08db22b1b1a2e742edbca92e35087294d963adda |
|
10-Apr-2018 |
Sumit Bose <sbose@redhat.com> |
nss: add a netgroup counter to struct nss_enum_index
Netgroups are not looked up with the help of a single request but by
calling setnetgrent(), getnetgrent() and endnetgrent() where
getnetgrent() might be called multiple times depending on the number of
netgroup elements. Since the caller does not provide a state, the state
has to be maintained by the SSSD nss responder. Besides the netgroup
name, this is mainly the number of elements already returned.
This number is used to select the next element to return, and currently
it is assumed that there are no changes to the netgroup while the
client is requesting the individual elements. But if, e.g., the 3 nss
calls are not used correctly or the netgroup is modified while the
client is sending getnetgrent() calls, the stored number might be out of
range. To be on the safe side, the stored number should always be
compared with the current number of netgroup elements.
Related to https://pagure.io/SSSD/sssd/issue/3679
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
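
The failure mode described in the commit message above, as an added example that is not code from the SSSD commit: a per-client counter is compared with the current element count on every getnetgrent()-style call. The names `enum_state`, `netgroup`, `enum_start`, `enum_next` and the sample members are hypothetical and constructed for illustration; they are not SSSD's `struct nss_enum_index` or its API.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-client state; a simplified stand-in, not SSSD's
 * struct nss_enum_index. */
struct enum_state {
    size_t returned;            /* elements already handed to the client */
};

/* Constructed model of a cached netgroup that can change between calls. */
struct netgroup {
    const char *const *members;
    size_t count;               /* current number of elements */
};

/* setnetgrent() analogue: start a fresh enumeration. */
void enum_start(struct enum_state *st) { st->returned = 0; }

/* getnetgrent() analogue: return the next element, or NULL when done.
 * The stored counter is checked against the current element count on
 * every call, so a stale counter ends the enumeration instead of
 * indexing past the end of the array. */
const char *enum_next(struct enum_state *st, const struct netgroup *ng)
{
    if (ng == NULL || ng->members == NULL || st->returned >= ng->count) {
        return NULL;
    }
    return ng->members[st->returned++];
}

/* Fetch two elements, shrink the netgroup, then fetch again.
 * Returns 1 if the third call is refused, 0 otherwise. */
int demo_shrink_between_calls(void)
{
    static const char *const v1[] = { "(host1,alice,example)",
                                      "(host2,bob,example)",
                                      "(host3,carol,example)" };
    static const char *const v2[] = { "(host1,alice,example)" };
    struct netgroup ng = { v1, 3 };
    struct enum_state st;

    enum_start(&st);
    enum_next(&st, &ng);
    enum_next(&st, &ng);
    ng.members = v2;            /* netgroup modified mid-enumeration */
    ng.count = 1;
    return enum_next(&st, &ng) == NULL && st.returned == 2;
}

int main(void) { printf("stale counter rejected: %d\n", demo_shrink_between_calls()); return 0; }
```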
a7d6ca275d6b2e5d396cbefb18d0ee880011e271 |
|
06-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
nss: make memcache_delete_entry() public
Related to https://pagure.io/SSSD/sssd/issue/2478
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c31065ecc0793e836066035d0c692b050b5f6f55 |
|
27-Jul-2017 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
NSS: Move shell options to common responder
Move all the shell-related options from the NSS responder context to the
common responder context, so they can be used by other responders for
retrieving the original user shell when it is overridden for session
recording.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
7c074ba2f923985ab0d4f9d6a5e01ff3f2f0a7a8 |
|
21-Apr-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
Move sized_output_name() and sized_domain_name() into responder common code
These functions are used to format a name into a format that the user
configured for output, including case sensitiveness, replacing
whitespace and qualified format. They were used only in the NSS
responder, which typically returns strings to the NSS client library and
then the user.
But it makes sense to just reuse the same code in the IFP responder as
well, since it does essentially the same job.
The patch also renames sized_member_name to sized_domain_name.
Previously, the function was only used to format a group member; the IFP
responder would use the same function to format a group the user is a
member of.
Related to:
https://pagure.io/SSSD/sssd/issue/3268
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
c778c36c5170c2b9f1cf7a6e3b0811124534df03 |
|
15-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFDB: Make pwfield configurable per-domain
Previously, the pwfield option was only configurable at the NSS level.
Because it's important for the files provider to report "x" as the
pwfield instead of "*" which is the SSSD default, this commit makes the
pwfield configurable at the domain level.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4049b63f8c67ada17b453463b0451ca6be3d5de4 |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
nss: rewrite nss responder so it uses cache_req
Given the size of the current nss responder it was quite impossible
to simply switch into using the cache_req interface, especially
because most of the code was duplication of cache lookups.
This patch completely rewrites the responder from scratch. The amount
of code was reduced to less than half the lines of code, with no code duplication,
better documentation and better maintainability and readability.
All functionality should be intact.
*Code organization*
All protocol handling (parsing the input message and sending a reply) is placed
in nss_protocol.c. Functions that deal with creating a reply
packet are placed into their specific nss_protocol_$object.c files.
All supported commands are placed into nss_cmd.c. Functions that
deal with cache req are in nss_get_object.c and nss_enum.c.
*Code flow for non-enumeration*
An nss_getby_$input-type is called for each non-enumeration command.
This function parses the input message, creates a cache_req_data
structure and issues nss_get_object that calls cache_req. When
this request is done, nss_getby_done makes sure a reply is sent to
the client.
*Comments on enumeration*
I made some effort to make sure enumeration shares the same code
for users, groups, services and netgroups. Netgroups now use the
nss negative cache instead of implementing its own.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |