ea11ed3ea6291488dd762033246edc4ce3951aeb |
|
10-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
IPA/AD: check auth ctx before using it
In e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 a feature was introduced to
set the 'canonicalize' option in the system-wide Kerberos configuration
according to the settings in SSSD if the AD or IPA provider were used.
Unfortunately the patch implied that the auth provider is the same as
the id provider which might not always be the case. A different auth
provider caused a crash in the backend which is fixed by this patch.
Resolves https://fedorahosted.org/sssd/ticket/3234
Reviewed-by: Petr Cech <pcech@redhat.com> |
7b07f50dfdfa1e94c82d86a957ee7c9852d7a322 |
|
04-Oct-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Initialize a boolean control value
without this patch, valgrind was reporting:
==30955== Conditional jump or move depends on uninitialised value(s)
==30955== at 0xDBBACC3: ipa_subdomains_slave_search_done (ipa_subdomains.c:1111)
==30955== by 0xE73B34D: sdap_search_bases_ex_done (sdap_ops.c:222)
==30955== by 0xE6FFA98: sdap_get_generic_done (sdap_async.c:1872)
==30955== by 0xE6FF4E2: generic_ext_search_handler (sdap_async.c:1689)
==30955== by 0xE6FF840: sdap_get_and_parse_generic_done (sdap_async.c:1797)
==30955== by 0xE6FEFB5: sdap_get_generic_op_finished (sdap_async.c:1579)
==30955== by 0xE6FB1D2: sdap_process_message (sdap_async.c:353)
==30955== by 0xE6FAD51: sdap_process_result (sdap_async.c:197)
==30955== by 0xE6FAA14: sdap_ldap_next_result (sdap_async.c:145)
==30955== by 0x8E157FF: tevent_common_loop_timer_delay (tevent_timed.c:341)
==30955== by 0x8E16809: epoll_event_loop_once (tevent_epoll.c:911)
==30955== by 0x8E14F09: std_event_loop_once (tevent_standard.c:114)
==30955==
Resolves:
https://fedorahosted.org/sssd/ticket/3213
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
2427b40566cf63880f3650b26a2fee91cb28de24 |
|
05-Aug-2016 |
Petr Cech <pcech@redhat.com> |
IPA: Changing of confusing debug message
This debug message used to confuse our users. So this patch changes it.
Old version: "Trust direction of %s is %s\n"
New version: "Trust type of [%s]: %s\n"
Resolves:
https://fedorahosted.org/sssd/ticket/3090
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
70673115c03c37ddc64c951b53d92df9d3310762 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: enable enterprise principals if server supports them
If there are alternative UPN suffixes found on the server we can safely
assume that the IPA server supports enterprise principals.
Resolves https://fedorahosted.org/sssd/ticket/3018
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
20348a30feb4be619b3b691c24c9be8131507c46 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: make subdomain calls aware of upn_suffixes
sysdb_subdomain_store() and sysdb_update_subdomains() can now update
upn_suffixes as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
132b31fd5fb74a7627896cdceaf29c7601ed4795 |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
sysdb: add UPN suffix support for the master domain
sysdb_master_domain_update() and sysdb_master_domain_add_info() are now
aware of the UPN suffix attribute.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
39f21d2b61685362642d42bc2f94f829671cd5ef |
|
18-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: read ipaNTAdditionalSuffixes for master and trusted domains
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e6b6b9fa79c67d7d2698bc7e33d2e2f6bb53d483 |
|
06-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
IPA/AD: globally set krb5 canonicalization flag
If Kerberos principal canonicalization is configured in SSSD, currently
it is the default for the IPA provider, a configuration snippet is
generated for the system-wide libkrb5 configuration so that all
kerberized applications will use canonicalization by default.
Resolves https://fedorahosted.org/sssd/ticket/3041
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
dea636af4d1902a081ee891f1b19ee2f8729d759 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
DP: Switch to new interface
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
57d8b4b9254442a568838cb60ea16068965f2df0 |
|
22-Apr-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: terminate properly if view name lookup fails
Since commit 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 the view name
lookup is the last step in the subdomain lookup request. In case of an
error the request should be finished and no previous step should be
called again.
