382a972a80ac571cdbf70d88571f6de49fe1cd23 |
|
27-Jul-2017 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
CACHE_REQ: Pull sessionRecording attrs from initgr
After entries are retrieved by cache_req for user info requests (except
initgr), overlay them with sessionRecording attribute retrieved from an
initgr request made additionally for each entry.
Do not do additional initgr requests with selective session recording
enabled, if we don't have any group names to match against in session
recording configuration. Only do user name matches instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
29dd456102dc995aa59a56483363087071bb84d6 |
|
27-Jul-2017 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
RESPONDER: Add session recording conf loading
Add session recording configuration loading to the common responder
initialization. To be used for substituting the user shell when
session recording is enabled.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
66c8e92eb5a4985bb7f64c349a53b08030a000cf |
|
29-Mar-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
CACHE_REQ: Make use of domainResolutionOrder
domainResolutionOrder has been introduced in the previous commits and
allows the admin to set up a specific order which the domains will be
resolved during a lookup and with this patch we can take advantage of
this.
In order to have it working a new structure has been added
(struct domain_resolution_order) to the responder context and will be
used by the cache_req to perform the lookups based on this list.
As the ipaDomainResolutionOrder may be set globally on IPA or per View,
SSSD does respect the following precedence order: View > Globally.
The way the list is built is quite simple, basically having the domains
present on ipaDomainResolutionOrder as the first domains (in that
specific order) and then appending the remaining domains to this list.
The final result is a completely flat list with all the domains
respecting the specified order (it's important to remember that the
domains not specified won't follow any specific order, they're just
"random" based on the domains list present in the responder context).
Related:
https://pagure.io/SSSD/sssd/issue/3001
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
7cd226414c7bcdd32f05416df64ebda3ac869bd7 |
|
14-Mar-2017 |
Pavel Březina <pbrezina@redhat.com> |
CACHE_REQ: Move result manipulation into a separate module
This patch is preparing the field for coming up patches where new lookup
logic will be added.
Taking this into consideration let's move the result manipulation code
into a separate module and focus purely on the lookups logic in the main
module.
Related:
https://pagure.io/sssd/sssd/issue/3001
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
205a0b9e9234327730fa808be95b2e1db7ffee95 |
|
15-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDER: A sbus interface to reset negatively cached users and groups
Adds two new responder sbus interface functions: ResetNegcacheUsers and
ResetNegcacheGroups. These functions can be called by a Data Provider to
signal to a responder that it should drop its negative cache.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
c109f063b4469818fd335b8b509f0458e7b33b0a |
|
15-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
RESPONDER: Add a responder sbus interface to set domain state
Adds a generic responder s-bus interface that all responders implement.
The interface currently contains methods that make it possible for a sssd
domain to be marked as active or inconsistent by a back end.
In the future, this commit will be superseded by sbus signals.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
53c31b83e4d06ea4c2813eec2f1e647a613b4a2b |
|
08-Feb-2017 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add host by name search
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3be2628d8aba6aeb99ac1484da990f1fad8169ec |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add object by id
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
488518dde58724daa13b9216a0f1af6e0ba5401f |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add object by name
This request returns either user or group object.
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7a2ca8d776df685bddbb64370181fb32d776f676 |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: return well known objects in object by sid
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6b159f14f69134bba8510a6b50ab62493a23a73f |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add support for netgroups
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
0ae7e46a3990c47873fca879a9395e3ce00d9150 |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add support for services enumeration
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
c2fc9459c31cb1192ab3c15ce4df1c150e99bf95 |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add support for service by port
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2e13817e64ff1e0e47dc844be501f2d3ab299f34 |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add support for service by name
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
12d771585a84a7523a5b7d9cf502d4bcddecb9b9 |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add group enumeration
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a79acee185654d110c0e35ba351368d664e4e53d |
|
19-Dec-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: add user enumeration
Resolves:
https://fedorahosted.org/sssd/ticket/3151
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
4169fb26ea2ff93c19ecdad6e09382732ea5deeb |
|
20-Oct-2016 |
Pavel Březina <pbrezina@redhat.com> |
cache_req: switch to new code
This patch switches the old switch-based cache req code to
the new plugin-based.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
04e870d99e72aa3160bdb6ab05d986fb4005c3ed |
|
16-Aug-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Remove old data provider interface
Reverse data provider interface is moved to a better location in
NSS responder. All responders now can have an sbus interface
defined per data provider connection. The unused old data provider
interface is removed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
e5911e72198df96ec7cfe486ff66363c2297a5f7 |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Responders: Add support for socket activation
Add helper that uses systemd socket activation if available to accept a
pre-listening socket at startup.
Related:
https://fedorahosted.org/sssd/ticket/2913
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
83a79d93035c2d75a1941f3b54426119174044a0 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
RESPONDER: New interface for client registration
This is just a beginning of new responder interface to data provider
and it is just to make the client registration work. It needs further
improvement.
The idea is to take the existing interface and make it work better
with further extensions of data provider. The current interface has
several disadvantages such as it is originally built only for
account requests and doesn't take different set of output parameters.
It also doesn't work well with integration into tevent-made responders.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
d9e88bddc99bae0542b2179c9b94c968855b0fd0 |
|
10-Jun-2016 |
Petr Cech <pcech@redhat.com> |
TEST: New tests for negative caching of locals
Negative cache has special timeout for local entities (users, groups).
This patch adds new tests for such behaviour. The tests are based on
cwrap.
Resolves:
https://fedorahosted.org/sssd/ticket/2928
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
e7ccfb139388c947ec2dee16cfe3005f5643b90d |
|
10-Jun-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDERS: Negative caching of local users
This patch adds new option 'neg_cache_locals_timeout' into section
of NSS responder. It allows negative caching of local groups and
users. Default value is 0 which means no caching.
Resolves:
https://fedorahosted.org/sssd/ticket/2928
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
29c5542feb4c45865ea61be97e0e84a1d1f04918 |
|
10-Jun-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
BUILD: Add build infrastructure for systemtap scripts
Adds infrastructure that generates the probes.h and probes.o from the
dtrace probes.d file. The probes.d file is empty except for the provider
name in this commit, its content will be added with later commits that
actually add some content. The probes.d file is always distributed in
the tarball so that distributions can optionally enable systemtap
support.
The generation is done using the "dtrace" command because the probes.d file
is compatible with the Solaris dtrace format. Please see "man 1 dtrace"
for more information on the dtrace format and the command line tool.
In order to make libtool happy, a fake libtool object is generated. This
hunk was taken from the libvirt code.
The AM_V_GEN macro is used to make the build compatible with the silent
build configuration.
To enable systemtap probing, configure sssd with:
--enable-systemtap
In order to do so, the 'dtrace' command-line utility must be installed.
On Fedora and RHEL, this package is installed as part of the
"systemtap-sdt-devel" package.
You'll also want the 'systemtap' package installed as well as the matching
versions of kernel-devel and kernel-debuginfo on your machine.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
56c9f8731173eae841a05f31bb03d311076a8485 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDERS: Negcache in resp_ctx preparing
Preparation for initialization of negative cache in common responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
edcd5d552d6174a5a0cf2f3532e240ae3a8b5605 |
|
10-Mar-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
BUILD: Simplify build of cwrap tests
It will compilation of 40 files.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
6499d0b915209b670f8e337c4fe76a8be9fa6576 |
|
28-Jan-2016 |
Simo Sorce <simo@redhat.com> |
Util: Improve code to get connection credentials
Adds support to get SELINUX context and make code more abstract so
that struct ucred (if available) can be used w/o redefining uid,gid,pid to
int32. Also gives a layer of indirection that may come handy if we want
to improve the code further in the future.
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Michal Židek <mzidek@redhat.com> |
a751a11eec71c42b8aaf723a0eefc3babd35ad32 |
|
26-Oct-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
BUILD: Remove SSS_CRYPTO_LIBS from common libraries
The similar change was done in main makefile by change
69b46c32357ccf1aab9c0bd6d1afa33a8724ad77
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e1c899eaa30f25eee7d2a62b0007d764fda1b722 |
|
26-Oct-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
BUILD: Remove unused variables
LIBCAPNG_{CFLAGS,LIBS} are not defined anywhere in sssd.
