Exop 1 #7739
Closed
make distcheck yields the following error because pidpath is currently hardcoded to /run/sssd (with the run directory hardcoded) and prefix is not correctly applied.

```
autoreconf -if && ./configure && make distcheck
/usr/bin/mkdir: cannot create directory '/run/sssd': Permission denied
make[5]: *** [Makefile:47801: installsssddirs] Error 1
```

```
2024-06-04T16:35:23.1627995Z /usr/bin/mkdir -p \
2024-06-04T16:35:23.1628921Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/include \
2024-06-04T16:35:23.1629987Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib \
2024-06-04T16:35:23.1631024Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/bin \
2024-06-04T16:35:23.1632011Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/sbin \
2024-06-04T16:35:23.1632919Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/man \
2024-06-04T16:35:23.1633620Z /run/sssd \
2024-06-04T16:35:23.1634262Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1635121Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/ldb \
2024-06-04T16:35:23.1635921Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/dbus-1/system.d \
2024-06-04T16:35:23.1636710Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/dbus-1/system-services \
2024-06-04T16:35:23.1637387Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1637936Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd \
2024-06-04T16:35:23.1638495Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/sssd \
2024-06-04T16:35:23.1639022Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib \
2024-06-04T16:35:23.1639592Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/lib/sssd/modules \
2024-06-04T16:35:23.1640407Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/var/lib/sss/pipes/private \
2024-06-04T16:35:23.1641288Z /__w/sssd/sssd/x86_64/sssd-2.10.0/_inst/share/sssd/krb5-snippets \
```

Reviewed-by: Alexey Tikhonov <[email protected]>
sub_id_ranges needed to be fixed: This is because of ABI change in libsubid library. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Scott Poore <[email protected]>
We released a new SSSD beta version as 2.10.0-beta1, unfortunately this caused issues in the rpm build system as this value is set as the Version field but dash is not allowed in this field therefore `make rpms` was broken. Fedora guidelines require to use ~ as a prerelease separator so two NVR versions compare correctly. For example:

* 2.10.0 < 2.10.0-beta1
* 2.10.0~beta1 < 2.10.0

We will follow this guideline to make `make rpms` work again and to avoid any further rpm issues. Next GitHub release will also follow this guideline.

Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
This does not work on Fedora 41, it looks like it is not supported by dnf5. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
Add the test case of passkey where we are checking TGT of user after successful auth with IPA server. Also add the fixture to update the [email protected] file from server to make sure umockdev-run authenticates the user without showing data mismatch error. Signed-off-by: Madhuri Upadhye <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Scott Poore <[email protected]>
Reviewed-by: Madhuri Upadhye <[email protected]>
Sssd switched from sss_ssh_knownhostsproxy to sss_ssh_knownhosts Reviewed-by: Jakub Vávra <[email protected]>
Drop duplicate tests that have fallen in disrepair on RHEL 10 instead of maintaining them. Reviewed-by: Madhuri Upadhye <[email protected]>
authselect was not selected for sssd Reviewed-by: Jakub Vávra <[email protected]>
as a safety measure for a case where administrator could be tempted to set SUID bit to support some legacy/3rd party PAM module. Reviewed-by: Sumit Bose <[email protected]>
Reviewed-by: Madhuri Upadhye <[email protected]>
No of file descriptors should be same or close to same as before and after modifying krb5_child Reviewed-by: Jakub Vávra <[email protected]>
"sbus-dp_example1" was a unix socket of DBUS server maintained in every backend. Now we moved to single SBUS server in "monitor" so backends don't create own DBUS servers anymore. Reviewed-by: Madhuri Upadhye <[email protected]>
C++ code compilation error due to the return value from void function. Adding 'return NULL' Reviewed-by: Anuj Borah <[email protected]>
Should fix test_more_than_one_cn. Reviewed-by: Madhuri Upadhye <[email protected]>
due to missing privileges: `sssd_be` runs unprivileged and can't touch config in /etc. Ideally it should be moved to privileged helper process. For the time being just reduce log level to avoid backtraces in logs. Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Alexey Tikhonov <[email protected]>
pytest-mh logs will be collected automatically per test on failure so there is no reason to collect everything in single file. Having logs per test will be easier to debug. The test log is stored in: artifacts/tests/$testname/test.log Reviewed-by: Jakub Vávra <[email protected]>
In case of failure, show-capture=yes (default) also prints all captured pytest-mh logs. Showing these logs in pytest output just makes it more difficult to locate the failed assertion. The logs are stored in file for each failed test so we do not need to see them in pytest output to debug the issue. Reviewed-by: Jakub Vávra <[email protected]>
… prci Reviewed-by: Madhuri Upadhye <[email protected]>
Reviewed-by: Jakub Vávra <[email protected]>
The original primary SID is allocated on a temporary context and must be moved to a longer living one to still be available when the SID is evaluated later in the code. Resolves: SSSD#7411 Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
Handle possibly missing ldap_child log. Reviewed-by: Anuj Borah <[email protected]>
passkey_child owner was incorrectly set to $sssd_user:$sssd_user, when it should be root:root. Correcting it. Fixes: 30daa0c ("spec: update to include passkey") Signed-off-by: Iker Pedrosa <[email protected]> Reviewed-by: Alexey Tikhonov <[email protected]>
even when built without '--with-extended-enumeration-support' Reviewed-by: Dan Lavu <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
Currently the sssd initscripts always start as root. Non-systemd users cannot use non-root mode. This allows the initscripts to run with --with-sssd-user option Signed-off-by: Christopher Byrne <[email protected]> Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
'make distcheck' fails because those paths didn't respect the prefix. To avoid issues with standard prefixes like e.g. /usr, the prefix is only added if it does not match the start of the systemd path. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
Instead of using the absolute path name '/usr/share' ${datadir} is used to respect configure options and to make 'make distcheck' pass. 'polkitdir' is only used if SSSD was configured to run as 'sssd' user. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
Reviewed-by: Alexey Tikhonov <[email protected]>
This patch should avoid Coverity warnings like: ./src/sss_client/pam_sss.c:3075:17: alloc_arg: "get_authtok_for_password_change" allocates memory that is stored into "pi.first_factor". ./src/sss_client/pam_sss.c:3090:25: leaked_storage: Variable "pi" going out of scope leaks the storage "pi.first_factor" points to. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
With this patch SSSD will run the sub-domains request, if any, when switching from offline to online state. Currently only the AD and the IPA provider provide a sub-domains request. Besides trying to discover the sub-domains the request will also refresh other domain wide configurations, e.g. certificate mapping rules in the IPA provider case. Given that it might not be clear how long the client was offline, refreshing this data when going online makes sense. Resolves: SSSD#7612 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>
the following test cases are now covered in system/test_cache.py and this can be removed.

* fixed assertion writes_to_both_databases tests
* added test detecting modification and deletion for groups
** test is a common user story and functional, changed priority to critical
* added "integration" test invalidating user, group, netgroup objects

Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Shridhar Gadekar <[email protected]>
There is minimal benefit to run these tests against all providers. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Shridhar Gadekar <[email protected]>
Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
This is required since a86ee64 Reviewed-by: Iker Pedrosa <[email protected]>
The default_domain_suffix is already handled in the generic cache request code and the additional enforcement in the ssh responder might cause issue if fully-qualified names are used as input. With this change the ssh responder handles request data similar to the nss responder e.g. in sss_nss_protocol_parse_name(). Resolves: SSSD#7671 Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]>
:relnote: The option default_domain_suffix is deprecated. Consider using the more flexible domain_resolution_order instead. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]>
The label `DP_OPT_DYNDNS_REFRESH_OFFSET` was introduced in https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.h#L55 but the corresponding option is missing in https://github.com/SSSD/sssd/blob/fb91349cfeba653942b32141f890e3de78b3fb13/src/providers/be_dyndns.c#L1200 This error was introduced by SSSD@35c35de Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
Compare this structure to ipa_dyndns_opts, which is already compared to ad_dyndns_opts. Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
as those do not have to be the same Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
'cap_dac_read_search' is needed to read a keytab but 'cap_dac_override' (that allows to bypass file write permission checks) shouldn't be required. Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
and raise to 'effective' when needed. Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
Take a note that usage of cap_dac_override + chown to create cache path components could be changed to use cap_dac_override + (granted anyway) setuid, but not sure if it's worth the trouble. Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
'sssd_nss' won't handle this request anyway. Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Pavel Březina <[email protected]>
This is an addition to SSSD#7667 Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
Test transformation of bash-ldap-id-ldap-auth netgroup Reviewed-by: Dan Lavu <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]>
Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
Currently, the test will blindly fail if someone carelessly adds IPA to the topologies. Reviewed-by: Pavel Březina <[email protected]>
Resolves: SSSD#7715 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Alexey Tikhonov <[email protected]>
Reviewed-by: Shridhar Gadekar <[email protected]>
OSError from 'sss_analyze error list' PermissionError from 'sss_analyze request list' run without sudo Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
It looks like in current code the assumption is that the nsupdate command can just send its debug output into the backend log by duplicating the file descriptor. This won't work since the log file is opened with O_CLOEXEC so that it is closed when nsupdate is started. Additionally it is questionable if this approach is a good idea because it would lead to a random intermixing of debug information. This patch collects the output on stderr of nsupdate separately and adds it into the backend log similar to the input sent to nsupdate. Reviewed-by: Pavel Březina <[email protected]> Reviewed-by: Tomáš Halman <[email protected]>
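The behaviour described in the commit message above, as an added example that is not SSSD code: a descriptor opened with O_CLOEXEC is gone in the exec'd child, so the child's stderr has to be collected through a dedicated pipe. The function names, the `/bin/sh` stand-in for nsupdate and the shell commands are assumptions made for this demo.

```c
/* Added example: constructed demo, not SSSD code. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run cmd via /bin/sh with only its stderr connected to a pipe; copy what it
 * writes into buf (NUL-terminated). Returns bytes captured, -1 on error. */
int run_capture_stderr(const char *cmd, char *buf, size_t len)
{
    int p[2];
    if (len == 0 || pipe(p) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        /* The dup2() copy on fd 2 has no FD_CLOEXEC, so it survives exec. */
        if (dup2(p[1], STDERR_FILENO) == -1) _exit(126);
        close(p[0]);
        close(p[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);                      /* parent keeps only the read end */
    size_t used = 0;
    ssize_t n;
    while (used < len - 1 && (n = read(p[0], buf + used, len - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(p[0]);
    return waitpid(pid, NULL, 0) == -1 ? -1 : (int)used;
}

/* Open a log with or without O_CLOEXEC and let a child try to write to that
 * fd number. Returns 1 if the child found the fd closed (the shell complains
 * on stderr), 0 if the fd leaked into the child, -1 on error. */
int log_fd_closed_in_child(const char *path, int cloexec)
{
    int fd = open(path, O_WRONLY | O_APPEND | (cloexec ? O_CLOEXEC : 0));
    if (fd == -1) return -1;
    char cmd[64], err[256];
    snprintf(cmd, sizeof(cmd), "echo debug >&%d", fd);
    int n = run_capture_stderr(cmd, err, sizeof(err));
    close(fd);
    return n < 0 ? -1 : n > 0;
}
```

The parent can then write the captured buffer into its own log as one block, which avoids the intermixing the commit message mentions.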
Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Jakub Vávra <[email protected]>
… empty SSSD fails to store users if any of the requested attribute is empty Reviewed-by: Iker Pedrosa <[email protected]> Reviewed-by: Jakub Vávra <[email protected]>
This fixes mh critical tests that are failing. Reviewed-by: Shridhar Gadekar <[email protected]>
The new value for the ldap_pwmodify_mode option 'exop_force' is added to existing test. A new test to illustrate the different behavior of 'exop' and 'exop_force' is added. Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]> (cherry picked from commit deefe9a)
No description provided.