Resolves https://fedorahosted.org/sssd/ticket/2993
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5d48539966aefbea703377ba2ebcb67f9cf88b8 |
|
26-Feb-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: invalidate override data if original view is missing
If the idview name cannot be read from cache this either means that the
cache was empty or the name wasn't written because of an error. In the
case of an error SSSD would assume that the default view was used. If
the new view is different from the default view the override data must be
invalidated. Since the sysdb call to invalidate the override data would
work with an empty cache as well and do nothing it is safe to call it on
both cases.
Related to https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b25d33b0a775e2337014a334699156ac56b08f9b |
|
26-Feb-2016 |
Sumit Bose <sbose@redhat.com> |
IPA: lookup idview name even if there is no master domain record
Currently the IPA subdomain provider returns with an error if there is no
master domain record found. Since this record contains data which is
only needed to create a trust with AD, like e.g. the IPA domain SID,
this record is only created by ipa-adtrust-install. But the idview name
is read after the master domain record. To make the idview feature work
with a plain FreeIPA setup without running ipa-adtrust-install the
missing master domain record should be handled gracefully and the
following lookup should run as well.
Resolves https://fedorahosted.org/sssd/ticket/2960
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
95c132e1a8c6bbab4be8b3a340333fadd8076122 |
|
19-Jan-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
SDAP: Make it possible to silence errors from dereference
https://fedorahosted.org/sssd/ticket/2791
When a modern IPA client is connected to an old (3.x) IPA server, the
attribute dereferenced during the ID views lookup does not exist, which
triggers an error during the dereference processing and also a confusing
syslog message.
This patch suppresses the syslog message.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
92ec40e6aa25f75903ffdb166a8ec56b67bfd77d |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
SDAP: rename sdap_get_id_specific_filter
A more generic name is used now since it is not used only for id
filters. Probably all references will be deleted when the code
uses sdap_search_in_bases instead of custom search base iterators.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
4afc1f2b6ca066d30d2be5ccda9fa760b5a6016e |
|
10-Dec-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
DP: Reduce code duplication in the callback handlers
Instead of calling sbus_request_return_and_finish() directly with the
same checks copied over, add a be_sbus_reply() helper instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
877b92e80bde510d5cd9f03dbf01e2bcf73ab072 |
|
23-Oct-2015 |
Michal Židek <mzidek@redhat.com> |
util: Update get_next_domain's interface
Update get_next_domain to be able to
include disabled domains and change the
interface to accept flags instead of
multiple booleans.
Ticket:
https://fedorahosted.org/sssd/ticket/2673
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
b5825c74b6bf7a99ae2172392dbecb51179013a6 |
|
21-Sep-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Convert domain->disabled into tri-state with domain states
Required for:
https://fedorahosted.org/sssd/ticket/2637
This is a first step towards making it possible for a domain to be around,
but not contacted by Data Provider.
Also explicitly create domains as active, previously we only relied on
talloc_zero marking dom->disabled as false.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
db5f9ab3feb85aa444eab20428ca2b98801b6783 |
|
14-Aug-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Always re-fetch the keytab from the IPA server
Even if a keytab for one-way trust exists, re-fetch the keytab again and
try to use it. Fall back to the previous one if it exists.
This is in order to allow the admin to re-establish the trust keytabs
with a simple sssd restart.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a8d31510d12af6ee39fb3e1e13f3a4f6bdef33c1 |
|
27-Jul-2015 |
Pavel Březina <pbrezina@redhat.com> |
SYSDB: prepare for LOCAL view
Objects don't have to have overrideDN specified when using LOCAL view.
Since the view is not stored on the server we do not want to contact
LDAP therefore we special case LOCAL view saying that it is OK that
this attribute is missing.
Preparation for:
https://fedorahosted.org/sssd/ticket/2584
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
9ac2a33f4cdc4941fa63118dcffe8058854f33c4 |
|
02-Jul-2015 |
Michal Židek <mzidek@redhat.com> |
views: Add is_default_view helper function
Ticket:
https://fedorahosted.org/sssd/ticket/2641
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
298e22fc97a99994e025c0d507737d88fe6fafef |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Make constructing an IPA server mode context async
Refactoring in preparation for requesting the keytab in future patches.
Currently it's a fake async that just marks the request as done.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
10bf907b6d463a5cd776a056cb182bc9f8765bf4 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Read forest name for trusted forest roots as well
This will reduce special-casing when establishing forest roots as all
domains will contain the forest name.
Additionally, AD subdomains already contain the forest name.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
05d935cc9d04f03522d0bb44598d22d99b085926 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
Allows distinguishing the trust directions for trusted domains. For
domains where we don't know the direction in server mode, we assume
two-way trusts.
Member domains do not have the direction, but rather the forest root
direction is used.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
89ddc9ed474e9ac2b1e7bccb0a58610babf26cf8 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Split two functions to new module ipa_subdomains_utils.c
These functions will be later reused by the subdomains_server.c module.
Splitting them into a separate subdomains_utils.c module will make sure
there are no cyclic dependencies and the functions are testable in
isolation.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
27e89b6925334565c73c407a9ae2809358789c81 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Move server-mode functions to a separate module
There are already quite a few functions that are server-mode specific and
there will be even more with one-way trusts. Split the server-mode
specific functions into a separate module.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
c3243e3212f91b69ef9990e2cb4c9339bf2f7888 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Also update master domain when initializing subdom handler
Updating master domain record from sysdb will ensure the flat name of
the master domain record is up-to-date.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9b7762729da24a901388ea53da29448f23e0f77b |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
Reduced code duplication
Reviewed-by: Sumit Bose <sbose@redhat.com> |
5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Check master domain record before subdomain records
For one-way trusts we need to know the flat name of the IPA domain when
we process subdomains, hence we need to swap the processing order and
read the master domain record sooner.
Previously the order was:
- ranges
- subdomains
- if on client, views
- master
Now the order is:
- ranges
- master
- subdomains
- if on client, views
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ad9ca94d0c793c2e30e77f4cc385bf10e42e382f |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
Previously it was error-prone to move code around, because the functions
that started next subdomain request were scattered together with moving
to next base or assigning next base.
This patch creates wrappers for better readability.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9af86b9c936d07cff9d0c2054acde908749ea522 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Add realm to sysdb_master_domain_add_info
Adding realm to both master domain and subdomain will make it easier to
set and select forest roots. Even master domains can be forest members,
so it's preferable to avoid special-casing as much as possible.
Includes a unit test.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
ea224c3813a537639778f91ac762732b3c289603 |
|
14-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Store trust direction for subdomains
We need to store the subdomain trust direction in order to recover the
structure after SSSD restart.
The trust direction is a plain uint32_t to avoid leaking the knowledge
about AD trust directions to sysdb while at the same time making it easy
to compare values between sysdb and LDAP and avoid translating the
values.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
9b162bf39ef75629f54ffa1d0bd5f9c13119b650 |
|
05-Jun-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
subdomains: Inherit cleanup period and tokengroup settings from parent domain
Allows the administrator to extend the functionality of
ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to
the subdomains.
This is a less intrusive way of achieving:
https://fedorahosted.org/sssd/ticket/2627
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
a50b229c8ea1e22c9efa677760b94d8c48c3ec89 |
|
12-May-2015 |
Sumit Bose <sbose@redhat.com> |
IPA: do not fail if view name lookup failed on older versions
Depending on the version 389ds returns a different error code if the
search for the view name failed because our dereference attribute
ipaAssignedIDView is not known. Newer versions return
LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) which is translated to
EOPNOTSUPP and older versions return LDAP_PROTOCOL_ERROR(2) which is
returned as EIO. In both cases we have to assume that the server is not
view aware and keep the view name unset.
Resolves https://fedorahosted.org/sssd/ticket/2650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6fa190d636805a7126ebc775c0eacdd97dd78035 |
|
16-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
subdom: Remove unused function get_flat_name_from_subdomain_name
The function was added in 70eaade10feedd7845e39170d0b7eebf3a030af1 and
is unused since b8d703cf3aba81800cf1b8ccca64bb00ef0b30f7
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e438fbf102c3d787902504bdae177e84230cbbc9 |
|
26-Jan-2015 |
Pavel Reichl <preichl@redhat.com> |
AD: support for AD site override
Override AD site found during DNS discovery.
