utils: add is_email_from_domain() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: make domain mapping content testable Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

IPA: fix [capaths] output the capaths for a single domain should be collected in a single sub-section in the MIT Kerberos configuration not spread over multiple one. See the capaths section of the krb5.conf man page for details. Resolves: https://fedorahosted.org/sssd/ticket/3103 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: Remove unused functions The conversion to sysdb made several functions obsolete. Remove them. Reviewed-by: Sumit Bose <sbose@redhat.com>

UTIL: Parse internal fqnames in find_domain_by_object_name Previously, the sss_parse_name function was used. That function is meant to parse SSSD input, mainly in responders, not internal object names. Reviewed-by: Sumit Bose <sbose@redhat.com>

IPA/AD: globally set krb5 canonicalization flag If Kerberos principal canonicalization is configured in SSSD, currently it is the default for the IPA provider, a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default. Resolves https://fedorahosted.org/sssd/ticket/3041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

utils: add sss_write_krb5_snippet_common() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

localauth: remove enable_only sssd from config snippet Resolves https://fedorahosted.org/sssd/ticket/2788 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTILS: More restrictive permissions in domain_info There are two occurances of creating temp. file under SSS_DFL_X_UMASK permissions which enable possibility to grant executable permission. After writting to those temp. files, they are renamed and they get 0644 permissions. So SSS_DFL_UMASK is good enough fot this case. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: Convert domain->disabled into tri-state with domain states Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private In order to make updating the subdomain list a two-step process. Therefore we need to make sure that update_subdomains() is the only interface towards the SSSD that changes the subdomain list. Move the new_subdomain() function to sysdb_subdomains.c and only make it available through a private header so it's usable by unit tests. Reviewed-by: Sumit Bose <sbose@redhat.com>

SYSDB: Store trust direction for subdomains We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>

UTIL: Inherit ignore_group_members Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com>

Add cache_credentials_minimal_first_factor_length config option Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IPA: do not add domain name unconditionally Depending on the server-side configuration the extdom plugin can return short or fully qualified names for IPA objects. The client must handle the names according to its own configuration and not add the domain part of the fully-qualified name unconditionally. Resolves https://fedorahosted.org/sssd/ticket/2647 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

add missing '\n' in debug messages Also reformat debug strings not to exceed 80 columns long lines. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

IPA: properly handle mixed-case trusted domains In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD/IPA: add krb5_confd_path configuration option With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

new_subdomain: copy view data from parent Since a view applies to the whole domain-subdomain tree the view data is copied from the parent the new created domains. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

UTIL: Always write capaths We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

PAM: new options pam_trusted_users & pam_public_domains pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

UTIL: Do not change SSSD domains in get_domains_head When there was more than one SSSD domain configured, actions performed against domains later in the list would be incorrectly told to use the first domain as the base for locating subdomains. This was because we were rewinding the ->prev list on the sss_domain_info object, which is only intended to be used by confdb code. The correct approach was to use only the parent linkage, which would take us up to the top-level domain in this SSSD domain.

UTIL: rename find_subdomain_by_object_name The function was named "find_subdomain" yet it could find both main domain and subdomain. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: rename find_subdomain_by_name The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

UTIL: rename find_subdomain_by_sid The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_sid/find_domain_by_sid/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: tokengroups do not work with id_provider=ldap With plain LDAP provider we already have a sdap_handle, so it should be possible that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be skipped and sdap_get_ad_tokengroups_send() can be already send with the sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should only fail if sdom->pvt == NULL and sh == NULL. if find_subdomain_by_sid() failed we can check if there is only one domain in the domain list (state->domain) and in this case continue with this domain since the LDAP provider does not know about sub-domains and hence can only have one configured domain. Resolves: https://fedorahosted.org/sssd/ticket/2345 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

NSS: Add option to expand homedir template format LDAP server can contain template for home directory instead of plain string. This patch adds new expand option "%H", which will be replaced with value from configuration option homedir_substring (from sssd.conf) Resolves: https://fedorahosted.org/sssd/ticket/1853

refactor calls of sss_parse_name sss_parse_name now supports NULL as output parameters so existing calls passing arguments which were never read were substituted by NULL. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

UTIL: Inherit parent domain's default_shell Some override parameters were not inherited when creating subdomains. Especially with AD trusts, this gave strange results.

Enhance/add unit tests for find_subdomain_by_sid/name

find_subdomain_by_sid: skip domains with missing domain_id

Inherit ID limits of parent domains if set https://fedorahosted.org/sssd/ticket/2123 Previously, the subdomains were always unbound even if the administrator limited the ranges with min_id/max_id. This could have posed problems when running programs that scan the whole ID space, such as "groupadd -r".

ipa_server_mode: write capaths to krb5 include file If there are member domains in a trusted forest which are DNS-wise not proper children of the forest root the IPA KDC needs some help to determine the right authentication path. In general this should be done internally by the IPA KDC but this works requires more effort than letting sssd write the needed data to the include file for krb5.conf. If this functionality is available for the IPA KDC this patch might be removed from the sssd tree. Fixes https://fedorahosted.org/sssd/ticket/2093

IPA: store forest name for forest member domains In order to fix https://fedorahosted.org/sssd/ticket/2093 the name of the forest must be known for a member domain of the forest.

util: add get_domains_head() This function will return head of the domain list. Resolves: https://fedorahosted.org/sssd/ticket/2066

util: add find_subdomain_by_object_name() This function will parse object name into name and domain name part and return appropriate sss domain. Resolves: https://fedorahosted.org/sssd/ticket/2034

util: add find_subdomain_by_sid() This function takes domain SID (doesn't have the last component) or object SID (have all components) and returns subdomain. The subdomain is found by comparing domain->domainid with the SID. E.g. domain SID: S-1-5-21-3940105347-3434501867-2690409756 object SID: S-1-5-21-3940105347-3434501867-2690409756-513 Resolves: https://fedorahosted.org/sssd/ticket/2034

Add a new option to control subdomain enumeration

Read enumerate state for subdomains from cache The enumerate flag will be read from the cache for subdomains and the domain object will be created accordingly.

Read mpg state for subdomains from cache The mpg flag will be read from the cache for subdomains and the domain object will be created accordingly.

Add missing argument to DEBUG message

AD: Write out domain-realm mappings This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.

Improved readability of get_next_domain() https://fedorahosted.org/sssd/ticket/1812

get_next_domain() test dom->parent->next for NULL Otherwise dom may be set to NULL and we will segfault when dereferencing dom.

Introduce IS_SUBDOMAIN() macro Fixes https://fedorahosted.org/sssd/ticket/1766

Change the way domains are linked. - Use a double-linked list for domains and subdomains. - Never remove a subdomain, simply mark it as disabled if it becomes unused. - Rework the way subdomains are refreshed. Now sysdb_update_subdomains() actually updates the current subdomains and marks as disabled the ones not found in the sysdb or add new ones found. It never removes them. Removal of missing domains from sysdb is deferred to the providers, which will perform it at refresh time, for the ipa provider that is done by ipa_subdomains_write_mappings() now. sysdb_update_subdomains() is then used to update the memory hierarchy of the subdomains. - Removes sysdb_get_subdomains() - Removes copy_subdomain() - Add sysdb_subdomain_delete()

Add ability to disable domains

Add function get_next_domain() Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()

Avoid sysdb_subdom in sysdb_get_subdomains()

Add realm info to sss_domain_info

Stop creating fake sysdb contexts Now that the sysdb context does not contain anymore domain related data we can simply stop creating faxe sysdb context and just reference the parent context.

Move mpg flag to the domain where it belongs A sysdb contains now multiple domains, but the mpg property is a property of a specific domain not of the underlying database.

Pass domain to sysdb_get<pw/gr>nam() functions Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.

Refactor single domain initialization Bring it out of sysdb, which will slowly remove internal dependencies on domains and instead will always require them to be passed by callers.

Refactor the way subdomain accounts are saved The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.

Make sub-domains case-insensitive Currently the only type of supported sub-domains are AD domains which are not case-sensitive. To make it easier for Windows user we make sub-domains case-insensitive as well which allows to write the username in any case at the login prompt. If support for other types of sub-domains is added it might be necessary to set the case-sensitive flag based on the domain type.

Make re_expression and full_name_format per domain options * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663

Modify behavior of pam_pwd_expiration_warning New option pwd_expiration_warning is introduced which can be set per domain and can override the value specified by the original pam_pwd_expiration_warning. If the value of expiration warning is set to zero, the filter isn't apllied at all - if backend server returns the warning, it will be automatically displayed. Default value for Kerberos: 7 days Default value for LDAP: don't apply the filter Technical note: default value when creating the domain is -1. This is important so we can distinguish between "no value set" and 0. Without this possibility it would be impossible to set different values for LDAP and Kerberos provider.

Two fixes in responder subdomain code

New config option for subdomains subdomain_homedir - if set, it contains default value, can be overriden in further processing

Add conn_name to allow different names for domains and connections

Add some utility functions for subdomains