4a9c1047354dbe5a4ed41e5951ae623e3772e113 |
|
29-Jan-2018 |
René Genz <liebundartig@freenet.de> |
Fix minor spelling mistakes in providers/*
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cb75b275d15beedd1fdecc1f8ced657fba282218 |
|
03-Nov-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add parameter --logger to daemons
Different binaries handled information about logging differently,
e.g. --debug-to-files --debug-to-stderr
And logging to journald was a special case of previous options
(!debug_file && !debug_to_stderr). It was also tied to the monitor option
"--daemon" and therefore logging to stderr was used in interactive mode
+ systemd Type=notify.
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
1185cbce8d5dd04e539ca74d8f9564e5715a78aa |
|
18-Oct-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DP: Log to syslog whether it's online or offline
Instead of requiring that admins enable and look at our logs, let's log
to syslog what's the DP status.
Resolves:
https://pagure.io/SSSD/sssd/issue/3307
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
60ec0db015c354349af445e0ec63f8b8421343fe |
|
18-Oct-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DP: Fix the output type used in dp_req_recv_ptr()
Related: https://pagure.io/SSSD/sssd/issue/3307
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
200787df74510f6edc9387cf9c33f133ccfc0ae3 |
|
27-Jul-2017 |
Pavel Březina <pbrezina@redhat.com> |
DP: Update viewname for all providers
Call sysdb_master_domain_update for backend domain upon initialization
to make view information available for later use by session recording
code, which will need to access overridden user and group names.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
bac0c0df377de4469c8f9310179eef04c7b091fa |
|
27-Jul-2017 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
DP: Load override_space into be_ctx
Add loading and storing the override_space configuration option to data
provider. That will be needed for formatting output user and group names
for matching against session recording configuration.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
5ea60d18ddb8eaff25d274c22c7db7df57b6ec4d |
|
27-Jul-2017 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
DP: Add session recording conf loading
Add session recording configuration loading to the data provider
initialization. To be used for matching users and groups with session
recording enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
91141c6ae6e6a255cfd66266581671ddd16086b3 |
|
08-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Remove signal.h from util/util.h
signal.h is not used directly by util/util.h. The header file signal.h
must be included in 19 files and after removing it from util.h it had to be
added only to 12 missing files. And util/util.h is included in 381 files.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
2d1a59f6c2cf3cf4667cf2d01b2d780db916db42 |
|
15-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Add a new domain state called DOM_INCONSISTENT
This is a new domain state that indicates to the responder that it
should always send a DP request because the provider is rebuilding the
cache.
Currently it will be only used by the files provider when it is updating
the cache to make sure sssd always returns current data and updating the
cache from files is not as racy.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
b46c4c0d3e364636af1b42683cd3229ffa0b77cb |
|
23-Jan-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
SBUS: Add a time_t pointer to the sbus_connection
The idea of this commit is to provide a way to update the time of the
last request coming from/going to the responders through sbus.
For now it's not used anywhere as all the functions that will pass their
time_t to the sbus_connection are currently passing NULL. It will be
used by follow-up patches.
Related:
https://fedorahosted.org/sssd/ticket/3245
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
eaff953c64678b93e4242b715d2cee47e59f86aa |
|
23-Jan-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
MONITOR: Pass the service type to the RegisterService method
Passing the service type to the RegisterService method will help us in
the future, for socket-activation, as we will need to differentiate
cases where the service being registered is still not in the services'
list but is a valid case and has to be added there as it was
socket-activated.
Related:
https://fedorahosted.org/sssd/ticket/2243
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
fd25e68446ae86135489edb0823607b394f4ec40 |
|
09-Nov-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MONITOR: Remove unused shutDown sbus method
The shutDown method has not been used or set for a long time. Trim the
internal interface by removing all references to this internal method.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
ab792150c97bd6eba1f8cd46653f41a0c64fd765 |
|
09-Nov-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
MONITOR: Remove deprecated pong sbus method
The pong method is deprecated since we started using the watchdog. Since
this is dead code, it makes sense to just remove it.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
75dead699a19dda7d8dfca89e2f97efbf0c264a2 |
|
12-Jul-2016 |
Petr Cech <pcech@redhat.com> |
PROVIDERS: Setting right {u,g}id if unprivileged
be_ctx had talloc_zero() initialized uid and gid which was used
in function dp_init(). Therefore back-end was every time started as root
and therefore non-root responders could not communicate with back-end
due to wrong permission of unix sockets.
This patch sets right uid and gid to data-providers if sssd runs
as non-root user.
Resolves:
https://fedorahosted.org/sssd/ticket/3077
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
50c2a57dea6d38a4f6753a917a5d745b07036325 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_refresh.h to be_refresh.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
3b99f7a97553a0a357d50abe507d4f0060c4ecea |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_ptask to be_ptask
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c42bd764452ecda95b7d8d3ce027c70b4ad5982c |
|
12-Jan-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Print warning when the handler is not configured
We would previously only print the generic warning, not the
user-supplied error message.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com> |
de1131abe5ba7aaeb59f81fc3a9cd2a71c0b52dd |
|
14-Dec-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
DEBUG: Add missing new lines
Reviewed-by: Petr Cech <pcech@redhat.com> |
0741237b3f9209af43d956216b3c2f09b90c4ebc |
|
10-Dec-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Reduce code duplication in Data Provider handlers
Instead of setting the three same variables over again, add a structure
be_sbus_reply_data with a default initializer BE_SBUS_REPLY_DATA_INIT.
The handlers can then set the structure to BE_SBUS_REPLY_DATA_INIT on
declaration or set a particular value with be_sbus_reply_data_set.
The handler can also reply to the message (typically on failure state)
with be_sbus_req_reply_data()
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4afc1f2b6ca066d30d2be5ccda9fa760b5a6016e |
|
10-Dec-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Reduce code duplication in the callback handlers
Instead of calling sbus_request_return_and_finish() directly with the
same checks copied over, add a be_sbus_reply() helper instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
17c1656db0a1c4153f80a893978c1c28a5784d55 |
|
20-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Do not confuse static analysers with dead code
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
e8ae3af6724164048a85c374ea8045a368a2d34e |
|
14-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Check callback messages for valid UTF-8
https://fedorahosted.org/sssd/ticket/2861
Messages passed from Data Provider to responder must be valid UTF-8
strings. Because providers might not be completely under our control,
we need to check if the messages we receive are valid UTF-8 and if they
are not, use a fallback.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
8bc6bc6d87127d615f7a81d7151cb46007feff63 |
|
14-Nov-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Drop dp_pam_err_to_string
Resolves:
https://fedorahosted.org/sssd/ticket/2861
All back end requests were using pam_strerror() to print additional info
about why request failed. Since pam_strerror() returns localized message
and we don't know the locale beforehand, this message failed to be
transferred through D-Bus, resulting in a crash.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
b2d7301516a8a6ca69e38999170da8a0ecb2bdba |
|
10-Nov-2015 |
Pavel Březina <pbrezina@redhat.com> |
BE: Add IFP to known clients
This gets rid of confusing debug message:
[be_client_destructor] (0x0020): Unknown client removed ...
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
99c5f2f6ba0af6ce52be0d82ec2794bacc215742 |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout
https://fedorahosted.org/sssd/ticket/2637
Adds a new Data Provider function be_mark_dom_offline() that is a
replacement for be_mark_offline(). When called, the function would
either set the whole back end offline, just like be_mark_offline or just
set the subdomain status to inactive.
When a subdomain is inactive, there is a singleton timed task that would
re-set the subdomain after offline_timeout seconds.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
376eaf187c13c2a1eaea0ffbdd970b6b563ab74c |
|
14-Sep-2015 |
Petr Cech <pcech@redhat.com> |
DATA_PROVIDER: BE_REQ as string in log message
Add be_req2str() for translating BE_REQ to string.
So we will have
|| Got request for [0x1001][FAST BE_REQ_USER][1][name=celestian]
instead of
|| Got request for [0x1001][1][name=celestian]
Function be_req2str() is used in data provider and in responder too.
So this patch creates a new header file data_provider_req.h which
delivers function be_req2str() and definitions of BE_REQ_*.
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
cdc44abdf944b0de541fe93ecd77df4d09c856b1 |
|
15-Jul-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
Related:
https://fedorahosted.org/sssd/ticket/2553
Extends the Data Provider interface and the responder<->Data provider
interface with wildcard lookups.
The patch uses a new "wildcard" prefix rather than reusing the existing
user/group prefixes.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
caacea0dbfdc92613ae992681053b1d2665b80ca |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
LDAP/IPA: add user lookup by certificate
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
d9296ba018228ac6a19f710b8bb9044c4ea9ab5b |
|
01-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Set extra_value to NULL for enum requests
Some providers, notably IPA, rely on extra_value to be either a useful
value or NULL. In enumeration, however, extra_value was random. Set
the extra_value pointer explicitly to NULL to make it clear that it's
not used for enumeration and also use talloc_zero as future-proof.
Resolves:
https://fedorahosted.org/sssd/ticket/2659
Reviewed-by: Sumit Bose <sbose@redhat.com> |
fb045f6e5a9a7f8936ad6f89c28862dcd035a4fe |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
Add pre-auth request
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
bdc2aced1185c4ee36921fa01b8dc01789a63900 |
|
25-Feb-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: print the pam status as string, too
On several places, let's add a pam_strerror() call so that it's easier
to debug user problems.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com> |
b07a3b729892d2bc2ffa73d93de95e19003cc6c8 |
|
27-Jan-2015 |
Pavel Reichl <preichl@redhat.com> |
add missing '\n' in debug messages
Also reformat debug strings not to exceed 80 columns long lines.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9fa95168d80beba04b333b06edc492ecb8b085a1 |
|
23-Jan-2015 |
Pavel Březina <pbrezina@redhat.com> |
sbus: add new iface via sbus_conn_register_iface()
Rename sbus_conn_add_interface() to sbus_conn_register_iface()
and remove sbus_new_interface() calls since it is just one more
unnecessary call outside the sbus code.
The function sbus_new_interface() is made static and used
directly in sbus_conn_register_iface().
The name was chosen to better describe what the function is
doing. That it registers an interface on a given object path.
The same interface can be used with different paths so it is
not really about adding an interface.
Preparation for:
https://fedorahosted.org/sssd/ticket/2339
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ae104bcbb705d3081a7a974342a237de8364d0b3 |
|
24-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
BE: Fix a debug message
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
10d571677bf11c8b2c357026f24de40cae3094f5 |
|
18-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
BE: Become a regular user after initialization
Some parts of initialization (Kerberos ticket renewal, checking the
keytab for the right principal) still require the root privileges. Drop
privileges after initializing the back ends.
Related:
https://fedorahosted.org/sssd/ticket/2370
Reviewed-by: Sumit Bose <sbose@redhat.com> |
04ba431db8a89916f43666c090080a5f2b7e4b9b |
|
06-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
BE: Make struct bet_queue_item private to sssd_be
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
19e9c1c1a21790974400db9349637788727b6564 |
|
22-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
BE: Own the sbus socket as the SSSD user
In some cases, the back end might still be running as root, but the
responder would be running unprivileged. In this case, we need to allow
connecting from the SSSD user ID.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
5960687483a5d3d99093c9d6ab64e11c9bde7f7b |
|
22-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SBUS: Chown the sbus socket if needed
When setting up the sbus server, we might need to chown the sbus socket
to make sure non-root peers, running as the SSSD user are able to access
the file.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
ac40d2f2b2b2fc35c95389f5e28febd580bd2b7a |
|
20-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
SSSD: Add the options to specify a UID and GID to run as
Adds new command line options --uid and --gid to all SSSD servers,
making it possible to switch to another user ID if needed.
So far all code still runs as root.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
1925ce32f7c1dc226be31d4301a0a1dbb2448baa |
|
09-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Do not depend on monitor code
Just moves code around. There should be a way to use the server.c module
without linking the monitor code.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
0433376c464da45753b3444b14f984f79cc3d770 |
|
09-Oct-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
DP: Print a type as hexadecimal number in debug message.
All requests from the nss responder start in the domain log with a debug message
in function be_get_account_info e.g.
[be_get_account_info] (0x0100): Got request for [4099][1][name=user1]
[be_get_account_info] (0x0100): Got request for [4098][1][name=group1]
[be_get_account_info] (0x0100): Got request for [4097][1][name=user1]
The 1st number is the type, which is defined as a hexadecimal number
in header file src/providers/data_provider.h
#define BE_REQ_USER 0x0001
#define BE_REQ_GROUP 0x0002
#define BE_REQ_INITGROUPS 0x0003
...
This patch changes formatting from decimal representation to hexadecimal;
so you needn't convert it in your head while analysing log files.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
a8e9aedbf7f6ada4e9f505da5fad8a61e4066684 |
|
19-Aug-2014 |
Pavel Březina <pbrezina@redhat.com> |
sudo: work with correct D-Bus iterator
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
193ff97ae3bd19e71c984fb3baa1805a4164549b |
|
19-Aug-2014 |
Michal Zidek <mzidek@redhat.com> |
be_get_account_info change level of debug message
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9ee8bf83ab1cb53e93111adb64c4a66e607d7115 |
|
13-Aug-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
BE: Handle SIGUSR2
It was possible to send SIGUSR1 to both sssd and sssd_be processes,
but only possible to send SIGUSR2 to sssd. This patch fixes the
dichotomy by making the sssd_be process handle SIGUSR2 as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Dan Lavu <dlavu@redhat.com> |
45eb92f4564c76d04535b5c8e85e769db3ea93a3 |
|
31-Jul-2014 |
Michal Zidek <mzidek@redhat.com> |
Exit offline mode only if server is available.
This patch adds periodic check to test if
backend can exit offline mode and only
marks backend as not offline if server
for the service is available.
Prior to this patch we marked backend as not
offline if the offline_timeout was reached
without checking for the server availability
and when the next request failed again
we switched back to the offline mode.
This caused significant slowdowns in some
edge cases.
Fixes:
https://fedorahosted.org/sssd/ticket/2355
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
b39098de5bbb7513d5509fb30a3096a3bd9d43f2 |
|
31-Jul-2014 |
Michal Zidek <mzidek@redhat.com> |
ptask: Add backoff feature to the ptask api.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
ab0ab5a30379b84d6e05e1f2dc457bd1dd97401f |
|
31-Jul-2014 |
Michal Zidek <mzidek@redhat.com> |
ptask: Allow adding random_offset to scheduled execution time
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
dfef1d050c35398c6061256a947b4cc9c1f4b8e6 |
|
24-Jul-2014 |
Pavel Březina <pbrezina@redhat.com> |
sudo: use dbus array for rules refresh
D-Bus only supports 255 signatures which caused a segmentation fault
when sudo responder tried to refresh more rules at once.
Resolves:
https://fedorahosted.org/sssd/ticket/2387
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
db18dda869bc6c52a41797b2066cf121cf10f49c |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
UTIL: rename find_subdomain_by_name
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b76419cf8830440b46c20a15585562343c7b1924 |
|
08-Jul-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Provide a SBUS method to reconnect to sysbus
Introduces a new method implemented only by the IFP responder. When this
method is received, the responder attempts to reconnect to the system
bus, if not connected already.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
ed61bfc5184d9c7a46d17681a22a1abb64423708 |
|
30-Apr-2014 |
Pavel Reichl <preichl@redhat.com> |
AD Provider: bugfix use-after-free
Resolves:
https://fedorahosted.org/sssd/ticket/2322
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ef2455b63380ecd17bea94270ceaabe15dcf6456 |
|
22-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Remove unused 'force' parameter from the subdomain handler
The force argument was unused and made the code more complex than
required. Moreover, the force argument would have made the subdomain handler
behave differently than other identity domains -- when the front end decides
it's time to update the domains, the back end should just update them.
Handling multiple concurrent requests from multiple responders
(typically after startup) is handled at the generic back end level (see
be_queue_request).
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
cb4d5b588e704114b7090678752d33512baa718e |
|
04-Apr-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IFP: Re-add the InfoPipe server
Related:
https://fedorahosted.org/sssd/ticket/2072
This commit only adds the responder and the needed plumbing. No DBus
related code is in yet. |
06b7bc8ca2e005ed510210d3b8dee16afbabbcc9 |
|
14-Mar-2014 |
Stef Walter <stefw@redhat.com> |
sbus: Add the sbus_request_parse_or_finish() method
Some DBus types returned from dbus_message_get_args() require memory
to be released when done. We automatically attach these to the talloc
struct sbus_request memory context in this function.
This accepts varargs similar to dbus_message_get_args(), which are
rather awkward. However instead of reworking them completely, future
generated marshalling code will replace most uses of these varargs.
If parsing the dbus message fails, then it responds to the DBus caller
with an appropriate error such as o.f.D.Error.InvalidArgs. In these
cases (ie: when it returns FALSE) the sbus_request is finished.
Migrated some, but not all, uses of dbus_message_get_args() to the
new function. Some instances have uncommon semantics such as terminating
the connection upon failure to parse a message.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
07e941c1bbdc752142bbd3b838c540bc7ecd0ed7 |
|
14-Mar-2014 |
Stef Walter <stefw@redhat.com> |
sbus: Refactor how we export DBus interfaces
Most importantly, stop using per connection private data. This doesn't
scale when you have more than one thing exporting or exported on a
connection.
Remove struct sbus_interface and expand sbus_conn_add_interface()
function. Remove various struct sbus_interface args to connection
initialization functions and make callers use sbus_conn_add_interface()
directly. The old method was optimized for exporting one interface
on a connection. We'll have connections that export zero, one or more
interfaces.
To export an interface on a DBus server, call sbus_conn_add_interface()
from within the sbus_server_conn_init_fn. To export an interface on
a DBus client, call sbus_conn_add_interface() after sbus_new_connection()
returns.
As before struct sbus_interface represents an object exported via DBus.
However it is now talloc allocated. One can set instance data on the
struct sbus_interface. This instance data is passed to the various
handlers and used in their implementation.
However, we now have type safe interface exporting in the various
high level sss_process_init() sss_monitor_init() and so on.
Introspection support was not in use, and is now gone until we
implement it using the metadata (future patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d9577dbd92555b0755881e37724019ef9c578404 |
|
14-Mar-2014 |
Stef Walter <stefw@gnome.org> |
sbus: Add struct sbus_request to represent a DBus invocation
struct sbus_request represents a request from a dbus client
being handled by a dbus server implementation. The struct
contains the message, connection and method (and in the
future the property) which is being requested.
In the future it will contain caller information as well.
sbus_request is a talloc memory context, and is a good place to
attach any allocations and memory specific to the request.
Each handler accepts an sbus_request. If a handler returns
EOK, it is assumed that the handler will finish the request.
Any of the sbus_request_*finish() methods can be used to
complete the request and send back a reply.
sbus_request_return_and_finish() uses the same argument
varargs syntax as dbus_message_append_args(), which isn't
a great syntax. Document it a bit, but don't try to redesign:
The marshalling work (will follow this patch set) will remove
the need to use varargs for most DBus implementation code.
This patch migrates the monitor and data provider dbus code
to use sbus_request, but does not try to rework the talloc
contexts to use it.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
5bad17538eab85ce69e0355cd25b52b4a473cc36 |
|
14-Mar-2014 |
Stef Walter <stefw@redhat.com> |
providers: Fix types passed to dbus varargs functions
Fix some incorrect types passed to dbus_message_get_args(),
dbus_message_append_args() or functions accepting similar
varargs and types.
In particular sizeof(bool) != sizeof(dbus_bool_t) on most
platforms. This probably only worked because the compiler
was aligning stack variables and so writing off the end of
one of them wasn't the end of the world.
In addition fix cases where int != int32_t != uint32_t.
Although these will work on many common platforms, assuming
these are interchangeable is not cross platform safe.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
b668c77874c6fed325471bdcf5954979a0d734e2 |
|
24-Feb-2014 |
Stef Walter <stefw@redhat.com> |
sbus: Use constants to make dbus calls
This allows us to remove duplicated information, and have the
compiler check that when a method name is changed or removed
the callers are updated.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
769347ad4d35d43488eb98f980143495b0db415d |
|
24-Feb-2014 |
Stef Walter <stefw@redhat.com> |
sbus: Rework sbus to use interface metadata and vtables
Previous commits added support for interface metadata and
handler vtables. This commit ports sbus_dbus_connection to
use them.
Port the internal uses of dbus to use the new scheme in a
very minimal way. Further cleanup is possible here.
This commit provides basic definitions of the internal
dbus interfaces. The interfaces aren't fully defined, as the
handlers will continue to unpack manually, and often overload
DBus methods with different arguments (which is rather
unorthodox, but not the end of the world).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
3e7d7af1953410f3f009bf3b2e481a46fb80de83 |
|
24-Feb-2014 |
Stef Walter <stefw@redhat.com> |
nss: Stop using one DBus interface with totally different methods
This is an incorrect use of DBus, where we use a single interface
name with completely different sets of methods.
Easily fixed.
Once the vtable stuff is in use then this would be automatically
detected and fail to build.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
83bf46f4066e3d5e838a32357c201de9bd6ecdfd |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal
numbers for levels, to use bitmask macros instead:
grep -rl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e 'use strict;
use File::Slurp;
my @map=qw"
SSSDBG_FATAL_FAILURE
SSSDBG_CRIT_FAILURE
SSSDBG_OP_FAILURE
SSSDBG_MINOR_FAILURE
SSSDBG_CONF_SETTINGS
SSSDBG_FUNC_DATA
SSSDBG_TRACE_FUNC
SSSDBG_TRACE_LIBS
SSSDBG_TRACE_INTERNAL
SSSDBG_TRACE_ALL
";
my $text=read_file(\*STDIN);
my $repl;
$text=~s/
^
(
.*
\b
(DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
\s*
\(\s*
)(
[0-9]
)(
\s*,
)
(
\s*
)
(
.*
)
$
/
$repl = $1.$map[$3].$4.$5.$6,
length($repl) <= 80
? $repl
: $1.$map[$3].$4."\n".(" " x length($1)).$6
/xmge;
print $text;
' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
b3292840ebaa747a9fd596ff47cc5d18198361d0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module |
407123c67114bf010cdad4418f291f9fb3762f4a |
|
12-Nov-2013 |
Cove Schneider <cove@ilm.com> |
Add ldap_autofs_map_master_name option |
4fcc27c0474b1879119cb04de4ed209711df231e |
|
07-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
confdb: Make offline timeout configurable
Added and documented option offline_timeout.
Resolves:
https://fedorahosted.org/sssd/ticket/1718 |
328ac6f72e33af7c2e8602462c57c34da6aeaa98 |
|
30-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
be_spy_create: free be_req and not the long living data |
a09ef85a90b52c0524af420c18f29f888a723412 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: add function to terminate request of specific domain
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
84640544b70fd6f3f8210af4d236702bfef98b37 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: set request domain
Every request is attached to be_ctx->domain by default. We
will change the domain to a subdomain if it is relevant.
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
92eb5729e132e4f88ec41f1eb8db90ebd3a81a63 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: store list of ongoing requests
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
0a320004a9937295ba66a348d1e60682cfdceb26 |
|
22-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
Add unconditional online callbacks
Currently online callbacks are only executed if the backend was offline
before. This patch adds a new class of callback which are always called
if the backend gets a request to go online.
They can be used e.g. to reset timeouts until a more sophisticated method
(OpenLMI, sssctl) is available. |
19b4bb652f5cdc2797b66595eaf8811881aa9873 |
|
22-Oct-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Include external headers with #include <foo.h>
I find it more readable to include headers from outside the sssd tree
with <foo.h>, not "foo.h". The latter should be used for in-tree headers
only. |
d2f4746587809673122d348a8f806f1c14d3d60a |
|
22-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Check return values of setenv and unsetenv |
d6837823b0a002c9c8afb48caf3eeda5cb73f173 |
|
18-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
BE: Log domain name to journald if available
If the SSSD is compiled with journald support, then all sss_log()
statements will include a new field called "SSSD_DOMAIN" that includes
the domain name. Filtering only messages from the single domain is then
as easy as:
# journalctl SSSD_DOMAIN=foo.example.com |
f88f09876e2018bd08e19d84ad1ab66f72cac8fd |
|
24-Aug-2013 |
Ondrej Kos <okos@redhat.com> |
DP: Notify properly when removing PAC responder
Adds pac_cli be_client structure pointer, to identify and log the PAC
responder termination correctly. |
6a281a49197ff76637bd6037692bb9569df8f2da |
|
18-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Remove unused be_ctx->sigchld_ctx |
0cf0e2d758d09e9b314ba72ce6638df10b258462 |
|
10-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
back end: add refresh expired records periodic task
https://fedorahosted.org/sssd/ticket/1713
Add new option refresh_expired_interval. |
af4027dd2759c73cde55b55fe9e1248089e8a42c |
|
04-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Use queue for get_subdomains
It does not make much sense to run multiple get_subdomains requests in
parallel because all requests will load the same information from the
server. The IPA and AD provider already implement a short timeout to
avoid multiple requests running too fast after each other. But if
the timeout is over chances are that if two or more requests come in fast
the first request cannot update the timeout and the requests will run in
parallel. To avoid this the requests are queued and sent one after the
other to the provider. |
044aff9bd41e0126b89f1ad672e196c3aa1654b7 |
|
04-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add be request queue
For some backend targets it might be not desirable to run requests in
parallel but to serialize them. To avoid that each provider has to
implement a queue for this target this patch implements a generic queue
which collects incoming requests before they are sent to the target. |
206329d3901738036352f2ac1e8d7804f728861d |
|
02-May-2013 |
Sumit Bose <sbose@redhat.com> |
Add secid filter to responder-dp protocol
This patch adds a new filter type to the data-provider interface which
can be used for SID-based lookups. |
44fc7e53b403d45576ab61d2dea4608e323ed332 |
|
03-Apr-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Centralize resolv_init, remove resolv context list |
6569d57e3bc168e6e83d70333b48c5cb43aa04c4 |
|
19-Mar-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Do not compile main() in DP if UNIT_TESTING is defined
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function |
7619be9f6bf649665fcbeee9e6b120f9f9cba2a5 |
|
19-Mar-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Provide a be_get_account_info_send function
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function. |
270378e688f30413d75eaa9b5170f4ed8676f1cf |
|
04-Mar-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the correct memory context in be_req_create |
3082504f4fb4e4efdc50c99369204e5b2cfac40e |
|
01-Feb-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: check whether hostid backend is configured before filing be request |
3561e54a9105672d9c7d9e76cf79fefe867b7f83 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make struct be_req opaque |
cbaba2f47da96c4191971bce86f03afb3f88864a |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_data() helper function.
In preparation for making struct be_req opaque. |
03abdaa21ecf562b714f204ca42379ff08626f75 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_be_ctx() helper.
In preparation for making be_req opaque |
99151f2217ddaa179543b89b49f836f29f7dcd2a |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_create() helper |
8e5549e453558d4bebdec333a93e215d5d6ffaec |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Introduce be_req_terminate() helper
Call it everywhere instead of directly dereferencing be_req->fn
This is in preparation of making be_req opaque. |
ccc2af010bbbe6d8a7496fb717216135bc4c1993 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove domain from be_req structure |
24b715f096613d18f182cf0fff537e1fc79647fa |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be request structure member
The sysdb context is already available through the 'domain' context. |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
99b2c04e198e077708c5a08f2fdfa9574512a82c |
|
19-Jan-2013 |
Pavel Březina <pbrezina@redhat.com> |
set struct bet_info->bet_type |
a1fb964f1d216427c8215a92a59f722f08a07426 |
|
16-Jan-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Invalidate user entry even if there are no groups
Related to https://fedorahosted.org/sssd/ticket/1757
Previously we would optimize the mc invalidate code for cases where the
user was a member of some groups. But if the user was removed from the
server while being in memory cache, we would only invalidate the mc
record if he was a member of at least one supplementary group. |
c3ca06c011a34997cd6ec5d1e5927fee12bf2464 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_initgroups() |
234958be042980242fff6da936af674da877c5ef |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Refactor single domain initialization
Bring it out of sysdb, which will slowly remove internal dependencies on
domains and instead will always require them to be passed by callers. |
06cb67c391dd8c2b1542a7d87fb5568fdad448cb |
|
18-Dec-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: invalidate all cached maps if a request for auto.master comes in
If the Data Provider receives a request for the auto.master map, it
passes on a flag to let the actual provider know he should
invalidate the existing maps |
2fdd57d428e0c38e3ce1f9286337f750727f0e2e |
|
05-Dec-2012 |
Simo Sorce <simo@redhat.com> |
Add backchannel NSS provider query on initgr calls
This is needed in order to assure the memcache is properly and promptly
cleaned up if a user's memberships change on login.
The list of the current groups for the user is sourced before it is
updated and sent to the NSS provider to verify if it has changed after
the update call has been made. |
8d9e0547a864cee05ab36bc988300c0cfa986025 |
|
19-Nov-2012 |
Simo Sorce <simo@redhat.com> |
Refactor the way subdomain accounts are saved
The original sysdb code had a strong assumption that only users from one
domain are saved in the database, with the subdomain feature, we have
changed reality, but have not adjusted all the code around the sysdb calls
to not rely on the original assumption.
One of the side effects of this incongruence is that currently group
memberships do not return fully qualified names for subdomain users as they
should.
In order to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By saving them fully qualified we do not risk aliasing local users and have
group memberships or other name based matching code mistake a domain user
with subdomain user or vice versa. |
5063dcc5ab685dce325b13b9c1e93cee2a673e60 |
|
14-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Run IPA subdomain provider if IPA ID provider is configured
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicitly or
implicitly.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf subdomain requests are always sent to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will only be sent to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch saves the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613 |
1f60f558ce39a31a457cdeed55c8a71a8b025faa |
|
12-Nov-2012 |
Pavel Březina <pbrezina@redhat.com> |
backend: add PAC to the list of known clients |
9e2c64c6d4f5560e27207193efea6536a566865e |
|
29-Oct-2012 |
Michal Zidek <mzidek@redhat.com> |
Include talloc log in our debug facility
https://fedorahosted.org/sssd/ticket/1495 |
c3f27432d012dd72f0282bc2c0962264bafacabd |
|
24-Sep-2012 |
Sumit Bose <sbose@redhat.com> |
Make subdomain discovery less noisy
Fixes https://fedorahosted.org/sssd/ticket/1517 |
30f029ee8e4220cfa03ae06df88860186482b483 |
|
12-Sep-2012 |
Pavel Březina <pbrezina@redhat.com> |
backend: initialize sudo only when it is enabled in services
https://fedorahosted.org/sssd/ticket/1458
When the responder is disabled and sudo_provider is set explicitly,
a warning is printed and the module will be initialized. |
ccaad2d59dd3c4a588ef942c1f74e2062da293e3 |
|
12-Sep-2012 |
Pavel Březina <pbrezina@redhat.com> |
be_process_init(): free ctx on error |
ffcf27b0b773b580289d596f796aaf86c45ba920 |
|
09-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Abort PAM access phase if HBAC does not return PAM_SUCCESS |
afa8de34e6b3e9f6f0a7c2d5ad57736ebb72f78b |
|
07-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Subdomains: Send the DP reply in the correct format
The DP was sending the reply in a format the responder did not expect,
so the responder always failed to parse the message. |
efea50efda58be66638e5d38c8e57fdf9992f204 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Change refreshing of subdomains
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows to check if anything changed w/o always hitting the sysdb.
2. later will allow us to dump this information w/o having to retrieve it
again. The timestamp also allows to avoid refreshing too often. |
067bfcaad9baae2d962528839fde30ebd1a5ba2b |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Use a more tractable name for subdomain request
I am all for readable names, but there is a tradeoff between expressing purpose
and compactness. |
7016947229edcaa268a82bf69fde37e521b13233 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Move SELinux processing from session to account PAM stack
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder. |
38e2ec1c757955ab557fd95807afa58042d09482 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Renamed session provider to selinux provider |
53c4d11be243befd7cdaacc03f7a0505df1fb195 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Always free request in data provider PAM callback
In case of error the request wasn't freed and the callback just ended. |
2c5f1e5faf50b8a5118b99ad1dc19736d4f146b8 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo backend - add support for on demand refresh of specific rules |
7ca8196d719879840116b65398f6f2029c4b7cdb |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo backend - support only on demand full refresh |
387349ae092f6dbeb8e4bca291a772695836629c |
|
20-Jun-2012 |
Stef Walter <stefw@gnome.org> |
Move some debug lines to new debug log levels
* These are common lines of debug output when starting
up sssd
https://bugzilla.redhat.com/show_bug.cgi?id=811113 |
388214d8cc47968fa7f53c5a6624746b42865dde |
|
10-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
subdomains: Fix error handling in Data Provider
The subdomains back end request was sending replies in a format the
responder did not understand in case the request failed. |
b42b5d5aaf4da165582e73ad985fdff6e34e61e4 |
|
03-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SSH: Add dp_get_host_send to common responder code
Instead of using account_info request, creates a new ssh specific
request. This improves code readability and will make the code more
flexible in the future.
https://fedorahosted.org/sssd/ticket/1176 |
d226a2a0f8e6738507874f3e04bf281c2bf526b1 |
|
03-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Rename split_service_name_filter
The function was used outside services code which was confusing due to
its name. This patch renames it to sound more neutral. |
8a90e3ce2d2e47ea8c031493e9aaaf551aaa30ad |
|
02-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: return correct error message when subdomains back end target is not configured
The done handler uses the value of status, not ret. |
8a5d5947a640a7208fa8ed732676bf10ab451fbc |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Carry sysdb context and domain info in be_req structure |
6d485cdb11d3c2b8855a6380f759ae2df6e5c35b |
|
24-Apr-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Basic support for subdomains in auth provider |
d1cec5a8fc58293231c72c1f967ef5421a24a33b |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
Add domain name to get_account_info request |
fe1ac2443811a7125f2ddd0382a3f437f20377de |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
data provider: added subdomains |
2a71b2515753b7c10e75e2c51f8f43683496857a |
|
16-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
autofs: load the correct option |
6e8b4d412a9a28bb79f575b9970c3fd7876609ac |
|
06-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Catch cases where D-Bus connection is NULL
https://fedorahosted.org/sssd/ticket/1270 |
c0828b258cc5b970d03881f1716a392c57a7fe13 |
|
05-Mar-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
DP: Reorganize memory hierarchy of requests
This function alters the memory hierarchy of the be_req
to ensure memory safety during shutdown. It creates a
spy on the be_cli object so that it will free the be_req
if the client is freed.
It is generally allocated atop the private data context
for the appropriate back-end against which it is being
filed.
https://fedorahosted.org/sssd/ticket/1226 |
d2d2d6ae0c436461bcc8f881df059eb036314c44 |
|
29-Feb-2012 |
Sumit Bose <sbose@redhat.com> |
Keep sysdb context in domain info struct |
89325d4a1c92616be2a388e9dff7c5122d782786 |
|
27-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
PAM: Don't send PAM_SYSTEM_INFO message if module unset
We now have a session module that is only available for the IPA
provider. We should not be logging noisily that other providers
do not have the session provider configured.
https://fedorahosted.org/sssd/ticket/1211 |
9e896dc45792ea7d2f267b4fbd49542d10339c63 |
|
27-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
SSH: Save SSH host name aliases |
50fcb0f65eea9bfb4906d55f5ea5f7e570379b1a |
|
13-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix bad failure handling in be_sudo_handler()
If the dbus_message_get_args() failed, we would have been
dereferencing a NULL be_req.
Coverity #12490 |
4bea2cb840c0750835fba7c6af4619a9c699e374 |
|
13-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove dead code
Coverity #12529 |
620033ce66f4827be9d508c77483fab0270d9869 |
|
07-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: IPA provider |
e7311aec8d691e5427317442387af1bc8fff3742 |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
SSH: Responder |
74505b09d056883741e90cac45838c844365cae5 |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
DP: Add host info handler |
2d0550acbe07024d034fb616c1ec5b81929c4844 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Add session target in data provider |
5708dc97b69a468f077616d7a75e81f4172f63fa |
|
06-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
AUTOFS: Data Provider request |
7a571a9d9be35360cc0f283fcd8124bda11ebf51 |
|
27-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - prepare data provider for new responder commands
https://fedorahosted.org/sssd/ticket/1143 |
3b121852048a7931f8a608527b760963e2ed2bb4 |
|
27-Jan-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Use the new SUDO request in DP and sudo responder
Also remove the old request implementation
https://fedorahosted.org/sssd/ticket/1115 |
0f7bb438e5615b7bad1158ce437d70f1381e8d5a |
|
27-Jan-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
DP: Handle parsing extra results in be_get_account_info |
f643754db81eeade60485bbe3d80324d889cc4f3 |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration review issues |
87c07559af5cfcd2752295ef7c425bd3205f426f |
|
19-Dec-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Move child_common routines to util |
6a9bdb6289bb374d203861cef16f312185725cbc |
|
19-Dec-2011 |
Pavel Zuna <pzuna@redhat.com> |
Add common SIGCHLD handling for providers. |
88c5d362804244a5a74785b94018ddf887094553 |
|
16-Dec-2011 |
Pavel Březina <pbrezina@redhat.com> |
SUDO integration - data provider backend handler |
2c9a76e553f9239eaa91f32ccaf18b7a68316ce5 |
|
13-Oct-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Append PID to sbus server socket name, let clients use a symlink
https://fedorahosted.org/sssd/ticket/1034 |
89caf5edcc99f5731e89bd51e6ffaad3ec11c304 |
|
25-Aug-2011 |
Pavel Březina <pbrezina@redhat.com> |
New DEBUG facility - SSSDBG_UNRESOLVED changed from -1 to 0
Removed:
SSS_UNRESOLVED_DEBUG_LEVEL (completely replaced with SSSDBG_UNRESOLVED)
Added new macro:
CONVERT_AND_SET_DEBUG_LEVEL(new_value)
Changes unresolved debug level value (SSSDBG_UNRESOLVED) from -1 to 0
so DEBUG macro could be reduced by one condition. Anyway, it has a minor
effect, every time you want to load debug_level from command line parameters,
you have to use the following pattern:
/* Set debug level to invalid value so we can decide if -d 0 was used. */
debug_level = SSSDBG_INVALID;
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while((opt = poptGetNextOpt(pc)) != -1) { ... }
CONVERT_AND_SET_DEBUG_LEVEL(debug_level); |
99dd40a885ed3d42af4bbbde7ee2fc98830544d0 |
|
25-Aug-2011 |
Pavel Březina <pbrezina@redhat.com> |
New DEBUG facility - conversion
https://fedorahosted.org/sssd/ticket/925
Conversion of the old debug_level format to the new one.
(only where it was necessary)
Removed:
SSS_DEFAULT_DEBUG_LEVEL (completely replaced with SSSDBG_DEFAULT) |
d818283d39d56204ffe710b6c9b83a2cf497f946 |
|
06-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Allow changing the log level without restart
We will now re-read the confdb debug_level value when processing
the monitor_common_logrotate() function, which occurs when the
monitor receives a SIGHUP. |
28a410f423bf9bcdf43ed14cd4c50634753b51f3 |
|
06-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Create common sss_monitor_init()
This was implemented almost identically for both the responders
and the providers. It is easier to maintain as a single routine.
This patch also adds the ability to provide a private context to
attach to the sbus_connection for later use. |
e63307a858eaa56f46cd5bf562653911eb2e9826 |
|
08-Mar-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Remove unused be_check_online() SBUS call |
d1571f8c173ca9172fa295e6aac48b8c0c367950 |
|
02-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Add a special filter type to handle enumerations |
c8708cd958c633cc3c57a3460bdb15391200e1e1 |
|
01-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Run checks before resetting offline state
Before setting the backend to online during a reset offline request the
check_online method of the ID provider is called. If the check_online
method returns that the ID provider is still not reachable the backend
stays offline. Otherwise the backend is switched to online and the
related callbacks are run.
Additionally the check online test is called during the res_init request
because a change in /etc/resolve.conf might also make a server reachable
which was assumed offline before. |
4b0309363dbfb9a1409e082b3a84f17b53a751c1 |
|
24-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Print correct error messages for dp_err_to_string()
All errnum values passed into this function throughout the code
are PAM error codes, but we were passing them through strerror()
to print them, which is only meaningful for ERRNO error codes.
This patch changes dp_err_to_string() to use pam_strerror() and
renames it to dp_pam_err_to_string() for clarity.
https://fedorahosted.org/sssd/ticket/636 |
90983939761dcfd15bac4e78265d5b6b38b573ae |
|
03-Aug-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
be_pam_handler(): Fix potential NULL dereference |
90acbcf20b5f896ca8f631923afe946c90d90de7 |
|
09-Jul-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Use netlink to detect going online
Integrates libnl to detect adding routes. When a route is added, the
offline status of all back ends is reset. This patch adds no heuristics
to detect whether back end went offline.
Fixes: #456 |
8eb2a35e3b180e76da4be5beab11cdb4038860b2 |
|
27-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add offline callbacks |
f6085645026b9ee26e970d8f9a4e7b8cba077361 |
|
27-May-2010 |
Sumit Bose <sbose@redhat.com> |
Refactor data provider callbacks |
a772f2e29661dda4c69124a4c794183798418ae4 |
|
27-May-2010 |
Sumit Bose <sbose@redhat.com> |
Copy pam data from DBus message
Instead of just using references to the pam data inside of the DBus
message the data is copied. Now the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere. |
7b368c6322c10b0b650df2bf427aa9a3599ef472 |
|
27-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix error reporting for be_pam_handler |
55daaea86e0ba049d31f74fcdf6bfedc6e0a1e7b |
|
20-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Revert "Copy pam data from DBus message"
This reverts commit 2faf73eef14d66aeb345ffa38d0f53670fa8a9a1. |
2faf73eef14d66aeb345ffa38d0f53670fa8a9a1 |
|
20-May-2010 |
Sumit Bose <sbose@redhat.com> |
Copy pam data from DBus message
Instead of just using references to the pam data inside of the DBus
message the data is copied. Now the DBus message can be freed at any
time and the pam data is part of the memory hierarchy. Additionally it
is possible to overwrite the authentication tokens in the DBus message,
because it is not used elsewhere. |
dd025b4cbd501e2f34461f9d8359a829b81f5c2f |
|
07-May-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Add callback when the ID provider switches from offline to online
Allow backends to set a callback in the be_ctx that should be
invoked when the ID provider goes online.
This can be used to perform regular maintenance tasks that are
valid only when going online. |
270a0a1b6182ef1fbff2a93af6731788cf954874 |
|
03-May-2010 |
Simo Sorce <ssorce@redhat.com> |
Better handle sdap_handle memory from callers.
Always just mark the sdap_handle as not connected and let later _send()
functions take care of freeing the handle before reconnecting.
Introduce restart functions to avoid calling _send() functions in _done()
functions error paths as this would have the same effect as directly freeing
the sdap_handle and cause access to freed memory in sdap_handle_release()
By freeing sdap_handle only in the connection _recv() function we
guarantee it can never be done within sdap_handle_release() but only
in a following event. |
264be69c7615a1f65a21805b95a9dbd2736d1fb4 |
|
16-Apr-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Make ID provider init functions clearer
Using sssm_*_init() as the name of the initialization function for
identity providers was a holdover from earlier development when we
thought we would only have a single "provider" entry in the config
file.
As we have now separated out the initialization functions for
auth, chpass and access, we should rename sssm_*_init() to
sssm_*_id_init() for a cleaner interface. |
9db5a5140356479a58f2e7212fc5c4ad6135bb7f |
|
12-Apr-2010 |
Simo Sorce <ssorce@redhat.com> |
sysdb: Finally stop using a common event context
This commit completes the migration to a synchronous sysdb |
71cd2f7ce705561d8d8f3cb7f385a57bedad1ef1 |
|
08-Mar-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Reopen logs when SIGHUP is caught
Upon receiving SIGHUP, the monitor signals all services to reopen their
debug logs. It is also possible to signal individual services to reopen
their particular files.
Fixes: #332 |
b81f453b8ade026f9c19bfd557a986cbcf0c9c8c |
|
22-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Remove unnecessary "domain" parameter from DP registration
This was a holdover from when the DP and the providers were unique
processes. The NSS and PAM registrations do not need to send the
domain, as it is not ambiguous which one they are talking to. |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |