History log of /sssd/src/responder/nss/nsssrv_cmd.c
Revision Date Author Comments
4169fb26ea2ff93c19ecdad6e09382732ea5deeb 20-Oct-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: switch to new code This patch switches the old switch-based cache req code to the new plugin-based. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dcdf292567d50e5cc527766c1944dcf6a8ecacc5 10-Oct-2016 Sumit Bose <sbose@redhat.com>

nss: allow UPNs in SSS_NSS_GETSIDBYNAME and SSS_NSS_GETORIGBYNAME When adding support for UPNs, email addresses and aliases the SSS_NSS_GETSIDBYNAME and SSS_NSS_GETORIGBYNAME requests were forgotten. This patch adds the missing support because it might be irritating if getpwnam() can resolve the name but the other requests fail. The same logic as for the plain user lookup is used, this adds some code duplication which is expected to be removed when the nss responder will be switched to use the new cache_req code. Resolves https://fedorahosted.org/sssd/ticket/3194 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f31610a9ba26b46de9eeab2b0719ff6ad8961104 16-Aug-2016 Pavel Březina <pbrezina@redhat.com>

NSS: Remove unused functions When removing the old data provider I noticed that those functions are not used at all. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6f0a0ae7599e3947c0b2e4649039f85829e57637 10-Aug-2016 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Use correct name for invalidating memory cache After refactoring of sysdb, we get an internal fully qualified name from backend in org.freedesktop.sssd.dataprovider_rev.initgrCheck. Previously we got short name and we created fq name in nss_update_initgr_memcache. Memory cache still needs to use short names if it was specified. This patch uses right name in different places. Reviewed-by: Petr Cech <pcech@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

62df78512145db94b51c5573d4df1737197e368a 29-Jul-2016 Sumit Bose <sbose@redhat.com>

NSS: use different neg cache name for UPN searches If Kerberos principals or email addresses have the same domain suffix as the domain itself the first user lookup by name might have already added the name to the negative cache and the second lookup by UPN/email will skip the domain because of the neg cache entry. To avoid this a special name with a '@' prefix is used here. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

447b1da857368678990b54cd6b9cfed940357c44 29-Jul-2016 Sumit Bose <sbose@redhat.com>

NSS: continue with UPN/email search if name was not found Currently we only search for UPNs if the domain part of the name was not known, with Kerberos aliases and email addresses we have to do this even if the domain name is a known domain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

91767924bdf9b5a28e8902206a40348d6c83a139 29-Jul-2016 Sumit Bose <sbose@redhat.com>

NSS: add user email to fill_orig() The IPA server must send the email address of a user to the clients to allow login by email. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1594701fbdc341069e11cff9a85e7a795e52db3d 29-Jul-2016 Sumit Bose <sbose@redhat.com>

views: properly override group member names Resolves https://fedorahosted.org/sssd/ticket/2948 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f426a8b81a871188348b41aa52803a05bc3a02de 07-Jul-2016 Sumit Bose <sbose@redhat.com>

NSS: Fix domain for UPN based lookups Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2dcf7b9b65df21f2aee6cdf051a7fbdef6dfe034 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

NSS: Fix NSS responder to cope with fully-qualified usernames Adds a utility function sized_output_name() which wraps the output_name() function and returns the sized_struct structure. This function is used when formatting the output name for the client, but also when saving/deleting the memory cache entries. Its sister function sized_member_name() is very similar, but infers the domain name from memberuid or ghost attribute. Because all names internally are used in the same format, the logic to append domain or format the username for output in the fill_XXX() family of functions is much simpler. In general, adding a domain suffix no longer relies on the domain being a subdomain, but only the dom->fqnames. The parse_member() function was removed because it is no longer required. The nss test was amended to store names in the internal fqdn format on input and checks for either shortnames or qualified names with the right format created using sss_tc_fqname() on output. Reviewed-by: Sumit Bose <sbose@redhat.com>

accff8ebe158251b1d25a95b3b035fe7e08fd1ee 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: expand_homedir_template manages usernames internally expand_homedir_template() can be considered an outward-facing interface, therefore the function and its input structure will accept the internal name format and parse it internally into a username and domain component. Reviewed-by: Sumit Bose <sbose@redhat.com>

4f3a9d837a55b49448eca3c713c85a406207e523 29-Jun-2016 Simo Sorce <simo@redhat.com>

Responders: Make the client context more generic This is useful to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use talloc_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd/src/responder/autofs/autofs_private.h /sssd/src/responder/autofs/autofssrv.c /sssd/src/responder/autofs/autofssrv_cmd.c /sssd/src/responder/common/responder.h /sssd/src/responder/common/responder_cmd.c /sssd/src/responder/common/responder_common.c /sssd/src/responder/ifp/ifpsrv.c nsssrv.c nsssrv_cmd.c nsssrv_netgroup.c nsssrv_private.h nsssrv_services.c /sssd/src/responder/pac/pacsrv.c /sssd/src/responder/pac/pacsrv_cmd.c /sssd/src/responder/pam/pamsrv.c /sssd/src/responder/pam/pamsrv_cmd.c /sssd/src/responder/ssh/sshsrv.c /sssd/src/responder/ssh/sshsrv_cmd.c /sssd/src/responder/sudo/sudosrv.c /sssd/src/responder/sudo/sudosrv_cmd.c /sssd/src/tests/cmocka/common_mock_resp.c /sssd/src/tests/cmocka/common_mock_resp.h /sssd/src/tests/cmocka/test_nss_srv.c /sssd/src/tests/cmocka/test_pam_srv.c
9c88f837ffacf6548c13825589b327de1a5525f3 09-Jun-2016 Sumit Bose <sbose@redhat.com>

nss-idmap: add sss_nss_getnamebycert() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1a45124f3f300f9afdcb08eab0938e5e7d0534d9 09-Jun-2016 Sumit Bose <sbose@redhat.com>

NSS: add SSS_NSS_GETNAMEBYCERT request Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8822520e6552bbf5ad1b62a4f88dd31a9c8475f1 09-Jun-2016 Sumit Bose <sbose@redhat.com>

nss: return user certificate base64 encoded Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dc936929c01647c0fc116a112cee200156328037 09-Jun-2016 Sumit Bose <sbose@redhat.com>

nss: include certificates in full result list Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c34f3f7d2a4d9f50109d13cd7c9f2cbb9a11b3d0 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing ncache from nss_ctx This patch switches ncache from nss_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

0393f0d44ac92035de29a8bc8b2005db6d90b640 11-May-2016 Petr Cech <pcech@redhat.com>

NEGCACHE: Removing timeout from sss_ncache_check_* It removes timeout parameter from check functions of negative cache. Timeout is set by init function and it is handled internally.
API change:
* int sss_ncache_check_...(struct sss_nc_ctx *ctx,
                           int ttl, <----- timeout vanished
                           struct sss_domain_info *dom,
                           ...);
Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

37b467244f48869ef3690c908033da8ba37635c0 08-Mar-2016 Jakub Hrozek <jhrozek@redhat.com>

NSS: Move a DEBUG message so that it's less confusing Reviewed-by: Pavel Březina <pbrezina@redhat.com>

1b8858b1611db5048592f477059ca5ad66d7ceb1 21-Jan-2016 Michal Židek <mzidek@redhat.com>

NSS: do not skip cache check for netgroups When refresh_expired_interval was not zero, the NSS responder only refreshed netgroup cache using background periodic task and ignored SYSDB_CACHE_EXPIRE attribute. With this behaviour it was impossible to get new netgroup from remote server even after sss_cache tool was used to expire existing entry in the cache. Resolves: https://fedorahosted.org/sssd/ticket/2912 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

343b053bc61792023003d077ae81c05ff1676a89 04-Nov-2015 Sumit Bose <sbose@redhat.com>

NSS: fix a use-after-free issue While handling well-known SIDs a debug statement tries to access memory that is already freed. This can be seen with the following output from valgrind.
==17600== Invalid read of size 4
==17600==    at 0x805ACC6: nss_cmd_getbysid (nsssrv_cmd.c:5458)
==17600==    by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600==    by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600==    by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600==    by 0x80671F5: client_recv (responder_common.c:283)
==17600==    by 0x806741C: client_fd_handler (responder_common.c:335)
==17600==    by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600==    by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600==    by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600==    by 0x45EF3BF: _tevent_loop_once (tevent.c:530)
==17600==    by 0x45EF5AB: tevent_common_loop_wait (tevent.c:634)
==17600==    by 0x45F326E: std_event_loop_wait (tevent_standard.c:140)
==17600==    by 0x45EF647: _tevent_loop_wait (tevent.c:653)
==17600==  Address 0x4b248a0 is 72 bytes inside a block of size 88 free'd
==17600==    at 0x402C26D: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==17600==    by 0x45FEC9E: _talloc_free_internal (talloc.c:1057)
==17600==    by 0x45FEC9E: _talloc_free (talloc.c:1581)
==17600==    by 0x8066085: sss_cmd_done (responder_cmd.c:93)
==17600==    by 0x805A9B0: nss_check_well_known_sid (nsssrv_cmd.c:5382)
==17600==    by 0x805AC86: nss_cmd_getbysid (nsssrv_cmd.c:5455)
==17600==    by 0x805AF41: nss_cmd_getnamebysid (nsssrv_cmd.c:5509)
==17600==    by 0x80662F4: sss_cmd_execute (responder_cmd.c:161)
==17600==    by 0x8067015: client_cmd_execute (responder_common.c:249)
==17600==    by 0x80671F5: client_recv (responder_common.c:283)
==17600==    by 0x806741C: client_fd_handler (responder_common.c:335)
==17600==    by 0x45F5112: epoll_event_loop (tevent_epoll.c:728)
==17600==    by 0x45F5112: epoll_event_loop_once (tevent_epoll.c:926)
==17600==    by 0x45F32EE: std_event_loop_once (tevent_standard.c:114)
==17600==
The patch contains a change to the unit tests which frees the memory in the wrapper for sss_cmd_done() too. This allows to detect this kind of issue in the unit tests as well. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

877b92e80bde510d5cd9f03dbf01e2bcf73ab072 23-Oct-2015 Michal Židek <mzidek@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disabled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd/src/confdb/confdb.c /sssd/src/db/sysdb_subdomains.c /sssd/src/monitor/monitor.c /sssd/src/providers/ad/ad_subdomains.c /sssd/src/providers/dp_refresh.c /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/ipa/ipa_subdomains_server.c /sssd/src/providers/ldap/sdap_domain.c /sssd/src/responder/autofs/autofssrv_cmd.c /sssd/src/responder/common/negcache.c /sssd/src/responder/common/responder_cache_req.c /sssd/src/responder/common/responder_common.c /sssd/src/responder/common/responder_get_domains.c /sssd/src/responder/ifp/ifp_cache.c /sssd/src/responder/ifp/ifp_domains.c /sssd/src/responder/ifp/ifp_groups.c /sssd/src/responder/ifp/ifp_users.c nsssrv_cmd.c nsssrv_netgroup.c nsssrv_services.c /sssd/src/responder/pam/pamsrv_cmd.c /sssd/src/responder/sudo/sudosrv_get_sudorules.c /sssd/src/tests/cmocka/test_utils.c /sssd/src/tools/common/sss_tools.c /sssd/src/tools/sss_cache.c /sssd/src/tools/sss_debuglevel.c /sssd/src/tools/sss_override.c /sssd/src/util/domain_info_utils.c /sssd/src/util/usertools.c /sssd/src/util/util.h
2f793681b4debbe015815f908dc12c0463711609 14-Oct-2015 Pavel Březina <pbrezina@redhat.com>

nss: send original name and id with local views if possible Resolves: https://fedorahosted.org/sssd/ticket/2833 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

8ded8b2f4a57d1833fd230307218d8b07a571785 08-Oct-2015 Sumit Bose <sbose@redhat.com>

nss: fix UPN lookups for sub-domain users Reviewed-by: Sumit Bose <sbose@redhat.com>

87e0dcaff945f8b8f30030309e16ba26935fcb7b 18-Sep-2015 Pavel Březina <pbrezina@redhat.com>

views: allow ghost members for LOCAL view LOCAL view does not allow the case when both ghost member and user override is created so it is safe to allow ghost members for this view. Resolves: https://fedorahosted.org/sssd/ticket/2790 Reviewed-by: Sumit Bose <sbose@redhat.com>

11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a 31-Aug-2015 Petr Cech <pcech@redhat.com>

UTIL: Function 2string for enum sss_cli_command Improvement of debug messages. Instead of: "(0x0400): Running command [17]..." We could see: "(0x0400): Running command [17][SSS_NSS_GETPWNAM]..." (It's not used in sss_client. There are only hex numbers of commands.) Resolves: https://fedorahosted.org/sssd/ticket/2708 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

b9901fe3d6cfe05cd75a2440c0f9c7985aea36c6 20-Aug-2015 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Fix use after free It can happen if there are two domains and user is not found in the first one.
==29279== Invalid read of size 1
==29279==    at 0x4C2CBA2: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279==    by 0x89A7AC4: talloc_strdup (in /usr/lib64/libtalloc.so.2.1.2)
==29279==    by 0x11668A: nss_cmd_initgroups_search (nsssrv_cmd.c:4191)
==29279==    by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279==    by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279==    by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279==    by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279==    by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279==    by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279==    by 0x879A936: std_event_loop_once (tevent_standard.c:114)
==29279==  Address 0xbbad240 is 96 bytes inside a block of size 106 free'd
==29279==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==29279==    by 0x89A46E3: _talloc_free (in /usr/lib64/libtalloc.so.2.1.2)
==29279==    by 0x116679: nss_cmd_initgroups_search (nsssrv_cmd.c:4190)
==29279==    by 0x118B27: nss_cmd_getby_dp_callback (nsssrv_cmd.c:1208)
==29279==    by 0x10F2B4: nsssrv_dp_send_acct_req_done (nsssrv_cmd.c:759)
==29279==    by 0x126AFB: sss_dp_internal_get_done (responder_dp.c:802)
==29279==    by 0x56EA861: ??? (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x56EDB50: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.4)
==29279==    by 0x50721E1: sbus_dispatch (sssd_dbus_connection.c:96)
==29279==    by 0x879B22E: tevent_common_loop_timer_delay (tevent_timed.c:341)
==29279==    by 0x879C239: epoll_event_loop_once (tevent_epoll.c:911)
==29279==    by 0x879A936: std_event_loop_once (tevent_standard.c:114)
Resolves: https://fedorahosted.org/sssd/ticket/2749 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

dda0258705de7255e6ec54b7f9adbde83a220996 05-Aug-2015 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Initgr memory cache should work with fq names We need to store two versions of name to the initgroups memory cache. Otherwise it could be stored many times if sssd is configured with case_sensitive = false. It would be impossible to invalidate all versions of names after user login. As a result of this wrong user groups could be returned from initgroups memory cache. Therefore we store raw name provided by glibc function and internal sanitized fully qualified name, which is unique for particular user. This patch also increases average space for initgroups because there are also stored two quite long names in case of fq names. Resolves: https://fedorahosted.org/sssd/ticket/2712 Reviewed-by: Michal Židek <mzidek@redhat.com>

ea7839cec593b4a7c678fab52ab864518db6699b 05-Aug-2015 Lukas Slebodnik <lslebodn@redhat.com>

mmap: Invalidate initgroups memory cache after any change Initgroups memory cache was invalidated only in case of removed user. It should be invalidated also after changes in group membership. Resolves: https://fedorahosted.org/sssd/ticket/2716 Reviewed-by: Michal Židek <mzidek@redhat.com>

c2cc00e8d70c4df880d76093d4b0e3ee7f2ee23f 27-Jul-2015 Sumit Bose <sbose@redhat.com>

nss: use negative cache for sid-by-id requests Since requests by ID are not assigned to a specific domain SSSD might check the ID in domains where the ID does not exist even if the ID is already in the sysdb cache of the right domain. For requests where already a memory cache is available like e.g. getpwuid() and getgrgid() this has no negative impact because the requests are answered directly from the cache most of the time without hitting SSSD. As long as there is no use-case which does not use the memory cache those requests do not need an update. But for requests like sid-by-id where currently no memory cache is available there are quite some additional costs especially for trusted domains. Resolves https://fedorahosted.org/sssd/ticket/2731 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e1aed98d7c195f844ac8e85050d04f3ca5f899b3 27-Jul-2015 Sumit Bose <sbose@redhat.com>

negcache: allow domain name for UID and GID Related to https://fedorahosted.org/sssd/ticket/2731 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4f1897ad419790834573643e88ac03e6c5c1c4be 16-Jul-2015 Sumit Bose <sbose@redhat.com>

nss_check_name_of_well_known_sid() improve name splitting Currently in the default configuration nss_check_name_of_well_known_sid() can only split fully-qualified names in the user@domain.name style. DOM\user style names will cause an error and terminate the whole request. With this patch both styles can be handled by default, additionally if the name could not be split nss_check_name_of_well_known_sid() returns ENOENT which can be handled more gracefully by the caller. Resolves https://fedorahosted.org/sssd/ticket/2717 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7c83c23177cdb43e23fe19935356e1319e2b6f39 03-Jul-2015 Lukas Slebodnik <lslebodn@redhat.com>

nss: Invalidate entry in initgr mmap cache If user is removed from sysdb cache then it should be also removed from initgroups memory cache. Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>

6d292632a7176540dd317bba7457a12a3634789a 03-Jul-2015 Lukas Slebodnik <lslebodn@redhat.com>

mmap_cache: Invalidate entry in right memory cache If group was not found in nss_cmd_getgrnam_search then we tried to invalidate entry in memory cache. But function delete_entry_from_memory cache only invalidated in passwd memory cache. Reviewed-by: Michal Židek <mzidek@redhat.com>

ebf6735dd4f71bf3dc9105e5d04d11e744c64a59 03-Jul-2015 Lukas Slebodnik <lslebodn@redhat.com>

nss: Store entries in responder to initgr mmap cache Resolves: https://fedorahosted.org/sssd/ticket/2485 Reviewed-by: Michal Židek <mzidek@redhat.com>

fd60528321fd52720222ec35b895ade54cccb48d 22-May-2015 Lukas Slebodnik <lslebodn@redhat.com>

nss: Do not ignore default value of SYSDB_INITGR_EXPIRE When SYSDB_INITGR_EXPIRE had default value (0) then value of SYSDB_CACHE_EXPIRE was used as initgroups expire attribute. The right approach is already used in responder_cache_req.c Reviewed-by: Pavel Březina <pbrezina@redhat.com>

35b178d02dfd293778aefbc0b465a5a3a4b6cd8f 06-May-2015 Sumit Bose <sbose@redhat.com>

NSS: check for overrides before calling backend Currently the flag that the input data in a user or group lookup request might be an override value is only set if no cached entry was found. If the cached entry of an object with overrides is expired and a request with the override value as input is processed the flag is not set and the backend might not be able to find the right entry on the server. Typically this should not happen because of mid-point refreshes. To reproduce this create a FreeIPA user and override the login name for a specific view. On a client which has this view applied call
getent passwd overridename
sss_cache -E
getent passwd overridename
The second getent command will still show the right output but in the logs a
[sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
message can be found for the second request. Related to https://fedorahosted.org/sssd/ticket/2642 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

6a074a5917a83c8414949b8c9c2b6d044bb652e6 24-Apr-2015 Jakub Hrozek <jhrozek@redhat.com>

nss: Use negcache for getbysid requests Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

da3fcbec493dd8d7f5af1d6c6be2a37440a1442e 09-Apr-2015 Jakub Hrozek <jhrozek@redhat.com>

NSS: Reset negcache after checking domains The NSS responder periodically re-checks subdomains. We need to reset the negative cache each time the check finishes to allow the negative cache to contain entries from different domains. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

c2cb78c264ecf50d3a621ef16d1fe8026a39d135 26-Mar-2015 Pavel Reichl <preichl@redhat.com>

Fix a few typos in comments Reviewed-by: Pavel Březina <pbrezina@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd/src/confdb/confdb_setup.c /sssd/src/db/sysdb_autofs.c /sssd/src/db/sysdb_sudo.c /sssd/src/db/sysdb_views.c /sssd/src/monitor/monitor.c /sssd/src/monitor/monitor_netlink.c /sssd/src/providers/ad/ad_common.c /sssd/src/providers/ad/ad_init.c /sssd/src/providers/ad/ad_subdomains.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/dp_dyndns.c /sssd/src/providers/dp_ptask.c /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_hbac_rules.c /sssd/src/providers/ipa/ipa_hostid.c /sssd/src/providers/ipa/ipa_selinux.c /sssd/src/providers/ipa/ipa_subdomains.c /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_wait_queue.c /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap_async.c /sssd/src/providers/ldap/sdap_async_connection.c /sssd/src/providers/ldap/sdap_async_initgroups.c /sssd/src/providers/ldap/sdap_utils.c /sssd/src/responder/autofs/autofssrv_cmd.c /sssd/src/responder/common/responder_dp.c nsssrv_cmd.c nsssrv_netgroup.c /sssd/src/responder/pac/pacsrv_cmd.c /sssd/src/responder/pac/pacsrv_utils.c /sssd/src/responder/pam/pamsrv.c /sssd/src/responder/sudo/sudosrv_get_sudorules.c /sssd/src/responder/sudo/sudosrv_query.c /sssd/src/sbus/sssd_dbus_server.c /sssd/src/tests/krb5_child-test.c /sssd/src/tools/files.c /sssd/src/tools/sss_sync_ops.c /sssd/src/util/debug.c /sssd/src/util/domain_info_utils.c /sssd/src/util/find_uid.c /sssd/src/util/server.c /sssd/src/util/sss_ini.c /sssd/src/util/sss_krb5.c /sssd/src/util/sss_semanage.c /sssd/src/util/usertools.c
ff19b24a93a50c8a62b5c2621e45d101e3a00781 12-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

NSS: Handle ENOENT when doing initgroups by UPN https://fedorahosted.org/sssd/ticket/2598 We need to return an empty result in cases an initgroups lookup by UPN doesn't return anything. Please note testing with "id user" is not sufficient as id calls a getpwnam first. Reviewed-by: Pavel Reichl <preichl@redhat.com>

fa0a9bad84d060a1adf8dd44f35d366e14f54d58 18-Feb-2015 Lukas Slebodnik <lslebodn@redhat.com>

RESPONDERS: Warn to syslog about colliding objects Resolves: https://fedorahosted.org/sssd/ticket/2203 Reviewed-by: Pavel Reichl <preichl@redhat.com>

866ab45027c83fafb7f7f45d34d3e1e7721b77dc 30-Jan-2015 Sumit Bose <sbose@redhat.com>

fill_id() fix LE/BE issue with wrong data type Related to https://fedorahosted.org/sssd/ticket/1588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d6ddc35574ba897cf9b5de3350086d9d8604f06f 23-Jan-2015 Sumit Bose <sbose@redhat.com>

nss: fix SID lookups Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7543052f562f157f7b17fdc46a6777d80c0cb3bd 20-Jan-2015 Sumit Bose <sbose@redhat.com>

nss: Add original DN and memberOf to origbyname request IPA HBAC evaluation relies on the original values for DN and memberOf attributes. Resolves https://fedorahosted.org/sssd/ticket/2560 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a4d64002b5ca763622bde240d27797d361ba0388 20-Jan-2015 Sumit Bose <sbose@redhat.com>

nss: refactor fill_orig() The two loops in fill_orig were almost identical. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

5f4d896ec8e06476f4282b562b1044de14c48ecf 20-Jan-2015 Sumit Bose <sbose@redhat.com>

nss: make fill_orig() multi-value aware Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

4bbcc2d6d3f16b015796818746a45134861c93a4 17-Dec-2014 Pavel Reichl <preichl@redhat.com>

SYSDB: sysdb_search_object_by_sid returns ENOENT sysdb_search_object_by_sid returns ENOENT if no results are found. Part of solution for: https://fedorahosted.org/sssd/ticket/1991 Fixes: https://fedorahosted.org/sssd/ticket/2520 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d7b90921c1a404f0d9fb8384a8fd55fd15b86916 17-Dec-2014 Pavel Reichl <preichl@redhat.com>

NSS: nss_cmd_getbysid_search return ENOENT Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1a818ee8e01136166e7f2b37a441e7e779c6b1f4 10-Nov-2014 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Fix warning enumerated type mixed with another type src/responder/nss/nsssrv_cmd.c:688: mixed_enum_type: enumerated type mixed with another type "enum sss_dp_acct_type" was mixed with type "int". ANSI C is not very strict in this. Reviewed-by: Michal Židek <mzidek@redhat.com>

f9f513ee1dd4ca10ab980a180d0468ae5167d021 05-Nov-2014 Sumit Bose <sbose@redhat.com>

Add ssh pubkey to origbyname request Since the IPA clients expect that the extdom plugin delivers the default view data for a given user this patch adds the public SSH key to the list of returned attributes of the getorigbyname request so that it can be sent back to the clients. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1a9f66352070d71a6b998c5afbc268ba6fddc51c 05-Nov-2014 Sumit Bose <sbose@redhat.com>

sysdb_add_overrides_to_object: add new parameter and multi-value support With the new parameter an attribute list other than the default one can be used. Override attributes with multiple values (e.g. SSH public keys) are now supported as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

e4549c5364461644723361d688badde7fe137a25 05-Nov-2014 Sumit Bose <sbose@redhat.com>

nss: return user_attributes in origbyname request To allow IPA clients to offer special attributes of AD users from trusted domain the extdom plugin on the IPA server must send them to the clients. The extdom plugin already uses sss_nss_getorigbyname() to get attributes like the SID and the user principal name. This patch adds the attributes given by the NSS/IFP user_attributes option to the list of attributes returned by sss_nss_getorigbyname(). Fixes https://fedorahosted.org/sssd/ticket/2464 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f933190722886ff23eab8148b473915908bc8c23 04-Nov-2014 Pavel Reichl <preichl@redhat.com>

NSS: disable midpoint refresh for netgroups Disable midpoint refresh for netgroups if periodical refresh of expired netgroups is enabled (refresh_expired_interval) Resolves: https://fedorahosted.org/sssd/ticket/2102 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

4b2b722319f11c81c06f488f3962a6b6280f4b9f 27-Oct-2014 Sumit Bose <sbose@redhat.com>

nss: group enumeration fix The view/override patches introduced an issue with group enumeration where all groups are returned with the same name. This patch should fix it. Fixes: https://fedorahosted.org/sssd/ticket/2475 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e88d426def412c0dde83e15fe17cdf374ee70166 22-Oct-2014 Denis Kutin <dekutin@ya.ru>

NSS: Possibility to use any shells in 'allowed_shells' Resolves: https://fedorahosted.org/sssd/ticket/2219 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>

396fb27b17d66261e2d15146a7c925be8d637226 20-Oct-2014 Sumit Bose <sbose@redhat.com>

nss: make enumeration requests aware of views Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a983272f1afa8dbae3ecd4425b04649601732a71 20-Oct-2014 Sumit Bose <sbose@redhat.com>

sid2name: return name without views applied Make sure that the original name of an object without any overrides applied is returned by sid2name requests. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

afbe298d8d99c037056c1d3878812d98783309b0 20-Oct-2014 Sumit Bose <sbose@redhat.com>

nss: add view support for getgr* requests Make group lookups view and override aware. Relates to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

f1d5f72459ec7d776e66c4516da2c1b9c6c1a84d 20-Oct-2014 Sumit Bose <sbose@redhat.com>

nss: add view support to initgroups request Make sysdb request view and override aware. Relates to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

e6b476c9749737f0979fe6460f0d6ced08351db3 20-Oct-2014 Sumit Bose <sbose@redhat.com>

nss: add view support for getpwnam/getpwuid requests For user lookups view and override aware calls to search the cache and read attribute values are used. Relates to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

229c292143dcd4120acb022682b5b7d0aca622dd 14-Oct-2014 Sumit Bose <sbose@redhat.com>

nss: add SSS_NSS_GETORIGBYNAME request This patch adds a new request to the nss responder which follows the same flow as a SSS_NSS_GETSIDBYNAME request but returns more data than just the SID. The data is returned as pairs of \0-terminated strings where the first string is the sysdb attribute name and the second the corresponding value. The main use case is on the FreeIPA server to make additional user and group data available to the extdom plugin which then sends this data to SSSD running on FreeIPA clients. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

adf9c23d663c308cfeeaa5ad0a33c399c85b27ec 12-Oct-2014 Pavel Reichl <preichl@redhat.com>

NSS: UPN as a template expansion for homedir mappings Fixes: https://fedorahosted.org/sssd/ticket/2340 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f6e008fe677ffcf8781c1d5154544066ea7ca9d4 01-Oct-2014 Michal Zidek <mzidek@redhat.com>

nss: Preserve case of group members Preserve case of group members in getgrnam when 'case_sensitive = preserving' is set. Fixes: https://fedorahosted.org/sssd/ticket/2453 Reviewed-by: Pavel Reichl <preichl@redhat.com>

742ccb4b821b0d320fefb5eb0f1eafe82da8548c 16-Sep-2014 Sumit Bose <sbose@redhat.com>

name2sid: Check negative cache for users and groups Since we cannot know if a SID belongs to a user or a group a lookup should only fail if the given name is in both the negative cache for the users and the groups. Currently if the SID for a group called 'abc' should be looked up and the negative cache for the users contains an entry for 'abc' the request fails. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

61b58801f1e37c054affc99f6fe900f7b3ef7972 05-Sep-2014 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Use right domain for group members with fq names If we query a group from a subdomain it can contain users from different domains. All members from the subdomain have fully qualified names, but members from the main domain don't. In function fill_members, we extracted name and domain with function fill_members. Later, we called function sss_fqname the first time with queried group domain and the second time with parsed domain. It caused the following error in the nss responder: [fill_members] (0x0040): Failed to generate a fully qualified name for member [user2_dom1@sssdad_tree.com] of group [group2_dom2@sssdad_tree.com]! Skipping The test test_nss_getgrnam_mix_dom_fqdn passed, because the name of the main domain and the name of the subdomain had the same length. Therefore there was no problem in function fill_members with calling sss_fqname with different domains. This patch also changes the name of the subdomain to prevent such problems in future. Reviewed-by: Pavel Reichl <preichl@redhat.com>

899d1bdc048cd74518170d7d9535d76d3f46d4af 01-Sep-2014 Sumit Bose <sbose@redhat.com>

PAM, NSS: allow UPN login names With this patch the NSS and PAM responders can handle user principal names besides the fully qualified user names. User principal names are built from a user name and a domain suffix separated by an '@' sign. But the domain suffix does not necessarily have to be the same as the configured domain name in sssd.conf or the dynamically discovered DNS domain name of a domain. The typical use case is an Active Directory forest with lots of different domains. To not force the users to remember the name of the individual domain they belong to the AD administrator can set a common domain suffix for all users from all domains in the forest. This is typically the domain name used for emails to make it even easier for the users to remember it. Since SSSD splits name and domain part at the '@' sign and the common domain suffix might not be resolvable by DNS or the given user is not a member of that domain (e.g. in the case where the forest root is used as common domain suffix) SSSD might fail to look up the user. With this patch the NSS and PAM responder will do an extra lookup for a UPN if the domain part of the given name is not known or the user was not found and the login name contained the '@' sign. Resolves https://fedorahosted.org/sssd/ticket/1749

7d2437adc312d3322d36043ff458fafdb4b7f2cf 01-Sep-2014 Sumit Bose <sbose@redhat.com>

NSS: check_cache() add extra option This patch adds a new parameter to check_cache() to allow to set the extra value which is sent to the backend during lookup requests.

f3a5ac1a50c1fccd0801023658e42d2093e1a33a 13-Aug-2014 Jakub Hrozek <jhrozek@redhat.com>

Make the space override responder-agnostic https://fedorahosted.org/sssd/ticket/2397 In order to make the override_space option usable by other responders, we need to move the override_space option to the generic responder structure. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

1f3127e88a87953f059c9a70d3582ae1719594b1 13-Aug-2014 Jakub Hrozek <jhrozek@redhat.com>

Only replace space with the specified substitution https://fedorahosted.org/sssd/ticket/2397
- make sss_replace_whitespaces only replace space (' ') not any whitespace
- make sss_replace_whitespaces only replace a single char, not the whole string
- rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
- rename the override_default_whitespace option to override_space
- rename sss_replace_whitespaces() to sss_replace_space()
- rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
- rename nctx->override_default_wsp_str to nctx->override_space
- make the return value of sss_replace_space non-const to avoid freeing the result without compilation warnings
Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ff22e829fd73fc53027d1e6ca005a9ac334086dd 29-Jul-2014 Michal Zidek <mzidek@redhat.com>

case_sensitivity = preserving If case_sensitivity is set to 'preserving', getXXnam returns name attribute in the same format as stored in LDAP. Fixes: https://fedorahosted.org/sssd/ticket/2367 Reviewed-by: Pavel Reichl <preichl@redhat.com>

21bc143c2855638242e9dfe01ea66198b5883b8a 28-Jul-2014 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Replace spaces with specified string in names. This patch adds the possibility to replace whitespace in user and group names with a specified string. With string "-", sssd will return the same result as winbind enabled option "winbind normalize names" Resolves: https://fedorahosted.org/sssd/ticket/1854 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>

ae0a5011e2644eaa482ea1b9e1451eff05c676b9 02-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Add option to expand homedir template format LDAP server can contain template for home directory instead of plain string. This patch adds new expand option "%H", which will be replaced with value from configuration option homedir_substring (from sssd.conf) Resolves: https://fedorahosted.org/sssd/ticket/1853

5cd660aaa885bca95ac3dca660bb77e5786d5f8e 02-Jun-2014 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Refactor expand_homedir_template Function expand_homedir_template had a lot of parameters. After adding a new expand option, all function calls should be rewritten (usually argument NULL will be added). This patch wraps all necessary arguments in a structure.

40dd828529cf01291daf0f075b850783409e8c05 18-Mar-2014 Pavel Reichl <preichl@redhat.com>

refactor calls of sss_parse_name sss_parse_name now supports NULL as output parameters so existing calls passing arguments which were never read were substituted by NULL. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

83bf46f4066e3d5e838a32357c201de9bd6ecdfd 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Update DEBUG* invocations to use new levels Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead:

    grep -rl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e 'use strict;
                     use File::Slurp;
                     my @map=qw"
                        SSSDBG_FATAL_FAILURE
                        SSSDBG_CRIT_FAILURE
                        SSSDBG_OP_FAILURE
                        SSSDBG_MINOR_FAILURE
                        SSSDBG_CONF_SETTINGS
                        SSSDBG_FUNC_DATA
                        SSSDBG_TRACE_FUNC
                        SSSDBG_TRACE_LIBS
                        SSSDBG_TRACE_INTERNAL
                        SSSDBG_TRACE_ALL
                     ";
                     my $text=read_file(\*STDIN);
                     my $repl;
                     $text=~s/
                        ^
                        (
                            .*
                            \b
                            (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM)
                            \s*
                            \(\s*
                        )(
                            [0-9]
                        )(
                            \s*,
                        )
                        (
                            \s*
                        )
                        (
                            .*
                        )
                        $
                     /
                        $repl = $1.$map[$3].$4.$5.$6,
                        length($repl) <= 80
                            ? $repl
                            : $1.$map[$3].$4."\n".(" " x length($1)).$6
                     /xmge;
                     print $text;
                    ' < "$f.orig" > "$f"
            rm "$f.orig"
        done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:

    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

0f4e627ca2999d67fd122c0dbb562dce89deb283 11-Feb-2014 Jakub Hrozek <jhrozek@redhat.com>

NSS: Fix DEBUG formatting of cmdctx->id Sometimes a UID/GID value was printed using the %d format specifier which caused overflows for very large values of ID. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

d8057ec487e452038f0106042021fa612bbb8555 05-Feb-2014 Michal Zidek <mzidek@redhat.com>

responder: Use SAFEALIGN macros where appropriate. https://fedorahosted.org/sssd/ticket/1359

99bde105680e0202ab451623ff7201a90824b780 05-Feb-2014 Pavel Reichl <preichl@redhat.com>

Revert "NSS: add support for subdomain_homedir" This reverts commit 1dc7694a1cbc62b0d7e23cc1369579e5ce0071e8.

1dc7694a1cbc62b0d7e23cc1369579e5ce0071e8 15-Jan-2014 Pavel Reichl <preichl@redhat.com>

NSS: add support for subdomain_homedir Resolves: https://fedorahosted.org/sssd/ticket/2169

d57529a867940e83ed27f8c2326bde7f07db7b9a 15-Jan-2014 Jakub Hrozek <jhrozek@redhat.com>

NSS: Use plain user name when expanding homedir

c86904baad32fbf9e66bf1cdc667aa5e683b48ba 12-Jan-2014 Stef Walter <stefw@redhat.com>

NSS: Don't use printf(3) on user provided strings. This also fixes several corner cases and crashers. It's not prudent to pass user (even admin) input as a format string to printf, and various distros now check for this. This can cause accessing memory incorrectly, and also various libc abort()'s. In addition various assumptions were made about full_name_format that aren't necessarily the case if the user uses a more complex format. Use safe-printf.c implementation for formatting full_name_format. Adapt the NSS resolver so it doesn't barf on formatted strings that are shorter than expected given a full_name_format. Tests added and updated appropriately.

da5792999440a1294667c91cb520ee5e930ea917 09-Dec-2013 Jakub Hrozek <jhrozek@redhat.com>

NSS: Compare bool with false, not 0

36c266d467e9105041b33e9b1cdcd9ff073d893e 15-Nov-2013 Sumit Bose <sbose@redhat.com>

nss: check for Well-Known SIDs in SID based requests

d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)

b3292840ebaa747a9fd596ff47cc5d18198361d0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module

66fa032b86f730315b30d62ed58ab17ad065e5ff 07-Nov-2013 Lukas Slebodnik <lslebodn@redhat.com>

NSS: Set packet length for initgroups Some groups could be skipped, but packet length was not trimmed. This is a reason why valgrind reported access to uninitialised bytes. Actually, it isn't a problem, because the first uint32 in body is number of sent gids. Resolves: https://fedorahosted.org/sssd/ticket/2138

6469f42ca80bb9b955875d590485b0d9366491df 07-Nov-2013 Pavel Březina <pbrezina@redhat.com>

free idmapped binary SIDs correctly Resolves: https://fedorahosted.org/sssd/ticket/2133

36aa359c7e01a88161f5ec5c3b15e78e84236ade 30-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

NSS: Fix parenthesis

000e61bb652400215a9a851d3630cdc7307af398 29-Oct-2013 Jakub Hrozek <jhrozek@redhat.com>

NSS: Print FQDN for groups with mixed domain membership This patch is a workaround until https://fedorahosted.org/sssd/ticket/2129 is fixed properly. Consider a group entry such as:

    cn: subgroup@subdom
    ghost: someuser
    ghost: anotheruser@subdom

Currently in order to print all group members as FQDN (which is the default for AD provider), the code needs to iterate over the ghost attributes and parse them into (name,domain) and optionally re-add the domain. The proper fix would be to store always just the FQDN in the hardcoded form of user@domain

444d8f0077644a3701d8e25cd3041db6def43a62 17-Oct-2013 Pavel Březina <pbrezina@redhat.com>

nss: wait for initial subdomains request to finish AD provider downloads domain information and initializes ID mapping during subdomains request. This information is necessary to lookup objects without POSIX attributes. We need to make sure that we postpone all responder requests until ID mapping is initialized in the provider. Resolves: https://fedorahosted.org/sssd/ticket/2092

d82e648c8e5e86be94b069551998001d4cb3bdab 25-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

NSS: Failure to store entry negative cache should not be fatal The only effect the failure to store a result to negative cache might have would be a slower lookup next time.

0929629fd69df6e83f9986707b2a6462e0e273d0 25-Sep-2013 Jakub Hrozek <jhrozek@redhat.com>

NSS: Set UID and GID to negative cache after searching all domains https://fedorahosted.org/sssd/ticket/2090 Previously, when searching by UID or GID, the negative cache will only work in case the UID was searched for using fully qualified names.

d0017ae54df06b1be7f6878e6f3bfeabe93c2290 16-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new line in DEBUG message

8b9fc71516a3da83b6e0e551ec0ad9aaa19bc7bc 28-Aug-2013 Jakub Hrozek <jhrozek@redhat.com>

NSS: Descend into subdomains if enumerate=true Since we now store the enumerate flag in sysdb for subdomains, we can always descend to all available subdomains and if they do not allow enumeration, simply skip them.

39f13b3bf5b3cf79f5f16575403f03b539300dc7 19-Aug-2013 Sumit Bose <sbose@redhat.com>

fill_initgr: add original primary GID if available In some cases when MPG domains are used the information about the original primary group of a user cannot be determined by looking at the explicit group memberships. In those cases the GID related to the original primary group is stored in a special attribute of the user object. This patch adds the GID of the original primary group when available and needed. Fixes https://fedorahosted.org/sssd/ticket/2027

6e2c5a81b6af083d7909a18881971b5d907d65b1 27-Jun-2013 Lukas Slebodnik <lslebodn@redhat.com>

Do not call sss_cmd_done in function check_cache. Function sysdb_getpwnam returned more results than 1 and therefore sss_cmd_done was called. Inside of function sss_cmd_done memory was freed, but this freed memory was used in caller functions, therefore sssd crashed. https://fedorahosted.org/sssd/ticket/1980

81774ca7b8c49cd5474c4f77a234bfcd7fe9664f 30-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Remove branching to improve readability

777374243e15c53e7b0a7345e190c1018920be18 30-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Allow flat name in the FQname format https://fedorahosted.org/sssd/ticket/1648 Adds another expansion in the printf format that allows the user to use the domain flat name in the format.

1987bff88e01c74d647dd2db4f541ac311537e1a 30-May-2013 Jakub Hrozek <jhrozek@redhat.com>

Add utility functions for formatting fully-qualified names Instead of using printf-like functions directly, provide two wrappers that would encapsulate formatting the fully-qualified names. No functional change is present in this patch.

7486dea9f5f7b2a6fbbacc6db740a82140b6377c 20-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, example: '%\n'

6eadbf9dab2ad9a9463dc23e91c9e2fc804c1e9b 03-May-2013 Sumit Bose <sbose@redhat.com>

Add SID related calls to the NSS responder The patch adds 4 new calls to the NSS responder:
- SSS_NSS_GETSIDBYNAME
- SSS_NSS_GETSIDBYID
- SSS_NSS_GETNAMEBYSID
- SSS_NSS_GETIDBYSID
to either return the SIDs of the requested object or map the SID to the name or the POSIX ID of the related object.

4668b4765530cf37289235e483f301100cc1ae21 02-May-2013 Sumit Bose <sbose@redhat.com>

Remove unused TALLOC_CTX from responder_get_domain() Recent refactoring removed the need to copy the domain info data of sub-domains because the related objects will not be removed from memory anymore.

b3e247cef1f1c81a24ae7759903c11289744e94c 21-Apr-2013 Sumit Bose <sbose@redhat.com>

Refactoring: remove duplicated code in nss responder Different user and group lookup requests used nearly identical code, this patch unifies some of the related code paths.

6fc4702a3037d9bb5b27bcb58f70edf1802b7b19 10-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

Allow using flatname for subdomain home dir template https://fedorahosted.org/sssd/ticket/1609

1f469537545a20b62cb35966033be24e1c0cae39 19-Mar-2013 Lukas Slebodnik <lslebodn@redhat.com>

Removing unused declaration of functions and variable. Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.

6d678b590c0fca3f942e6ab1e4b6156d478a97e9 04-Mar-2013 Michal Zidek <mzidek@redhat.com>

Use the same dbg level for all ncache hits. We used different debug levels for messages informing about negative cache hits (old levels 2,3,4). Now it is only SSSDBG_TRACE_FUNC (same level is used in nsssrv_services.c and proposed in the ticket below). https://fedorahosted.org/sssd/ticket/1771

275102c8f332323571d55370a705d4610d24f510 04-Mar-2013 Jakub Hrozek <jhrozek@redhat.com>

Remove unused functions

58c11aa20c7a9c4ead79f4e1241d4e13c16af0a8 14-Feb-2013 Jakub Hrozek <jhrozek@redhat.com>

Lower the DEBUG level if an entry cannot be deleted from memcache

4f118e3e6a25762f40a43e6dbefb09f44adbef32 10-Feb-2013 Simo Sorce <simo@redhat.com>

Introduce IS_SUBDOMAIN() macro Fixes https://fedorahosted.org/sssd/ticket/1766

0232747f04b650796db56fd7b487aee8a96fab03 10-Feb-2013 Simo Sorce <simo@redhat.com>

Add function get_next_domain() Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()

2cbb879c517f2c756a2eb3962527979bac01ddab 10-Feb-2013 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add original homedir to home directory template options https://fedorahosted.org/sssd/ticket/1805

a1fb964f1d216427c8215a92a59f722f08a07426 16-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

Invalidate user entry even if there are no groups Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.

0c517cb7fe642795f8c23f0df2cef6ba81e079e8 16-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

NSS: invalidate memcache user entry on initgr, too https://fedorahosted.org/sssd/ticket/1757 When the user entry was missing completely after initgroups, we would never invalidate the user entry from cache. This led to dangling cache entries in memory cache if the user was removed from the server while still being in memory cache.

c3ca06c011a34997cd6ec5d1e5927fee12bf2464 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_initgroups()

a0593a02a5d2c7a8b4dda330a69fb1f10cc12cdb 15-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain to sysdb_enum<pw/gr>ebt() functions

2d66c2eee2e4364a52d5436b61759ef990108230 15-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain to sysdb_get<pwu/grg><id() functions

58fd3aa25c5292bc67432647ab7e5059439fcc6d 15-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain to sysdb_get<pw/gr>nam() functions Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.

528dd4ca82de4f4c2030ae22b723267ebc0d42e7 07-Jan-2013 Michal Zidek <mzidek@redhat.com>

sss_userdel and sss_groupdel with use_fully_qualified_names If use_fully_qualified_names is used, we need to pass fqdn to sss_mmap_cache_*_invalidate.

0e6c9d03cacf24de4265ee0f902c216ba5a131c9 20-Dec-2012 Simo Sorce <simo@redhat.com>

mmap cache: invalidate cache on fatal error If a fatal EFAULT error is returned by the internal function that frees used memory invalidate the whole cache and reinit it. This way we avoid further corruption and ensure clients see consistent data. Also ensure we use the right context in init() and we use talloc_zfree() in reinit so that if the init() later fails we do not leave around a pointer to free memory in the callers.

1f15b746e77f54ad82e1cb5c74f29d327b851c5a 19-Dec-2012 Simo Sorce <simo@redhat.com>

sssd_nss: Plug memory leaks A recent patch introduced a glaring memory leak in the routines that clean up memcache memory on initgroups calls.

e61587a5d620310c09f226f43c9bb3008481bbe3 13-Dec-2012 Michal Zidek <mzidek@redhat.com>

sssd_nss: Remove entries from memory cache if not found in sysdb Functions nss_cmd_getXXnam remove entries from memory cache if not found in sysdb cache of a local domain.

408914f68673f2caa1c82a1a21336fcb7ddd52ef 05-Dec-2012 Simo Sorce <simo@redhat.com>

Hook for mmap cache update on initgroup calls This set of functions enumerate the user's groups and invalidate them all if the list does not match what we get from the caller.

ebba1aa6b9783daa0d530e9f5e307f7be17d3cd3 05-Dec-2012 Simo Sorce <simo@redhat.com>

Hook to perform a mmap cache update from sssd_nss This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.

8d9e0547a864cee05ab36bc988300c0cfa986025 19-Nov-2012 Simo Sorce <simo@redhat.com>

Refactor the way subdomain accounts are saved The original sysdb code had a strong assumption that only users from one domain are saved in the database, with the subdomain feature, we have changed reality, but have not adjusted all the code around the sysdb calls to not rely on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and have group memberships or other name based matching code mistake a domain user with subdomain user or vice versa.

59f136cd254d1acf2991c97221eb08803784777d 15-Nov-2012 Paul B. Henson <henson@acm.org>

Add ignore_group_members option. https://fedorahosted.org/sssd/ticket/1376

a489aec7d328ad4fd8f420e1ac011c1fdc247465 23-Oct-2012 Sumit Bose <sbose@redhat.com>

Fix two errors in the nss responder One is a copy-and-paste error which was introduced by 1774ee9a61b9d691dadd1a0538f32bcdcc84f72f. The second fixes a missing explicit setting of the return value. In the case where we want fully qualified names ret contains the number of characters from the last snprintf() which is almost never 0.

66318dfe1e7138ff3fc780c4b3f0b29c4b2d8712 18-Oct-2012 Jakub Hrozek <jhrozek@redhat.com>

Allow setting the default_shell option per-domain as well https://fedorahosted.org/sssd/ticket/1583

1774ee9a61b9d691dadd1a0538f32bcdcc84f72f 12-Oct-2012 Sumit Bose <sbose@redhat.com>

Check for subdomains if getpwuid or getgrgid are the first requests Fixes https://fedorahosted.org/sssd/ticket/1561

89b93a44d1ce24ec208ee244f7e5b1689fc6ff1a 11-Oct-2012 Pavel Březina <pbrezina@redhat.com>

nss_cmd_retpwent(): do not go into infinite loop if n < 0 https://fedorahosted.org/sssd/ticket/1551

1542b85f13d72329685bdd97aa879c36d11f81be 01-Oct-2012 Sumit Bose <sbose@redhat.com>

Add new option default_domain_suffix

695bca9d2f73096254308e0883fcc74b2631850e 20-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add override_shell option If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087

065771c9859df9c4137daa5187be3aa5633b3cd5 21-Jun-2012 Jan Zeleny <jzeleny@redhat.com>

Fix re_expression matching with subdomains This patch fixes an issue which resulted in a need to initialize responder with data from local domain, otherwise it would not correctly detect requests for subdomains. Similar situation can occur if new subdomain is added at runtime. The solution is to ask for a list of subdomains in case there is a candidate domain identified in the process of matching re_expressions with given name.

3c60433641ce2e86b9b04778c8f8652ef0d097e4 13-Jun-2012 Stef Walter <stefw@gnome.org>

Make re_expression and full_name_format per domain options * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663

0d492cf0d3bf44cac68e8606ac977da21f0628f6 31-May-2012 Jan Zeleny <jzeleny@redhat.com>

Ghost members - various small changes

9f26cae5ae716a0542261167b5a91d7d2e1763e7 31-May-2012 Jan Zeleny <jzeleny@redhat.com>

Ghost members - NSS responder changes Since there are two attributes storing information about user memberships of the group we have to include both of them in results. This will apply only for objects that have ghost members (i.e. they contain the SYSDB_GHOST attribute). If an object has this attribute, values of this attribute are not projected to the memberuid attribute.

de00277c5a865501aa9d835c8dc94c7d22dfd88d 24-May-2012 Stephen Gallagher <sgallagh@redhat.com>

NSS: Fix segfault when mmap cache cannot be initialized

70694ae643677327d58912d00681096b1ab86863 15-May-2012 Jakub Hrozek <jhrozek@redhat.com>

Use sized_string correctly in FQDN domains

de2a06183ebea42e27431d5dd94e108ac56e7436 15-May-2012 Jakub Hrozek <jhrozek@redhat.com>

NSS: keep a pointer to body after body is reallocated

85e82e6a0de8668a1d0d9b29b61e731924871527 10-May-2012 Jakub Hrozek <jhrozek@redhat.com>

Send the correct enumeration request https://fedorahosted.org/sssd/ticket/1329

312818233ce48471c56d1a7589579892d9726e3b 10-May-2012 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add default_shell option This option will allow administrators to set a default shell to be used if a user does not have one set in the identity provider. https://fedorahosted.org/sssd/ticket/1289

f6dbb235373b122ae15643ef5dbbe821ee1307d9 10-May-2012 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add fallback_homedir option This option is similar to override_homedir, except that it will take effect only for users that do not have an explicit home directory specified in LDAP. https://fedorahosted.org/sssd/ticket/1250

f69456de37d7a4bf9ffd527c747a3ccb14fc0635 02-May-2012 Jakub Hrozek <jhrozek@redhat.com>

NSS: fix returning group from cache

26d72997b0a97a24015b776e41a430e8c874995f 02-May-2012 Jakub Hrozek <jhrozek@redhat.com>

NSS: Check return code of sss_mmap_cache_gr_store

24ba5b87c9a2c01deddc9be867e4951e2a397146 25-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

NSS: Only return data from initgroups once Do not let nss_cmd_initgroups_search() return data itself, but let the caller return data. This is more intuitive and more consistent with the rest of the nss_cmd_*_search() functions. Also fixes a typo - nss_cmd_initgroups_cb used to call getpw_send_reply instead of initgr_send_reply.

25912ba00b14f06db32b982fd067c3fa0a09e99f 24-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Lowercase group members in case-insensitive domains https://fedorahosted.org/sssd/ticket/1312

29be7d76c949b82350c7603cfd362a1fcb47eb1b 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Moved expand_homedir_template() from NSS responder to utility code

10894343a975174b7efe5a178641df71c7ef9f57 24-Apr-2012 Sumit Bose <sbose@redhat.com>

Check sub-domains in nss_cmd_get{pwuid|grgid}_search()

3d715363a3bfac489b7500dd70de6b6bdc7aa405 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Ask for subdomains in responder in the first request after startup

f2d943ee47bb313e0bb7276122587989a3c54fb4 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Retrieve subdomains if there is a request for fully qualified user

6fdde3913a11cd6148627696fa8717c34e8460fc 24-Apr-2012 Jan Zeleny <jzeleny@redhat.com>

Modified responder_get_domain() Now it checks for subdomains as well as for the domain itself

bd09ead65cded3207cf228c44a31bbc87c2979bd 18-Apr-2012 Jakub Hrozek <jhrozek@redhat.com>

Prevent printing NULL from DEBUG messages

c3ef027218fe9a7d16a70ca9d2f53e3d995e369f 19-Mar-2012 Simo Sorce <simo@redhat.com>

nsssrv: add handling of memory cache group map

6cb1a6e7c7517ab4ccb8ad37ade86f95b5c16a01 19-Mar-2012 Simo Sorce <simo@redhat.com>

nsssrv: add handling of memory cache passwd map

b7b50b21d2254a079b1b1c299909483d23db1512 29-Feb-2012 Sumit Bose <sbose@redhat.com>

Remove sysdb_get_ctx_from_list()

d504e6bfe8a88ea41a72b0f379e21368f7cf4cdd 13-Feb-2012 Stephen Gallagher <sgallagh@redhat.com>

Avoid uninitialized value comparison Coverity #12526

129310e872a0a70e721ba59363e518176ef406d6 13-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

Allocate setent structure on state, not on the client context https://fedorahosted.org/sssd/ticket/1189

2cba1c86f48db866fc72738a32eecbbdcdf3dbdb 13-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

Remove setent structure when callback is called

08207cb57473192c99893938fd60dc6a6ff90eb0 10-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

Fix group enumeration Also adds some more debugging and fixes a code style issue. https://fedorahosted.org/sssd/ticket/1182

e24a0656252c167e644b4758e5e53afe69be02e1 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

Split the logic to check cache expiration into separate function

98076cabc2a8b8f71dc3bc1263519827f71a5fcc 06-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: Refactor setent_req_list Makes the setent_add_ref() and setent_notify_*() functions more generic to be reusable by the autofs responder.

405a06682b3772b70bb06d3adba780a062959641 03-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

RESPONDERS: Provide a common sss_cmd_send_error function The common function could be reused in new responders

ab68008f87504ace9451c14ba2a7e8dfec435779 01-Feb-2012 Jakub Hrozek <jhrozek@redhat.com>

Refactor nss_cmd_send_empty

8c3a4809b3420657289b42f028a1c9019b112991 27-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

NSS: Add getservbyname and getservbyport support to the NSS Responder

01171ddb20034578c616d0ba07f0268ab71809da 23-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

Move sized_string declaration to utils

9d1d6019a27a0ed70a665700a9f6acc55f874811 23-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

DP: Fix bugs in sss_dp_get_account_int The conversion to the tevent_req style introduced numerous bugs related to memory management of the various client requests. In some circumstances, this could cause memory corruption and segmentation faults in the NSS responder. This patch makes the following changes: 1) Rename the internal lookup from subreq to sidereq, to indicate that it is not a sub-request of the current lookup (and therefore is not cancelled if the current request is). 2) Change the handling of the callback loops since they call tevent_req_[done|error], which results in them being freed (and therefore removed from the cb_list). This was the source of the memory corruption that would occasionally result in dereferencing an unreadable request. 3) Remove the unnecessary sss_dp_get_account_int_recv() function and change sss_dp_get_account_done() so that it only frees the sidereq. All of the waiting processes have already been signaled with the final results from sss_dp_get_account_int_done()

0c7aa697991ea9df960fae14fd567ebdda3b4ff4 21-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

RESPONDER: Extend sss_dp_account_send() to include extra data Some NSS maps such as 'services' require more values to be passed to the data provider than just the name or ID. In these cases, we will amend an optional component to filter value to pass to the data provider backend.

a096f75242bb612b7a1ae126c8e960934dc85fd4 09-Jan-2012 Simo Sorce <simo@redhat.com>

nsssrv: use sized_string in fill_grent

056a1ab1cc926e8d09d50b11e5f681c9b367e8e7 09-Jan-2012 Simo Sorce <simo@redhat.com>

nsssrv: use sized_string in fill_pwent

162858f67e8d47a9dd49d04a9f317a0315c44b0e 09-Jan-2012 Simo Sorce <simo@redhat.com>

nsssrv: add string manipulation helper the sized_string structure makes it easier to keep track of string lengths and makes passing around data more compact and readable.

65b813f8bb176d5db33cb486e1cc1bcd6dd8f1cc 21-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

Return user and group names lowercased in case insensitive domains

c7d387aaaa3d3470dec55a5ca0612873e6354ba8 21-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

sss_get_cased_name utility function

1c9d778a0410cdbf516eed7d61acf214ce92067a 19-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

Pass client context to sss_dp_get_account_send

b3b42c49656e192787a983aaa8b9ec744ba4cb9d 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

Use the case sensitivity flag in responders

247a7056af42fc50bbc896cddb66a60154ca12e9 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

Responders: Split getting domain by name into separate function

b1cf223317bb44da162bcfb153064281cdcbb56b 07-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

Pass the correct private data into Data Provider callback

d22a6b9feb74bd630ab25dd6c32da6ae88b4fc33 05-Dec-2011 Stephen Gallagher <sgallagh@redhat.com>

Ignore NULL-terminator when checking UTF8-validity Glib fails if the NULL-terminator is included when a length is specified.

069a5fe72d38f8e15b4416992453ac41a425ce9a 29-Nov-2011 Stephen Gallagher <sgallagh@redhat.com>

RESPONDER: Refactor DP requests into tevent_req style

872f2d32d979a1dd2145667487f170fec8b5189a 18-Nov-2011 Stephen Gallagher <sgallagh@redhat.com>

RESPONDER: Ensure that all input strings are valid UTF-8

8a1738f9379a1b8fb5c95c3df649e014ff5a1434 15-Aug-2011 Jan Zeleny <jzeleny@redhat.com>

sysdb refactoring: deleted domain variables in sysdb API The patch also updates code using modified functions. Tests have also been adjusted.

/sssd/src/db/sysdb.c /sssd/src/db/sysdb.h /sssd/src/db/sysdb_ops.c /sssd/src/db/sysdb_search.c /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_auth.c /sssd/src/providers/ipa/ipa_hbac_common.c /sssd/src/providers/ipa/ipa_hbac_hosts.c /sssd/src/providers/ipa/ipa_hbac_services.c /sssd/src/providers/ipa/ipa_hbac_users.c /sssd/src/providers/krb5/krb5_access.c /sssd/src/providers/krb5/krb5_auth.c /sssd/src/providers/krb5/krb5_renew_tgt.c /sssd/src/providers/ldap/ldap_auth.c /sssd/src/providers/ldap/ldap_common.c /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_id_cleanup.c /sssd/src/providers/ldap/ldap_id_enum.c /sssd/src/providers/ldap/ldap_id_netgroup.c /sssd/src/providers/ldap/sdap_access.c /sssd/src/providers/ldap/sdap_async_accounts.c /sssd/src/providers/ldap/sdap_async_netgroups.c /sssd/src/providers/proxy/proxy_auth.c /sssd/src/providers/proxy/proxy_id.c /sssd/src/providers/proxy/proxy_netgroup.c /sssd/src/providers/simple/simple_access.c /sssd/src/python/pysss.c nsssrv_cmd.c nsssrv_netgroup.c /sssd/src/responder/pam/pam_LOCAL_domain.c /sssd/src/responder/pam/pamsrv_cmd.c /sssd/src/tests/sysdb-tests.c /sssd/src/tools/sss_cache.c /sssd/src/tools/sss_groupdel.c /sssd/src/tools/sss_groupmod.c /sssd/src/tools/sss_groupshow.c /sssd/src/tools/sss_sync_ops.c /sssd/src/tools/sss_sync_ops.h /sssd/src/tools/sss_useradd.c /sssd/src/tools/sss_userdel.c /sssd/src/tools/sss_usermod.c /sssd/src/tools/tools_util.c

b03a48297a3dc03ea59360345f352bc449189589 08-Aug-2011 Jakub Hrozek <jhrozek@redhat.com>

Prevent segfault if vetoed_shells are specified without allowed_shells https://fedorahosted.org/sssd/ticket/954

1dc99c9d468cfe2a7f7286a8969c586f8740bb9f 29-Jul-2011 John Hodrien <J.H.Hodrien@leeds.ac.uk>

Add vetoed_shells option There may be users in LDAP that have a valid but unwelcome shell set in their account. This adds a blacklist of shells that should always be replaced by the fallback_shell. Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

6149a5a9d2399c2c68f5fb07a110333d7634311a 21-Jul-2011 Jakub Hrozek <jhrozek@redhat.com>

Fix indexing of skipped groups https://fedorahosted.org/sssd/ticket/928

ec425320a9bf42954a5a28b79cb567e3a9a58ecc 27-Jun-2011 Simo Sorce <ssorce@redhat.com>

fix typos

00142aba00a2adcf32f0741b8ea8a31c5a461675 02-Jun-2011 Jan Zeleny <jzeleny@redhat.com>

Non-posix group processing - ldap provider and nss responder

09985e0fcdff6312cce4f731abd12c6903ede7f1 31-May-2011 Stephen Gallagher <sgallagh@redhat.com>

Fix typo in initgroups negative cache check

068dbee9ca7bf5b37330eff91c94ae10f288d09f 20-May-2011 Jakub Hrozek <jhrozek@redhat.com>

Add new options to override shell value https://fedorahosted.org/sssd/ticket/742

d9d716b547d256c03df97b0ff8282349a0f365ad 20-May-2011 Jakub Hrozek <jhrozek@redhat.com>

Add a new option to override home directory value https://fedorahosted.org/sssd/ticket/551

54af51d2129d29258108a6dbf072a82c930bf399 20-May-2011 Jakub Hrozek <jhrozek@redhat.com>

Add a new option to override primary GID number https://fedorahosted.org/sssd/ticket/742

d9aadca8dd6676c8af03c3fbed06b7e89b4f97b1 15-Apr-2011 Stephen Gallagher <sgallagh@redhat.com>

Fix regression where nonexistent entries were never added to the negative cache

f858925bda6c5dbbe178b9abb6e85d8ce53c195f 15-Apr-2011 Stephen Gallagher <sgallagh@redhat.com>

Fix a regression with the negative cache in multi-domain configurations

c5f66b8c471e472b3c6eecf87c93373ecf8d0890 06-Jan-2011 Sumit Bose <sbose@redhat.com>

Remove unused enumeration cache timeout checks The existence of the getent_ctx is used to track the enumeration cache timeout.

5ea3cfbb8272f5e02f8e9683c0028b3e1a3c9045 06-Jan-2011 Sumit Bose <sbose@redhat.com>

Post enumeration tevent request if needed

138aea921316c32d18820c782e923b87d826c849 06-Jan-2011 Sumit Bose <sbose@redhat.com>

Return groups and users from all domains during enumeration

487c19b3871cebbdb703bb337d15abd31ec206db 26-Oct-2010 Sumit Bose <sbose@redhat.com>

Always use talloc_zero() to allocate cmdctx

c1d525a90f06a9414d0788857b271b80625a5858 15-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

sysdb interface for adding fake users

7e15d2ed3c01ab3c1f5f882fe8fa974058097bc6 15-Oct-2010 Jakub Hrozek <jhrozek@redhat.com>

sysdb interface for adding incomplete groups Useful for optimizing the initgroups operation.

ef39c0adcb61b16f9edc7beb4cdc8f3b0d5a8f15 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Add netgroup support to the NSS responder

88a9c6a44b474bff0f7e22f9eb28a9e55df2c0b5 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Split out some helper functions for the NSS responder Create a new private header and make some functions available for other object files.

585fc61d6b972939fdee815cea7463007b9ff9fe 13-Oct-2010 Stephen Gallagher <sgallagh@redhat.com>

Require explicit setting of callback context for check_cache Previously, it was implicitly using the nss_dom_ctx, but there are situations where we would want to send a different private context

1286160a84dadf7d74f0541648717b101d68460a 22-Sep-2010 Stephen Gallagher <sgallagh@redhat.com>

Initgroups on a non-cached user should go to the data provider We were accidentally returning an error when sysdb_getpwnam() returned zero results internally in sysdb_initgroups(). The correct behavior here is to return EOK and a result object with zero entries.

c53ed27b33ecc7fcce62d4b3a3e55ce9cda1ca7c 08-Sep-2010 Stephen Gallagher <sgallagh@redhat.com>

Handle multiple simultaneous enumeration requests Previously, if a second enumeration request arrived while one was already being processed, each process would receive only a subset of the total number of available users or groups. This is because we were maintaining the response object as a global value in the NSS responder. The second request would come in, see that the data set was already populated, and start reading from wherever the cursor was currently pointed. With this patch, we now move the cursor to the client context instead of the global NSS context. Additionally, this patch completely rewrites the approach to enumerations in the tevent_req style. This makes it much easier to follow in the code. In order to ensure that a slow or malicious client cannot hold onto a reference for the setent result object indefinitely, we set an expiration on the object. We use the enum_cache_timeout here, since that is an appropriate value. If the timeout fires during the normal operation of the get*ent() loop of a client program, we will save the current values of the read index so that we can resume as soon as the object has been refreshed by an implicit setent call. Instead of deleting the enumeration result object immediately after the last in-progress client has read it, we'll keep the object around for the lifetime of enum_cache_timeout. This way, additional clients making enumeration requests can still access the results in-memory.

e35fa36e5c005986978cc7463f54dc29d3eacd66 08-Sep-2010 Jan Zeleny <jzeleny@redhat.com>

Dead assignments cleanup in NSS responder Various dead assignments were deleted, some return value inspections were added. Ticket: #588

ae5716d87c7b126ab01b0d4fcacd4f519585e5fb 17-Jun-2010 Stephen Gallagher <sgallagh@redhat.com>

Refactor the negative cache Rename functions from nss_ncache_* to sss_ncache_* Move negative cache to responder/common and rename as negcache.c/h

de3f8b862f4920c2804529698db86f3057fd3c8a 17-Jun-2010 Stephen Gallagher <sgallagh@redhat.com>

Ensure that all domains are checked for users/groups There was a bug in the negative cache checks (probably a leftover from when filter_users was global-only) that meant that if a user was filtered out of a domain, the remaining domains would not be checked for that user. (Same for groups/initgroups)

aafa0393524bacc5ba48e79ab536f9deb3972e38 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_initgroups

b2d78dfb2cdd6391be62812513ed26d6f4f454c5 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

Adjust fill_pwent and fill_grent fill_pwent should return the number of users actually processed. Otherwise in case of a recoverable error we may end up skipping a large chunk of users. fill_grent doesn't need to distinguish between number of entries and number of groups to process since we started adding memberuid. Remove remnants that are not useful anymore.

88e7576d8bf00bfd0eaed8731b7eee1d6b6e05a1 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_enumgrent

fa362558a3f89644dab60debfbc423fe31a39f00 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_enumpwent

ac660a221255b761615f6ecdb63b92a6391a58a2 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getgrgid

25465215742b9c78566d44cd06a886c4a4e43ffa 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getgrnam

a298e5b4050a69238593017ccc774336eb332e16 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getpwuid

7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac 12-Apr-2010 Simo Sorce <ssorce@redhat.com>

sysdb: convert sysdb_getpwnam

8ad7891f28c0ffd991c51f2d64c32cf04c9ddbbc 08-Mar-2010 George McCollister <georgem@novatech-llc.com>

Fixed alignment problems in nss client/server I fixed a handful of alignment problems in sss_client and nss responder. Enumerating group and passwd with getgrent and getpwent now works correctly on ARM. Signed-off-by: George McCollister <georgem@novatech-llc.com>

8f4aaae28c88c707853f8f28d8babc4efe0c1bf6 04-Mar-2010 Martin Nagy <mnagy@redhat.com>

Add forgotten \n in DEBUG statements Logs from confdb with missing '\n' in the DEBUG statements annoyed me so I decided to fix them. I also made a quick grep through the code and found other places so I fixed them too.

1c48b5a62f73234ed26bb20f0ab345ab61cda0ab 18-Feb-2010 Stephen Gallagher <sgallagh@redhat.com>

Rename server/ directory to src/ Also update BUILD.txt

/sssd/BUILD.txt /sssd/Makefile.am /sssd/configure.ac /sssd/contrib/sssd.spec.in /sssd/src/Makefile.am /sssd/src/build_macros.m4 /sssd/src/conf_macros.m4 /sssd/src/confdb/confdb.c /sssd/src/confdb/confdb.h /sssd/src/confdb/confdb_private.h /sssd/src/confdb/confdb_setup.c /sssd/src/confdb/confdb_setup.h /sssd/src/config/SSSDConfig.py /sssd/src/config/SSSDConfigTest.py /sssd/src/config/etc/sssd.api.conf /sssd/src/config/etc/sssd.api.d/sssd-ipa.conf /sssd/src/config/etc/sssd.api.d/sssd-krb5.conf /sssd/src/config/etc/sssd.api.d/sssd-ldap.conf /sssd/src/config/etc/sssd.api.d/sssd-local.conf /sssd/src/config/etc/sssd.api.d/sssd-proxy.conf /sssd/src/config/ipachangeconf.py /sssd/src/config/setup.py /sssd/src/config/testconfigs/noparse.api.conf /sssd/src/config/testconfigs/sssd-badversion.conf /sssd/src/config/testconfigs/sssd-invalid-badbool.conf /sssd/src/config/testconfigs/sssd-invalid.conf /sssd/src/config/testconfigs/sssd-noversion.conf /sssd/src/config/testconfigs/sssd-valid.conf /sssd/src/config/upgrade_config.py /sssd/src/configure.ac /sssd/src/db/sysdb.c /sssd/src/db/sysdb.h /sssd/src/db/sysdb_ops.c /sssd/src/db/sysdb_private.h /sssd/src/db/sysdb_search.c /sssd/src/doxy.config.in /sssd/src/examples/sssd.conf /sssd/src/examples/sssdproxytest /sssd/src/examples/sudo /sssd/src/external/crypto.m4 /sssd/src/external/docbook.m4 /sssd/src/external/krb5.m4 /sssd/src/external/ldap.m4 /sssd/src/external/libcares.m4 /sssd/src/external/libcollection.m4 /sssd/src/external/libdhash.m4 /sssd/src/external/libini_config.m4 /sssd/src/external/libldb.m4 /sssd/src/external/libpcre.m4 /sssd/src/external/libpopt.m4 /sssd/src/external/libtalloc.m4 /sssd/src/external/libtdb.m4 /sssd/src/external/libtevent.m4 /sssd/src/external/pam.m4 /sssd/src/external/pkg.m4 /sssd/src/external/platform.m4 /sssd/src/external/python.m4 /sssd/src/external/selinux.m4 /sssd/src/external/sizes.m4 /sssd/src/krb5_plugin/sssd_krb5_locator_plugin.c /sssd/src/ldb_modules/memberof.c /sssd/src/m4/.dir 
/sssd/src/man/include/failover.xml /sssd/src/man/include/param_help.xml /sssd/src/man/include/upstream.xml /sssd/src/man/sss_groupadd.8.xml /sssd/src/man/sss_groupdel.8.xml /sssd/src/man/sss_groupmod.8.xml /sssd/src/man/sss_groupshow.8.xml /sssd/src/man/sss_useradd.8.xml /sssd/src/man/sss_userdel.8.xml /sssd/src/man/sss_usermod.8.xml /sssd/src/man/sssd-ipa.5.xml /sssd/src/man/sssd-krb5.5.xml /sssd/src/man/sssd-ldap.5.xml /sssd/src/man/sssd.8.xml /sssd/src/man/sssd.conf.5.xml /sssd/src/man/sssd_krb5_locator_plugin.8.xml /sssd/src/monitor/monitor.c /sssd/src/monitor/monitor.h /sssd/src/monitor/monitor_interfaces.h /sssd/src/monitor/monitor_sbus.c /sssd/src/po/LINGUAS /sssd/src/po/Makevars /sssd/src/po/POTFILES.in /sssd/src/po/de.po /sssd/src/po/es.po /sssd/src/po/fr.po /sssd/src/po/it.po /sssd/src/po/ja.po /sssd/src/po/nl.po /sssd/src/po/pl.po /sssd/src/po/pt.po /sssd/src/po/sss_daemon.pot /sssd/src/po/sv.po /sssd/src/providers/child_common.c /sssd/src/providers/child_common.h /sssd/src/providers/data_provider.h /sssd/src/providers/data_provider_be.c /sssd/src/providers/data_provider_fo.c /sssd/src/providers/data_provider_opts.c /sssd/src/providers/dp_auth_util.c /sssd/src/providers/dp_backend.h /sssd/src/providers/dp_sbus.c /sssd/src/providers/fail_over.c /sssd/src/providers/fail_over.h /sssd/src/providers/ipa/ipa_access.c /sssd/src/providers/ipa/ipa_access.h /sssd/src/providers/ipa/ipa_auth.c /sssd/src/providers/ipa/ipa_auth.h /sssd/src/providers/ipa/ipa_common.c /sssd/src/providers/ipa/ipa_common.h /sssd/src/providers/ipa/ipa_init.c /sssd/src/providers/ipa/ipa_timerules.c /sssd/src/providers/ipa/ipa_timerules.h /sssd/src/providers/krb5/krb5_auth.c /sssd/src/providers/krb5/krb5_auth.h /sssd/src/providers/krb5/krb5_become_user.c /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_common.c /sssd/src/providers/krb5/krb5_common.h /sssd/src/providers/krb5/krb5_init.c /sssd/src/providers/krb5/krb5_utils.c /sssd/src/providers/krb5/krb5_utils.h 
/sssd/src/providers/ldap/ldap_auth.c /sssd/src/providers/ldap/ldap_child.c /sssd/src/providers/ldap/ldap_common.c /sssd/src/providers/ldap/ldap_common.h /sssd/src/providers/ldap/ldap_id.c /sssd/src/providers/ldap/ldap_id_cleanup.c /sssd/src/providers/ldap/ldap_id_enum.c /sssd/src/providers/ldap/ldap_init.c /sssd/src/providers/ldap/sdap.c /sssd/src/providers/ldap/sdap.h /sssd/src/providers/ldap/sdap_async.c /sssd/src/providers/ldap/sdap_async.h /sssd/src/providers/ldap/sdap_async_accounts.c /sssd/src/providers/ldap/sdap_async_connection.c /sssd/src/providers/ldap/sdap_async_private.h /sssd/src/providers/ldap/sdap_child_helpers.c /sssd/src/providers/providers.h /sssd/src/providers/proxy.c /sssd/src/providers/sssd_be.exports /sssd/src/python/pysss.c /sssd/src/resolv/ares/ares_data.c /sssd/src/resolv/ares/ares_data.h /sssd/src/resolv/ares/ares_dns.h /sssd/src/resolv/ares/ares_parse_srv_reply.c /sssd/src/resolv/ares/ares_parse_srv_reply.h /sssd/src/resolv/ares/ares_parse_txt_reply.c /sssd/src/resolv/ares/ares_parse_txt_reply.h /sssd/src/resolv/async_resolv.c /sssd/src/resolv/async_resolv.h /sssd/src/responder/common/responder.h /sssd/src/responder/common/responder_cmd.c /sssd/src/responder/common/responder_common.c /sssd/src/responder/common/responder_dp.c /sssd/src/responder/common/responder_packet.c /sssd/src/responder/common/responder_packet.h nsssrv.c nsssrv.h nsssrv_cmd.c nsssrv_nc.c nsssrv_nc.h /sssd/src/responder/pam/pam_LOCAL_domain.c /sssd/src/responder/pam/pamsrv.c /sssd/src/responder/pam/pamsrv.h /sssd/src/responder/pam/pamsrv_cmd.c /sssd/src/responder/pam/pamsrv_dp.c /sssd/src/sbus/sbus_client.c /sssd/src/sbus/sbus_client.h /sssd/src/sbus/sssd_dbus.h /sssd/src/sbus/sssd_dbus_common.c /sssd/src/sbus/sssd_dbus_connection.c /sssd/src/sbus/sssd_dbus_private.h /sssd/src/sbus/sssd_dbus_server.c /sssd/src/sss_client/common.c /sssd/src/sss_client/group.c /sssd/src/sss_client/man/pam_sss.8.xml /sssd/src/sss_client/pam_sss.c /sssd/src/sss_client/pam_test_client.c 
/sssd/src/sss_client/passwd.c /sssd/src/sss_client/protos.h /sssd/src/sss_client/sss_cli.h /sssd/src/sss_client/sss_nss.exports /sssd/src/sss_client/sss_pam.exports /sssd/src/sss_client/sss_pam_macros.h /sssd/src/sysv/SUSE/sssd /sssd/src/sysv/sssd /sssd/src/tests/auth-tests.c /sssd/src/tests/check_and_open-tests.c /sssd/src/tests/common.c /sssd/src/tests/common.h /sssd/src/tests/fail_over-tests.c /sssd/src/tests/files-tests.c /sssd/src/tests/find_uid-tests.c /sssd/src/tests/ipa_ldap_opt-tests.c /sssd/src/tests/ipa_timerules-tests.c /sssd/src/tests/krb5_utils-tests.c /sssd/src/tests/python-test.py /sssd/src/tests/refcount-tests.c /sssd/src/tests/resolv-tests.c /sssd/src/tests/stress-tests.c /sssd/src/tests/strtonum-tests.c /sssd/src/tests/sysdb-tests.c /sssd/src/tools/files.c /sssd/src/tools/sss_groupadd.c /sssd/src/tools/sss_groupdel.c /sssd/src/tools/sss_groupmod.c /sssd/src/tools/sss_groupshow.c /sssd/src/tools/sss_sync_ops.c /sssd/src/tools/sss_sync_ops.h /sssd/src/tools/sss_useradd.c /sssd/src/tools/sss_userdel.c /sssd/src/tools/sss_usermod.c /sssd/src/tools/tools_util.c /sssd/src/tools/tools_util.h /sssd/src/util/backup_file.c /sssd/src/util/check_and_open.c /sssd/src/util/crypto_sha512crypt.c /sssd/src/util/debug.c /sssd/src/util/dlinklist.h /sssd/src/util/find_uid.c /sssd/src/util/find_uid.h /sssd/src/util/memory.c /sssd/src/util/nss_sha512crypt.c /sssd/src/util/refcount.c /sssd/src/util/refcount.h /sssd/src/util/server.c /sssd/src/util/sha512crypt.h /sssd/src/util/signal.c /sssd/src/util/signal.m4 /sssd/src/util/sss_krb5.c /sssd/src/util/sss_krb5.h /sssd/src/util/sss_ldap.c /sssd/src/util/sss_ldap.h /sssd/src/util/strtonum.c /sssd/src/util/strtonum.h /sssd/src/util/user_info_msg.c /sssd/src/util/user_info_msg.h /sssd/src/util/usertools.c /sssd/src/util/util.c /sssd/src/util/util.h