tests: add tests for netlogon_get_domain_info Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DP: rename be_acct_req to dp_id_data Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: use krb5_keytab for subdomain initialization During the initialization of AD subdomains parameters like the SASL auth id are determined. Since subdomains use a default set of the AD specific configuration options the default keytab will be used. If krb5_keytab is set in sssd.conf for the AD domain this keytab should be used for the subdomains (domains of the same AD forest) as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

test_ad_common: Include missing header if building with NSS There was a compile time warning if building with NSS crypto libraries. src/tests/cmocka/test_ad_common.c: In function ‘main’: src/tests/cmocka/test_ad_common.c:873:5: error: implicit declaration of function ‘nspr_nss_cleanu’ [-Werror=implicit-function-declaration] nspr_nss_cleanup(); ^~~~~~~~~~~~~~~~ Reviewed-by: Pavel Reichl <preichl@redhat.com>

AD: process PAC during initgroups request If there is a recently attached PAC blob in the cached user entry the PAC data is used to update the group memberships data of the user. If there is no PAC attached or if it is too old the other configured methods will be used. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

TESTS: global_talloc_context push/pop remove Push/pop global_talloc_context into check_leaks is redudant. It is done in leak_check_setup() and leak_check_teardown() functions in src/tests/check_leaks. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

AD: Remove unused memory context from ad_user_conn_list Reviewed-by: Petr Cech <pcech@redhat.com>

AD: Consolidate connection list construction on ad_common.c Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Provide common connection list construction functions https://fedorahosted.org/sssd/ticket/2810 Provides a new AD common function ad_ldap_conn_list() that creates a list of AD connection to use along with properties to avoid mistakes when manually constructing these lists. Reviewed-by: Sumit Bose <sbose@redhat.com>

test_ad_common: Use unique directory for keytabs This patch also improved cleanup. The functions test_ad_create_2way_trust_options created keytab which was used by other following tests test_ldap_conn_list, test_conn_list. The keytab was not removed at the end of al tests. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD: Add ad_create_1way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 For one-way trusts we can assume that AD domain is the same as the Kerberis realm. On the other hand, SASL realm and keytab path are specified, unlike two-way trusts that use the system keytab. Includes a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA/AD: Set up AD domain in ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Removed code duplication. Amends unit test to make sure we don't regress. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Split off ad_create_default_options Related: https://fedorahosted.org/sssd/ticket/2638 Make the function reusable and add a simple unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Rename ad_create_default_options to ad_create_2way_trust_options Related: https://fedorahosted.org/sssd/ticket/2638 Better reflects what's going on in the function. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: Always get domain-specific ID connection ad_get_dom_ldap_conn() assumed that ad_ctx->ldap_ctx always points at the LDAP connection for the primary domain, however it turns out that this is not always the case. It's currently unclear why, but this connection can sometimes be pointing at a subdomain. Since the value of subdom_id_ctx->ldap_ctx always points to the correct domain (including the primary domain case), there's no benefit to trying to shortcut to the ad_ctx->ldap_ctx when performing this lookup. This patch also makes a minor tweak to the tests so that the primary domain passes the sdap_domain_get() check for validity (since it needs to have a private member assigned). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

tests: convert all unit tests to cmocka 1.0 or later All tests now use the cmocka-1.0-compatible API. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

TOOLS: Always debug to stderr https://fedorahosted.org/sssd/ticket/2348 Programs that are supposed to only be executed on the foreground should log to stderr automatically. Reviewed-by: Michal Židek <mzidek@redhat.com>

AD: Enable fallback to LDAP of trusted domain Since we have the LDAP port of a trusted AD GC always available now, we can always perform a fallback.

AD: Add a new option to turn off GC lookups SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.

AD: Add a utility function to create list of connections ad_id.c and ad_access.c used the same block of code. With the upcoming option to disable GC lookups, we should unify the code in a function to avoid breaking one of the code paths. The same applies for the LDAP connection to the trusted AD DC. Includes a unit test.