Resolves:
https://fedorahosted.org/sssd/ticket/2486
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2bf1cbffaac3b4bc0bd736493c985ca865092805 |
|
02-Dec-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: only update view data if it really changed
https://fedorahosted.org/sssd/ticket/2510
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
61d2ccf1dae3f1e7fc987ae98cb5c493cc73a782 |
|
02-Dec-2014 |
Sumit Bose <sbose@redhat.com> |
krb5: make krb5 provider view aware
https://fedorahosted.org/sssd/ticket/2510
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
cd5033e86bb4065d75188e2b6ef287a4421344c8 |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
views: allow view name change at startup
Currently some manual steps are needed on a FreeIPA to switch from one
view to another. With this patch the IPA provider checks at startup if
the view name changed and does the needed steps automatically. Besides
saving the new view name this includes removing the old view data and
marking the user and group entries as invalid.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4fa184e2c60b377fd71e0115a618bd68dc73627d |
|
25-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
AD/IPA: add krb5_confd_path configuration option
With this new parameter the directory where Kerberos configuration
snippets are created can be specified.
Fixes https://fedorahosted.org/sssd/ticket/2473
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1f7844eb0aa4b19247533aa83f1cb4876396c738 |
|
05-Nov-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: inherit ldap_user_extra_attrs to AD subdomains
Currently the component of the IPA provider which reads the AD user and
group attributes in ipa-server-mode uses default settings for the LDAP
related attributes. As a result even if ldap_user_extra_attrs is defined
in sssd.conf no extra attributes are read from AD.
With the patch the value of ldap_user_extra_attrs is inherited to the AD
subdomains to allow them to read extra attributes as well.
Related to https://fedorahosted.org/sssd/ticket/2464
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f99534c058e9367d2610de89b1af4dcc1ec63035 |
|
22-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
ipa_subdomains_handler_master_done: initialize reply_count
This patch should mainly silence a false-positive Coverity warning but
since further processing depends on this variable I think it is a good
idea anyways.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
44329653f423c632b027065a9c0ea0bf4199396a |
|
22-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
ipa: fix issues with older servers not supporting views
Older FreeIPA servers which do not know about the ipaAssignedIDView
attribute will return an error during the LDAP dereference request
because SSSD marks LDAP extensions as critical. In this case we keep the
view name empty and skip override lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
06424c5ac5ffb871476208155762bb5b73e0b665 |
|
16-Oct-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
UTIL: Always write capaths
We used to only generate the [capaths] section on the IPA server itself,
when running in a trusted setup. But we also found out that the capaths
are often required to make SSO fully work, so it's better to always
generate them.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
08ab0d4ede41a1749e0bc26f78a37a4d10c20db8 |
|
16-Oct-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: add view support and get view name
Related to https://fedorahosted.org/sssd/ticket/2375
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
db18dda869bc6c52a41797b2066cf121cf10f49c |
|
22-Jul-2014 |
Pavel Reichl <preichl@redhat.com> |
UTIL: rename find_subdomain_by_name
The function was named "find_subdomain" yet it could find both main
domain and subdomain.
sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"`
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
096a9678919fae460342469989b97fd47d812823 |
|
26-Feb-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: check ranges for collisions before saving them
Fixes https://fedorahosted.org/sssd/ticket/2253
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
f8407faaeb6726bef6463d84f183f2b0ad1f99d4 |
|
29-Jan-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
Previously, the sdap-domain enumeration request used a single connection context to
download all the data. Now we'd like to use different connections to
download different objects, so the ID context is passed in and the
request itself decides which connection to use for the sdap-domain
enumeration. |
17195241500e46272018d7897d6e87249870caf2 |
|
09-Jan-2014 |
Pavel Reichl <pavel.reichl@redhat.com> |
responder: Set forest attribute in AD domains
Resolves:
https://fedorahosted.org/sssd/ticket/2160 |
01c9724f3bd540eda8b6d2879ca8a1cdd4af4330 |
|
08-Jan-2014 |
Sumit Bose <sbose@redhat.com> |
IPA: fix for recent AD group membership changes |
b17b51c2779906bf3a5e4aecbb9ef8bfbfc2ebab |
|
19-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Call ipa_ad_subdom_refresh when server mode is initialized
ipa_ad_subdom_refresh was called before IPA server context was
initialized. On IPA server, this caused the code to dereference a NULL
pointer and crash. |
d2a8b08561e6700bdd4feb988becae4e8f5368dd |
|
18-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Refresh subdomain data structures on startup
Write domain-mappings at startup and initialize internal data structures
on provider startup, not only during updates. |
2b4b6b829f197493b4901bec96fefaadbc7a2464 |
|
09-Dec-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SUBDOMAINS: Reuse cached results if DP is offline
If Data Provider was unable to refresh the subdomain list, the
sss_domain_info->subdomains list was NULL. Which meant that no DP
request matched any known domain and hence offline authentication was
not working correctly.
Resolves:
https://fedorahosted.org/sssd/ticket/2168 |
44e8e9660ff4db5873b0a7a3cff24ff78ff929e1 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
ipa: destroy cleanup task when subdomain is removed
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
d19e343d3fcb0780300d69ba5813ca4762ca9b98 |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: free sdap domain if subdomain is removed
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
cd4cc8d8829f1ea5257bf874b91980368114275f |
|
25-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
dp: make subdomains refresh interval configurable
This patch makes the refresh of available subdomains configurable.
New option:
subdomain_refresh_interval (undocumented)
Resolves:
https://fedorahosted.org/sssd/ticket/1968 |
fdda4b659fa3be3027df91a2b053835186ec2c59 |
|
25-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
When libss_idmap was only used to algorithmically map a SID to a POSIX
ID a domain SID was strictly necessary and the only information needed
to find a domain.
With the introduction of external mappings there are cases where a
domain SID is not available. Currently we relied on the fact that
external mapping was always used as a default if no specific
information about the domain was found. This led to extra CPU cycles and
potentially confusing debug messages. Adding the domain name as a search
parameter will avoid this. |
648d3ec563fafea7d7daf88b46e28ce0d43b3935 |
|
24-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
subdomains: first destroy ptask then remove sdom
be_ptask_destroy was unreachable since sdom is not present
in the list of sdap domains any more. |
fab48878db202d620f43c9da23e375866d1db2c6 |
|
22-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
IPA: add callback to reset subdomain timeouts
Fixes https://fedorahosted.org/sssd/ticket/2030 |
4ba716f4808d9ab2cd8e95916dd61309c31e2111 |
|
16-Oct-2013 |
Sumit Bose <sbose@redhat.com> |
IPA server mode: properly initialize ext_groups |
ce29aa8998332fd3c2e4e4b81e7302d41c461893 |
|
27-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
Do not return DP_ERR_FATAL in case of success |
bbd43fbcd8f70eedeac4e4ce01c36256cde82ab1 |
|
27-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
ipa_server_mode: write capaths to krb5 include file
If there are member domains in a trusted forest which are DNS-wise not
proper children of the forest root the IPA KDC needs some help to
determine the right authentication path. In general this should be done
internally by the IPA KDC but this work requires more effort than
letting sssd write the needed data to the include file for krb5.conf.
If this functionality is available for the IPA KDC this patch might be
removed from the sssd tree.
Fixes https://fedorahosted.org/sssd/ticket/2093 |
c5711b0279ea85d69fe3c77dfb194360c346e1d7 |
|
27-Sep-2013 |
Sumit Bose <sbose@redhat.com> |
IPA: store forest name for forest member domains
In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of
the forest must be known for a member domain of the forest. |
21f749c9300a1a51f3eb83d7f1483ec2fe15b3cc |
|
18-Sep-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_setup_tasks accepts a custom enum request
AD provider will override the default with its own. |
6fab6db37339833a1534221f9f8b86c1fac427f0 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Add forgotten declaration
A conflict between two patches was not resolved correctly |
31dd31b00ad759f256282ef0f7054e60672161ce |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: enable enumeration if parent domain enumerates in server mode
https://fedorahosted.org/sssd/ticket/1963 |
b3458bbb5315b05d7ac1abc58f1c380761756603 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Store enumerate flag for subdomain |
a4644da8f2bd25621ae159d753ffb66df9594dc8 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
DB: remove unused realm parameter from sysdb_master_domain_add_info
The parameter was not used at all. |
de307ab8e390deabc5df9884a3f762bfb1581936 |
|
28-Aug-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Enable AD sites when in server mode
https://fedorahosted.org/sssd/ticket/1964
Currently the AD sites are enabled unconditionally |
d5e8c3a1290d68d07362a119e63121156ad448df |
|
19-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Fix the default FQDN format
Commit 52ae806bd17c3c00d70bd1aed437f10f5ae51a1c changed the default FQDN
format by accident to the one we only ever use internally. This commit
fixes the mistake. |
52ae806bd17c3c00d70bd1aed437f10f5ae51a1c |
|
19-Jul-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: warn if full_name_format is customized in server mode
https://fedorahosted.org/sssd/ticket/2009
If the IPA server mode is on and the SSSD is running on the IPA server,
then the server's extdom plugin calls getpwnam_r to read info about trusted
users from the AD server and return them to the clients that called the
extended operation.
