Exop 1 #7739

Closed
wants to merge 842 commits into from
Conversation

shridhargadekar
Contributor

No description provided.

pbrezina and others added 30 commits June 6, 2024 13:14
`make distcheck` yields the following error because pidpath is currently hardcoded to
/run/sssd (with the run directory hardcoded) and the prefix is not correctly applied.

```
autoreconf -if && ./configure && make distcheck
/usr/bin/mkdir: cannot create directory '/run/sssd': Permission denied
make[5]: *** [Makefile:47801: installsssddirs] Error 1
```

```
2024-06-04T16:35:23.1627995Z /usr/bin/mkdir -p \
2024-06-04T16:35:23.1628921Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/include \
2024-06-04T16:35:23.1629987Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib \
2024-06-04T16:35:23.1631024Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/bin \
2024-06-04T16:35:23.1632011Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/sbin \
2024-06-04T16:35:23.1632919Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/man \
2024-06-04T16:35:23.1633620Z     /run/sssd \
2024-06-04T16:35:23.1634262Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1635121Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/ldb \
2024-06-04T16:35:23.1635921Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/dbus-1/system.d \
2024-06-04T16:35:23.1636710Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/dbus-1/system-services \
2024-06-04T16:35:23.1637387Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1637936Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1638495Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/sssd \
2024-06-04T16:35:23.1639022Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib \
2024-06-04T16:35:23.1639592Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd/modules \
2024-06-04T16:35:23.1640407Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/var/lib/sss/pipes/private \
2024-06-04T16:35:23.1641288Z     /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/sssd/krb5-snippets \
```

Reviewed-by: Alexey Tikhonov <[email protected]>
sub_id_ranges needed to be fixed: this is because of an ABI change in the libsubid library.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Scott Poore <[email protected]>
We released a new SSSD beta version as 2.10.0-beta1; unfortunately
this caused issues in the rpm build system, as this value is set as
the Version field but a dash is not allowed in this field, therefore
`make rpms` was broken.

Fedora guidelines require using ~ as a prerelease separator so that
two NVR versions compare correctly. For example:

* 2.10.0 < 2.10.0-beta1
* 2.10.0~beta1 < 2.10.0

We will follow this guideline to make `make rpms` work again and
to avoid any further rpm issues. Next GitHub release will also
follow this guideline.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
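The ordering this commit message relies on, as an added example (not SSSD code and not part of this PR): a Python re-implementation of rpm's segment-wise version comparison (`rpmvercmp`), including the tilde and caret rules, plus the two checks the message motivates. The names `sort_versions` and `spec_version_is_valid` are chosen here; the version strings fed to them are the ones from the message.

```python
import string
from functools import cmp_to_key

_ALNUM = set(string.ascii_letters + string.digits)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way rpm does.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Strings are split into
    runs of digits and runs of letters; everything else is a separator.
    '~' sorts before anything, including the end of the string, which is
    what makes '2.10.0~beta1' older than '2.10.0'.
    """
    if a == b:
        return 0
    i = j = 0
    na, nb = len(a), len(b)
    while i < na or j < nb:
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < na and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1
        while j < nb and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < na else ""
        cb = b[j] if j < nb else ""

        # Tilde sorts before everything else, even the end of the string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # Caret is like tilde, except that end of string sorts before caret.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break

        # Take the next segment of the same type (digits or letters) from both.
        si, sj = i, j
        isnum = ca in string.digits
        if isnum:
            while i < na and a[i] in string.digits:
                i += 1
            while j < nb and b[j] in string.digits:
                j += 1
        else:
            while i < na and a[i] in string.ascii_letters:
                i += 1
            while j < nb and b[j] in string.ascii_letters:
                j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            # Segments of different type: a numeric segment counts as newer.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1

    if i >= na and j >= nb:
        return 0
    # Whichever string still has segments left is the newer one.
    return -1 if i >= na else 1


def sort_versions(versions):
    """Sort oldest to newest using rpm's ordering."""
    return sorted(versions, key=cmp_to_key(rpmvercmp))


def spec_version_is_valid(version: str) -> bool:
    """rpmbuild rejects a dash in the Version tag: '-' separates Version from Release."""
    return "-" not in version


if __name__ == "__main__":
    print(sort_versions(["2.10.0", "2.10.0-beta1", "2.9.5", "2.10.0~beta1"]))
```

Running the module prints the four versions oldest first: `2.9.5`, `2.10.0~beta1`, `2.10.0`, `2.10.0-beta1`, which is exactly why the tilde spelling is the one that lets a beta upgrade to the final release.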
This does not work on Fedora 41, it looks like it is not supported
by dnf5.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
Add a passkey test case where we check the user's TGT after
successful authentication with the IPA server.

Also add a fixture to update the [email protected]
file from the server, to make sure umockdev-run authenticates
the user without showing a data mismatch error.

Signed-off-by: Madhuri Upadhye <[email protected]>

Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Scott Poore <[email protected]>
SSSD switched from sss_ssh_knownhostsproxy to sss_ssh_knownhosts

Reviewed-by: Jakub Vávra <[email protected]>
Drop duplicate tests that have fallen into disrepair on RHEL 10 instead
of maintaining them.

Reviewed-by: Madhuri Upadhye <[email protected]>
authselect was not selected for sssd

Reviewed-by: Jakub Vávra <[email protected]>
as a safety measure for a case where an administrator could be tempted
to set the SUID bit to support some legacy/3rd party PAM module.

Reviewed-by: Sumit Bose <[email protected]>
The number of file descriptors should be the same, or close to the same, before and after modifying krb5_child.

Reviewed-by: Jakub Vávra <[email protected]>
"sbus-dp_example1" was a unix socket of the DBUS server maintained
in every backend. Now we have moved to a single SBUS server in "monitor",
so backends don't create their own DBUS servers anymore.

Reviewed-by: Madhuri Upadhye <[email protected]>
C++ code compilation error due to the return value from a void function.
Adding 'return NULL'.

Reviewed-by: Anuj Borah <[email protected]>
Should fix test_more_than_one_cn.

Reviewed-by: Madhuri Upadhye <[email protected]>
due to missing privileges: `sssd_be` runs unprivileged and can't
touch config in /etc.
Ideally it should be moved to a privileged helper process. For the time
being, just reduce the log level to avoid backtraces in logs.

Reviewed-by: Iker Pedrosa <[email protected]>
pytest-mh logs will be collected automatically per test on failure,
so there is no reason to collect everything in a single file. Having
logs per test will make debugging easier.

The test log is stored in:
artifacts/tests/$testname/test.log

Reviewed-by: Jakub Vávra <[email protected]>
In case of failure, show-capture=yes (default) also prints all captured
pytest-mh logs. Showing these logs in the pytest output just makes it more
difficult to locate the failed assertion. The logs are stored in a file
for each failed test, so we do not need to see them in the pytest output
to debug the issue.

Reviewed-by: Jakub Vávra <[email protected]>
The original primary SID is allocated on a temporary context and must be
moved to a longer-living one to still be available when the SID is
evaluated later in the code.

Resolves: SSSD#7411

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
Handle possibly missing ldap_child log.

Reviewed-by: Anuj Borah <[email protected]>
passkey_child owner was incorrectly set to $sssd_user:$sssd_user, when
it should be root:root. Correcting it.

Fixes: 30daa0c ("spec: update to include passkey")

Signed-off-by: Iker Pedrosa <[email protected]>

Reviewed-by: Alexey Tikhonov <[email protected]>
even when built without '--with-extended-enumeration-support'

Reviewed-by: Dan Lavu <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
Currently the sssd initscripts always start as root. Non-systemd users
cannot use non-root mode. This allows the initscripts to run with the
--with-sssd-user option.

Signed-off-by: Christopher Byrne <[email protected]>

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
'make distcheck' fails because those paths didn't respect the prefix. To
avoid issues with standard prefixes like e.g. /usr, the prefix is only
added if it does not match the start of the systemd path.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
Instead of using the absolute path name '/usr/share' ${datadir} is used
to respect configure options and to make 'make distcheck' pass.

'polkitdir' is only used if SSSD was configured to run as 'sssd' user.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
sumit-bose and others added 29 commits November 9, 2024 10:46
This patch should avoid Coverity warnings like:

./src/sss_client/pam_sss.c:3075:17: alloc_arg: "get_authtok_for_password_change" allocates memory that is stored into "pi.first_factor".
./src/sss_client/pam_sss.c:3090:25: leaked_storage: Variable "pi" going out of scope leaks the storage "pi.first_factor" points to.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
With this patch SSSD will run the sub-domains request, if any, when
switching from offline to online state. Currently only the AD and the
IPA provider provide a sub-domains request. Besides trying to discover
the sub-domains the request will also refresh other domain wide
configurations, e.g. certificate mapping rules in the IPA provider case.
Given that it might not be clear how long the client was offline,
refreshing this data when going online makes sense.

Resolves: SSSD#7612

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Justin Stephenson <[email protected]>
the following test cases are now covered in system/test_cache.py and
this can be removed.

* fixed assertion writes_to_both_databases tests
* added test detecting modification and deletion for groups
** test is a common user story and functional, changed priority to
critical
* added "integration" test invalidating user, group, netgroup objects

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Shridhar Gadekar <[email protected]>
There is minimal benefit in running these tests against all providers.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Shridhar Gadekar <[email protected]>
Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
This is required since a86ee64

Reviewed-by: Iker Pedrosa <[email protected]>
The default_domain_suffix is already handled in the generic cache
request code, and the additional enforcement in the ssh responder might
cause issues if fully-qualified names are used as input.

With this change the ssh responder handles request data similarly to the
nss responder, e.g. in sss_nss_protocol_parse_name().

Resolves: SSSD#7671

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Iker Pedrosa <[email protected]>
:relnote: The option default_domain_suffix is deprecated. Consider using
the more flexible domain_resolution_order instead.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Iker Pedrosa <[email protected]>
Compare this structure to ipa_dyndns_opts, which is already compared
to ad_dyndns_opts.

Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
as those do not have to be the same

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
'cap_dac_read_search' is needed to read a keytab, but 'cap_dac_override'
(which allows bypassing file write permission checks) shouldn't be required.

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
and raise to 'effective' when needed.

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
Note that the usage of cap_dac_override + chown to create cache path
components could be changed to use cap_dac_override + (granted anyway) setuid,
but I'm not sure if it's worth the trouble.

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
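A defender's check for the posture these three commits describe (keep only what the keytab read needs in the permitted set, leave the effective set empty until a capability is actually raised), as an added Python example that is not SSSD code: it decodes the capability masks from a `/proc/<pid>/status` snapshot and flags anything outside an allow-list. The status fragments, the allow-list and the function names are constructed for this example; the bit numbers are the ones from `<linux/capability.h>`.

```python
# Capability bit numbers from <linux/capability.h> for the bits this check
# names; any other set bit is reported by its number.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    7: "CAP_SETUID",
    21: "CAP_SYS_ADMIN",
}

# Constructed /proc/<pid>/status fragments (not real sssd output).
# Before: cap_dac_override (bit 1) and cap_dac_read_search (bit 2) are both
# permitted and effective the whole time.
STATUS_BEFORE = """Name:\tsssd_be
CapInh:\t0000000000000000
CapPrm:\t0000000000000006
CapEff:\t0000000000000006
"""
# After: only cap_dac_read_search is permitted and nothing is effective while idle.
STATUS_AFTER = """Name:\tsssd_be
CapInh:\t0000000000000000
CapPrm:\t0000000000000004
CapEff:\t0000000000000000
"""


def parse_cap_sets(status_text: str) -> dict:
    """Extract the Cap* hex masks (CapInh, CapPrm, CapEff, ...) from status text."""
    sets = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            sets[key.strip()] = int(value.strip(), 16)
    return sets


def decode_caps(mask: int) -> list:
    """Turn a capability bitmask into capability names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES.get(bit, f"CAP_{bit}"))
        bit += 1
    return names


def audit_caps(status_text: str, allowed_permitted: set) -> list:
    """Return policy findings for one process snapshot.

    Policy: the permitted set may contain only the allow-listed capabilities,
    and the effective set should be empty while the process is idle, since a
    capability is meant to be raised to effective only for the call that needs it.
    """
    sets = parse_cap_sets(status_text)
    permitted = set(decode_caps(sets.get("CapPrm", 0)))
    effective = set(decode_caps(sets.get("CapEff", 0)))
    findings = []
    for cap in sorted(permitted - allowed_permitted):
        findings.append(f"{cap} is permitted but not in the allow-list")
    if effective:
        findings.append("effective set is not empty at rest: " + ", ".join(sorted(effective)))
    return findings


if __name__ == "__main__":
    for label, snapshot in (("before", STATUS_BEFORE), ("after", STATUS_AFTER)):
        print(label, audit_caps(snapshot, {"CAP_DAC_READ_SEARCH"}) or "OK")
```

On a live system the same check reads the text of `/proc/<pid>/status` for the sssd_be process; the snapshot shape is identical.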
'sssd_nss' won't handle this request anyway.

Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
This is an addition to SSSD#7667

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
Test transformation of bash-ldap-id-ldap-auth netgroup

Reviewed-by: Dan Lavu <[email protected]>
Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Justin Stephenson <[email protected]>
Currently, the test will blindly fail if someone carelessly adds IPA to the topologies.

Reviewed-by: Pavel Březina <[email protected]>
Resolves: SSSD#7715

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Alexey Tikhonov <[email protected]>
OSError from 'sss_analyze error list'

PermissionError from 'sss_analyze request list' run without sudo

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
It looks like in the current code the assumption is that the nsupdate
command can just send its debug output into the backend log by
duplicating the file descriptor. This won't work since the log file is
opened with O_CLOEXEC, so that it is closed when nsupdate is started.

Additionally, it is questionable whether this approach is a good idea because
it would lead to a random intermixing of debug information. This patch
collects the output on stderr of nsupdate separately and adds it into
the backend log, similar to the input sent to nsupdate.

Reviewed-by: Pavel Březina <[email protected]>
Reviewed-by: Tomáš Halman <[email protected]>
Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Jakub Vávra <[email protected]>
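The failure mode this commit message describes (a log fd opened with O_CLOEXEC cannot be handed to the child by duplicating it, because exec closes it) and the pattern the patch adopts instead (read the child's stderr through a pipe and write it into the log with a prefix, next to the input that was sent), as an added Python example that is not SSSD code. The nsupdate stand-in, the log path, the update script and the prefixes are constructed for the demonstration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for nsupdate: reads the update script on stdin and
# writes a fake debug trace on stderr, the way nsupdate -d would.
FAKE_NSUPDATE_SRC = """
import sys
data = sys.stdin.read()
sys.stderr.write("Sending update to 192.0.2.53#53\\n")
sys.stderr.write("%d lines read from stdin\\n" % len(data.splitlines()))
"""
FAKE_NSUPDATE = [sys.executable, "-c", FAKE_NSUPDATE_SRC]


def open_log(path: str, cloexec: bool) -> int:
    """Open a log file; with cloexec=True the fd is closed across exec, as in sssd."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND
    if cloexec:
        flags |= os.O_CLOEXEC
    fd = os.open(path, flags, 0o600)
    # Python marks new fds non-inheritable anyway (PEP 446); set the flag
    # explicitly so the two variants of this function really differ.
    os.set_inheritable(fd, not cloexec)
    return fd


def fd_visible_to_child(fd: int) -> bool:
    """Exec a child and report whether `fd` is still open in it."""
    probe = (
        "import os, sys\n"
        f"try:\n    os.fstat({fd})\n"
        "except OSError:\n    sys.exit(1)\n"
        "sys.exit(0)\n"
    )
    # close_fds=False: only the per-fd close-on-exec flag decides what survives.
    result = subprocess.run([sys.executable, "-c", probe], close_fds=False)
    return result.returncode == 0


def run_and_log(cmd, stdin_text: str, log_fd: int, tag: str = "nsupdate") -> int:
    """Run cmd with stdin_text on its stdin, collect its stderr through a pipe,
    and append the input and the captured stderr to the log with a prefix."""
    proc = subprocess.run(cmd, input=stdin_text, capture_output=True, text=True)
    with os.fdopen(os.dup(log_fd), "a") as log:
        for line in stdin_text.splitlines():
            log.write(f"[{tag} stdin] {line}\n")
        for line in proc.stderr.splitlines():
            log.write(f"[{tag} stderr] {line}\n")
    return proc.returncode


def demo() -> dict:
    """Show both halves: the CLOEXEC fd is gone after exec, the pipe still gets the output."""
    script = "update add host.example.test 300 A 192.0.2.10\nsend\n"
    with tempfile.TemporaryDirectory() as tmpdir:
        log_path = os.path.join(tmpdir, "sssd_example.log")
        cloexec_fd = open_log(log_path, cloexec=True)
        plain_fd = open_log(log_path, cloexec=False)
        try:
            cloexec_visible = fd_visible_to_child(cloexec_fd)
            plain_visible = fd_visible_to_child(plain_fd)
            rc = run_and_log(FAKE_NSUPDATE, script, cloexec_fd)
        finally:
            os.close(cloexec_fd)
            os.close(plain_fd)
        with open(log_path) as f:
            log_text = f.read()
    return {
        "cloexec_fd_visible_in_child": cloexec_visible,
        "plain_fd_visible_in_child": plain_visible,
        "rc": rc,
        "log": log_text,
    }


if __name__ == "__main__":
    print(demo()["log"])
```

The log ends up with the update script and the child's stderr as separate, prefixed lines, so nothing from the child interleaves with the daemon's own debug output.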
… empty

SSSD fails to store users if any of the requested attributes is empty

Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Jakub Vávra <[email protected]>
This fixes mh critical tests that are failing.

Reviewed-by: Shridhar Gadekar <[email protected]>
The new value for the ldap_pwmodify_mode option 'exop_force' is added to
existing test. A new test to illustrate the different behavior of 'exop'
and 'exop_force' is added.

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
(cherry picked from commit deefe9a)