History log of /sssd-io/src/providers/simple/simple_access.h
Revision Date Author Comments
a620742bffad5ef92597b6a25401f6d5c217afa9 15-Jan-2014 Pavel Reichl <pavel.reichl@redhat.com>

simple access: refresh master domain info
To correctly decide if an object is a member of the main sssd domain, a flat name is needed. However, the information may not be available when the module is inited so it may be necessary to refresh this data later while processing a request.
Resolves: https://fedorahosted.org/sssd/ticket/2189

c0bca1722d6f9dfb654ad78397be70f79ff39af1 19-Mar-2013 Jakub Hrozek <jhrozek@redhat.com>

Resolve GIDs in the simple access provider
Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function.
Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX

225d845476b6136be9b77f528ed986bba7a7f732 21-Jan-2013 Simo Sorce <simo@redhat.com>

Split simple_access_check function out
Need to split out the function or new additions to the handler function will not allow simple access tests to compile anymore.

df0596ec12bc5091608371e2977f3111241e8caf 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure.

/sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_backend.h /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/ldap_id_services.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_id.c simple_access.c simple_access.h
1b474ef7011f4bf9ce4aac85dbc9827a9486d5eb 13-Dec-2010 Stephen Gallagher <sgallagh@redhat.com>

Add group support to the simple access provider
This patch adds simple_allow_groups and simple_deny_groups options to the simple access provider. It makes it possible to grant or deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now all deny rules will supersede allow rules. Previously, if both simple_allow_users and simple_deny_users were set with the same value, the allow would win.
https://fedorahosted.org/sssd/ticket/440

16ac0d6e148b1e07e579d47de1da7ac541447bd2 08-Mar-2010 Sumit Bose <sbose@redhat.com>

Add simple access provider