It could be introduced as copy&paste error from different project.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ebbbaeb5d9ae22ca92a9a8920c1bde3f100a8d7f |
|
26-Oct-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
responder_common_tests: Removed unused libraries
responder_common_tests does not use any function which requires to link
with UNICODE libraries or with libsss_crypt
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
7d8b7d82f0a91ed656320577fc781f24a66db9f8 |
|
19-Jun-2015 |
Sumit Bose <sbose@redhat.com> |
sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
Related to https://fedorahosted.org/sssd/ticket/2596
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a5bb518446d5ce565d7ba819590a009cabb0b0b4 |
|
16-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
Reviewed-by: Michal Židek <mzidek@redhat.com> |
1d93029624d708119bbf803e6647a2cbb271f001 |
|
20-Mar-2015 |
Sumit Bose <sbose@redhat.com> |
sdap: properly handle binary objectGuid attribute
Although in the initial processing SSSD treats the binary value right at
some point it mainly assumes that it is a string. Depending on the value
this might end up with the correct binary value stored in the cache but
in most cases there will be only a broken entry in the cache.
This patch converts the binary value into a string representation which
is described in [MS-DTYP] and stores the result in the cache.
Resolves https://fedorahosted.org/sssd/ticket/2588
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
eaaeaa7e00c3d4bfa792cc4d3c6770dc1e28ef0c |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
Fix KRB5_CONF_PATH
Currently a shell/Makefile variable is used in the definition of
KRB5_CONF_PATH for C code. This patch replaces it with a compiler macro.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c807ac1835344e5bed2b057ef42e28c63125d955 |
|
27-Oct-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
BUILD: Fix linking cwrap tests with -Wl,--as-needed
CCLD responder_common-tests
.libs/libsss_util.so: undefined reference to `sss_base64_encode'
.libs/libsss_util.so: undefined reference to `s3crypt_gen_salt'
.libs/libsss_util.so: undefined reference to `sss_base64_decode'
.libs/libsss_util.so: undefined reference to `s3crypt_sha512'
collect2: error: ld returned 1 exit status
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
5eda23c28c582b43b2a0a165b1750f3875c0fa84 |
|
22-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Add a function to convert id_t from a number or a name
We need a custom function that would convert a numeric or string input
into uid_t. The function will be used to drop privileges in servers and
also in the PAC and IFP responders.
Includes a unit test to test all code that changed as well as a fix for
a misnamed attribute in the csv_to_uid_list function synopsis.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
5192d5db927d718e2bb1b6551753a836b2a3291a |
|
22-Oct-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
BUILD: Fix automake warning
src/tests/cwrap/Makefile.am:45: warning: check_PROGRAMS was already
defined in condition TRUE, which includes condition HAVE_CMOCKA
and HAVE_NSS_WRAPPER and HAVE_UID_WRAPPER ...
src/tests/cwrap/Makefile.am:41: ... 'check_PROGRAMS' previously defined here
This patch also replaces '\t' with spaces
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2689efa614826d45cab60ea1186d44b8bdd243ad |
|
20-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
TESTS: Unit tests for server_setup
We changed server_setup, so we must make sure the function continues to
work as expected.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
940c94bc9a29165987cb9d3f71c4a4ec76e7a1fc |
|
20-Oct-2014 |
Pavel Reichl <preichl@redhat.com> |
TESTS: Add -std=gnu99 to cwrap tests CFLAGS
../../../../src/tests/cwrap/../../../src/util/domain_info_utils.c: In function ‘subdomain_enumerates’:
../../../../src/tests/cwrap/../../../src/util/domain_info_utils.c:77:9: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (int i=0; parent->sd_enumerate[i]; i++) {
^
../../../../src/tests/cwrap/../../../src/util/domain_info_utils.c:77:9: note: use option -std=c99 or -std=gnu99 to compile your code
make[3]: *** [../../../src/util/server_tests-domain_info_utils.o] Error 1
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
428db8a58c0c149d5efccc6d788f70916c1d34d7 |
|
10-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
TESTS: Add a test to change user IDs
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |