History log of /sssd-io/src/providers/files/files_ops.c
Revision Date Author Comments
c1bce7da6c33b352dc708a5dd9712a4d96c63057 27-Apr-2018 Jakub Hrozek <jhrozek@redhat.com>

FILES: Skip files that are not created yet

In order to avoid complex ordering logic, even if one file is updated, we flush all the entries. In theory, we could only flush the individual file and all the files preceding it, but it's safer to just create a complete mirror every time.

And this can be problematic if one of the files we try to update is not created yet during the update. This can happen e.g. when a file is not created during early boot.

To solve this, try to be very defensive and always flush the whole database, ignore ENOENT errors, but abort on all other errors.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

81f16996c980a75e98538c7dd91baf9e0e635f58 27-Apr-2018 Jakub Hrozek <jhrozek@redhat.com>

FILES: Reset the domain status back even on errors

The block that resets the domain status was only called on success, so on error, the domain would have been permanently stuck in an inconsistent state.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

1f8bfb6975becda07ff29f557f82b6ac1eaa0be9 27-Apr-2018 Jakub Hrozek <jhrozek@redhat.com>

FILES: Reduce code duplication

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d69e1da370fa33c5085b31eb6302a30d81817534 27-Apr-2018 Jakub Hrozek <jhrozek@redhat.com>

FILES: Do not overwrite and actually remove files_ctx.{pwd,grp}_watch

The snotify_ctx structures were unused, are completely opaque (their only value is that if they are freed, the watches disappear which the files provider never does). And moreover, since the patches to support multiple files, the watches were overwritten with subsequent assignments.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

0d6d493f68bb83a046d351cb3035b08ef5456b50 05-Apr-2018 Justin Stephenson <jstephen@redhat.com>

FILES: Handle files provider sources

Set up watches on passwd and group files provided with the files provider options passwd_files and group_files lists

Resolves: https://pagure.io/SSSD/sssd/issue/3402

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9cca5bff0b934e97e100be53ea08dc6919446ff0 11-Jul-2017 Sumit Bose <sbose@redhat.com>

files: refresh override attributes after re-read

Currently the files provider refreshes the cached user and group data by deleting all objects and adding them again. This might not be the most efficient way performance wise but helps to avoid additional code for updates.

To handle overrides efficiently the override data is stored in a separate sub-tree and attributes with the DNs link the original and the override object together. During the removal of the users and groups this attribute pointing to the override is removed from the original attribute as well.

To make sure overrides are still applied after a refresh the attribute is added back after the original objects are read from the source files.

Resolves https://pagure.io/SSSD/sssd/issue/3391

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

1f49be4429c17475b789e9089ce4d0ae48315e74 22-Feb-2017 Lukas Slebodnik <lslebodn@redhat.com>

FILES: Remove unnecessary check

"grp_iter->gr_mem" is an array of strings and not just a string. We tried to compare first string to NULL (actually '\0'). But after that we iterated over the array to find count of members and we check for NULL one more time.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

fc91d72f32660712f7c9e872e00deb91f188fea3 22-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

FILES: Fix reallocation logic

There were two bugs in the files provider reallocation logic:
    1) the reallocated array was not NULL-terminated properly
    2) talloc_get_size was used in place of talloc_array_length

This bug could have resulted in a crash when the passwd or groups file contained more than FILES_REALLOC_CHUNK entries.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

c71e0a6710418991d759a329b8dcb77c7ad3e16e 15-Feb-2017 Jakub Hrozek <jhrozek@redhat.com>

FILES: Add the files provider

Adds a new provider type "files". The provider watches the UNIX password and group databases for changes using inotify and propagates its contents to the sysdb. The files provider is only built on platforms that support the inotify interface, polling or loading the entries on-demand is not supported.

During initialization, the files are loaded from the environment variables SSS_FILES_PASSWD and SSS_FILES_GROUP, defaulting to /etc/passwd and /etc/group respectively. Loading the files from environment variables is mostly implemented for tests that need to load nss_wrapped files.

The files provider is a bit different from other provider types in the sense that it always enumerates full contents of the database. Therefore, the requests from Data Provider are always just replied to with success. Enumerating the contents is done in full at the moment, all users and all groups are removed and added anew. Modifying the passwd and group databases should be rare enough for this to be justified and we can optimize the code later.

Since with large databases, the cache update might take a bit of time, we signal the responders to disable the files domain once we receive the inotify notification and re-enable the files domain after the update is finished. The idea is that the NSS configuration would still contain "files" after "sss" so that if the domain is disabled, libc would fall back to a direct "files" lookup.

Resolves: https://fedorahosted.org/sssd/ticket/3262

Reviewed-by: Pavel Březina <pbrezina@redhat.com>