AD admin account I use for trust setup is getting audited - what specific permissions does the AD user need to have for trust setup?
by Chris Dagdigian
Hi folks,
Tried to find this in the FreeIPA and RHEL IDM docs but could not find
my answer with any specificity ...
I have a user account called "idmbind" inside an AD controller for a
domain that we integrate with our linux fleet in AWS
Because this domain is non-essential and we had full control, we got lazy
and just made the "idmbind" account as privileged as possible -- it's
currently part of the "Domain Admin" and "Enterprise Admin" groups.
Now that crunch time is over we are auditing all our AD user accounts.
I've been specifically asked:
"Does your idmbind user really need Enterprise Admin group membership?"
"Does your idmbind user really need Domain Admin group membership?"
Is there a concise answer somewhere on what permissions/roles the local
AD user account needs to have when we use that username and password to
set up 1-way and 2-way trusts with FreeIPA? The docs and screenshots
show the words "domain administrator" but I'm wondering if the
requirements are more specific.
I figure "Domain Admin yes, Enterprise Admin no" may be the proper
answer but looking for a more authoritative voice, thanks!
Chris
4 years
Problem with upgrade
by Alessandro Perucchi
Hello everyone,
We were using FreeIPA on Fedora 24, and we are in the process of upgrading to
Fedora 28.
We have a cluster of 2 nodes (freeipa-01 and freeipa-02).
I am trying to upgrade one server after the other, from one release to the
next.
Basically:
freeipa-01 Fedora 24 -> Fedora 25
freeipa-02 Fedora 24 -> Fedora 25
freeipa-02 Fedora 25 -> Fedora 26
freeipa-01 Fedora 25 -> Fedora 26
freeipa-01 Fedora 26 -> Fedora 27
freeipa-02 Fedora 26 -> Fedora 27
freeipa-02 Fedora 27 -> Fedora 28
freeipa-01 Fedora 27 -> Fedora 28
This is because Fedora doesn't support jumping from one version to another
except one release at a time.
My idea is to check that, once a server is upgraded, everything is stable
before going to the next server, and to keep the two FreeIPA nodes of the
cluster as close to each other as possible from a version point of view.
Today (2018-06-12) I could upgrade without problems from Fedora 24 -> Fedora 25
on both nodes (freeipa-01 and freeipa-02).
In trying to upgrade to Fedora 26 I got some problems; the main one is that
the 389 LDAP upgrade does not succeed, and neither does the IPA one.
After investigating for a long while, I found that ns-slapd listens only
on IPv6, on UDP, and NOT on IPv4 and TCP.
Here is what I have:
[root@freeipa-02 lib]# lsof -Pni |grep slap
ns-slapd 21005 dirsrv 9u IPv6 1617283379 0t0 UDP *:389
ns-slapd 21005 dirsrv 77u IPv4 1617321218 0t0 TCP 10.100.0.102:60646->10.100.0.101:389 (ESTABLISHED)
ns-slapd 21005 dirsrv 81u IPv4 1617317640 0t0 TCP 10.100.0.102:60648->10.100.0.101:389 (ESTABLISHED)
So, I decided to look at the file dse.ldif, and found that the entry
"nsslapd-port" was set to "0" and "nsslapd-listenhost" was not set at
all.
I have then added the line
nsslapd-listenhost: 0.0.0.0
and changed the nsslapd-port to look like:
nsslapd-port: 389
And after doing a
systemctl stop dirsrv@DOM-LOCAL ; systemctl start dirsrv@DOM-LOCAL
No changes; all my modifications to dse.ldif were gone.
I stopped dirsrv again, redid my changes to dse.ldif, and ran the
following command:
/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-DOM-LOCAL -i /var/run/dirsrv/slapd-DOM-LOCAL.pid
and now, I have the following:
[root@freeipa-02 updates]# lsof -Pni |grep 389
ns-slapd 78507 dirsrv 10u IPv6 1681165214 0t0 UDP *:389
ns-slapd 78507 dirsrv 11u IPv4 1681165216 0t0 TCP *:389 (LISTEN)
ns-slapd 78507 dirsrv 114u IPv4 1684131928 0t0 TCP 10.100.0.102:389->10.100.0.110:36828 (ESTABLISHED)
So my questions are:
- How do I change the dse.ldif file?
- Is there another way to ensure that it listens on TCP/389 on IPv4?
- Is there something that needs to be done between Fedora 25 and 26?
Knowing that I will go to Fedora 28, is there something that I need to be
aware of?
- Anything that can help me generally with my upgrade path?
Best regards,
Alessandro
4 years
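The post above comes down to two attributes of the cn=config entry in dse.ldif: nsslapd-port (0 turns the plain LDAP/TCP listener off; 389 is the usual value) and nsslapd-listenhost (absent means all addresses). Below is an added example, not code from the post, from 389-ds or from FreeIPA, that parses a dse.ldif and reports when those settings would leave the server without an LDAP listener. The sample LDIF is constructed to mirror the state described in the post; the attribute names are the real 389-ds ones.

```python
"""Check the listener settings in a 389-ds dse.ldif.

Added example for the thread above; it is not code from the post, from 389-ds
or from FreeIPA. It parses the cn=config entry of a dse.ldif and reports the
two attributes that decide whether ns-slapd accepts plain LDAP over TCP:
nsslapd-port (0 disables that listener; 389 is the usual value) and
nsslapd-listenhost (absent means every address). The sample LDIF is
constructed to mirror the broken state described in the post.
"""
import base64
from typing import Dict, List

# Constructed sample: port 0 and no nsslapd-listenhost, as in the post.
BROKEN_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 0
nsslapd-secureport: 636
nsslapd-security: on
nsslapd-rootdn: cn=Directory Manager

dn: cn=encryption,cn=config
cn: encryption
objectClass: top
objectClass: nsEncryptionConfig
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse an LDIF dump into {dn: {attribute: [values]}}.

    Handles folded lines (a continuation line starts with one space),
    comments and base64 values ("attr:: <b64>"). Attribute names and DNs
    are lower-cased because LDAP treats them case-insensitively.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn = None
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            dn = value.lower()
        else:
            current.setdefault(attr, []).append(value)
    return entries


def check_listener(entries: Dict[str, Entry], expected_port: int = 389) -> List[str]:
    """Return findings about the plain-LDAP listener; an empty list means OK."""
    cfg = entries.get("cn=config")
    if cfg is None:
        return ["no cn=config entry found; is this really a dse.ldif?"]
    findings: List[str] = []
    ports = cfg.get("nsslapd-port")
    if ports is None:
        findings.append("nsslapd-port missing; 389-ds then defaults to 389")
    elif int(ports[0]) == 0:
        findings.append("nsslapd-port is 0: the plain LDAP (TCP) listener is disabled")
    elif int(ports[0]) != expected_port:
        findings.append(f"nsslapd-port is {ports[0]}, expected {expected_port}")
    hosts = cfg.get("nsslapd-listenhost")
    if hosts and hosts[0] not in ("0.0.0.0", "::"):
        findings.append(f"nsslapd-listenhost restricts the listener to {hosts[0]}")
    return findings


if __name__ == "__main__":
    for finding in check_listener(parse_ldif(BROKEN_DSE_LDIF)) or ["listener settings look fine"]:
        print(finding)
```

Two operational points go with this check. ns-slapd writes dse.ldif back to disk when it shuts down, so a hand edit only survives if the instance is fully stopped first, the file is edited, and the instance is then started; the supported alternative while it runs is an ldapmodify of cn=config (as Directory Manager, over the ldapi socket). And dse.ldif carries the nsslapd-rootpw hash, so run a parser like this on the host rather than copying the file elsewhere. Whether the port actually came up is then confirmed with `ss -ltnp | grep ':389'`.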
ipa operation errors from a client, but not servers
by Kat
Anyone seen this before? Can't find anything in searches.
(Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
(Server - ipa-server-4.5.4-10.el7_5.1.x86_64)
On a client running RHEL 7.4 (the IPA server is RHEL 7.5):
$ ipa user-show freddy --all
ipa: ERROR: ImportError: No module named gssapi
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1356, in run
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 945, in packages
    import ipaclient.remote_plugins
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 14, in <module>
    from ipaclient.plugins.rpcclient import rpcclient
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/rpcclient.py", line 32, in <module>
    from ipalib.rpc import xmlclient, jsonclient
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 45, in <module>
    import gssapi
ImportError: No module named gssapi
ipa: ERROR: an internal error has occurred
The same command on another host (client) works flawlessly, but it is the
same software.
Ideas?
Kat
4 years
How to list groups an external user is a member of?
by Marc Boorshtein
Looking through the API, I see that I can list the external members of
a group via group_show, but is there a way to list all the groups an
external user is a member of without enumerating all groups and just
looking for the external users? For instance, when I'm logged in as an
external user and type "id", the user's memberships in both AD and IPA
are listed.
Thanks
4 years
Announcing SSSD 1.16.2
by Jakub Hrozek
SSSD 1.16.2
===========
The SSSD team is proud to announce the release of version 1.16.2 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* The smart card authentication, or more generally the certificate authentication,
code now supports OpenSSL in addition to the previously supported NSS (#3489).
In addition, the SSH responder can now return public SSH keys derived from
the public keys stored in an X.509 certificate. Please refer to the
``ssh_use_certificate_keys`` option in the man pages.
* The files provider now supports mirroring multiple passwd or group
files. This enhancement makes it possible to use the SSSD files provider instead
of the nss_altfiles module.
Notable bug fixes
^^^^^^^^^^^^^^^^^
* A memory handling issue in the ``nss_ex`` interface was fixed. This bug
would manifest in IPA environments with a trusted AD domain as a crash of
the ns-slapd process, because a ``ns-slapd`` plugin loads the ``nss_ex``
interface (#3715)
* Several fixes for the KCM daemon were merged (see #3687, #3671, #3633)
* The ``ad_site`` override is now honored in GPO code as well (#3646)
* Several potential crashes in the NSS responder's netgroup code were fixed
(#3679, #3731)
* A potential crash in the autofs responder's code was fixed (#3752)
* The LDAP provider now supports group renaming (#2653)
* The GPO access control code no longer returns an error if one of the
relevant GPO rules contained no SIDs at all (#3680)
* A memory leak in the IPA provider related to resolving external AD
groups was fixed (#3719)
* Setups that used multiple domains where one of the domains had its ID
space limited using the ``min_id/max_id`` options did not resolve requests
by ID properly (#3728)
* Overriding IDs or names did not work correctly when the domain resolution
order was set as well (#3595)
* A version mismatch between certain newer Samba versions (e.g. those shipped
in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further
prevent issues like this in the future, the correct interface is now detected
at build time (#3741)
* The files provider no longer returns a qualified name in case domain
resolution order is used (#3743)
* A race condition between evaluating IPA group memberships and AD group
memberships in setups with IPA-AD trusts that would have manifested as
randomly losing IPA group memberships assigned to an AD user was fixed
(#3744)
* Setting an SELinux login label was broken in setups where the domain
resolution order was used (#3740)
* SSSD start up issue on systems that use the libldb library with version
1.4.0 or newer was fixed.
Packaging Changes
-----------------
* Several new build requirements were added in order to support the OpenSSL
certificate authentication
Documentation Changes
---------------------
* The files provider gained two new configuration options ``passwd_files``
and ``group_files``. These can be used to specify the additional files
to mirror.
* A new ``ssh_use_certificate_keys`` option toggles whether the SSH responder
would return public SSH keys derived from X.509 certificates.
* The ``local_negative_timeout`` option is now enabled by default. This
means that if SSSD fails to find a user in the configured domains,
but is then able to find the user with an NSS call such as getpwnam,
it would negatively cache the request for the duration of the
local_negative_timeout option.
Tickets Fixed
-------------
* `3752 <https://pagure.io/SSSD/sssd/issue/3752>`_ - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily due to a double free
* `3749 <https://pagure.io/SSSD/sssd/issue/3749>`_ - [RFE] sssd.conf should mention the FILES provider as valid config value for the 'id_provider'
* `3748 <https://pagure.io/SSSD/sssd/issue/3748>`_ - home dir disappear in sssd cache on the IPA master for AD users
* `3744 <https://pagure.io/SSSD/sssd/issue/3744>`_ - Race condition between concurrent initgroups requests can cause one of them to return incomplete information
* `3743 <https://pagure.io/SSSD/sssd/issue/3743>`_ - Weirdness when using files provider and domain resolution order
* `3742 <https://pagure.io/SSSD/sssd/issue/3742>`_ - Change of: User may not run sudo --> a password is required
* `3741 <https://pagure.io/SSSD/sssd/issue/3741>`_ - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION
* `3740 <https://pagure.io/SSSD/sssd/issue/3740>`_ - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map
* `3733 <https://pagure.io/SSSD/sssd/issue/3733>`_ - sssd fails to download known_hosts from freeipa
* `3728 <https://pagure.io/SSSD/sssd/issue/3728>`_ - Request by ID outside the min_id/max_id limit of a first domain does not reach the second domain
* `3726 <https://pagure.io/SSSD/sssd/issue/3726>`_ - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.
* `3725 <https://pagure.io/SSSD/sssd/issue/3725>`_ - sssd not honoring dyndns_server if the DNS update process is terminated with a signal
* `3719 <https://pagure.io/SSSD/sssd/issue/3719>`_ - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process
* `3715 <https://pagure.io/SSSD/sssd/issue/3715>`_ - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound?
* `3706 <https://pagure.io/SSSD/sssd/issue/3706>`_ - Hide debug message domain not found for well known sid
* `3694 <https://pagure.io/SSSD/sssd/issue/3694>`_ - externalUser sudo attribute must be fully-qualified
* `3684 <https://pagure.io/SSSD/sssd/issue/3684>`_ - A group is not updated if its member is removed with the cleanup task, but the group does not change
* `3680 <https://pagure.io/SSSD/sssd/issue/3680>`_ - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs
* `3679 <https://pagure.io/SSSD/sssd/issue/3679>`_ - Make nss netgroup requests more robust
* `3674 <https://pagure.io/SSSD/sssd/issue/3674>`_ - The tcurl module logs the payload
* `3671 <https://pagure.io/SSSD/sssd/issue/3671>`_ - KCM: Payload buffer is too small
* `3666 <https://pagure.io/SSSD/sssd/issue/3666>`_ - Fix usage of str.decode() in our tests
* `3664 <https://pagure.io/SSSD/sssd/issue/3664>`_ - LOGS: Improve debugging in case the PAM service is not mapped to any GPO rule
* `3660 <https://pagure.io/SSSD/sssd/issue/3660>`_ - confdb_expand_app_domains() always fails
* `3658 <https://pagure.io/SSSD/sssd/issue/3658>`_ - Application domain is not interpreted correctly
* `3656 <https://pagure.io/SSSD/sssd/issue/3656>`_ - PyErr_NewExceptionWithDoc configure check should not use cached results for different python versions
* `3646 <https://pagure.io/SSSD/sssd/issue/3646>`_ - SSSD's GPO code ignores ad_site option
* `3644 <https://pagure.io/SSSD/sssd/issue/3644>`_ - sss_groupshow no longer labels MPG groups
* `3634 <https://pagure.io/SSSD/sssd/issue/3634>`_ - sssctl COMMAND --help fails if sssd is not configured
* `3633 <https://pagure.io/SSSD/sssd/issue/3633>`_ - Reset the last_request_time when any activity happens on Secrets and KCM responders
* `3629 <https://pagure.io/SSSD/sssd/issue/3629>`_ - Implement sss_nss_getsidbyuid and sss_nss_etsidbygid for situations where customers define UID == GID
* `3619 <https://pagure.io/SSSD/sssd/issue/3619>`_ - Enable local_negative_timeout by default
* `3605 <https://pagure.io/SSSD/sssd/issue/3605>`_ - Fix pep8 issues on our python files.
* `3595 <https://pagure.io/SSSD/sssd/issue/3595>`_ - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set
* `3558 <https://pagure.io/SSSD/sssd/issue/3558>`_ - sudo: report error when two rules share cn
* `3550 <https://pagure.io/SSSD/sssd/issue/3550>`_ - refresh_expired_interval does not work with netgrous in 1.15
* `3520 <https://pagure.io/SSSD/sssd/issue/3520>`_ - Files provider supports only BE_FILTER_ENUM
* `3469 <https://pagure.io/SSSD/sssd/issue/3469>`_ - extend sss-certmap man page regarding priority processing
* `3436 <https://pagure.io/SSSD/sssd/issue/3436>`_ - Certificates used in unit tests have limited lifetime
* `3402 <https://pagure.io/SSSD/sssd/issue/3402>`_ - Support alternative sources for the files provider
* `3335 <https://pagure.io/SSSD/sssd/issue/3335>`_ - GPO retrieval doesn't work if SMB1 is disabled
* `2653 <https://pagure.io/SSSD/sssd/issue/2653>`_ - Group renaming issue when "id_provider = ldap" is set.
Detailed Changelog
------------------
* Fabiano Fidêncio (77):
* TESTS: Fix E501 pep8 issues on test_ldap.py
* TESTS: Fix E20[12] pep8 issues on python-test.py
* TESTS: Fix E501 pep8 issues on python-test.py
* TESTS: Fix E251 pep8 issues on python-test.py
* TESTS: Fix E231 pep8 issues on python-test.py
* TESTS: Fix E265 pep8 issues on python-test.py
* TESTS: Fix E128 pep8 issues on python-test.py
* TESTS: Fix E302 pep8 issues on python-test.py
* TESTS: Fix W391 pep8 issues on python-test.py
* TESTS: Fix E228 pep8 issues on python-test.py
* TESTS: Fix E261 pep8 issues on python-test.py
* TESTS: Fix E701 pep8 issues on python-test.py
* TESTS: Fix E305 pep8 issues on python-test.py
* TESTS: Fix E20[12] pep8 issues on pysss_murmur-test.py
* TESTS: Fix E211 pep8 issues on pysss_murmur-test.py
* TESTS: Fix E20[12] pep8 issues on pyhbac-test.py
* TESTS: Fix E261 pep8 issues on pyhbac-test.py
* TESTS: Fix W391 pep8 issues on pyhbac-test.py
* TESTS: Fix E501 pep8 issues on pyhbac-test.py
* TESTS: Fix E302 pep8 issues on pyhbac-test.py
* TESTS: Fix E305 pep8 issues on pyhbac-test.py
* TESTS: Fix E711 pep8 issues on sssd_group.py
* TESTS: Fix E305 pep8 issues on sssd_netgroup.py
* TESTS: Fix E501 pep8 issues on utils.py
* TESTS: Fix E305 pep8 issues on conf.py
* CONTRIB: Fix E501 pep8 issues on sssd_gdb_plugin.py
* CONTRIB: Fix E305 pep8 issues on sssd_gdb_plugin.py
* TESTS: Fix E302 pep8 issues on test_enumeration.py
* TESTS: FIX E501 pep8 issues on pysss_murmur-test.py
* CI: Enable pep8 check
* CI: Ignore E722 pep8 issues on debian machines
* TESTS: Fix E501 pep8 issues on test_netgroup.py
* NSS: Remove dead code
* CONFDB: Start a ldb transaction from sss_ldb_modify_permissive()
* TOOLS: Take into consideration app domains
* TESTS: Move get_call_output() to util.py
* TESTS: Make get_call_output() more flexible about the stderr log
* TESTS: Add a basic test of `sssctl domain-list`
* KCM: Use json_loadb() when dealing with sss_iobuf data
* KCM: Remove mem_ctx from kcm_new_req()
* KCM: Introduce kcm_input_get_payload_len()
* KCM: Do not use 2048 as fixed size for the payload
* KCM: Adjust REPLY_MAX to the one used in krb5
* KCM: Fix typo in ccdb_sec_delete_list_done()
* KCM: Only print the number of found items after we have it
* SERVER: Tone down shutdown messages for socket-activated responders
* MAN: Improve docs about GC detection
* NSS: Add InvalidateGroupById handler
* DP: Add dp_sbus_invalidate_group_memcache()
* ERRORS: Add ERR_GID_DUPLICATED
* SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
* SDAP: Properly handle group id-collision when renaming incomplete groups
* SYSDB_OPS: Error out on id-collision when adding an incomplete group
* SECRETS: reset last_request_time on any activity
* KCM: reset last_request_time on any activity
* RESPONDER: Add sss_client_fd_handler()
* RESPONDER: Make use of sss_client_fd_handler()
* SECRETS: Make use of sss_client_fd_handler()
* KCM: Make use of sss_client_fd_handler()
* TESTS: Rename test_idle_timeout()
* TESTS: Add test for responder_idle_timeout
* TESTS: Fix typo in test_sysdb_domain_resolution_order_ops()
* SYSDB: Properly handle name/gid override when using domain resolution order
* TESTS: Increase test_resp_idle_timeout* timeout
* COVERITY: Add coverity support
* MAKE_SRPM: Add --output parameter
* Add .copr/Makefile
* CACHE_REQ: Don't force a fqname for files provider' output
* cache_req: Don't force a fqname for files provider output
* tests: Add a test for files provider + domain resolution order
* man: Users managed by the files provider don't have their output fully-qualified
* Revert "CACHE_REQ: Don't force a fqname for files provider' output"
* selinux_child: workaround fqnames when using DRO
* sudo_ldap: fix sudoHost=defaults -> cn=defaults in the filter
* Revert "sysdb custom: completely replace old object instead of merging it"
* sysdb_sudo: completely replace old object instead of merging it
* tlog: only log in tcurl_write_data when SSS_KCM_LOG_PRIVATE_DATA is set to YES
* Jakub Hrozek (33):
* Bumping the version to track 1.16.2 development
* IPA: Handle empty nisDomainName
* TESTS: Fix E266 pep8 issues on test_ldap.py
* TESTS: Fix E231 pep8 issues on test_session_recording.py
* TESTS: Fix E501 pep8 issues on test_session_recording.py
* TESTS: Fix E303 pep8 issues on test_ldap.py
* SYSDB: When marking an entry as expired, also set the originalModifyTimestamp to 1
* IPA: Qualify the externalUser sudo attribute
* NSS: Adjust netgroup setnetgrent cache lifetime if midpoint refresh is used
* TESTS: Add a test for the multiple files feature
* SDAP: Improve a DEBUG message about GC detection
* LDAP: Augment the sdap_opts structure with a data provider pointer
* TESTS: Add an integration test for renaming incomplete groups during initgroups
* SYSDB: sysdb_add_incomplete_group now returns EEXIST with a duplicate GID
* MAN: Document which principal does the AD provider use
* FILES: Do not overwrite and actually remove files_ctx.{pwd,grp}_watch
* FILES: Reduce code duplication
* FILES: Reset the domain status back even on errors
* FILES: Skip files that are not created yet
* FILES: Only send the request for update if the files domain is inconsistent
* DYNDNS: Move the retry logic into a separate function
* DYNDNS: Retry also on timeouts
* AD: Warn if the LDAP schema is overriden with the AD provider
* SYSDB: Only check non-POSIX groups for GID conflicts
* Do not keep allocating external groups on a long-lived context
* CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up
* MAN: Fix the title of the session recording man page
* DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes
* LDAP: Do not use signal-unsafe calls in ldap_child SIGTERM handler
* AUTOFS: remove timed event if related object is removed
* RESPONDERS: Enable the local negative timeout by default
* LDAP: Suppress a loud debug message in case a built-in SID can't be resolved
* Updating the translations for the 1.16.2 release
* Justin Stephenson (3):
* DEBUG: Print simple allow and deny lists
* CONFDB: Add passwd_files and group_files options
* FILES: Handle files provider sources
* Lukas Slebodnik (21):
* CI: Add dbus into debian dependencies
* intg: convert results returned as bytes to strings
* SYSDB: Remove unused parameter from sysdb_cache_connect_helper
* SPEC: Add gcc to build dependencies
* UTIL: Use alternative way for detecting PyErr_NewExceptionWithDoc
* CONFIGURE: drop unused check
* SYSDB: Return ENOENT for mpg with local provider
* sysdb-tests: sysdb_search_group_by_name with local provider
* selinux_child: Allow to query sssd
* selinux_child: Fix crash with initialized key
* BUILD: Remove unnecessary flags from test_ipa_dn
* BUILD: Remove ldap libraries from SSSD_LIBS
* BUILD: Remove ldap libraries from TOOL_LIBS
* BUILD: Remove pcre libs from common _LIBS
* BUILD: Remove pcre from krb5_child
* BUILD: Remove libcollection from common libs
* BUILD: Reduce dependencies of sss_signal
* BUILD: Remove cares from sssd_secrets
* BUILD: Remove libini_config from common libs
* MONITOR: Do not use two configuration databases
* CI: Prepare for python3 -> python
* Michal Židek (6):
* AD: Missing header in ad_access.h
* GPO: Add ad_options to ad_gpo_process_som_state
* GPO: Use AD site override if set
* GPO: Fix bug with empty GPO rules
* GPO: DEBUG msg when GP to PAM mappings overlap
* GPO: Debugging default PAM service mapping
* Pavel Březina (3):
* sudo ldap: do not store rules without sudoHost attribute
* sysdb custom: completely replace old object instead of merging it
* sssctl: move check for version error to correct place
* Richard Sharpe (1):
* nss-imap: add sss_nss_getsidbyuid() and sss_nss_getsidbygid()
* Sumit Bose (38):
* intg: enhance netgroups test
* TESTS: simple CA to generate certificates for test
* TESTS: replace hardcoded certificates
* TESTS: remove NSS test databases
* test_ca: add empty index.txt.attr file
* nss: initialize nss_enum_index in nss_setnetgrent()
* nss: add a netgroup counter to struct nss_enum_index
* nss-idmap: do not set a limit
* nss-idmap: use right group list pointer after sss_get_ex()
* NSS: nss_clear_netgroup_hash_table() do not free data
* winbind idmap plugin: support interface version 6
* winbind idmap plugin: fix detection
* p11_child: move verification into separate functions
* p11_child: add verification option
* utils: add get_ssh_key_from_cert()
* utils: move p11 child paths to util.h
* utils: add cert_to_ssh_key request
* tests: add test for cert_to_ssh_key request
* ssh: use cert_to_ssh_key request to verify certificate and get keys
* ssh: add option ssh_use_certificate_keys and enhance man page
* utils: remove unused code from cert utils
* tests: add SSH responder tests
* p11_child: split common and NSS code into separate files
* p11_child: add OpenSSL support
* TESTS: make some cert auth checks order independent
* p11_child: allow tests to use OpenSSL version of p11_child
* certmap: fix issue found by Coverity in OpenSSL version
* SPEC/CI: enable openssl build for Debian and upcoming versions
* certmap: allow missing empty EKU in OpenSSL version
* KCM: be aware that size_t might have different size than other integers
* sysdb: add sysdb_getgrgid_attrs()
* ipa: use mpg aware group lookup in get_object_from_cache()
* ipa: allow mpg group objects in apply_subdomain_homedir()
* AD/LDAP: do not fall back to mpg user lookup on GC connection
* cifs idmap plugin: use new sss_nss_idmap calls
* winbind idmap plugin: use new sss_nss_idmap calls
* libwbclient-sssd: use new sss_nss_idmap calls
* pysss_nss_idmap: add python bindings for new sss_nss_idmap calls
* Thorsten Scherf (1):
* man: Add FILES as a valid config option for 'id_provider'
* Yuri Chornoivan (1):
* MAN: Fix minor typos
* amitkuma (1):
* sssctl: Showing help even when sssd not configured
* amitkumar50 (2):
* MAN: Add sss-certmap man page regarding priority processing
* MAN: Clarify how comments work in sssd.conf
4 years
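The 1.16.2 notes above introduce mirroring several passwd/group files through the files provider (``passwd_files``, ``group_files``) as a replacement for nss_altfiles. Before pointing a domain at more than one source it is worth knowing whether the files agree with each other, since the NSS caller only ever gets one answer per name or UID. The following is an added example, not code from the announcement or from SSSD: it reads the ``passwd_files`` list out of an sssd.conf fragment (assumed here to be comma-separated, the form the sssd-files man page documents), merges the listed passwd-format files in order, and reports a name defined differently in two files or a UID shared by two different names, the case that lets an extra file quietly alias root. The sssd.conf and both passwd files are constructed and kept in memory so the block runs offline.

```python
"""Merge the passwd files a files-provider domain would mirror and flag conflicts.

Added example for the release notes above; it is not code from the
announcement or from SSSD. It reads the passwd_files setting of a
[domain/...] section with id_provider = files (assumed here to be a
comma-separated list, as in the sssd-files man page), then merges the
listed passwd-format files the way an NSS caller would see them: first
definition of a name wins, and a UID shared by two different names is
reported. The sssd.conf and both passwd files are constructed.
"""
import configparser
from typing import Dict, List, NamedTuple, Tuple

SSSD_CONF = """\
[sssd]
services = nss, pam
domains = files

[domain/files]
id_provider = files
passwd_files = /etc/passwd, /etc/passwd.site
group_files = /etc/group
"""

# Constructed file contents, keyed by the path sssd.conf would name.
SAMPLE_FILES = {
    "/etc/passwd": """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:900:900:backup service:/var/lib/backup:/usr/sbin/nologin
""",
    "/etc/passwd.site": """\
# site-wide service accounts formerly served by nss_altfiles
svc_backup:x:900:900:backup service:/var/lib/backup:/usr/sbin/nologin
svc_deploy:x:901:901:deploy service:/srv/deploy:/bin/bash
ops_admin:x:0:0:root alias:/root:/bin/bash
""",
}


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str
    source: str  # file the entry came from


def passwd_files_from_config(conf_text: str) -> List[str]:
    """Return the passwd_files list of the first files-provider domain."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    for section in cfg.sections():
        if section.startswith("domain/") and cfg.get(section, "id_provider", fallback="") == "files":
            raw = cfg.get(section, "passwd_files", fallback="/etc/passwd")
            return [p.strip() for p in raw.split(",") if p.strip()]
    return []


def parse_passwd(text: str, source: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; blank lines and '#' comment lines are skipped."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"{source}:{lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell, source))
    return entries


def merge_passwd(sources: List[Tuple[str, str]]) -> Tuple[Dict[str, PasswdEntry], List[str]]:
    """Merge (path, content) pairs in order; return the merged view and findings."""
    by_name: Dict[str, PasswdEntry] = {}
    by_uid: Dict[int, PasswdEntry] = {}
    findings: List[str] = []
    for source, text in sources:
        for entry in parse_passwd(text, source):
            prev = by_name.get(entry.name)
            if prev is not None:
                if prev[:6] != entry[:6]:  # same name, different definition
                    findings.append(f"{entry.name}: {prev.source} and {entry.source} disagree")
                continue  # first definition wins
            other = by_uid.get(entry.uid)
            if other is not None:
                findings.append(
                    f"uid {entry.uid} shared by {other.name} ({other.source}) "
                    f"and {entry.name} ({entry.source})"
                )
            by_name[entry.name] = entry
            by_uid.setdefault(entry.uid, entry)
    return by_name, findings


if __name__ == "__main__":
    paths = passwd_files_from_config(SSSD_CONF)
    merged, problems = merge_passwd([(p, SAMPLE_FILES[p]) for p in paths])
    print(f"{len(merged)} accounts from {paths}")
    for problem in problems:
        print("WARNING:", problem)
```

On a real host the `SAMPLE_FILES` lookup is replaced by reading each path from disk; the rest stays the same. The "first definition wins" rule is this example's choice for producing a single view, not a statement about how SSSD resolves duplicates, which is exactly why the checker reports every conflict instead of silently picking one.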
Setting up fileserver using Samba shares and FreeIPA
by Kristian Petersen
I am trying to get a file server set up using RHEL 7.5, Samba, and Red Hat
IdM 4.5.0. I have an older file server that works and have been using it as
a template for building this new one from scratch. However, right now I can't
get smb to start. I keep getting errors about ipasam.c in journalctl:
Jun 06 13:53:30 fileserver1.cpms.byu.edu smbd[11624]: kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/fileserver1.cpms.byu.edu@CPMS.BYU.EDU
Jun 06 13:53:31 fileserver1.cpms.byu.edu smbd[11624]: [2018/06/06 13:53:31.815713, 0] ipa_sam.c:4245(bind_callback_cleanup)
Jun 06 15:26:05 fileserver1.cpms.byu.edu smbd[12372]: Failed to get base DN.
I have made sure that the cifs service is set up in IPA for fileserver1 and
did an ipa-getkeytab to get a keytab for the service on fileserver1 as well,
which is why I was surprised to see a message about the keytab in the
journal.
A little earlier in the journal it also talks about being unable to do an
anonymous bind to LDAP. It doesn't surprise me that it failed, but I tried
supplying the LDAP bind creds using smbpasswd and that didn't seem to make
any difference. It still tries an anonymous bind anyway which will never
work.
I have also already set up a role for giving fileserver1 the permissions
necessary to allow it to read the ipaNTHash.
P.S.: Before I sent this email to the list I upgraded one of my IPA servers
to the new kernel in RHEL 7.5 and smb broke in what looks like the same way
on that machine as well. It makes me wonder if this isn't a kernel problem
rather than an IPA problem. The errors I got on that machine before
rolling back to a working snapshot are below:
Jun 06 16:27:05 ipa1.cpms.byu.edu smbd[12179]: kerberos error: code=-1765328360, message=Preauthentication failed
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06 16:27:06.332266, 0] ipa_sam.c:4556(pdb_init_ipasam)
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: Failed to get base DN.
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: [2018/06/06 16:27:06.332318, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
Jun 06 16:27:06 ipa1.cpms.byu.edu smbd[12179]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-CPMS-BYU-EDU.socket did not correctly init
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
4 years
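The first error in the post, "Keytab contains no suitable keys for cifs/...", is a statement about the keytab file smbd actually opens, which is the one named by "dedicated keytab file" in smb.conf, not necessarily the one ipa-getkeytab wrote. Below is an added example, not code from the post, from Samba or from FreeIPA, that reads that setting from an smb.conf fragment and parses the text of `klist -kte <keytab>` to see which keys exist for the host's cifs/ principal. Both inputs are constructed (hostname and realm are the ones quoted in the post); the constructed keytab only holds host/ keys, which reproduces the situation the error describes.

```python
"""Check that the keytab smb.conf points at really holds the cifs/ key.

Added example for the post above; it is not code from the post, from Samba
or from FreeIPA. It reads "dedicated keytab file" from an smb.conf fragment
and parses `klist -kte` output for that file to see which keys exist for
the cifs/ principal of the host. The smb.conf and klist output are
constructed; hostname and realm are the ones in the post.
"""
import configparser
import re
from typing import List, NamedTuple, Optional

SMB_CONF = """\
[global]
workgroup = CPMS
realm = CPMS.BYU.EDU
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/samba.keytab
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-CPMS-BYU-EDU.socket
"""

# Constructed `klist -kte /etc/samba/samba.keytab`: only host/ keys present.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/06/2018 13:40:12 host/fileserver1.cpms.byu.edu@CPMS.BYU.EDU (aes256-cts-hmac-sha1-96)
   2 06/06/2018 13:40:12 host/fileserver1.cpms.byu.edu@CPMS.BYU.EDU (aes128-cts-hmac-sha1-96)
"""

# "<kvno> <date> <time> <principal> (<enctype>)" as printed by MIT klist -kte
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


class KeytabKey(NamedTuple):
    kvno: int
    principal: str
    enctype: str


def keytab_path_from_smb_conf(text: str) -> Optional[str]:
    """Which keytab smbd will read; None if smb.conf does not name one."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg.get("global", "dedicated keytab file", fallback=None)


def parse_klist(text: str) -> List[KeytabKey]:
    """Turn `klist -kte` output into (kvno, principal, enctype) records."""
    keys: List[KeytabKey] = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keys.append(KeytabKey(int(m.group(1)), m.group(2), m.group(3)))
    return keys


def check_service_key(keys: List[KeytabKey], service: str, fqdn: str, realm: str) -> List[str]:
    """Findings for one service principal; an empty list means the key is there."""
    wanted = f"{service}/{fqdn}@{realm}"
    have = [k for k in keys if k.principal == wanted]
    if not have:
        others = sorted({k.principal for k in keys}) or ["nothing"]
        return [f"no key for {wanted}; the keytab only holds: {', '.join(others)}"]
    kvnos = sorted({k.kvno for k in have})
    if len(kvnos) > 1:
        return [f"{wanted} present with mixed kvnos {kvnos}; stale copy left behind?"]
    return []


if __name__ == "__main__":
    keytab = keytab_path_from_smb_conf(SMB_CONF)
    print(f"smbd reads keytab: {keytab}")
    problems = check_service_key(parse_klist(KLIST_OUTPUT), "cifs",
                                 "fileserver1.cpms.byu.edu", "CPMS.BYU.EDU")
    for problem in problems or ["cifs/ key present"]:
        print(problem)
```

On the real host, `KLIST_OUTPUT` is the output of `klist -kte` on the path the first function returns, and the `-k` argument given to ipa-getkeytab should be that same path. One caveat when re-fetching: ipa-getkeytab generates new keys for the principal by default, which bumps the kvno and invalidates any older copy of that key held in another keytab; `ipa-getkeytab -r` retrieves the existing keys instead, which is what you want when a second keytab on the same host already holds a working copy.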
keycloak
by Andrew Meyer
what is the difference between keycloak and freeipa?
Is there a free version of this? Is that what ipsilon is? If not, is there a repo for this?
4 years
Cannot log in as an AD user to FreeIPA client but can log in to server
by Bart
Hi all,
I've set up two FreeIPA servers without a CA (I provided 3rd-party certificates during the installation process). I also established a trust to an AD domain as below:
ipa trust-add --type=ad AD.DOMAIN --external=True --all
I checked that I can successfully obtain a cross-realm ticket (kvno -S host ...) as described below:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
I can also ssh to either of the two FreeIPA servers as user@ad.domain.
However, when I configured a FreeIPA client and tried to ssh into it / su inside it as the same AD user, it fails (I cannot ssh, and when I try to su - as the AD user it fails with "user@ad.domain does not exist").
I increased sssd log level on both client and servers but I cannot find anything spooky there (but I might as well not know what to look for :)).
Can someone please advise on how to narrow this down?
4 years
double domain?
by Kat
hi
Where would be a good place to look in either sssd or somewhere in the
system if we are seeing a mixture of UserID lookups in this format:
username@domain.example.com <--- this makes sense
BUT - also seeing:
username@domain.example.com@domain.example.com <--- This does not??
I am very confused as to how this might be getting sent to PAM for the
lookups and because of it we see random PAM "System Error"s
I do have in krb5.conf
[domain_realm]
.domain.example.com = DOMAIN.EXAMPLE.COM
domain.example.com = DOMAIN.EXAMPLE.COM
prodhost1.domain.example.com = DOMAIN.EXAMPLE.COM
But this seems to have been set after the ipa-client-install - so I am a
little confused?
Any suggestions?
Kat
4 years
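Two posts above turn on how SSSD-style qualified names (user@domain) are taken apart: Marc's question about listing the groups an external (AD) user belongs to, where `id` already prints the AD memberships qualified and the IPA ones not, and Kat's names that are qualified twice (user@domain@domain). The following is an added example, not code from either post, from SSSD or from FreeIPA. It splits names at the last '@' (so a user part that still contains '@' betrays a double qualification), buckets the groups in `id` output by domain, and scans PAM-style log lines for double-qualified names so the component producing them can be traced. The `id` output and the log lines are constructed.

```python
"""Work with SSSD-style qualified names (user@domain).

Added example serving two posts above (listing an AD user's groups per
domain; spotting names qualified twice); it is not code from either post,
from SSSD or from FreeIPA. The `id` output and the log lines are
constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LOCAL_DOMAIN = "(unqualified: IPA/local)"  # bucket for names with no @domain

# Constructed `id` output for an AD user on an IPA client: AD groups come
# back qualified, the IPA group they are mapped into does not.
ID_OUTPUT = (
    "uid=1514001105(kat@ad.example.com) gid=1514001105(kat@ad.example.com) "
    "groups=1514001105(kat@ad.example.com),1514000513(domain users@ad.example.com),"
    "1514001200(linux-admins@ad.example.com),1930200005(ipa-ad-admins)"
)

# Constructed PAM lines in the shape pam_sss/sshd log them.
PAM_LOG = [
    "Jun 12 09:01:02 prodhost1 sshd[2231]: pam_sss(sshd:auth): authentication success; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=kat@domain.example.com",
    "Jun 12 09:01:09 prodhost1 sshd[2240]: pam_sss(sshd:auth): received for user "
    "kat@domain.example.com@domain.example.com: 4 (System error)",
    "Jun 12 09:01:09 prodhost1 sshd[2240]: pam_sss(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=kat@domain.example.com@domain.example.com",
]


def split_qualified(name: str) -> Tuple[str, Optional[str]]:
    """Split at the LAST '@'. If the user part still contains '@', the
    name was qualified twice."""
    user, sep, domain = name.rpartition("@")
    return (user, domain) if sep else (name, None)


def is_double_qualified(name: str) -> bool:
    user, domain = split_qualified(name)
    return domain is not None and "@" in user


ID_GROUP = re.compile(r"\d+\(([^)]*)\)")  # "<gid>(<name>)"; names may contain spaces


def groups_by_domain(id_output: str) -> Dict[str, List[str]]:
    """Group names from `id` output, keyed by the domain they are qualified with."""
    _, _, groups_part = id_output.partition("groups=")
    result: Dict[str, List[str]] = defaultdict(list)
    for m in ID_GROUP.finditer(groups_part):
        group, domain = split_qualified(m.group(1))
        result[domain or LOCAL_DOMAIN].append(group)
    return dict(result)


# "user=<name>" (pam_unix/pam_sss style) or "for user <name>:"; \b keeps
# "ruser=" from matching.
USER_FIELD = re.compile(r"(?:\buser=|\bfor user )([^\s:]+)")


def find_double_qualified(log_lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, name) for every double-qualified name in the log."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_lines, 1):
        for m in USER_FIELD.finditer(line):
            if is_double_qualified(m.group(1)):
                hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for domain, groups in groups_by_domain(ID_OUTPUT).items():
        print(f"{domain}: {', '.join(groups)}")
    for n, name in find_double_qualified(PAM_LOG):
        print(f"log line {n}: double-qualified name {name}")
```

Splitting at the last '@' is safe because a DNS domain never contains one; a double-qualified name therefore always means some component appended a domain to a name that already carried one, and the line numbers the scanner returns show which service and which step did it. For Marc's case, the per-domain buckets are exactly the AD and IPA membership lists `id` returns for the logged-in user; it does not remove the need to query IPA when the question is asked about a user who is not logged in.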
Announcing SSSD 1.16.1
by Jakub Hrozek
SSSD 1.16.1
===========
The SSSD team is proud to announce the release of version 1.16.1 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback
via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* A new option ``auto_private_groups`` was added. If this option is
enabled, SSSD will automatically create user private groups based on
user's UID number. The GID number is ignored in this case. Please
see https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
for more details on the feature.
* The SSSD smart card integration now supports a special type of PAM
conversation implemented by GDM which allows the user to select the
appropriate smart card certificate in GDM. Please refer to
https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certifi...
for more details about this feature.
* A new API for accessing user and group information was added. This API
is similar to the traditional Name Service Switch API, but allows
the consumer to talk to SSSD directly as well as to fine-tune
the query with e.g. how the cache should be evaluated. Please see
https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html
for more information on the new API.
* The ``sssctl`` command line tool gained a new command ``access-report``,
which can generate a report of who can access the client machine. Currently only
generating the report on an IPA client based on HBAC rules is supported. Please see
https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
for more information about this new feature.
* The ``hostid`` provider was moved from the IPA specific code to the generic
LDAP code. This allows SSH host keys to be accessed by the generic LDAP provider
as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` manual page
for more details.
* Setting the ``memcache_timeout`` option to 0 disables creating the
memory cache files altogether. This can be useful in cases where there is a
bug in the memory cache that needs working around.
Performance enhancements
^^^^^^^^^^^^^^^^^^^^^^^^
* Several internal changes to how objects are stored in the cache improve
SSSD performance in environments with a large number of objects of the same
type (e.g. many users, many groups). In particular, several useless indexes
were removed and the most common object types no longer use the indexed
``objectClass`` attribute, but use the unindexed ``objectCategory`` instead
(#3503)
* In setups with ``id_provider=ad`` that use POSIX attributes which
are replicated to the Global Catalog, SSSD uses the Global Catalog to
determine which domain should be contacted for a by-ID lookup instead
of iterating over all domains. More details about this feature can
be found at
https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalo...
Notable bug fixes
^^^^^^^^^^^^^^^^^
* A crash in ``sssd_nss`` that might have happened if the list of domains
was refreshed while an NSS lookup was still using it was fixed (#3551)
* A potential crash in ``sssd_nss`` during netgroup lookup in case the
netgroup object kept in memory was already freed was fixed (#3523)
* Fixed a potential crash of ``sssd_be`` with two concurrent sudo refreshes
in case one of them failed (#3562)
* A memory growth issue in ``sssd_nss`` that occurred when an entry was
removed from the memory cache was fixed (#3588)
* Two potential memory growth issues in the ``sssd_be`` process that could
have hit configurations with ``id_provider=ad`` were fixed (#3639)
* The ``selinux_child`` process no longer crashes on a system where SSSD
is compiled with SELinux support, but at the same time, the SELinux policy
is not even installed on the machine (#3618)
* The memory cache consistency detection logic was fixed. This prevents
printing false positive memory cache corruption messages (#3571)
* SSSD now remembers the last successfully discovered AD site and uses it
for the DNS search to look up a site and forest during the next lookup. This
prevents timeouts in case SSSD was discovering the site using the global
list of DCs where some of the global DCs might be unreachable. (#3265)
* SSSD no longer starts the implicit file domain when configured with
``id_provider=proxy`` and ``proxy_lib_name=files``. This bug prevented
SSSD from being used in setups that combine identities from UNIX files
together with authentication against a remote source unless a files
domain was explicitly configured (#3590)
* The IPA provider can handle switching between different ID views better
(#3579)
* Previously, the IPA provider kept SSH public keys and certificates from
an ID view in its cache and returned them even if the public key or
certificate was then removed from the override (#3602, #3603)
* FleetCommander profiles coming from IPA are applied even if they are
assigned globally (to ``category: ALL``). Previously, only profiles
assigned to a host or a hostgroup were applied (#3449)
* It is now possible to reset an expired password for users with 2FA
authentication enabled (#3585)
* A bug in the AD provider which could have resulted in built-in AD groups
being incorrectly cached was fixed (#3610)
* The SSSD watchdog can now cope better with time drifts (#3285)
* The ``nss_sss`` NSS module's return codes for invalid cases were fixed
* A bug in the LDAP provider that prevented setups with ``id_provider=proxy``
and ``auth_provider=ldap`` with LDAP servers that do not allow anonymous
binds from working was fixed (#3451)
Packaging Changes
-----------------
* The FleetCommander desktop profile path now uses stricter permissions,
751 instead of 755 (#3621)
* A new option ``--logger`` was added to the ``sssd(8)`` binary. This option
obsoletes old options such as ``--debug-to-files``, although the old options
are kept for backwards compatibility.
* The file ``/etc/systemd/system/sssd.service.d/journal.conf`` is not
installed anymore. In order to change logging to journald, please use the
``--logger`` option. The logger is set using the
``Environment=DEBUG_LOGGER`` directive in the systemd unit files. The
default value is ``Environment=DEBUG_LOGGER=--logger=files``
Documentation Changes
---------------------
There are no notable documentation changes, such as options changing default
values, etc., in this release.
Tickets Fixed
-------------
* `3648 <https://pagure.io/SSSD/sssd/issue/3648>`_ - Mention in the manpages that Fleet Commander does *not* work when SSSD is running as the unprivileged user
* `3639 <https://pagure.io/SSSD/sssd/issue/3639>`_ - sssd_be consumes more memory on RHEL 7.4 systems.
* `3627 <https://pagure.io/SSSD/sssd/issue/3627>`_ - MAN: Explain how auto_private_groups affects subdomains
* `3621 <https://pagure.io/SSSD/sssd/issue/3621>`_ - FleetCommander integration must not require capability DAC_OVERRIDE
* `3618 <https://pagure.io/SSSD/sssd/issue/3618>`_ - selinux_child segfaults in a docker container
* `3615 <https://pagure.io/SSSD/sssd/issue/3615>`_ - Requesting an AD user's private group and then the user itself returns an empty homedir
* `3613 <https://pagure.io/SSSD/sssd/issue/3613>`_ - auto_private_groups does not work with trusted domains with direct AD integration
* `3610 <https://pagure.io/SSSD/sssd/issue/3610>`_ - AD provider - AD BUILTIN groups are cached with gidNumber = 0
* `3608 <https://pagure.io/SSSD/sssd/issue/3608>`_ - dbus-send unable to find user by CAC cert
* `3603 <https://pagure.io/SSSD/sssd/issue/3603>`_ - Certificate is not removed from cache when it's removed from the override
* `3602 <https://pagure.io/SSSD/sssd/issue/3602>`_ - SSH public key authentication keeps working after keys are removed from ID view
* `3601 <https://pagure.io/SSSD/sssd/issue/3601>`_ - race condition: sssd_be in a one-way trust accepts request before ipa-getkeytab finishes, marking the sssd offline
* `3599 <https://pagure.io/SSSD/sssd/issue/3599>`_ - getent output is not showing home directory for IPA AD trusted user
* `3594 <https://pagure.io/SSSD/sssd/issue/3594>`_ - sssd used wrong search base with wrong AD server
* `3592 <https://pagure.io/SSSD/sssd/issue/3592>`_ - Write a regression test for false positive "corrupted" memory cache
* `3590 <https://pagure.io/SSSD/sssd/issue/3590>`_ - proxy to files does not work with implicit_files_domain
* `3588 <https://pagure.io/SSSD/sssd/issue/3588>`_ - sssd_nss consumes more memory until restarted or machine swaps
* `3586 <https://pagure.io/SSSD/sssd/issue/3586>`_ - Give a more detailed debug and system-log message if krb5_init_context() failed
* `3585 <https://pagure.io/SSSD/sssd/issue/3585>`_ - Reset password with two factor authentication fails
* `3579 <https://pagure.io/SSSD/sssd/issue/3579>`_ - SSSD fails to fetch group information after switching IPA client to a non-default view
* `3571 <https://pagure.io/SSSD/sssd/issue/3571>`_ - mmap cache: consistency check might fail if there are hash collisions
* `3570 <https://pagure.io/SSSD/sssd/issue/3570>`_ - The cache-req debug string representation uses a wrong format specifier for by-ID requests
* `3569 <https://pagure.io/SSSD/sssd/issue/3569>`_ - The cache_req code doesn't check the min_id/max_id boundaries for requests by ID
* `3564 <https://pagure.io/SSSD/sssd/issue/3564>`_ - Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True'
* `3563 <https://pagure.io/SSSD/sssd/issue/3563>`_ - Some sysdb tests fail because they expect a certain order of entries returned from ldb
* `3562 <https://pagure.io/SSSD/sssd/issue/3562>`_ - Use-after free if more sudo requests run and one of them fails, causing a fail-over to a next server
* `3560 <https://pagure.io/SSSD/sssd/issue/3560>`_ - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
* `3551 <https://pagure.io/SSSD/sssd/issue/3551>`_ - Race condition between refreshing the cr_domain list and a request that is using the list can cause a segfault in sssd_nss
* `3547 <https://pagure.io/SSSD/sssd/issue/3547>`_ - data from ipa returned with id_provider=file
* `3545 <https://pagure.io/SSSD/sssd/issue/3545>`_ - SSSD creates bad override search filter due to AD Trust object with parenthesis
* `3539 <https://pagure.io/SSSD/sssd/issue/3539>`_ - Do not autostart the implicit files domain if sssd configures id_provider=proxy and proxy_target_files
* `3529 <https://pagure.io/SSSD/sssd/issue/3529>`_ - SSSD-kcm/secrets failed to restart during/after upgrade
* `3528 <https://pagure.io/SSSD/sssd/issue/3528>`_ - sssd refuses to start when pidfile is present, but the process is gone
* `3523 <https://pagure.io/SSSD/sssd/issue/3523>`_ - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
* `3503 <https://pagure.io/SSSD/sssd/issue/3503>`_ - Do not index objectclass, add and index objectcategory instead
* `3496 <https://pagure.io/SSSD/sssd/issue/3496>`_ - [RFE] Add a configuration option to SSSD to disable the memory cache
* `3486 <https://pagure.io/SSSD/sssd/issue/3486>`_ - Improve `enumerate` documentation/troubleshooting guide
* `3484 <https://pagure.io/SSSD/sssd/issue/3484>`_ - MAN: Describe the constraints of ipa_server_mode better in the man page
* `3468 <https://pagure.io/SSSD/sssd/issue/3468>`_ - SSSD doesn't use AD global catalog for gidnumber lookup, resulting in unacceptable delay for large forests
* `3454 <https://pagure.io/SSSD/sssd/issue/3454>`_ - sssd-kcm crashes with multiple parallel requests
* `3451 <https://pagure.io/SSSD/sssd/issue/3451>`_ - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds.
* `3444 <https://pagure.io/SSSD/sssd/issue/3444>`_ - document information on why SSSD does not use host-based security filtering when processing AD GPOs
* `3433 <https://pagure.io/SSSD/sssd/issue/3433>`_ - SYSLOG_IDENTIFIER is different
* `3293 <https://pagure.io/SSSD/sssd/issue/3293>`_ - Log when SSSD authentication fails because two IPA accounts share an email address
* `3285 <https://pagure.io/SSSD/sssd/issue/3285>`_ - SSSD needs restart after incorrect clock is corrected with AD
* `3265 <https://pagure.io/SSSD/sssd/issue/3265>`_ - [RFE] sssd should remember DNS sites from first search
* `3198 <https://pagure.io/SSSD/sssd/issue/3198>`_ - Incorrect error code returned from krb5_child for expired/locked user with id_provider AD
* `2976 <https://pagure.io/SSSD/sssd/issue/2976>`_ - sdap code can mark the whole sssd_be offline
* `2840 <https://pagure.io/SSSD/sssd/issue/2840>`_ - [RFE] Produce access control attestation report for IPA domains
* `2823 <https://pagure.io/SSSD/sssd/issue/2823>`_ - Integration tests: Use dbus-daemon in cwrap environment for test
* `2478 <https://pagure.io/SSSD/sssd/issue/2478>`_ - Provide sss_nss_* API to directly query SSSD instead of nsswitch.conf route
* `1872 <https://pagure.io/SSSD/sssd/issue/1872>`_ - [RFE] Support User Private Groups for main domains, too
* `1729 <https://pagure.io/SSSD/sssd/issue/1729>`_ - Enumerating large number of users makes sssd_be hog the cpu for a long time.
Detailed Changelog
------------------
* Andreas Schneider (1):
* Avoid double semicolon warnings on older compilers
* Carlos O'Donell (1):
* nss: Fix invalid enum nss_status return values.
* Fabiano Fidêncio (21):
* CACHE_REQ: Copy the cr_domain list for each request
* LDAP: Bind to the LDAP server also in the auth
* TOOLS: Double quote array expansions in sss_debuglevel
* TOOLS: Call "exec" for sss_debuglevel
* LDAP: Improve error treatment from sdap_cli_connect() in ldap_auth
* SYSDB: Remove code causing a covscan warning
* NSS: Fix covscan warning
* CACHE_REQ: Fix typo: cache_reg -> cache_req
* TOOLS: Fix typo: exist -> exists
* SYSDB: Return EOK in case a non-fatal issue happened
* SYSDB_VIEWS: Remove sshPublicKey attribute when it's not set
* IPA: Remove sshPublicKey attribute when it's not set
* DESKPROFILE: Add checks for user and host category
* DESKPROFILE: Harden the permission of deskprofilepath
* DESKPROFILE: Soften umask for the domain's dir
* DESKPROFILE: Fix the permissions and soften the umask for user's dir
* DESKPROFILE: Use seteuid()/setegid() to create the profile
* DESKPROFILE: Use seteuid()/setegid() to delete the profile/user's dir
* DESKPROFILE: Set the profile permissions to read-only
* PYSSS_MURMUR: Fix [-Wsign-compare] found by gcc
* DESKPROFILE: Document it doesn't work when run as unprivileged user
* Hristo Venev (1):
* providers: Move hostid from ipa to sdap, v2
* Jakub Hrozek (35):
* Update the version number to track 1.16.1 development
* CONFIG: Add a new option auto_private_groups
* CONFDB: Remove the obsolete option magic_private_groups
* SDAP: Allow the mpg flag for the main domain
* LDAP: Turn group request into user request for MPG domains if needed
* SYSDB: Prevent users and groups ID collision in MPG domains except for id_provider=local
* TESTS: Add integration tests for the auto_private_groups option
* RESP: Add some missing NULL checks
* TOOLS: Add a new sssctl command access-report
* SDAP: Split out utility function sdap_get_object_domain() from sdap_object_in_domain()
* LDAP: Extract the check whether to run a POSIX check to a function
* LDAP: Only run the POSIX check with a GC connection
* SDAP: Search with a NULL search base when looking up an ID in the Global Catalog
* SDAP: Rename sdap_posix_check to sdap_gc_posix_check
* DP: Create a new handler function getAccountDomain()
* AD: Implement a real getAccountDomain handler for the AD provider
* RESP: Expose DP method getAccountDomain() to responders
* NEGCACHE: Add API for setting and checking locate-account-domain requests
* TESTS: Add tests for the object-by-id cache_req interface
* CACHE_REQ: Export cache_req_search_ncache_add() as cache_req private interface
* CACHE_REQ: Add plugin methods required for the domain-locator request
* CACHE_REQ: Add a private request cache_req_locate_domain()
* CACHE_REQ: Implement the plugin methods that utilize the domain locator API
* CACHE_REQ: Use the domain-locator request to only search domains where the entry was found
* MAN: Document how the Global Catalog is used currently
* IPA: Include SYSDB_OBJECTCATEGORY, not OBJECTCLASS in cache search results
* MAN: Document that auth and access IPA and AD providers rely on id_provider being set to the same type
* MAN: Improve enumeration documentation
* MAN: Describe the constraints of ipa_server_mode better in the man page
* IPA: Delay the first periodic refresh of trusted domains
* AD: Inherit the MPG setting from the main domain
* SYSDB: Fix sysdb_search_by_name() for looking up groups in MPG domains
* SYSDB: Use sysdb_domain_dn instead of raw ldb_dn_new_fmt
* SYSDB: Read the ldb_message from loop's index counter when reading subdomain UPNs
* AD: Use the right sdap_domain for the forest root
* Lukas Slebodnik (51):
* KCM: Fix typo in comments
* CI: Ignore source file generated by systemtap
* UTIL: Add wrapper function to configure logger
* Add parameter --logger to daemons
* SYSTEMD: Replace parameter --debug-to-files with ${DEBUG_LOGGER}
* SYSTEMD: Add environment file to responder service files
* UTIL: Hide and deprecate parameter --debug-to-files
* KCM: Fix restart during/after upgrade
* BUILD: Properly expand variables in sssd-ifp.service
* SYSTEMD: Clean pid file in corner cases
* CHILD: Pass information about logger to children
* BUILD: Disable tests with known failures
* SPEC: Reduce build time dependencies
* sysdb-test: Fix warning may be used uninitialized
* responder: Fix talloc hierarchy in sized_output_name
* test_responder: Check memory leak in sized_output_name
* confdb: Move detection files to separate function
* confdb: Fix starting of implicit files domain
* confdb: Do not start implicit_files with proxy domain
* test_files_provider: Regression test for implicit_files + proxy
* SDAP: Fix typo in debug message
* Revert "intg: Disable add_remove tests"
* libnfsidmap: Use public plugin header file if available
* dyndns_tests: Fix unit test with missing features in nsupdate
* Remove unnecessary script for upgrading debug_levels
* Remove legacy script for upgrading sssd.conf
* BUILD: Add missing libs found by -Wl,-z,defs
* BUILD: Fix using of libdlopen_test_providers.so in tests
* SYSDB: Decrease debuglevel in sysdb_get_certmap
* KRB5: Pass special flag to krb5_child
* krb5_child: Distinguish between expired & disabled AD user
* AD: Suppress warning Wincompatible-pointer-types with sasl callbacks
* pysss: Drop unused parameter
* pysss: Suppress warning Wincompatible-pointer-types
* CRYPTO: Suppress warning Wstringop-truncation
* INOTIFY: Fix warning Wstringop-truncation
* SIFP: Suppress warning Wstringop-truncation
* CLIENT: Fix warning Wstringop-overflow
* pysss_murmur: Allow to have NUL character in python bindings
* TESTS: Extend code coverage for murmurhash3
* mmap_cache: Remove unnecessary memchr in client code
* test_memory_cache: Regression test for #3571
* SPEC: Fix systemd executions/requirements
* SPEC: Reduce changes between upstream and downstream
* intg: Build with optimisations and debug symbols
* intg: Do not prefer builddir in PATH
* intg: Install configuration for dbus daemon
* intg: Install wrapper for getsockopt
* intg: Add sample infopipe test in cwrap env
* IPA: Drop unused ifdef HAVE_SELINUX_LOGIN_DIR
* IPA: Fix typo in debug message in sssm_ipa_selinux_init
* Michal Židek (9):
* NSS: Move memcache setup to separate function
* NSS: Specify memcache_timeout=0 semantics
* MAN: Document memcache_timeout=0 meaning
* MAN: GPO Security Filtering limitation
* SYSDB: Better debugging for email conflicts
* TESTS: Order list of entries in some lists
* Revert "BUILD: Disable tests with known failures"
* SELINUX: Check if SELinux is managed in selinux_child
* util: Add sss\_ prefix to some functions
* Niranjan M.R (1):
* Initial revision of sssd pytest framework
* Pavel Březina (10):
* sudo: document background activity
* sudo: always use srv_opts from id context
* AD: Remember last site discovered
* sysdb: add functions to get/set client site
* AD: Remember last site discovered in sysdb
* dp: use void * to express empty output argument list
* dp: add method to refresh access control rules
* ipa: implement method to refresh HBAC rules
* ifp: add method to refresh access control rules in domain
* sssctl: call dbus instead of pam to refresh HBAC rules
* René Genz (12):
* Fix minor spelling mistakes
* README: Add link to docs repo
* Fix minor spelling mistakes
* Fix minor spelling mistakes in providers/*
* Fix minor spelling mistakes in responder/*
* Fix minor spelling mistakes in sss_client/*
* Fix minor spelling mistakes in tests/cmocka/*
* Fix minor spelling mistakes
* Fix minor spelling mistakes in tests/*
* Fix minor spelling mistakes in tests/multihost/*
* Fix minor spelling mistakes in PY files in tests/python/*
* Fix minor spelling mistakes and formatting in tests/python/*
* Sumit Bose (48):
* sss_client: create nss_common.h
* nss-idmap: add nss like calls with timeout and flags
* NSS: add \*_EX version of some requests
* NSS: add support for SSS_NSS_EX_FLAG_NO_CACHE
* CACHE_REQ: Add cache_req_data_set_bypass_dp()
* nss: make memcache_delete_entry() public
* NSS: add support for SSS_NSS_EX_FLAG_INVALIDATE_CACHE
* NSS/TESTS: add unit tests for \*_EX requests
* nss-idmap: add timeout version of old sss_nss_* calls
* nss-idmap: allow empty buffer with SSS_NSS_EX_FLAG_INVALIDATE_CACHE
* p11_child: return multiple certs
* PAM: handled multiple certs in the responder
* pam_sss: refactoring, use struct cert_auth_info
* p11_child: use options to select certificate for authentication
* pam: add prompt string for certificate authentication
* PAM: allow missing logon_name during certificate authentication
* p11_child: add descriptions for error codes to debug messages
* pam: filter certificates in the responder not in the child
* PAM: add certificate's label to the selection prompt
* NSS: Use enum_ctx as memory_context in _setnetgrent_set_timeout()
* mmap_cache: make checks independent of input size
* sysdb: be_refresh_get_values_ex() remove unused option
* sysdb: do not use objectClass for users and groups
* sysdb: do not use LDB_SCOPE_ONELEVEL
* sysdb: remove IDXONE and objectClass from users and groups
* krb5: show error message for krb5_init_context() failures
* UTIL: add find_domain_by_object_name_ex()
* ipa: handle users from different domains in ipa_resolve_user_list_send()
* overrides: fixes for sysdb_invalidate_overrides()
* ipa: check for SYSDB_OVERRIDE_DN in process_members and get_group_dn_list
* IPA: use cache searches in get_groups_dns()
* ipa: compare DNs instead of group names in ipa_s2n_save_objects()
* p11_child: make sure OCSP checks are done
* nss-idmap: allow NULL result in \*_timeout calls
* Revert "p11_child: make sure OCSP checks are done"
* p11_child: properly check results of CERT_VerifyCertificateNow
* ifp: use realloc in ifp_list_ctx_remaining_capacity()
* SDAP: skip builtin AD groups in sdap_save_grpmem()
* sysdb: add userMappedCertificate to the index
* krb5_child: check preauth types if password is expired
* pam_sss: password change with two factor authentication
* nss-idmap: check timed muted return code
* krb5: call krb5_auth_cache_creds() if a password is available
* DESKPROFILE: Fix 'Improper use of negative value'
* AD: sdap_get_ad_tokengroups_done() allocate temporary data on state
* AD: do not allocate temporary data on long living context
* ipa: remove SYSDB_USER_CERT from sub-domain users
* ipa: add SYSDB_USER_MAPPED_CERT for certs in idoverrides
* Thorsten Scherf (1):
* IPA: Fixed subdomain typo
* Victor Tapia (1):
* WATCHDOG: Restart providers with SIGUSR2 after time drift
* amitkuma (3):
* cache_req: Correction of cache_req debug string ID format
* cache: Check for max_id/min_id in cache_req
* MAN: Explain how auto_private_groups affects subdomains
4 years
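The two configuration changes in the announcement above that an administrator is most likely to act on are ``auto_private_groups`` and ``memcache_timeout = 0``. The following ``sssd.conf`` is an added example written for this page; it is not part of the release announcement or of the SSSD project's own documentation. The domain name ``example.com`` and the service list are assumptions; the option names and the meanings given in the comments come from the release notes and the ``sssd.conf``/``sssd-ad`` manual pages.

```ini
# /etc/sssd/sssd.conf (added example; example.com and the service list are assumed)
# File must be mode 0600, owned by root (or the sssd user), or sssd refuses to start.
[sssd]
services = nss, pam, ssh
domains = example.com

[nss]
# New in 1.16.1: 0 disables the memory-mapped cache files altogether.
# Treat it as a temporary workaround for a suspected memcache bug only;
# with it, every libc lookup is a round trip to sssd_nss, so it costs
# performance and should be reverted once the fix is deployed.
memcache_timeout = 0

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
# POSIX attributes (uidNumber/gidNumber) are read from AD rather than
# generated from the SID; the by-ID Global Catalog lookup described in the
# release notes applies to this mode when those attributes are replicated
# to the GC.
ldap_id_mapping = false
# New in 1.16.1 for main domains: every user gets a private group whose GID
# equals the user's UID, and the gidNumber from AD is ignored. A real AD group
# whose gidNumber equals some user's uidNumber therefore cannot be resolved
# alongside that user, so check for overlap before enabling it.
auto_private_groups = true
```

Validate the file with ``sssctl config-check`` before restarting the service. Logging destination is no longer chosen with a shipped ``journal.conf``; to log to journald, add a drop-in such as ``/etc/systemd/system/sssd.service.d/override.conf`` containing ``[Service]`` and ``Environment=DEBUG_LOGGER=--logger=journald`` (the path and the value ``journald`` are assumptions; the release notes only name the ``--logger`` option and the ``files`` default). On an IPA client the new ``sssctl access-report`` command can then be used to list which users the HBAC rules admit to the host.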