History log of /sssd-io/src/providers/ipa/ipa_s2n_exop.c
Revision Date Author Comments
43003851129556acea15539a1dc0d4350d54cac8 26-Feb-2018 Sumit Bose <sbose@redhat.com>

ipa: remove SYSDB_USER_CERT from sub-domain users If there are no certificates returned for a sub-domain user from the IPA server to the client we should make sure they are not present in the client's cache anymore and remove the whole attribute from the cached user entry. Related to https://pagure.io/SSSD/sssd/issue/3603 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

56f015ef6a161e01681f79e4ea0d1b642f9737b4 23-Jan-2018 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Remove sshPublicKey attribute when it's not set Similarly to what has been done for the SSSD's server, we have to explicitly remove the 'sshPublicKey' attribute from an override in case it's not set, otherwise we may end up in a situation where a ssh key is removed from IPA but it'll still be present in the SSSD's client cache, allowing then users to ssh to a machine even having a key that has already been removed from IPA. Related: https://pagure.io/SSSD/sssd/issue/3602 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com>

a52226c651308a0a7732544b492eb4db56b84f1d 01-Dec-2017 Sumit Bose <sbose@redhat.com>

ipa: compare DNs instead of group names in ipa_s2n_save_objects() If group names are used to compare the current list of group memberships returned by the server with the one from the cache some groups might end up in the wrong result list if group names are overridden. This ambiguity can be resolved by using the DNs of the cached objects. Related to https://pagure.io/SSSD/sssd/issue/3579 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

f29040342a6d69e170f4543662621f2e27221f91 01-Dec-2017 Sumit Bose <sbose@redhat.com>

IPA: use cache searches in get_groups_dns() If the group name is overridden in the default view we have to search for the name and cannot construct it because the extdom plugin will return the overridden name but the DN of the related group object in the cache will contain the original name. Related to https://pagure.io/SSSD/sssd/issue/3579 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

919b5d76057d31877e0c25ca495711ff76c713d6 01-Dec-2017 Sumit Bose <sbose@redhat.com>

ipa: check for SYSDB_OVERRIDE_DN in process_members and get_group_dn_list process_members() and get_group_dn_list() are used on an IPA client to determine a list of users or groups which are missing in the cache and are needed to properly add a group or user object to the cache respectively. If a non-default view is assigned to the client the SYSDB_OVERRIDE_DN must be set for all user and group objects to indicate that it was already checked if there is an id-override defined for the object or not. There are circumstances where SYSDB_OVERRIDE_DN is not set, e.g. after a view name change. To make sure the cache is in a consistent state with this patch user and group entries without SYSDB_OVERRIDE_DN are considered as missing if a non-default view is assigned to the client. Related to https://pagure.io/SSSD/sssd/issue/3579 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

eb404bcdbbff7e080a93d816e17b8cec04f79fc4 25-May-2017 Jakub Hrozek <jhrozek@redhat.com>

IPA: Return from function after marking a request as finished Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

3e3034199b44e01899ec7ba8152fef3738a0e093 25-May-2017 Jakub Hrozek <jhrozek@redhat.com>

IPA: Avoid using uninitialized ret value when skipping entries from the joined domain Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

eb7095099b2dd0afb1d028dbc15d8c5a897d90f8 24-May-2017 Sumit Bose <sbose@redhat.com>

ipa: filter IPA users from extdom lookups by certificate The extdom lookup by certificate will return the names of all matching users, both from the IPA and trusted domains. The IPA users from the list should not be looked up via the extdom plugin because they are already looked up directly. Additionally the lookup might fail and cause an error which might prevent that the remaining users from the list are looked up. Resolves https://pagure.io/SSSD/sssd/issue/3407 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

0c5f463e9629ac08d647c70cffb30bccdd57ae96 28-Apr-2017 Justin Stephenson <jstephen@redhat.com>

IPA: Improve s2n debug message for missing ipaNTSecurityIdentifier This patch improves the log message to be more informative for the SSSD user troubleshooting issues. If the IDM POSIX group used for AD trust HBAC/SUDO operation is missing the ipaNTSecurityIdentifier it can cause client s2n operations failures resolving the group which resulted in the inability to login for the AD user. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

ef019268d2d112ebff3577e551cd19478d73d93b 24-Apr-2017 Jakub Hrozek <jhrozek@redhat.com>

IPA: Improve DEBUG message if a group has no ipaNTSecurityIdentifier There was an issue in a production deployment where the admin selected a GID outside the IDM range for a group that contained a user from the trusted domain. This resulted in not adding a SID for the IPA group, which in turn meant the group couldn't be resolved on the client. This patch just improves the DEBUG message so that it's clearer for the admins where the issue is. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b07bcd8b99590bd404733fa7ff1add37c55126bc 03-Apr-2017 Pavel Březina <pbrezina@redhat.com>

ipa_s2n_get_acct_info_send: provide correct req_input name To avoid crash. Resolves: https://pagure.io/SSSD/sssd/issue/3358 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

2cf7becc05996eb6d8a3352d3d7b97c75652e590 29-Mar-2017 Sumit Bose <sbose@redhat.com>

IPA: lookup AD users by certificates on IPA clients Get a list of users mapped to a certificate back from the IPA server, look them up and store them together with the certificate used for the search as mapped attribute to the cache. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

415d93196533a6fcd90889c67396ef5af5bf791a 29-Mar-2017 Sumit Bose <sbose@redhat.com>

IPA: add mapped attributes to user from trusted domains Allow the usage of the mapped attribute for the lookup of AD users on IPA clients as already used for the normal LDAP lookup. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cd83aead3c9799ac05d8f8977dbb92bbd399c6d5 23-Mar-2017 Justin Stephenson <jstephen@redhat.com>

IPA: Enhance debug logging for ipa s2n operations Add log messages to provide useful debug logging surrounding IPA client extended operations to the IPA Server during AD trust requests to retrieve information. Print more details about the objects requested and received during the ipa_s2n operations. This will improve log analysis and troubleshooting efforts during AD trust user and group resolution failures on IPA clients, such as missing groups. Reviewed-by: Sumit Bose <sbose@redhat.com>

a04bef313508c423ed06cc54805a3b8106ab90cd 23-Mar-2017 Justin Stephenson <jstephen@redhat.com>

IPA: Add s2n request to string function Add a function to convert request_types to string allowing the ability to print request type information for ipa_s2n functions during IPA client operations. Reviewed-by: Sumit Bose <sbose@redhat.com>

0302e3e7b3b06b809bd63c7911a42ab3e0a7ebf9 26-Aug-2016 Jakub Hrozek <jhrozek@redhat.com>

IPA: Parse qualified names when guessing AD user principal Most AD users store their UPN in an attribute. If they don't, or the sssd was configured (typically in earlier versions to work around a bug) to not look at the principal attribute, then sssd is supposed to guess the attribute. That currently doesn't work in 1.14, because the username is already qualified and then we also append the realm name to it. We need to parse the simple username from the qualified name first. The issue can be reproduced simply by authenticating as the Administrator account in IPA-AD trust setups. Resolves: https://fedorahosted.org/sssd/ticket/3127 Reviewed-by: Sumit Bose <sbose@redhat.com>

9a310913d696d190db14c625080678db853a33fd 29-Jul-2016 Sumit Bose <sbose@redhat.com>

LDAP/IPA: add local email address to aliases Adding email-addresses from the local domain to the alias names is strictly not needed but might help to speed up lookups in the NSS responder. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3d29430867cf92b2d71afa95abb679711231117c 15-Jul-2016 Pavel Březina <pbrezina@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

c125e741d3111e2f9b56866ba00835ca05c6f349 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

IPA: Use internal fqname format instead of parsing NSS names Parsing the extdom plugin output is an "input" operation from the point of the IPA provider, so we need to parse the name and conversely, internally use only the qualified name. Reviewed-by: Sumit Bose <sbose@redhat.com>

accff8ebe158251b1d25a95b3b035fe7e08fd1ee 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: expand_homedir_template manages usernames internally expand_homedir_template() can be considered an outward-facing interface, therefore the function and its input structure will accept the internal name format and parse it internally into a username and domain component. Reviewed-by: Sumit Bose <sbose@redhat.com>

21513e51a4a2eb08f245333bf8f223713a3d7cb3 09-Jun-2016 Sumit Bose <sbose@redhat.com>

IPA: allow lookups by cert in sub-domains on the client Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cf89f552f06b95bd69d8c61aaa55a330a5d9f6e6 09-Jun-2016 Sumit Bose <sbose@redhat.com>

ipa: save cert as blob in the cache The IPA extdom plugin returns the user certificate base64 encoded. Before the IPA client can store it in the cache it must be decoded so that it is stored as a binary as the certificate from other sources. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c371993cce13edb9185a5f0db76fbee03f0edc04 13-Apr-2016 Sumit Bose <sbose@redhat.com>

IPA: resolve PAC for trusted users on IPA clients Reviewed-by: Pavel Březina <pbrezina@redhat.com>

1df6751f81f7d9c225463f76b9789b0cc7a0de8b 13-Apr-2016 Sumit Bose <sbose@redhat.com>

IPA: ipa_s2n_get_list_send() allow other list types Reviewed-by: Pavel Březina <pbrezina@redhat.com>

aa0f39c7c09a55efc8d2282ca56e0e93e220aeba 13-Apr-2016 Sumit Bose <sbose@redhat.com>

IPA: rename ipa_s2n_get_fqlist* to ipa_s2n_get_list* Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9a2f018c0f68a3ada4cea4128a861a7f85893f22 12-Jan-2016 Sumit Bose <sbose@redhat.com>

ldap: remove originalMemberOf if there is no memberOf Since originalMemberOf is not mapped directly to an original attribute and is handled specially it is not automatically removed if there is no memberOf in the original object anymore. This patch puts originalMemberOf on the list of attributes which should be removed in that case. Resolves https://fedorahosted.org/sssd/ticket/2917 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

acce97e8d97e81a9e660d46c4e3c00bcb423c035 06-Jan-2016 Sumit Bose <sbose@redhat.com>

ipa_s2n_save_objects(): use configured user and group timeout Resolves https://fedorahosted.org/sssd/ticket/2899 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

aedc71fe8360a51785933523f14bb5c4e7e2c38b 20-Nov-2015 Sumit Bose <sbose@redhat.com>

IPA: fix override with the same name If the user name of an AD user is overridden with the name itself in an IPA override object SSSD adds this name twice to the alias list causing an ldb error when trying to write the user object to the cache. As a result the user is not available. This patch makes sure that there are no duplicated alias names. Resolves https://fedorahosted.org/sssd/ticket/2874 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6fe057efb981ee4b45dcadf131c03f8501fce28d 31-Jul-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Remove MPG groups if getgrgid was called before getpw() https://fedorahosted.org/sssd/ticket/2724 This bug only affects IPA clients that are connected to IPA servers with AD trust and ID mapping in effect. If an IPA client calls getgrgid() for an ID that matches a user, the user's private group would be returned and stored as a group entry. Subsequent queries for that user would fail, because MPG domains impose uniqueness restriction for both the ID and name space across groups and users. To work around that, we remove the UPG groups in MPG domains during a group lookup. Reviewed-by: Sumit Bose <sbose@redhat.com>

9ac2a33f4cdc4941fa63118dcffe8058854f33c4 02-Jul-2015 Michal Židek <mzidek@redhat.com>

views: Add is_default_view helper function Ticket: https://fedorahosted.org/sssd/ticket/2641 Reviewed-by: Pavel Reichl <preichl@redhat.com>

3fe2e555edd3963d72483600e5d9616873afd00a 06-May-2015 Sumit Bose <sbose@redhat.com>

IPA: do not add domain name unconditionally Depending on the server-side configuration the extdom plugin can return short or fully qualified names for IPA objects. The client must handle the names according to its own configuration and not add the domain part of the fully-qualified name unconditionally. Resolves https://fedorahosted.org/sssd/ticket/2647 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

cffe3135f29c737f2598f3c1384bfba1694fb843 05-May-2015 Sumit Bose <sbose@redhat.com>