The SSSD returns the subdomain users fully-qualified, ie "user@domain"
by default. The format of the fully qualified name is configurable.
However, the extdom plugin returns the user name without the domain
component.
With this patch, when ipa_server_mode is on, warn if the full_name_format
is set to a non-default value. That would prompt the admin to change the
format if he changed it to something exotic. |
418e6ccd116eced7ccc75aca999a4c37c67289ba |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Create and remove AD id_ctx for subdomains discovered in server mode
When IPA server mode is on, then this patch will create an ad_id_ctx for
each subdomain discovered in IPA provider. The ID context is needed to
perform direct lookups using the AD provider.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962 |
f8a4a5f6240156809e1b5ef03816f673281e3fa0 |
|
28-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Initialize server mode ctx if server mode is on
This patch introduces a new structure that holds information about a
subdomain and its ad_id_ctx. This structure will be used only in server
mode to make it possible to search subdomains with a particular
ad_id_ctx.
Subtask of:
https://fedorahosted.org/sssd/ticket/1962 |
09d7c105839bfc7447ea0f766413ed86675ca075 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Save mpg state for subdomains
The information whether a subdomain will use magic private groups (mpg) or
not will be stored together with other information about the domain in
the cache. |
20ccfd63a17dc15dd24e6543424d86913d511c4b |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
IPA: read ranges before subdomains
Since FreeIPA will start to support external mapping for trusted domains
as well the range type for the domain must be known before the domain
object is created. The reason is that external mapping will not use
magic private groups (mpg) while algorithmic mapping will use them. |
5e60c73cb91d1659755fb5ea829837db68d46163 |
|
28-Jun-2013 |
Sumit Bose <sbose@redhat.com> |
Add support for new ipaRangeType attribute
Recent versions of FreeIPA support a range type attribute to allow
different types of ranges for sub/trusted-domains. If the attribute is
available it will be used, if not the right value is determined with the
help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961 |
58dd26b1c5b60ee992dd5d1214bb168aebb42d54 |
|
27-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
AD: Write out domain-realm mappings
This patch reuses the code from IPA provider to make sure that
domain-realm mappings are written even for AD sub domains. |
03713859dffacc7142393e53c73d8d4cf7dee8d5 |
|
16-Jun-2013 |
Pavel Březina <pbrezina@redhat.com> |
subdomains: touch krb5.conf when creating new domain-realm mappings
https://fedorahosted.org/sssd/ticket/1815 |
dcb44c39dda9699cdd6488fd116a51ced0687de3 |
|
07-Jun-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
LDAP: sdap_id_ctx might contain several connections
With some LDAP server implementations, one server might provide
different "views" of the identities on different ports. One example is
the Active Directory Global catalog. The provider would contact a
different view depending on which operation it is performing and against
which SSSD domain.
At the same time, these views run on the same server, which means the same
server options, enumeration, cleanup or Kerberos service should be used.
So instead of using several different failover ports or several
instances of sdap_id_ctx, this patch introduces a new "struct
sdap_id_conn_ctx" that contains the connection cache to the particular
view and an instance of "struct sdap_options" that contains the URI.
No functional changes are present in this patch, currently all providers
use a single connection. Multiple connections will be used later in the
upcoming patches. |
5627532b81802c2654ced8edac07f420bd677930 |
|
28-May-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Check for ENOMEM |
b1829e54acbc8a010aca7f14b9ffa9625f8c102c |
|
29-Apr-2013 |
Sumit Bose <sbose@redhat.com> |
Make IPA SELinux provider aware of subdomain users
Fixes https://fedorahosted.org/sssd/ticket/1892 |
0fcdef99980260d2da308c2c26861492ab983e3d |
|
20-Mar-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
Return error code from ipa_subdom_store |
ad65d4ef017e87c1be4b1054e1276f5256a77bfc |
|
14-Feb-2013 |
Pavel Březina <pbrezina@redhat.com> |
subdomains: replace invalid characters with underscore in krb5 mapping file name
https://fedorahosted.org/sssd/ticket/1795
Only alpha-numeric chars, dashes and underscores are allowed in
krb5 include directory. |
4f118e3e6a25762f40a43e6dbefb09f44adbef32 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Introduce IS_SUBDOMAIN() macro
Fixes https://fedorahosted.org/sssd/ticket/1766 |
bba1a5fd62cffcae076d1351df5a83fbc4a6ec17 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Change the way domains are linked.
- Use a double-linked list for domains and subdomains.
- Never remove a subdomain, simply mark it as disabled if it becomes
unused.
- Rework the way subdomains are refreshed.
Now sysdb_update_subdomains() actually updates the current subdomains
and marks as disabled the ones not found in the sysdb or add new ones
found. It never removes them.
Removal of missing domains from sysdb is deferred to the providers,
which will perform it at refresh time, for the ipa provider that is
done by ipa_subdomains_write_mappings() now.
sysdb_update_subdomains() is then used to update the memory hierarchy
of the subdomains.
- Removes sysdb_get_subdomains()
- Removes copy_subdomain()
- Add sysdb_subdomain_delete() |
95e94691178297f2b8225a83d43ae388cab04b45 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb_subdom completely
struct sss_domain_info is always used to represent domains now.
Adjust tests accordingly. |
3912262270a6449ebe1d3e92c27c217b4044f894 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Refactor sysdb_master_domain_add_info() |
65393a294e635822c1d7a15fe5853dc457ad8a2a |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Update main domain info in place |
aab938c5975f0e3b85c7c79a5d718e5fefed7217 |
|
10-Feb-2013 |
Simo Sorce <simo@redhat.com> |
Avoid sysdb_subdom in sysdb_get_subdomains() |
44af0057c1fd52f6252f82ca73a06acfcac6c5e3 |
|
25-Jan-2013 |
Michal Zidek <mzidek@redhat.com> |
Possible null dereference in ipa_subdomains.c.
Found by Coverity.
https://fedorahosted.org/sssd/ticket/1790 |
03abdaa21ecf562b714f204ca42379ff08626f75 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_get_be_ctx() helper.
In preparation for making be_req opaque |
99151f2217ddaa179543b89b49f836f29f7dcd2a |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add be_req_create() helper |
8e5549e453558d4bebdec333a93e215d5d6ffaec |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Introduce be_req_terminate() helper
Call it everywhere instead of directly dereferencing be_req->fn.
This is in preparation for making be_req opaque. |
ccc2af010bbbe6d8a7496fb717216135bc4c1993 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove domain from be_req structure |
d6d8287a9b8a240e068a26769dc6ce4582604850 |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Do not pass NULL to ipa_subdomain_retrieve() |
24b715f096613d18f182cf0fff537e1fc79647fa |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be request structure member
The sysdb context is already available through the 'domain' context. |
df0596ec12bc5091608371e2977f3111241e8caf |
|
21-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove sysdb as a be context structure member
The sysdb context is already available through the 'domain' structure. |
0754ff886f909f0404038eb9c99dd61be1acf5b9 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to some subdomain functions |
1e6f2180724de4722a5218826c9401181168d9d4 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Remove the sysdb_ctx_get_domain() function.
We are deprecating sysdb->domain so kill the function that gives access to
this member as we should stop relying on it being available (or correct). |
5063dcc5ab685dce325b13b9c1e93cee2a673e60 |
|
14-Nov-2012 |
Sumit Bose <sbose@redhat.com> |
Run IPA subdomain provider if IPA ID provider is configured
To make configuration easier the IPA subdomain provider should always be
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used, the IPA
subdomain provider should behave differently depending on whether it is
configured explicitly or implicitly.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf, subdomain requests are always sent to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will only be sent to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch saves the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613 |
70eaade10feedd7845e39170d0b7eebf3a030af1 |
|
12-Oct-2012 |
Sumit Bose <sbose@redhat.com> |
Allow extdom exop to return flat domain name as well
There are cases where the extdom extended operation will return the flat
or NetBIOS name of a domain instead of the DNS domain name. If this name
is available for the current domain we accept it as well.
Related to https://fedorahosted.org/sssd/ticket/1561 |
e4c29d1f8e3b2c2b268105f169e5156a0a36aebf |
|
23-Aug-2012 |
Ondrej Kos <okos@redhat.com> |
Consolidation of functions that make realm upper-case |
249d3b8c72798a8eb081b620cc94072b3e8d6351 |
|
06-Aug-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Securely set umask for mkstemp in subdomain provider
https://fedorahosted.org/sssd/ticket/1457 |
b1a8ecc98c0f588f86b98d9c0c5751225ce9aaa9 |
|
06-Aug-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
IPA: Do not attempt to close the same file twice
https://fedorahosted.org/sssd/ticket/1456 |
7197ce636c2b92152f5f6180bef6bda3752d148d |
|
01-Aug-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Create a domain-realm mapping for krb5.conf to be included
When new subdomains are discovered, the SSSD creates a file that
includes the domain-realm mappings. This file can in turn be included in
the krb5.conf using the includedir directive, such as:
includedir /var/lib/sss/pubconf/realm_mappings |
3b533d57a737e2de1b3e85b073b14d3bfb49dafc |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Add automatic periodic retrieval of subdomains |
6a81cb8c3424dbe9f764af3738299cbbe5874a15 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Add online callback to enumerate subdomains |
4c20fe34346919cf676c3e1b54b7701069e2aac6 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Limit refreshes keeping track of last refresh time |
efea50efda58be66638e5d38c8e57fdf9992f204 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Change refreshing of subdomains
This patch keeps a local copy of the subdomains in the ipa subdomains plugin
context.
This has 2 advantages:
1. allows checking whether anything changed w/o always hitting the sysdb.
2. later will allow us to dump this information w/o having to retrieve it
again. The timestamp also allows us to avoid refreshing too often. |
87ed72b47859e673b636c85f35b85f1546c7ed3d |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Expose an initializer function from subdomain
Instead of exporting internal structures, expose an initializer function
like the autofs code and initialize everything inside the
ipa_subdomains.c file. |
204cfc89a076fd32bf34f2abb3f809304aaa88ab |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Add realm parameter to subdomain list
This will be used later for setting domain_realm mappings in krb5.conf |
067bfcaad9baae2d962528839fde30ebd1a5ba2b |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Use a more tractable name for subdomain request
I am all for readable names, but there is a tradeoff between expressing purpose
and compactness. |
21f19d573047e70ee8ec0119ec00c1ed1af9ec04 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
80 col and style fixes
Something like this:
sysdb = (be_req->sysdb)?be_req->sysdb:be_req->be_ctx->sysdb;
really is not readable, and we always discourage using obfuscated C, please
refrain in future. |
5ea449b18d2597f2581627de80bcaf2bc70b0fd3 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Make structure initializer more readable |
c929c213c91b2f9d55f96d6964b9390636178991 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Fix wrong elements used in comparison |
b58460076fe843c11d736ae244c1ac979a6473a4 |
|
01-Aug-2012 |
Simo Sorce <simo@redhat.com> |
Change subdomain_info
Rename the structure to use a standard name prefix so it is properly
name-spaced, in preparation for changing the structure itself. |
a56156c13c71a96166b0a8f3921e67f36470f8d7 |
|
10-Jul-2012 |
Sumit Bose <sbose@redhat.com> |
Remove dead code in ipa_subdomains_handler_done()
Fixes https://fedorahosted.org/sssd/ticket/1410 |
386a66b1aa18a176e6a06fa126556c9590c373b6 |
|
21-Jun-2012 |
Sumit Bose <sbose@redhat.com> |
Add support for ID ranges |
84c611c1b7c04cc7735ab54d4e5f48284b79e6fb |
|
10-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA subdomains - ask for information about master domain
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain. |
81165faf5d951aca69f410713730c26ff048ec44 |
|
24-Apr-2012 |
Sumit Bose <sbose@redhat.com> |
IPA: Add get-domains target |