. Additionally the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domain than the one the GC belongs to.
As a result the requests which try to resolve group memberships of an
AD user have to go to an LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect. |
2b4b6b829f197493b4901bec96fefaadbc7a2464 |
|
09-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SUBDOMAINS: Reuse cached results if DP is offline
If Data Provider was unable to refresh the subdomain list, the
sss_domain_info->subdomains list was NULL, which meant that no DP
request matched any known domain and hence offline authentication was
not working correctly.
Resolves:
https://fedorahosted.org/sssd/ticket/2168 |
c56da2ccf852c403b21dd987de8bae451654e95a |
|
08-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Initialize sid_str to NULL to avoid freeing random data
If any function before failed, sss_idmap_free_sid() might have been
called with random data. |
4537e95f6741ae05ec620e5b46ca1d4a3a1ceae5 |
|
07-Nov-2013 |
Pavel Březina <pbrezina@redhat.com> |
free idmapped SIDs correctly
Resolves:
https://fedorahosted.org/sssd/ticket/2133 |
f52be2a69821d418ee2d3d7d820e017f8d045b51 |
|
29-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
ad_subdom_store: check ID mapping of the domain not of the parent |
da34cf4ca360922f1bb9013d58108cf194f4286e |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
ad: destroy ptasks when subdomain is removed
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
d19e343d3fcb0780300d69ba5813ca4762ca9b98 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: free sdap domain if subdomain is removed
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
cd4cc8d8829f1ea5257bf874b91980368114275f |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: make subdomains refresh interval configurable
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
fdda4b659fa3be3027df91a2b053835186ec2c59 |
|
25-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
When libsss_idmap was only used to algorithmically map a SID to a POSIX
ID, a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we rely on the fact that
external mapping is always used as a default if no specific
information about the domain is found. This led to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this. |
c2aeea38addda1a07e60adbc3451f11b640f7bf1 |
|
27-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: talk to GC first even for local domain objects
Related: https://fedorahosted.org/sssd/ticket/2070
Since we are recommending to configure the POSIX attributes so that they
are replicated to the Global Catalog, we can start connecting to the GC
by default even for local users. If the object is not matched in the GC,
there is a possibility to fall back to LDAP. |
bbd43fbcd8f70eedeac4e4ce01c36256cde82ab1 |
|
27-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
ipa_server_mode: write capaths to krb5 include file
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root, the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC, but this work requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC, this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093 |
c5711b0279ea85d69fe3c77dfb194360c346e1d7 |
|
27-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
IPA: store forest name for forest member domains
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest. |
09b915007009b3e7a0942630fae132a6c534e349 |
|
20-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Failure to get flat name is not fatal
https://fedorahosted.org/sssd/ticket/2067
Some AD or AD-like servers do not contain the netlogon attribute in the
master domain name. Instead of failing completely, we should just abort
the master domain request and carry on. The only functionality we miss
would be getting users by domain flat name. |
31ad608192c24eb56cf7a8294f6bfc080893193c |
|
18-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: async request to retrieve master domain info
Adds a reusable async request to download the master domain info. |
a473fb88e6015cf0ccbd2e9005c7e6acca18f452 |
|
17-Sep-2013 |
Pavel Březina <pbrezina@redhat.com> |
util: add sss_idmap_talloc[_free]
Remove code duplication. |
b3458bbb5315b05d7ac1abc58f1c380761756603 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Store enumerate flag for subdomain |
a4644da8f2bd25621ae159d753ffb66df9594dc8 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
DB: remove unused realm parameter from sysdb_master_domain_add_info
The parameter was not used at all. |
4e3ba17a3376b635cb0d9ae60a6d4e712ded01a0 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Move storing sdap_domain for subdomain to generic LDAP code
Makes creating the sdap_domain structure for a subdomain reusable
outside AD subdomain code where it was created initially.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962 |
09d7c105839bfc7447ea0f766413ed86675ca075 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Save mpg state for subdomains
The information whether a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache. |
58dd26b1c5b60ee992dd5d1214bb168aebb42d54 |
|
27-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Write out domain-realm mappings
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains. |
49f3aebcc8614d483c5753109a9d65aa33d301ea |
|
12-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the correct talloc context when creating AD subdomains
sdom was only ever guaranteed to be set when a new domain was being
created. sditer is a valid pointer in both cases, so just use that. |
2a40ee7639baff182bb516d1e3d6effaf8e7619e |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Store trusted AD domains as subdomains
https://fedorahosted.org/sssd/ticket/364
Looks up trusted domain objects in the LDAP and stores them as AD
subdomains.
Currently only trusted domains that run NT5 or newer from the same forest
are looked up and stored. |
749cfb5d3270b5daf389d51a0dbd3fd2aec6e05d |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: new SDAP domain structure
Previously an sdap_id_ctx was always tied to one domain with a single
set of search bases. But with the introduction of Global Catalog
lookups, primary domain and subdomains might have different search
bases.
This patch introduces a new structure sdap_domain that contains an sssd
domain or subdomain and a set of search bases. With this patch, there is
only one sdap_domain that describes the primary domain. |
dcb44c39dda9699cdd6488fd116a51ced0687de3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global Catalog. The provider would contact a
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches. |
d64f5d53213a34342332ef79b333b3202f95e6bd |
|
22-May-2013 |
Sumit Bose <sbose@redhat.com> |
Fix return code for AD subdomain request |
574061e65d3fb687b9cb2c757afa1fe92812245e |
|
15-May-2013 |
Lukas Slebodnik <lslebodn@redhat.com> |
Fix segfault in AD Subdomains Module
In function ad_subdomains_get_netlogon_done:
If variable "reply_count" is zero then variable "reply" will not be
initialized. Therefore we should not continue. |
4cdaf239d4504966bed8ecd5e3fa07def74c7302 |
|
07-May-2013 |
Sumit Bose <sbose@redhat.com> |
AD: read flat name and SID of the AD domain
For various features either the flat/short/NetBIOS domain name or the
domain SID is needed. Since the responders already try to do a subdomain
lookup when an unknown domain name is encountered, I added a subdomain
lookup to the AD provider which currently only reads the SID from the
base DN and the NetBIOS name from a reply of an LDAP ping. The results
are written to the cache to have them available even if SSSD is started
in offline mode. Looking up trusted domains can be added later.
Since all the needed responder code is already available from the
corresponding work for the IPA provider this patch fixes
https://fedorahosted.org/sssd/ticket/1468 |