IPA: update initgr expire timestamp conditionally Newer versions of the extdom plugin return the full list of group-memberships during user lookups. As a result the lifetime of the group-membership data is updated in those cases. But if the user is not looked up directly but is resolved as a group member during a group lookup SSSD does not resolve all group-membership of the user to avoid deep recursion and eventually a complete enumeration of the user and group base. In this case the lifetime of the group-memberships should not be updated because it might be incomplete. Related to https://fedorahosted.org/sssd/ticket/2633 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e87badc0f6fb20a443cf12bde9582ecbc2aef727 05-May-2015 Sumit Bose <sbose@redhat.com>

IPA: do initgroups if extdom exop supports it Newer versions of the extdom plugin return the full list of group-memberships during a user lookup request. With these versions there is no need to reject an initgroups request for sub/trusted-domain users anymore. This is e.g. useful for callers which call getgrouplist() directly without calling getpwnam() before. Additionally it helps if for some reason the lifetime of the user entry and the lifetime of the initgroups data is different. Related to https://fedorahosted.org/sssd/ticket/2633 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c520f40d1a2d77cf1d413451b5682297733521ed 29-Apr-2015 Aron Parsons <parsonsa@bit-sys.com>

IPA: fix segfault in ipa_s2n_exop can be triggered on demand by assigning a POSIX group with external members sudo privileges, then dropping the cache and doing a sudo -U <user> -l. Reviewed-by: Sumit Bose <sbose@redhat.com>

625cff0b0938538e51fdd3b2d985e6082b492ea5 27-Apr-2015 Sumit Bose <sbose@redhat.com>

IPA: use sysdb_attrs_add_string_safe to add group member The member list returned by the extdom plugin might contain some entries more than once. Although this is an issue on the server side to avoid ldb errors duplicates should be filtered out on the client as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2ab9a4538eb2e1a255e645f7efdcfd6bb722d265 27-Apr-2015 Sumit Bose <sbose@redhat.com>

IPA: do not try to save override data for the default view For the default view all override data is available in the cached user or group object. Even if separate override data is available it should not be written into the cache. Resolves https://fedorahosted.org/sssd/ticket/2630 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

131da4d9f40e0e407d7bcae18ff16507976bc6c7 19-Mar-2015 Pavel Reichl <preichl@redhat.com>

IPA: set EINVAL if dn can't be linearized Reviewed-by: Sumit Bose <sbose@redhat.com>

abb093b4ae10f2a5748bf9f194bf76794002eba0 19-Mar-2015 Sumit Bose <sbose@redhat.com>

IPA: make sure output variable is set Reviewed-by: Pavel Reichl <preichl@redhat.com>

8be0cf3eea892e13410c13abb030322599ca1b4f 17-Mar-2015 Sumit Bose <sbose@redhat.com>

IPA idviews: check if view name is set When working with older FreeIPA releases the view name might not always be set. This patch adds checks to make sure it is only dereferenced when set. Resolves https://fedorahosted.org/sssd/ticket/2604 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

7ee9ac32485483beece872d6fcb3096fa77a004b 13-Mar-2015 Sumit Bose <sbose@redhat.com>

ipa: make sure extdom exop data is available Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3e9712c2fdbba8f9cd25886943331e76e0b2cedd 13-Mar-2015 Sumit Bose <sbose@redhat.com>

ipa: do not treat missing sub-domain users as error Resolves: https://fedorahosted.org/sssd/ticket/2444 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

9ad346318dc2cc5d5a340d8d981ddfdcc6f632da 30-Jan-2015 Sumit Bose <sbose@redhat.com>

ipa_s2n_save_objects: properly handle fully-qualified group names Check if the given name is already fully-qualified instead of adding a domain name unconditionally. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

b2c5e98def89a0c3d16f5cf7e07ce2020338b540 26-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Use attr's dom for users, too The 'dom' pointer points to domain of the main object being saved. In case of group, dom points to the domain where the group resides. But when saving members, each member might be from a different domain, so we need to find every member's domain based on the attributes. Also don't use Yoda style in conditions. Reviewed-by: Sumit Bose <sbose@redhat.com>

60f11e2fa1f63cd40ebace525ad823b0360fac94 26-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: process_members() add ghosts only once Since ghost entries might not be properly removed on the IPA server (https://fedorahosted.org/sssd/ticket/2567) chances are that during extdom group lookups a single user is returned multiple times. This patch removes the duplicates before trying to write the data to the cache. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dd5ebcde05442422f39084acb49b28cf47002d1e 23-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: properly handle mixed-case trusted domains In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA clients look up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must be adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ba818cc39dfe94c2b8613f4badf7912811f0f737 21-Jan-2015 Sumit Bose <sbose@redhat.com>

views: fix GID override for mpg domains When adding a user sysdb internally adds a value to SYSDB_GIDNUM for mpg domain which might cause conflicts with the one we added to users git GID overrides. With this patch the override GID is added after the user is created but in the same transaction. Related to https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

62d919aea98edd1095f6a22241903d4c045b46ed 14-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLIST Since RESP_USER_GROUPLIST contains all group memberships it is effectively an initgroups request hence SYSDB_INITGR_EXPIRE will be set. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3cd287313d93e29f9754feb46017dba2a039affd 14-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: resolve missing members Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f1f22df95996390f63266ebacb624e521d934592 14-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

942ebb62c8df766a22271103abd518ddae02ea3a 14-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: process_members() optionally return missing members list Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e6046d23b3e90102fb3c796737ced03fb5a60fea 14-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: add missing break The current request already returned the SID, we do not need to request it separately. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2fc12875f7d51248799016c19c1298b85e06a286 14-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: make version check more precise The call protected by the check does not only expect the version 1 of the extdom plugin is used but a specific response type as well. Since version 1 can return older response types as well we want to be on the safe side. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d8ceb194023a2cdc8bc183acc322e9a7fb6fe2b1 14-Jan-2015 Sumit Bose <sbose@redhat.com>

IPA: do not look up overrides on client with default view The IPA extdom plugin returns the data with the default view already applied hence it is not needed to look up the override data if the client has the default view assigned. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

034dcabb40e654a95f3714d871db471ff7bf97f8 17-Dec-2014 Sumit Bose <sbose@redhat.com>

IPA: handle GID overrides for MPG domains on clients Resolves https://fedorahosted.org/sssd/ticket/2514 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

8f9d7684a47cd4715dce22c8254ddde205db9afe 17-Dec-2014 Lukas Slebodnik <lslebodn@redhat.com>

IPA: properly handle groups from different domains When groups are resolved on IPA clients as part of a user lookup not all groups have to be from the same domain as the user. This has to be checked to store the group object properly in the cache. Related to https://fedorahosted.org/sssd/ticket/2529 and https://fedorahosted.org/sssd/ticket/2524 Reviewed-by: Sumit Bose <sbose@redhat.com>

ad463501d3bdea4c24c17d792efc1c3e65c08c19 17-Dec-2014 Sumit Bose <sbose@redhat.com>

IPA: verify group memberships of trusted domain users Depending on the state of the cache group object a freshly created or updated user entry for a trusted domain user might already be a member of the group or not. This cache makes sure the requested user is a member of all groups returned from the extdom request. Special care has to be taken to cover cross-domain group-memberships properly. Resolves https://fedorahosted.org/sssd/ticket/2529 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1b2a9e3f17e54bcbe5c9bee82a91ae694b7ea0eb 24-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Handle IPA groups returned from extop plugin Reviewed-by: Sumit Bose <sbose@redhat.com>

35863245aa8b8404caedfc95e68b3aa5af14542e 22-Oct-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Handle NULL members in process_members() Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

bc85b7e2b7b1569e64d8832c52cab9ad165e6fc1 22-Oct-2014 Sumit Bose <sbose@redhat.com>

ipa: improve error reporting for extdom LDAP exop This patch fixes a typo when calling ldap_parse_result() which prevented the server-side error message to be used and adds a hint that more information might be available on the server side. Fixes: https://fedorahosted.org/sssd/ticket/2456 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ed4a9bd4d0f7fb359bed66a8d63a92e7be633aae 16-Oct-2014 Sumit Bose <sbose@redhat.com>

views: search overrides for user and group requests If the name or the POSIX ID of a user or a group is overridden the search request for those objects have to check the override objects first before looking up the original objects. This patch adds a new request for the IPA sub-domain users which checks the overrides first if
- SSSD is running in ipa-server-mode and a name or a POSIX ID is searched, since we do not override the SIDs we can skip the search in the override tree here
- if the responder indicates it has not found the corresponding object in the cache and the input might be an override name or ID and not the original one of an object.
If an override object was found the SID is extracted from the anchor attribute and the original object is searched by its SID. If no override object was found the original object is searched with the original input and finally it is checked if an override object exists for the found object. Relates to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

9c8db0a17a66c58c36966b17d004142a4aaace8d 16-Oct-2014 Sumit Bose <sbose@redhat.com>

views: get overrides during user and group lookups With this patch the IPA provider will check if overrides exist for the given view during the lookup of users and groups from trusted domains. In ipa-server-mode the default view is automatically applied and written to the cache. On IPA clients which use the extdom plugin for user and group lookups the override data is saved separately and the original object and the override data are linked with DN attributes for faster reference. Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

00c283ca719717ed483958571982d0e9ff95c4b1 16-Oct-2014 Sumit Bose <sbose@redhat.com>

IPA: make IPA ID context available to extdom client code Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

abee3216261e3378430e472f0c992470b33976f0 14-Oct-2014 Sumit Bose <sbose@redhat.com>

add_v1_group_data: fix for empty members list Reviewed-by: Pavel Březina <pbrezina@redhat.com>

210e57203a1502f78a16b05010d52c9121b644e3 12-Oct-2014 Lukas Slebodnik <lslebodn@redhat.com>

IPA: Fix error handling after talloc_ber_flatten The function talloc_ber_flatten can return EFAULT, ENOMEM, EOK. But it was tested for -1. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

28c70f003c7b330ab1d998a4eff1248d272a6ba9 30-Sep-2014 Sumit Bose <sbose@redhat.com>

IPA: add support for new extdom plugin version Initially the extdom plugin was only used to translate SIDs of AD user and groups to names or POSIX IDs. On IPA clients group memberships were resolved with the help of the PAC in the Kerberos ticket which required that the user has logged in at least once. Home directory and the login shell were auto generated. The new version of the extdom plugin can return the complete list of group memberships of a user and the list of all members of a group. Additionally the gecos field, home directory and login shell are returned together with an optional list of key-value pairs for arbitrary data which is written unmodified to the cache. Fixes https://fedorahosted.org/sssd/ticket/2159 and https://fedorahosted.org/sssd/ticket/2041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ae0a5011e2644eaa482ea1b9e1451eff05c676b9 02-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Add option to expand homedir template format LDAP server can contain template for home directory instead of plain string. This patch adds new expand option "%H", which will be replaced with value from configuration option homedir_substring (from sssd.conf) Resolves: https://fedorahosted.org/sssd/ticket/1853

5cd660aaa885bca95ac3dca660bb77e5786d5f8e 02-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Refactor expand_homedir_template Function expand_homedir_template had a lot of parameters. After adding new expand option, all function calls should be rewritten, (usually argument NULL will be added) This patch wraps all necessary arguments to structure.

a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

c9124effceb40890bc9dd157155618067a7b8d2f 19-Dec-2013 Sumit Bose <sbose@redhat.com>

Use sysdb_attrs_add_lc_name_alias to add case-insensitive alias

d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

/sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_sudo.c ipa_access.c ipa_hbac_common.c ipa_hbac_hosts.c ipa_hbac_services.c ipa_hbac_users.c ipa_id.c ipa_netgroups.c ipa_s2n_exop.c ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_reinit.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c
5cd4414fce1e0eb4133dfc6fc828bf25c8a959f9 24-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Include header file in implementation module. Declarations of public functions were in header files, but header files were not included in implementation file.

/sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_srv.c ipa_auth.c ipa_s2n_exop.c ipa_srv.c /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/sdap_async_autofs.c /sssd-io/src/providers/ldap/sdap_async_enum.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_dyndns.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/tests/common_check.c /sssd-io/src/util/crypto/libcrypto/crypto_base64.c /sssd-io/src/util/crypto/nss/nss_base64.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/murmurhash3.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c
83b5a69a90dd74aaef01d48846a5504789a28317 19-Aug-2013 Sumit Bose <sbose@redhat.com>

ipa_s2n_get_user_done: make sure ALIAS name is lower case Fixes https://fedorahosted.org/sssd/ticket/1630

a9a619a4adb00ee60973050297b1b1c57e275016 19-Aug-2013 Sumit Bose <sbose@redhat.com>

ipa_s2n_get_user_done: free group_attrs as well

68c26d9ec785b8af0b45247705b20e82656bfd05 29-Jul-2013 Jakub Hrozek <jhrozek@redhat.com>

Use GID if subdomain is not MPG https://fedorahosted.org/sssd/ticket/2032 In non-MPG subdomains (such as those that manage their IDs manually with POSIX attributes), we need to set the GID ourselves.

1987bff88e01c74d647dd2db4f541ac311537e1a 30-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Add utility functions for formatting fully-qualified names Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.

e2f6326ea56217afab7623c542a237ee84eb74da 03-May-2013 Sumit Bose <sbose@redhat.com>

Add SID related lookups to IPA subdomains This patch adds the functionality to handle lookup by SIDs and lookups for SIDs to the subdomain branch of the IPA ID provider.

2962b3d1e072ff2ebbe343095812dad697d6bf1d 02-May-2013 Sumit Bose <sbose@redhat.com>

Use struct to hold different types of request parameters Currently the POSIX ID or the user name are passed in different parameters to some calls. The method will get cumbersome and error-prone if new parameters like, e.g. the SID, are added. This patch adds a union to hold the different kinds of parameters.

44c379a27a2d8de0ad933ebb2558b5e82b05fd56 02-May-2013 Sumit Bose <sbose@redhat.com>

Remove unused attribute list

6fc4702a3037d9bb5b27bcb58f70edf1802b7b19 10-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

Allow using flatname for subdomain home dir template https://fedorahosted.org/sssd/ticket/1609

233a3c6c48972b177e60d6ef4cecfacd3cf31659 19-Mar-2013 Simo Sorce <simo@redhat.com>

Use common error facility instead of sdap_result Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired

9f37bb2012faa136ef7c1f9fe93689ce2be85637 13-Mar-2013 Ondrej Kos <okos@redhat.com>

Fix initialization of multiple variables

2cbb879c517f2c756a2eb3962527979bac01ddab 10-Feb-2013 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add original homedir to home directory template options https://fedorahosted.org/sssd/ticket/1805

99c0cfdc5f065ba38f1ee91701d1d27f9e4fdb96 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_store_group() Also remove sysdb_store_domgroup()

6ac396bebb4cd3124711d26dce54263f6f9c7c45 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_store_user() Also remove sysdb_store_domuser()

8d9e0547a864cee05ab36bc988300c0cfa986025 19-Nov-2012 Simo Sorce <simo@redhat.com>

Refactor the way subdomain accounts are saved The original sysdb code had a strong assumption that only users from one domain are saved in the database. With the subdomain feature, we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and have group memberships or other name based matching code mistake a domain user with subdomain user or vice versa.

ac7a7ee3d1e138818a1ed78758f7dd3c3306a56b 26-Oct-2012 Sumit Bose <sbose@redhat.com>

Make sub-domains case-insensitive Currently the only type of supported sub-domains are AD domains which are not case-sensitive. To make it easier for Windows users we make sub-domains case-insensitive as well, which allows writing the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.

4cf3bc3b94ccf1e60d29c0eb765f02cb49fbac2d 26-Oct-2012 Sumit Bose <sbose@redhat.com>

subdomain-id: Generate homedir only for users not groups

70eaade10feedd7845e39170d0b7eebf3a030af1 12-Oct-2012 Sumit Bose <sbose@redhat.com>

Allow extdom exop to return flat domain name as well There are cases where the extdom extended operation will return the flat or NetBIOS name of a domain instead of the DNS domain name. If this name is available for the current domain we accept it as well. Related to https://fedorahosted.org/sssd/ticket/1561

36a12aea020a935ffa40505fa02860c3d921ad0c 24-Apr-2012 Sumit Bose <sbose@redhat.com>

Add s2n extended operation