History log of /sssd-io/src/responder/pac/pacsrv.h
Revision Date Author Comments
459f7de99ec65626be5ea6517d9d953c8714c327 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing ncache from pac_ctx

This patch switches ncache from pac_ctx to resp_ctx.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

45afb8190a9db5ef5fb9b3ca7e4967d2228c8f1d 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing neg_timeout from pac_ctx

It removes neg_timeout parameter from pac responder. Timeout is handled by internal structure of negative cache.

Resolves: https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

d0d7de66c9494621c1bc12384e41e5e38a77fbeb 13-Apr-2016 Sumit Bose <sbose@redhat.com>

PAC: only save PAC blob into the cache

Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com>

19b4bb652f5cdc2797b66595eaf8811881aa9873 22-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

Include external headers with #include <foo.h>

I find it more readable to include headers from outside the sssd tree with <foo.h>, not "foo.h". The latter should be used for in-tree headers only.

e5aa9ba0df9f30e32a86453727beabed8a9e4e27 26-Aug-2013 Sumit Bose <sbose@redhat.com>

PAC: handle non-POSIX groups in cache

Since the DN of the group is used to remove a membership it is not necessary to check if the GID is valid.

1e9930690691360d8963eecea4918b36b6d51013 26-Aug-2013 Sumit Bose <sbose@redhat.com>

PAC: if user entry already exists keep it

Currently the PAC responder deletes a user entry and recreates it if some attributes seem to be different. Two of the attributes were the home directory and the shell of the user. Those two attributes are not available from the PAC but were generated by the PAC responder. The corresponding ID provider might have better means to determine those attributes, e.g. read them from LDAP, so we shouldn't change them here. The third attribute is the user name. Since the PAC responder does lookups only based on the UID we can wait until the ID provider updates the entry.

Fixes https://fedorahosted.org/sssd/ticket/1996

92af6f25864b5c389b57d0f659686801b45ca58c 06-Jun-2013 Sumit Bose <sbose@redhat.com>

Enhance PAC responder for AD users

This patch modifies the PAC responder so that it can be used with the AD provider as well. The main difference is that the POSIX UIDs and GIDs are now looked up with the help of the SID instead of being calculated algorithmically. This was necessary because the AD provider allows either algorithmic mapping or reading the value from attributes stored in AD.

Fixes https://fedorahosted.org/sssd/ticket/1558

d29d5d9e0e9ee0396a46f4375092644f29024f25 21-Apr-2013 Sumit Bose <sbose@redhat.com>

Fix and rename get_my_domain_data()

The task of get_my_domain_data() is to read some information about the configured domain from the cache. While the sysdb interface was redesigned some changes changed the behaviour so that the data of the domain of the current request was read. If this domain is a sub-domain the wrong data was read. As a result group-memberships of the configured domain were not taken into account. The original code didn't make it easy to see that always the parent domain should be used here, because there was no comment indicating this and the function name get_my_domain_data() didn't make it clear either. Additionally to fixing the issue this patch also adds a comment and renames the function to get_parent_domain_data().

Fixes https://fedorahosted.org/sssd/ticket/1888

275102c8f332323571d55370a705d4610d24f510 04-Mar-2013 Jakub Hrozek <jhrozek@redhat.com>

Remove unused functions

ef7a4f1a831a15356edb8e571a8c6b36f6ace017 08-Jan-2013 Sumit Bose <sbose@redhat.com>

Refactor gid handling in the PAC responder

Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain and store it with a pointer to the domain.

57a3f07fd9ff149156078caacb22aab9fd634f43 08-Jan-2013 Sumit Bose <sbose@redhat.com>

PAC responder: check if existing user differs

If some of the Posix attributes of a user existing in the cache differ from the data given in the current PAC the old user entry is dropped and a new one is created with the data from the PAC.

c9486b9a458be6bdbf5ab5aaf84a816419d7dcc5 08-Jan-2013 Sumit Bose <sbose@redhat.com>

Save domain and GID for groups from the configured domain

Currently users from subdomains can only be members of groups from the configured domain and to access those groups a pointer to the domain struct of the configured domain is used. This patch sets the dom_grp member of struct pac_grp to point to the domain struct of the configured domain for groups from this domain. This is a first step to allow group membership for groups from subdomains as well. For those groups a pointer to the related subdomain structure will be saved.

12bfb1b3c9683ccc9972749772a6e6be495c0769 08-Jan-2013 Sumit Bose <sbose@redhat.com>

Add find_domain_by_id()

Currently domains can only be searched by name in the global domain list. To make it easier to find the domain for a given SID find_domain_by_id() which returns a pointer to the domain or subdomain entry in the global domain list if a matching id was found.

8d371b14623e1dced3ddc885ff7d8cd2cbf50604 08-Jan-2013 Sumit Bose <sbose@redhat.com>

Use struct pac_grp instead of gid_t for groups from PAC

To be able to handle group memberships from other domains more data than just the gid must be kept for groups given in the PAC.

e880949305cee3aca79441fe6113a9d79e7c98f2 18-Dec-2012 Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: Create a common file with service names and versions

The monitor sends calls different sbus methods to different responders. Instead of including headers of the particular responders directly in monitor, which breaks layering a little, create a common header file that will be included from src/responder/common/

1a456e464803c6d1e82081e9b4d618fa0b07b3d7 11-Nov-2012 Sumit Bose <sbose@redhat.com>

Add diff_gid_lists() with test

This patch adds a new call which compares a list of current GIDs with a list of new GIDs and returns a list of GIDs which are currently missing and must be added and another list of GIDs which are not used anymore and must be deleted. The method is the same as used by diff_string_lists().

d9137b153f1266ee5659405b2d7bc11787dad817 26-Oct-2012 Sumit Bose <sbose@redhat.com>

pac responder: add user principal and name alias to cached user object

The principal name for the user is generated with the user name and the domain from the PAC. It is stored in the cache so that it e.g. can be used by password authentication. Additionally the name alias is stored to allow case-insensitive searches.

e13baa8dab9741d9221d3794fd8abf3d461f8d6d 21-Jun-2012 Sumit Bose <sbose@redhat.com>

Add range support to PAC responder

e3f0014bb64b7e93979948936cf93cf869d3dc44 21-Jun-2012 Jan Zeleny <jzeleny@redhat.com>

PAC responder: add some utility functions

b9e5bd09a5ff7009537a18914dbebcf10498f592 21-Jun-2012 Sumit Bose <sbose@redhat.com>

PAC responder: add basic infrastructure

This adds only the basic outline of the PAC responder, it won't support any operations, it will just start and initialize itself.