From 9e8c2ec9f33944e8b02c6f1549eb3e85d58c5511 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 18 May 2021 02:40:06 -0400 Subject: [PATCH] import sssd-2.4.0-9.el8 --- .gitignore | 2 +- .sssd.metadata | 2 +- ...sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch | 64 + .../0001-ad_gpo_ndr.c-more-ndr-updates.patch | 114 - SOURCES/0002-KCM-perf-improvements.patch | 3226 ++++ ...avoid-endian-issues-in-network-tests.patch | 39 - ...3-DEBUG-journal_send-was-made-static.patch | 29 + ...config-check-alternative-config-file.patch | 137 - ...program-identifier-as-seen-in-syslog.patch | 71 + ...child-process-log-files-when-require.patch | 664 - ...ew-exec_child-_ex-interface-in-tests.patch | 64 - ...re-domain-config-does-not-leak-into-.patch | 36 + ...rmanent-entries-in-users-groups-rese.patch | 60 - ...D_SUBDOMAINS-flag-for-get_next_domai.patch | 106 + ...re-short-names-are-added-to-sub-doma.patch | 443 + ...007-util-inotify-fixed-CLANG_WARNING.patch | 46 - ...che-do-not-use-default_domain_suffix.patch | 154 + ...ixed-bug-in-inotify-event-processing.patch | 97 - SOURCES/0009-Replaced-enter-with-insert.patch | 46 - ...ase64-encoded-secret-on-upgrade-path.patch | 43 + ...erve-errno-during-_nss_sss_end-calls.patch | 166 - ...roups-are-filtered-during-initgroups.patch | 112 + SOURCES/0011-ifp-fix-use-after-free.patch | 36 + ...ilover-to-subdomain-override-lookups.patch | 43 - .../0012-GPO-fix-link-order-in-a-SOM.patch | 132 - ...-ifp-fix-original-fix-use-after-free.patch | 38 + ...ss-use-unique-id-for-gdm-choice-list.patch | 68 + ...-sysdb_update_subdomains-more-robust.patch | 58 - ...ad_master_domain_-to-ad_domain_info_.patch | 334 - ...authtok-add-label-to-Smartcard-token.patch | 1072 + ...ertificate-label-to-reply-to-pam_sss.patch | 208 + ...0015-sysdb-make-new_subdomain-public.patch | 117 - ...et_root_id_ctx-to-ads_get_dom_id_ctx.patch | 89 - ...016-add-tests-multiple-certs-same-id.patch | 265 + ...used-trust_type-from-ad_subdom_store.patch | 44 - ...rovider_be-Add-random-offset-default.patch | 53 + ...18-ad-add-ad_check_domain_-send-recv.patch 
| 283 - ...018-data_provider_be-MAN-page-update.patch | 59 + ...root-directly-if-not-present-on-loca.patch | 281 - SOURCES/0019-logs-review.patch | 3410 ++++ ...invalid-selinux-context-for-homedirs.patch | 44 - .../0020-sss_format.h-include-config.h.patch | 31 + .../0021-packet-add-sss_packet_set_body.patch | 59 + ...pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch | 37 - ...omain-store-hostname-and-keytab-path.patch | 119 + ...s-special-handling-for-gdm-smartcard.patch | 80 - ...dd-helper-to-call-user-by-upn-search.patch | 70 + ...e-old-certificate-data-is-removed-be.patch | 36 - .../0024-pam-fix-typo-in-debug-message.patch | 27 + SOURCES/0024-systemtap-Missing-a-comma.patch | 34 - ...5-pam-add-pam_gssapi_services-option.patch | 280 + ...efault-pwfield-only-for-sssd-shadowu.patch | 94 - .../0026-files-allow-root-membership.patch | 291 - ...-pam-add-pam_gssapi_check_upn-option.patch | 250 + ...-error-for-cache-only-lookups-as-fat.patch | 42 - ...gss-module-for-gssapi-authentication.patch | 1866 ++ ...cache_req-to-return-ERR_OFFLINE-if-a.patch | 100 + ...of-free-and-data-tables-were-made-co.patch | 193 - ...-NSS-make-memcache-size-configurable.patch | 543 - ...R_OFFLINE-if-we-fail-to-get-informat.patch | 58 + ...030-NSS-avoid-excessive-log-messages.patch | 83 - ...s-translate-ERR_OFFLINE-to-EHOSTDOWN.patch | 51 + ...ebug-during-mem-cache-initialization.patch | 101 - SOURCES/0031-autofs-disable-fast-reply.patch | 61 + ...-errors-for-different-protocol-versi.patch | 168 + ...ed-log-message-in-case-cache-is-full.patch | 53 - ...cache-size-configurable-in-megabytes.patch | 189 - ...0033-configure-check-for-stdatomic.h.patch | 28 + ...q-ignore-autofs-not-configured-error.patch | 131 + SOURCES/0034-mem-cache-comment-added.patch | 38 - ...mem-cache-always-cleanup-old-content.patch | 262 - ...ix-memory-leak-while-reloading-lists.patch | 100 + ...o-not-try-to-del-non-existing-sender.patch | 38 + ...ated-translations-to-include-new-sou.patch | 16083 ---------------- 
...ion-files-Japanese-Chinese-China-Fre.patch | 1537 -- ...sapi-fix-implicit-conversion-warning.patch | 34 + ...am_gssapi_services-to-NULL-in-domain.patch | 34 + ...config-check-alternative-snippet-dir.patch | 63 - ...-certmap-sanitize-LDAP-search-filter.patch | 651 - ...9-pam_sss_gssapi-fix-coverity-issues.patch | 133 + ...forcing-GPO-rule-restriction-on-user.patch | 42 - ...do-not-add-to-external-groups-in-IPA.patch | 40 + ...0041-man-clarify-AD-certificate-rule.patch | 33 - ...allback-to-schedule_get_domains_task.patch | 199 + ...w-prompting-options-in-configuration.patch | 72 - ...ificate-maps-at-the-end-of-initial-d.patch | 64 + ...US-set-sbus_name-before-dp_init_send.patch | 134 + ...ild-switch-default-ocsp_dgst-to-sha1.patch | 77 - ...po_implicit_deny-when-evaluation-rul.patch | 181 - ...ss-support-authentication-indicators.patch | 655 + ...ch-by-low-usn-value-to-improve-perfo.patch | 121 + ...-modifytimestamp-debugging-leftovers.patch | 34 + ...0047-ssh-restore-default-debug-level.patch | 49 + SOURCES/0048-pot-update-pot-files.patch | 2230 +++ ...e-translations-for-the-2.4.1-release.patch | 6893 +++++++ SOURCES/0050-pot-update-pot-files.patch | 1940 ++ SOURCES/0051-po-update-translations.patch | 729 + SPECS/sssd.spec | 167 +- 98 files changed, 26342 insertions(+), 23721 deletions(-) create mode 100644 SOURCES/0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch delete mode 100644 SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch create mode 100644 SOURCES/0002-KCM-perf-improvements.patch delete mode 100644 SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch create mode 100644 SOURCES/0003-DEBUG-journal_send-was-made-static.patch delete mode 100644 SOURCES/0003-sssctl-sssctl-config-check-alternative-config-file.patch create mode 100644 SOURCES/0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch delete mode 100644 SOURCES/0004-DEBUG-only-open-child-process-log-files-when-require.patch delete mode 100644 
SOURCES/0005-DEBUG-use-new-exec_child-_ex-interface-in-tests.patch create mode 100644 SOURCES/0005-negcache-make-sure-domain-config-does-not-leak-into-.patch delete mode 100644 SOURCES/0006-NEGCACHE-skip-permanent-entries-in-users-groups-rese.patch create mode 100644 SOURCES/0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch create mode 100644 SOURCES/0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch delete mode 100644 SOURCES/0007-util-inotify-fixed-CLANG_WARNING.patch create mode 100644 SOURCES/0008-negcache-do-not-use-default_domain_suffix.patch delete mode 100644 SOURCES/0008-util-inotify-fixed-bug-in-inotify-event-processing.patch delete mode 100644 SOURCES/0009-Replaced-enter-with-insert.patch create mode 100644 SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch delete mode 100644 SOURCES/0010-NSS-client-preserve-errno-during-_nss_sss_end-calls.patch create mode 100644 SOURCES/0010-nss-check-if-groups-are-filtered-during-initgroups.patch create mode 100644 SOURCES/0011-ifp-fix-use-after-free.patch delete mode 100644 SOURCES/0011-ipa-add-failover-to-subdomain-override-lookups.patch delete mode 100644 SOURCES/0012-GPO-fix-link-order-in-a-SOM.patch create mode 100644 SOURCES/0012-ifp-fix-original-fix-use-after-free.patch create mode 100644 SOURCES/0013-pam_sss-use-unique-id-for-gdm-choice-list.patch delete mode 100644 SOURCES/0013-sysdb-make-sysdb_update_subdomains-more-robust.patch delete mode 100644 SOURCES/0014-ad-rename-ad_master_domain_-to-ad_domain_info_.patch create mode 100644 SOURCES/0014-authtok-add-label-to-Smartcard-token.patch create mode 100644 SOURCES/0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch delete mode 100644 SOURCES/0015-sysdb-make-new_subdomain-public.patch delete mode 100644 SOURCES/0016-ad-rename-ads_get_root_id_ctx-to-ads_get_dom_id_ctx.patch create mode 100644 SOURCES/0016-add-tests-multiple-certs-same-id.patch delete mode 100644 
SOURCES/0017-ad-remove-unused-trust_type-from-ad_subdom_store.patch create mode 100644 SOURCES/0017-data_provider_be-Add-random-offset-default.patch delete mode 100644 SOURCES/0018-ad-add-ad_check_domain_-send-recv.patch create mode 100644 SOURCES/0018-data_provider_be-MAN-page-update.patch delete mode 100644 SOURCES/0019-ad-check-forest-root-directly-if-not-present-on-loca.patch create mode 100644 SOURCES/0019-logs-review.patch delete mode 100644 SOURCES/0020-man-Document-invalid-selinux-context-for-homedirs.patch create mode 100644 SOURCES/0020-sss_format.h-include-config.h.patch create mode 100644 SOURCES/0021-packet-add-sss_packet_set_body.patch delete mode 100644 SOURCES/0021-pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch create mode 100644 SOURCES/0022-domain-store-hostname-and-keytab-path.patch delete mode 100644 SOURCES/0022-pam_sss-special-handling-for-gdm-smartcard.patch create mode 100644 SOURCES/0023-cache_req-add-helper-to-call-user-by-upn-search.patch delete mode 100644 SOURCES/0023-pam_sss-make-sure-old-certificate-data-is-removed-be.patch create mode 100644 SOURCES/0024-pam-fix-typo-in-debug-message.patch delete mode 100644 SOURCES/0024-systemtap-Missing-a-comma.patch create mode 100644 SOURCES/0025-pam-add-pam_gssapi_services-option.patch delete mode 100644 SOURCES/0025-proxy-use-x-as-default-pwfield-only-for-sssd-shadowu.patch delete mode 100644 SOURCES/0026-files-allow-root-membership.patch create mode 100644 SOURCES/0026-pam-add-pam_gssapi_check_upn-option.patch delete mode 100644 SOURCES/0027-PAM-do-not-treat-error-for-cache-only-lookups-as-fat.patch create mode 100644 SOURCES/0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch create mode 100644 SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch delete mode 100644 SOURCES/0028-mem-cache-sizes-of-free-and-data-tables-were-made-co.patch delete mode 100644 SOURCES/0029-NSS-make-memcache-size-configurable.patch create mode 100644 
SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch delete mode 100644 SOURCES/0030-NSS-avoid-excessive-log-messages.patch create mode 100644 SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch delete mode 100644 SOURCES/0031-NSS-enhanced-debug-during-mem-cache-initialization.patch create mode 100644 SOURCES/0031-autofs-disable-fast-reply.patch create mode 100644 SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch delete mode 100644 SOURCES/0032-mem-cache-added-log-message-in-case-cache-is-full.patch delete mode 100644 SOURCES/0033-NSS-make-memcache-size-configurable-in-megabytes.patch create mode 100644 SOURCES/0033-configure-check-for-stdatomic.h.patch create mode 100644 SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch delete mode 100644 SOURCES/0034-mem-cache-comment-added.patch delete mode 100644 SOURCES/0035-mem-cache-always-cleanup-old-content.patch create mode 100644 SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch create mode 100644 SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch delete mode 100644 SOURCES/0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch delete mode 100644 SOURCES/0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch create mode 100644 SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch create mode 100644 SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch delete mode 100644 SOURCES/0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch delete mode 100644 SOURCES/0039-certmap-sanitize-LDAP-search-filter.patch create mode 100644 SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch delete mode 100644 SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch create mode 100644 SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch delete mode 100644 SOURCES/0041-man-clarify-AD-certificate-rule.patch create mode 100644 
SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch delete mode 100644 SOURCES/0042-config-allow-prompting-options-in-configuration.patch create mode 100644 SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch create mode 100644 SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch delete mode 100644 SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch delete mode 100644 SOURCES/0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch create mode 100644 SOURCES/0044-pam_sss_gss-support-authentication-indicators.patch create mode 100644 SOURCES/0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch create mode 100644 SOURCES/0046-ldap-fix-modifytimestamp-debugging-leftovers.patch create mode 100644 SOURCES/0047-ssh-restore-default-debug-level.patch create mode 100644 SOURCES/0048-pot-update-pot-files.patch create mode 100644 SOURCES/0049-Update-the-translations-for-the-2.4.1-release.patch create mode 100644 SOURCES/0050-pot-update-pot-files.patch create mode 100644 SOURCES/0051-po-update-translations.patch diff --git a/.gitignore b/.gitignore index 5e4ac2c..56d81dd 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/sssd-2.3.0.tar.gz +SOURCES/sssd-2.4.0.tar.gz diff --git a/.sssd.metadata b/.sssd.metadata index 1dea3e7..54e9039 100644 --- a/.sssd.metadata +++ b/.sssd.metadata @@ -1 +1 @@ -61b8704c33ea80104fa9d94017c704e333c3c552 SOURCES/sssd-2.3.0.tar.gz +abcf616bf894d54623bf2541afdc7018e5d150aa SOURCES/sssd-2.4.0.tar.gz diff --git a/SOURCES/0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch b/SOURCES/0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch new file mode 100644 index 0000000..bc47f70 --- /dev/null +++ b/SOURCES/0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch 
@@ -0,0 +1,64 @@
+From ff24d1538af88f83d0a3cc2817952cf70e7ca580 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Sun, 22 Nov 2020 17:44:07 +0100
+Subject: [PATCH] SYSDB: merge_res_sysdb_attrs() fixed to avoid NULL ptr in
+ msgs[]
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This helps to avoid sssd_be segfaults at be_refresh_get_values_ex() due to NULL
+ptrs in results of sysdb_search_with_ts_attr()
+
+Resolves: https://github.com/SSSD/sssd/issues/5412
+
+Reviewed-by: Pavel Březina
+---
+ src/db/sysdb_search.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
+index e616fd5bc..4ff65c1ae 100644
+--- a/src/db/sysdb_search.c
++++ b/src/db/sysdb_search.c
+@@ -221,6 +221,7 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
+ const char *attrs[])
+ {
+ errno_t ret;
++ size_t ts_cache_res_count = 0;
+ struct ldb_result *ts_cache_res = NULL;
+
+ if (ts_res == NULL || ctx->ldb_ts == NULL) {
+@@ -231,7 +232,6 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
+ if (ts_cache_res == NULL) {
+ return ENOMEM;
+ }
+- ts_cache_res->count = ts_res->count;
+ ts_cache_res->msgs = talloc_zero_array(ts_cache_res,
+ struct ldb_message *,
+ ts_res->count);
+@@ -244,15 +244,18 @@ static errno_t merge_res_sysdb_attrs(TALLOC_CTX *mem_ctx,
+ ret = merge_msg_sysdb_attrs(ts_cache_res->msgs,
+ ctx,
+ ts_res->msgs[c],
+- &ts_cache_res->msgs[c], attrs);
+- if (ret != EOK) {
++ &ts_cache_res->msgs[ts_cache_res_count],
++ attrs);
++ if ((ret != EOK) || (ts_cache_res->msgs[ts_cache_res_count] == NULL)) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot merge sysdb cache values for %s\n",
+ ldb_dn_get_linearized(ts_res->msgs[c]->dn));
+- /* non-fatal, we just get only the non-timestamp attrs */
++ /* non-fatal, just skip */
+ continue;
+ }
++ ts_cache_res_count += 1;
+ }
++ ts_cache_res->count = ts_cache_res_count;
+
+ *_ts_cache_res = ts_cache_res;
+ return EOK;
+--
+2.21.3
+
diff --git a/SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch b/SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch
deleted file mode 100644
index 52ba2f4..0000000
--- a/SOURCES/0001-ad_gpo_ndr.c-more-ndr-updates.patch
+++ /dev/null
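Review bot: In the `@@ -244,15 +244,18 @@` hunk of the embedded src/db/sysdb_search.c change, the skip path reuses `msgs[ts_cache_res_count]` on the next iteration without clearing it, so a merge_msg_sysdb_attrs() call that fails after setting its output pointer would leave that message allocated under `ts_cache_res->msgs` until the whole result is freed. merge_msg_sysdb_attrs() is not visible here, so this needs confirming; if it can happen, `talloc_zfree(ts_cache_res->msgs[ts_cache_res_count]);` before `continue;` closes it. The replacement comment would say more as `/* non-fatal: drop the entry so msgs[0..count) never holds NULL */`, since the commit message ties the sssd_be segfault to NULL entries in this array. The loop header and the start of merge_res_sysdb_attrs() lie outside the hunk.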
@@ -1,114 +0,0 @@
-From a7c755672cd277497da3df4714f6d9457b6ac5ae Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 28 May 2020 15:02:43 +0200
-Subject: [PATCH] ad_gpo_ndr.c: more ndr updates
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch add another update to the ndr code which was previously
-updated by commit c031adde4f532f39845a0efd78693600f1f8b2f4 and
-1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc.
-
-As missing update in ndr_pull_security_ace() cased
-a failure in ad_gpo_parse_sd(). A unit-test for ad_gpo_parse_sd() was
-added to prevent similar issues in future.
-
-Resolves: https://github.com/SSSD/sssd/issues/5183
-
-Reviewed-by: Pavel Březina
----
- src/providers/ad/ad_gpo_ndr.c | 1 +
- src/tests/cmocka/test_ad_gpo.c | 57 ++++++++++++++++++++++++++++++++++
- 2 files changed, 58 insertions(+)
-
-diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
-index acd7b77c8..71d6d40f2 100644
---- a/src/providers/ad/ad_gpo_ndr.c
-+++ b/src/providers/ad/ad_gpo_ndr.c
-@@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *ndr,
- ndr->offset += pad;
- }
- if (ndr_flags & NDR_BUFFERS) {
-+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
- NDR_CHECK(ndr_pull_security_ace_object_ctr
- (ndr, NDR_BUFFERS, &r->object));
- }
-diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c
-index 97f70408a..d1f7a6915 100644
---- a/src/tests/cmocka/test_ad_gpo.c
-+++ b/src/tests/cmocka/test_ad_gpo.c
-@@ -347,6 +347,60 @@ void test_ad_gpo_ace_includes_host_sid_true(void **state)
- group_size, ace_dom_sid, true);
- }
-
-+uint8_t test_sid_data[] = {
-+0x01, 0x00, 0x04, 0x9c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+0x14, 0x00, 0x00, 0x00, 0x04, 0x00, 0x34, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
-+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
-+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
-+0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
-+0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8,
-+0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55,
-+0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x0a, 0x24, 0x00, 0xff, 0x00, 0x0f, 0x00,
-+0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0xda, 0x0e, 0xba, 0x60,
-+0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
-+0xbd, 0x00, 0x0e, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00,
-+0xda, 0x0e, 0xba, 0x60, 0x0f, 0xa2, 0xf4, 0x55, 0xb5, 0x57, 0x47, 0xf8, 0x00, 0x02, 0x00, 0x00,
-+0x00, 0x0a, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
-+0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0xff, 0x00, 0x0f, 0x00, 0x01, 0x01, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x12, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00,
-+0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x0b, 0x00, 0x00, 0x00, 0x05, 0x02, 0x28, 0x00,
-+0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x8f, 0xfd, 0xac, 0xed, 0xb3, 0xff, 0xd1, 0x11,
-+0xb4, 0x1d, 0x00, 0xa0, 0xc9, 0x68, 0xf9, 0x39, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
-+0x0b, 0x00, 0x00, 0x00, 0x00, 0x02, 0x14, 0x00, 0x94, 0x00, 0x02, 0x00, 0x01, 0x01, 0x00, 0x00,
-+0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00
-+};
-+
-+void test_ad_gpo_parse_sd(void **state)
-+{
-+ int ret;
-+ struct security_descriptor *sd = NULL;
-+
-+ ret = ad_gpo_parse_sd(test_ctx, NULL, 0, &sd);
-+ assert_int_equal(ret, EINVAL);
-+
-+ ret = ad_gpo_parse_sd(test_ctx, test_sid_data, sizeof(test_sid_data), &sd);
-+ assert_int_equal(ret, EOK);
-+ assert_non_null(sd);
-+ assert_int_equal(sd->revision, 1);
-+ assert_int_equal(sd->type, 39940);
-+ assert_null(sd->owner_sid);
-+ assert_null(sd->group_sid);
-+ assert_null(sd->sacl);
-+ assert_non_null(sd->dacl);
-+ assert_int_equal(sd->dacl->revision, 4);
-+ assert_int_equal(sd->dacl->size, 308);
-+ assert_int_equal(sd->dacl->num_aces, 10);
-+ assert_int_equal(sd->dacl->aces[0].type, 0);
-+ assert_int_equal(sd->dacl->aces[0].flags, 0);
-+ assert_int_equal(sd->dacl->aces[0].size, 36);
-+ assert_int_equal(sd->dacl->aces[0].access_mask, 917693);
-+ /* There are more components and ACEs in the security_descriptor struct
-+ * which are not checked here. */
-+
-+ talloc_free(sd);
-+}
-+
- int main(int argc, const char *argv[])
- {
- poptContext pc;
-@@ -385,6 +439,9 @@ int main(int argc, const char *argv[])
- cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_host_sid_true,
- ad_gpo_test_setup,
- ad_gpo_test_teardown),
-+ cmocka_unit_test_setup_teardown(test_ad_gpo_parse_sd,
-+ ad_gpo_test_setup,
-+ ad_gpo_test_teardown),
- };
-
- /* Set debug level to invalid value so we can decide if -d 0 was used. */
---
-2.21.1
-
diff --git a/SOURCES/0002-KCM-perf-improvements.patch b/SOURCES/0002-KCM-perf-improvements.patch
new file mode 100644
index 0000000..3734ebe
--- /dev/null
+++ b/SOURCES/0002-KCM-perf-improvements.patch
@@ -0,0 +1,3226 @@ +From 19c0cfe38670cc56219f0d9acdc2b3363e92616c Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 4 Dec 2020 12:09:57 +0100 +Subject: [PATCH] Squashed commit of the following: +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 325de5a5bb97ba026be6d22492bea8ab2605f1b5 +Author: Pavel Březina +Date: Thu Nov 26 12:07:06 2020 +0100 + + secrets: remove base64 enctype + + This was added as part of KCM performance improvements but never used. + Ldb is fully capable of holding binary data without the need for base64 + encoding so this is not needed. + + Reviewed-by: Alexey Tikhonov + +commit 39277cdadd317b0ab86cdd37de0616bc3eecbe6a +Author: Pavel Březina +Date: Thu Nov 26 11:55:39 2020 +0100 + + secrets: move attrs names to macros + + Reviewed-by: Alexey Tikhonov + +commit 9c1b51d057390fb5b26151f814a480911cda4cc9 +Author: Pavel Březina +Date: Thu Nov 26 11:47:24 2020 +0100 + + secrets: default to "plaintext" if "enctype" attr is missing + + This is a sane fallback behavior, however it should not happen since + the attribute should be always present. + + Reviewed-by: Alexey Tikhonov + +commit bf127d4f3f42e5b2afe25e512211439bc12a9904 +Author: Pavel Březina +Date: Tue Nov 3 13:35:33 2020 +0100 + + secrets: fix may_payload_size exceeded debug message + + The unit is bytes (B) not bits (b) and the conversion of the input + payload size to KiB was wrong (multiplying bytes * 1024). + + Reviewed-by: Alexey Tikhonov + +commit c3b314db57c34f64aaca7d74e76a9a955288bb51 +Author: Pavel Březina +Date: Mon Oct 19 12:40:07 2020 +0200 + + kcm: store credentials list in hash table to avoid cache lookups + + Iteration over ccache requires CRED_UUID_LIST and then calling + CRED_BY_UUID for each uuid in the obtained list. Each CRED_BY_UUID + operation invoked ldb_search and decryption. This was a substantional + bottle neck. 
+ + Resolves: https://github.com/SSSD/sssd/issues/5349 + + :fixes: KCM performance has improved dramatically for cases where + large amount of credentials are stored in the ccache. + + Reviewed-by: Alexey Tikhonov + +commit a370553c90c2ed6df3b94c169c4960a6f978031f +Author: Pavel Březina +Date: Thu Oct 29 14:57:53 2020 +0100 + + sss_ptr_hash: fix double free for circular dependencies + + If the hash table delete callback deletes the stored item, + we can end up in double free in case when we try to override + an existing item (hash_enter(key) where key already exists). + + ```c + static void delete_cb(hash_entry_t *item, + hash_destroy_enum deltype, + void *pvt) + { + talloc_free(item->value.ptr); + } + + hash_enter(key); + hash_enter(key); + ``` + + The doble free it self is fine, since it is done via talloc destructor + and talloc can cope with that. However, the hash table fails to store + the new entry because hash_delete is called twice. + + ``` + _sss_ptr_hash_add -> hash_enter -> hash_delete(old) -> delete_cb -> sss_ptr_hash_value_destructor -> hash_delete + ``` + + Reviewed-by: Alexey Tikhonov + +commit 241ee30da12f564803793ee2b14c1522aabd9235 +Author: Pavel Březina +Date: Fri Oct 16 15:36:51 2020 +0200 + + kcm: add per-connection data to be shared between requests + + Resolves: https://github.com/SSSD/sssd/issues/5349 + + Reviewed-by: Alexey Tikhonov + +commit 194447d35c11eb914f54719491dc5cfaab01b9a1 +Author: Pavel Březina +Date: Tue Oct 27 16:21:31 2020 +0100 + + kcm: use binary format to store ccache instead of json + + JSON is computationally complex and the parser is a bottleneck which + consumes about 10% of time. It also create the ccache unnecessary + large because it requires lots of unneded character and base64 + encoding. + + Binary format is fast, simple and small. + + This is backwards compatible and there is no need to destroy existing + ccache. It will be stored in binary format at first write to the cache. 
+ + Resolves: https://github.com/SSSD/sssd/issues/5349 + + Reviewed-by: Alexey Tikhonov + +commit f17740d831e16449495fff4ec57cc4800aaac83d +Author: Pavel Březina +Date: Tue Oct 27 17:09:43 2020 +0100 + + kcm: add spaces around operators in kcmsrv_ccache_key.c + + Reviewed-by: Alexey Tikhonov + +commit 15069a647ed6c7f1ead42baa1d421d953c9bc557 +Author: Pavel Březina +Date: Tue Oct 27 16:37:05 2020 +0100 + + kcm: avoid suppression of cppcheck warning + + Reviewed-by: Alexey Tikhonov + +commit e63a15038ac9c186626e4fdf681a6492031d1e40 +Author: Pavel Březina +Date: Tue Oct 27 16:18:11 2020 +0100 + + kcm: move sec key parser to separate file so it can be shared + + Reviewed-by: Alexey Tikhonov + +commit 9b1631defdcaa3ea7e87889eb136e7fa935ab4ce +Author: Pavel Březina +Date: Thu Oct 22 13:34:52 2020 +0200 + + kcm: add json suffix to existing searialization functions + + Reviewed-by: Alexey Tikhonov + +commit b6cc661b9f4162e590137430e945aa321fc13121 +Author: Pavel Březina +Date: Fri Oct 23 13:10:13 2020 +0200 + + iobuf: add more iobuf functions + + These will be used in later patches. + + Reviewed-by: Alexey Tikhonov + +commit ed08ba0023e63024bf1c52ae3f6596b9d804d0a5 +Author: Pavel Březina +Date: Thu Oct 22 12:18:38 2020 +0200 + + secrets: accept binary data instead of string + + Currently, both KCM and secrets responders store JSON formatted string + in the secrets database. One of the next commits makes KCM to store + binary format instead of JSON string to improve performance. We need + to be able to distinguish the formats to keep KCM update compatible + with existing ccache and also to keep secrets responder working. + + Secrets responder test had to be ammended to fit into a new maximum + payload which is now reduced by one byte for the secrets responder + to hold the ending zero of a secret string. + + This is a corner case in a long deprecated responder that is not even + built by default and has no known consumers so it is fine to fast fix + the test. 
+ + Reviewed-by: Alexey Tikhonov + +commit 908c15af9a9f8f0556a588e368e4a0b2e24ace1b +Author: Pavel Březina +Date: Thu Oct 22 11:18:12 2020 +0200 + + secrets: allow to specify secret's data format + + Currently, both KCM and secrets responders store JSON formatted string + in the secrets database. One of the next commits makes KCM to store + binary format instead of JSON string to improve performance. We need + to be able to distinguish the formats to keep KCM update compatible + with existing ccache and also to keep secrets responder working. + + Reviewed-by: Alexey Tikhonov + +commit 74fdaa64b27e88a6e0f153f8cb59989c572d4294 +Author: Pavel Březina +Date: Tue Oct 27 16:45:22 2020 +0100 + + kcm: avoid multiple debug messages if sss_sec_put fails + + sec_put() already logs a message if the underlaying function fails + so this debug message is really unnecessary. + + Reviewed-by: Alexey Tikhonov + +commit b8f28d9aa9d862cf504691c9c3f92941a63fb0a4 +Author: Pavel Březina +Date: Mon Oct 19 12:59:48 2020 +0200 + + kcm: disable encryption + + Encryption was a huge bottleneck for the secdb backend. This is + backwards compatible and there is no need to destroy existing + ccache. It will be stored unencrypted at first write to the cache. + + Note that the encryption did not provide any security as the cache + is accessible only by root and the master key is stored together + with the cache. So once someone gains access to the file it can + be easily decrypted. Additionaly, there was also no encryption at + the memory level. + + Resolves: https://github.com/SSSD/sssd/issues/5349 + + Reviewed-by: Alexey Tikhonov + +commit 8edcea8c377e85d037e83065c1904fa4b92c4a39 +Author: Pavel Březina +Date: Fri Oct 16 15:33:42 2020 +0200 + + kcm: avoid name confusion in GET_CRED_UUID_LIST handlers + + The function name did not follow best practices and it got easily confused + with `kcm_op_get_cred_by_uuid_getbyname_done`. 
+ + ``` + kcm_op_get_cred_uuid_getbyname_done + kcm_op_get_cred_by_uuid_getbyname_done + ``` + + Reviewed-by: Alexey Tikhonov + +commit 47a316c850107f12d406f27abb216e26383dfab7 +Author: Pavel Březina +Date: Mon Sep 14 12:44:57 2020 +0200 + + kcm: fix typos in debug messages + + Reviewed-by: Alexey Tikhonov +--- + Makefile.am | 14 +- + src/responder/kcm/kcmsrv_ccache.c | 66 ++++ + src/responder/kcm/kcmsrv_ccache.h | 47 ++- + src/responder/kcm/kcmsrv_ccache_binary.c | 308 ++++++++++++++++++ + src/responder/kcm/kcmsrv_ccache_json.c | 149 +-------- + src/responder/kcm/kcmsrv_ccache_key.c | 144 ++++++++ + src/responder/kcm/kcmsrv_ccache_mem.c | 30 +- + src/responder/kcm/kcmsrv_ccache_secdb.c | 128 +++----- + src/responder/kcm/kcmsrv_ccache_secrets.c | 9 +- + src/responder/kcm/kcmsrv_cmd.c | 23 +- + src/responder/kcm/kcmsrv_ops.c | 252 ++++++++++---- + src/responder/kcm/kcmsrv_ops.h | 8 + + src/responder/secrets/local.c | 5 +- + src/shared/safealign.h | 4 + + ...n_marshalling.c => test_kcm_marshalling.c} | 147 +++++++-- + src/tests/cmocka/test_sss_ptr_hash.c | 39 +++ + src/tests/cmocka/test_utils.c | 3 + + src/tests/cmocka/test_utils.h | 1 + + src/tests/intg/test_secrets.py | 3 +- + src/tests/multihost/basic/test_kcm.py | 12 +- + src/util/secrets/sec_pvt.h | 2 +- + src/util/secrets/secrets.c | 290 ++++++++++++----- + src/util/secrets/secrets.h | 20 +- + src/util/sss_iobuf.c | 141 ++++++++ + src/util/sss_iobuf.h | 46 +++ + src/util/sss_ptr_hash.c | 20 ++ + 26 files changed, 1457 insertions(+), 454 deletions(-) + create mode 100644 src/responder/kcm/kcmsrv_ccache_binary.c + create mode 100644 src/responder/kcm/kcmsrv_ccache_key.c + rename src/tests/cmocka/{test_kcm_json_marshalling.c => test_kcm_marshalling.c} (71%) + +diff --git a/Makefile.am b/Makefile.am +index 97aa1ec66..430b4e842 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -311,7 +311,7 @@ endif # HAVE_INOTIFY + + if BUILD_KCM + non_interactive_cmocka_based_tests += \ +- test_kcm_json \ ++ test_kcm_marshalling \ 
+ test_kcm_queue \ + $(NULL) + endif # BUILD_KCM +@@ -1817,8 +1817,10 @@ sssd_kcm_SOURCES = \ + src/responder/kcm/kcm.c \ + src/responder/kcm/kcmsrv_cmd.c \ + src/responder/kcm/kcmsrv_ccache.c \ ++ src/responder/kcm/kcmsrv_ccache_binary.c \ + src/responder/kcm/kcmsrv_ccache_mem.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ ++ src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache_secdb.c \ + src/responder/kcm/kcmsrv_ops.c \ + src/responder/kcm/kcmsrv_op_queue.c \ +@@ -3927,18 +3929,20 @@ test_sssd_krb5_locator_plugin_LDADD = \ + $(NULL) + + if BUILD_KCM +-test_kcm_json_SOURCES = \ +- src/tests/cmocka/test_kcm_json_marshalling.c \ ++test_kcm_marshalling_SOURCES = \ ++ src/tests/cmocka/test_kcm_marshalling.c \ ++ src/responder/kcm/kcmsrv_ccache_binary.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ ++ src/responder/kcm/kcmsrv_ccache_key.c \ + src/responder/kcm/kcmsrv_ccache.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + $(NULL) +-test_kcm_json_CFLAGS = \ ++test_kcm_marshalling_CFLAGS = \ + $(AM_CFLAGS) \ + $(UUID_CFLAGS) \ + $(NULL) +-test_kcm_json_LDADD = \ ++test_kcm_marshalling_LDADD = \ + $(JANSSON_LIBS) \ + $(UUID_LIBS) \ + $(KRB5_LIBS) \ +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index 66e2752ba..60eacd451 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -28,6 +28,9 @@ + #include "responder/kcm/kcmsrv_ccache_pvt.h" + #include "responder/kcm/kcmsrv_ccache_be.h" + ++static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *crd); ++ + static int kcm_cc_destructor(struct kcm_ccache *cc) + { + if (cc == NULL) { +@@ -94,6 +97,33 @@ done: + return ret; + } + ++struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, ++ const struct kcm_ccache *cc) ++{ ++ struct kcm_ccache *dup; ++ struct kcm_cred *crd_dup; ++ struct kcm_cred *crd; ++ ++ dup = talloc_zero(mem_ctx, struct kcm_ccache); ++ if (dup == NULL) { ++ return NULL; ++ } ++ memcpy(dup, cc, 
sizeof(struct kcm_ccache)); ++ ++ dup->creds = NULL; ++ DLIST_FOR_EACH(crd, cc->creds) { ++ crd_dup = kcm_cred_dup(dup, crd); ++ if (crd_dup == NULL) { ++ talloc_free(dup); ++ return NULL; ++ } ++ ++ DLIST_ADD(dup->creds, crd_dup); ++ } ++ ++ return dup; ++} ++ + const char *kcm_cc_get_name(struct kcm_ccache *cc) + { + return cc ? cc->name : NULL; +@@ -204,6 +234,22 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, + return kcreds; + } + ++static struct kcm_cred *kcm_cred_dup(TALLOC_CTX *mem_ctx, ++ struct kcm_cred *crd) ++{ ++ struct kcm_cred *dup; ++ ++ dup = talloc_zero(mem_ctx, struct kcm_cred); ++ if (dup == NULL) { ++ return NULL; ++ } ++ ++ uuid_copy(dup->uuid, crd->uuid); ++ dup->cred_blob = crd->cred_blob; ++ ++ return dup; ++} ++ + /* Add a cred to ccache */ + errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + struct kcm_cred *crd) +@@ -213,6 +259,26 @@ errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + return EOK; + } + ++errno_t kcm_cc_set_header(struct kcm_ccache *cc, ++ const char *sec_key, ++ struct cli_creds *client) ++{ ++ errno_t ret; ++ ++ ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ /* We rely on sssd-secrets only searching the user's subtree so we ++ * set the ownership to the client ++ */ ++ cc->owner.uid = cli_creds_get_uid(client); ++ cc->owner.gid = cli_creds_get_gid(client); ++ ++ return EOK; ++} ++ + errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t _uuid) + { + if (crd == NULL) { +diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h +index d629923fa..77cf8f61d 100644 +--- a/src/responder/kcm/kcmsrv_ccache.h ++++ b/src/responder/kcm/kcmsrv_ccache.h +@@ -72,6 +72,13 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx, + krb5_principal princ, + struct kcm_ccache **_cc); + ++/* ++ * Duplicate the ccache. Only ccache and credentials are duplicated, ++ * but their data are a shallow copy. 
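Review bot: In `kcm_cc_dup` the `memcpy` of the whole struct leaves the copy pointing at the same name, principal and other pointer members as the source, and `kcm_cred_dup` (added in the next hunk) shares `cred_blob` in the same way, so the duplicate is presumably only valid while the source ccache and its credential blobs are alive. The header comment says "shallow copy" but does not state that lifetime rule; I would add `/* The copy borrows cc's pointers and cred blobs; it must not outlive cc. */` above the function. `DLIST_ADD` also appears to insert at the list head, which would return the credentials in reverse order. If any caller depends on order, `DLIST_ADD_END(dup->creds, crd_dup, struct kcm_cred *);` preserves it.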
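Review bot: `kcm_cc_set_header` takes `cc->owner` from the requesting client rather than from anything in the stored record, so ownership is asserted, not verified. The function is therefore only correct when `sec_key` came from a lookup already confined to that client's subtree. The inline comment records this assumption, but it is not part of the function's contract. I would state it where the function is declared, e.g. `/* sec_key must come from a lookup scoped to client; owner is set to client unchecked. */`.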
++ */ ++struct kcm_ccache *kcm_cc_dup(TALLOC_CTX *mem_ctx, ++ const struct kcm_ccache *cc); ++ + /* + * Returns true if a client can access a ccache. + * +@@ -100,6 +107,11 @@ struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, + errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + struct kcm_cred *crd); + ++/* Set cc header information from sec key and client */ ++errno_t kcm_cc_set_header(struct kcm_ccache *cc, ++ const char *sec_key, ++ struct cli_creds *client); ++ + errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t uuid); + + /* +@@ -320,6 +332,11 @@ bool sec_key_match_name(const char *sec_key, + bool sec_key_match_uuid(const char *sec_key, + uuid_t uuid); + ++errno_t sec_key_parse(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char **_name, ++ uuid_t uuid); ++ + const char *sec_key_get_name(const char *sec_key); + + errno_t sec_key_get_uuid(const char *sec_key, +@@ -333,16 +350,30 @@ const char *sec_key_create(TALLOC_CTX *mem_ctx, + * sec_key is a concatenation of the ccache's UUID and name + * sec_value is the JSON dump of the ccache contents + */ +-errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char *sec_value, +- struct cli_creds *client, +- struct kcm_ccache **_cc); ++errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc); + + /* Convert a kcm_ccache to a key-value pair to be stored in secrets */ +-errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *cc, ++errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload); ++ ++/* ++ * sec_key is a concatenation of the ccache's UUID and name ++ * sec_value is the binary representation of ccache. 
++ */ ++errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ struct sss_iobuf *sec_value, + struct cli_creds *client, +- struct sss_iobuf **_payload); ++ struct kcm_ccache **_cc); ++ ++/* Convert a kcm_ccache to its binary representation. */ ++errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload); + + #endif /* _KCMSRV_CCACHE_H_ */ +diff --git a/src/responder/kcm/kcmsrv_ccache_binary.c b/src/responder/kcm/kcmsrv_ccache_binary.c +new file mode 100644 +index 000000000..7bfdbf13b +--- /dev/null ++++ b/src/responder/kcm/kcmsrv_ccache_binary.c +@@ -0,0 +1,308 @@ ++/* ++ Authors: ++ Pavel Březina ++ ++ Copyright (C) 2020 Red Hat ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "config.h" ++ ++#include ++#include ++ ++#include "util/util.h" ++#include "util/util_creds.h" ++#include "util/crypto/sss_crypto.h" ++#include "responder/kcm/kcmsrv_ccache_pvt.h" ++ ++static errno_t krb_data_to_bin(krb5_data *data, struct sss_iobuf *buf) ++{ ++ return sss_iobuf_write_varlen(buf, (uint8_t *)data->data, data->length); ++} ++ ++static errno_t princ_to_bin(krb5_principal princ, struct sss_iobuf *buf) ++{ ++ errno_t ret; ++ ++ if (princ == NULL) { ++ return sss_iobuf_write_uint8(buf, 0); ++ } ++ ++ /* Mark that principal is not empty. 
*/ ++ ret = sss_iobuf_write_uint8(buf, 1); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = krb_data_to_bin(&princ->realm, buf); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, princ->type); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, princ->length); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ for (krb5_int32 i = 0; i < princ->length; i++) { ++ ret = krb_data_to_bin(&princ->data[i], buf); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++static errno_t creds_to_bin(struct kcm_cred *creds, struct sss_iobuf *buf) ++{ ++ struct kcm_cred *crd; ++ uint32_t count = 0; ++ errno_t ret; ++ ++ DLIST_FOR_EACH(crd, creds) { ++ count++; ++ } ++ ++ ret = sss_iobuf_write_uint32(buf, count); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ DLIST_FOR_EACH(crd, creds) { ++ ret = sss_iobuf_write_len(buf, (uint8_t *)crd->uuid, sizeof(uuid_t)); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_write_iobuf(buf, crd->cred_blob); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++errno_t kcm_ccache_to_sec_input_binary(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload) ++{ ++ struct sss_iobuf *buf; ++ errno_t ret; ++ ++ buf = sss_iobuf_init_empty(mem_ctx, sizeof(krb5_principal_data), 0); ++ if (buf == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = sss_iobuf_write_int32(buf, cc->kdc_offset); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = princ_to_bin(cc->client, buf); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = creds_to_bin(cc->creds, buf); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ *_payload = buf; ++ ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ talloc_free(buf); ++ } ++ ++ return ret; ++} ++ ++static errno_t bin_to_krb_data(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ krb5_data *out) ++{ ++ uint8_t *data; ++ size_t len; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_varlen(mem_ctx, buf, &data, &len); ++ if (ret != 
EOK) { ++ return ret; ++ } ++ ++ out->magic = 0; ++ out->data = (char*)data; ++ out->length = len; ++ ++ return EOK; ++} ++ ++static errno_t bin_to_princ(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ krb5_principal *_princ) ++{ ++ krb5_principal princ; ++ uint8_t non_empty; ++ krb5_int32 i; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_uint8(buf, &non_empty); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (non_empty == 0) { ++ *_princ = NULL; ++ return EOK; ++ } ++ ++ princ = talloc_zero(mem_ctx, struct krb5_principal_data); ++ if (princ == NULL) { ++ return ENOMEM; ++ } ++ princ->magic = KV5M_PRINCIPAL; ++ ++ ret = bin_to_krb_data(princ, buf, &princ->realm); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_int32(buf, &princ->type); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_int32(buf, &princ->length); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ princ->data = talloc_zero_array(princ, krb5_data, princ->length); ++ if (princ->length > 0 && princ->data == NULL) { ++ return ENOMEM; ++ } ++ ++ for (i = 0; i < princ->length; i++) { ++ ret = bin_to_krb_data(princ, buf, &princ->data[i]); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ *_princ = princ; ++ ++ return EOK; ++} ++ ++static errno_t bin_to_creds(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *buf, ++ struct kcm_cred **_creds) ++{ ++ struct kcm_cred *creds = NULL; ++ struct kcm_cred *crd; ++ struct sss_iobuf *cred_blob; ++ uint32_t count; ++ uuid_t uuid; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_uint32(buf, &count); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ for (uint32_t i = 0; i < count; i++) { ++ ret = sss_iobuf_read_len(buf, sizeof(uuid_t), (uint8_t*)uuid); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sss_iobuf_read_iobuf(NULL, buf, &cred_blob); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ crd = kcm_cred_new(mem_ctx, uuid, cred_blob); ++ if (crd == NULL) { ++ talloc_free(cred_blob); ++ return ENOMEM; ++ } ++ ++ DLIST_ADD(creds, crd); ++ } ++ ++ 
*_creds = creds; ++ ++ return EOK; ++} ++ ++errno_t sec_kv_to_ccache_binary(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ struct sss_iobuf *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc) ++{ ++ struct kcm_ccache *cc; ++ errno_t ret; ++ ++ cc = talloc_zero(mem_ctx, struct kcm_ccache); ++ if (cc == NULL) { ++ return ENOMEM; ++ } ++ ++ ret = kcm_cc_set_header(cc, sec_key, client); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ ret = sss_iobuf_read_int32(sec_value, &cc->kdc_offset); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = bin_to_princ(cc, sec_value, &cc->client); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = bin_to_creds(cc, sec_value, &cc->creds); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ *_cc = cc; ++ ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ talloc_free(cc); ++ } ++ ++ return ret; ++} +diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c +index f78e9f58c..e790cbea3 100644 +--- a/src/responder/kcm/kcmsrv_ccache_json.c ++++ b/src/responder/kcm/kcmsrv_ccache_json.c +@@ -37,12 +37,6 @@ + */ + #define KS_JSON_VERSION 1 + +-/* +- * The secrets store is a key-value store at heart. 
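Review bot: `bin_to_princ` uses the int32 component count read from the stored blob as an array size without range-checking it. A negative `princ->length` skips both the `princ->length > 0 && princ->data == NULL` test and the read loop, so the function returns `EOK` with a principal whose `length` is negative and whose `data` may be NULL. A very large positive value is stopped only by the allocator. Rejecting the value right after the read would be enough, `if (princ->length < 0) { return EINVAL; }`, ideally with a sane upper bound as well. `bin_to_krb_data` likewise narrows the `size_t` length into `out->length` without a check.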
We store the UUID +- * and the name in the key to allow easy lookups be either key +- */ +-#define SEC_KEY_SEPARATOR '-' +- + /* Compat definition of json_array_foreach for older systems */ + #ifndef json_array_foreach + #define json_array_foreach(array, idx, value) \ +@@ -51,119 +45,6 @@ + idx++) + #endif + +-const char *sec_key_create(TALLOC_CTX *mem_ctx, +- const char *name, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- uuid_unparse(uuid, uuid_str); +- return talloc_asprintf(mem_ctx, +- "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); +-} +- +-static bool sec_key_valid(const char *sec_key) +-{ +- if (sec_key == NULL) { +- return false; +- } +- +- if (strlen(sec_key) < UUID_STR_SIZE + 1) { +- /* One char for separator (at UUID_STR_SIZE, because strlen doesn't +- * include the '\0', but UUID_STR_SIZE does) and at least one for +- * the name */ +- DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); +- return false; +- } +- +- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +- return false; +- } +- +- return true; +-} +- +-static errno_t sec_key_parse(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char **_name, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- if (!sec_key_valid(sec_key)) { +- return EINVAL; +- } +- +- strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); +- if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); +- return EINVAL; +- } +- uuid_str[UUID_STR_SIZE-1] = '\0'; +- +- *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); +- if (*_name == NULL) { +- return ENOMEM; +- } +- uuid_parse(uuid_str, uuid); +- +- return EOK; +-} +- +-errno_t sec_key_get_uuid(const char *sec_key, +- uuid_t uuid) +-{ +- char uuid_str[UUID_STR_SIZE]; +- +- if (!sec_key_valid(sec_key)) { +- return EINVAL; +- } +- +- strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); +- uuid_str[UUID_STR_SIZE-1] = 
'\0'; +- uuid_parse(uuid_str, uuid); +- return EOK; +-} +- +-const char *sec_key_get_name(const char *sec_key) +-{ +- if (!sec_key_valid(sec_key)) { +- return NULL; +- } +- +- return sec_key + UUID_STR_SIZE; +-} +- +-bool sec_key_match_name(const char *sec_key, +- const char *name) +-{ +- if (!sec_key_valid(sec_key) || name == NULL) { +- return false; +- } +- +- return strcmp(sec_key + UUID_STR_SIZE, name) == 0; +-} +- +-bool sec_key_match_uuid(const char *sec_key, +- uuid_t uuid) +-{ +- errno_t ret; +- uuid_t key_uuid; +- +- /* `key_uuid` is output arg and isn't read in sec_key_get_uuid() but +- * since libuuid is opaque for cppcheck it generates false positive here +- */ +- /* cppcheck-suppress uninitvar */ +- ret = sec_key_get_uuid(sec_key, key_uuid); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); +- return false; +- } +- +- return uuid_compare(key_uuid, uuid) == 0; +-} +- + /* + * Creates an array of principal elements that will be used later + * in the form of: +@@ -460,10 +341,9 @@ static errno_t ccache_to_sec_val(TALLOC_CTX *mem_ctx, + return EOK; + } + +-errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *cc, +- struct cli_creds *client, +- struct sss_iobuf **_payload) ++errno_t kcm_ccache_to_sec_input_json(TALLOC_CTX *mem_ctx, ++ struct kcm_ccache *cc, ++ struct sss_iobuf **_payload) + { + errno_t ret; + const char *value; +@@ -897,11 +777,11 @@ static errno_t sec_json_value_to_ccache(struct kcm_ccache *cc, + * sec_key is a concatenation of the ccache's UUID and name + * sec_value is the JSON dump of the ccache contents + */ +-errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, +- const char *sec_key, +- const char *sec_value, +- struct cli_creds *client, +- struct kcm_ccache **_cc) ++errno_t sec_kv_to_ccache_json(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char *sec_value, ++ struct cli_creds *client, ++ struct kcm_ccache **_cc) + { + errno_t ret; + json_t *root = NULL; +@@ -911,7 +791,7 @@ 
errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, + ret = sec_value_to_json(sec_value, &root); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot store secret to JSN [%d]: %s\n", ++ "Cannot store secret to JSON [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +@@ -928,16 +808,9 @@ errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, + goto done; + } + +- /* We rely on sssd-secrets only searching the user's subtree so we +- * set the ownership to the client +- */ +- cc->owner.uid = cli_creds_get_uid(client); +- cc->owner.gid = cli_creds_get_gid(client); +- +- ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); ++ ret = kcm_cc_set_header(cc, sec_key, client); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannt parse secret key [%d]: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot store ccache header [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_key.c b/src/responder/kcm/kcmsrv_ccache_key.c +new file mode 100644 +index 000000000..59d60453c +--- /dev/null ++++ b/src/responder/kcm/kcmsrv_ccache_key.c +@@ -0,0 +1,144 @@ ++/* ++ SSSD ++ ++ Copyright (C) Red Hat, 2020 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "config.h" ++ ++#include ++#include ++ ++#include "util/util.h" ++#include "responder/kcm/kcmsrv_ccache_pvt.h" ++ ++/* ++ * The secrets store is a key-value store at heart. 
We store the UUID ++ * and the name in the key to allow easy lookups by either part. ++ */ ++#define SEC_KEY_SEPARATOR '-' ++ ++const char *sec_key_create(TALLOC_CTX *mem_ctx, ++ const char *name, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ uuid_unparse(uuid, uuid_str); ++ return talloc_asprintf(mem_ctx, ++ "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); ++} ++ ++static bool sec_key_valid(const char *sec_key) ++{ ++ if (sec_key == NULL) { ++ return false; ++ } ++ ++ if (strlen(sec_key) < UUID_STR_SIZE + 1) { ++ /* One char for separator (at UUID_STR_SIZE, because strlen doesn't ++ * include the '\0', but UUID_STR_SIZE does) and at least one for ++ * the name */ ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); ++ return false; ++ } ++ ++ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); ++ return false; ++ } ++ ++ return true; ++} ++ ++errno_t sec_key_parse(TALLOC_CTX *mem_ctx, ++ const char *sec_key, ++ const char **_name, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ if (!sec_key_valid(sec_key)) { ++ return EINVAL; ++ } ++ ++ strncpy(uuid_str, sec_key, sizeof(uuid_str) - 1); ++ if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); ++ return EINVAL; ++ } ++ uuid_str[UUID_STR_SIZE - 1] = '\0'; ++ ++ *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); ++ if (*_name == NULL) { ++ return ENOMEM; ++ } ++ uuid_parse(uuid_str, uuid); ++ ++ return EOK; ++} ++ ++errno_t sec_key_get_uuid(const char *sec_key, ++ uuid_t uuid) ++{ ++ char uuid_str[UUID_STR_SIZE]; ++ ++ if (!sec_key_valid(sec_key)) { ++ return EINVAL; ++ } ++ ++ strncpy(uuid_str, sec_key, UUID_STR_SIZE - 1); ++ uuid_str[UUID_STR_SIZE - 1] = '\0'; ++ uuid_parse(uuid_str, uuid); ++ return EOK; ++} ++ ++const char *sec_key_get_name(const char *sec_key) ++{ ++ if (!sec_key_valid(sec_key)) { ++ return NULL; ++ } ++ ++ return 
sec_key + UUID_STR_SIZE; ++} ++ ++bool sec_key_match_name(const char *sec_key, ++ const char *name) ++{ ++ if (!sec_key_valid(sec_key) || name == NULL) { ++ return false; ++ } ++ ++ return strcmp(sec_key + UUID_STR_SIZE, name) == 0; ++} ++ ++bool sec_key_match_uuid(const char *sec_key, ++ uuid_t uuid) ++{ ++ errno_t ret; ++ uuid_t key_uuid; ++ ++ /* Clear uuid value to avoid cppcheck warning. */ ++ uuid_clear(key_uuid); ++ ++ ret = sec_key_get_uuid(sec_key, key_uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); ++ return false; ++ } ++ ++ return uuid_compare(key_uuid, uuid) == 0; ++} +diff --git a/src/responder/kcm/kcmsrv_ccache_mem.c b/src/responder/kcm/kcmsrv_ccache_mem.c +index baa698054..0e3a7b239 100644 +--- a/src/responder/kcm/kcmsrv_ccache_mem.c ++++ b/src/responder/kcm/kcmsrv_ccache_mem.c +@@ -49,24 +49,6 @@ struct ccdb_mem { + unsigned int nextid; + }; + +-/* In order to provide a consistent interface, we need to let the caller +- * of getbyXXX own the ccache, therefore the memory back end returns a shallow +- * copy of the ccache +- */ +-static struct kcm_ccache *kcm_ccache_dup(TALLOC_CTX *mem_ctx, +- struct kcm_ccache *in) +-{ +- struct kcm_ccache *out; +- +- out = talloc_zero(mem_ctx, struct kcm_ccache); +- if (out == NULL) { +- return NULL; +- } +- memcpy(out, in, sizeof(struct kcm_ccache)); +- +- return out; +-} +- + static struct ccache_mem_wrap *memdb_get_by_uuid(struct ccdb_mem *memdb, + struct cli_creds *client, + uuid_t uuid) +@@ -417,7 +399,11 @@ static struct tevent_req *ccdb_mem_getbyuuid_send(TALLOC_CTX *mem_ctx, + + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap != NULL) { +- state->cc = kcm_ccache_dup(state, ccwrap->cc); ++ /* In order to provide a consistent interface, we need to let the caller ++ * of getbyXXX own the ccache, therefore the memory back end returns a shallow ++ * copy of the ccache ++ */ ++ state->cc = kcm_cc_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = 
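Review bot: `sec_key_parse` and `sec_key_get_uuid` ignore the return value of `uuid_parse`, so a key whose UUID part is not a valid UUID string still yields `EOK`. In `sec_key_match_uuid` the output buffer has just been cleared with `uuid_clear`, so such a key would compare equal to the nil UUID. I would check the call in both functions, `if (uuid_parse(uuid_str, uuid) != 0) { return EINVAL; }`, and in `sec_key_parse` do it before `*_name` is allocated. The second separator test in `sec_key_parse` repeats what `sec_key_valid` already checked and could be dropped.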
ENOMEM; + goto immediate; +@@ -470,7 +456,11 @@ static struct tevent_req *ccdb_mem_getbyname_send(TALLOC_CTX *mem_ctx, + + ccwrap = memdb_get_by_name(memdb, client, name); + if (ccwrap != NULL) { +- state->cc = kcm_ccache_dup(state, ccwrap->cc); ++ /* In order to provide a consistent interface, we need to let the caller ++ * of getbyXXX own the ccache, therefore the memory back end returns a shallow ++ * copy of the ccache ++ */ ++ state->cc = kcm_cc_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = ENOMEM; + goto immediate; +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index ed1c8247f..726711ac4 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -35,15 +35,16 @@ + #define KCM_SECDB_CCACHE_FMT KCM_SECDB_BASE_FMT"ccache/" + #define KCM_SECDB_DFL_FMT KCM_SECDB_BASE_FMT"default" + +-static errno_t sec_get_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf **_buf) ++static errno_t sec_get(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf **_buf, ++ char **_datatype) + { + errno_t ret; + TALLOC_CTX *tmp_ctx; +- char *b64_sec; ++ char *datatype; + uint8_t *data; +- size_t data_size; ++ size_t len; + struct sss_iobuf *buf; + + tmp_ctx = talloc_new(mem_ctx); +@@ -51,101 +52,61 @@ static errno_t sec_get_b64(TALLOC_CTX *mem_ctx, + return ENOMEM; + } + +- ret = sss_sec_get(tmp_ctx, req, &b64_sec); ++ ret = sss_sec_get(tmp_ctx, req, &data, &len, &datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the secret [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +- data = sss_base64_decode(tmp_ctx, b64_sec, &data_size); +- if (data == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n"); +- ret = EIO; +- goto done; +- } +- +- buf = sss_iobuf_init_readonly(tmp_ctx, data, data_size); ++ buf = sss_iobuf_init_steal(tmp_ctx, data, len); + if (buf == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); + ret = EIO; + goto done; + } + +- ret = EOK; + *_buf = talloc_steal(mem_ctx, buf); ++ if (_datatype != NULL) { ++ *_datatype = talloc_steal(mem_ctx, datatype); ++ } ++ ++ ret = EOK; ++ + done: + talloc_free(tmp_ctx); + return ret; + } + +-static errno_t sec_put_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf *buf) ++static errno_t sec_put(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf *buf) + { + errno_t ret; +- TALLOC_CTX *tmp_ctx; +- char *secret; + +- tmp_ctx = talloc_new(mem_ctx); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- secret = sss_base64_encode(tmp_ctx, +- sss_iobuf_get_data(buf), +- sss_iobuf_get_size(buf)); +- if (secret == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n"); +- ret = EIO; +- goto done; +- } +- +- ret = sss_sec_put(req, secret); ++ ret = sss_sec_put(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), ++ SSS_SEC_PLAINTEXT, "binary"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +- goto done; + } + +- ret = EOK; +-done: +- talloc_free(tmp_ctx); + return ret; + } + +-static errno_t sec_update_b64(TALLOC_CTX *mem_ctx, +- struct sss_sec_req *req, +- struct sss_iobuf *buf) ++static errno_t sec_update(TALLOC_CTX *mem_ctx, ++ struct sss_sec_req *req, ++ struct sss_iobuf *buf) + { + errno_t ret; +- TALLOC_CTX *tmp_ctx; +- char *secret; +- +- tmp_ctx = talloc_new(mem_ctx); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- secret = sss_base64_encode(tmp_ctx, +- sss_iobuf_get_data(buf), +- sss_iobuf_get_size(buf)); +- if (secret == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot encode secret to base64\n"); +- ret = EIO; +- goto done; +- } + +- ret = sss_sec_update(req, secret); ++ ret = sss_sec_update(req, sss_iobuf_get_data(buf), sss_iobuf_get_size(buf), ++ SSS_SEC_PLAINTEXT, "binary"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + 
"Cannot write the secret [%d]: %s\n", ret, sss_strerror(ret)); +- goto done; + } + +- ret = EOK; +-done: +- talloc_free(tmp_ctx); + return ret; + } + +@@ -206,7 +167,7 @@ static errno_t kcm_ccache_to_secdb_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(mem_ctx, cc, &payload); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert ccache to a secret [%d][%s]\n", ret, sss_strerror(ret)); +@@ -480,6 +441,7 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc = NULL; + struct sss_sec_req *sreq = NULL; + struct sss_iobuf *ccbuf; ++ char *datatype; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { +@@ -493,22 +455,23 @@ static errno_t secdb_get_cc(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = sec_get_b64(tmp_ctx, sreq, &ccbuf); ++ ret = sec_get(tmp_ctx, sreq, &ccbuf, &datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the secret [%d][%s]\n", ret, sss_strerror(ret)); + goto done; + } + +- ret = sec_kv_to_ccache(tmp_ctx, +- secdb_key, +- (const char *) sss_iobuf_get_data(ccbuf), +- client, +- &cc); ++ if (strcmp(datatype, "binary") == 0) { ++ ret = sec_kv_to_ccache_binary(tmp_ctx, secdb_key, ccbuf, client, &cc); ++ } else { ++ ret = sec_kv_to_ccache_json(tmp_ctx, secdb_key, ++ (const char *)sss_iobuf_get_data(ccbuf), ++ client, &cc); ++ } + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert %s data to ccache " ++ "[%d]: %s\n", datatype, ret, sss_strerror(ret)); + goto done; + } + +@@ -746,11 +709,11 @@ static struct tevent_req *ccdb_secdb_set_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sss_sec_get(state, sreq, &cur_default); ++ ret = sss_sec_get(state, sreq, (uint8_t**)&cur_default, NULL, NULL); + if (ret == ENOENT) { +- ret = sec_put_b64(state, sreq, iobuf); 
++ ret = sec_put(state, sreq, iobuf); + } else if (ret == EOK) { +- ret = sec_update_b64(state, sreq, iobuf); ++ ret = sec_update(state, sreq, iobuf); + } + + if (ret != EOK) { +@@ -804,7 +767,7 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_get_b64(state, sreq, &dfl_iobuf); ++ ret = sec_get(state, sreq, &dfl_iobuf, NULL); + if (ret == ENOENT) { + uuid_clear(state->uuid); + ret = EOK; +@@ -1230,9 +1193,8 @@ static struct tevent_req *ccdb_secdb_create_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_put_b64(state, ccache_req, ccache_payload); ++ ret = sec_put(state, ccache_req, ccache_payload); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n"); + goto immediate; + } + +@@ -1298,7 +1260,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload); + if (ret != EOK) { + goto immediate; + } +@@ -1308,7 +1270,7 @@ static struct tevent_req *ccdb_secdb_mod_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_update_b64(state, sreq, payload); ++ ret = sec_update(state, sreq, payload); + if (ret != EOK) { + goto immediate; + } +@@ -1374,7 +1336,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = kcm_ccache_to_sec_input(state, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_binary(state, cc, &payload); + if (ret != EOK) { + goto immediate; + } +@@ -1384,7 +1346,7 @@ static struct tevent_req *ccdb_secdb_store_cred_send(TALLOC_CTX *mem_ctx, + goto immediate; + } + +- ret = sec_update_b64(state, sreq, payload); ++ ret = sec_update(state, sreq, payload); + if (ret != EOK) { + goto immediate; + } +diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c +index 440ab3bb9..f3d69842c 100644 +--- 
a/src/responder/kcm/kcmsrv_ccache_secrets.c ++++ b/src/responder/kcm/kcmsrv_ccache_secrets.c +@@ -195,7 +195,7 @@ static errno_t kcm_ccache_to_sec_kv(TALLOC_CTX *mem_ctx, + goto done; + } + +- ret = kcm_ccache_to_sec_input(mem_ctx, cc, client, &payload); ++ ret = kcm_ccache_to_sec_input_json(mem_ctx, cc, &payload); + if (ret != EOK) { + goto done; + } +@@ -489,11 +489,8 @@ static void sec_get_done(struct tevent_req *subreq) + return; + } + +- ret = sec_kv_to_ccache(state, +- state->sec_key, +- sec_value, +- state->client, +- &state->cc); ++ ret = sec_kv_to_ccache_json(state, state->sec_key, sec_value, state->client, ++ &state->cc); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot convert JSON keyval to ccache blob [%d]: %s\n", +diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c +index 421bf4bc5..a1aa9aa20 100644 +--- a/src/responder/kcm/kcmsrv_cmd.c ++++ b/src/responder/kcm/kcmsrv_cmd.c +@@ -314,7 +314,7 @@ static void kcm_reply_error(struct cli_ctx *cctx, + krb5_error_code kerr; + + DEBUG(SSSDBG_OP_FAILURE, +- "KCM operation returs failure [%d]: %s\n", ++ "KCM operation returns failure [%d]: %s\n", + retcode, sss_strerror(retcode)); + kerr = sss2krb5_error(retcode); + +@@ -373,13 +373,16 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx, + { + struct tevent_req *req; + struct cli_ctx *cctx; ++ struct kcm_conn_data *conn_data; + + cctx = req_ctx->cctx; ++ conn_data = talloc_get_type(cctx->state_ctx, struct kcm_conn_data); + + req = kcm_cmd_send(req_ctx, + cctx->ev, + kctx->qctx, + req_ctx->kctx->kcm_data, ++ conn_data, + req_ctx->cctx->creds, + &req_ctx->op_io.request, + req_ctx->op_io.op); +@@ -492,7 +495,7 @@ static void kcm_recv(struct cli_ctx *cctx) + int ret; + + kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx); +- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx); ++ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx); + if (req == NULL) { + /* A new request comes in, setup data structures. 
*/ + req = kcm_new_req(cctx, kctx); +@@ -503,7 +506,17 @@ static void kcm_recv(struct cli_ctx *cctx) + return; + } + +- cctx->state_ctx = req; ++ cctx->protocol_ctx = req; ++ } ++ ++ /* Shared data between requests that originates in the same connection. */ ++ if (cctx->state_ctx == NULL) { ++ cctx->state_ctx = talloc_zero(cctx, struct kcm_conn_data); ++ if (cctx->state_ctx == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up client state\n"); ++ talloc_free(cctx); ++ return; ++ } + } + + ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf); +@@ -558,7 +571,7 @@ static int kcm_send_data(struct cli_ctx *cctx) + struct kcm_req_ctx *req; + errno_t ret; + +- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx); ++ req = talloc_get_type(cctx->protocol_ctx, struct kcm_req_ctx); + + ret = kcm_write_iovec(cctx->cfd, &req->repbuf.v_len); + if (ret != EOK) { +@@ -604,7 +617,7 @@ static void kcm_send(struct cli_ctx *cctx) + DEBUG(SSSDBG_TRACE_INTERNAL, "All data sent!\n"); + TEVENT_FD_NOT_WRITEABLE(cctx->cfde); + TEVENT_FD_READABLE(cctx->cfde); +- talloc_zfree(cctx->state_ctx); ++ talloc_zfree(cctx->protocol_ctx); + return; + } + +diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c +index 6ac66c150..f458c724b 100644 +--- a/src/responder/kcm/kcmsrv_ops.c ++++ b/src/responder/kcm/kcmsrv_ops.c +@@ -22,9 +22,11 @@ + #include "config.h" + + #include ++#include + + #include "util/sss_iobuf.h" + #include "util/sss_krb5.h" ++#include "util/sss_ptr_hash.h" + #include "util/util_creds.h" + #include "responder/kcm/kcm.h" + #include "responder/kcm/kcmsrv_pvt.h" +@@ -38,6 +40,7 @@ + + struct kcm_op_ctx { + struct kcm_resp_ctx *kcm_data; ++ struct kcm_conn_data *conn_data; + struct cli_creds *client; + + struct sss_iobuf *input; +@@ -86,6 +89,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ops_queue_ctx *qctx, + struct kcm_resp_ctx *kcm_data, ++ struct kcm_conn_data *conn_data, + struct cli_creds *client, + 
struct kcm_data *input,
+ struct kcm_op *op)
+@@ -135,6 +139,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
+ }
+
+ state->op_ctx->kcm_data = kcm_data;
++ state->op_ctx->conn_data = conn_data;
+ state->op_ctx->client = client;
+
+ state->op_ctx->input = sss_iobuf_init_readonly(state->op_ctx,
+@@ -1071,8 +1076,75 @@ static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq)
+ tevent_req_done(req);
+ }
+
++static void
++kcm_creds_table_delete_cb(hash_entry_t *item,
++ hash_destroy_enum deltype,
++ void *pvt)
++{
++ /* Delete the old credential if it is being overwritten. */
++ talloc_free(item->value.ptr);
++}
++
++/* Store credentials in a hash table.
++ *
++ * If the table already exist we add the new credentials to the table and
++ * overwrite the ones that already exist. This allows us to correctly serve
++ * also parallel GET_CRED_UUID_LIST requests from the same connection since
++ * it will have its own uuid list and cursor on the client side and we make
++ * all uuid (old, updated and newly added) available.
++ */
++static errno_t
++kcm_creds_to_table(TALLOC_CTX *mem_ctx,
++ struct kcm_cred *creds,
++ hash_table_t **_table)
++{
++ char str[UUID_STR_SIZE];
++ uuid_t uuid;
++ errno_t ret;
++
++ if (*_table == NULL) {
++ *_table = sss_ptr_hash_create(mem_ctx, kcm_creds_table_delete_cb, NULL);
++ if (*_table == NULL) {
++ return ENOMEM;
++ }
++ }
++
++ for (struct kcm_cred *crd = creds;
++ crd != NULL;
++ crd = kcm_cc_next_cred(crd)) {
++ ret = kcm_cred_get_uuid(crd, uuid);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_MINOR_FAILURE, "Credential has no UUID, skipping\n");
++ continue;
++ }
++ uuid_unparse(uuid, str);
++
++ ret = sss_ptr_hash_add_or_override(*_table, str, crd, struct kcm_cred);
++ if (ret != EOK) {
++ return ret;
++ }
++
++ talloc_steal(*_table, crd);
++ }
++
++ return EOK;
++}
++
++static struct kcm_cred *
++kcm_creds_lookup(hash_table_t *table, uuid_t uuid)
++{
++ char str[UUID_STR_SIZE];
++
++ if (uuid == NULL) {
++ return NULL;
++ }
++
++ uuid_unparse(uuid, str);
++ return sss_ptr_hash_lookup(table, str, struct kcm_cred);
++}
++
+ /* (name) -> (uuid, ...)
*/
+-static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq);
++static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq);
+
+ static struct tevent_req *
+ kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx,
+@@ -1106,7 +1178,7 @@ kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx,
+ ret = ENOMEM;
+ goto immediate;
+ }
+- tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_getbyname_done, req);
++ tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_list_getbyname_done, req);
+ return req;
+
+ immediate:
+@@ -1115,17 +1187,20 @@ immediate:
+ return req;
+ }
+
+-static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq)
++static void kcm_op_get_cred_uuid_list_getbyname_done(struct tevent_req *subreq)
+ {
+ errno_t ret;
+ struct kcm_ccache *cc;
+ struct kcm_cred *crd;
++ struct kcm_conn_data *conn_data;
+ uuid_t uuid;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_common_state *state = tevent_req_data(req,
+ struct kcm_op_common_state);
+
++ conn_data = state->op_ctx->conn_data;
++
+ ret = kcm_ccdb_getbyname_recv(subreq, state, &cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+@@ -1137,12 +1212,20 @@ static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq)
+ }
+
+ if (cc == NULL) {
+- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n");
++ DEBUG(SSSDBG_MINOR_FAILURE, "No ccache by that name\n");
+ state->op_ret = ERR_NO_CREDS;
+ tevent_req_done(req);
+ return;
+ }
+
++ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table "
++ "[%d]: %s\n", ret, sss_strerror(ret));
++ tevent_req_error(req, ret);
++ return;
++ }
++
+ for (crd = kcm_cc_get_cred(cc);
+ crd != NULL;
+ crd = kcm_cc_next_cred(crd)) {
+@@ -1169,6 +1252,34 @@ static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq)
+ tevent_req_done(req);
+ }
+
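Review bot: The comment above `kcm_creds_to_table` does not say that the function takes ownership of the credentials it is given. `talloc_steal(*_table, crd)` re-parents every entry to the per-connection table, and `kcm_creds_table_delete_cb` frees the previous entry when a UUID is overwritten, while the ccache list passed in by the caller still links to those objects. I would add something like `/* Takes ownership of each credential in creds: it is re-parented to *_table and freed on override or when the table is freed; do not reach it through the ccache afterwards. */`. It is also worth stating that a failure of `sss_ptr_hash_add_or_override` part-way through the loop leaves the earlier credentials already moved. Since the table lives on the connection data, credential blobs stay in responder memory until the connection goes away, and nothing in this hunk bounds how many entries one connection can accumulate.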
++static errno_t ++kcm_op_get_cred_by_uuid_reply(struct kcm_cred *crd, ++ struct sss_iobuf *reply) ++{ ++ struct sss_iobuf *cred_blob; ++ errno_t ret; ++ ++ cred_blob = kcm_cred_get_creds(crd); ++ if (cred_blob == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n"); ++ return ERR_NO_CREDS; ++ } ++ ++ ret = sss_iobuf_write_len(reply, sss_iobuf_get_data(cred_blob), ++ sss_iobuf_get_size(cred_blob)); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot write ccache blob [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ } ++ ++ return ret; ++} ++ ++struct kcm_op_get_cred_by_uuid_state { ++ struct kcm_op_common_state common; ++ uuid_t uuid; ++}; ++ + /* (name, uuid) -> (cred) */ + static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq); + +@@ -1179,20 +1290,51 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx, + { + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; +- struct kcm_op_common_state *state = NULL; ++ struct kcm_op_get_cred_by_uuid_state *state; ++ struct kcm_cred *crd; + errno_t ret; + const char *name; + +- req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); ++ req = tevent_req_create(mem_ctx, &state, ++ struct kcm_op_get_cred_by_uuid_state); + if (req == NULL) { + return NULL; + } +- state->op_ctx = op_ctx; ++ state->common.op_ctx = op_ctx; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + goto immediate; + } ++ ++ ret = sss_iobuf_read_len(state->common.op_ctx->input, UUID_BYTES, ++ state->uuid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Cannot read input UUID [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto immediate; ++ } ++ ++ if (op_ctx->conn_data->creds != NULL) { ++ crd = kcm_creds_lookup(op_ctx->conn_data->creds, state->uuid); ++ if (crd == NULL) { ++ /* This should not happen, it can only happen if wrong UUID was ++ * requested which suggests bug in the caller application. 
*/ ++ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ kcm_debug_uuid(state->uuid); ++ state->common.op_ret = ERR_KCM_CC_END; ++ ret = EOK; ++ goto immediate; ++ } else { ++ ret = kcm_op_get_cred_by_uuid_reply(crd, op_ctx->reply); ++ if (ret == ERR_NO_CREDS) { ++ state->common.op_ret = ret; ++ ret = EOK; ++ } ++ goto immediate; ++ } ++ } ++ + DEBUG(SSSDBG_TRACE_LIBS, "Returning creds by UUID for %s\n", name); + + subreq = kcm_ccdb_getbyname_send(state, ev, +@@ -1207,7 +1349,11 @@ kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx, + return req; + + immediate: +- tevent_req_error(req, ret); ++ if (ret == EOK) { ++ tevent_req_done(req); ++ } else { ++ tevent_req_error(req, ret); ++ } + tevent_req_post(req, ev); + return req; + } +@@ -1216,14 +1362,14 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq) + { + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); +- struct kcm_op_common_state *state = tevent_req_data(req, +- struct kcm_op_common_state); ++ struct kcm_op_get_cred_by_uuid_state *state = tevent_req_data(req, ++ struct kcm_op_get_cred_by_uuid_state); + errno_t ret; + struct kcm_ccache *cc; + struct kcm_cred *crd; +- uuid_t uuid_in; +- uuid_t uuid; +- struct sss_iobuf *cred_blob; ++ struct kcm_conn_data *conn_data; ++ ++ conn_data = state->common.op_ctx->conn_data; + + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); +@@ -1235,67 +1381,43 @@ static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq) + return; + } + +- if (cc == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that name\n"); +- state->op_ret = ERR_NO_MATCHING_CREDS; +- tevent_req_done(req); +- return; +- } +- +- ret = sss_iobuf_read_len(state->op_ctx->input, +- UUID_BYTES, uuid_in); ++ ret = kcm_creds_to_table(conn_data, kcm_cc_get_cred(cc), &conn_data->creds); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot read input UUID [%d]: %s\n", +- ret, 
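Review bot: The cached fast path in `kcm_op_get_cred_by_uuid_send` answers from `op_ctx->conn_data->creds` by UUID alone, so the `name` read just above is never checked against the ccache the entry came from, and a miss returns `ERR_KCM_CC_END` through `goto immediate` without consulting the ccache database. Once a GET_CRED_UUID_LIST has populated the table, a credential stored after that list is not found on this connection, and one removed or replaced in the meantime would still be served, unless the table is invalidated somewhere outside this hunk. I would let a miss fall through to `kcm_ccdb_getbyname_send` instead of finishing immediately, and document the staleness assumption next to the lookup, e.g. `/* Table is a snapshot from GET_CRED_UUID_LIST; it is not refreshed when the ccache changes. */`. The function starts and ends outside this hunk.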
sss_strerror(ret)); ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to build credentials hash table " ++ "[%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + +- for (crd = kcm_cc_get_cred(cc); +- crd != NULL; +- crd = kcm_cc_next_cred(crd)) { +- ret = kcm_cred_get_uuid(crd, uuid); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Cannot get UUID from creds, skipping\n"); +- continue; ++ if (conn_data->creds != NULL) { ++ crd = kcm_creds_lookup(conn_data->creds, state->uuid); ++ if (crd == NULL) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); ++ kcm_debug_uuid(state->uuid); ++ state->common.op_ret = ERR_KCM_CC_END; ++ } else { ++ ret = kcm_op_get_cred_by_uuid_reply(crd, state->common.op_ctx->reply); ++ if (ret != EOK && ret != ERR_NO_CREDS) { ++ tevent_req_error(req, ret); ++ return; ++ } ++ state->common.op_ret = ret; + } +- +- if (uuid_compare(uuid, uuid_in) == 0) { +- break; +- } +- kcm_debug_uuid(uuid); + } + +- if (crd == NULL) { +- state->op_ret = ERR_KCM_CC_END; +- DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); +- tevent_req_done(req); +- return; +- } ++ tevent_req_done(req); ++} + +- cred_blob = kcm_cred_get_creds(crd); +- if (cred_blob == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n"); +- state->op_ret = ERR_NO_CREDS; +- tevent_req_done(req); +- return; +- } ++static errno_t kcm_op_get_cred_by_uuid_recv(struct tevent_req *req, ++ uint32_t *_op_ret) ++{ ++ struct kcm_op_get_cred_by_uuid_state *state; + +- ret = sss_iobuf_write_len(state->op_ctx->reply, +- sss_iobuf_get_data(cred_blob), +- sss_iobuf_get_size(cred_blob)); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Cannot write ccache blob [%d]: %s\n", +- ret, sss_strerror(ret)); +- tevent_req_error(req, ret); +- return; +- } ++ state = tevent_req_data(req, struct kcm_op_get_cred_by_uuid_state); + +- state->op_ret = EOK; +- tevent_req_done(req); ++ TEVENT_REQ_RETURN_ON_ERROR(req); ++ *_op_ret = 
state->common.op_ret; ++ return EOK; + } + + /* (name, flags, credtag) -> () */ +@@ -1468,7 +1590,7 @@ static void kcm_op_get_cache_by_uuid_done(struct tevent_req *subreq) + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "Cannot get ccahe by UUID [%d]: %s\n", ++ "Cannot get ccache by UUID [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; +@@ -2153,7 +2275,7 @@ static struct kcm_op kcm_optable[] = { + { "RETRIEVE", NULL, NULL }, + { "GET_PRINCIPAL", kcm_op_get_principal_send, NULL }, + { "GET_CRED_UUID_LIST", kcm_op_get_cred_uuid_list_send, NULL }, +- { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, NULL }, ++ { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, kcm_op_get_cred_by_uuid_recv }, + { "REMOVE_CRED", kcm_op_remove_cred_send, NULL }, + { "SET_FLAGS", NULL, NULL }, + { "CHOWN", NULL, NULL }, +diff --git a/src/responder/kcm/kcmsrv_ops.h b/src/responder/kcm/kcmsrv_ops.h +index 67d9f8602..ab6c13791 100644 +--- a/src/responder/kcm/kcmsrv_ops.h ++++ b/src/responder/kcm/kcmsrv_ops.h +@@ -24,6 +24,7 @@ + + #include "config.h" + ++#include + #include + #include "util/sss_iobuf.h" + #include "responder/kcm/kcmsrv_pvt.h" +@@ -32,10 +33,17 @@ struct kcm_op; + struct kcm_op *kcm_get_opt(uint16_t opcode); + const char *kcm_opt_name(struct kcm_op *op); + ++struct kcm_conn_data { ++ /* Credentials obtained by GET_CRED_UUID_LIST. We use to improve performance ++ * by avoiding ccache lookups in GET_CRED_BY_UUID. 
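Review bot: `kcm_op_get_cred_by_uuid_getbyname_done` no longer checks `cc == NULL` before calling `kcm_cc_get_cred(cc)`, because the removed guard that set `ERR_NO_MATCHING_CREDS` has no replacement on the new side. Whether `kcm_cc_get_cred` tolerates NULL is not visible here. Even if it does, a missing ccache now creates an empty table and is reported as `ERR_KCM_CC_END` instead of the previous code, which changes what the client sees for an unknown name. I would restore the guard before the table is built: `if (cc == NULL) { state->common.op_ret = ERR_NO_MATCHING_CREDS; tevent_req_done(req); return; }`. The later `if (conn_data->creds != NULL)` test can never be false after a successful `kcm_creds_to_table` and could be dropped. The function's opening lines are in the preceding hunk.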
*/ ++ hash_table_t *creds; ++}; ++ + struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ops_queue_ctx *qctx, + struct kcm_resp_ctx *kcm_data, ++ struct kcm_conn_data *conn_data, + struct cli_creds *client, + struct kcm_data *input, + struct kcm_op *op); +diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c +index eb37c08b7..252ef3a1d 100644 +--- a/src/responder/secrets/local.c ++++ b/src/responder/secrets/local.c +@@ -134,7 +134,7 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + break; + } + +- ret = sss_sec_get(state, ssec_req, &secret); ++ ret = sss_sec_get(state, ssec_req, (uint8_t**)&secret, NULL, NULL); + if (ret) goto done; + + if (body_is_json) { +@@ -168,7 +168,8 @@ static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + } + if (ret) goto done; + +- ret = sss_sec_put(ssec_req, secret); ++ ret = sss_sec_put(ssec_req, (uint8_t *)secret, strlen(secret) + 1, ++ SSS_SEC_MASTERKEY, "simple"); + if (ret) goto done; + break; + +diff --git a/src/shared/safealign.h b/src/shared/safealign.h +index b00c37f5b..35909faa2 100644 +--- a/src/shared/safealign.h ++++ b/src/shared/safealign.h +@@ -97,6 +97,10 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) + #define SAFEALIGN_SETMEM_UINT16(dest, value, pctr) \ + SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr) + ++/* SAFEALIGN_SETMEM_UINT8(void *dest, uint8_t value, size_t *pctr) */ ++#define SAFEALIGN_SETMEM_UINT8(dest, value, pctr) \ ++ SAFEALIGN_SETMEM_VALUE(dest, value, uint8_t, pctr) ++ + /* These macros are the same as their equivalents without _CHECK suffix, + * but additionally make the caller return EINVAL immediately if *pctr + * would exceed len. 
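Review bot: The `sss_sec_get` call in `local_secret_req` passes `NULL` for the length and casts the byte buffer back to `char *`, although this same commit removes the check in `local_decrypt` that rejected output that was not NUL-terminated and widens `LOCAL_SIMPLE_FILTER` to match `type=binary` entries. If `secret` is then handled as a C string (the JSON branch right after the call suggests so, but its body is outside the hunk), a stored value without a terminator would be read past its end. I would keep the length and validate it here: `ret = sss_sec_get(state, ssec_req, (uint8_t **)&secret, &secret_len, NULL);` followed by `if (ret == EOK && (secret_len == 0 || secret[secret_len - 1] != '\0')) ret = EINVAL;`, with `secret_len` declared as a new `size_t` local.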
*/ +diff --git a/src/tests/cmocka/test_kcm_json_marshalling.c b/src/tests/cmocka/test_kcm_marshalling.c +similarity index 71% +rename from src/tests/cmocka/test_kcm_json_marshalling.c +rename to src/tests/cmocka/test_kcm_marshalling.c +index 48ee92bd6..cebebac80 100644 +--- a/src/tests/cmocka/test_kcm_json_marshalling.c ++++ b/src/tests/cmocka/test_kcm_marshalling.c +@@ -154,7 +154,7 @@ static void assert_cc_equal(struct kcm_ccache *cc1, + assert_cc_offset_equal(cc1, cc2); + } + +-static void test_kcm_ccache_marshall_unmarshall(void **state) ++static void test_kcm_ccache_marshall_unmarshall_json(void **state) + { + struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, + struct kcm_marshalling_test_ctx); +@@ -182,10 +182,7 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) + &cc); + assert_int_equal(ret, EOK); + +- ret = kcm_ccache_to_sec_input(test_ctx, +- cc, +- &owner, +- &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -196,25 +193,19 @@ static void test_kcm_ccache_marshall_unmarshall(void **state) + key = sec_key_create(test_ctx, name, uuid); + assert_non_null(key); + +- ret = sec_kv_to_ccache(test_ctx, +- key, +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, ++ &cc2); + assert_int_equal(ret, EOK); + + assert_cc_equal(cc, cc2); + + /* This key is exactly one byte shorter than it should be */ +- ret = sec_kv_to_ccache(test_ctx, +- TEST_UUID_STR"-", +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, TEST_UUID_STR "-", (const char *)data, ++ &owner, &cc2); + assert_int_equal(ret, EINVAL); + } + +-static void test_kcm_ccache_no_princ(void **state) ++static void test_kcm_ccache_no_princ_json(void **state) + { + struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, + struct kcm_marshalling_test_ctx); +@@ -246,10 +237,7 @@ 
static void test_kcm_ccache_no_princ(void **state) + princ = kcm_cc_get_client_principal(cc); + assert_null(princ); + +- ret = kcm_ccache_to_sec_input(test_ctx, +- cc, +- &owner, +- &payload); ++ ret = kcm_ccache_to_sec_input_json(test_ctx, cc, &payload); + assert_int_equal(ret, EOK); + + data = sss_iobuf_get_data(payload); +@@ -260,11 +248,110 @@ static void test_kcm_ccache_no_princ(void **state) + key = sec_key_create(test_ctx, name, uuid); + assert_non_null(key); + +- ret = sec_kv_to_ccache(test_ctx, +- key, +- (const char *) data, +- &owner, +- &cc2); ++ ret = sec_kv_to_ccache_json(test_ctx, key, (const char *)data, &owner, ++ &cc2); ++ assert_int_equal(ret, EOK); ++ ++ assert_cc_equal(cc, cc2); ++} ++ ++static void test_kcm_ccache_marshall_unmarshall_binary(void **state) ++{ ++ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, ++ struct kcm_marshalling_test_ctx); ++ errno_t ret; ++ struct cli_creds owner; ++ struct kcm_ccache *cc; ++ struct kcm_ccache *cc2; ++ struct sss_iobuf *payload; ++ const char *name; ++ const char *key; ++ uint8_t *data; ++ uuid_t uuid; ++ ++ owner.ucred.uid = getuid(); ++ owner.ucred.gid = getuid(); ++ ++ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); ++ assert_non_null(name); ++ ++ ret = kcm_cc_new(test_ctx, ++ test_ctx->kctx, ++ &owner, ++ name, ++ test_ctx->princ, ++ &cc); ++ assert_int_equal(ret, EOK); ++ ++ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); ++ assert_int_equal(ret, EOK); ++ ++ data = sss_iobuf_get_data(payload); ++ assert_non_null(data); ++ ++ ret = kcm_cc_get_uuid(cc, uuid); ++ assert_int_equal(ret, EOK); ++ key = sec_key_create(test_ctx, name, uuid); ++ assert_non_null(key); ++ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); ++ assert_int_equal(ret, EOK); ++ ++ assert_cc_equal(cc, cc2); ++ ++ /* This key is exactly one byte shorter than it should be */ ++ sss_iobuf_cursor_reset(payload); ++ ret = 
sec_kv_to_ccache_binary(test_ctx, TEST_UUID_STR "-", payload, &owner, ++ &cc2); ++ assert_int_equal(ret, EINVAL); ++} ++ ++static void test_kcm_ccache_no_princ_binary(void **state) ++{ ++ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state, ++ struct kcm_marshalling_test_ctx); ++ errno_t ret; ++ struct cli_creds owner; ++ const char *name; ++ struct kcm_ccache *cc; ++ krb5_principal princ; ++ struct kcm_ccache *cc2; ++ struct sss_iobuf *payload; ++ const char *key; ++ uint8_t *data; ++ uuid_t uuid; ++ ++ owner.ucred.uid = getuid(); ++ owner.ucred.gid = getuid(); ++ ++ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid()); ++ assert_non_null(name); ++ ++ ret = kcm_cc_new(test_ctx, ++ test_ctx->kctx, ++ &owner, ++ name, ++ NULL, ++ &cc); ++ assert_int_equal(ret, EOK); ++ ++ princ = kcm_cc_get_client_principal(cc); ++ assert_null(princ); ++ ++ ret = kcm_ccache_to_sec_input_binary(test_ctx, cc, &payload); ++ assert_int_equal(ret, EOK); ++ ++ data = sss_iobuf_get_data(payload); ++ assert_non_null(data); ++ ++ ret = kcm_cc_get_uuid(cc, uuid); ++ assert_int_equal(ret, EOK); ++ key = sec_key_create(test_ctx, name, uuid); ++ assert_non_null(key); ++ ++ sss_iobuf_cursor_reset(payload); ++ ret = sec_kv_to_ccache_binary(test_ctx, key, payload, &owner, &cc2); + assert_int_equal(ret, EOK); + + assert_cc_equal(cc, cc2); +@@ -340,10 +427,16 @@ int main(int argc, const char *argv[]) + }; + + const struct CMUnitTest tests[] = { +- cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall, ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_binary, ++ setup_kcm_marshalling, ++ teardown_kcm_marshalling), ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_binary, ++ setup_kcm_marshalling, ++ teardown_kcm_marshalling), ++ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), +- cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ, ++ 
cmocka_unit_test_setup_teardown(test_kcm_ccache_no_princ_json, + setup_kcm_marshalling, + teardown_kcm_marshalling), + cmocka_unit_test(test_sec_key_get_uuid), +diff --git a/src/tests/cmocka/test_sss_ptr_hash.c b/src/tests/cmocka/test_sss_ptr_hash.c +index 1458238f5..31cf8b705 100644 +--- a/src/tests/cmocka/test_sss_ptr_hash.c ++++ b/src/tests/cmocka/test_sss_ptr_hash.c +@@ -91,6 +91,45 @@ void test_sss_ptr_hash_with_free_cb(void **state) + assert_int_equal(free_counter, MAX_ENTRIES_AMOUNT*2); + } + ++void test_sss_ptr_hash_overwrite_with_free_cb(void **state) ++{ ++ hash_table_t *table; ++ int free_counter = 0; ++ unsigned long count; ++ char *payload; ++ char *value; ++ errno_t ret; ++ ++ table = sss_ptr_hash_create(global_talloc_context, ++ free_payload_cb, ++ &free_counter); ++ assert_non_null(table); ++ ++ payload = talloc_strdup(table, "test_value1"); ++ assert_non_null(payload); ++ talloc_set_name_const(payload, "char"); ++ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); ++ assert_int_equal(ret, 0); ++ count = hash_count(table); ++ assert_int_equal(count, 1); ++ value = sss_ptr_hash_lookup(table, "test", char); ++ assert_ptr_equal(value, payload); ++ ++ ++ payload = talloc_strdup(table, "test_value2"); ++ assert_non_null(payload); ++ talloc_set_name_const(payload, "char"); ++ ret = sss_ptr_hash_add_or_override(table, "test", payload, char); ++ assert_int_equal(ret, 0); ++ count = hash_count(table); ++ assert_int_equal(count, 1); ++ value = sss_ptr_hash_lookup(table, "test", char); ++ assert_ptr_equal(value, payload); ++ ++ talloc_free(table); ++ assert_int_equal(free_counter, 2); ++} ++ + struct table_wrapper + { + hash_table_t **table; +diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c +index d77a972c1..d258622fb 100644 +--- a/src/tests/cmocka/test_utils.c ++++ b/src/tests/cmocka/test_utils.c +@@ -2144,6 +2144,9 @@ int main(int argc, const char *argv[]) + 
cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_free_cb,
+ setup_leak_tests,
+ teardown_leak_tests),
++ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_overwrite_with_free_cb,
++ setup_leak_tests,
++ teardown_leak_tests),
+ cmocka_unit_test_setup_teardown(test_sss_ptr_hash_with_lookup_cb,
+ setup_leak_tests,
+ teardown_leak_tests),
+diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h
+index 44b9479f9..458bcb750 100644
+--- a/src/tests/cmocka/test_utils.h
++++ b/src/tests/cmocka/test_utils.h
+@@ -35,6 +35,7 @@ void test_concatenate_string_array(void **state);
+
+ /* from src/tests/cmocka/test_sss_ptr_hash.c */
+ void test_sss_ptr_hash_with_free_cb(void **state);
++void test_sss_ptr_hash_overwrite_with_free_cb(void **state);
+ void test_sss_ptr_hash_with_lookup_cb(void **state);
+ void test_sss_ptr_hash_without_cb(void **state);
+
+diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py
+index 00933fb34..18d722c13 100644
+--- a/src/tests/intg/test_secrets.py
++++ b/src/tests/intg/test_secrets.py
+@@ -438,7 +438,8 @@ def run_quota_test(cli, max_secrets, max_payload_size):
+ KILOBYTE = 1024
+ kb_payload_size = max_payload_size * KILOBYTE
+
+- sec_value = "x" * kb_payload_size
++ # Adjust payload size to hold terminal zero byte.
++ sec_value = "x" * (kb_payload_size - 1) + + cli.set_secret("foo", sec_value) + +diff --git a/src/tests/multihost/basic/test_kcm.py b/src/tests/multihost/basic/test_kcm.py +index e5d315827..6f65431f8 100644 +--- a/src/tests/multihost/basic/test_kcm.py ++++ b/src/tests/multihost/basic/test_kcm.py +@@ -310,6 +310,12 @@ class TestSanityKCM(object): + set_param(multihost, 'kcm', 'max_ccache_size', '1') + self._restart_kcm(multihost) + +- with pytest.raises(paramiko.ssh_exception.AuthenticationException): +- ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, +- username='foo3', password='Secret123') ++ # We use kinit to exceed the maximum ccache size as it creates payload ++ # of 1280 bytes by acquiring tgt and also some control credentials. ++ # SSH authentication is not sufficient as it stores only tgt. ++ ssh_foo3 = SSHClient(multihost.master[0].sys_hostname, ++ username='foo3', password='Secret123') ++ (_, _, exit_status) = ssh_foo3.execute_cmd( ++ 'kinit foo3@EXAMPLE.TEST', 'Secret123' ++ ) ++ assert exit_status != 0 +diff --git a/src/util/secrets/sec_pvt.h b/src/util/secrets/sec_pvt.h +index 92e2b8b25..0e77a660e 100644 +--- a/src/util/secrets/sec_pvt.h ++++ b/src/util/secrets/sec_pvt.h +@@ -33,7 +33,7 @@ + #define SSS_SEC_KCM_BASEPATH "/kcm/" + + struct sss_sec_data { +- char *data; ++ uint8_t *data; + size_t length; + }; + +diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c +index d701face0..c6310b585 100644 +--- a/src/util/secrets/secrets.c ++++ b/src/util/secrets/secrets.c +@@ -36,9 +36,14 @@ + #define SECRETS_BASEDN "cn=secrets" + #define KCM_BASEDN "cn=kcm" + +-#define LOCAL_SIMPLE_FILTER "(type=simple)" ++#define LOCAL_SIMPLE_FILTER "(|(type=simple)(type=binary))" + #define LOCAL_CONTAINER_FILTER "(type=container)" + ++#define SEC_ATTR_SECRET "secret" ++#define SEC_ATTR_ENCTYPE "enctype" ++#define SEC_ATTR_TYPE "type" ++#define SEC_ATTR_CTIME "creationTime" ++ + typedef int (*url_mapper_fn)(TALLOC_CTX *mem_ctx, + const char *url, + 
uid_t client, +@@ -63,90 +68,136 @@ static struct sss_sec_quota default_kcm_quota = { + .containers_nest_level = DEFAULT_SEC_CONTAINERS_NEST_LEVEL, + }; + +-static int local_decrypt(struct sss_sec_ctx *sctx, TALLOC_CTX *mem_ctx, +- const char *secret, const char *enctype, +- char **plain_secret) ++static const char *sss_sec_enctype_to_str(enum sss_sec_enctype enctype) + { +- char *output; ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ return "plaintext"; ++ case SSS_SEC_MASTERKEY: ++ return "masterkey"; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: unknown encryption type %d\n", ++ enctype); ++ return "unknown"; ++ } ++} + +- if (enctype && strcmp(enctype, "masterkey") == 0) { +- DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); ++static enum sss_sec_enctype sss_sec_str_to_enctype(const char *str) ++{ ++ if (strcmp("plaintext", str) == 0) { ++ return SSS_SEC_PLAINTEXT; ++ } + +- struct sss_sec_data _secret; +- size_t outlen; +- int ret; ++ if (strcmp("masterkey", str) == 0) { ++ return SSS_SEC_MASTERKEY; ++ } ++ ++ return SSS_SEC_ENCTYPE_SENTINEL; ++} + +- _secret.data = (char *)sss_base64_decode(mem_ctx, secret, +- &_secret.length); ++static int local_decrypt(struct sss_sec_ctx *sctx, ++ TALLOC_CTX *mem_ctx, ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ uint8_t **_output, ++ size_t *_output_len) ++{ ++ struct sss_sec_data _secret; ++ uint8_t *output; ++ size_t output_len; ++ int ret; ++ ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ output = talloc_memdup(mem_ctx, secret, secret_len); ++ output_len = secret_len; ++ break; ++ case SSS_SEC_MASTERKEY: ++ _secret.data = (uint8_t *)sss_base64_decode(mem_ctx, ++ (const char *)secret, ++ &_secret.length); + if (!_secret.data) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed\n"); + return EINVAL; + } + ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); + ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sctx->master_key.data, ++ 
sctx->master_key.data, + sctx->master_key.length, +- (uint8_t *)_secret.data, _secret.length, +- (uint8_t **)&output, &outlen); ++ _secret.data, _secret.length, ++ &output, &output_len); + talloc_free(_secret.data); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_decrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } ++ break; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); ++ return EINVAL; ++ } + +- if (((strnlen(output, outlen) + 1) != outlen) || +- output[outlen - 1] != '\0') { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Output length mismatch or output not NULL-terminated\n"); +- talloc_free(output); +- return EIO; +- } +- } else { +- DEBUG(SSSDBG_TRACE_INTERNAL, "Unexpected enctype (not 'masterkey')\n"); +- output = talloc_strdup(mem_ctx, secret); +- if (!output) return ENOMEM; ++ if (output == NULL) { ++ return ENOMEM; + } + +- *plain_secret = output; ++ *_output = output; ++ *_output_len = output_len; ++ + return EOK; + } + +-static int local_encrypt(struct sss_sec_ctx *sec_ctx, TALLOC_CTX *mem_ctx, +- const char *secret, const char *enctype, +- char **ciphertext) ++static int local_encrypt(struct sss_sec_ctx *sec_ctx, ++ TALLOC_CTX *mem_ctx, ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ uint8_t **_output, ++ size_t *_output_len) + { + struct sss_sec_data _secret; +- char *output; ++ uint8_t *output; ++ size_t output_len; ++ char *b64; + int ret; + +- if (enctype == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n"); +- return EINVAL; +- } ++ switch (enctype) { ++ case SSS_SEC_PLAINTEXT: ++ output = talloc_memdup(mem_ctx, secret, secret_len); ++ output_len = secret_len; ++ break; ++ case SSS_SEC_MASTERKEY: ++ ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, ++ sec_ctx->master_key.data, ++ sec_ctx->master_key.length, ++ secret, secret_len, ++ &_secret.data, &_secret.length); ++ if (ret) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sss_encrypt failed [%d]: %s\n", ret, 
sss_strerror(ret)); ++ return ret; ++ } + +- if (strcmp(enctype, "masterkey") != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%s'\n", enctype); ++ b64 = sss_base64_encode(mem_ctx, _secret.data, _secret.length); ++ output = (uint8_t*)b64; ++ output_len = strlen(b64) + 1; ++ talloc_free(_secret.data); ++ break; ++ default: ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%d'\n", enctype); + return EINVAL; + } + +- ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, +- (uint8_t *)sec_ctx->master_key.data, +- sec_ctx->master_key.length, +- (const uint8_t *)secret, strlen(secret) + 1, +- (uint8_t **)&_secret.data, &_secret.length); +- if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, +- "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); +- return ret; ++ if (output == NULL) { ++ return ENOMEM; + } + +- output = sss_base64_encode(mem_ctx, +- (uint8_t *)_secret.data, _secret.length); +- talloc_free(_secret.data); +- if (!output) return ENOMEM; ++ *_output = output; ++ *_output_len = output_len; + +- *ciphertext = output; + return EOK; + } + +@@ -338,14 +389,14 @@ static int local_check_max_payload_size(struct sss_sec_req *req, + return EOK; + } + +- max_payload_size = req->quota->max_payload_size * 1024; /* kb */ ++ max_payload_size = req->quota->max_payload_size * 1024; /* KiB */ + if (payload_size > max_payload_size) { + DEBUG(SSSDBG_OP_FAILURE, +- "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed " +- "payload size [%d kb (%d)]\n", +- payload_size * 1024, /* kb */ ++ "Secrets' payload size [%d KiB (%d B)] exceeds the maximum " ++ "allowed payload size [%d KiB (%d B)]\n", ++ payload_size / 1024, /* KiB */ + payload_size, +- req->quota->max_payload_size, /* kb */ ++ req->quota->max_payload_size, /* KiB */ + max_payload_size); + + return ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE; +@@ -404,7 +455,7 @@ static int local_db_create(struct sss_sec_req *req) + ret = local_db_check_containers_nest_level(req, msg->dn); + if (ret != EOK) goto done; + +- ret = 
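Review bot: In the `SSS_SEC_MASTERKEY` branch of `local_encrypt`, `output_len = strlen(b64) + 1` runs before anything tests the result of `sss_base64_encode`, so an encoder failure is dereferenced instead of reaching the `output == NULL` check further down. The removed code did return `ENOMEM` on a NULL result. A guard right after the call fixes it: `if (b64 == NULL) { talloc_free(_secret.data); return ENOMEM; }`. In `local_decrypt`, the same branch casts `secret` to `const char *` for `sss_base64_decode` and ignores `secret_len`, which relies on the stored value carrying a terminator. The final length-and-terminator validation of the decrypted output is dropped as well, so callers that still treat the result as a string have to check that themselves.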
ldb_msg_add_string(msg, "type", "container"); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, "container"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:container [%d]: %s\n", +@@ -412,7 +463,7 @@ static int local_db_create(struct sss_sec_req *req) + goto done; + } + +- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); ++ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", +@@ -892,7 +943,7 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + size_t *_num_keys) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", NULL }; ++ static const char *attrs[] = { SEC_ATTR_SECRET, NULL }; + struct ldb_result *res; + char **keys; + int ret; +@@ -951,13 +1002,21 @@ done: + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret) ++ uint8_t **_secret, ++ size_t *_secret_len, ++ char **_datatype) + { + TALLOC_CTX *tmp_ctx; +- static const char *attrs[] = { "secret", "enctype", NULL }; ++ static const char *attrs[] = { SEC_ATTR_SECRET, SEC_ATTR_ENCTYPE, ++ SEC_ATTR_TYPE, NULL }; + struct ldb_result *res; +- const char *attr_secret; ++ const struct ldb_val *attr_secret; + const char *attr_enctype; ++ const char *attr_datatype; ++ enum sss_sec_enctype enctype; ++ char *datatype; ++ uint8_t *secret; ++ size_t secret_len; + int ret; + + if (req == NULL || _secret == NULL) { +@@ -996,21 +1055,38 @@ errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + +- attr_secret = ldb_msg_find_attr_as_string(res->msgs[0], "secret", NULL); ++ attr_secret = ldb_msg_find_ldb_val(res->msgs[0], SEC_ATTR_SECRET); + if (!attr_secret) { + DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n"); + ret = ENOENT; + goto done; + } + +- attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL); ++ attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], 
SEC_ATTR_ENCTYPE, ++ "plaintext"); ++ enctype = sss_sec_str_to_enctype(attr_enctype); ++ ret = local_decrypt(req->sctx, tmp_ctx, attr_secret->data, ++ attr_secret->length, enctype, &secret, &secret_len); ++ if (ret) goto done; + +- if (attr_enctype) { +- ret = local_decrypt(req->sctx, mem_ctx, attr_secret, attr_enctype, _secret); +- if (ret) goto done; +- } else { +- *_secret = talloc_strdup(mem_ctx, attr_secret); ++ if (_datatype != NULL) { ++ attr_datatype = ldb_msg_find_attr_as_string(res->msgs[0], SEC_ATTR_TYPE, ++ "simple"); ++ datatype = talloc_strdup(tmp_ctx, attr_datatype); ++ if (datatype == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ *_datatype = talloc_steal(mem_ctx, datatype); + } ++ ++ *_secret = talloc_steal(mem_ctx, secret); ++ ++ if (_secret_len) { ++ *_secret_len = secret_len; ++ } ++ + ret = EOK; + + done: +@@ -1019,11 +1095,13 @@ done: + } + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret) ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ const char *datatype) + { + struct ldb_message *msg; +- const char *enctype = "masterkey"; +- char *enc_secret; ++ struct ldb_val enc_secret; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1064,7 +1142,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = local_check_max_payload_size(req, strlen(secret)); ++ ret = local_check_max_payload_size(req, secret_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_check_max_payload_size failed [%d]: %s\n", +@@ -1072,22 +1150,24 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); ++ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, ++ &enc_secret.data, &enc_secret.length); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +- ret = ldb_msg_add_string(msg, "type", "simple"); ++ ret = 
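Review bot: sss_sec_get now hands back a binary `uint8_t *` secret, yet `_secret_len` is optional (`if (_secret_len)`), so a caller that passes NULL gets a buffer whose length it cannot know and which may not be NUL-terminated. The argument check shown in the previous hunk could require it: `if (req == NULL || _secret == NULL || _secret_len == NULL)`. The prototype in secrets.h would also benefit from a comment stating that `*_secret` and `*_datatype` are reparented to `mem_ctx`, and that a missing enctype or type attribute is read as "plaintext" and "simple" respectively. The function starts and ends outside this hunk.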
ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, +- "ldb_msg_add_string failed adding type:simple [%d]: %s\n", +- ret, sss_strerror(ret)); ++ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", ++ datatype, ret, sss_strerror(ret)); + goto done; + } + +- ret = ldb_msg_add_string(msg, "enctype", enctype); ++ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, ++ sss_sec_enctype_to_str(enctype)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", +@@ -1095,7 +1175,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "secret", enc_secret); ++ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding secret [%d]: %s\n", +@@ -1103,7 +1183,7 @@ errno_t sss_sec_put(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); ++ ret = ldb_msg_add_fmt(msg, SEC_ATTR_CTIME, "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", +@@ -1132,11 +1212,13 @@ done: + } + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret) ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ const char *datatype) + { + struct ldb_message *msg; +- const char *enctype = "masterkey"; +- char *enc_secret; ++ struct ldb_val enc_secret; + int ret; + + if (req == NULL || secret == NULL) { +@@ -1177,7 +1259,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = local_check_max_payload_size(req, strlen(secret)); ++ ret = local_check_max_payload_size(req, secret_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_check_max_payload_size failed [%d]: %s\n", +@@ -1185,15 +1267,49 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = 
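Review bot: `datatype` is now supplied by the caller but is never checked before it reaches `ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype)` and the `%s` in the failure message; the entry check shown in the earlier sss_sec_put hunk covers only `req` and `secret`. Rejecting it up front, `if (req == NULL || secret == NULL || datatype == NULL)`, keeps a bad caller from passing a NULL string into ldb, and the same applies to sss_sec_update in the hunks that follow. Separately, the `ldb_msg_add_value` calls added in the next hunk and in sss_sec_update keep the old "ldb_msg_add_string failed" text, which will point a log reader at the wrong call. The function body starts and ends outside the hunk.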
local_encrypt(req->sctx, msg, secret, enctype, &enc_secret); ++ ret = local_encrypt(req->sctx, msg, secret, secret_len, enctype, ++ &enc_secret.data, &enc_secret.length); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_ENCTYPE, LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = ldb_msg_add_string(msg, SEC_ATTR_ENCTYPE, ++ sss_sec_enctype_to_str(enctype)); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_msg_add_string failed adding enctype [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_TYPE, LDB_FLAG_MOD_REPLACE, NULL); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = ldb_msg_add_string(msg, SEC_ATTR_TYPE, datatype); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "ldb_msg_add_string failed adding type:%s [%d]: %s\n", ++ datatype, ret, sss_strerror(ret)); ++ goto done; ++ } ++ + /* FIXME - should we have a lastUpdate timestamp? 
*/ +- ret = ldb_msg_add_empty(msg, "secret", LDB_FLAG_MOD_REPLACE, NULL); ++ ret = ldb_msg_add_empty(msg, SEC_ATTR_SECRET, LDB_FLAG_MOD_REPLACE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(ret)); +@@ -1201,7 +1317,7 @@ errno_t sss_sec_update(struct sss_sec_req *req, + goto done; + } + +- ret = ldb_msg_add_string(msg, "secret", enc_secret); ++ ret = ldb_msg_add_value(msg, SEC_ATTR_SECRET, &enc_secret, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ldb_msg_add_string failed: [%s]\n", ldb_strerror(ret)); +diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h +index 9cf397516..f79bfaa4b 100644 +--- a/src/util/secrets/secrets.h ++++ b/src/util/secrets/secrets.h +@@ -43,6 +43,12 @@ + #define DEFAULT_SEC_KCM_MAX_UID_SECRETS 64 + #define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536 + ++enum sss_sec_enctype { ++ SSS_SEC_PLAINTEXT, ++ SSS_SEC_MASTERKEY, ++ SSS_SEC_ENCTYPE_SENTINEL ++}; ++ + struct sss_sec_ctx; + + struct sss_sec_req; +@@ -88,13 +94,21 @@ errno_t sss_sec_list(TALLOC_CTX *mem_ctx, + + errno_t sss_sec_get(TALLOC_CTX *mem_ctx, + struct sss_sec_req *req, +- char **_secret); ++ uint8_t **_secret, ++ size_t *_secret_len, ++ char **_datatype); + + errno_t sss_sec_put(struct sss_sec_req *req, +- const char *secret); ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ const char *datatype); + + errno_t sss_sec_update(struct sss_sec_req *req, +- const char *secret); ++ uint8_t *secret, ++ size_t secret_len, ++ enum sss_sec_enctype enctype, ++ const char *datatype); + + errno_t sss_sec_create_container(struct sss_sec_req *req); + +diff --git a/src/util/sss_iobuf.c b/src/util/sss_iobuf.c +index 518713e4c..3056a7b0d 100644 +--- a/src/util/sss_iobuf.c ++++ b/src/util/sss_iobuf.c +@@ -66,6 +66,30 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, + return iobuf; + } + ++struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx, ++ 
uint8_t *data, ++ size_t size) ++{ ++ struct sss_iobuf *iobuf; ++ ++ iobuf = talloc_zero(mem_ctx, struct sss_iobuf); ++ if (iobuf == NULL) { ++ return NULL; ++ } ++ ++ iobuf->data = talloc_steal(iobuf, data); ++ iobuf->size = size; ++ iobuf->capacity = size; ++ iobuf->dp = 0; ++ ++ return iobuf; ++} ++ ++void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf) ++{ ++ iobuf->dp = 0; ++} ++ + size_t sss_iobuf_get_len(struct sss_iobuf *iobuf) + { + if (iobuf == NULL) { +@@ -223,6 +247,109 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf, + return EOK; + } + ++errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ uint8_t **_out, ++ size_t *_len) ++{ ++ uint8_t *out; ++ uint32_t len; ++ size_t slen; ++ errno_t ret; ++ ++ if (iobuf == NULL || _out == NULL || _len == NULL) { ++ return EINVAL; ++ } ++ ++ ret = sss_iobuf_read_uint32(iobuf, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (len == 0) { ++ *_out = NULL; ++ *_len = 0; ++ return EOK; ++ } ++ ++ out = talloc_array(mem_ctx, uint8_t, len); ++ if (out == NULL) { ++ return ENOMEM; ++ } ++ ++ slen = len; ++ ret = sss_iobuf_read_len(iobuf, slen, out); ++ if (ret != EOK) { ++ talloc_free(out); ++ return ret; ++ } ++ ++ *_out = out; ++ *_len = slen; ++ ++ return EOK; ++} ++ ++errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf, ++ uint8_t *data, ++ size_t len) ++{ ++ errno_t ret; ++ ++ if (iobuf == NULL || (data == NULL && len != 0)) { ++ return EINVAL; ++ } ++ ++ ret = sss_iobuf_write_uint32(iobuf, len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ if (len == 0) { ++ return EOK; ++ } ++ ++ return sss_iobuf_write_len(iobuf, data, len); ++} ++ ++errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ struct sss_iobuf **_out) ++{ ++ struct sss_iobuf *out; ++ uint8_t *data; ++ size_t len; ++ errno_t ret; ++ ++ ret = sss_iobuf_read_varlen(NULL, iobuf, &data, &len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ out = sss_iobuf_init_steal(mem_ctx, data, len); 
++ if (out == NULL) { ++ return ENOMEM; ++ } ++ ++ *_out = out; ++ ++ return EOK; ++} ++ ++errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf, ++ struct sss_iobuf *data) ++{ ++ return sss_iobuf_write_varlen(iobuf, data->data, data->size); ++} ++ ++errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf, ++ uint8_t *_val) ++{ ++ SAFEALIGN_COPY_UINT8_CHECK(_val, iobuf_ptr(iobuf), ++ iobuf->capacity, &iobuf->dp); ++ return EOK; ++} ++ + errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf, + uint32_t *_val) + { +@@ -239,6 +366,20 @@ errno_t sss_iobuf_read_int32(struct sss_iobuf *iobuf, + return EOK; + } + ++errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf, ++ uint8_t val) ++{ ++ errno_t ret; ++ ++ ret = ensure_bytes(iobuf, sizeof(uint8_t)); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ SAFEALIGN_SETMEM_UINT8(iobuf_ptr(iobuf), val, &iobuf->dp); ++ return EOK; ++} ++ + errno_t sss_iobuf_write_uint32(struct sss_iobuf *iobuf, + uint32_t val) + { +diff --git a/src/util/sss_iobuf.h b/src/util/sss_iobuf.h +index cc3dfd1e9..159fbc0b9 100644 +--- a/src/util/sss_iobuf.h ++++ b/src/util/sss_iobuf.h +@@ -50,6 +50,29 @@ struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx, + const uint8_t *data, + size_t size); + ++/* ++ * @brief Allocate an IO buffer with a fixed size, stealing input data. ++ * ++ * This function is useful for parsing an input buffer from an existing ++ * buffer pointed to by data. ++ * ++ * The iobuf assumes ownership of the data buffer. ++ * ++ * @param[in] mem_ctx The talloc context that owns the iobuf ++ * @param[in] data The data to initialize the IO buffer with. ++ * @param[in] size The size of the data buffer ++ * ++ * @return The newly created buffer on success or NULL on an error. 
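Review bot: sss_iobuf_read_varlen calls `talloc_array(mem_ctx, uint8_t, len)` with a length it has just read from the buffer, before comparing it with the bytes actually left, so a length declared by the peer can force a large allocation that is only thrown away when sss_iobuf_read_len fails. Checking first avoids that, e.g. `if (len > iobuf->capacity - iobuf->dp) return ENOBUFS;`, assuming `capacity - dp` is the unread remainder and using whichever error sss_iobuf_read_len returns for a short buffer (not visible here). In sss_iobuf_read_iobuf, `data` is allocated on the NULL context and leaks when sss_iobuf_init_steal returns NULL; add `talloc_free(data);` before `return ENOMEM;`. sss_iobuf_write_varlen also passes a `size_t len` to sss_iobuf_write_uint32 without rejecting values above UINT32_MAX, which would write a truncated length prefix followed by the full payload.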
++ */ ++struct sss_iobuf *sss_iobuf_init_steal(TALLOC_CTX *mem_ctx, ++ uint8_t *data, ++ size_t size); ++ ++/* ++ * @brief Reset internal cursor of the IO buffer (seek to the start) ++ */ ++void sss_iobuf_cursor_reset(struct sss_iobuf *iobuf); ++ + /* + * @brief Returns the number of bytes currently stored in the iobuf + * +@@ -131,6 +154,28 @@ errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf, + uint8_t *buf, + size_t len); + ++errno_t sss_iobuf_read_varlen(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ uint8_t **_out, ++ size_t *_len); ++ ++errno_t sss_iobuf_write_varlen(struct sss_iobuf *iobuf, ++ uint8_t *data, ++ size_t len); ++ ++errno_t sss_iobuf_read_iobuf(TALLOC_CTX *mem_ctx, ++ struct sss_iobuf *iobuf, ++ struct sss_iobuf **_out); ++ ++errno_t sss_iobuf_write_iobuf(struct sss_iobuf *iobuf, ++ struct sss_iobuf *data); ++ ++errno_t sss_iobuf_read_uint8(struct sss_iobuf *iobuf, ++ uint8_t *_val); ++ ++errno_t sss_iobuf_write_uint8(struct sss_iobuf *iobuf, ++ uint8_t val); ++ + errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf, + uint32_t *_val); + +@@ -148,4 +193,5 @@ errno_t sss_iobuf_read_stringz(struct sss_iobuf *iobuf, + + errno_t sss_iobuf_write_stringz(struct sss_iobuf *iobuf, + const char *str); ++ + #endif /* __SSS_IOBUF_H_ */ +diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c +index 6409236c7..e3805dac4 100644 +--- a/src/util/sss_ptr_hash.c ++++ b/src/util/sss_ptr_hash.c +@@ -54,6 +54,7 @@ struct sss_ptr_hash_value { + hash_table_t *table; + const char *key; + void *payload; ++ bool delete_in_progress; + }; + + static int +@@ -61,12 +62,22 @@ sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value) + { + hash_key_t table_key; + ++ /* Do not call hash_delete() if we got here from hash delete callback when ++ * the callback calls talloc_free(payload) which frees the value. This ++ * should not happen since talloc will avoid circular free but let's be ++ * over protective here. 
*/ ++ if (value->delete_in_progress) { ++ return 0; ++ } ++ ++ value->delete_in_progress = true; + if (value->table && value->key) { + table_key.type = HASH_KEY_STRING; + table_key.str = discard_const_p(char, value->key); + if (hash_delete(value->table, &table_key) != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "failed to delete entry with key '%s'\n", value->key); ++ value->delete_in_progress = false; + } + } + +@@ -127,6 +138,15 @@ sss_ptr_hash_delete_cb(hash_entry_t *item, + callback_entry.key = item->key; + callback_entry.value.type = HASH_VALUE_PTR; + callback_entry.value.ptr = value->payload; ++ ++ /* Delete the value in case this callback has been called directly ++ * from dhash (overwriting existing entry) instead of hash_delete() ++ * in value's destructor. */ ++ if (!value->delete_in_progress) { ++ talloc_set_destructor(value, NULL); ++ talloc_free(value); ++ } ++ + /* Even if execution is already in the context of + * talloc_free(payload) -> talloc_free(value) -> ... + * there still might be legitimate reasons to execute callback. +-- +2.21.3 + diff --git a/SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch b/SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch deleted file mode 100644 index 9a6d266..0000000 --- a/SOURCES/0002-test-avoid-endian-issues-in-network-tests.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 532b75c937d767caf60bb00f1a525ae7f6c70cc6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Wed, 20 May 2020 12:07:13 +0200 -Subject: [PATCH] test: avoid endian issues in network tests - -Reviewed-by: Alexey Tikhonov ---- - src/tests/cmocka/test_nss_srv.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c -index 2c91d0a23..3cd7809cf 100644 ---- a/src/tests/cmocka/test_nss_srv.c -+++ b/src/tests/cmocka/test_nss_srv.c -@@ -35,6 +35,7 @@ - #include "util/util_sss_idmap.h" - #include "util/crypto/sss_crypto.h" - #include "util/crypto/nss/nss_util.h" -+#include "util/sss_endian.h" - #include "db/sysdb_private.h" /* new_subdomain() */ - #include "db/sysdb_iphosts.h" - #include "db/sysdb_ipnetworks.h" -@@ -5308,7 +5309,13 @@ struct netent test_netent = { - .n_name = discard_const("test_network"), - .n_aliases = discard_const(test_netent_aliases), - .n_addrtype = AF_INET, -+#if (__BYTE_ORDER == __LITTLE_ENDIAN) - .n_net = 0x04030201 /* 1.2.3.4 */ -+#elif (__BYTE_ORDER == __BIG_ENDIAN) -+ .n_net = 0x01020304 /* 1.2.3.4 */ -+#else -+ #error "unknow endianess" -+#endif - }; - - static void mock_input_netbyname(const char *name) --- -2.21.1 - diff --git a/SOURCES/0003-DEBUG-journal_send-was-made-static.patch b/SOURCES/0003-DEBUG-journal_send-was-made-static.patch new file mode 100644 index 0000000..faa9c9e --- /dev/null +++ b/SOURCES/0003-DEBUG-journal_send-was-made-static.patch 
@@ -0,0 +1,29 @@ +From 833034f5332d2492d413a9c97fded1480b58bf14 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 21 Oct 2020 18:47:32 +0200 +Subject: [PATCH 3/4] DEBUG: journal_send() was made static +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Tomáš Halman +--- + src/util/debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/util/debug.c b/src/util/debug.c +index 1d5f75e4d..c162987b9 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -201,7 +201,7 @@ static void debug_printf(const char *format, ...) + } + + #ifdef WITH_JOURNALD +-errno_t journal_send(const char *file, ++static errno_t journal_send(const char *file, + long line, + const char *function, + int level, +-- +2.21.3 + diff --git a/SOURCES/0003-sssctl-sssctl-config-check-alternative-config-file.patch b/SOURCES/0003-sssctl-sssctl-config-check-alternative-config-file.patch deleted file mode 100644 index 9934c57..0000000 --- a/SOURCES/0003-sssctl-sssctl-config-check-alternative-config-file.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -From 61f4aaa56ea876fb75c1366c938818b7799408ab Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Wed, 29 Apr 2020 16:40:36 +0200 -Subject: [PATCH] sssctl: sssctl config-check alternative config file - -The sssctl config-check now allows to specify alternative config -file so it can be tested before rewriting system configuration. - - sssctl config-check -c ./sssd.conf - -Configuration snippets are looked up in the same place under -conf.d directory. It would be in ./conf.d/ for the example above. - -Resolves: -https://github.com/SSSD/sssd/issues/5142 - -Reviewed-by: Pawel Polawski ---- - src/confdb/confdb.h | 6 ++-- - src/tools/sssctl/sssctl_config.c | 56 ++++++++++++++++++++++++++++---- - 2 files changed, 53 insertions(+), 9 deletions(-) - -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index 0a5593232..a2b58e12a 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -40,8 +40,10 @@ - - #define CONFDB_DEFAULT_CFG_FILE_VER 2 - #define CONFDB_FILE "config.ldb" --#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf" --#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d" -+#define SSSD_CONFIG_FILE_NAME "sssd.conf" -+#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/"SSSD_CONFIG_FILE_NAME -+#define CONFDB_DEFAULT_CONFIG_DIR_NAME "conf.d" -+#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/"CONFDB_DEFAULT_CONFIG_DIR_NAME - #define SSSD_MIN_ID 1 - #define SSSD_LOCAL_MINID 1000 - #define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh" -diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c -index 74395b61c..de9f3de6e 100644 ---- a/src/tools/sssctl/sssctl_config.c -+++ b/src/tools/sssctl/sssctl_config.c -@@ -34,6 +34,29 @@ - - - #ifdef HAVE_LIBINI_CONFIG_V1_3 -+ -+static char *sssctl_config_snippet_path(TALLOC_CTX *ctx, const char *path) -+{ -+ char *tmp = NULL; -+ const char delimiter = '/'; -+ char *dpos = NULL; -+ -+ tmp = talloc_strdup(ctx, path); -+ if (!tmp) { -+ return NULL; -+ } -+ -+ dpos = strrchr(tmp, delimiter); -+ 
if (dpos != NULL) { -+ ++dpos; -+ *dpos = '\0'; -+ } else { -+ *tmp = '\0'; -+ } -+ -+ return talloc_strdup_append(tmp, CONFDB_DEFAULT_CONFIG_DIR_NAME); -+} -+ - errno_t sssctl_config_check(struct sss_cmdline *cmdline, - struct sss_tool_ctx *tool_ctx, - void *pvt) -@@ -47,8 +70,15 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, - size_t num_ra_error, num_ra_success; - char **strs = NULL; - TALLOC_CTX *tmp_ctx = NULL; -- -- ret = sss_tool_popt(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL); -+ const char *config_path = NULL; -+ const char *config_snippet_path = NULL; -+ struct poptOption long_options[] = { -+ {"config", 'c', POPT_ARG_STRING, &config_path, -+ 0, _("Specify a non-default config file"), NULL}, -+ POPT_TABLEEND -+ }; -+ -+ ret = sss_tool_popt(cmdline, long_options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); - return ret; -@@ -62,17 +92,29 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, - goto done; - } - -+ if (config_path != NULL) { -+ config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path); -+ if (config_snippet_path == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n"); -+ ret = ENOMEM; -+ goto done; -+ } -+ } else { -+ config_path = SSSD_CONFIG_FILE; -+ config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR; -+ } -+ - ret = sss_ini_read_sssd_conf(init_data, -- SSSD_CONFIG_FILE, -- CONFDB_DEFAULT_CONFIG_DIR); -+ config_path, -+ config_snippet_path); - - if (ret == ERR_INI_OPEN_FAILED) { -- PRINT("Failed to open %s\n", SSSD_CONFIG_FILE); -+ PRINT("Failed to open %s\n", config_path); - goto done; - } - - if (!sss_ini_exists(init_data)) { -- PRINT("File %1$s does not exist.\n", SSSD_CONFIG_FILE); -+ PRINT("File %1$s does not exist.\n", config_path); - } - - if (ret == ERR_INI_INVALID_PERMISSION) { -@@ -83,7 +125,7 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, - - if (ret == ERR_INI_PARSE_FAILED) { - 
PRINT("Failed to load configuration from %s.\n", -- SSSD_CONFIG_FILE); -+ config_path); - goto done; - } - --- -2.21.1 - diff --git a/SOURCES/0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch b/SOURCES/0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch new file mode 100644 index 0000000..8352ea6 --- /dev/null +++ b/SOURCES/0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch 
@@ -0,0 +1,71 @@ +From 18233532b72e62452eac6886652fa633ba055d8c Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 21 Oct 2020 19:20:03 +0200 +Subject: [PATCH 4/4] DEBUG: fixes program identifier as seen in syslog +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 225fe9950f2807d5fb226f6b3be1ff4cefd731f0 changed `debug_prg_name` +to accomodate needs of own SSSD logs, but this affected journal/syslog +as well. + +This patch amends situation: + - journal messages gets "umbrella" identifier "sssd[]" + - syslog uses default which is program name + +Resolves: https://github.com/SSSD/sssd/issues/5384 + +Reviewed-by: Tomáš Halman +--- + src/util/debug.c | 2 +- + src/util/sss_log.c | 12 +++--------- + 2 files changed, 4 insertions(+), 10 deletions(-) + +diff --git a/src/util/debug.c b/src/util/debug.c +index c162987b9..f05b26500 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -250,7 +250,7 @@ static errno_t journal_send(const char *file, + "MESSAGE=%s", message, + "PRIORITY=%i", LOG_DEBUG, + "SSSD_DOMAIN=%s", domain, +- "SSSD_PRG_NAME=%s", debug_prg_name, ++ "SSSD_PRG_NAME=sssd[%s]", debug_prg_name, + "SSSD_DEBUG_LEVEL=%x", level, + NULL); + ret = -res; +diff --git a/src/util/sss_log.c b/src/util/sss_log.c +index 48e73dbea..c6b7435c6 100644 +--- a/src/util/sss_log.c ++++ b/src/util/sss_log.c +@@ -107,7 +107,7 @@ static void sss_log_internal(int priority, int facility, const char *format, + "SSSD_DOMAIN=%s", domain, + "PRIORITY=%i", syslog_priority, + "SYSLOG_FACILITY=%i", LOG_FAC(facility), +- "SYSLOG_IDENTIFIER=%s", debug_prg_name, ++ "SYSLOG_IDENTIFIER=sssd[%s]", debug_prg_name, + NULL); + + free(message); +@@ -118,15 +118,9 @@ static void sss_log_internal(int priority, int facility, const char *format, + static void sss_log_internal(int priority, int facility, const char *format, + va_list ap) + { +- int syslog_priority; +- +- syslog_priority = sss_to_syslog(priority); +- +- openlog(debug_prg_name, 
0, facility); +- +- vsyslog(syslog_priority, format, ap); ++ int syslog_priority = sss_to_syslog(priority); + +- closelog(); ++ vsyslog(facility|syslog_priority, format, ap); + } + + #endif /* WITH_JOURNALD */ +-- +2.21.3 + diff --git a/SOURCES/0004-DEBUG-only-open-child-process-log-files-when-require.patch b/SOURCES/0004-DEBUG-only-open-child-process-log-files-when-require.patch deleted file mode 100644 index 00814b7..0000000 --- a/SOURCES/0004-DEBUG-only-open-child-process-log-files-when-require.patch +++ /dev/null 
@@ -1,664 +0,0 @@ -From 375887543daf26003ff7d900cf6a69d0c0b58523 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 27 May 2020 22:33:50 +0200 -Subject: [PATCH] DEBUG: only open child process log files when required - -There was no reason to keep child process log files open permanently. - -This patch: - - helps to avoid issue when SIGHUP was ignored for child process logs; - - somewhat reduces code duplication. - -Resolves: https://github.com/SSSD/sssd/issues/4667 - -Reviewed-by: Pawel Polawski ---- - src/providers/ad/ad_gpo.c | 17 +++-------------- - src/providers/ad/ad_init.c | 7 ------- - src/providers/ad/ad_machine_pw_renewal.c | 2 +- - src/providers/ipa/ipa_init.c | 7 ------- - src/providers/ipa/ipa_selinux.c | 17 +---------------- - src/providers/krb5/krb5_child_handler.c | 2 +- - src/providers/krb5/krb5_common.h | 1 - - src/providers/krb5/krb5_init_shared.c | 8 -------- - src/providers/ldap/ldap_common.c | 3 --- - src/providers/ldap/ldap_common.h | 6 ------ - src/providers/ldap/ldap_init.c | 7 ------- - src/providers/ldap/sdap_child_helpers.c | 10 +--------- - src/responder/pam/pamsrv.c | 1 - - src/responder/pam/pamsrv.h | 2 -- - src/responder/pam/pamsrv_cmd.c | 2 +- - src/responder/pam/pamsrv_p11.c | 9 ++------- - src/responder/ssh/ssh_private.h | 1 - - src/responder/ssh/ssh_reply.c | 4 ++-- - src/responder/ssh/sshsrv.c | 10 ---------- - src/tests/cmocka/test_cert_utils.c | 12 ++++++------ - src/util/cert.h | 2 +- - src/util/cert/cert_common_p11_child.c | 9 ++++----- - src/util/child_common.c | 21 +++++++++++++++++---- - src/util/child_common.h | 6 ++---- - 24 files changed, 42 insertions(+), 124 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index f17917552..bbe8d8a1e 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -99,15 +99,14 @@ - #define GPO_CHILD SSSD_LIBEXEC_PATH"/gpo_child" - #endif - -+#define GPO_CHILD_LOG_FILE "gpo_child" -+ - /* If INI_PARSE_IGNORE_NON_KVP is not 
defined, use 0 (no effect) */ - #ifndef INI_PARSE_IGNORE_NON_KVP - #define INI_PARSE_IGNORE_NON_KVP 0 - #warning INI_PARSE_IGNORE_NON_KVP not defined. - #endif - --/* fd used by the gpo_child process for logging */ --int gpo_child_debug_fd = -1; -- - /* == common data structures and declarations ============================= */ - - struct gp_som { -@@ -1618,13 +1617,6 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, - return ret; - } - --#define GPO_CHILD_LOG_FILE "gpo_child" -- --static errno_t gpo_child_init(void) --{ -- return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd); --} -- - /* - * This function retrieves the raw policy_setting_value for the input key from - * the GPO_Result object in the sysdb cache. It then parses the raw value and -@@ -1808,9 +1800,6 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, - hash_value_t val; - enum gpo_map_type gpo_map_type; - -- /* setup logging for gpo child */ -- gpo_child_init(); -- - req = tevent_req_create(mem_ctx, &state, struct ad_gpo_access_state); - if (req == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); -@@ -4763,7 +4752,7 @@ gpo_fork_child(struct tevent_req *req) - if (pid == 0) { /* child */ - exec_child_ex(state, - pipefd_to_child, pipefd_from_child, -- GPO_CHILD, gpo_child_debug_fd, NULL, false, -+ GPO_CHILD, GPO_CHILD_LOG_FILE, NULL, false, - STDIN_FILENO, AD_GPO_CHILD_OUT_FILENO); - - /* We should never get here */ -diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c -index 05535fcb0..704e63a06 100644 ---- a/src/providers/ad/ad_init.c -+++ b/src/providers/ad/ad_init.c -@@ -402,13 +402,6 @@ static errno_t ad_init_misc(struct be_ctx *be_ctx, - - sdap_id_ctx->opts->sdom->pvt = ad_id_ctx; - -- ret = sdap_setup_child(); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n", -- ret, sss_strerror(ret)); -- return ret; -- } -- - ret = ad_init_srv_plugin(be_ctx, ad_options); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup 
SRV plugin [%d]: %s\n", -diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c -index e0db5fad5..ce9bbe6f3 100644 ---- a/src/providers/ad/ad_machine_pw_renewal.c -+++ b/src/providers/ad/ad_machine_pw_renewal.c -@@ -185,7 +185,7 @@ ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx, - child_pid = fork(); - if (child_pid == 0) { /* child */ - exec_child_ex(state, pipefd_to_child, pipefd_from_child, -- renewal_data->prog_path, -1, -+ renewal_data->prog_path, NULL, - extra_args, true, - STDIN_FILENO, STDERR_FILENO); - -diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c -index cdfd11d7a..d8d592653 100644 ---- a/src/providers/ipa/ipa_init.c -+++ b/src/providers/ipa/ipa_init.c -@@ -571,13 +571,6 @@ static errno_t ipa_init_misc(struct be_ctx *be_ctx, - return ret; - } - -- ret = sdap_setup_child(); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n", -- ret, sss_strerror(ret)); -- return ret; -- } -- - if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) { - ret = ipa_init_server_mode(be_ctx, ipa_options, ipa_id_ctx); - if (ret != EOK) { -diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c -index 630f68ad5..9ae37b90d 100644 ---- a/src/providers/ipa/ipa_selinux.c -+++ b/src/providers/ipa/ipa_selinux.c -@@ -51,9 +51,6 @@ - - #include - --/* fd used by the selinux_child process for logging */ --int selinux_child_debug_fd = -1; -- - static struct tevent_req * - ipa_get_selinux_send(TALLOC_CTX *mem_ctx, - struct be_ctx *be_ctx, -@@ -565,7 +562,6 @@ struct selinux_child_state { - struct child_io_fds *io; - }; - --static errno_t selinux_child_init(void); - static errno_t selinux_child_create_buffer(struct selinux_child_state *state); - static errno_t selinux_fork_child(struct selinux_child_state *state); - static void selinux_child_step(struct tevent_req *subreq); -@@ -602,12 +598,6 @@ static struct tevent_req 
*selinux_child_send(TALLOC_CTX *mem_ctx, - state->io->read_from_child_fd = -1; - talloc_set_destructor((void *) state->io, child_io_destructor); - -- ret = selinux_child_init(); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Failed to init the child\n"); -- goto immediately; -- } -- - ret = selinux_child_create_buffer(state); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Failed to create the send buffer\n"); -@@ -638,11 +628,6 @@ immediately: - return req; - } - --static errno_t selinux_child_init(void) --{ -- return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd); --} -- - static errno_t selinux_child_create_buffer(struct selinux_child_state *state) - { - size_t rp; -@@ -712,7 +697,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state) - - if (pid == 0) { /* child */ - exec_child(state, pipefd_to_child, pipefd_from_child, -- SELINUX_CHILD, selinux_child_debug_fd); -+ SELINUX_CHILD, SELINUX_CHILD_LOG_FILE); - DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n", - ret, sss_strerror(ret)); - return ret; -diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c -index b7fb54499..8546285b2 100644 ---- a/src/providers/krb5/krb5_child_handler.c -+++ b/src/providers/krb5/krb5_child_handler.c -@@ -465,7 +465,7 @@ static errno_t fork_child(struct tevent_req *req) - if (pid == 0) { /* child */ - exec_child_ex(state, - pipefd_to_child, pipefd_from_child, -- KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd, -+ KRB5_CHILD, KRB5_CHILD_LOG_FILE, - krb5_child_extra_args, false, - STDIN_FILENO, STDOUT_FILENO); - -diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h -index 493d12e5f..f198e2684 100644 ---- a/src/providers/krb5/krb5_common.h -+++ b/src/providers/krb5/krb5_common.h -@@ -124,7 +124,6 @@ struct krb5_ctx { - struct dp_option *opts; - struct krb5_service *service; - struct krb5_service *kpasswd_service; -- int child_debug_fd; - - sss_regexp_t 
*illegal_path_re; - -diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c -index afe15b365..ea3d32805 100644 ---- a/src/providers/krb5/krb5_init_shared.c -+++ b/src/providers/krb5/krb5_init_shared.c -@@ -71,14 +71,6 @@ errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, - goto done; - } - -- krb5_auth_ctx->child_debug_fd = -1; /* -1 means not initialized */ -- ret = child_debug_init(KRB5_CHILD_LOG_FILE, -- &krb5_auth_ctx->child_debug_fd); -- if (ret != EOK) { -- DEBUG(SSSDBG_OP_FAILURE, "Could not set krb5_child debugging!\n"); -- goto done; -- } -- - ret = parse_krb5_map_user(krb5_auth_ctx, - dp_opt_get_cstring(krb5_auth_ctx->opts, - KRB5_MAP_USER), -diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c -index 9d7806a2f..2133db36f 100644 ---- a/src/providers/ldap/ldap_common.c -+++ b/src/providers/ldap/ldap_common.c -@@ -35,9 +35,6 @@ - - #include "providers/ldap/sdap_idmap.h" - --/* a fd the child process would log into */ --int ldap_child_debug_fd = -1; -- - errno_t ldap_id_setup_tasks(struct sdap_id_ctx *ctx) - { - return sdap_id_setup_tasks(ctx->be, ctx, ctx->opts->sdom, -diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h -index 63ee5dd84..13e6d4871 100644 ---- a/src/providers/ldap/ldap_common.h -+++ b/src/providers/ldap/ldap_common.h -@@ -44,9 +44,6 @@ - - #define LDAP_ENUM_PURGE_TIMEOUT 10800 - --/* a fd the child process would log into */ --extern int ldap_child_debug_fd; -- - struct sdap_id_ctx; - - struct sdap_id_conn_ctx { -@@ -342,9 +339,6 @@ sdap_ipnetwork_handler_recv(TALLOC_CTX *mem_ctx, - struct tevent_req *req, - struct dp_reply_std *data); - --/* setup child logging */ --int sdap_setup_child(void); -- - - errno_t string_to_shadowpw_days(const char *s, long *d); - -diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c -index 1be5d13de..de64e5985 100644 ---- a/src/providers/ldap/ldap_init.c -+++ b/src/providers/ldap/ldap_init.c 
-@@ -419,13 +419,6 @@ static errno_t ldap_init_misc(struct be_ctx *be_ctx, - return ret; - } - -- ret = sdap_setup_child(); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n", -- ret, sss_strerror(ret)); -- return ret; -- } -- - /* Setup SRV lookup plugin */ - ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL); - if (ret != EOK) { -diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c -index a03d28c9c..9d25aea8b 100644 ---- a/src/providers/ldap/sdap_child_helpers.c -+++ b/src/providers/ldap/sdap_child_helpers.c -@@ -111,7 +111,7 @@ static errno_t sdap_fork_child(struct tevent_context *ev, - if (pid == 0) { /* child */ - exec_child(child, - pipefd_to_child, pipefd_from_child, -- LDAP_CHILD, ldap_child_debug_fd); -+ LDAP_CHILD, LDAP_CHILD_LOG_FILE); - - /* We should never get here */ - DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec LDAP child\n"); -@@ -512,11 +512,3 @@ static errno_t set_tgt_child_timeout(struct tevent_req *req, - - return EOK; - } -- -- -- --/* Setup child logging */ --int sdap_setup_child(void) --{ -- return child_debug_init(LDAP_CHILD_LOG_FILE, &ldap_child_debug_fd); --} -diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c -index a4c9ebbbb..dde44a472 100644 ---- a/src/responder/pam/pamsrv.c -+++ b/src/responder/pam/pamsrv.c -@@ -277,7 +277,6 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, - goto done; - } - -- pctx->p11_child_debug_fd = -1; - if (pctx->cert_auth) { - ret = p11_child_init(pctx); - if (ret != EOK) { -diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h -index 24bd9764d..478d91b93 100644 ---- a/src/responder/pam/pamsrv.h -+++ b/src/responder/pam/pamsrv.h -@@ -54,7 +54,6 @@ struct pam_ctx { - char **app_services; - - bool cert_auth; -- int p11_child_debug_fd; - char *nss_db; - struct sss_certmap_ctx *sss_certmap_ctx; - char **smartcard_services; -@@ -110,7 +109,6 @@ void sss_cai_check_users(struct cert_auth_info 
**list, size_t *_cert_count, - - struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -- int child_debug_fd, - const char *nss_db, - time_t timeout, - const char *verify_opts, -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index ddde9eda2..1cd901f15 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1404,7 +1404,7 @@ static errno_t check_cert(TALLOC_CTX *mctx, - return ret; - } - -- req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd, -+ req = pam_check_cert_send(mctx, ev, - pctx->nss_db, p11_child_timeout, - cert_verification_opts, pctx->sss_certmap_ctx, - uri, pd); -diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c -index 8e276b200..3f0afaeff 100644 ---- a/src/responder/pam/pamsrv_p11.c -+++ b/src/responder/pam/pamsrv_p11.c -@@ -242,7 +242,7 @@ errno_t p11_child_init(struct pam_ctx *pctx) - return ret; - } - -- return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd); -+ return EOK; - } - - static inline bool -@@ -705,7 +705,6 @@ static void p11_child_timeout(struct tevent_context *ev, - - struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -- int child_debug_fd, - const char *nss_db, - time_t timeout, - const char *verify_opts, -@@ -838,14 +837,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, - goto done; - } - -- if (child_debug_fd == -1) { -- child_debug_fd = STDERR_FILENO; -- } -- - child_pid = fork(); - if (child_pid == 0) { /* child */ - exec_child_ex(state, pipefd_to_child, pipefd_from_child, -- P11_CHILD_PATH, child_debug_fd, extra_args, false, -+ P11_CHILD_PATH, P11_CHILD_LOG_FILE, extra_args, false, - STDIN_FILENO, STDOUT_FILENO); - - /* We should never get here */ -diff --git a/src/responder/ssh/ssh_private.h b/src/responder/ssh/ssh_private.h -index 028ccd616..5aa7e37d6 100644 ---- a/src/responder/ssh/ssh_private.h -+++ 
b/src/responder/ssh/ssh_private.h -@@ -36,7 +36,6 @@ struct ssh_ctx { - char *ca_db; - bool use_cert_keys; - -- int p11_child_debug_fd; - time_t certmap_last_read; - struct sss_certmap_ctx *sss_certmap_ctx; - char **cert_rules; -diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c -index 97914266d..edeb28765 100644 ---- a/src/responder/ssh/ssh_reply.c -+++ b/src/responder/ssh/ssh_reply.c -@@ -249,7 +249,7 @@ struct tevent_req *ssh_get_output_keys_send(TALLOC_CTX *mem_ctx, - : state->user_cert_override; - - subreq = cert_to_ssh_key_send(state, state->ev, -- state->ssh_ctx->p11_child_debug_fd, -+ P11_CHILD_LOG_FILE, - state->p11_child_timeout, - state->ssh_ctx->ca_db, - state->ssh_ctx->sss_certmap_ctx, -@@ -335,7 +335,7 @@ void ssh_get_output_keys_done(struct tevent_req *subreq) - goto done; - } - -- subreq = cert_to_ssh_key_send(state, state->ev, -1, -+ subreq = cert_to_ssh_key_send(state, state->ev, NULL, - state->p11_child_timeout, - state->ssh_ctx->ca_db, - state->ssh_ctx->sss_certmap_ctx, -diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c -index 7765e91b8..6072a702c 100644 ---- a/src/responder/ssh/sshsrv.c -+++ b/src/responder/ssh/sshsrv.c -@@ -126,16 +126,6 @@ int ssh_process_init(TALLOC_CTX *mem_ctx, - goto fail; - } - -- ssh_ctx->p11_child_debug_fd = -1; -- if (ssh_ctx->use_cert_keys) { -- ret = child_debug_init(P11_CHILD_LOG_FILE, -- &ssh_ctx->p11_child_debug_fd); -- if (ret != EOK) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "Failed to setup p11_child logging, ignored.\n"); -- } -- } -- - ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); -diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c -index 848ed1a8d..1ff20576a 100644 ---- a/src/tests/cmocka/test_cert_utils.c -+++ b/src/tests/cmocka/test_cert_utils.c -@@ -391,7 +391,7 @@ void test_cert_to_ssh_key_send(void **state) - ev = 
tevent_context_init(ts); - assert_non_null(ev); - -- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, -+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT, - #ifdef HAVE_NSS - "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", - #else -@@ -465,7 +465,7 @@ void test_cert_to_ssh_2keys_send(void **state) - ev = tevent_context_init(ts); - assert_non_null(ev); - -- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, -+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT, - #ifdef HAVE_NSS - "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", - #else -@@ -548,7 +548,7 @@ void test_cert_to_ssh_2keys_invalid_send(void **state) - ev = tevent_context_init(ts); - assert_non_null(ev); - -- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, -+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT, - #ifdef HAVE_NSS - "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", - #else -@@ -614,7 +614,7 @@ void test_ec_cert_to_ssh_key_send(void **state) - ev = tevent_context_init(ts); - assert_non_null(ev); - -- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, -+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT, - #ifdef HAVE_NSS - "sql:" ABS_BUILD_DIR "/src/tests/test_ECC_CA/p11_ecc_nssdb", - #else -@@ -691,7 +691,7 @@ void test_cert_to_ssh_2keys_with_certmap_send(void **state) - ev = tevent_context_init(ts); - assert_non_null(ev); - -- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, -+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT, - #ifdef HAVE_NSS - "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", - #else -@@ -769,7 +769,7 @@ void test_cert_to_ssh_2keys_with_certmap_2_send(void **state) - ev = tevent_context_init(ts); - assert_non_null(ev); - -- req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, -+ req = cert_to_ssh_key_send(ts, ev, NULL, P11_CHILD_TIMEOUT, - #ifdef HAVE_NSS - "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", - #else -diff --git a/src/util/cert.h b/src/util/cert.h 
-index d038a99f6..16dda37b3 100644 ---- a/src/util/cert.h -+++ b/src/util/cert.h -@@ -57,7 +57,7 @@ errno_t get_ssh_key_from_derb64(TALLOC_CTX *mem_ctx, const char *derb64, - - struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -- int child_debug_fd, time_t timeout, -+ const char *logfile, time_t timeout, - const char *ca_db, - struct sss_certmap_ctx *sss_certmap_ctx, - size_t cert_count, -diff --git a/src/util/cert/cert_common_p11_child.c b/src/util/cert/cert_common_p11_child.c -index 1846ff89a..18a331f23 100644 ---- a/src/util/cert/cert_common_p11_child.c -+++ b/src/util/cert/cert_common_p11_child.c -@@ -24,7 +24,7 @@ - - struct cert_to_ssh_key_state { - struct tevent_context *ev; -- int child_debug_fd; -+ const char *logfile; - time_t timeout; - const char **extra_args; - const char **certs; -@@ -45,7 +45,7 @@ static void cert_to_ssh_key_done(int child_status, - - struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -- int child_debug_fd, time_t timeout, -+ const char *logfile, time_t timeout, - const char *ca_db, - struct sss_certmap_ctx *sss_certmap_ctx, - size_t cert_count, -@@ -70,8 +70,7 @@ struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx, - } - - state->ev = ev; -- state->child_debug_fd = (child_debug_fd == -1) ? 
STDERR_FILENO -- : child_debug_fd; -+ state->logfile = logfile; - state->timeout = timeout; - state->io = talloc(state, struct child_io_fds); - if (state->io == NULL) { -@@ -205,7 +204,7 @@ static errno_t cert_to_ssh_key_step(struct tevent_req *req) - child_pid = fork(); - if (child_pid == 0) { /* child */ - exec_child_ex(state, pipefd_to_child, pipefd_from_child, P11_CHILD_PATH, -- state->child_debug_fd, state->extra_args, false, -+ state->logfile, state->extra_args, false, - STDIN_FILENO, STDOUT_FILENO); - /* We should never get here */ - DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec p11 child\n"); -diff --git a/src/util/child_common.c b/src/util/child_common.c -index 3a07580c2..5cac725ca 100644 ---- a/src/util/child_common.c -+++ b/src/util/child_common.c -@@ -47,6 +47,8 @@ struct sss_child_ctx { - struct sss_sigchild_ctx *sigchld_ctx; - }; - -+static errno_t child_debug_init(const char *logfile, int *debug_fd); -+ - static void sss_child_handler(struct tevent_context *ev, - struct tevent_signal *se, - int signum, -@@ -725,13 +727,24 @@ fail: - - void exec_child_ex(TALLOC_CTX *mem_ctx, - int *pipefd_to_child, int *pipefd_from_child, -- const char *binary, int debug_fd, -+ const char *binary, const char *logfile, - const char *extra_argv[], bool extra_args_only, - int child_in_fd, int child_out_fd) - { - int ret; - errno_t err; - char **argv; -+ int debug_fd = -1; -+ -+ if (logfile) { -+ ret = child_debug_init(logfile, &debug_fd); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "child_debug_init() failed.\n"); -+ exit(EXIT_FAILURE); -+ } -+ } else { -+ debug_fd = STDERR_FILENO; -+ } - - close(pipefd_to_child[1]); - ret = dup2(pipefd_to_child[0], child_in_fd); -@@ -767,10 +780,10 @@ void exec_child_ex(TALLOC_CTX *mem_ctx, - - void exec_child(TALLOC_CTX *mem_ctx, - int *pipefd_to_child, int *pipefd_from_child, -- const char *binary, int debug_fd) -+ const char *binary, const char *logfile) - { - exec_child_ex(mem_ctx, pipefd_to_child, pipefd_from_child, -- 
binary, debug_fd, NULL, false, -+ binary, logfile, NULL, false, - STDIN_FILENO, STDOUT_FILENO); - } - -@@ -803,7 +816,7 @@ int child_io_destructor(void *ptr) - return EOK; - } - --errno_t child_debug_init(const char *logfile, int *debug_fd) -+static errno_t child_debug_init(const char *logfile, int *debug_fd) - { - int ret; - FILE *debug_filep; -diff --git a/src/util/child_common.h b/src/util/child_common.h -index 37116e2a7..92d66a500 100644 ---- a/src/util/child_common.h -+++ b/src/util/child_common.h -@@ -106,7 +106,7 @@ void fd_nonblocking(int fd); - /* Never returns EOK, ether returns an error, or doesn't return on success */ - void exec_child_ex(TALLOC_CTX *mem_ctx, - int *pipefd_to_child, int *pipefd_from_child, -- const char *binary, int debug_fd, -+ const char *binary, const char *logfile, - const char *extra_argv[], bool extra_args_only, - int child_in_fd, int child_out_fd); - -@@ -115,10 +115,8 @@ void exec_child_ex(TALLOC_CTX *mem_ctx, - */ - void exec_child(TALLOC_CTX *mem_ctx, - int *pipefd_to_child, int *pipefd_from_child, -- const char *binary, int debug_fd); -+ const char *binary, const char *logfile); - - int child_io_destructor(void *ptr); - --errno_t child_debug_init(const char *logfile, int *debug_fd); -- - #endif /* __CHILD_COMMON_H__ */ --- -2.21.3 - diff --git a/SOURCES/0005-DEBUG-use-new-exec_child-_ex-interface-in-tests.patch b/SOURCES/0005-DEBUG-use-new-exec_child-_ex-interface-in-tests.patch deleted file mode 100644 index f1dc851..0000000 --- a/SOURCES/0005-DEBUG-use-new-exec_child-_ex-interface-in-tests.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From e58853f9ce63fae0c8b219b79be65c760a2f3e7e Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 5 Jun 2020 13:57:59 +0200 -Subject: [PATCH] DEBUG: use new exec_child(_ex) interface in tests - -Resolves: https://github.com/SSSD/sssd/issues/4667 - -Reviewed-by: Alexey Tikhonov ---- - src/tests/cmocka/test_child_common.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/tests/cmocka/test_child_common.c b/src/tests/cmocka/test_child_common.c -index 5cf460b50..87cae3405 100644 ---- a/src/tests/cmocka/test_child_common.c -+++ b/src/tests/cmocka/test_child_common.c -@@ -97,7 +97,7 @@ void test_exec_child(void **state) - exec_child(child_tctx, - child_tctx->pipefd_to_child, - child_tctx->pipefd_from_child, -- CHILD_DIR"/"TEST_BIN, 2); -+ CHILD_DIR"/"TEST_BIN, NULL); - } else { - do { - errno = 0; -@@ -168,7 +168,7 @@ static void extra_args_test(struct child_test_ctx *child_tctx, - exec_child_ex(child_tctx, - child_tctx->pipefd_to_child, - child_tctx->pipefd_from_child, -- CHILD_DIR"/"TEST_BIN, 2, extra_args, -+ CHILD_DIR"/"TEST_BIN, NULL, extra_args, - extra_args_only, - STDIN_FILENO, STDOUT_FILENO); - } else { -@@ -291,7 +291,7 @@ void test_exec_child_handler(void **state) - exec_child(child_tctx, - child_tctx->pipefd_to_child, - child_tctx->pipefd_from_child, -- CHILD_DIR"/"TEST_BIN, 2); -+ CHILD_DIR"/"TEST_BIN, NULL); - } - - ret = child_handler_setup(child_tctx->test_ctx->ev, child_pid, -@@ -341,7 +341,7 @@ void test_exec_child_echo(void **state) - exec_child_ex(child_tctx, - child_tctx->pipefd_to_child, - child_tctx->pipefd_from_child, -- CHILD_DIR"/"TEST_BIN, 2, NULL, false, -+ CHILD_DIR"/"TEST_BIN, NULL, NULL, false, - STDIN_FILENO, 3); - } - -@@ -474,7 +474,7 @@ void test_sss_child(void **state) - exec_child(child_tctx, - child_tctx->pipefd_to_child, - child_tctx->pipefd_from_child, -- CHILD_DIR"/"TEST_BIN, 2); -+ CHILD_DIR"/"TEST_BIN, NULL); - } - - ret = sss_child_register(child_tctx, sc_ctx, --- -2.21.3 
-
diff --git a/SOURCES/0005-negcache-make-sure-domain-config-does-not-leak-into-.patch b/SOURCES/0005-negcache-make-sure-domain-config-does-not-leak-into-.patch
new file mode 100644
index 0000000..8aeda8b
--- /dev/null
+++ b/SOURCES/0005-negcache-make-sure-domain-config-does-not-leak-into-.patch
@@ -0,0 +1,36 @@
+From 0e1bcf77bd73baa0fea64830eb1f4f65a63c7afe Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 8 Oct 2020 12:18:41 +0200
+Subject: [PATCH 5/8] negcache: make sure domain config does not leak into
+ global
+
+Resolves: https://github.com/SSSD/sssd/issues/5238
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/responder/common/negcache.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
+index ce1c0ab8c..139218420 100644
+--- a/src/responder/common/negcache.c
++++ b/src/responder/common/negcache.c
+@@ -1050,6 +1050,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ }
+ }
+
++ talloc_zfree(filter_list);
+ /* Populate non domain-specific negative cache user entries */
+ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_FILTER_USERS, &filter_list);
+@@ -1185,6 +1186,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ }
+ }
+
++ talloc_zfree(filter_list);
+ /* Populate non domain-specific negative cache group entries */
+ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_FILTER_GROUPS, &filter_list);
+--
+2.21.3
+
diff --git a/SOURCES/0006-NEGCACHE-skip-permanent-entries-in-users-groups-rese.patch b/SOURCES/0006-NEGCACHE-skip-permanent-entries-in-users-groups-rese.patch
deleted file mode 100644
index fb1911d..0000000
--- a/SOURCES/0006-NEGCACHE-skip-permanent-entries-in-users-groups-rese.patch
+++ /dev/null
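Review bot: The two added `talloc_zfree(filter_list);` calls in sss_ncache_prepopulate() have no comment saying why the list must be reset before the global lookups, and that reason is the whole fix. Judging by the patch title, a list left over from the last [domain/...] section could otherwise be applied as the global filter_users/filter_groups value; how `ret` from confdb_get_string_as_list() is handled lies outside the hunk, so this is inferred. I would add above each call something like `/* forget the last domain's list so it cannot be reused for the global filter */`. The function starts and ends outside both inner hunks.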
@@ -1,60 +0,0 @@ -From 88e92967a7b4e3e4501b17f21812467effa331c7 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 16 Jun 2020 13:51:28 +0200 -Subject: [PATCH] NEGCACHE: skip permanent entries in [users/groups] reset -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Files provider calling `sss_ncache_reset_[users/groups]()` -during cache rebuilding was breaking neg-cache prepopulation. - -Resolves: https://github.com/SSSD/sssd/issues/1024 - -Reviewed-by: Tomáš Halman ---- - src/responder/common/negcache.c | 9 +++++++++ - src/responder/common/negcache.h | 1 + - 2 files changed, 10 insertions(+) - -diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c -index d9545aef6..ce1c0ab8c 100644 ---- a/src/responder/common/negcache.c -+++ b/src/responder/common/negcache.c -@@ -900,12 +900,21 @@ static int delete_prefix(struct tdb_context *tdb, - TDB_DATA key, TDB_DATA data, void *state) - { - const char *prefix = (const char *) state; -+ unsigned long long int timestamp; -+ char *ep = NULL; - - if (strncmp((char *)key.dptr, prefix, strlen(prefix) - 1) != 0) { - /* not interested in this key */ - return 0; - } - -+ errno = 0; -+ timestamp = strtoull((const char *)data.dptr, &ep, 10); -+ if ((errno == 0) && (*ep == '\0') && (timestamp == 0)) { -+ /* skip permanent entries */ -+ return 0; -+ } -+ - return tdb_delete(tdb, key); - } - -diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h -index a80412215..4dcfb5e8f 100644 ---- a/src/responder/common/negcache.h -+++ b/src/responder/common/negcache.h -@@ -146,6 +146,7 @@ int sss_ncache_set_locate_uid(struct sss_nc_ctx *ctx, - uid_t uid); - - int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx); -+/* sss_ncache_reset_[users/groups] skips permanent entries */ - int sss_ncache_reset_users(struct sss_nc_ctx *ctx); - int sss_ncache_reset_groups(struct sss_nc_ctx *ctx); - --- -2.21.3 - 
diff --git a/SOURCES/0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch b/SOURCES/0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
new file mode 100644
index 0000000..e3aeec3
--- /dev/null
+++ b/SOURCES/0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch
@@ -0,0 +1,106 @@
+From 385af99ff4d5a75d0c1edc9ad830da3eb7478295 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 8 Oct 2020 17:57:29 +0200
+Subject: [PATCH 6/8] utils: add SSS_GND_SUBDOMAINS flag for get_next_domain()
+
+To allow to only iterate over a singel domain an its sub-domains a new
+flag is added to get_next_domain().
+
+Resolves: https://github.com/SSSD/sssd/issues/5238
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/tests/cmocka/test_utils.c | 31 +++++++++++++++++++++++++++++++
+ src/util/domain_info_utils.c | 10 +++++++---
+ src/util/util.h | 4 ++++
+ 3 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
+index 945f5cb44..d77a972c1 100644
+--- a/src/tests/cmocka/test_utils.c
++++ b/src/tests/cmocka/test_utils.c
+@@ -877,6 +877,37 @@ static void test_get_next_domain_flags(void **state)
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
++
++ /* Descend only to subdomains */
++ gnd_flags = SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED;
++
++ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "sub1a");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_null(dom);
++
++ dom = find_domain_by_name_ex(test_ctx->dom_list, "dom2", true,
++ SSS_GND_ALL_DOMAINS);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "dom2");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "sub2a");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_non_null(dom);
++ assert_string_equal(dom->name, "sub2b");
++
++ dom = get_next_domain(dom, gnd_flags);
++ assert_null(dom);
++
++ /* Expect NULL if the domain has no sub-domains */
++ test_ctx->dom_list->subdomains = NULL;
++ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
++ assert_null(dom);
+ }
+
+ struct name_init_test_ctx {
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index aa3582f03..4d4726daa 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -39,16 +39,20 @@ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
+ uint32_t gnd_flags)
+ {
+ struct sss_domain_info *dom;
+- bool descend = gnd_flags & SSS_GND_DESCEND;
++ bool descend = gnd_flags & (SSS_GND_DESCEND | SSS_GND_SUBDOMAINS);
+ bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED;
++ bool only_subdomains = gnd_flags & SSS_GND_SUBDOMAINS;
+
+ dom = domain;
+ while (dom) {
+ if (descend && dom->subdomains) {
+ dom = dom->subdomains;
+- } else if (dom->next) {
++ } else if (dom->next && only_subdomains && IS_SUBDOMAIN(dom)) {
+ dom = dom->next;
+- } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) {
++ } else if (dom->next && !only_subdomains) {
++ dom = dom->next;
++ } else if (descend && !only_subdomains && IS_SUBDOMAIN(dom)
++ && dom->parent->next) {
+ dom = dom->parent->next;
+ } else {
+ dom = NULL;
+diff --git a/src/util/util.h b/src/util/util.h
+index fbcac5cd0..581c0edfb 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -565,7 +565,11 @@ struct sss_domain_info *get_domains_head(struct sss_domain_info *domain);
+
+ #define SSS_GND_DESCEND 0x01
+ #define SSS_GND_INCLUDE_DISABLED 0x02
++/* Descend to sub-domains of current domain but do not go to next parent */
++#define SSS_GND_SUBDOMAINS 0x04
+ #define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED)
++#define SSS_GND_ALL_SUBDOMAINS (SSS_GND_SUBDOMAINS | SSS_GND_INCLUDE_DISABLED)
++
+ struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
+ uint32_t gnd_flags);
+ struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
+--
+2.21.3
+
diff --git a/SOURCES/0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch b/SOURCES/0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch
new file mode 100644
index 0000000..9d405fc
--- /dev/null
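Review bot: The new comment on `SSS_GND_SUBDOMAINS` in util.h does not say what happens when the flag is combined with `SSS_GND_DESCEND`, and in get_next_domain() the `!only_subdomains` conditions make SSS_GND_SUBDOMAINS win silently. It also does not say that the walk is meant to start at the parent domain: started from a sub-domain, the `dom->next && only_subdomains && IS_SUBDOMAIN(dom)` branch yields only the remaining siblings. I would extend the comment to `/* Descend to sub-domains of current domain but do not go to next parent; overrides SSS_GND_DESCEND if both are set */`. The loop body of get_next_domain() continues past the end of the inner hunk, so the handling of disabled domains is not visible here.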
+++ b/SOURCES/0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch 
@@ -0,0 +1,443 @@ +From 0dc81a52e2836010974e9f71b1f3e47c20fd498d Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 9 Oct 2020 11:56:21 +0200 +Subject: [PATCH 7/8] negcache: make sure short names are added to sub-domains + +If short names are used with filter_users or filter_groups in a +[domain/...] section they should be added to the sub-domains of this +domain as well. + +Resolves: https://github.com/SSSD/sssd/issues/5238 + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/negcache.c | 105 +++++++------ + src/tests/cmocka/test_negcache.c | 254 +++++++++++++++++++++++++++++++ + 2 files changed, 312 insertions(+), 47 deletions(-) + +diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c +index 139218420..9ee39ce3e 100644 +--- a/src/responder/common/negcache.c ++++ b/src/responder/common/negcache.c +@@ -971,6 +971,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + char *name = NULL; + struct sss_domain_info *dom = NULL; + struct sss_domain_info *domain_list = rctx->domains; ++ struct sss_domain_info *ddom; + char *domainname = NULL; + char *conf_path = NULL; + TALLOC_CTX *tmpctx = talloc_new(NULL); +@@ -1013,39 +1014,44 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + continue; + } + +- if (domainname && strcmp(domainname, dom->name)) { +- DEBUG(SSSDBG_TRACE_FUNC, +- "Mismatch between domain name (%s) and name " +- "set in FQN (%s), assuming %s is UPN\n", +- dom->name, domainname, filter_list[i]); +- ret = sss_ncache_set_upn(ncache, true, dom, filter_list[i]); ++ /* Check domain and its sub-domains */ ++ for (ddom = dom; ddom != NULL; ++ ddom = get_next_domain(ddom, SSS_GND_ALL_SUBDOMAINS)) { ++ ++ if (domainname && strcmp(domainname, ddom->name)) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "Mismatch between domain name (%s) and name " ++ "set in FQN (%s), assuming %s is UPN\n", ++ ddom->name, domainname, filter_list[i]); ++ ret = sss_ncache_set_upn(ncache, true, ddom, filter_list[i]); ++ if (ret != EOK) { ++ 
DEBUG(SSSDBG_OP_FAILURE, ++ "sss_ncache_set_upn failed (%d [%s]), ignored\n", ++ ret, sss_strerror(ret)); ++ } ++ continue; ++ } ++ ++ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name); ++ if (fqname == NULL) { ++ continue; ++ } ++ ++ ret = sss_ncache_set_upn(ncache, true, ddom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ncache_set_upn failed (%d [%s]), ignored\n", + ret, sss_strerror(ret)); + } +- continue; +- } +- +- fqname = sss_create_internal_fqname(tmpctx, name, dom->name); +- if (fqname == NULL) { +- continue; +- } +- +- ret = sss_ncache_set_upn(ncache, true, dom, fqname); +- if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, +- "sss_ncache_set_upn failed (%d [%s]), ignored\n", +- ret, sss_strerror(ret)); +- } +- ret = sss_ncache_set_user(ncache, true, dom, fqname); +- talloc_zfree(fqname); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to store permanent user filter for [%s]" +- " (%d [%s])\n", filter_list[i], +- ret, sss_strerror(ret)); +- continue; ++ ret = sss_ncache_set_user(ncache, true, ddom, fqname); ++ talloc_zfree(fqname); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to store permanent user filter for [%s]" ++ " (%d [%s])\n", filter_list[i], ++ ret, sss_strerror(ret)); ++ continue; ++ } + } + } + } +@@ -1161,27 +1167,32 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + continue; + } + +- if (domainname && strcmp(domainname, dom->name)) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Mismatch between domain name (%s) and name " +- "set in FQN (%s), skipping group %s\n", +- dom->name, domainname, name); +- continue; +- } ++ /* Check domain and its sub-domains */ ++ for (ddom = dom; ++ ddom != NULL && (ddom == dom || ddom->parent != NULL); ++ ddom = get_next_domain(ddom, SSS_GND_ALL_DOMAINS)) { ++ if (domainname && strcmp(domainname, ddom->name)) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Mismatch between domain name (%s) and name " ++ "set in FQN (%s), skipping group %s\n", ++ ddom->name, 
domainname, name); ++ continue; ++ } + +- fqname = sss_create_internal_fqname(tmpctx, name, dom->name); +- if (fqname == NULL) { +- continue; +- } ++ fqname = sss_create_internal_fqname(tmpctx, name, ddom->name); ++ if (fqname == NULL) { ++ continue; ++ } + +- ret = sss_ncache_set_group(ncache, true, dom, fqname); +- talloc_zfree(fqname); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to store permanent group filter for [%s]" +- " (%d [%s])\n", filter_list[i], +- ret, strerror(ret)); +- continue; ++ ret = sss_ncache_set_group(ncache, true, ddom, fqname); ++ talloc_zfree(fqname); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to store permanent group filter for [%s]" ++ " (%d [%s])\n", filter_list[i], ++ ret, strerror(ret)); ++ continue; ++ } + } + } + } +diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c +index b3a379227..fb306b110 100644 +--- a/src/tests/cmocka/test_negcache.c ++++ b/src/tests/cmocka/test_negcache.c +@@ -119,6 +119,8 @@ static int setup(void **state) + int ret; + struct test_state *ts; + ++ test_dom_suite_setup(TESTS_PATH); ++ + ts = talloc(NULL, struct test_state); + assert_non_null(ts); + +@@ -133,6 +135,7 @@ static int setup(void **state) + static int teardown(void **state) + { + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); ++ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + talloc_free(ts); + return 0; + } +@@ -921,6 +924,255 @@ static void test_sss_ncache_reset_prepopulate(void **state) + assert_int_equal(ret, EEXIST); + } + ++/* The main purpose of test_sss_ncache_short_name_in_domain is to test that ++ * short names in the filter_users or filter_groups options in a [domain/...] ++ * section are properly added to the related sub-domains as well (if there are ++ * any) and not added to domains from other [domain/...] sections. 
For ++ * completeness entries with fully-qualified names of the parent and the ++ * sub-domain and the generic UPN are added as well. ++ * ++ * The result should of course be independent of the present domains. To ++ * verify this the domains are added one after the other and the negative ++ * cache is repopulated each time. ++ * ++ * With the given domains, users and group we have to following expectations: ++ * - the short name entry will be added to the domain and all sub-domains as ++ * name and as upn by expanding it to a fully-qualified name with the ++ * domain name or sub-domain name respectively ++ * - the fully-qualified name from the parent domain is added as name and upn ++ * to the parent domain and as upn to all sub-domains ++ * - the fully-qualified name from the sub-domain is added as name to the ++ * sub-domain and as upn to the parent and all sub-domains ++ * - the generic upn is nowhere added as name and as upn to the parent and all ++ * sub-domains ++ * - none of the names is added to a different parent domain ++ * ++ * The following table should illustrated the expectations: ++ * ++ * user (name): ++ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom ++ *-----------------+-----------+-----------------------+--------------------------+------------ ++ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING | MISSING ++ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT | MISSING ++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING ++ * ++ * user (upn): ++ * | shortuser | parentu@TEST_DOM_NAME | subdomu@subTEST_DOM_NAME | upn@upn.dom ++ *-----------------+-----------+-----------------------+--------------------------+------------ ++ * TEST_DOM_NAME | PRESENT | PRESENT | PRESENT | PRESENT ++ * subTEST_DOM_NAME| PRESENT | PRESENT | PRESENT | PRESENT ++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING | MISSING ++ * ++ * ++ * ++ * groups: ++ * | shortgroup | parentg@TEST_DOM_NAME | subdomg@subTEST_DOM_NAME ++ 
*-----------------+------------+-----------------------+------------------------- ++ * TEST_DOM_NAME | PRESENT | PRESENT | MISSING ++ * subTEST_DOM_NAME| PRESENT | MISSING | PRESENT ++ * TEST_DOM_NAME2 | MISSING | MISSING | MISSING ++ * ++ * ++ * The following expect_*() implement checks for the expextations: ++ */ ++ ++static void expect_in_parent(struct sss_nc_ctx *ncache, ++ struct sss_domain_info *dom) ++{ ++ int ret; ++ ++ ret = check_user_in_ncache(ncache, dom, "shortuser"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, dom, "shortuser@"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, dom, "parentu"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, dom, "parentu@"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, dom, "subdomu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom, "subdomu@sub"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, dom, "upn"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom, "upn@upn.dom"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, dom, "shortgroup"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, dom, "parentg"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, dom, "subdomg"); ++ assert_int_equal(ret, ENOENT); ++} ++ ++static void expect_in_subdomain(struct sss_nc_ctx *ncache, ++ struct sss_domain_info *sub_dom) ++{ ++ int ret; ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "shortuser"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "shortuser@sub"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "subdomu"); ++ assert_int_equal(ret, EEXIST); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "subdomu@sub"TEST_DOM_NAME); ++ 
assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "upn"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "upn@upn.dom"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_user_in_ncache(ncache, sub_dom, "parentu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, sub_dom, "parentu@"TEST_DOM_NAME); ++ assert_int_equal(ret, EEXIST); ++ ++ ++ ret = check_group_in_ncache(ncache, sub_dom, "shortgroup"); ++ assert_int_equal(ret, EEXIST); ++ ++ ret = check_group_in_ncache(ncache, sub_dom, "parentg"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, sub_dom, "subdomg"); ++ assert_int_equal(ret, EEXIST); ++} ++static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache, ++ struct sss_domain_info *dom2) ++{ ++ int ret; ++ ++ ret = check_user_in_ncache(ncache, dom2, "shortuser"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "shortuser"TEST_DOM_NAME); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_user_in_ncache(ncache, dom2, "parentu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "parentu@"TEST_DOM_NAME); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_user_in_ncache(ncache, dom2, "subdomu"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "subdomu@sub"TEST_DOM_NAME); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_user_in_ncache(ncache, dom2, "upn"); ++ assert_int_equal(ret, ENOENT); ++ ret = sss_ncache_check_upn(ncache, dom2, "upn@upn.dom"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, dom2, "shortgroup"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, dom2, "parentg"); ++ assert_int_equal(ret, ENOENT); ++ ++ ret = check_group_in_ncache(ncache, dom2, "subdomg"); ++ assert_int_equal(ret, ENOENT); ++} ++ ++static void test_sss_ncache_short_name_in_domain(void **state) ++{ ++ int ret; ++ 
struct test_state *ts; ++ struct tevent_context *ev; ++ struct sss_nc_ctx *ncache; ++ struct sss_test_ctx *tc; ++ struct sss_domain_info *dom; ++ struct sss_domain_info *dom2; ++ struct sss_domain_info *sub_dom; ++ ++ struct sss_test_conf_param params[] = { ++ { "filter_users", "shortuser, parentu@"TEST_DOM_NAME", " ++ "subdomu@sub"TEST_DOM_NAME", upn@upn.dom" }, ++ { "filter_groups", "shortgroup, parentg@"TEST_DOM_NAME", " ++ "subdomg@sub"TEST_DOM_NAME }, ++ { NULL, NULL }, ++ }; ++ ++ const char *nss_filter_users[] = { params[0].value, NULL}; ++ const char *nss_filter_groups[] = { params[1].value, NULL}; ++ ++ ts = talloc_get_type_abort(*state, struct test_state); ++ ++ ev = tevent_context_init(ts); ++ assert_non_null(ev); ++ ++ dom = talloc_zero(ts, struct sss_domain_info); ++ assert_non_null(dom); ++ dom->name = discard_const_p(char, TEST_DOM_NAME); ++ sss_domain_set_state(dom, DOM_ACTIVE); ++ ++ ts->nctx = mock_nctx(ts); ++ assert_non_null(ts->nctx); ++ ++ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB, ++ TEST_DOM_NAME, TEST_ID_PROVIDER, params); ++ assert_non_null(tc); ++ ++ ret = confdb_add_param(tc->confdb, true, "config/domain/"TEST_DOM_NAME, ++ "filter_users", nss_filter_users); ++ assert_int_equal(ret, EOK); ++ ++ ret = confdb_add_param(tc->confdb, true, "config/domain"TEST_DOM_NAME, ++ "filter_groups", nss_filter_groups); ++ assert_int_equal(ret, EOK); ++ ++ ncache = ts->ctx; ++ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); ++ assert_non_null(ts->rctx); ++ ts->rctx->cdb = tc->confdb; ++ ++ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); ++ assert_int_equal(ret, EOK); ++ ++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); ++ assert_int_equal(ret, EOK); ++ ++ /* Add another domain */ ++ dom2 = talloc_zero(ts, struct sss_domain_info); ++ assert_non_null(dom2); ++ dom2->name = discard_const_p(char, TEST_DOM_NAME"2"); ++ sss_domain_set_state(dom2, DOM_ACTIVE); ++ dom->next = dom2; ++ dom2->names = dom->names; ++ ++ 
expect_in_parent(ncache, dom); ++ expect_no_entries_in_dom(ncache, dom2); ++ ++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); ++ assert_int_equal(ret, EOK); ++ ++ expect_in_parent(ncache, dom); ++ expect_no_entries_in_dom(ncache, dom2); ++ ++ /* Add a sub domain */ ++ sub_dom = talloc_zero(ts, struct sss_domain_info); ++ assert_non_null(sub_dom); ++ sub_dom->name = discard_const_p(char, "sub"TEST_DOM_NAME); ++ sss_domain_set_state(sub_dom, DOM_ACTIVE); ++ sub_dom->parent = dom; ++ dom->subdomains = sub_dom; ++ sub_dom->names = dom->names; ++ ++ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache); ++ assert_int_equal(ret, EOK); ++ ++ expect_in_parent(ncache, dom); ++ expect_in_subdomain(ncache, sub_dom); ++ expect_no_entries_in_dom(ncache, dom2); ++} ++ + static void test_sss_ncache_reset(void **state) + { + errno_t ret; +@@ -1083,6 +1335,8 @@ int main(void) + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate, + setup, teardown), ++ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain, ++ setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_reset, + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid, +-- +2.21.3 + diff --git a/SOURCES/0007-util-inotify-fixed-CLANG_WARNING.patch b/SOURCES/0007-util-inotify-fixed-CLANG_WARNING.patch deleted file mode 100644 index 442552a..0000000 --- a/SOURCES/0007-util-inotify-fixed-CLANG_WARNING.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 144e78dfebc0fd01feb6c11a37f81d01146cf33a Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 12 Jun 2020 19:10:33 +0200 -Subject: [PATCH] util/inotify: fixed CLANG_WARNING -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixed following warning: -``` -sssd-2.3.1/src/util/inotify.c:346:17: warning: Value stored to 'ret' is never read - # ret = EOK; - # ^ ~~~ -``` - -Reviewed-by: Tomáš Halman ---- - src/util/inotify.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/util/inotify.c b/src/util/inotify.c -index ffc15ad4d..cf3e3d84d 100644 ---- a/src/util/inotify.c -+++ b/src/util/inotify.c -@@ -319,7 +319,9 @@ static void snotify_internal_cb(struct tevent_context *ev, - - in_event = (const struct inotify_event *) ptr; - -- //debug_flags(in_event->mask, in_event->name); -+#if 0 -+ debug_flags(in_event->mask, in_event->name); -+#endif - - if (snctx->wctx->dir_wd == in_event->wd) { - ret = process_dir_event(snctx, in_event); -@@ -343,7 +345,6 @@ static void snotify_internal_cb(struct tevent_context *ev, - } else { - DEBUG(SSSDBG_MINOR_FAILURE, - "Unknown watch %d\n", in_event->wd); -- ret = EOK; - } - } - } --- -2.21.3 - diff --git a/SOURCES/0008-negcache-do-not-use-default_domain_suffix.patch b/SOURCES/0008-negcache-do-not-use-default_domain_suffix.patch new file mode 100644 index 0000000..17ce2db --- /dev/null +++ b/SOURCES/0008-negcache-do-not-use-default_domain_suffix.patch 
@@ -0,0 +1,154 @@ +From fa4b46e7de7297da3c0e37913eab8cba7f103629 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 9 Oct 2020 15:26:39 +0200 +Subject: [PATCH 8/8] negcache: do not use default_domain_suffix + +When splitting the names from the filter_users and filter_groups options +do not use the default_domain_suffix because it will hide that the +original name is a short name and should be added everywhere. + +Additionally this patch fixes a typo where sss_parse_name() was used +instead of sss_parse_name_for_domains(). + +Resolves: https://github.com/SSSD/sssd/issues/5238 + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/negcache.c | 29 +++++++++++++++-------------- + src/tests/cmocka/test_negcache.c | 22 ++++++++++++++++++++-- + 2 files changed, 35 insertions(+), 16 deletions(-) + +diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c +index 9ee39ce3e..59e8ad7e7 100644 +--- a/src/responder/common/negcache.c ++++ b/src/responder/common/negcache.c +@@ -1000,13 +1000,13 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, +- rctx->default_domain, ++ NULL, + filter_list[i], + &domainname, &name); + if (ret == EAGAIN) { + DEBUG(SSSDBG_MINOR_FAILURE, +- "cannot add [%s] to negcache because the required or " +- "default domain are not known yet\n", filter_list[i]); ++ "Can add [%s] only as UPN to negcache because the " ++ "required domain is not known yet\n", filter_list[i]); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterUsers list: [%s] (%d)\n", +@@ -1066,12 +1066,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, +- rctx->default_domain, filter_list[i], ++ NULL, filter_list[i], + &domainname, &name); + if (ret == EAGAIN) { + DEBUG(SSSDBG_MINOR_FAILURE, 
+- "Cannot add [%s] to negcache because the required or " +- "default domain are not known yet\n", filter_list[i]); ++ "Can add [%s] only as UPN to negcache because the " ++ "required domain is not known yet\n", filter_list[i]); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterUsers list: [%s] (%d)\n", +@@ -1158,9 +1158,12 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + if (ret != EOK) goto done; + + for (i = 0; (filter_list && filter_list[i]); i++) { +- ret = sss_parse_name(tmpctx, dom->names, filter_list[i], +- &domainname, &name); ++ ret = sss_parse_name_for_domains(tmpctx, domain_list, ++ NULL, filter_list[i], ++ &domainname, &name); + if (ret != EOK) { ++ /* Groups do not have UPNs, so domain names, if present, ++ * must be known */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterGroups list: [%s] (%d)\n", + filter_list[i], ret); +@@ -1207,13 +1210,11 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, +- rctx->default_domain, filter_list[i], ++ NULL, filter_list[i], + &domainname, &name); +- if (ret == EAGAIN) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Cannot add [%s] to negcache because the required or " +- "default domain are not known yet\n", filter_list[i]); +- } else if (ret != EOK) { ++ if (ret != EOK) { ++ /* Groups do not have UPNs, so domain names, if present, ++ * must be known */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterGroups list: [%s] (%d)\n", + filter_list[i], ret); +diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c +index fb306b110..30218d52a 100644 +--- a/src/tests/cmocka/test_negcache.c ++++ b/src/tests/cmocka/test_negcache.c +@@ -933,7 +933,9 @@ static void test_sss_ncache_reset_prepopulate(void **state) + * + * The result should of course be independent of the present domains. 
To + * verify this the domains are added one after the other and the negative +- * cache is repopulated each time. ++ * cache is repopulated each time. The result should be also independent of ++ * the setting of default_domain_suffix option which is tested by ++ * test_sss_ncache_short_name_in_domain_with_prefix. + * + * With the given domains, users and group we have to following expectations: + * - the short name entry will be added to the domain and all sub-domains as +@@ -1081,7 +1083,8 @@ static void expect_no_entries_in_dom(struct sss_nc_ctx *ncache, + assert_int_equal(ret, ENOENT); + } + +-static void test_sss_ncache_short_name_in_domain(void **state) ++static void run_sss_ncache_short_name_in_domain(void **state, ++ bool use_default_domain_prefix) + { + int ret; + struct test_state *ts; +@@ -1131,6 +1134,9 @@ static void test_sss_ncache_short_name_in_domain(void **state) + ncache = ts->ctx; + ts->rctx = mock_rctx(ts, ev, dom, ts->nctx); + assert_non_null(ts->rctx); ++ if (use_default_domain_prefix) { ++ ts->rctx->default_domain = discard_const(TEST_DOM_NAME); ++ } + ts->rctx->cdb = tc->confdb; + + ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names); +@@ -1173,6 +1179,16 @@ static void test_sss_ncache_short_name_in_domain(void **state) + expect_no_entries_in_dom(ncache, dom2); + } + ++static void test_sss_ncache_short_name_in_domain(void **state) ++{ ++ run_sss_ncache_short_name_in_domain(state, false); ++} ++ ++static void test_sss_ncache_short_name_in_domain_with_prefix(void **state) ++{ ++ run_sss_ncache_short_name_in_domain(state, true); ++} ++ + static void test_sss_ncache_reset(void **state) + { + errno_t ret; +@@ -1337,6 +1353,8 @@ int main(void) + setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain, + setup, teardown), ++ cmocka_unit_test_setup_teardown(test_sss_ncache_short_name_in_domain_with_prefix, ++ setup, teardown), + cmocka_unit_test_setup_teardown(test_sss_ncache_reset, + setup, teardown), + 
cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid, +-- +2.21.3 + diff --git a/SOURCES/0008-util-inotify-fixed-bug-in-inotify-event-processing.patch b/SOURCES/0008-util-inotify-fixed-bug-in-inotify-event-processing.patch deleted file mode 100644 index 6ff905e..0000000 --- a/SOURCES/0008-util-inotify-fixed-bug-in-inotify-event-processing.patch +++ /dev/null 
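Review bot: The helper parameter `use_default_domain_prefix` and the new test name `test_sss_ncache_short_name_in_domain_with_prefix` in test_negcache.c say "prefix", but the option being exercised is `default_domain_suffix`, as the comment added above the test in the same patch spells it. Renaming them to `use_default_domain_suffix` and `test_sss_ncache_short_name_in_domain_with_suffix` (with the matching entry in `main`) keeps the test findable by the option name. In negcache.c the `sss_parse_name_for_domains()` calls now pass a bare `NULL`; a comment at the first call, e.g. `/* no default domain: short names from the filter lists must stay short so they are added to every domain */`, would record why `rctx->default_domain` must not be passed back in. `sss_ncache_prepopulate()` starts and ends outside these hunks.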
@@ -1,97 +0,0 @@ -From 0c5711f9bae1cb46d4cd3fbe5d86d8688087be13 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 12 Jun 2020 20:45:23 +0200 -Subject: [PATCH] util/inotify: fixed bug in inotify event processing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Error was spotted with the help of the following warning: -``` -Error: CLANG_WARNING: -sssd-2.3.1/src/util/inotify.c:327:21: warning: Value stored to 'rewatch' is never read - # rewatch = true; - # ^ ~~~~ -``` - -First part of the issue was that EAGAIN returned by the process_dir_event() -didn't trigger snotify_rewatch() (as suggested by the comments). -Fixing this part is already enough to resolve issue #1031 (as it was -reported). - -Another part of the issue was that process_file_event() return code wasn't -checked against EAGAIN (again, as suggested by the DEBUG message). -Strictly speaking, I'm not sure if this part is really required or -if processing DIR events would cover all cases, but rebuilding watches -on IN_IGNORED won't hurt. 
- -Resolves: https://github.com/SSSD/sssd/issues/1031 - -Reviewed-by: Tomáš Halman ---- - src/util/inotify.c | 30 +++++++++++++----------------- - 1 file changed, 13 insertions(+), 17 deletions(-) - -diff --git a/src/util/inotify.c b/src/util/inotify.c -index cf3e3d84d..a3c33eddb 100644 ---- a/src/util/inotify.c -+++ b/src/util/inotify.c -@@ -286,7 +286,7 @@ static void snotify_internal_cb(struct tevent_context *ev, - struct snotify_ctx *snctx; - ssize_t len; - errno_t ret; -- bool rewatch; -+ bool rewatch = false; - - snctx = talloc_get_type(data, struct snotify_ctx); - if (snctx == NULL) { -@@ -305,7 +305,7 @@ static void snotify_internal_cb(struct tevent_context *ev, - } else { - DEBUG(SSSDBG_TRACE_INTERNAL, "All inotify events processed\n"); - } -- return; -+ break; - } - - if ((size_t) len < sizeof(struct inotify_event)) { -@@ -325,26 +325,22 @@ static void snotify_internal_cb(struct tevent_context *ev, - - if (snctx->wctx->dir_wd == in_event->wd) { - ret = process_dir_event(snctx, in_event); -- if (ret == EAGAIN) { -- rewatch = true; -- /* Continue with the loop and read all the events from -- * this descriptor first, then rewatch when done -- */ -- } else if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Failed to process inotify event\n"); -- continue; -- } - } else if (snctx->wctx->file_wd == in_event->wd) { - ret = process_file_event(snctx, in_event); -- if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -- "Failed to process inotify event\n"); -- continue; -- } - } else { - DEBUG(SSSDBG_MINOR_FAILURE, - "Unknown watch %d\n", in_event->wd); -+ ret = EOK; -+ } -+ -+ if (ret == EAGAIN) { -+ rewatch = true; -+ /* Continue with the loop and read all the events from -+ * this descriptor first, then rewatch when done -+ */ -+ } else if (ret != EOK) { -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "Failed to process inotify event\n"); - } - } - } --- -2.21.3 - 
diff --git a/SOURCES/0009-Replaced-enter-with-insert.patch b/SOURCES/0009-Replaced-enter-with-insert.patch deleted file mode 100644 index 400d261..0000000 --- a/SOURCES/0009-Replaced-enter-with-insert.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 02fbf47a85228c131f1b0575da091a01da700189 Mon Sep 17 00:00:00 2001 -From: vinay mishra -Date: Mon, 18 May 2020 10:32:55 +0530 -Subject: [PATCH] Replaced 'enter' with 'insert' - -Resolves: https://github.com/SSSD/sssd/issues/5164 - -Signed-off-by: vinay mishra - -Reviewed-by: Sumit Bose ---- - src/sss_client/pam_sss.c | 4 ++-- - src/tests/intg/test_pam_responder.py | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index d4f0a8917..69b440774 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -2422,8 +2422,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, - return PAM_SUCCESS; - } - --#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s" --#define SC_ENTER_FMT "Please enter smart card" -+#define SC_ENTER_LABEL_FMT "Please insert smart card labeled\n %s" -+#define SC_ENTER_FMT "Please insert smart card" - - static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi, - int retries, bool quiet_mode) -diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py -index 9b5e650ca..7a2458339 100644 ---- a/src/tests/intg/test_pam_responder.py -+++ b/src/tests/intg/test_pam_responder.py -@@ -512,7 +512,7 @@ def test_require_sc_auth_no_cert(simple_pam_cert_auth_no_cert, env_for_sssctl): - assert end_time > start_time and \ - (end_time - start_time) >= 20 and \ - (end_time - start_time) < 40 -- assert out.find("Please enter smart card\nPlease enter smart card") != -1 -+ assert out.find("Please insert smart card\nPlease insert smart card") != -1 - assert err.find("pam_authenticate for user [user1]: Authentication " + - "service cannot retrieve authentication info") != -1 - --- -2.21.3 - diff --git a/SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch b/SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch new file mode 100644 index 0000000..032f1c4 
--- /dev/null +++ b/SOURCES/0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch @@ -0,0 +1,43 @@ +From 18b98836ef8e337992f0ecb239a32b9c3cedb750 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 9 Dec 2020 14:07:22 +0100 +Subject: [PATCH] kcm: decode base64 encoded secret on upgrade path + +Previous unefficient code encoded the secret multiple times: + secret -> base64 -> masterkey -> base64 + +To allow smooth upgrade for already existant ccache we need to also decode +the secret if it is still in the old format (type == simple). Otherwise +users are not able to log in. + +Resolves: https://github.com/SSSD/sssd/issues/5349 + +Reviewed-by: Alexey Tikhonov +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index 726711ac4..ea5c8f9ee 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -59,6 +59,16 @@ static errno_t sec_get(TALLOC_CTX *mem_ctx, + goto done; + } + ++ if (strcmp(datatype, "simple") == 0) { ++ /* The secret is stored in b64 encoding, we need to decode it first. */ ++ data = sss_base64_decode(tmp_ctx, (const char*)data, &len); ++ if (data == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode secret from base64\n"); ++ ret = EIO; ++ goto done; ++ } ++ } ++ + buf = sss_iobuf_init_steal(tmp_ctx, data, len); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init the iobuf\n"); +-- +2.21.3 + diff --git a/SOURCES/0010-NSS-client-preserve-errno-during-_nss_sss_end-calls.patch b/SOURCES/0010-NSS-client-preserve-errno-during-_nss_sss_end-calls.patch deleted file mode 100644 index 31c91ee..0000000 --- a/SOURCES/0010-NSS-client-preserve-errno-during-_nss_sss_end-calls.patch +++ /dev/null 
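Review bot: The added `sss_base64_decode(tmp_ctx, (const char*)data, &len)` call in `sec_get()` treats the stored secret as a C string and does not use the length already held in `len`, so it is only safe if a value of type "simple" is always NUL-terminated. The hunk does not show where `data` is read from, so this needs confirming against the secrets-database read path. If the guarantee holds, state it next to the cast, e.g. `/* "simple" secrets are stored as NUL-terminated base64 text */`; if it does not, the buffer should be checked against `len` before it is decoded. `sec_get()` begins and ends outside the hunk.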
@@ -1,166 +0,0 @@ -From aac4dbb17f3e19a2fbeefb38b3319827d3bf820e Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 13 May 2020 13:13:43 +0200 -Subject: [PATCH] NSS client: preserve errno during _nss_sss_end* calls - -glibc does not expect that errno is changed by some of the calls -provided by nss modules. This caused at least issues when -_nss_sss_endpwent() is called in compat mode. According to -https://pubs.opengroup.org/onlinepubs/9699919799/functions/endpwent.html -endpwent() should only set errno in the case of an error. Since there is -no other way to report an error we will set errno in the case of an -error but preserve it otherwise. This should cause no issues because -glibc is taking precautions as well tracked by -https://sourceware.org/bugzilla/show_bug.cgi?id=25976. - -To be on the safe side the other _nss_sss_end* calls will show the same -behavior. - -Resolves: https://github.com/SSSD/sssd/issues/5153 - -Reviewed-by: Alexey Tikhonov ---- - src/sss_client/nss_group.c | 3 +++ - src/sss_client/nss_hosts.c | 4 +++- - src/sss_client/nss_ipnetworks.c | 4 +++- - src/sss_client/nss_netgroup.c | 3 +++ - src/sss_client/nss_passwd.c | 3 +++ - src/sss_client/nss_services.c | 3 +++ - 6 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c -index 5ab2bdf78..4a201bf09 100644 ---- a/src/sss_client/nss_group.c -+++ b/src/sss_client/nss_group.c -@@ -735,6 +735,7 @@ enum nss_status _nss_sss_endgrent(void) - { - enum nss_status nret; - int errnop; -+ int saved_errno = errno; - - sss_nss_lock(); - -@@ -745,6 +746,8 @@ enum nss_status _nss_sss_endgrent(void) - NULL, NULL, NULL, &errnop); - if (nret != NSS_STATUS_SUCCESS) { - errno = errnop; -+ } else { -+ errno = saved_errno; - } - - sss_nss_unlock(); -diff --git a/src/sss_client/nss_hosts.c b/src/sss_client/nss_hosts.c -index 5e279468b..aa2676286 100644 ---- a/src/sss_client/nss_hosts.c -+++ b/src/sss_client/nss_hosts.c -@@ -565,6 +565,7 @@ 
_nss_sss_endhostent(void) - { - enum nss_status nret; - int errnop; -+ int saved_errno = errno; - - sss_nss_lock(); - -@@ -575,9 +576,10 @@ _nss_sss_endhostent(void) - NULL, NULL, NULL, &errnop); - if (nret != NSS_STATUS_SUCCESS) { - errno = errnop; -+ } else { -+ errno = saved_errno; - } - - sss_nss_unlock(); -- - return nret; - } -diff --git a/src/sss_client/nss_ipnetworks.c b/src/sss_client/nss_ipnetworks.c -index 15fee6039..08070499d 100644 ---- a/src/sss_client/nss_ipnetworks.c -+++ b/src/sss_client/nss_ipnetworks.c -@@ -510,6 +510,7 @@ _nss_sss_endnetent(void) - { - enum nss_status nret; - int errnop; -+ int saved_errno = errno; - - sss_nss_lock(); - -@@ -520,10 +521,11 @@ _nss_sss_endnetent(void) - NULL, NULL, NULL, &errnop); - if (nret != NSS_STATUS_SUCCESS) { - errno = errnop; -+ } else { -+ errno = saved_errno; - } - - sss_nss_unlock(); -- - return nret; - } - -diff --git a/src/sss_client/nss_netgroup.c b/src/sss_client/nss_netgroup.c -index 3a1834a31..2fc88f8ae 100644 ---- a/src/sss_client/nss_netgroup.c -+++ b/src/sss_client/nss_netgroup.c -@@ -309,6 +309,7 @@ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result) - { - enum nss_status nret; - int errnop; -+ int saved_errno = errno; - - sss_nss_lock(); - -@@ -319,6 +320,8 @@ enum nss_status _nss_sss_endnetgrent(struct __netgrent *result) - NULL, NULL, NULL, &errnop); - if (nret != NSS_STATUS_SUCCESS) { - errno = errnop; -+ } else { -+ errno = saved_errno; - } - - sss_nss_unlock(); -diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c -index 96368bd6e..c386dd370 100644 ---- a/src/sss_client/nss_passwd.c -+++ b/src/sss_client/nss_passwd.c -@@ -455,6 +455,7 @@ enum nss_status _nss_sss_endpwent(void) - { - enum nss_status nret; - int errnop; -+ int saved_errno = errno; - - sss_nss_lock(); - -@@ -465,6 +466,8 @@ enum nss_status _nss_sss_endpwent(void) - NULL, NULL, NULL, &errnop); - if (nret != NSS_STATUS_SUCCESS) { - errno = errnop; -+ } else { -+ errno = saved_errno; - } - - 
sss_nss_unlock(); -diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c -index 13cb4c3ab..f8c2092cb 100644 ---- a/src/sss_client/nss_services.c -+++ b/src/sss_client/nss_services.c -@@ -484,6 +484,7 @@ _nss_sss_endservent(void) - { - enum nss_status nret; - int errnop; -+ int saved_errno = errno; - - sss_nss_lock(); - -@@ -494,6 +495,8 @@ _nss_sss_endservent(void) - NULL, NULL, NULL, &errnop); - if (nret != NSS_STATUS_SUCCESS) { - errno = errnop; -+ } else { -+ errno = saved_errno; - } - - sss_nss_unlock(); --- -2.21.3 - diff --git a/SOURCES/0010-nss-check-if-groups-are-filtered-during-initgroups.patch b/SOURCES/0010-nss-check-if-groups-are-filtered-during-initgroups.patch new file mode 100644 index 0000000..8e76f9a --- /dev/null +++ b/SOURCES/0010-nss-check-if-groups-are-filtered-during-initgroups.patch 
@@ -0,0 +1,112 @@ +From c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 17 Nov 2020 12:59:23 +0100 +Subject: [PATCH] nss: check if groups are filtered during initgroups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If groups are filtered, i.e. SSSD should not handle them, they should +not appear in the group list returned by an initgroups request. + +Resolves: https://github.com/SSSD/sssd/issues/5403 + +Reviewed-by: Pavel Březina +--- + src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++ + src/tests/intg/test_ldap.py | 12 +++++++++ + 2 files changed, 47 insertions(+) + +diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c +index 8f1d3fe81..135b392f7 100644 +--- a/src/responder/nss/nss_protocol_grent.c ++++ b/src/responder/nss/nss_protocol_grent.c +@@ -326,6 +326,34 @@ done: + return EOK; + } + ++static bool is_group_filtered(struct sss_nc_ctx *ncache, ++ struct sss_domain_info *domain, ++ const char *grp_name, gid_t gid) ++{ ++ int ret; ++ ++ if (grp_name == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Group with gid [%"SPRIgid"] has no name, this should never " ++ "happen, trying to continue without.\n", gid); ++ } else { ++ ret = sss_ncache_check_group(ncache, domain, grp_name); ++ if (ret == EEXIST) { ++ DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! " ++ "(negative cache)", grp_name); ++ return true; ++ } ++ } ++ ret = sss_ncache_check_gid(ncache, domain, gid); ++ if (ret == EEXIST) { ++ DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! 
" ++ "(negative cache)", gid); ++ return true; ++ } ++ ++ return false; ++} ++ + errno_t + nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, +@@ -344,6 +372,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + size_t body_len; + size_t rp; + gid_t gid; ++ const char *grp_name; + gid_t orig_gid; + errno_t ret; + int i; +@@ -392,6 +421,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, + 0); + posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL); ++ grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME, ++ NULL); + + if (gid == 0) { + if (posix != NULL && strcmp(posix, "FALSE") == 0) { +@@ -404,6 +435,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + } + } + ++ if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) { ++ continue; ++ } ++ + SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp); + num_results++; + +diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py +index 194d7d9cc..6a78c960f 100644 +--- a/src/tests/intg/test_ldap.py ++++ b/src/tests/intg/test_ldap.py +@@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter): + with pytest.raises(KeyError): + grp.getgrgid(14) + ++ # test initgroups - user1 is member of group_two_one_user_groups (2019) ++ # which is filtered out ++ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001) ++ assert res == sssd_id.NssReturnCode.SUCCESS ++ ++ user_with_group_ids = [2001, 2012, 2015, 2017, 2018] ++ assert sorted(gids) == sorted(user_with_group_ids), \ ++ "result: %s\n expected %s" % ( ++ ", ".join(["%s" % s for s in sorted(gids)]), ++ ", ".join(["%s" % s for s in sorted(user_with_group_ids)]) ++ ) ++ + + @pytest.fixture + def sanity_nss_filter_cached(request, ldap_conn): +-- +2.21.3 + diff --git a/SOURCES/0011-ifp-fix-use-after-free.patch b/SOURCES/0011-ifp-fix-use-after-free.patch new file mode 100644 index 0000000..8e42b4d 
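Review bot: Both `DEBUG(SSSDBG_TRACE_FUNC, ...)` messages in the new `is_group_filtered()` end in `"(negative cache)"` with no trailing newline, unlike the `SSSDBG_CRIT_FAILURE` message a few lines above them, so consecutive trace entries will run together; they should end `"(negative cache)\n"`. Only `EEXIST` is acted on, so any other return from `sss_ncache_check_group()` or `sss_ncache_check_gid()` leaves the group in the initgroups reply, and a group with a NULL name is checked by gid alone. If that fail-open behaviour is intended, a one-line comment such as `/* lookup errors are treated as "not filtered" */` would make it explicit. `nss_protocol_fill_initgr()` continues outside the hunks.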
--- /dev/null +++ b/SOURCES/0011-ifp-fix-use-after-free.patch @@ -0,0 +1,36 @@ +From 81e757b7b1d69893b5725f9c148c55d89c779e7b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 3 Nov 2020 10:12:15 +0100 +Subject: [PATCH] ifp: fix use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The variable fqdn is pointing to some data from state->res->msgs[0]. But +before fqdn is used in the next search state->res and the memory +hierarchy below is freed. As a result the location where fqdn is pointing +to might hold the expected data or other data and the search will fail +intermittently. + +Resolves: https://github.com/SSSD/sssd/issues/5382 + +Reviewed-by: Pavel Březina +--- + src/responder/ifp/ifpsrv_cmd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c +index 9f20bf2db..d95618127 100644 +--- a/src/responder/ifp/ifpsrv_cmd.c ++++ b/src/responder/ifp/ifpsrv_cmd.c +@@ -128,6 +128,7 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq) + tevent_req_error(req, ERR_INTERNAL); + return; + } ++ fqdn = talloc_steal(state, fqdn); + + if (state->search_type == SSS_DP_USER) { + /* throw away the result and perform attr search */ +-- +2.21.3 + diff --git a/SOURCES/0011-ipa-add-failover-to-subdomain-override-lookups.patch b/SOURCES/0011-ipa-add-failover-to-subdomain-override-lookups.patch deleted file mode 100644 index dc2b0e6..0000000 --- a/SOURCES/0011-ipa-add-failover-to-subdomain-override-lookups.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From df632eec450791559a4a7644f241964397c10ff9 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 5 Jun 2020 13:59:25 +0200 -Subject: [PATCH] ipa: add failover to subdomain override lookups - -In the ipa_subdomain_account request failover handling was missing. - -Related to https://github.com/SSSD/sssd/issues/5075 - (was https://pagure.io/SSSD/sssd/issue/4114) - -Reviewed-by: Pawel Polawski ---- - src/providers/ipa/ipa_subdomains_id.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c -index 1224c7b73..36f32fae8 100644 ---- a/src/providers/ipa/ipa_subdomains_id.c -+++ b/src/providers/ipa/ipa_subdomains_id.c -@@ -208,6 +208,20 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq) - &state->override_attrs); - talloc_zfree(subreq); - if (ret != EOK) { -+ ret = sdap_id_op_done(state->op, ret, &dp_error); -+ -+ if (dp_error == DP_ERR_OK && ret != EOK) { -+ /* retry */ -+ subreq = sdap_id_op_connect_send(state->op, state, &ret); -+ if (subreq == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n"); -+ goto fail; -+ } -+ tevent_req_set_callback(subreq, ipa_subdomain_account_connected, -+ req); -+ return; -+ } -+ - DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret); - goto fail; - } --- -2.21.3 - diff --git a/SOURCES/0012-GPO-fix-link-order-in-a-SOM.patch b/SOURCES/0012-GPO-fix-link-order-in-a-SOM.patch deleted file mode 100644 index 39b2e20..0000000 --- a/SOURCES/0012-GPO-fix-link-order-in-a-SOM.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From dce025b882db7247571b135e928afb47f069a60f Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 27 Feb 2020 06:54:21 +0100 -Subject: [PATCH] GPO: fix link order in a SOM - -GPOs of the same OU were applied in the wrong order. Details about how -GPOs should be processed can be found e.g. at -https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11) - -Resolves: https://github.com/SSSD/sssd/issues/5103 - -Reviewed-by: Alexey Tikhonov ---- - src/providers/ad/ad_gpo.c | 59 +++++++++++++++++++++++++++++---------- - 1 file changed, 45 insertions(+), 14 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index bbe8d8a1e..1524c4bfc 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -3511,14 +3511,19 @@ ad_gpo_process_som_recv(struct tevent_req *req, - * - GPOs linked to an OU will be applied after GPOs linked to a Domain, - * which will be applied after GPOs linked to a Site. - * - multiple GPOs linked to a single SOM are applied in their link order -- * (i.e. 1st GPO linked to SOM is applied after 2nd GPO linked to SOM, etc). -+ * (i.e. 1st GPO linked to SOM is applied before 2nd GPO linked to SOM, etc). - * - enforced GPOs are applied after unenforced GPOs. - * - * As such, the _candidate_gpos output's dn fields looks like (in link order): -- * [unenforced {Site, Domain, OU}; enforced {Site, Domain, OU}] -+ * [unenforced {Site, Domain, OU}; enforced {OU, Domain, Site}] - * - * Note that in the case of conflicting policy settings, GPOs appearing later -- * in the list will trump GPOs appearing earlier in the list. -+ * in the list will trump GPOs appearing earlier in the list. Therefore the -+ * enforced GPOs are applied in revers order after the unenforced GPOs to -+ * make sure the enforced setting form the highest level will be applied. -+ * -+ * GPO processing details can be found e.g. 
at -+ * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11) - */ - static errno_t - ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx, -@@ -3542,6 +3547,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx, - int i = 0; - int j = 0; - int ret; -+ size_t som_count = 0; - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { -@@ -3568,6 +3574,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx, - } - i++; - } -+ som_count = i; - - num_candidate_gpos = num_enforced + num_unenforced; - -@@ -3590,9 +3597,43 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx, - goto done; - } - -+ i = som_count -1 ; -+ while (i >= 0) { -+ gp_som = som_list[i]; -+ -+ /* For unenforced_gpo_dns the most specific GPOs with the highest -+ * priority should be the last. We start with the top-level SOM and go -+ * down to the most specific one and add the unenforced following the -+ * gplink_list where the GPO with the highest priority comes last. */ -+ j = 0; -+ while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) { -+ gp_gplink = gp_som->gplink_list[j]; -+ -+ if (!gp_gplink->enforced) { -+ unenforced_gpo_dns[unenforced_idx] = -+ talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn); -+ -+ if (unenforced_gpo_dns[unenforced_idx] == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ unenforced_idx++; -+ } -+ j++; -+ } -+ i--; -+ } -+ - i = 0; - while (som_list[i]) { - gp_som = som_list[i]; -+ -+ /* For enforced GPOs we start processing with the most specific SOM to -+ * make sur enforced GPOs from higher levels override to lower level -+ * ones. According to the 'Group Policy Inheritance' tab in the -+ * Windows 'Goup Policy Management' utility in the same SOM the link -+ * order is still observed and an enforced GPO with a lower link order -+ * value still overrides an enforced GPO with a higher link order. 
*/ - j = 0; - while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) { - gp_gplink = gp_som->gplink_list[j]; -@@ -3610,16 +3651,6 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx, - goto done; - } - enforced_idx++; -- } else { -- -- unenforced_gpo_dns[unenforced_idx] = -- talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn); -- -- if (unenforced_gpo_dns[unenforced_idx] == NULL) { -- ret = ENOMEM; -- goto done; -- } -- unenforced_idx++; - } - j++; - } -@@ -3638,7 +3669,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx, - } - - gpo_dn_idx = 0; -- for (i = num_unenforced - 1; i >= 0; i--) { -+ for (i = 0; i < num_unenforced; i++) { - candidate_gpos[gpo_dn_idx] = talloc_zero(candidate_gpos, struct gp_gpo); - if (candidate_gpos[gpo_dn_idx] == NULL) { - ret = ENOMEM; --- -2.21.3 - diff --git a/SOURCES/0012-ifp-fix-original-fix-use-after-free.patch b/SOURCES/0012-ifp-fix-original-fix-use-after-free.patch new file mode 100644 index 0000000..8e87526 --- /dev/null +++ b/SOURCES/0012-ifp-fix-original-fix-use-after-free.patch 
@@ -0,0 +1,38 @@
+From 3b158934cbb8f87cbfaf1650389b8dcd654b92ca Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 19 Nov 2020 18:05:00 +0100
+Subject: [PATCH] ifp: fix original fix use-after-free
+
+The original fix stole the fqdn too earlier. Only for SSS_DP_USER
+requests the steal is important. For other request where the first
+result is returned to the caller the original version
+might even cause issues since the name does not belong to the memory
+hierarchy of the result anymore.
+
+Resolves: https://github.com/SSSD/sssd/issues/5382
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/responder/ifp/ifpsrv_cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
+index d95618127..8cf1ec84c 100644
+--- a/src/responder/ifp/ifpsrv_cmd.c
++++ b/src/responder/ifp/ifpsrv_cmd.c
+@@ -128,10 +128,10 @@ static void ifp_user_get_attr_done(struct tevent_req *subreq)
+ tevent_req_error(req, ERR_INTERNAL);
+ return;
+ }
+- fqdn = talloc_steal(state, fqdn);
+
+ if (state->search_type == SSS_DP_USER) {
+- /* throw away the result and perform attr search */
++ /* throw away the result but keep the fqdn and perform attr search */
++ fqdn = talloc_steal(state, fqdn);
+ talloc_zfree(state->res);
+
+ ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn,
+--
+2.21.3
+
diff --git a/SOURCES/0013-pam_sss-use-unique-id-for-gdm-choice-list.patch b/SOURCES/0013-pam_sss-use-unique-id-for-gdm-choice-list.patch
new file mode 100644
index 0000000..c374782
--- /dev/null
+++ b/SOURCES/0013-pam_sss-use-unique-id-for-gdm-choice-list.patch
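Review bot: The ordering between the relocated `fqdn = talloc_steal(state, fqdn);` and the `talloc_zfree(state->res);` that follows it is what prevents the use-after-free, but the new comment only says to "keep the fqdn" and does not say why the steal has to come first. Presumably fqdn still points into memory owned by state->res at this point (its origin is outside the hunk), so I would spell that out, e.g. `/* fqdn is still parented to state->res; steal it to state before the result is freed */`. It would also help to record at the steal that the non-SSS_DP_USER paths hand state->res back to the caller and therefore must leave fqdn inside the result's memory hierarchy, since that is the regression this commit corrects. ifp_user_get_attr_done starts and ends outside the hunk.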
@@ -0,0 +1,68 @@ +From 1b9b7f5a635ede8eee90d13bfe0e1f87e51191a9 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 13 Nov 2020 12:59:39 +0100 +Subject: [PATCH 13/16] pam_sss: use unique id for gdm choice list + +Currently the key-id read from the Smartcard is used as key value for +the gdm choice list dialog. Since it might be possible that multiple +certificates use the same key and hence the same key-id this is not a +suitable value. + +With this patch the string representation of a numerical counter is used. + +Resolves: https://github.com/SSSD/sssd/issues/5400 + +Reviewed-by: Alexey Tikhonov +--- + src/sss_client/pam_sss.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index b844d257e..04dfdb55d 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -128,6 +128,7 @@ struct cert_auth_info { + char *key_id; + char *prompt_str; + char *pam_cert_user; ++ char *choice_list_id; + struct cert_auth_info *prev; + struct cert_auth_info *next; + }; +@@ -141,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai) + free(cai->module_name); + free(cai->key_id); + free(cai->prompt_str); ++ free(cai->choice_list_id); + free(cai); + } + } +@@ -1698,7 +1700,15 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi) + ret = ENOMEM; + goto done; + } +- request->list.items[c].key = cai->key_id; ++ free(cai->choice_list_id); ++ ret = asprintf(&cai->choice_list_id, "%zu", c); ++ if (ret == -1) { ++ cai->choice_list_id = NULL; ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ request->list.items[c].key = cai->choice_list_id; + request->list.items[c++].text = prompt; + } + +@@ -1719,7 +1729,7 @@ static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi) + } + + DLIST_FOR_EACH(cai, pi->cert_list) { +- if (strcmp(response->key, cai->key_id) == 0) { ++ if (strcmp(response->key, cai->choice_list_id) == 0) { + pam_info(pamh, "Certificate 
‘%s’ selected", cai->key_id); + pi->selected_cert = cai; + ret = 0; +-- +2.21.3 + diff --git a/SOURCES/0013-sysdb-make-sysdb_update_subdomains-more-robust.patch b/SOURCES/0013-sysdb-make-sysdb_update_subdomains-more-robust.patch deleted file mode 100644 index c16d932..0000000 --- a/SOURCES/0013-sysdb-make-sysdb_update_subdomains-more-robust.patch +++ /dev/null 
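Review bot: The added `free(cai->choice_list_id);` ahead of `asprintf()` in prompt_multi_cert_gdm is only safe if every `struct cert_auth_info` is zero-initialised when it is allocated; the allocation site is not part of this patch, so that should be confirmed (calloc or an explicit `cai->choice_list_id = NULL;`), otherwise the first call frees an indeterminate pointer. The later `strcmp(response->key, cai->choice_list_id)` likewise assumes that every entry in pi->cert_list was given an id by the loop above and that response->key is non-NULL, neither of which is checked in the visible lines. Separately, the confirmation `pam_info(pamh, "Certificate ‘%s’ selected", cai->key_id);` still prints the key-id, which the commit message describes as not unique, so two certificates sharing a key produce the same message; printing `cai->prompt_str` would identify the selection. The function body continues outside these hunks.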
@@ -1,58 +0,0 @@
-From 8ca799ea968e548337acb0300642a0d88f1bba9b Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Thu, 7 May 2020 15:47:35 +0200
-Subject: [PATCH 13/19] sysdb: make sysdb_update_subdomains() more robust
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some NULL checks are added basically to allow that missing values can be
-set later.
-
-Resolves: https://github.com/SSSD/sssd/issues/5151
-
-Reviewed-by: Pavel Březina
----
- src/db/sysdb_subdomains.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
-index b170d1978..d256817a6 100644
---- a/src/db/sysdb_subdomains.c
-+++ b/src/db/sysdb_subdomains.c
-@@ -421,7 +421,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
- }
-
- /* in theory these may change, but it should never happen */
-- if (strcasecmp(dom->realm, realm) != 0) {
-+ if ((dom->realm == NULL && realm != NULL)
-+ || (dom->realm != NULL && realm != NULL
-+ && strcasecmp(dom->realm, realm) != 0)) {
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Realm name changed from [%s] to [%s]!\n",
- dom->realm, realm);
-@@ -432,7 +434,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
- goto done;
- }
- }
-- if (strcasecmp(dom->flat_name, flat) != 0) {
-+ if ((dom->flat_name == NULL && flat != NULL)
-+ || (dom->flat_name != NULL && flat != NULL
-+ && strcasecmp(dom->flat_name, flat) != 0)) {
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Flat name changed from [%s] to [%s]!\n",
- dom->flat_name, flat);
-@@ -443,7 +447,9 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
- goto done;
- }
- }
-- if (strcasecmp(dom->domain_id, id) != 0) {
-+ if ((dom->domain_id == NULL && id != NULL)
-+ || (dom->domain_id != NULL && id != NULL
-+ && strcasecmp(dom->domain_id, id) != 0)) {
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Domain changed from [%s] to [%s]!\n",
- dom->domain_id, id);
---
-2.21.3
-
diff --git a/SOURCES/0014-ad-rename-ad_master_domain_-to-ad_domain_info_.patch b/SOURCES/0014-ad-rename-ad_master_domain_-to-ad_domain_info_.patch deleted file mode 100644 index 5674c81..0000000 --- a/SOURCES/0014-ad-rename-ad_master_domain_-to-ad_domain_info_.patch +++ /dev/null 
@@ -1,334 +0,0 @@ -From d3089173dd8be85a83cf0236e116ba8e11326a6d Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 7 May 2020 16:51:02 +0200 -Subject: [PATCH 14/19] ad: rename ad_master_domain_* to ad_domain_info_* -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The ad_master_domain_{send|recv} are not specific to the master domain -so a more generic name seems to be suitable. - -Resolves: https://github.com/SSSD/sssd/issues/5151 - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_domain_info.c | 64 +++++++++++++++---------------- - src/providers/ad/ad_domain_info.h | 10 ++--- - src/providers/ad/ad_gpo.c | 8 ++-- - src/providers/ad/ad_id.c | 14 +++---- - src/providers/ad/ad_resolver.c | 8 ++-- - src/providers/ad/ad_subdomains.c | 8 ++-- - 6 files changed, 56 insertions(+), 56 deletions(-) - -diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c -index 5302c8083..52b2e2442 100644 ---- a/src/providers/ad/ad_domain_info.c -+++ b/src/providers/ad/ad_domain_info.c -@@ -175,7 +175,7 @@ done: - return ret; - } - --struct ad_master_domain_state { -+struct ad_domain_info_state { - struct tevent_context *ev; - struct sdap_id_conn_ctx *conn; - struct sdap_id_op *id_op; -@@ -191,22 +191,22 @@ struct ad_master_domain_state { - char *sid; - }; - --static errno_t ad_master_domain_next(struct tevent_req *req); --static void ad_master_domain_next_done(struct tevent_req *subreq); --static void ad_master_domain_netlogon_done(struct tevent_req *req); -+static errno_t ad_domain_info_next(struct tevent_req *req); -+static void ad_domain_info_next_done(struct tevent_req *subreq); -+static void ad_domain_info_netlogon_done(struct tevent_req *req); - - struct tevent_req * --ad_master_domain_send(TALLOC_CTX *mem_ctx, -- struct tevent_context *ev, -- struct sdap_id_conn_ctx *conn, -- struct sdap_id_op *op, -- const char *dom_name) -+ad_domain_info_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ 
struct sdap_id_conn_ctx *conn, -+ struct sdap_id_op *op, -+ const char *dom_name) - { - errno_t ret; - struct tevent_req *req; -- struct ad_master_domain_state *state; -+ struct ad_domain_info_state *state; - -- req = tevent_req_create(mem_ctx, &state, struct ad_master_domain_state); -+ req = tevent_req_create(mem_ctx, &state, struct ad_domain_info_state); - if (!req) return NULL; - - state->ev = ev; -@@ -216,7 +216,7 @@ ad_master_domain_send(TALLOC_CTX *mem_ctx, - state->opts = conn->id_ctx->opts; - state->dom_name = dom_name; - -- ret = ad_master_domain_next(req); -+ ret = ad_domain_info_next(req); - if (ret != EOK && ret != EAGAIN) { - goto immediate; - } -@@ -234,14 +234,14 @@ immediate: - } - - static errno_t --ad_master_domain_next(struct tevent_req *req) -+ad_domain_info_next(struct tevent_req *req) - { - struct tevent_req *subreq; - struct sdap_search_base *base; - const char *master_sid_attrs[] = {AD_AT_OBJECT_SID, NULL}; - -- struct ad_master_domain_state *state = -- tevent_req_data(req, struct ad_master_domain_state); -+ struct ad_domain_info_state *state = -+ tevent_req_data(req, struct ad_domain_info_state); - - base = state->opts->sdom->search_bases[state->base_iter]; - if (base == NULL) { -@@ -261,13 +261,13 @@ ad_master_domain_next(struct tevent_req *req) - DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); - return ENOMEM; - } -- tevent_req_set_callback(subreq, ad_master_domain_next_done, req); -+ tevent_req_set_callback(subreq, ad_domain_info_next_done, req); - - return EAGAIN; - } - - static void --ad_master_domain_next_done(struct tevent_req *subreq) -+ad_domain_info_next_done(struct tevent_req *subreq) - { - errno_t ret; - size_t reply_count; -@@ -281,8 +281,8 @@ ad_master_domain_next_done(struct tevent_req *subreq) - - struct tevent_req *req = tevent_req_callback_data(subreq, - struct tevent_req); -- struct ad_master_domain_state *state = -- tevent_req_data(req, struct ad_master_domain_state); -+ struct ad_domain_info_state *state = 
-+ tevent_req_data(req, struct ad_domain_info_state); - - ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); - talloc_zfree(subreq); -@@ -293,7 +293,7 @@ ad_master_domain_next_done(struct tevent_req *subreq) - - if (reply_count == 0) { - state->base_iter++; -- ret = ad_master_domain_next(req); -+ ret = ad_domain_info_next(req); - if (ret == EAGAIN) { - /* Async request will get us back here again */ - return; -@@ -362,7 +362,7 @@ ad_master_domain_next_done(struct tevent_req *subreq) - goto done; - } - -- tevent_req_set_callback(subreq, ad_master_domain_netlogon_done, req); -+ tevent_req_set_callback(subreq, ad_domain_info_netlogon_done, req); - return; - - done: -@@ -370,7 +370,7 @@ done: - } - - static void --ad_master_domain_netlogon_done(struct tevent_req *subreq) -+ad_domain_info_netlogon_done(struct tevent_req *subreq) - { - int ret; - size_t reply_count; -@@ -378,8 +378,8 @@ ad_master_domain_netlogon_done(struct tevent_req *subreq) - - struct tevent_req *req = tevent_req_callback_data(subreq, - struct tevent_req); -- struct ad_master_domain_state *state = -- tevent_req_data(req, struct ad_master_domain_state); -+ struct ad_domain_info_state *state = -+ tevent_req_data(req, struct ad_domain_info_state); - - ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); - talloc_zfree(subreq); -@@ -422,15 +422,15 @@ done: - } - - errno_t --ad_master_domain_recv(struct tevent_req *req, -- TALLOC_CTX *mem_ctx, -- char **_flat, -- char **_id, -- char **_site, -- char **_forest) -+ad_domain_info_recv(struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ char **_flat, -+ char **_id, -+ char **_site, -+ char **_forest) - { -- struct ad_master_domain_state *state = tevent_req_data(req, -- struct ad_master_domain_state); -+ struct ad_domain_info_state *state = tevent_req_data(req, -+ struct ad_domain_info_state); - - TEVENT_REQ_RETURN_ON_ERROR(req); - -diff --git a/src/providers/ad/ad_domain_info.h b/src/providers/ad/ad_domain_info.h -index 
b96e8a3c3..631e543f5 100644 ---- a/src/providers/ad/ad_domain_info.h -+++ b/src/providers/ad/ad_domain_info.h -@@ -22,22 +22,22 @@ - along with this program. If not, see . - */ - --#ifndef _AD_MASTER_DOMAIN_H_ --#define _AD_MASTER_DOMAIN_H_ -+#ifndef _AD_DOMAIN_INFO_H_ -+#define _AD_DOMAIN_INFO_H_ - - struct tevent_req * --ad_master_domain_send(TALLOC_CTX *mem_ctx, -+ad_domain_info_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sdap_id_conn_ctx *conn, - struct sdap_id_op *op, - const char *dom_name); - - errno_t --ad_master_domain_recv(struct tevent_req *req, -+ad_domain_info_recv(struct tevent_req *req, - TALLOC_CTX *mem_ctx, - char **_flat, - char **_id, - char **_site, - char **_forest); - --#endif /* _AD_MASTER_DOMAIN_H_ */ -+#endif /* _AD_DOMAIN_INFO_H_ */ -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 1524c4bfc..53560a754 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -3151,11 +3151,11 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx, - goto immediately; - } - -- subreq = ad_master_domain_send(state, state->ev, conn, -- state->sdap_op, domain_name); -+ subreq = ad_domain_info_send(state, state->ev, conn, -+ state->sdap_op, domain_name); - - if (subreq == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n"); -+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n"); - ret = ENOMEM; - goto immediately; - } -@@ -3188,7 +3188,7 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq) - state = tevent_req_data(req, struct ad_gpo_process_som_state); - - /* gpo code only cares about the site name */ -- ret = ad_master_domain_recv(subreq, state, NULL, NULL, &site, NULL); -+ ret = ad_domain_info_recv(subreq, state, NULL, NULL, &site, NULL); - talloc_zfree(subreq); - - if (ret != EOK || site == NULL) { -diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c -index 84e5c42ac..ca6486e03 100644 ---- a/src/providers/ad/ad_id.c -+++ b/src/providers/ad/ad_id.c -@@ 
-663,12 +663,12 @@ ad_enumeration_conn_done(struct tevent_req *subreq) - return; - } - -- subreq = ad_master_domain_send(state, state->ev, -- state->id_ctx->ldap_ctx, -- state->sdap_op, -- state->sdom->dom->name); -+ subreq = ad_domain_info_send(state, state->ev, -+ state->id_ctx->ldap_ctx, -+ state->sdap_op, -+ state->sdom->dom->name); - if (subreq == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n"); -+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n"); - tevent_req_error(req, ret); - return; - } -@@ -687,8 +687,8 @@ ad_enumeration_master_done(struct tevent_req *subreq) - char *master_sid; - char *forest; - -- ret = ad_master_domain_recv(subreq, state, -- &flat_name, &master_sid, NULL, &forest); -+ ret = ad_domain_info_recv(subreq, state, -+ &flat_name, &master_sid, NULL, &forest); - talloc_zfree(subreq); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n"); -diff --git a/src/providers/ad/ad_resolver.c b/src/providers/ad/ad_resolver.c -index b58f08ecf..c87706094 100644 ---- a/src/providers/ad/ad_resolver.c -+++ b/src/providers/ad/ad_resolver.c -@@ -317,10 +317,10 @@ ad_resolver_enumeration_conn_done(struct tevent_req *subreq) - return; - } - -- subreq = ad_master_domain_send(state, state->ev, id_ctx->conn, -- state->sdap_op, state->sdom->dom->name); -+ subreq = ad_domain_info_send(state, state->ev, id_ctx->conn, -+ state->sdap_op, state->sdom->dom->name); - if (subreq == NULL) { -- DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n"); -+ DEBUG(SSSDBG_OP_FAILURE, "ad_domain_info_send failed.\n"); - tevent_req_error(req, ret); - return; - } -@@ -346,7 +346,7 @@ ad_resolver_enumeration_master_done(struct tevent_req *subreq) - char *forest; - struct ad_id_ctx *ad_id_ctx; - -- ret = ad_master_domain_recv(subreq, state, -+ ret = ad_domain_info_recv(subreq, state, - &flat_name, &master_sid, NULL, &forest); - talloc_zfree(subreq); - if (ret != EOK) { -diff --git a/src/providers/ad/ad_subdomains.c 
b/src/providers/ad/ad_subdomains.c -index 06fbdb0ef..c53962283 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -1756,8 +1756,8 @@ static void ad_subdomains_refresh_connect_done(struct tevent_req *subreq) - } - - /* connect to the DC we are a member of */ -- subreq = ad_master_domain_send(state, state->ev, state->id_ctx->conn, -- state->sdap_op, state->sd_ctx->domain_name); -+ subreq = ad_domain_info_send(state, state->ev, state->id_ctx->conn, -+ state->sdap_op, state->sd_ctx->domain_name); - if (subreq == NULL) { - tevent_req_error(req, ENOMEM); - return; -@@ -1779,8 +1779,8 @@ static void ad_subdomains_refresh_master_done(struct tevent_req *subreq) - req = tevent_req_callback_data(subreq, struct tevent_req); - state = tevent_req_data(req, struct ad_subdomains_refresh_state); - -- ret = ad_master_domain_recv(subreq, state, &flat_name, &master_sid, -- NULL, &state->forest); -+ ret = ad_domain_info_recv(subreq, state, &flat_name, &master_sid, -+ NULL, &state->forest); - talloc_zfree(subreq); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get master domain information " --- -2.21.3 - diff --git a/SOURCES/0014-authtok-add-label-to-Smartcard-token.patch b/SOURCES/0014-authtok-add-label-to-Smartcard-token.patch new file mode 100644 index 0000000..741fc5d --- /dev/null +++ b/SOURCES/0014-authtok-add-label-to-Smartcard-token.patch 
@@ -0,0 +1,1072 @@ +From 8b6be52e95e953ae0431676de0b8c8be7a3262bc Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 13 Nov 2020 18:05:14 +0100 +Subject: [PATCH 14/16] authtok: add label to Smartcard token + +The key-id might not be sufficient to identify a certificate on a +Smartcard since it is possible that multiple certificates will use the +same key. + +This patch adds the certificate label to the Smartcard authtok item to +resolve the ambiguity if the key-id is used for multiple certificates. + +Resolves: https://github.com/SSSD/sssd/issues/5400 + +Reviewed-by: Alexey Tikhonov +--- + src/p11_child/p11_child.h | 3 +- + src/p11_child/p11_child_common.c | 12 +++-- + src/p11_child/p11_child_openssl.c | 16 +++++-- + src/providers/krb5/krb5_child.c | 14 +++++- + src/responder/pam/pamsrv_cmd.c | 5 +- + src/responder/pam/pamsrv_p11.c | 8 +++- + src/sss_client/pam_sss.c | 3 ++ + src/tests/cmocka/test_authtok.c | 36 +++++++++------ + src/tests/cmocka/test_pam_srv.c | 65 ++++++++++++++------------ + src/util/authtok-utils.c | 30 ++++++++++-- + src/util/authtok-utils.h | 11 ++++- + src/util/authtok.c | 77 +++++++++++++++++++++++++------ + src/util/authtok.h | 14 +++++- + 13 files changed, 214 insertions(+), 80 deletions(-) + +diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h +index 0b53e70c5..9c0cefe05 100644 +--- a/src/p11_child/p11_child.h ++++ b/src/p11_child/p11_child.h +@@ -68,7 +68,8 @@ bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64); + errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, + enum op_mode mode, const char *pin, + const char *module_name_in, const char *token_name_in, +- const char *key_id_in, const char *uri, char **_multi); ++ const char *key_id_in, const char *label, ++ const char *uri, char **_multi); + + errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, + struct cert_verify_opts **cert_verify_opts); +diff --git a/src/p11_child/p11_child_common.c 
b/src/p11_child/p11_child_common.c +index 236d7dac4..f17de1a9e 100644 +--- a/src/p11_child/p11_child_common.c ++++ b/src/p11_child/p11_child_common.c +@@ -60,7 +60,8 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, + bool wait_for_card, + const char *cert_b64, const char *pin, + const char *module_name, const char *token_name, +- const char *key_id, const char *uri, char **multi) ++ const char *key_id, const char *label, const char *uri, ++ char **multi) + { + int ret; + struct p11_ctx *p11_ctx; +@@ -91,7 +92,7 @@ static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, + } + } else { + ret = do_card(mem_ctx, p11_ctx, mode, pin, +- module_name, token_name, key_id, uri, multi); ++ module_name, token_name, key_id, label, uri, multi); + } + + done: +@@ -158,6 +159,7 @@ int main(int argc, const char *argv[]) + char *module_name = NULL; + char *token_name = NULL; + char *key_id = NULL; ++ char *label = NULL; + char *cert_b64 = NULL; + bool wait_for_card = false; + char *uri = NULL; +@@ -194,6 +196,8 @@ int main(int argc, const char *argv[]) + _("Token name for authentication"), NULL}, + {"key_id", 0, POPT_ARG_STRING, &key_id, 0, + _("Key ID for authentication"), NULL}, ++ {"label", 0, POPT_ARG_STRING, &label, 0, ++ _("Label for authentication"), NULL}, + {"certificate", 0, POPT_ARG_STRING, &cert_b64, 0, + _("certificate to verify, base64 encoded"), NULL}, + {"uri", 0, POPT_ARG_STRING, &uri, 0, +@@ -340,6 +344,7 @@ int main(int argc, const char *argv[]) + } + talloc_steal(main_ctx, debug_prg_name); + ++ /* We do not require the label, but it is recommended */ + if (mode == OP_AUTH && (module_name == NULL || token_name == NULL + || key_id == NULL)) { + DEBUG(SSSDBG_FATAL_FAILURE, +@@ -369,7 +374,8 @@ int main(int argc, const char *argv[]) + } + + ret = do_work(main_ctx, mode, ca_db, cert_verify_opts, wait_for_card, +- cert_b64, pin, module_name, token_name, key_id, uri, &multi); ++ cert_b64, pin, module_name, 
token_name, key_id, label, uri, ++ &multi); + if (ret != 0) { + DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n"); + goto fail; +diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c +index 04b3e1467..d81a1a9ea 100644 +--- a/src/p11_child/p11_child_openssl.c ++++ b/src/p11_child/p11_child_openssl.c +@@ -1587,7 +1587,8 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id) + errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, + enum op_mode mode, const char *pin, + const char *module_name_in, const char *token_name_in, +- const char *key_id_in, const char *uri_str, char **_multi) ++ const char *key_id_in, const char *label_in, ++ const char *uri_str, char **_multi) + { + int ret; + size_t c; +@@ -1845,11 +1846,13 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, + DLIST_FOR_EACH(item, all_cert_list) { + /* Check if we found the certificates we needed for authentication or + * the requested ones for pre-auth. For authentication all attributes +- * must be given and match, for pre-auth only the given ones must +- * match. */ +- DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n", ++ * except the label must be given and match. The label is optional for ++ * authentication but if given it must match as well. For pre-auth ++ * only the given ones must match. */ ++ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s %s.\n", + module_name_in, module_file_name, token_name_in, token_name, +- key_id_in, item->id); ++ key_id_in, label_in == NULL ? 
"- no label given-" : label_in, ++ item->id); + + if ((mode == OP_AUTH + && module_name_in != NULL +@@ -1857,6 +1860,9 @@ errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, + && key_id_in != NULL + && item->id != NULL + && strcmp(key_id_in, item->id) == 0 ++ && (label_in == NULL ++ || (label_in != NULL && item->label != NULL ++ && strcmp(label_in, item->label) == 0)) + && strcmp(token_name_in, token_name) == 0 + && strcmp(module_name_in, module_file_name) == 0) + || (mode == OP_PREAUTH +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index 6e2bf6d75..cab7b27a2 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -714,7 +714,7 @@ static krb5_error_code answer_pkinit(krb5_context ctx, + kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL, + &token_name, NULL, + &module_name, NULL, +- NULL, NULL); ++ NULL, NULL, NULL, NULL); + if (kerr != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_authtok_get_sc failed.\n"); +@@ -1226,11 +1226,12 @@ static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx, + const char *token_name; + const char *module_name; + const char *key_id; ++ const char *label; + + ret = sss_authtok_get_sc(authtok, NULL, NULL, + &token_name, NULL, + &module_name, NULL, +- &key_id, NULL); ++ &key_id, NULL, &label, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n"); + return ret; +@@ -1267,6 +1268,15 @@ static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx, + } + } + ++ if (label != NULL && *label != '\0') { ++ identity = talloc_asprintf_append(identity, ":certlabel=%s", label); ++ if (identity == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "talloc_asprintf_append failed.\n"); ++ return ENOMEM; ++ } ++ } ++ + *_identity = identity; + + DEBUG(SSSDBG_TRACE_ALL, "Using pkinit identity [%s].\n", identity); +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index 9ea488be4..d3f092b2b 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ 
b/src/responder/pam/pamsrv_cmd.c +@@ -1258,7 +1258,7 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p + || sss_authtok_get_type(pd->authtok) + == SSS_AUTHTOK_TYPE_SC_KEYPAD)) { + ret = sss_authtok_get_sc(pd->authtok, NULL, NULL, NULL, NULL, NULL, +- NULL, &key_id, NULL); ++ NULL, &key_id, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n"); + goto done; +@@ -2274,7 +2274,8 @@ static void pam_dom_forwarder(struct pam_auth_req *preq) + SSS_AUTHTOK_TYPE_SC_PIN, NULL, 0, + sss_cai_get_token_name(preq->current_cert), 0, + sss_cai_get_module_name(preq->current_cert), 0, +- sss_cai_get_key_id(preq->current_cert), 0); ++ sss_cai_get_key_id(preq->current_cert), 0, ++ sss_cai_get_label(preq->current_cert), 0); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_authtok_set_sc failed, Smartcard " +diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c +index abc987804..23f94927a 100644 +--- a/src/responder/pam/pamsrv_p11.c ++++ b/src/responder/pam/pamsrv_p11.c +@@ -727,6 +727,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, + const char *module_name = NULL; + const char *token_name = NULL; + const char *key_id = NULL; ++ const char *label = NULL; + + req = tevent_req_create(mem_ctx, &state, struct pam_check_cert_state); + if (req == NULL) { +@@ -766,7 +767,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, + if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN + || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) { + ret = sss_authtok_get_sc(pd->authtok, NULL, NULL, &token_name, NULL, +- &module_name, NULL, &key_id, NULL); ++ &module_name, NULL, &key_id, NULL, ++ &label, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n"); + goto done; +@@ -784,6 +786,10 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, + extra_args[arg_c++] = key_id; + extra_args[arg_c++] = "--key_id"; 
+ } ++ if (label != NULL && *label != '\0') { ++ extra_args[arg_c++] = label; ++ extra_args[arg_c++] = "--label"; ++ } + } + + if (pd->cmd == SSS_PAM_AUTHENTICATE) { +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index 04dfdb55d..cffbfa770 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -126,6 +126,7 @@ struct cert_auth_info { + char *token_name; + char *module_name; + char *key_id; ++ char *label; + char *prompt_str; + char *pam_cert_user; + char *choice_list_id; +@@ -1962,6 +1963,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0, + cai->module_name, 0, + cai->key_id, 0, ++ cai->label, 0, + NULL, 0, &needed_size); + if (ret != EAGAIN) { + D(("sss_auth_pack_sc_blob failed.")); +@@ -1979,6 +1981,7 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) + ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0, + cai->module_name, 0, + cai->key_id, 0, ++ cai->label, 0, + (uint8_t *) pi->pam_authtok, needed_size, + &needed_size); + if (ret != EOK) { +diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c +index a8f5bdee7..a31014eb6 100644 +--- a/src/tests/cmocka/test_authtok.c ++++ b/src/tests/cmocka/test_authtok.c +@@ -451,25 +451,27 @@ void test_sss_authtok_sc_blobs(void **state) + size_t module_name_len; + const char *key_id; + size_t key_id_len; ++ const char *label; ++ size_t label_len; + + ts = talloc_get_type_abort(*state, struct test_state); + + ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0, +- NULL, 0, &needed_size); ++ "stuvw", 0, NULL, 0, &needed_size); + assert_int_equal(ret, EAGAIN); + + buf = talloc_size(ts, needed_size); + assert_non_null(buf); + + ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0, +- buf, needed_size, &needed_size); ++ "stuvw", 0, buf, needed_size, &needed_size); + assert_int_equal(ret, EOK); + + #if __BYTE_ORDER == 
__LITTLE_ENDIAN +- assert_memory_equal(buf, "\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0abc\0defg\0hijkl\0mnopqr\0", ++ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0\6\0\0\0abc\0defg\0hijkl\0mnopqr\0stuvw\0", + needed_size); + #else +- assert_memory_equal(buf, "\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\7abc\0defg\0hijkl\0mnopqr\0", ++ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0\6abc\0defg\0hijkl\0mnopqr\0stuvw\0", + needed_size); + #endif + +@@ -485,7 +487,8 @@ void test_sss_authtok_sc_blobs(void **state) + ret = sss_authtok_get_sc(ts->authtoken, &pin, &pin_len, + &token_name, &token_name_len, + &module_name, &module_name_len, +- &key_id, &key_id_len); ++ &key_id, &key_id_len, ++ &label, &label_len); + assert_int_equal(ret, EOK); + assert_int_equal(pin_len, 3); + assert_string_equal(pin, "abc"); +@@ -495,11 +498,14 @@ void test_sss_authtok_sc_blobs(void **state) + assert_string_equal(module_name, "hijkl"); + assert_int_equal(key_id_len, 6); + assert_string_equal(key_id, "mnopqr"); ++ assert_int_equal(label_len, 5); ++ assert_string_equal(label, "stuvw"); + + ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL, + &token_name, &token_name_len, + &module_name, &module_name_len, +- &key_id, &key_id_len); ++ &key_id, &key_id_len, ++ &label, &label_len); + assert_int_equal(ret, EOK); + assert_int_equal(token_name_len, 4); + assert_string_equal(token_name, "defg"); +@@ -507,15 +513,19 @@ void test_sss_authtok_sc_blobs(void **state) + assert_string_equal(module_name, "hijkl"); + assert_int_equal(key_id_len, 6); + assert_string_equal(key_id, "mnopqr"); ++ assert_int_equal(label_len, 5); ++ assert_string_equal(label, "stuvw"); + + ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL, + &token_name, NULL, + &module_name, NULL, +- &key_id, NULL); ++ &key_id, NULL, ++ &label, NULL); + assert_int_equal(ret, EOK); + assert_string_equal(token_name, "defg"); + assert_string_equal(module_name, "hijkl"); + assert_string_equal(key_id, "mnopqr"); ++ assert_string_equal(label, 
"stuvw"); + + sss_authtok_set_empty(ts->authtoken); + talloc_free(buf); +@@ -608,14 +618,14 @@ void test_sss_authtok_sc_pin(void **state) + assert_int_equal(sss_authtok_get_type(ts->authtoken), + SSS_AUTHTOK_TYPE_SC_PIN); + size = sss_authtok_get_size(ts->authtoken); +- assert_int_equal(size, 28); ++ assert_int_equal(size, 33); + #if __BYTE_ORDER == __LITTLE_ENDIAN + assert_memory_equal(sss_authtok_get_data(ts->authtoken), +- "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0", ++ "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0\0", + size); + #else + assert_memory_equal(sss_authtok_get_data(ts->authtoken), +- "\0\0\0\11\0\0\0\1\0\0\0\1\0\0\0\1" "12345678\0\0\0\0", ++ "\0\0\0\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1" "12345678\0\0\0\0\0", + size); + #endif + +@@ -624,14 +634,14 @@ void test_sss_authtok_sc_pin(void **state) + assert_int_equal(sss_authtok_get_type(ts->authtoken), + SSS_AUTHTOK_TYPE_SC_PIN); + size = sss_authtok_get_size(ts->authtoken); +- assert_int_equal(size, 25); ++ assert_int_equal(size, 30); + #if __BYTE_ORDER == __LITTLE_ENDIAN + assert_memory_equal(sss_authtok_get_data(ts->authtoken), +- "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0", ++ "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0\0", + size); + #else + assert_memory_equal(sss_authtok_get_data(ts->authtoken), +- "\0\0\0\6\0\0\0\1\0\0\0\1\0\0\0\1" "12345\0\0\0\0", ++ "\0\0\0\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0\1" "12345\0\0\0\0\0", + size); + #endif + +diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c +index 326deaf1f..cb05042de 100644 +--- a/src/tests/cmocka/test_pam_srv.c ++++ b/src/tests/cmocka/test_pam_srv.c +@@ -536,7 +536,7 @@ static void mock_input_pam(TALLOC_CTX *mem_ctx, + static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name, + const char *pin, const char *token_name, + const char *module_name, const char *key_id, +- const char *service, ++ const char *label, const char *service, + acct_cb_t acct_cb, const char 
*cert) + { + size_t buf_size; +@@ -556,14 +556,14 @@ static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name, + + if (pin != NULL) { + ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0, +- key_id, 0, NULL, 0, &needed_size); ++ key_id, 0, label, 0, NULL, 0, &needed_size); + assert_int_equal(ret, EAGAIN); + + pi.pam_authtok = malloc(needed_size); + assert_non_null(pi.pam_authtok); + + ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0, +- key_id, 0, ++ key_id, 0, label, 0, + (uint8_t *)pi.pam_authtok, needed_size, + &needed_size); + assert_int_equal(ret, EOK); +@@ -1766,7 +1766,7 @@ void test_pam_preauth_no_logon_name(void **state) + int ret; + + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL, +- NULL); ++ NULL, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -1862,7 +1862,7 @@ void test_pam_preauth_cert_nocert(void **state) + unsetenv("SOFTHSM2_CONF"); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- NULL, NULL); ++ NULL, NULL, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2004,7 +2004,7 @@ void test_pam_preauth_cert_nomatch(void **state) + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, NULL); ++ NULL, test_lookup_by_cert_cb, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2026,7 +2026,7 @@ void test_pam_preauth_cert_match(void **state) + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, 
SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2048,7 +2048,7 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state) + + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + +- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, ++ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, + "gdm-smartcard", test_lookup_by_cert_cb, + SSSD_TEST_CERT_0001); + +@@ -2072,7 +2072,7 @@ void test_pam_preauth_cert_match_wrong_user(void **state) + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_wrong_user_cb, ++ NULL, test_lookup_by_cert_wrong_user_cb, + SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); +@@ -2104,7 +2104,7 @@ void test_pam_preauth_cert_no_logon_name(void **state) + * request will be done with the username found by the certificate + * lookup. */ + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); + mock_account_recv_simple(); + mock_parse_inp("pamuser", NULL, EOK); + mock_parse_inp("pamuser", NULL, EOK); +@@ -2134,7 +2134,7 @@ void test_pam_preauth_cert_no_logon_name_with_hint(void **state) + * during pre-auth and there is no need for an extra mocked response as in + * test_pam_preauth_cert_no_logon_name. 
*/ + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2155,7 +2155,7 @@ void test_pam_preauth_cert_no_logon_name_double_cert(void **state) + + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + +- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, ++ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); +@@ -2178,7 +2178,7 @@ void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state) + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + pam_test_ctx->rctx->domains->user_name_hint = true; + +- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, ++ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL, + test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); +@@ -2201,7 +2201,7 @@ void test_pam_preauth_no_cert_no_logon_name(void **state) + set_cert_auth_param(pam_test_ctx->pctx, "/no/path"); + + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL, +- NULL); ++ NULL, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2223,7 +2223,7 @@ void test_pam_preauth_cert_no_logon_name_no_match(void **state) + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, NULL); ++ NULL, test_lookup_by_cert_cb, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2252,7 +2252,8 @@ void 
test_pam_cert_auth(void **state) + * in the cache and no second request to the backend is needed. */ + mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", + TEST_MODULE_NAME, +- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, ++ "C554C9F82C2A9D58B70921C143304153A8A42F17", ++ "SSSD test cert 0001", NULL, + test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); +@@ -2289,7 +2290,8 @@ void test_pam_ecc_cert_auth(void **state) + mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", + "SSSD Test ECC Token", + TEST_MODULE_NAME, +- "190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB", NULL, ++ "190E513C9A3DFAACDE5D2D0592F0FDFF559C10CB", ++ "SSSD test ECC cert 0001", NULL, + test_lookup_by_cert_cb, SSSD_TEST_ECC_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); +@@ -2324,7 +2326,8 @@ void test_pam_cert_auth_no_logon_name(void **state) + * in the cache and no second request to the backend is needed. */ + mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token", + TEST_MODULE_NAME, +- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, ++ "C554C9F82C2A9D58B70921C143304153A8A42F17", ++ "SSSD test cert 0001", NULL, + test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); + + mock_account_recv_simple(); +@@ -2360,7 +2363,7 @@ void test_pam_cert_auth_no_logon_name_no_key_id(void **state) + * to the user entry the lookup by certificate will already find the user + * in the cache and no second request to the backend is needed. 
*/ + mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token", +- TEST_MODULE_NAME, NULL, NULL, ++ TEST_MODULE_NAME, NULL, NULL, NULL, + NULL, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); +@@ -2387,7 +2390,8 @@ void test_pam_cert_auth_double_cert(void **state) + + mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", + TEST_MODULE_NAME, +- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, ++ "C554C9F82C2A9D58B70921C143304153A8A42F17", ++ "SSSD test cert 0001", NULL, + test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); +@@ -2416,7 +2420,7 @@ void test_pam_cert_preauth_2certs_one_mapping(void **state) + ret = test_lookup_by_cert_cb(discard_const(SSSD_TEST_CERT_0001)); + assert_int_equal(ret, EOK); + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, NULL); ++ NULL, test_lookup_by_cert_cb, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2439,7 +2443,7 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state) + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb_2nd_cert_same_user, ++ NULL, test_lookup_by_cert_cb_2nd_cert_same_user, + SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); +@@ -2464,7 +2468,8 @@ void test_pam_cert_auth_2certs_one_mapping(void **state) + + mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", + TEST_MODULE_NAME, +- "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL, ++ "C554C9F82C2A9D58B70921C143304153A8A42F17", ++ "SSSD test cert 0001", NULL, + test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); +@@ -2498,7 +2503,7 @@ 
void test_pam_cert_preauth_uri_token1(void **state) + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2528,7 +2533,7 @@ void test_pam_cert_preauth_uri_token2(void **state) + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2tokens.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0002); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0002); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2567,7 +2572,7 @@ void test_pam_preauth_expired_crl_file(void **state) + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- NULL, NULL); ++ NULL, NULL, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2599,7 +2604,7 @@ void test_pam_preauth_expired_crl_file_soft(void **state) + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0001); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2632,7 +2637,7 @@ void test_pam_preauth_ocsp(void **state) + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_ocsp.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- NULL, NULL); ++ NULL, 
NULL, NULL); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2674,7 +2679,7 @@ void test_pam_preauth_ocsp_no_ocsp(void **state) + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_ocsp.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0005); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0005); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +@@ -2708,7 +2713,7 @@ void test_pam_preauth_ocsp_soft_ocsp(void **state) + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_ocsp.conf")); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, +- test_lookup_by_cert_cb, SSSD_TEST_CERT_0005); ++ NULL, test_lookup_by_cert_cb, SSSD_TEST_CERT_0005); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); +diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c +index e50f86741..e76bd17c5 100644 +--- a/src/util/authtok-utils.c ++++ b/src/util/authtok-utils.c +@@ -77,6 +77,7 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + const char *token_name, size_t token_name_len, + const char *module_name, size_t module_name_len, + const char *key_id, size_t key_id_len, ++ const char *label, size_t label_len, + uint8_t *buf, size_t buf_len, + size_t *_sc_blob_len) + { +@@ -88,7 +89,8 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + || (pin_len != 0 && pin == NULL) + || (token_name_len != 0 && token_name == NULL) + || (module_name_len != 0 && module_name == NULL) +- || (key_id_len != 0 && key_id == NULL)) { ++ || (key_id_len != 0 && key_id == NULL) ++ || (label_len != 0 && label == NULL)) { + return EINVAL; + } + +@@ -113,6 +115,11 @@ errno_t sss_auth_pack_sc_blob(const char 
*pin, size_t pin_len, + key_id_len = 0; + } + ++ if (label == NULL) { ++ label = ""; ++ label_len = 0; ++ } ++ + /* len should not include the trailing \0 */ + if (pin_len == 0 || pin[pin_len - 1] == '\0') { + pin_len = strlen(pin); +@@ -130,8 +137,12 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + key_id_len = strlen(key_id); + } + +- *_sc_blob_len = pin_len + token_name_len + module_name_len + key_id_len + 4 +- + 4 * sizeof(uint32_t); ++ if (label_len == 0 || label[label_len - 1] == '\0') { ++ label_len = strlen(label); ++ } ++ ++ *_sc_blob_len = pin_len + token_name_len + module_name_len + key_id_len ++ + label_len + 5 + 5 * sizeof(uint32_t); + if (buf == NULL || buf_len < *_sc_blob_len) { + return EAGAIN; + } +@@ -145,6 +156,8 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); + tmp_uint32_t = (uint32_t) key_id_len + 1; + SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); ++ tmp_uint32_t = (uint32_t) label_len + 1; ++ SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); + + memcpy(buf + c, pin, pin_len); + buf[c + pin_len] = '\0'; +@@ -160,6 +173,10 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + + memcpy(buf + c, key_id, key_id_len); + buf[c + key_id_len] = '\0'; ++ c += key_id_len +1; ++ ++ memcpy(buf + c, label, label_len); ++ buf[c + label_len] = '\0'; + + return 0; + } +@@ -171,6 +188,7 @@ const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len) + uint32_t token_name_len; + uint32_t module_name_len; + uint32_t key_id_len; ++ uint32_t label_len; + + if (blob == NULL || blob_len == 0) { + return NULL; +@@ -184,9 +202,11 @@ const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len) + SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c); ++ SAFEALIGN_COPY_UINT32(&label_len, blob + c, &c); + +- if (blob_len != 4 * 
sizeof(uint32_t) + pin_len + token_name_len +- + module_name_len + key_id_len) { ++ if (blob_len != 5 * sizeof(uint32_t) + pin_len + token_name_len ++ + module_name_len + key_id_len ++ + label_len) { + return NULL; + } + +diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h +index 714c8187e..f3b268f78 100644 +--- a/src/util/authtok-utils.h ++++ b/src/util/authtok-utils.h +@@ -39,6 +39,9 @@ + * @param[in] key_id Key ID of the certificate + * @param[in] key_id_len Length of the key id of the certificate, if 0 + * strlen() will be called internally ++ * @param[in] label Label of the certificate ++ * @param[in] label_len Length of the label of the certificate, if 0 ++ * strlen() will be called internally + * @param[in] buf memory buffer of size buf_len, may be NULL + * @param[in] buf_len size of memory buffer buf + * +@@ -53,6 +56,7 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + const char *token_name, size_t token_name_len, + const char *module_name, size_t module_name_len, + const char *key_id, size_t key_id_len, ++ const char *label, size_t label_len, + uint8_t *buf, size_t buf_len, + size_t *_sc_blob_len); + /** +@@ -112,6 +116,10 @@ errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx, + * @param[out] _token_name_len Length of the token name + * @param[out] _module_name Name of PKCS#11 module, null terminated + * @param[out] _module_name_len Length of the module name ++ * @param[out] _key_id Key ID of the certificate, null terminated ++ * @param[out] _key_id_len Length of the key ID ++ * @param[out] _labe l Label of the certificate, null terminated ++ * @param[out] _label_len Length of the label + * + * @return EOK on success + * EINVAL if input data is not consistent +@@ -122,7 +130,8 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + char **pin, size_t *_pin_len, + char **token_name, size_t *_token_name_len, + char **module_name, size_t *_module_name_len, +- char **key_id, size_t *_key_id_len); ++ char **key_id, size_t 
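Review bot: In sss_auth_get_pin_from_sc_blob the header is now read as five uint32_t fields, but the only size guard visible in the two hunks for this function is `blob_len == 0`, so a blob shorter than 20 bytes would be read past its end by the SAFEALIGN_COPY_UINT32 calls. The lines between the two hunks are not shown, so this needs confirming. sss_auth_unpack_sc_blob in authtok.c rejects such input with its "Blob too small" check, and the same guard fits here before the first header read: `if (blob_len < 5 * sizeof(uint32_t)) { return NULL; }`. The function's body starts and ends outside this hunk.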
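Review bot: The added Doxygen lines for sss_auth_unpack_sc_blob do not match the prototype changed in the next hunk: `_labe l` contains a stray space, and the prototype names the parameters `key_id` and `label` without a leading underscore. The text also says "null terminated", while the implementation in authtok.c sets `*label = NULL` (and `*key_id = NULL`) when the blob carries no such field. I would write `@param[out] label Label of the certificate, null terminated, NULL if the blob has none` and use the same form for `key_id`.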
*_key_id_len, ++ char **label, size_t *_label_len); + + /** + * @brief Return a pointer to the PIN string in the memory buffer +diff --git a/src/util/authtok.c b/src/util/authtok.c +index f8b44d6d6..7254ed1da 100644 +--- a/src/util/authtok.c ++++ b/src/util/authtok.c +@@ -503,7 +503,8 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, + const char *pin, size_t pin_len, + const char *token_name, size_t token_name_len, + const char *module_name, size_t module_name_len, +- const char *key_id, size_t key_id_len) ++ const char *key_id, size_t key_id_len, ++ const char *label, size_t label_len) + { + int ret; + size_t needed_size; +@@ -518,7 +519,7 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, + + ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len, + module_name, module_name_len, +- key_id, key_id_len, NULL, 0, ++ key_id, key_id_len, label, label_len, NULL, 0, + &needed_size); + if (ret != EAGAIN) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n"); +@@ -533,7 +534,7 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, + + ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len, + module_name, module_name_len, +- key_id, key_id_len, tok->data, ++ key_id, key_id_len, label, label_len, tok->data, + needed_size, &needed_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n"); +@@ -560,6 +561,8 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, + size_t module_name_len; + char *key_id = NULL; + size_t key_id_len; ++ char *label = NULL; ++ size_t label_len; + TALLOC_CTX *tmp_ctx; + + if (tok == NULL) { +@@ -579,7 +582,7 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, + ret = sss_auth_unpack_sc_blob(tmp_ctx, data, len, &pin, &pin_len, + &token_name, &token_name_len, + &module_name, &module_name_len, +- &key_id, &key_id_len); ++ &key_id, &key_id_len, &label, &label_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_sc_blob 
failed.\n"); + goto done; +@@ -588,7 +591,7 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, + ret = sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, pin_len, + token_name, token_name_len, + module_name, module_name_len, +- key_id, key_id_len); ++ key_id, key_id_len, label, label_len); + + done: + talloc_free(tmp_ctx); +@@ -607,7 +610,7 @@ errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin, + } + + return sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, len, +- NULL, 0, NULL, 0, NULL, 0); ++ NULL, 0, NULL, 0, NULL, 0, NULL, 0); + } + + errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin, +@@ -625,7 +628,8 @@ errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin, + return ENOENT; + case SSS_AUTHTOK_TYPE_SC_PIN: + ret = sss_authtok_get_sc(tok, &pin, &pin_len, +- NULL, NULL, NULL, NULL, NULL, NULL); ++ NULL, NULL, NULL, NULL, NULL, NULL, ++ NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n"); + return ret; +@@ -663,13 +667,15 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + char **pin, size_t *_pin_len, + char **token_name, size_t *_token_name_len, + char **module_name, size_t *_module_name_len, +- char **key_id, size_t *_key_id_len) ++ char **key_id, size_t *_key_id_len, ++ char **label, size_t *_label_len) + { + size_t c; + uint32_t pin_len; + uint32_t token_name_len; + uint32_t module_name_len; + uint32_t key_id_len; ++ uint32_t label_len; + + c = 0; + +@@ -678,14 +684,16 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + token_name_len = 0; + module_name_len = 0; + key_id_len = 0; ++ label_len = 0; + } else if (blob_len > 0 + && strnlen((const char *) blob, blob_len) == blob_len - 1) { + pin_len = blob_len; + token_name_len = 0; + module_name_len = 0; + key_id_len = 0; ++ label_len = 0; + } else { +- if (blob_len < 4 * sizeof(uint32_t)) { ++ if (blob_len < 5 * sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"Blob too small.\n"); + return EINVAL; + } +@@ -694,9 +702,11 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c); ++ SAFEALIGN_COPY_UINT32(&label_len, blob + c, &c); + +- if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len +- + module_name_len + key_id_len) { ++ if (blob_len != 5 * sizeof(uint32_t) + pin_len + token_name_len ++ + module_name_len + key_id_len ++ + label_len) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } +@@ -756,6 +766,25 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + *key_id = NULL; + } + ++ if (label_len != 0) { ++ *label = talloc_strndup(mem_ctx, ++ (const char *) blob + c + pin_len ++ + token_name_len ++ + module_name_len ++ + key_id_len, ++ label_len); ++ if (*label == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); ++ talloc_free(*pin); ++ talloc_free(*token_name); ++ talloc_free(*module_name); ++ talloc_free(*key_id); ++ return ENOMEM; ++ } ++ } else { ++ *label = NULL; ++ } ++ + /* Re-calculate length for the case where \0 was missing in the blob */ + if (_pin_len != NULL) { + *_pin_len = (*pin == NULL) ? 0 : strlen(*pin); +@@ -771,6 +800,10 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + *_key_id_len = (*key_id == NULL) ? 0 : strlen(*key_id); + } + ++ if (_label_len != NULL) { ++ *_label_len = (*label == NULL) ? 
0 : strlen(*label); ++ } ++ + return EOK; + } + +@@ -778,13 +811,15 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, + const char **_pin, size_t *_pin_len, + const char **_token_name, size_t *_token_name_len, + const char **_module_name, size_t *_module_name_len, +- const char **_key_id, size_t *_key_id_len) ++ const char **_key_id, size_t *_key_id_len, ++ const char **_label, size_t *_label_len) + { + size_t c = 0; + size_t pin_len; + size_t token_name_len; + size_t module_name_len; + size_t key_id_len; ++ size_t label_len; + uint32_t tmp_uint32_t; + + if (!tok) { +@@ -796,7 +831,7 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, + return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES; + } + +- if (tok->length < 4 * sizeof(uint32_t)) { ++ if (tok->length < 5 * sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); + return EINVAL; + } +@@ -809,9 +844,12 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, + module_name_len = tmp_uint32_t -1; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); + key_id_len = tmp_uint32_t -1; ++ SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); ++ label_len = tmp_uint32_t -1; + +- if (tok->length != 4 * sizeof(uint32_t) + 4 + pin_len + token_name_len +- + module_name_len + key_id_len) { ++ if (tok->length != 5 * sizeof(uint32_t) + 5 + pin_len + token_name_len ++ + module_name_len + key_id_len ++ + label_len) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } +@@ -846,5 +884,14 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, + *_key_id_len = key_id_len; + } + ++ if (_label != NULL) { ++ *_label = (const char *) tok->data + c + pin_len + 1 ++ + token_name_len + 1 + module_name_len + 1 ++ + key_id_len + 1; ++ } ++ if (_label_len != NULL) { ++ *_label_len = label_len; ++ } ++ + return EOK; + } +diff --git a/src/util/authtok.h b/src/util/authtok.h +index f70c9da13..6fd3e9ef0 100644 +--- a/src/util/authtok.h ++++ b/src/util/authtok.h +@@ 
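Review bot: In sss_authtok_get_sc, `label_len = tmp_uint32_t -1;` wraps to SIZE_MAX when the stored field is 0, and the following `tok->length != ...` comparison is done in modular size_t arithmetic, so it does not reliably reject that case. `_label_len` would then report a huge length for a pointer one past the end of the buffer. The four existing fields are decoded the same way, and the exposure depends on whether tok->data can ever hold anything other than the output of sss_auth_pack_sc_blob, which this hunk does not show. A cheap guard is to reject a zero field before subtracting, e.g. `if (tmp_uint32_t == 0) { return EINVAL; }` after each SAFEALIGN_COPY_UINT32. The function starts before this hunk.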
-296,6 +296,10 @@ void sss_authtok_set_sc_keypad(struct sss_auth_token *tok); + * terminated string containing the PKCS#11 key id + * @param key_id_len The length of the key id string, if set to 0 it will be + * calculated ++ * @param label A pointer to a const char *, that will point to a null ++ * terminated string containing the PKCS#11 label ++ * @param label_len The length of the label string, if set to 0 it will be ++ * calculated + * + * @return EOK on success + * EINVAL unexpected or inval input +@@ -306,7 +310,8 @@ errno_t sss_authtok_set_sc(struct sss_auth_token *tok, + const char *pin, size_t pin_len, + const char *token_name, size_t token_name_len, + const char *module_name, size_t module_name_len, +- const char *key_id, size_t key_id_len); ++ const char *key_id, size_t key_id_len, ++ const char *label, size_t label_len); + /** + * @brief Set a Smart Card authentication data, replacing any previous data + * +@@ -342,6 +347,10 @@ errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, + * a null terminated string holding the PKCS#11 + * key id, may not be modified or freed + * @param[out] _key_id_len Length of the PKCS#11 key id ++ * @param[out] _label A pointer to a const char *, that will point to ++ * a null terminated string holding the PKCS#11 ++ * label, may not be modified or freed ++ * @param[out] _label_len Length of the PKCS#11 label + * + * Any of the output pointers may be NULL if the caller does not need the + * specific item. +@@ -356,7 +365,8 @@ errno_t sss_authtok_get_sc(struct sss_auth_token *tok, + const char **_pin, size_t *_pin_len, + const char **_token_name, size_t *_token_name_len, + const char **_module_name, size_t *_module_name_len, +- const char **_key_id, size_t *_key_id_len); ++ const char **_key_id, size_t *_key_id_len, ++ const char **_label, size_t *_label_len); + + + /** +-- +2.21.3 + 
diff --git a/SOURCES/0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch b/SOURCES/0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch new file mode 100644 index 0000000..88fcc9f --- /dev/null +++ b/SOURCES/0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch 
@@ -0,0 +1,208 @@ +From b8800d3e1b43f2eb28b2df7adb2bcb323bf2d1f1 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Sat, 14 Nov 2020 17:52:35 +0100 +Subject: [PATCH 15/16] pam_sss: add certificate label to reply to pam_sss + +Add the certificate label to the data send back and forth to the pam +module to avoid the ambiguity if two certificates use the same key. + +Resolves: https://github.com/SSSD/sssd/issues/5400 + +Reviewed-by: Alexey Tikhonov +--- + src/responder/pam/pamsrv_p11.c | 13 ++++++++++--- + src/sss_client/pam_sss.c | 15 +++++++++++++++ + src/tests/cmocka/test_pam_srv.c | 20 ++++++++++++++++---- + 3 files changed, 41 insertions(+), 7 deletions(-) + +diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c +index 23f94927a..e1fd72e64 100644 +--- a/src/responder/pam/pamsrv_p11.c ++++ b/src/responder/pam/pamsrv_p11.c +@@ -1086,11 +1086,13 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username, + const char *token_name; + const char *module_name; + const char *key_id; ++ const char *label; + char *prompt; + size_t user_len; + size_t token_len; + size_t module_len; + size_t key_id_len; ++ size_t label_len; + size_t prompt_len; + size_t nss_name_len; + const char *username = ""; +@@ -1113,16 +1115,18 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username, + token_name = sss_cai_get_token_name(cert_info); + module_name = sss_cai_get_module_name(cert_info); + key_id = sss_cai_get_key_id(cert_info); ++ label = sss_cai_get_label(cert_info); + + user_len = strlen(username) + 1; + token_len = strlen(token_name) + 1; + module_len = strlen(module_name) + 1; + key_id_len = strlen(key_id) + 1; ++ label_len = strlen(label) + 1; + prompt_len = strlen(prompt) + 1; + nss_name_len = strlen(nss_username) +1; + +- msg_len = user_len + token_len + module_len + key_id_len + prompt_len +- + nss_name_len; ++ msg_len = user_len + token_len + module_len + key_id_len + label_len ++ + prompt_len + nss_name_len; + 
+ msg = talloc_zero_size(mem_ctx, msg_len); + if (msg == NULL) { +@@ -1136,8 +1140,11 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username, + memcpy(msg + user_len + token_len, module_name, module_len); + memcpy(msg + user_len + token_len + module_len, key_id, key_id_len); + memcpy(msg + user_len + token_len + module_len + key_id_len, ++ label, label_len); ++ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len, + prompt, prompt_len); +- memcpy(msg + user_len + token_len + module_len + key_id_len + prompt_len, ++ memcpy(msg + user_len + token_len + module_len + key_id_len + label_len ++ + prompt_len, + nss_username, nss_name_len); + talloc_free(prompt); + +diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c +index cffbfa770..c539d6de6 100644 +--- a/src/sss_client/pam_sss.c ++++ b/src/sss_client/pam_sss.c +@@ -142,6 +142,7 @@ static void free_cai(struct cert_auth_info *cai) + free(cai->token_name); + free(cai->module_name); + free(cai->key_id); ++ free(cai->label); + free(cai->prompt_str); + free(cai->choice_list_id); + free(cai); +@@ -936,6 +937,20 @@ static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len, + goto done; + } + ++ cai->label = strdup((char *) &buf[*p + offset]); ++ if (cai->label == NULL) { ++ D(("strdup failed")); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ offset += strlen(cai->label) + 1; ++ if (offset >= len) { ++ D(("Cert message size mismatch")); ++ ret = EINVAL; ++ goto done; ++ } ++ + cai->prompt_str = strdup((char *) &buf[*p + offset]); + if (cai->prompt_str == NULL) { + D(("strdup failed")); +diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c +index cb05042de..5506fbf34 100644 +--- a/src/tests/cmocka/test_pam_srv.c ++++ b/src/tests/cmocka/test_pam_srv.c +@@ -62,13 +62,16 @@ + #define TEST_TOKEN_NAME "SSSD Test Token" + #define TEST_TOKEN2_NAME "SSSD Test Token Number 2" + #define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17" 
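Review bot: In pack_cert_data the result of `sss_cai_get_label(cert_info)` goes straight into `strlen(label) + 1` and a later memcpy, so a NULL label would crash the PAM responder. Whether the getter can return NULL is not visible here, and the token name, module name and key id are handled the same way. A certificate object may plausibly have no label, so it is worth normalising right after the getter call, as sss_auth_pack_sc_blob does for its inputs: `if (label == NULL) { label = ""; }`. The function begins and ends outside this hunk.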
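Review bot: In parse_cert_info the new block calls `strdup((char *) &buf[*p + offset])` and only afterwards checks `offset >= len`, so the copy is bounded by the first NUL byte rather than by `len`. That is safe only if the message is guaranteed to be NUL-terminated within `len`, which this hunk does not show; the earlier fields follow the same pattern. Checking before copying makes the block self-contained: `if (memchr(&buf[*p + offset], '\0', len - offset) == NULL) { ret = EINVAL; goto done; }`. The function starts and ends outside this hunk.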
++#define TEST_LABEL "SSSD test cert 0001" + #define TEST_MODULE_NAME SOFTHSM2_PATH + #define TEST_PROMPT "SSSD test cert 0001\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD" + #define TEST2_PROMPT "SSSD test cert 0002\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD" + #define TEST5_PROMPT "SSSD test cert 0005\nCN=SSSD test cert 0005,OU=SSSD test,O=SSSD" + + #define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9" ++#define TEST2_LABEL "SSSD test cert 0002" + #define TEST5_KEY_ID "1195833C424AB00297F582FC43FFFFAB47A64CC9" ++#define TEST5_LABEL "SSSD test cert 0005" + + static char CACHED_AUTH_TIMEOUT_STR[] = "4"; + static const int CACHED_AUTH_TIMEOUT = 4; +@@ -673,6 +676,7 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body, + + sizeof(TEST_TOKEN_NAME) + + sizeof(TEST_MODULE_NAME) + + sizeof(TEST_KEY_ID) ++ + sizeof(TEST_LABEL) + + sizeof(TEST_PROMPT) + + sizeof("pamuser"))); + +@@ -692,6 +696,10 @@ static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body, + assert_string_equal(body + rp, TEST_KEY_ID); + rp += sizeof(TEST_KEY_ID); + ++ assert_int_equal(*(body + rp + sizeof(TEST_LABEL) - 1), 0); ++ assert_string_equal(body + rp, TEST_LABEL); ++ rp += sizeof(TEST_LABEL); ++ + assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0); + assert_string_equal(body + rp, TEST_PROMPT); + rp += sizeof(TEST_PROMPT); +@@ -740,6 +748,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen, + TEST_TOKEN_NAME, + TEST_MODULE_NAME, + TEST_KEY_ID, ++ TEST_LABEL, + TEST_PROMPT, + NULL, + NULL }; +@@ -749,6 +758,7 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen, + TEST_TOKEN_NAME, + TEST_MODULE_NAME, + TEST2_KEY_ID, ++ TEST2_LABEL, + TEST2_PROMPT, + NULL, + NULL }; +@@ -756,10 +766,10 @@ static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen, + assert_int_equal(status, 0); + + check_strings[0] = name; +- check_strings[5] = nss_name; ++ check_strings[6] = 
nss_name; + check_len = check_string_array_len(check_strings); + check2_strings[0] = name; +- check2_strings[5] = nss_name; ++ check2_strings[6] = nss_name; + check2_len = check_string_array_len(check2_strings); + + +@@ -843,6 +853,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body, + TEST_TOKEN2_NAME, + TEST_MODULE_NAME, + TEST2_KEY_ID, ++ TEST2_LABEL, + TEST2_PROMPT, + NULL, + NULL }; +@@ -850,7 +861,7 @@ static int test_pam_cert2_token2_check_ex(uint32_t status, uint8_t *body, + assert_int_equal(status, 0); + + check2_strings[0] = name; +- check2_strings[5] = nss_name; ++ check2_strings[6] = nss_name; + check2_len = check_string_array_len(check2_strings); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); +@@ -895,7 +906,7 @@ static int test_pam_cert_X_token_X_check_ex(uint32_t status, uint8_t *body, + assert_int_equal(status, 0); + + check_strings[0] = name; +- check_strings[5] = nss_name; ++ check_strings[6] = nss_name; + check_len = check_string_array_len(check_strings); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); +@@ -946,6 +957,7 @@ static int test_pam_cert5_check(uint32_t status, uint8_t *body, size_t blen) + TEST_TOKEN_NAME, + TEST_MODULE_NAME, + TEST5_KEY_ID, ++ TEST5_LABEL, + TEST5_PROMPT, + NULL, + NULL }; +-- +2.21.3 + diff --git a/SOURCES/0015-sysdb-make-new_subdomain-public.patch b/SOURCES/0015-sysdb-make-new_subdomain-public.patch deleted file mode 100644 index 1c3a146..0000000 --- a/SOURCES/0015-sysdb-make-new_subdomain-public.patch +++ /dev/null 
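Review bot: In test_pam_cert_X_token_X_check_ex the slot for nss_name moves from `check_strings[5]` to `check_strings[6]`, but this patch adds no label entry to that function's array, unlike test_pam_cert_check_ex, test_pam_cert2_token2_check_ex and test_pam_cert5_check. The initialiser is outside the hunk, so this needs checking. If the array still has the old layout, the name lands one slot later than intended and the expected buffer no longer matches the label-carrying reply. Adding the label element to that array in the same patch would keep the four helpers consistent.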
@@ -1,117 +0,0 @@ -From 9aa26f6514220bae3b3314f830e3e3f95fab2cf9 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 7 May 2020 21:18:13 +0200 -Subject: [PATCH 15/19] sysdb: make new_subdomain() public -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Resolves: https://github.com/SSSD/sssd/issues/5151 - -Reviewed-by: Pavel Březina ---- - src/db/sysdb.h | 18 ++++++++++++++++++ - src/db/sysdb_private.h | 19 ------------------- - src/tests/cmocka/test_negcache.c | 1 - - src/tests/cmocka/test_nss_srv.c | 1 - - src/tests/cmocka/test_responder_cache_req.c | 1 - - 5 files changed, 18 insertions(+), 22 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 64e546f5b..e4ed10b54 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -562,6 +562,24 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name); - errno_t sysdb_subdomain_content_delete(struct sysdb_ctx *sysdb, - const char *name); - -+/* The utility function to create a subdomain sss_domain_info object is handy -+ * for unit tests, so it should be available in a headerr. 
-+ */ -+struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, -+ struct sss_domain_info *parent, -+ const char *name, -+ const char *realm, -+ const char *flat_name, -+ const char *id, -+ enum sss_domain_mpg_mode mpg_mode, -+ bool enumerate, -+ const char *forest, -+ const char **upn_suffixes, -+ uint32_t trust_direction, -+ struct confdb_ctx *confdb, -+ bool enabled); -+ -+ - errno_t sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - size_t *range_count, - struct range_info ***range_list); -diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h -index 3302919a6..70fe3fa18 100644 ---- a/src/db/sysdb_private.h -+++ b/src/db/sysdb_private.h -@@ -196,25 +196,6 @@ int sysdb_replace_ulong(struct ldb_message *msg, - int sysdb_delete_ulong(struct ldb_message *msg, - const char *attr, unsigned long value); - --/* The utility function to create a subdomain sss_domain_info object is handy -- * for unit tests, so it should be available in a header, but not a public util -- * one, because the only interface for the daemon itself should be adding -- * the sysdb domain object and calling sysdb_update_subdomains() -- */ --struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, -- struct sss_domain_info *parent, -- const char *name, -- const char *realm, -- const char *flat_name, -- const char *id, -- enum sss_domain_mpg_mode mpg_mode, -- bool enumerate, -- const char *forest, -- const char **upn_suffixes, -- uint32_t trust_direction, -- struct confdb_ctx *confdb, -- bool enabled); -- - /* Helper functions to deal with the timestamp cache should not be used - * outside the sysdb itself. 
The timestamp cache should be completely - * opaque to the sysdb consumers -diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c -index 3ed1cb14a..b3a379227 100644 ---- a/src/tests/cmocka/test_negcache.c -+++ b/src/tests/cmocka/test_negcache.c -@@ -38,7 +38,6 @@ - #include "util/util_sss_idmap.h" - #include "lib/idmap/sss_idmap.h" - #include "util/util.h" --#include "db/sysdb_private.h" - #include "responder/common/responder.h" - #include "responder/common/negcache.h" - -diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c -index 3cd7809cf..99ba02a80 100644 ---- a/src/tests/cmocka/test_nss_srv.c -+++ b/src/tests/cmocka/test_nss_srv.c -@@ -36,7 +36,6 @@ - #include "util/crypto/sss_crypto.h" - #include "util/crypto/nss/nss_util.h" - #include "util/sss_endian.h" --#include "db/sysdb_private.h" /* new_subdomain() */ - #include "db/sysdb_iphosts.h" - #include "db/sysdb_ipnetworks.h" - -diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c -index 2611c589b..68a651240 100644 ---- a/src/tests/cmocka/test_responder_cache_req.c -+++ b/src/tests/cmocka/test_responder_cache_req.c -@@ -27,7 +27,6 @@ - #include "tests/cmocka/common_mock_resp.h" - #include "db/sysdb.h" - #include "responder/common/cache_req/cache_req.h" --#include "db/sysdb_private.h" /* new_subdomain() */ - - #define TESTS_PATH "tp_" BASE_FILE_STEM - #define TEST_CONF_DB "test_responder_cache_req_conf.ldb" --- -2.21.3 - diff --git a/SOURCES/0016-ad-rename-ads_get_root_id_ctx-to-ads_get_dom_id_ctx.patch b/SOURCES/0016-ad-rename-ads_get_root_id_ctx-to-ads_get_dom_id_ctx.patch deleted file mode 100644 index a71043c..0000000 --- a/SOURCES/0016-ad-rename-ads_get_root_id_ctx-to-ads_get_dom_id_ctx.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 2bad4d4b299440d33919a9fdb8c4d75814583e12 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 7 May 2020 21:24:42 +0200 -Subject: [PATCH 16/19] ad: rename ads_get_root_id_ctx() to ads_get_dom_id_ctx -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since the function can be used to get the id ctx of any domain the -'root' is removed from the name. - -Resolves: https://github.com/SSSD/sssd/issues/5151 - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_subdomains.c | 32 ++++++++++++++++---------------- - 1 file changed, 16 insertions(+), 16 deletions(-) - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index c53962283..a9a552ff7 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -1231,37 +1231,37 @@ static errno_t ad_get_slave_domain_recv(struct tevent_req *req) - } - - static struct ad_id_ctx * --ads_get_root_id_ctx(struct be_ctx *be_ctx, -- struct ad_id_ctx *ad_id_ctx, -- struct sss_domain_info *root_domain, -- struct sdap_options *opts) -+ads_get_dom_id_ctx(struct be_ctx *be_ctx, -+ struct ad_id_ctx *ad_id_ctx, -+ struct sss_domain_info *domain, -+ struct sdap_options *opts) - { - errno_t ret; - struct sdap_domain *sdom; -- struct ad_id_ctx *root_id_ctx; -+ struct ad_id_ctx *dom_id_ctx; - -- sdom = sdap_domain_get(opts, root_domain); -+ sdom = sdap_domain_get(opts, domain); - if (sdom == NULL) { - DEBUG(SSSDBG_OP_FAILURE, -- "Cannot get the sdom for %s!\n", root_domain->name); -+ "Cannot get the sdom for %s!\n", domain->name); - return NULL; - } - - if (sdom->pvt == NULL) { -- ret = ad_subdom_ad_ctx_new(be_ctx, ad_id_ctx, root_domain, -- &root_id_ctx); -+ ret = ad_subdom_ad_ctx_new(be_ctx, ad_id_ctx, domain, -+ &dom_id_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "ad_subdom_ad_ctx_new failed.\n"); - return NULL; - } - -- sdom->pvt = root_id_ctx; -+ sdom->pvt = dom_id_ctx; - } else { -- root_id_ctx = 
sdom->pvt; -+ dom_id_ctx = sdom->pvt; - } - -- root_id_ctx->ldap_ctx->ignore_mark_offline = true; -- return root_id_ctx; -+ dom_id_ctx->ldap_ctx->ignore_mark_offline = true; -+ return dom_id_ctx; - } - - struct ad_get_root_domain_state { -@@ -1403,9 +1403,9 @@ static void ad_get_root_domain_done(struct tevent_req *subreq) - goto done; - } - -- state->root_id_ctx = ads_get_root_id_ctx(state->be_ctx, -- state->sd_ctx->ad_id_ctx, -- root_domain, state->opts); -+ state->root_id_ctx = ads_get_dom_id_ctx(state->be_ctx, -+ state->sd_ctx->ad_id_ctx, -+ root_domain, state->opts); - if (state->root_id_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Cannot create id ctx for the root domain\n"); - ret = EFAULT; --- -2.21.3 - diff --git a/SOURCES/0016-add-tests-multiple-certs-same-id.patch b/SOURCES/0016-add-tests-multiple-certs-same-id.patch new file mode 100644 index 0000000..cd9cefd --- /dev/null +++ b/SOURCES/0016-add-tests-multiple-certs-same-id.patch 
@@ -0,0 +1,265 @@ +From f633f37e712cb0f7524a2ee257e15f34468149b4 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 3 Nov 2020 09:58:52 +0100 +Subject: [PATCH 16/16] add tests multiple certs same id + +Add unit test for the case that two certificates use the same key. + +Resolves: https://github.com/SSSD/sssd/issues/5400 + +Reviewed-by: Alexey Tikhonov +--- + src/tests/cmocka/test_pam_srv.c | 116 +++++++++++++++++++ + src/tests/test_CA/Makefile.am | 26 ++++- + src/tests/test_CA/SSSD_test_cert_0006.config | 20 ++++ + 3 files changed, 161 insertions(+), 1 deletion(-) + create mode 100644 src/tests/test_CA/SSSD_test_cert_0006.config + +diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c +index 5506fbf34..8ca5abd43 100644 +--- a/src/tests/cmocka/test_pam_srv.c ++++ b/src/tests/cmocka/test_pam_srv.c +@@ -40,12 +40,14 @@ + #include "tests/test_CA/SSSD_test_cert_x509_0001.h" + #include "tests/test_CA/SSSD_test_cert_x509_0002.h" + #include "tests/test_CA/SSSD_test_cert_x509_0005.h" ++#include "tests/test_CA/SSSD_test_cert_x509_0006.h" + + #include "tests/test_ECC_CA/SSSD_test_ECC_cert_x509_0001.h" + #else + #define SSSD_TEST_CERT_0001 "" + #define SSSD_TEST_CERT_0002 "" + #define SSSD_TEST_CERT_0005 "" ++#define SSSD_TEST_CERT_0006 "" + + #define SSSD_TEST_ECC_CERT_0001 "" + #endif +@@ -1093,6 +1095,13 @@ static int test_pam_creds_insufficient_check(uint32_t status, + return EOK; + } + ++static int test_pam_auth_err_check(uint32_t status, uint8_t *body, size_t blen) ++{ ++ /* PAM_AUTH_ERR is returned for different types of error, we use different ++ * names for the check functions to make the purpose more clear. 
*/ ++ return test_pam_wrong_pw_offline_auth_check(status, body, blen); ++} ++ + static int test_pam_user_unknown_check(uint32_t status, + uint8_t *body, size_t blen) + { +@@ -2500,6 +2509,107 @@ void test_pam_cert_auth_2certs_one_mapping(void **state) + assert_int_equal(ret, EOK); + } + ++/* The following three tests cover a use case where multiple certificates are ++ * using the same key-pair. According to PKCS#11 specs "The CKA_ID field is ++ * intended to distinguish among multiple keys. In the case of public and ++ * private keys, this field assists in handling multiple keys held by the same ++ * subject; the key identifier for a public key and its corresponding private ++ * key should be the same. The key identifier should also be the same as for ++ * the corresponding certificate, if one exists. Cryptoki does not enforce ++ * these associations, however." As a result certificates sharing the same ++ * key-pair will have the same id on the Smartcard. This means a second ++ * parameter is needed to distinguish them. We use the label here. ++ * ++ * The first test makes sure authentication fails is the label is missing, the ++ * second and third test make sure that each certificate can be selected with ++ * the proper label. 
*/ ++void test_pam_cert_auth_2certs_same_id_no_label(void **state) ++{ ++ int ret; ++ ++ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); ++ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf")); ++ ++ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", ++ TEST_MODULE_NAME, ++ "11111111", ++ NULL, NULL, ++ NULL, SSSD_TEST_CERT_0001); ++ ++ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); ++ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); ++ ++ /* Assume backend cannot handle Smartcard credentials */ ++ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM; ++ ++ set_cmd_cb(test_pam_auth_err_check); ++ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, ++ pam_test_ctx->pam_cmds); ++ assert_int_equal(ret, EOK); ++ ++ /* Wait until the test finishes with EOK */ ++ ret = test_ev_loop(pam_test_ctx->tctx); ++ assert_int_equal(ret, EOK); ++} ++ ++void test_pam_cert_auth_2certs_same_id_with_label_1(void **state) ++{ ++ int ret; ++ ++ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); ++ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf")); ++ ++ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", ++ TEST_MODULE_NAME, ++ "11111111", ++ "SSSD test cert 0001", NULL, ++ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001); ++ ++ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); ++ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); ++ ++ /* Assume backend cannot handle Smartcard credentials */ ++ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM; ++ ++ set_cmd_cb(test_pam_simple_check_success); ++ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, ++ pam_test_ctx->pam_cmds); ++ assert_int_equal(ret, EOK); ++ ++ /* Wait until the test finishes with EOK */ ++ ret = test_ev_loop(pam_test_ctx->tctx); ++ assert_int_equal(ret, EOK); ++} ++ ++void test_pam_cert_auth_2certs_same_id_with_label_6(void 
**state) ++{ ++ int ret; ++ ++ set_cert_auth_param(pam_test_ctx->pctx, CA_DB); ++ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf")); ++ ++ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token", ++ TEST_MODULE_NAME, ++ "11111111", ++ "SSSD test cert 0006", NULL, ++ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0006); ++ ++ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); ++ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); ++ ++ /* Assume backend cannot handle Smartcard credentials */ ++ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM; ++ ++ set_cmd_cb(test_pam_simple_check_success); ++ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, ++ pam_test_ctx->pam_cmds); ++ assert_int_equal(ret, EOK); ++ ++ /* Wait until the test finishes with EOK */ ++ ret = test_ev_loop(pam_test_ctx->tctx); ++ assert_int_equal(ret, EOK); ++} ++ + void test_pam_cert_preauth_uri_token1(void **state) + { + int ret; +@@ -3179,6 +3289,12 @@ int main(int argc, const char *argv[]) + pam_test_setup, pam_test_teardown), + cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_one_mapping, + pam_test_setup, pam_test_teardown), ++ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_no_label, ++ pam_test_setup, pam_test_teardown), ++ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_1, ++ pam_test_setup, pam_test_teardown), ++ cmocka_unit_test_setup_teardown(test_pam_cert_auth_2certs_same_id_with_label_6, ++ pam_test_setup, pam_test_teardown), + cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name, + pam_test_setup, pam_test_teardown), + cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id, +diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am +index 0e0122737..8765d0fd6 100644 +--- a/src/tests/test_CA/Makefile.am ++++ b/src/tests/test_CA/Makefile.am +@@ -6,6 +6,7 @@ dist_noinst_DATA = \ + 
SSSD_test_cert_0003.config \ + SSSD_test_cert_0004.config \ + SSSD_test_cert_0005.config \ ++ SSSD_test_cert_0006.config \ + SSSD_test_cert_key_0001.pem \ + SSSD_test_cert_key_0002.pem \ + SSSD_test_cert_key_0003.pem \ +@@ -25,7 +26,7 @@ pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids))) + pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids))) + pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) + +-extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp ++extra = softhsm2_none softhsm2_one softhsm2_two softhsm2_2tokens softhsm2_ocsp softhsm2_2certs_same_id + if HAVE_FAKETIME + extra += SSSD_test_CA_expired_crl.pem + endif +@@ -41,6 +42,14 @@ $(pwdfile): + SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial + $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@ + ++# SSSD_test_cert_0006 should use the same key as SSSD_test_cert_0001 ++.INTERMEDIATE: SSSD_test_cert_req_0006.pem ++SSSD_test_cert_req_0006.pem: $(srcdir)/SSSD_test_cert_key_0001.pem $(srcdir)/SSSD_test_cert_0006.config ++ if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_0006.config) -eq 0 ]; then \ ++ $(OPENSSL) req -new -nodes -key $< -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \ ++ else \ ++ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_0006.config -out $@ ; \ ++ fi + + SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config + if [ $(shell grep -c req_exts $(srcdir)/SSSD_test_cert_$*.config) -eq 0 ]; then \ +@@ -52,6 +61,9 @@ SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test + SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem + $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@ + 
++SSSD_test_cert_pkcs12_0006.pem: SSSD_test_cert_x509_0006.pem $(srcdir)/SSSD_test_cert_key_0001.pem $(pwdfile) ++ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_0006.pem -inkey $(srcdir)/SSSD_test_cert_key_0001.pem -nodes -passout file:$(pwdfile) -out $@ ++ + SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile) + $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@ + +@@ -130,6 +142,18 @@ softhsm2_ocsp.conf: + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" >> $@ + ++softhsm2_2certs_same_id: softhsm2_2certs_same_id.conf SSSD_test_cert_x509_0001.pem SSSD_test_cert_x509_0006.pem ++ mkdir $@ ++ SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free ++ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0006.pem --login --label 'SSSD test cert 0006' --id '11111111' ++ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id '11111111' ++ GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id '11111111' ++ ++softhsm2_2certs_same_id.conf: ++ @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_2certs_same_id" > $@ ++ @echo "objectstore.backend = file" >> $@ ++ @echo "slots.removable = true" >> $@ ++ + CLEANFILES = \ + index.txt index.txt.attr \ + index.txt.attr.old index.txt.old \ +diff --git a/src/tests/test_CA/SSSD_test_cert_0006.config b/src/tests/test_CA/SSSD_test_cert_0006.config +new file mode 100644 +index 000000000..762de55cd +--- /dev/null ++++ 
b/src/tests/test_CA/SSSD_test_cert_0006.config +@@ -0,0 +1,20 @@ ++# This certificate is used in ++# - src/tests/cmocka/test_pam_srv.c ++# and should use the same key-pair as SSSD_test_cert_0001 ++[ req ] ++distinguished_name = req_distinguished_name ++prompt = no ++ ++[ req_distinguished_name ] ++O = SSSD ++OU = SSSD test ++CN = SSSD test cert 0006 ++ ++[ req_exts ] ++basicConstraints = CA:FALSE ++nsCertType = client, email ++nsComment = "SSSD test Certificate" ++subjectKeyIdentifier = hash ++keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment ++extendedKeyUsage = clientAuth, emailProtection ++subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://github.com/SSSD/sssd// +-- +2.21.3 + diff --git a/SOURCES/0017-ad-remove-unused-trust_type-from-ad_subdom_store.patch b/SOURCES/0017-ad-remove-unused-trust_type-from-ad_subdom_store.patch deleted file mode 100644 index 4b519b7..0000000 --- a/SOURCES/0017-ad-remove-unused-trust_type-from-ad_subdom_store.patch +++ /dev/null 
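Review bot: The three new tests in src/tests/cmocka/test_pam_srv.c cover a missing label and the two labels that exist on the token, but not a label that matches neither certificate. Nothing here pins that an unknown label is rejected rather than falling back to selection by id alone. A fourth case next to `test_pam_cert_auth_2certs_same_id_no_label`, registered in `main()` with the same `pam_test_setup`/`pam_test_teardown` pair, would close that gap. The callback and expected status below are assumed to match the no-label case and should be confirmed against the responder. Separately, the block comment above the tests reads "fails is the label is missing" and should read "fails if the label is missing".

```c
/* … unchanged: test_pam_cert_auth_2certs_same_id_no_label … */

/* A label that is present on neither certificate must not select one. */
void test_pam_cert_auth_2certs_same_id_unknown_label(void **state)
{
    int ret;

    set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
    putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_2certs_same_id.conf"));

    /* "no such label" is a constructed value, not an object on the token */
    mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
                        TEST_MODULE_NAME,
                        "11111111",
                        "no such label", NULL,
                        NULL, SSSD_TEST_CERT_0001);

    will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
    will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);

    /* Assume backend cannot handle Smartcard credentials */
    pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;

    /* NOTE(review): same failure check as the no-label case, to be confirmed */
    set_cmd_cb(test_pam_auth_err_check);
    ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
                          pam_test_ctx->pam_cmds);
    assert_int_equal(ret, EOK);

    /* Wait until the test finishes with EOK */
    ret = test_ev_loop(pam_test_ctx->tctx);
    assert_int_equal(ret, EOK);
}
```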
@@ -1,44 +0,0 @@
-From 8c642a542245a9f9fde5c2de9c96082b4c0d0963 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Mon, 11 May 2020 21:26:13 +0200
-Subject: [PATCH 17/19] ad: remove unused trust_type from ad_subdom_store()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves: https://github.com/SSSD/sssd/issues/5151
-
-Reviewed-by: Pavel Březina
----
- src/providers/ad/ad_subdomains.c | 8 --------
- 1 file changed, 8 deletions(-)
-
-diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
-index a9a552ff7..198f5c916 100644
---- a/src/providers/ad/ad_subdomains.c
-+++ b/src/providers/ad/ad_subdomains.c
-@@ -576,7 +576,6 @@ ad_subdom_store(struct confdb_ctx *cdb,
- enum idmap_error_code err;
- struct ldb_message_element *el;
- char *sid_str = NULL;
-- uint32_t trust_type;
- enum sss_domain_mpg_mode mpg_mode;
- enum sss_domain_mpg_mode default_mpg_mode;
-
-@@ -586,13 +585,6 @@ ad_subdom_store(struct confdb_ctx *cdb,
- goto done;
- }
-
-- ret = sysdb_attrs_get_uint32_t(subdom_attrs, AD_AT_TRUST_TYPE,
-- &trust_type);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_uint32_t failed.\n");
-- goto done;
-- }
--
- ret = sysdb_attrs_get_string(subdom_attrs, AD_AT_TRUST_PARTNER, &name);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "failed to get subdomain name\n");
---
-2.21.3
-
diff --git a/SOURCES/0017-data_provider_be-Add-random-offset-default.patch b/SOURCES/0017-data_provider_be-Add-random-offset-default.patch
new file mode 100644
index 0000000..7574eec
--- /dev/null
+++ b/SOURCES/0017-data_provider_be-Add-random-offset-default.patch
@@ -0,0 +1,53 @@
+From 1e9abd508ea5627465d528788645d4dbe53d7d31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?=
+Date: Wed, 2 Dec 2020 03:00:26 +0100
+Subject: [PATCH 17/18] data_provider_be: Add random offset default
+
+Replace hardcoded default value of 30 with more meaningful
+OFFLINE_TIMEOUT_RANDOM_OFFSET define.
+
+This value is used to calculate task timeout during offline
+status checking by formula (from SSSD MAN page):
+
+new_interval = (old_interval * 2) + random_offset
+
+As it is explicite mentioned in documentation it should
+be expressed in the code similar way.
+
+Reviewed-by: Iker Pedrosa
+---
+ src/providers/data_provider_be.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index 4c10d6b48..10421c6b4 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -51,6 +51,7 @@
+ #define ONLINE_CB_RETRY 3
+ #define ONLINE_CB_RETRY_MAX_DELAY 4
+
++#define OFFLINE_TIMEOUT_RANDOM_OFFSET 30
+ #define OFFLINE_TIMEOUT_DEFAULT 60
+ #define OFFLINE_TIMEOUT_MAX_DEFAULT 3600
+
+@@ -152,9 +153,13 @@ void be_mark_offline(struct be_ctx *ctx)
+ offline_timeout = get_offline_timeout(ctx);
+ offline_timeout_max = get_offline_timeout_max(ctx);
+
+- ret = be_ptask_create_sync(ctx, ctx,
+- offline_timeout, offline_timeout,
+- offline_timeout, 30, offline_timeout,
++ ret = be_ptask_create_sync(ctx,
++ ctx,
++ offline_timeout,
++ offline_timeout,
++ offline_timeout,
++ OFFLINE_TIMEOUT_RANDOM_OFFSET,
++ offline_timeout,
+ offline_timeout_max,
+ try_to_go_online,
+ ctx, "Check if online (periodic)",
+--
+2.21.3
+
diff --git a/SOURCES/0018-ad-add-ad_check_domain_-send-recv.patch b/SOURCES/0018-ad-add-ad_check_domain_-send-recv.patch
deleted file mode 100644
index 23486f2..0000000
--- a/SOURCES/0018-ad-add-ad_check_domain_-send-recv.patch
+++ /dev/null
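Review bot: The new `OFFLINE_TIMEOUT_RANDOM_OFFSET` define in the first hunk of src/providers/data_provider_be.c has no comment saying what the 30 stands for, although the commit message ties it to the man-page formula. A one-line comment above it would keep code and documentation from drifting: `/* Upper bound, in seconds, of the random offset added to the offline check interval; see offline_timeout in sssd.conf(5) */`. The unit and range come from the sssd.conf(5) wording quoted elsewhere on this page ("The random offset can increment up to 30 seconds"), so confirm they match how `be_ptask_create_sync()` interprets that argument. `be_mark_offline()` starts and ends outside the second hunk.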
@@ -1,283 +0,0 @@ -From 3ae3286d61ed796f0be7a1d72157af3687bc04a5 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 7 May 2020 21:26:16 +0200 -Subject: [PATCH 18/19] ad: add ad_check_domain_{send|recv} -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This new request tries to get the basic domain information like domain -SID and NetBIOS domain name for a domain given by the name. To achieve -this the needed data is added to general domain structure and the SDAP -domain structure. If the domain data cannot be looked up the data is -removed again. - -Resolves: https://github.com/SSSD/sssd/issues/5151 - -Reviewed-by: Pavel Březina ---- - src/providers/ad/ad_subdomains.c | 251 +++++++++++++++++++++++++++++++ - 1 file changed, 251 insertions(+) - -diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c -index 198f5c916..299aa7391 100644 ---- a/src/providers/ad/ad_subdomains.c -+++ b/src/providers/ad/ad_subdomains.c -@@ -2143,3 +2143,254 @@ errno_t ad_subdomains_init(TALLOC_CTX *mem_ctx, - - return EOK; - } -+ -+struct ad_check_domain_state { -+ struct tevent_context *ev; -+ struct be_ctx *be_ctx; -+ struct sdap_id_op *sdap_op; -+ struct ad_id_ctx *dom_id_ctx; -+ struct sdap_options *opts; -+ -+ const char *dom_name; -+ struct sss_domain_info *dom; -+ struct sss_domain_info *parent; -+ struct sdap_domain *sdom; -+ -+ char *flat; -+ char *site; -+ char *forest; -+ char *sid; -+}; -+ -+static void ad_check_domain_connect_done(struct tevent_req *subreq); -+static void ad_check_domain_done(struct tevent_req *subreq); -+ -+static int ad_check_domain_destructor(void *mem) -+{ -+ struct ad_check_domain_state *state = talloc_get_type(mem, -+ struct ad_check_domain_state); -+ -+ if (state->sdom != NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "Removing sdap domain [%s].\n", -+ state->dom->name); -+ sdap_domain_remove(state->opts, state->dom); -+ /* terminate all requests for this subdomain so we can free it */ -+ 
dp_terminate_domain_requests(state->be_ctx->provider, state->dom->name); -+ talloc_zfree(state->sdom); -+ } -+ -+ if (state->dom != NULL) { -+ DEBUG(SSSDBG_TRACE_ALL, "Removing domain [%s].\n", state->dom->name); -+ sss_domain_set_state(state->dom, DOM_DISABLED); -+ DLIST_REMOVE(state->be_ctx->domain->subdomains, state->dom); -+ talloc_zfree(state->dom); -+ } -+ -+ return 0; -+} -+ -+struct tevent_req * -+ad_check_domain_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct be_ctx *be_ctx, -+ struct ad_id_ctx *ad_id_ctx, -+ const char *dom_name, -+ const char *parent_dom_name) -+{ -+ errno_t ret; -+ struct tevent_req *req; -+ struct tevent_req *subreq; -+ struct ad_check_domain_state *state; -+ -+ req = tevent_req_create(mem_ctx, &state, struct ad_check_domain_state); -+ if (req == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); -+ return NULL; -+ } -+ -+ state->ev = ev; -+ state->be_ctx = be_ctx; -+ state->opts = ad_id_ctx->sdap_id_ctx->opts; -+ state->dom_name = dom_name; -+ state->parent = NULL; -+ state->sdom = NULL; -+ -+ state->dom = find_domain_by_name(be_ctx->domain, dom_name, true); -+ if (state->dom == NULL) { -+ state->parent = find_domain_by_name(be_ctx->domain, parent_dom_name, -+ true); -+ if (state->parent == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, -+ "Failed to find domain object for domain [%s].\n", -+ parent_dom_name); -+ ret = ENOENT; -+ goto immediately; -+ } -+ -+ state->dom = new_subdomain(state->parent, state->parent, dom_name, -+ dom_name, NULL, NULL, MPG_DISABLED, false, -+ state->parent->forest, -+ NULL, 0, be_ctx->cdb, true); -+ if (state->dom == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "new_subdomain() failed.\n"); -+ ret = EINVAL; -+ goto immediately; -+ } -+ -+ talloc_set_destructor((TALLOC_CTX *) state, ad_check_domain_destructor); -+ -+ DLIST_ADD_END(state->parent->subdomains, state->dom, -+ struct sss_domain_info *); -+ -+ ret = sdap_domain_add(state->opts, state->dom, &state->sdom); -+ if (ret != EOK) { -+ 
DEBUG(SSSDBG_OP_FAILURE, "sdap_domain_subdom_add failed.\n"); -+ goto immediately; -+ } -+ -+ ret = ad_set_search_bases(ad_id_ctx->ad_options->id, state->sdom); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "failed to set ldap search bases for " -+ "domain '%s'. Will try to use automatically detected search " -+ "bases.", state->sdom->dom->name); -+ } -+ -+ } -+ -+ state->dom_id_ctx = ads_get_dom_id_ctx(be_ctx, ad_id_ctx, state->dom, -+ state->opts); -+ if (state->dom_id_ctx == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "ads_get_dom_id_ctx() failed.\n"); -+ ret = EINVAL; -+ goto immediately; -+ } -+ -+ state->sdap_op = sdap_id_op_create(state, -+ state->dom_id_ctx->sdap_id_ctx->conn->conn_cache); -+ if (state->sdap_op == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n"); -+ ret = ENOMEM; -+ goto immediately; -+ } -+ -+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); -+ if (subreq == NULL) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed " -+ "[%d]: %s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } -+ -+ tevent_req_set_callback(subreq, ad_check_domain_connect_done, req); -+ -+ return req; -+ -+immediately: -+ if (ret == EOK) { -+ tevent_req_done(req); -+ } else { -+ tevent_req_error(req, ret); -+ } -+ tevent_req_post(req, ev); -+ -+ return req; -+} -+ -+static void ad_check_domain_connect_done(struct tevent_req *subreq) -+{ -+ struct tevent_req *req; -+ struct ad_check_domain_state *state; -+ int ret; -+ int dp_error; -+ -+ req = tevent_req_callback_data(subreq, struct tevent_req); -+ state = tevent_req_data(req, struct ad_check_domain_state); -+ -+ ret = sdap_id_op_connect_recv(subreq, &dp_error); -+ talloc_zfree(subreq); -+ -+ if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to LDAP " -+ "[%d]: %s\n", ret, sss_strerror(ret)); -+ if (dp_error == DP_ERR_OFFLINE) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "No AD server is available, " -+ "cannot get the subdomain list while offline\n"); -+ ret = 
ERR_OFFLINE; -+ } -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ subreq = ad_domain_info_send(state, state->ev, -+ state->dom_id_ctx->sdap_id_ctx->conn, -+ state->sdap_op, state->dom_name); -+ -+ tevent_req_set_callback(subreq, ad_check_domain_done, req); -+ -+ return; -+} -+ -+static void ad_check_domain_done(struct tevent_req *subreq) -+{ -+ struct tevent_req *req; -+ struct ad_check_domain_state *state; -+ errno_t ret; -+ -+ -+ req = tevent_req_callback_data(subreq, struct tevent_req); -+ state = tevent_req_data(req, struct ad_check_domain_state); -+ -+ ret = ad_domain_info_recv(subreq, state, &state->flat, &state->sid, -+ &state->site, &state->forest); -+ talloc_zfree(subreq); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup domain information " -+ "[%d]: %s\n", ret, sss_strerror(ret)); -+ goto done; -+ } -+ DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s.\n", state->flat, state->sid, -+ state->site, state->forest); -+ -+ /* New domain was successfully checked, remove destructor. */ -+ talloc_set_destructor(state, NULL); -+ -+ ret = EOK; -+ -+done: -+ if (ret != EOK) { -+ tevent_req_error(req, ret); -+ return; -+ } -+ -+ tevent_req_done(req); -+} -+ -+errno_t ad_check_domain_recv(TALLOC_CTX *mem_ctx, -+ struct tevent_req *req, -+ char **_flat, -+ char **_id, -+ char **_site, -+ char **_forest) -+{ -+ struct ad_check_domain_state *state = tevent_req_data(req, -+ struct ad_check_domain_state); -+ -+ TEVENT_REQ_RETURN_ON_ERROR(req); -+ -+ if (_flat) { -+ *_flat = talloc_steal(mem_ctx, state->flat); -+ } -+ -+ if (_site) { -+ *_site = talloc_steal(mem_ctx, state->site); -+ } -+ -+ if (_forest) { -+ *_forest = talloc_steal(mem_ctx, state->forest); -+ } -+ -+ if (_id) { -+ *_id = talloc_steal(mem_ctx, state->sid); -+ } -+ -+ return EOK; -+} --- -2.21.3 - diff --git a/SOURCES/0018-data_provider_be-MAN-page-update.patch b/SOURCES/0018-data_provider_be-MAN-page-update.patch new file mode 100644 index 0000000..15e4168 --- /dev/null 
+++ b/SOURCES/0018-data_provider_be-MAN-page-update.patch @@ -0,0 +1,59 @@ +From 171b664ec4a7c94583b35597bd7e1e72bf89d217 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= +Date: Wed, 2 Dec 2020 03:10:50 +0100 +Subject: [PATCH 18/18] data_provider_be: MAN page update + +Updated description of parameters: +* offline_timeout +* offline_timeout_max + +MAN page now explains that in some circumstances +corelation of offline_timeout and offline_timeout_max values +may lead to offline checking interval not incrementing. +This is a false positive error as in fact the value +just saturates almost instantly. + +Reviewed-by: Iker Pedrosa +--- + src/man/sssd.conf.5.xml | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index d637e2eaa..8b330de58 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -739,12 +739,12 @@ + offline_timeout + random_offset + + +- The random offset can increment up to 30 seconds. ++ The random offset value is from 0 to 30. + After each unsuccessful attempt to go online, + the new interval is recalculated by the following: + + +- new_interval = old_interval*2 + random_offset ++ new_interval = (old_interval * 2) + random_offset + + + Note that the maximum length of each interval +@@ -769,6 +769,16 @@ + + A value of 0 disables the incrementing behaviour. + ++ ++ The value of this parameter should be set in correlation ++ to offline_timeout parameter value. ++ ++ ++ With offline_timeout set to 60 (default value) there is no point ++ in setting offlinet_timeout_max to less than 120 as it will ++ saturate instantly. General rule here should be to set ++ offline_timeout_max to at least 4 times offline_timeout. ++ + + Although a value between 0 and offline_timeout may be + specified, it has the effect of overriding the +-- +2.21.3 + 
diff --git a/SOURCES/0019-ad-check-forest-root-directly-if-not-present-on-loca.patch b/SOURCES/0019-ad-check-forest-root-directly-if-not-present-on-loca.patch deleted file mode 100644 index d1c4eb9..0000000 --- a/SOURCES/0019-ad-check-forest-root-directly-if-not-present-on-loca.patch +++ /dev/null 
@@ -1,281 +0,0 @@
-From e25e1e9228a6108d8e94f2e99f3004e6cbfc3349 Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 12 May 2020 16:55:32 +0200
-Subject: [PATCH 19/19] ad: check forest root directly if not present on local
- DC
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the information about the forest root domain cannot be read from the
-local domain-controller it is tried to read it from a DC of the forest
-root directly.
-
-Resolves: https://github.com/SSSD/sssd/issues/5151
-
-Reviewed-by: Pavel Březina
----
- src/providers/ad/ad_subdomains.c | 184 +++++++++++++++++++++++++++----
- 1 file changed, 164 insertions(+), 20 deletions(-)
-
-diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
-index 299aa7391..7c6f51db7 100644
---- a/src/providers/ad/ad_subdomains.c
-+++ b/src/providers/ad/ad_subdomains.c
-@@ -35,6 +35,10 @@
- #include
- #include
- 
-+/* Avoid that ldb_val is overwritten by data_blob.h */
-+#undef ldb_val
-+#include
-+
- /* Attributes of AD trusted domains */
- #define AD_AT_FLATNAME "flatName"
- #define AD_AT_SID "securityIdentifier"
-@@ -1258,15 +1262,37 @@ ads_get_dom_id_ctx(struct be_ctx *be_ctx,
- 
- struct ad_get_root_domain_state {
- struct ad_subdomains_ctx *sd_ctx;
-+ struct tevent_context *ev;
- struct be_ctx *be_ctx;
- struct sdap_idmap_ctx *idmap_ctx;
- struct sdap_options *opts;
-+ const char *domain;
-+ const char *forest;
- 
-+ struct sysdb_attrs **reply;
-+ size_t reply_count;
- struct ad_id_ctx *root_id_ctx;
- struct sysdb_attrs *root_domain_attrs;
- };
- 
- static void ad_get_root_domain_done(struct tevent_req *subreq);
-+static void ad_check_root_domain_done(struct tevent_req *subreq);
-+static errno_t
-+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
-+
-+struct tevent_req *
-+ad_check_domain_send(TALLOC_CTX *mem_ctx,
-+ struct tevent_context *ev,
-+ struct be_ctx *be_ctx,
-+ struct ad_id_ctx *ad_id_ctx,
-+ const char *dom_name,
-+ const char *parent_dom_name);
-+errno_t ad_check_domain_recv(TALLOC_CTX *mem_ctx,
-+ struct tevent_req *req,
-+ char **_flat,
-+ char **_id,
-+ char **_site,
-+ char **_forest);
- 
- static struct tevent_req *
- ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
-@@ -1305,6 +1331,9 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
- state->opts = opts = sd_ctx->sdap_id_ctx->opts;
- state->be_ctx = sd_ctx->be_ctx;
- state->idmap_ctx = opts->idmap_ctx;
-+ state->ev = ev;
-+ state->domain = domain;
-+ state->forest = forest;
- 
- filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
- if (filter == NULL) {
-@@ -1340,17 +1369,14 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
- {
- struct tevent_req *req;
- struct ad_get_root_domain_state *state;
-- struct sysdb_attrs **reply;
-- struct sss_domain_info *root_domain;
-- size_t reply_count;
-- bool has_changes;
- errno_t ret;
- 
- req = tevent_req_callback_data(subreq, struct tevent_req);
- state = tevent_req_data(req, struct ad_get_root_domain_state);
- 
-- ret = sdap_search_bases_return_first_recv(subreq, state, &reply_count,
-- &reply);
-+ ret = sdap_search_bases_return_first_recv(subreq, state,
-+ &state->reply_count,
-+ &state->reply);
- talloc_zfree(subreq);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
-@@ -1358,19 +1384,142 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
- goto done;
- }
- 
-- if (reply_count == 0) {
-- DEBUG(SSSDBG_OP_FAILURE, "No information provided for root domain\n");
-- ret = ENOENT;
-- goto done;
-- } else if (reply_count > 1) {
-+ if (state->reply_count == 0) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "No information provided for root domain, trying directly.\n");
-+ subreq = ad_check_domain_send(state, state->ev, state->be_ctx,
-+ state->sd_ctx->ad_id_ctx, state->forest,
-+ state->domain);
-+ if (subreq == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "ad_check_domain_send() failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+ tevent_req_set_callback(subreq, ad_check_root_domain_done, req);
-+ return;
-+ } else if (state->reply_count > 1) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
- "domain list might be incomplete!\n");
- ret = ERR_MALFORMED_ENTRY;
- goto done;
- }
- 
-+ ret = ad_get_root_domain_refresh(state);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
-+ }
-+
-+done:
-+ if (ret != EOK) {
-+ tevent_req_error(req, ret);
-+ return;
-+ }
-+
-+ tevent_req_done(req);
-+}
-+
-+static void ad_check_root_domain_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req;
-+ struct ad_get_root_domain_state *state;
-+ errno_t ret;
-+ char *flat = NULL;
-+ char *id = NULL;
-+ enum idmap_error_code err;
-+ struct ldb_val id_val;
-+
-+ req = tevent_req_callback_data(subreq, struct tevent_req);
-+ state = tevent_req_data(req, struct ad_get_root_domain_state);
-+
-+ ret = ad_check_domain_recv(state, subreq, &flat, &id, NULL, NULL);
-+ talloc_zfree(subreq);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Unable to check forest root information "
-+ "[%d]: %s\n", ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ if (flat == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "NetBIOS name of forest root not available.\n");
-+ ret = EINVAL;
-+ goto done;
-+ }
-+
-+ if (id == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Domain SID of forest root not available.\n");
-+ ret = EINVAL;
-+ goto done;
-+ }
-+
-+ state->reply = talloc_array(state, struct sysdb_attrs *, 1);
-+ if (state->reply == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array() failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ state->reply[0] = sysdb_new_attrs(state->reply);
-+ if (state->reply[0] == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs() failed.\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_FLATNAME, flat);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
-+ goto done;
-+ }
-+
-+ ret = sysdb_attrs_add_string(state->reply[0], AD_AT_TRUST_PARTNER,
-+ state->forest);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
-+ goto done;
-+ }
-+
-+ err = sss_idmap_sid_to_bin_sid(state->idmap_ctx->map, id,
-+ &id_val.data, &id_val.length);
-+ if (err != IDMAP_SUCCESS) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Could not convert SID: [%s].\n", idmap_error_string(err));
-+ ret = EFAULT;
-+ goto done;
-+ }
-+
-+ ret = sysdb_attrs_add_val(state->reply[0], AD_AT_SID, &id_val);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string() failed.\n");
-+ goto done;
-+ }
-+
-+ state->reply_count = 1;
-+
-+ ret = ad_get_root_domain_refresh(state);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
-+ }
-+
-+done:
-+ if (ret != EOK) {
-+ tevent_req_error(req, ret);
-+ return;
-+ }
-+
-+ tevent_req_done(req);
-+}
-+
-+static errno_t
-+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
-+{
-+ struct sss_domain_info *root_domain;
-+ bool has_changes;
-+ errno_t ret;
-+
- ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
-- reply, reply_count, true,
-+ state->reply, state->reply_count, true,
- &state->sd_ctx->last_refreshed,
- &has_changes);
- if (ret != EOK) {
-@@ -1387,8 +1536,8 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
- }
- }
- 
-- state->root_domain_attrs = reply[0];
-- root_domain = ads_get_root_domain(state->be_ctx, reply[0]);
-+ state->root_domain_attrs = state->reply[0];
-+ root_domain = ads_get_root_domain(state->be_ctx, state->reply[0]);
- if (root_domain == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
- ret = EFAULT;
-@@ -1407,12 +1556,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
- ret = EOK;
- 
- done:
-- if (ret != EOK) {
-- tevent_req_error(req, ret);
-- return;
-- }
--
-- tevent_req_done(req);
-+ return ret;
- }
- 
- static errno_t ad_get_root_domain_recv(TALLOC_CTX *mem_ctx,
--- 
-2.21.3
-
diff --git a/SOURCES/0019-logs-review.patch b/SOURCES/0019-logs-review.patch
new file mode 100644
index 0000000..54fc132
--- /dev/null
+++ b/SOURCES/0019-logs-review.patch
@@ -0,0 +1,3410 @@ +From 69ef1cf763fca6b2c7174ddacf3f510c73cc27e6 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 28 Dec 2020 19:36:48 +0100 +Subject: [PATCH] Squashed commit of the following: + +commit bd2f38abe95645b9b16b12d12dac6008b0d2a03b +Author: Alexey Tikhonov +Date: Tue Dec 15 18:47:25 2020 +0100 + + UTIL: find_domain_by_object_name_ex() changed log level + + It's up to user of this function to judge if fail to parse fqname is + a critical error. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 0db68a1f95612fcbad18ca8107a4b170f446dd59 +Author: Alexey Tikhonov +Date: Tue Dec 15 17:26:09 2020 +0100 + + LDAP: sdap_save_grpmem(): log level changed + + There are legitimate reasons when sdap_save_grpmem() can be called + with `ignore_group_members = true` + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 00e3ac4a4f9b6c8da27daa3ed8c18664c99256bb +Author: Alexey Tikhonov +Date: Sun Dec 13 23:21:37 2020 +0100 + + LDAP: reduce log level in case of fail to store members of missing group (it might be built-in skipped intentionally) + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit dba7de0db3cbaee43ef06a1b7c847fbcf48f3708 +Author: Alexey Tikhonov +Date: Sun Dec 13 22:37:44 2020 +0100 + + SYSDB: changed logging in sysdb_get_real_name() + + Missing cache entry isn't an error. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit e86599ba079611ed324ff1493a7173d11c1a7961 +Author: Alexey Tikhonov +Date: Sun Dec 13 22:22:36 2020 +0100 + + IPA: changed logging in ipa_get_subdom_acct_send() + + Frontends do not know what kind of lookup the backends support + so it is expected that they might send unsupported requests. 
+ + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit bf873598a9d4ac8256b20859c0d92fb509861b6b +Author: Alexey Tikhonov +Date: Sun Dec 13 20:29:07 2020 +0100 + + IPA: ignore failed group search in certain cases + + It's currently expected to see those messages with sudo or HBAC rules in play. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 60b17be9e4f4865fe1774076808a6c783a7ec906 +Author: Alexey Tikhonov +Date: Sun Dec 13 19:36:56 2020 +0100 + + SYSDB: changed log level in sysdb_update_members_ex() + + Fail to add already existing member isn't critical. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 9390af3c2d1b33e2b5ded0ea0c6c436b9776cedc +Author: Alexey Tikhonov +Date: Sat Dec 12 21:29:06 2020 +0100 + + IPA: reduce log level in apply_subdomain_homedir() + + Missing UID for SYSDB_GROUP_CLASS is not an error + (see commit message of e66517dcf63f1d4aaf866c22371dac7740ce0a48 for + additional details) + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 9215cf4e2519d5f085bf97f26a74d499090e46e1 +Author: Alexey Tikhonov +Date: Sat Dec 12 20:46:40 2020 +0100 + + CERTMAP: removed stray debug message + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 0986cf6ced8c4e09b8031d19eddffca679aca30c +Author: Alexey Tikhonov +Date: Thu Dec 3 21:06:31 2020 +0100 + + UTIL: fixed bug in server_setup() that prevented setting debug level to 0 explicitly + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 644453f8d93540a91236683015f3418d29c6d95a +Author: Alexey Tikhonov +Date: Tue Dec 1 13:03:03 2020 +0100 + + LOGS: default log level changed to <= SSSDBG_OP_FAILURE + + :config: New default value of `debug_level` is 0x0070 + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 4fe060abbe958c2f9b5aa44e489620063029aa0b +Author: Alexey Tikhonov +Date: Mon Nov 30 22:19:46 2020 +0100 + + FILES: reduced debug level in refresh_override_attrs() if case "No overrides, nothing to do" + 
+ Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 29f243fd5b256efe3c7f4e4f0940c7d0ae6b4fa1 +Author: Alexey Tikhonov +Date: Mon Nov 30 22:07:01 2020 +0100 + + AD: reduced log level in case check_if_pac_is_available() can't find user entry. This is typical situation when, for example, INITGROUPS lookup is executed for uncached user. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit ed6ec569780ad8203c4990faed5a9f0dc27dd12b +Author: Alexey Tikhonov +Date: Mon Nov 30 21:13:28 2020 +0100 + + SDAP: reduced log level in case group without members + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 26fdc3c8f0ae6493442ea291d9bf36ba148ef209 +Author: Alexey Tikhonov +Date: Mon Nov 30 21:06:19 2020 +0100 + + CACHE_REQ: reduced log level in cache_req_object_by_name_well_known() Non fqdn input isn't necessarily an error here. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit a7b145b99b9f71ad3d02251fff5b587041c9f1ab +Author: Alexey Tikhonov +Date: Mon Nov 30 20:27:44 2020 +0100 + + LDAP: reduced log level in hosts_get_done() + + Absent host in LDAP server isn't SSSD failure. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 6e3b4d745fc8d2de14d69aa30bc21aa549a435f8 +Author: Alexey Tikhonov +Date: Mon Nov 30 16:45:51 2020 +0100 + + SBUS: reduced log level in case of unexpected signal + + Most probably module is not fully initialized yet. 
+ + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 90dae38d7442757b8a51f91a6ba3fb83f99320a1 +Author: Alexey Tikhonov +Date: Mon Nov 30 11:39:56 2020 +0100 + + RESPONDER: reduce log level in sss_parse_inp_done() in case of "Unknown domain" since this might be search by UPN + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 69aa3e8c4b82a06e45ba59eb1c17af252aa971ce +Author: Alexey Tikhonov +Date: Mon Nov 30 01:05:52 2020 +0100 + + DP: do not log failure in case provider doesn't support check_online method + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 1af89925e62cccacb2957f55b16988a5e71fe5e1 +Author: Alexey Tikhonov +Date: Mon Nov 30 00:28:08 2020 +0100 + + IPA: corrected confusing message + + Log message like: + ``` + sysdb_getpwnam() got more users than expected. Expected [1], got [0] + ``` + looks a bit confusing. + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit a419b7e673d2de571d873b79be31b1ae2fa89832 +Author: Alexey Tikhonov +Date: Mon Nov 30 00:13:31 2020 +0100 + + SSS_IFACE: corrected misleading return code + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 99e44d9db41f5bb56281ed65d815c32139195931 +Author: Alexey Tikhonov +Date: Sun Nov 29 22:55:07 2020 +0100 + + LDAP: added missed \n in log message + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 52dc85540e621b00f358fea94e2e390d580948d8 +Author: Alexey Tikhonov +Date: Sun Nov 29 21:42:08 2020 +0100 + + SYSDB: reduce log level in sysdb_update_members_ex() in case failed attempt to DEL unexisting attribute + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit a7b6413d9fb870f51f09955bdceee01952442c63 +Author: Alexey Tikhonov +Date: Sun Nov 29 21:32:46 2020 +0100 + + UTIL: sss_ldb_error_to_errno() improved + + LDB_ERR_NO_SUCH_ATTRIBUTE error code was added to mapping and log level + for unknown error code was reduced. 
+ + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit ac22859006b5658017b2720ca3e02d34c5beecdd +Author: Alexey Tikhonov +Date: Sun Nov 29 17:03:58 2020 +0100 + + PAM: reduce log level in may_do_cert_auth() + + Reduce log level in may_do_cert_auth() as this is not a critical failure + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 5068655a67f88cb1730f28689c5effee264321ad +Author: Alexey Tikhonov +Date: Fri Nov 27 21:45:53 2020 +0100 + + UTIL: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 3cbd0465b52f9bbb7e20b0b12e154f51bab0866e +Author: Alexey Tikhonov +Date: Fri Nov 27 21:12:16 2020 +0100 + + PAM: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit f028253ff87bf11ed034ad5acf1f67e8863bed60 +Author: Alexey Tikhonov +Date: Fri Nov 27 20:59:13 2020 +0100 + + NSS: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit f457a1a69240381ad7637a09dc66c1aeb78e1d18 +Author: Alexey Tikhonov +Date: Fri Nov 27 20:33:11 2020 +0100 + + IFP: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 058644f2ef6d1958db657d371158d2df7798dd49 +Author: Alexey Tikhonov +Date: Fri Nov 27 20:21:55 2020 +0100 + + RESPONDER: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 01ba32f250a0e51771471c52440c11f6f05f2a48 +Author: Alexey Tikhonov +Date: Fri Nov 27 20:15:22 2020 +0100 + + CACHE_REQ: debug message correction + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 018c08acbb3bbb836c9acefaf5c384eb9231a60a +Author: Alexey Tikhonov +Date: Fri Nov 27 20:05:06 2020 +0100 + + AUTOFS: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit fb052a4c9843ce518a7202d842c43631f8bbfd2d +Author: Alexey Tikhonov +Date: Fri Nov 27 19:57:00 2020 +0100 + + RESOLV: debug message correction + + 
Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit d91409df456f9ad7aad39d0cad0ed053cf1f3653 +Author: Alexey Tikhonov +Date: Fri Nov 27 19:49:14 2020 +0100 + + PROXY: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit ff8f44ce2d2eedb098d980793a949f7f7e55576a +Author: Alexey Tikhonov +Date: Fri Nov 20 19:46:28 2020 +0100 + + LDAP: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 9244820af59ba6b947cf9aa1269d03bb6f2e4f38 +Author: Alexey Tikhonov +Date: Fri Nov 20 19:22:36 2020 +0100 + + KRB5: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 667b983aaee380c50d50ef07542b004e60041581 +Author: Alexey Tikhonov +Date: Thu Nov 19 18:31:28 2020 +0100 + + IPA: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 2f70695a874dcb84d4b86773138a5a6b6259958f +Author: Alexey Tikhonov +Date: Wed Nov 18 22:12:21 2020 +0100 + + DP: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit d6f6f053d7a97a220b52ce92fd653eef8cec5a74 +Author: Alexey Tikhonov +Date: Wed Nov 18 21:37:38 2020 +0100 + + AD: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 85d8adc4d24f09e47f2a9c0fa595d90c61036b18 +Author: Alexey Tikhonov +Date: Wed Nov 18 19:09:33 2020 +0100 + + P11_CHILD: severity level of few debug messages adjusted + + Severity level of few debug messages was adjusted and journal message + in case of disabled certificate verification was added. 
+ + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit fe0530ef96baa8fd39ce6b87c0c760e17c5eb6f8 +Author: Alexey Tikhonov +Date: Wed Nov 18 16:28:43 2020 +0100 + + MONITOR: severity level of few debug messages adjusted + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit daa5454f870a5436a554091a1333cc8be0cbc566 +Author: Alexey Tikhonov +Date: Wed Nov 18 16:02:23 2020 +0100 + + SYSDB:views: few debug message corrections + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 82dc14b027f9115cabafce71d2b385d5c7d1dd4f +Author: Alexey Tikhonov +Date: Wed Nov 18 15:56:46 2020 +0100 + + SYSDB:upgrade: debug message corrected + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit e731368ed9cea9b35d0ae654e1534084c6ef4642 +Author: Alexey Tikhonov +Date: Wed Nov 18 15:50:08 2020 +0100 + + SYSDB:service: severity level of few debug messages adjusted + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit f55c9599068c43037a8b666af92ba9b8a044f735 +Author: Alexey Tikhonov +Date: Wed Nov 18 15:32:21 2020 +0100 + + SYSDB:selinux: debug message severity level was adjusted + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 744582419abfd6e5665315748d44e732f1d56f13 +Author: Alexey Tikhonov +Date: Wed Nov 18 15:30:45 2020 +0100 + + SYSDB:search: few debug messages were corrected + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit 033c31a2a4994367edea1ded8303a0d2dbc59b1c +Author: Alexey Tikhonov +Date: Wed Nov 18 15:19:46 2020 +0100 + + SYSDB:ops: few debug messages were corrected + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit a73df70ee0bcc8f1b80a2e20132592724bd5f675 +Author: Alexey Tikhonov +Date: Wed Nov 18 13:19:25 2020 +0100 + + SYSDB:ipnetworks: severity level of few debug messages adjusted + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit b4acf71d0a81aeeb2754645d2798ce1e927121f3 +Author: Alexey Tikhonov +Date: Mon Nov 16 21:18:14 2020 +0100 + + 
SYSDB:iphosts: severity level of few debug messages adjusted + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit d8af1db84b48193a546bbeec84a7dd7e2b132244 +Author: Alexey Tikhonov +Date: Mon Nov 16 20:05:12 2020 +0100 + + SYSDB:sudo: changed debug message to be consistent + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit df723cb98b406b0262f04d0e43e8e5bf0030074f +Author: Alexey Tikhonov +Date: Mon Nov 16 19:10:41 2020 +0100 + + SYSDB: wrong debug message corrected + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose + +commit e350d917e6d48c1d13502ab2849d3e2a0815215e +Author: Alexey Tikhonov +Date: Mon Nov 16 18:13:26 2020 +0100 + + SYSDB:autofs: cosmetic updates + + Reviewed-by: Pawel Polawski + Reviewed-by: Sumit Bose +--- + src/db/sysdb.c | 2 +- + src/db/sysdb_autofs.c | 4 +- + src/db/sysdb_iphosts.c | 10 ++--- + src/db/sysdb_ipnetworks.c | 6 +-- + src/db/sysdb_ops.c | 37 ++++++++++++------ + src/db/sysdb_search.c | 17 ++++++--- + src/db/sysdb_selinux.c | 2 +- + src/db/sysdb_services.c | 6 +-- + src/db/sysdb_sudo.c | 3 +- + src/db/sysdb_upgrade.c | 2 +- + src/db/sysdb_views.c | 6 +-- + src/lib/certmap/sss_certmap_krb5_match.c | 1 - + src/man/include/debug_levels.xml | 3 +- + src/man/include/debug_levels_tools.xml | 3 +- + src/monitor/monitor.c | 14 +++---- + src/p11_child/p11_child_common.c | 2 +- + src/p11_child/p11_child_common_utils.c | 3 ++ + src/p11_child/p11_child_openssl.c | 4 +- + src/providers/ad/ad_cldap_ping.c | 2 +- + src/providers/ad/ad_common.c | 7 ++-- + src/providers/ad/ad_dyndns.c | 6 +-- + src/providers/ad/ad_gpo.c | 16 +++++--- + src/providers/ad/ad_machine_pw_renewal.c | 7 ++-- + src/providers/ad/ad_pac.c | 6 ++- + src/providers/ad/ad_subdomains.c | 2 +- + src/providers/be_dyndns.c | 3 +- + src/providers/be_ptask.c | 2 +- + src/providers/be_refresh.c | 3 +- + src/providers/data_provider/dp.c | 4 +- + src/providers/data_provider/dp_target_sudo.c | 10 +++-- + src/providers/data_provider_be.c | 5 +-- + 
src/providers/data_provider_fo.c | 2 +- + src/providers/data_provider_opts.c | 6 +-- + src/providers/data_provider_req.h | 1 + + src/providers/files/files_ops.c | 2 +- + src/providers/ipa/ipa_access.c | 2 +- + src/providers/ipa/ipa_common.c | 5 +-- + src/providers/ipa/ipa_hbac_common.c | 2 +- + src/providers/ipa/ipa_hbac_services.c | 4 +- + src/providers/ipa/ipa_hbac_users.c | 4 +- + src/providers/ipa/ipa_id.c | 2 +- + src/providers/ipa/ipa_init.c | 4 +- + src/providers/ipa/ipa_s2n_exop.c | 3 +- + src/providers/ipa/ipa_selinux.c | 4 +- + src/providers/ipa/ipa_session.c | 4 +- + src/providers/ipa/ipa_subdomains_ext_groups.c | 3 +- + src/providers/ipa/ipa_subdomains_id.c | 38 +++++++++++++------ + src/providers/ipa/ipa_subdomains_server.c | 11 +++--- + src/providers/ipa/ipa_sudo.c | 14 +++---- + src/providers/ipa/ipa_sudo_async.c | 10 ++--- + src/providers/ipa/ipa_sudo_conversion.c | 6 +-- + src/providers/ipa/ipa_views.c | 4 +- + src/providers/krb5/krb5_access.c | 3 +- + src/providers/krb5/krb5_auth.c | 4 +- + src/providers/krb5/krb5_child.c | 25 ++++++------ + src/providers/krb5/krb5_child_handler.c | 4 +- + src/providers/krb5/krb5_common.c | 6 +-- + .../krb5/krb5_delayed_online_authentication.c | 4 +- + src/providers/krb5/krb5_renew_tgt.c | 4 +- + src/providers/krb5/krb5_utils.c | 2 +- + src/providers/ldap/ldap_auth.c | 12 +++--- + src/providers/ldap/ldap_child.c | 2 +- + src/providers/ldap/ldap_init.c | 4 +- + src/providers/ldap/ldap_options.c | 8 ++-- + src/providers/ldap/sdap.c | 28 +++++++++----- + src/providers/ldap/sdap_access.c | 11 +++--- + src/providers/ldap/sdap_async.c | 9 +++-- + src/providers/ldap/sdap_async_autofs.c | 2 +- + src/providers/ldap/sdap_async_connection.c | 6 +-- + src/providers/ldap/sdap_async_groups.c | 27 ++++++++----- + src/providers/ldap/sdap_async_initgroups.c | 6 ++- + src/providers/ldap/sdap_async_initgroups_ad.c | 2 +- + src/providers/ldap/sdap_async_sudo.c | 4 +- + src/providers/ldap/sdap_child_helpers.c | 6 +-- + 
src/providers/ldap/sdap_hostid.c | 2 +- + src/providers/ldap/sdap_id_op.c | 2 +- + src/providers/proxy/proxy_auth.c | 6 +-- + src/providers/proxy/proxy_child.c | 8 ++-- + src/providers/proxy/proxy_client.c | 2 +- + src/providers/proxy/proxy_id.c | 6 +-- + src/resolv/async_resolv.c | 2 +- + src/responder/autofs/autofssrv.c | 2 +- + src/responder/autofs/autofssrv_cmd.c | 6 +-- + src/responder/common/cache_req/cache_req.c | 2 +- + .../plugins/cache_req_object_by_name.c | 4 +- + src/responder/common/responder_common.c | 4 +- + src/responder/common/responder_get_domains.c | 2 +- + src/responder/common/responder_iface.c | 4 +- + src/responder/ifp/ifp_iface/ifp_iface.c | 2 +- + src/responder/ifp/ifpsrv.c | 8 ++-- + src/responder/ifp/ifpsrv_util.c | 2 +- + src/responder/nss/nss_cmd.c | 20 +++++----- + src/responder/nss/nss_iface.c | 4 +- + src/responder/nss/nss_protocol_netgr.c | 2 +- + src/responder/nss/nsssrv.c | 2 +- + src/responder/pam/pamsrv_cmd.c | 2 +- + src/responder/pam/pamsrv_p11.c | 4 +- + src/sbus/router/sbus_router_handler.c | 3 +- + src/sss_iface/sss_iface.c | 4 +- + src/util/child_common.c | 2 +- + src/util/debug.h | 4 +- + src/util/domain_info_utils.c | 2 +- + src/util/server.c | 15 +++++--- + src/util/sss_sockets.c | 2 +- + src/util/string_utils.c | 2 +- + src/util/util_errors.c | 3 +- + 106 files changed, 364 insertions(+), 279 deletions(-) + +diff --git a/src/db/sysdb.c b/src/db/sysdb.c +index d0052d99b..d78991e36 100644 +--- a/src/db/sysdb.c ++++ b/src/db/sysdb.c +@@ -1489,7 +1489,7 @@ errno_t sysdb_attrs_primary_name(struct sysdb_ctx *sysdb, + * decide which name is correct. + */ + DEBUG(SSSDBG_CRIT_FAILURE, +- "Cannot save entry. 
Unable to determine groupname\n"); ++ "Can't match the name to the RDN\n"); + ret = EINVAL; + goto done; + } +diff --git a/src/db/sysdb_autofs.c b/src/db/sysdb_autofs.c +index 413b00722..1febdaec5 100644 +--- a/src/db/sysdb_autofs.c ++++ b/src/db/sysdb_autofs.c +@@ -243,14 +243,14 @@ sysdb_get_map_byname(TALLOC_CTX *mem_ctx, + "Error looking up autofs map [%s]\n", safe_map_name); + goto done; + } else if (ret == ENOENT) { +- DEBUG(SSSDBG_TRACE_FUNC, "No such map\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "No such map [%s]\n", safe_map_name); + *_map = NULL; + goto done; + } + + if (count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "More than one map named %s\n", safe_map_name); ++ "More than one map named [%s]\n", safe_map_name); + goto done; + } + +diff --git a/src/db/sysdb_iphosts.c b/src/db/sysdb_iphosts.c +index b82279787..d3ee8f1a9 100644 +--- a/src/db/sysdb_iphosts.c ++++ b/src/db/sysdb_iphosts.c +@@ -222,14 +222,14 @@ sysdb_store_host(struct sss_domain_info *domain, + * sort it out. + */ + for (j = 0; j < res->count; j++) { +- DEBUG(SSSDBG_TRACE_FUNC, ++ DEBUG(SSSDBG_CRIT_FAILURE, + "Corrupt cache entry [%s] detected. 
Deleting\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[j]->dn)); + + ret = sysdb_delete_entry(sysdb, res->msgs[j]->dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete corrupt cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[j]->dn)); +@@ -262,7 +262,7 @@ sysdb_store_host(struct sss_domain_info *domain, + + ret = sysdb_delete_entry(sysdb, res->msgs[0]->dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[0]->dn)); +@@ -298,7 +298,7 @@ sysdb_store_host(struct sss_domain_info *domain, + + ret = sysdb_delete_entry(sysdb, res->msgs[i]->dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete corrupt cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[i]->dn)); +@@ -318,7 +318,7 @@ sysdb_store_host(struct sss_domain_info *domain, + /* Delete the entry from the previous pass */ + ret = sysdb_delete_entry(sysdb, update_dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + update_dn)); +diff --git a/src/db/sysdb_ipnetworks.c b/src/db/sysdb_ipnetworks.c +index 326f984b7..9da4d9b23 100644 +--- a/src/db/sysdb_ipnetworks.c ++++ b/src/db/sysdb_ipnetworks.c +@@ -261,7 +261,7 @@ sysdb_store_ipnetwork(struct sss_domain_info *domain, + + ret = sysdb_delete_entry(sysdb, res->msgs[0]->dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[0]->dn)); +@@ -296,7 +296,7 @@ sysdb_store_ipnetwork(struct sss_domain_info *domain, + + ret = sysdb_delete_entry(sysdb, res->msgs[i]->dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete 
corrupt cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[i]->dn)); +@@ -315,7 +315,7 @@ sysdb_store_ipnetwork(struct sss_domain_info *domain, + /* Delete the entry from the previous pass */ + ret = sysdb_delete_entry(sysdb, update_dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + update_dn)); +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 3412b9cd1..585708abe 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -157,7 +157,7 @@ static int sysdb_delete_cache_entry(struct ldb_context *ldb, + /* fall through */ + SSS_ATTRIBUTE_FALLTHROUGH; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s(%d)\nError Message: [%s]\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s (%d); error message: [%s]\n", + ldb_strerror(ret), ret, ldb_errstring(ldb)); + return sysdb_error_to_errno(ret); + } +@@ -3420,7 +3420,7 @@ int sysdb_search_custom(TALLOC_CTX *mem_ctx, + goto done; + } + if (!ldb_dn_validate(basedn)) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create DN.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Syntactically invalid subtree DN.\n"); + ret = EINVAL; + goto done; + } +@@ -3463,7 +3463,7 @@ int sysdb_search_custom_by_name(TALLOC_CTX *mem_ctx, + goto done; + } + if (!ldb_dn_validate(basedn)) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create DN.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Syntactically invalid DN.\n"); + ret = EINVAL; + goto done; + } +@@ -3545,7 +3545,7 @@ errno_t sysdb_search_by_orig_dn(TALLOC_CTX *mem_ctx, + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Trying to perform a search by orig_dn using a " +- "non-supported type\n"); ++ "non-supported type %d\n", type); + ret = EINVAL; + goto done; + } +@@ -3690,8 +3690,9 @@ int sysdb_delete_custom(struct sss_domain_info *domain, + break; + + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "LDB Error: %s(%d)\nError Message: [%s]\n", +- ldb_strerror(ret), ret, 
ldb_errstring(domain->sysdb->ldb)); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "ldb_delete failed: %s (%d); error Message: [%s]\n", ++ ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb)); + ret = sysdb_error_to_errno(ret); + break; + } +@@ -4927,9 +4928,15 @@ static errno_t sysdb_update_members_ex(struct sss_domain_info *domain, + ret = sysdb_add_group_member(domain, add_groups[i], + member, type, is_dn); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Could not add member [%s] to group [%s]. " +- "Skipping.\n", member, add_groups[i]); ++ if (ret != EEXIST) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Could not add member [%s] to group [%s]. " ++ "Skipping.\n", member, add_groups[i]); ++ } else { ++ DEBUG(SSSDBG_FUNC_DATA, ++ "Group [%s] already has member [%s]. Skipping.\n", ++ add_groups[i], member); ++ } + /* Continue on, we should try to finish the rest */ + } + } +@@ -4941,9 +4948,15 @@ static errno_t sysdb_update_members_ex(struct sss_domain_info *domain, + ret = sysdb_remove_group_member(domain, del_groups[i], + member, type, is_dn); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Could not remove member [%s] from group [%s]. " +- "Skipping\n", member, del_groups[i]); ++ if (ret != ENOENT) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Could not remove member [%s] from group [%s]. " ++ "Skipping\n", member, del_groups[i]); ++ } else { ++ DEBUG(SSSDBG_FUNC_DATA, ++ "No member [%s] in group [%s]. 
" ++ "Skipping\n", member, del_groups[i]); ++ } + /* Continue on, we should try to finish the rest */ + } + } +diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c +index 4ff65c1ae..0cd8321cb 100644 +--- a/src/db/sysdb_search.c ++++ b/src/db/sysdb_search.c +@@ -2393,7 +2393,7 @@ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, + } else if (mtype == SYSDB_MEMBER_GROUP) { + dn = sysdb_group_strdn(tmp_ctx, dom->name, name); + } else { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown member type\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown member type %d\n", mtype); + ret = EINVAL; + goto done; + } +@@ -2453,13 +2453,14 @@ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, + tmp_str = ldb_msg_find_attr_as_string(direct_sysdb_groups[i], + SYSDB_NAME, NULL); + if (!tmp_str) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "A group with no name?\n"); + /* This should never happen, but if it does, just continue */ + continue; + } + + direct_parents[pi] = talloc_strdup(direct_parents, tmp_str); + if (!direct_parents[pi]) { +- DEBUG(SSSDBG_CRIT_FAILURE, "A group with no name?\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + ret = EIO; + goto done; + } +@@ -2522,8 +2523,13 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx, + } + if (ret != EOK) { + /* User cannot be found in cache */ +- DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n", +- name_or_upn_or_sid); ++ if (ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to find user [%s] in cache: %d\n", ++ name_or_upn_or_sid, ret); ++ } else { ++ DEBUG(SSSDBG_TRACE_FUNC, "User [%s] is missing in cache\n", ++ name_or_upn_or_sid); ++ } + goto done; + } + } else if (res->count == 1) { +@@ -2537,7 +2543,8 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx, + + cname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + if (!cname) { +- DEBUG(SSSDBG_CRIT_FAILURE, "A user with no name?\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "User '%s' without a name?\n", name_or_upn_or_sid); + ret = ENOENT; + goto done; + } +diff 
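Review bot: In the second changed branch of the sysdb_get_direct_parents hunk at -2453 (src/db/sysdb_search.c), the message now names the talloc_strdup() failure, but the branch still sets `ret = EIO`, so callers are told about an I/O error when the real cause is a failed allocation. If no caller depends on EIO here, `ret = ENOMEM;` would match the new message and the other allocation checks visible in this patch. The function body continues outside the hunk, so the callers' handling of the return code needs checking before changing it.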
--git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c +index 88ac88786..535411950 100644 +--- a/src/db/sysdb_selinux.c ++++ b/src/db/sysdb_selinux.c +@@ -234,7 +234,7 @@ errno_t sysdb_delete_usermaps(struct sss_domain_info *domain) + ret = sysdb_delete_recursive(sysdb, dn, true); + talloc_free(dn); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_delete_recursive failed.\n"); ++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_recursive failed.\n"); + return ret; + } + +diff --git a/src/db/sysdb_services.c b/src/db/sysdb_services.c +index 8118fef00..ac17f4704 100644 +--- a/src/db/sysdb_services.c ++++ b/src/db/sysdb_services.c +@@ -252,7 +252,7 @@ sysdb_store_service(struct sss_domain_info *domain, + + ret = sysdb_delete_entry(sysdb, res->msgs[0]->dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[0]->dn)); +@@ -290,7 +290,7 @@ sysdb_store_service(struct sss_domain_info *domain, + + ret = sysdb_delete_entry(sysdb, res->msgs[i]->dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete corrupt cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + res->msgs[i]->dn)); +@@ -310,7 +310,7 @@ sysdb_store_service(struct sss_domain_info *domain, + /* Delete the entry from the previous pass */ + ret = sysdb_delete_entry(sysdb, update_dn, true); + if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Could not delete cache entry [%s]\n", + ldb_dn_canonical_string(tmp_ctx, + update_dn)); +diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c +index 03eec9c70..1626b612d 100644 +--- a/src/db/sysdb_sudo.c ++++ b/src/db/sysdb_sudo.c +@@ -480,7 +480,8 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, + sss_get_cased_name(sysdb_groupnames, groupname, + domain->case_sensitive); + if (sysdb_groupnames[num_groups] == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", 
groupname); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "sss_get_cased_name() failed for '%s'\n", groupname); + continue; + } + num_groups++; +diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c +index 03a0e6173..99213260c 100644 +--- a/src/db/sysdb_upgrade.c ++++ b/src/db/sysdb_upgrade.c +@@ -2455,7 +2455,7 @@ int sysdb_upgrade_19(struct sysdb_ctx *sysdb, const char **ver) + + ret = add_object_category(sysdb->ldb, ctx); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "add_object_category failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "add_object_category failed: %d\n", ret); + goto done; + } + +diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c +index 00da74047..269dab70f 100644 +--- a/src/db/sysdb_views.c ++++ b/src/db/sysdb_views.c +@@ -556,12 +556,12 @@ errno_t sysdb_store_override(struct sss_domain_info *domain, + if (ret == ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Object to override does not exists.\n"); + } else { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry failed.\n"); + } + goto done; + } + if (count != 1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Base searched returned more than one object.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Base search returned more than one object.\n"); + ret = EINVAL; + goto done; + } +@@ -660,7 +660,7 @@ errno_t sysdb_store_override(struct sss_domain_info *domain, + SYSDB_OVERRIDE_GROUP_CLASS); + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected object type.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected object type %d.\n", type); + ret = EINVAL; + goto done; + } +diff --git a/src/lib/certmap/sss_certmap_krb5_match.c b/src/lib/certmap/sss_certmap_krb5_match.c +index 640930747..ab566ac99 100644 +--- a/src/lib/certmap/sss_certmap_krb5_match.c ++++ b/src/lib/certmap/sss_certmap_krb5_match.c +@@ -220,7 +220,6 @@ static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx, + + for (c = 0; eku_list[c] != NULL; c++) { + for (k = 0; sss_ext_key_usage[k].name != NULL; k++) { 
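Review bot: In sysdb_get_sudo_user_info (src/db/sysdb_sudo.c) the sss_get_cased_name() failure is now logged as critical, yet the loop still does `continue`, so the group is silently left out of the returned list. That list presumably feeds sudo rule matching, where a missing group can change which rules apply to the user, so propagating the failure looks safer than skipping the entry: set `ret = ENOMEM;` and leave through the function's error path. The loop header and the cleanup label are outside the hunk, so the exact exit has to be checked against the full function.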
+-CM_DEBUG(ctx, "[%s][%s].", eku_list[c], sss_ext_key_usage[k].name); + if (strcasecmp(eku_list[c], sss_ext_key_usage[k].name) == 0) { + comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list, + sss_ext_key_usage[k].oid); +diff --git a/src/man/include/debug_levels.xml b/src/man/include/debug_levels.xml +index b5e13ba3e..0d9cc17be 100644 +--- a/src/man/include/debug_levels.xml ++++ b/src/man/include/debug_levels.xml +@@ -100,6 +100,7 @@ + introduced in 1.7.0. + + +- Default: 0 ++ Default: 0x0070 (i.e. fatal, critical and serious ++ failures; corresponds to setting 2 in decimal notation) + + +diff --git a/src/man/include/debug_levels_tools.xml b/src/man/include/debug_levels_tools.xml +index b592d50fc..46a3c7d29 100644 +--- a/src/man/include/debug_levels_tools.xml ++++ b/src/man/include/debug_levels_tools.xml +@@ -81,6 +81,7 @@ + introduced in 1.7.0. + + +- Default: 0 ++ Default: 0x0070 (i.e. fatal, critical and serious ++ failures; corresponds to setting 2 in decimal notation) + + +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index d9da05a51..9c2381c81 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1435,7 +1435,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret) + DEBUG(SSSDBG_CRIT_FAILURE, + "Child [%s] terminated with a signal\n", svc->name); + } else { +- DEBUG(SSSDBG_FATAL_FAILURE, ++ DEBUG(SSSDBG_CRIT_FAILURE, + "Child [%s] did not exit cleanly\n", svc->name); + /* Forcibly kill this child */ + kill(-svc->pid, SIGKILL); +@@ -2059,7 +2059,7 @@ static void monitor_sbus_connected(struct tevent_req *req) + + ret = sbus_connection_add_path_map(ctx->sbus_conn, paths); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n", ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +@@ -2271,7 +2271,7 @@ static void mt_svc_restart(struct tevent_context *ev, + add_new_provider(svc->mt_ctx, svc->name, svc->restarts + 1); + } else { + /* Invalid 
type? */ +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_FATAL_FAILURE, + "BUG: Invalid child process type [%d]\n", svc->type); + } + +@@ -2580,14 +2580,14 @@ int main(int argc, const char *argv[]) + switch (ret) { + case EPERM: + case EACCES: +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_FATAL_FAILURE, + CONF_FILE_PERM_ERROR_MSG, config_file); +- sss_log(SSS_LOG_ALERT, CONF_FILE_PERM_ERROR_MSG, config_file); ++ sss_log(SSS_LOG_CRIT, CONF_FILE_PERM_ERROR_MSG, config_file); + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_FATAL_FAILURE, + "SSSD couldn't load the configuration database.\n"); +- sss_log(SSS_LOG_ALERT, ++ sss_log(SSS_LOG_CRIT, + "SSSD couldn't load the configuration database [%d]: %s.\n", + ret, strerror(ret)); + break; +diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c +index f17de1a9e..704ced4b6 100644 +--- a/src/p11_child/p11_child_common.c ++++ b/src/p11_child/p11_child_common.c +@@ -125,7 +125,7 @@ static errno_t p11c_recv_data(TALLOC_CTX *mem_ctx, int fd, char **pin) + + str = talloc_strndup(mem_ctx, (char *) buf, len); + if (str == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n"); + return ENOMEM; + } + +diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c +index 50cfebb4c..c5f324625 100644 +--- a/src/p11_child/p11_child_common_utils.c ++++ b/src/p11_child/p11_child_common_utils.c +@@ -107,6 +107,9 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, + "Found 'no_verification' option, " + "disabling verification completely. " + "This should not be used in production.\n"); ++ sss_log(SSS_LOG_CRIT, ++ "Smart card certificate verification disabled completely. 
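Review bot: In the `default:` branch of the main() hunk in src/monitor/monitor.c, the DEBUG line still omits the error code while the sss_log() call next to it prints `[%d]: %s`, so the debug log alone does not say why the configuration database failed to load. `DEBUG(SSSDBG_FATAL_FAILURE, "SSSD couldn't load the configuration database [%d]: %s.\n", ret, sss_strerror(ret));` would bring the two in line. Separately, both branches lower the syslog priority from SSS_LOG_ALERT to SSS_LOG_CRIT; deployments whose alerting keys on the alert priority for the config-file permission error will stop matching, which deserves a line in the release notes.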
" ++ "This should not be used in production."); + cert_verify_opts->do_verification = false; + } else if (strncasecmp(opts[c], OCSP_DEFAUL_RESPONDER, + OCSP_DEFAUL_RESPONDER_LEN) == 0) { +diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c +index d81a1a9ea..879b05b65 100644 +--- a/src/p11_child/p11_child_openssl.c ++++ b/src/p11_child/p11_child_openssl.c +@@ -226,7 +226,7 @@ static char *get_issuer_subject_str(TALLOC_CTX *mem_ctx, X509 *cert) + + bio_mem = BIO_new(BIO_s_mem()); + if (bio_mem == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "BIO_new failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "BIO_new failed.\n"); + return NULL; + } + +@@ -591,7 +591,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, + ret = SSL_library_init(); + #endif + if (ret != 1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize OpenSSL.\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to initialize OpenSSL.\n"); + return EIO; + } + +diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c +index ab234f4d7..7722af98a 100644 +--- a/src/providers/ad/ad_cldap_ping.c ++++ b/src/providers/ad/ad_cldap_ping.c +@@ -467,7 +467,7 @@ ad_cldap_ping_domain_send(TALLOC_CTX *mem_ctx, + domains[0] = discovery_domain; + domains[1] = NULL; + if (domains[0] == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Bad argument (discovery_domain)"); + ret = ENOMEM; + goto done; + } +diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c +index 624313942..eaa920ca0 100644 +--- a/src/providers/ad/ad_common.c ++++ b/src/providers/ad/ad_common.c +@@ -1072,15 +1072,14 @@ ad_resolve_callback(void *private_data, struct fo_server *server) + } + + if (!service->gc->uri) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to append to URI\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "NULL GC URI\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_CONF_SETTINGS, "Constructed GC uri '%s'\n", service->gc->uri); + + if 
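Review bot: The new sss_log() call in parse_cert_verify_opts (src/p11_child/p11_child_common_utils.c) does not name the option that switched verification off, unlike the DEBUG text just above it, so someone reading syslog has nothing to search the configuration for. Since this is the record of a disabled smart card certificate check that reaches syslog, I would spell it out: `"Smart card certificate verification disabled completely by 'no_verification'. "`. The entry is written wherever this parser runs, presumably once per p11_child invocation; confirm that is the intended frequency for a critical-priority message. The function continues outside the hunk.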
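Review bot: In ad_cldap_ping_domain_send (src/providers/ad/ad_cldap_ping.c) the reworded message reports a bad argument, but the branch still sets `ret = ENOMEM`, and the format string has no trailing newline. `DEBUG(SSSDBG_CRIT_FAILURE, "Bad argument (discovery_domain)\n");` together with `ret = EINVAL;` would make the log and the error code agree. Check first that no caller treats ENOMEM from this request specially; the rest of the function is outside the hunk.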
(service->gc->sockaddr == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "resolv_get_sockaddr_address failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "NULL GC sockaddr\n"); + ret = EIO; + goto done; + } +@@ -1100,7 +1099,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server) + done: + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Error: [%s]\n", strerror(ret)); ++ "Error: %d [%s]\n", ret, strerror(ret)); + } + talloc_free(tmp_ctx); + return; +diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c +index 71ef16c0b..19fc8acef 100644 +--- a/src/providers/ad/ad_dyndns.c ++++ b/src/providers/ad/ad_dyndns.c +@@ -63,7 +63,7 @@ errno_t ad_dyndns_init(struct be_ctx *be_ctx, + */ + ret = ad_get_dyndns_options(be_ctx, ad_opts); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set AD options\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not get AD dyndns options\n"); + return ret; + } + +@@ -209,8 +209,8 @@ static void ad_dyndns_update_connect_done(struct tevent_req *subreq) + + ret = ldap_url_parse(ctx->service->sdap->uri, &lud); + if (ret != LDAP_SUCCESS) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to parse ldap URI (%s)!\n", ctx->service->sdap->uri); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse ldap URI '%s': %d\n", ++ ctx->service->sdap->uri, ret); + ret = EINVAL; + goto done; + } +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 0eb5416ac..b15e0f345 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -671,7 +671,9 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, + + err = sss_idmap_sid_to_smb_sid(idmap_ctx, user_sid, &user_dom_sid); + if (err != IDMAP_SUCCESS) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "sss_idmap_sid_to_smb_sid() failed for user_sid '%s': %d\n", ++ user_sid, err); + return EFAULT; + } + +@@ -684,7 +686,9 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, + + err = 
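Review bot: The new messages in ad_gpo_ace_includes_client_sid (this hunk at -671 and the two that follow it at -684 and -698 in src/providers/ad/ad_gpo.c) print the idmap error as a bare number. libsss_idmap offers idmap_error_string(), so `"sss_idmap_sid_to_smb_sid() failed for user_sid '%s': %d (%s)\n", user_sid, err, idmap_error_string(err)` spares the reader a lookup in the enum. The function begins and ends outside these hunks.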
sss_idmap_sid_to_smb_sid(idmap_ctx, host_sid, &host_dom_sid); + if (err != IDMAP_SUCCESS) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "sss_idmap_sid_to_smb_sid() failed for host_sid '%s': %d\n", ++ host_sid, err); + return EFAULT; + } + +@@ -698,7 +702,9 @@ ad_gpo_ace_includes_client_sid(const char *user_sid, + for (i = 0; i < group_size; i++) { + err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid); + if (err != IDMAP_SUCCESS) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "sss_idmap_sid_to_smb_sid() failed for group_sid '%s': %d\n", ++ group_sids[i], err); + return EFAULT; + } + included = ad_gpo_dom_sid_equal(&ace_dom_sid, group_dom_sid); +@@ -4777,14 +4783,14 @@ gpo_fork_child(struct tevent_req *req) + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", errno, strerror(errno)); ++ "pipe (from) failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", errno, strerror(errno)); ++ "pipe (to) failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + +diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c +index ce9bbe6f3..6e7137a86 100644 +--- a/src/providers/ad/ad_machine_pw_renewal.c ++++ b/src/providers/ad/ad_machine_pw_renewal.c +@@ -171,14 +171,14 @@ ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx, + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", ret, strerror(ret)); ++ "pipe (from) failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", ret, strerror(ret)); ++ "pipe (to) failed [%d][%s].\n", ret, strerror(ret)); + goto done; 
+ } + +@@ -354,7 +354,8 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, + } + + if (opt_list_size != 2) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Wrong number of renewal options.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Wrong number of renewal options %d\n", ++ opt_list_size); + ret = EINVAL; + goto done; + } +diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c +index 80424b44e..aff47304e 100644 +--- a/src/providers/ad/ad_pac.c ++++ b/src/providers/ad/ad_pac.c +@@ -120,7 +120,11 @@ errno_t check_if_pac_is_available(TALLOC_CTX *mem_ctx, + + ret = find_user_entry(mem_ctx, dom, ar, &msg); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "find_user_entry failed.\n"); ++ if (ret == ENOENT) { ++ DEBUG(SSSDBG_FUNC_DATA, "find_user_entry didn't find user entry.\n"); ++ } else { ++ DEBUG(SSSDBG_OP_FAILURE, "find_user_entry failed.\n"); ++ } + return ret; + } + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 4c457b7e5..f5b0be6c2 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -299,7 +299,7 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, + + subdom_conf_path = subdomain_create_conf_path(id_ctx, subdom); + if (subdom_conf_path == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "subdom_conf_path failed\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "subdomain_create_conf_path failed\n"); + return ENOMEM; + } + +diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c +index 2de3b11bb..1a304db37 100644 +--- a/src/providers/be_dyndns.c ++++ b/src/providers/be_dyndns.c +@@ -1111,7 +1111,8 @@ be_nsupdate_args(TALLOC_CTX *mem_ctx, + argc++; + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown nsupdate auth type\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unknown nsupdate auth type %d\n", auth_type); + goto fail; + } + +diff --git a/src/providers/be_ptask.c b/src/providers/be_ptask.c +index fb80909a0..fab9e21b8 100644 +--- a/src/providers/be_ptask.c ++++ b/src/providers/be_ptask.c +@@ 
-251,7 +251,7 @@ static void be_ptask_schedule(struct be_ptask *task, + task->timer = tevent_add_timer(task->ev, task, tv, be_ptask_execute, task); + if (task->timer == NULL) { + /* nothing we can do about it */ +- DEBUG(SSSDBG_CRIT_FAILURE, "FATAL: Unable to schedule task [%s]\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to schedule task [%s]\n", + task->name); + be_ptask_disable(task); + } +diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c +index 01cbf03e2..fdddf8bca 100644 +--- a/src/providers/be_refresh.c ++++ b/src/providers/be_refresh.c +@@ -125,7 +125,8 @@ static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx, + base_dn = sysdb_netgroup_base_dn(mem_ctx, domain); + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Uknown or unsupported refresh type\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Uknown or unsupported refresh type %d\n", type); + return ERR_INTERNAL; + break; + } +diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c +index 0858c43d2..90324d74d 100644 +--- a/src/providers/data_provider/dp.c ++++ b/src/providers/data_provider/dp.c +@@ -109,7 +109,7 @@ dp_init_interface(struct data_provider *provider) + + ret = sbus_connection_add_path_map(provider->sbus_conn, paths); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n", ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n", + ret, sss_strerror(ret)); + } + +@@ -196,7 +196,7 @@ dp_init_send(TALLOC_CTX *mem_ctx, + (sbus_server_on_connection_cb)dp_client_init, + (sbus_server_on_connection_data)state->provider); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create subrequest!\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to create subrequest!\n"); + ret = ENOMEM; + goto done; + } +diff --git a/src/providers/data_provider/dp_target_sudo.c b/src/providers/data_provider/dp_target_sudo.c +index db14039c4..59e2358cc 100644 +--- a/src/providers/data_provider/dp_target_sudo.c ++++ 
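Review bot: The rewritten message in be_refresh_get_values (src/providers/be_refresh.c) keeps the misspelling "Uknown"; since the line is being touched anyway, `"Unknown or unsupported refresh type %d\n"` makes it turn up in a search alongside the other "Unknown ... type" messages in this patch. The `break;` after `return ERR_INTERNAL;` is unreachable and could be dropped at the same time.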
b/src/providers/data_provider/dp_target_sudo.c +@@ -42,13 +42,13 @@ static errno_t dp_sudo_parse_message(TALLOC_CTX *mem_ctx, + + ret = sbus_iterator_read_u(read_iter, &dp_flags); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse the message (flags)!\n"); + return ret; + } + + ret = sbus_iterator_read_u(read_iter, &sudo_type); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse the message (type)!\n"); + return ret; + } + +@@ -66,13 +66,15 @@ static errno_t dp_sudo_parse_message(TALLOC_CTX *mem_ctx, + /* read rules_num */ + ret = sbus_iterator_read_u(read_iter, &num_rules); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to parse the message (num rules)!\n"); + return ret; + } + + ret = sbus_iterator_read_as(mem_ctx, read_iter, &rules); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to parse the message (rules)!\n"); + return ret; + } + break; +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index 10421c6b4..f059a3f96 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -407,7 +407,7 @@ static void check_if_online(struct be_ctx *be_ctx, int delay) + check_if_online_delayed, be_ctx); + + if (time_event == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(SSSDBG_CRIT_FAILURE, + "Scheduling check_if_online_delayed failed.\n"); + goto failed; + } +@@ -420,7 +420,6 @@ static void check_if_online(struct be_ctx *be_ctx, int delay) + + failed: + be_ctx->check_online_ref_count--; +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to run a check_online test.\n"); + + if (be_ctx->check_online_ref_count == 0) { + reset_fo(be_ctx); +@@ -629,7 +628,7 @@ static void dp_initialized(struct tevent_req *req) + + 
ret = be_register_monitor_iface(be_ctx->mon_conn, be_ctx); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register monitor interface " ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register monitor interface " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } +diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c +index 8dc09f5b2..0dfbb04b0 100644 +--- a/src/providers/data_provider_fo.c ++++ b/src/providers/data_provider_fo.c +@@ -651,7 +651,7 @@ errno_t be_resolve_server_process(struct tevent_req *subreq, + srvaddr = fo_get_server_hostent(state->srv); + if (!srvaddr) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "FATAL: No hostent available for server (%s)\n", ++ "No hostent available for server (%s)\n", + fo_get_server_str_name(state->srv)); + return EFAULT; + } +diff --git a/src/providers/data_provider_opts.c b/src/providers/data_provider_opts.c +index 9db43fc40..bb543ae4f 100644 +--- a/src/providers/data_provider_opts.c ++++ b/src/providers/data_provider_opts.c +@@ -233,7 +233,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx, + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to retrieve value for option (%s)\n", ++ "Failed to copy value for option (%s)\n", + opts[i].opt_name); + goto done; + } +@@ -249,7 +249,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx, + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to retrieve value for option (%s)\n", ++ "Failed to copy value for option (%s)\n", + opts[i].opt_name); + goto done; + } +@@ -265,7 +265,7 @@ static int dp_copy_options_ex(TALLOC_CTX *memctx, + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to retrieve value for option (%s)\n", ++ "Failed to copy value for option (%s)\n", + opts[i].opt_name); + goto done; + } +diff --git a/src/providers/data_provider_req.h b/src/providers/data_provider_req.h +index f2e05797f..75f7f9713 100644 +--- a/src/providers/data_provider_req.h ++++ b/src/providers/data_provider_req.h +@@ -39,6 +39,7 
@@ + #define BE_REQ_USER_AND_GROUP 0x0012 + #define BE_REQ_BY_UUID 0x0013 + #define BE_REQ_BY_CERT 0x0014 ++#define BE_REQ__LAST BE_REQ_BY_CERT /* must be equal to max REQ number */ + #define BE_REQ_TYPE_MASK 0x00FF + + /** +diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c +index 59fc20692..54d2b4164 100644 +--- a/src/providers/files/files_ops.c ++++ b/src/providers/files/files_ops.c +@@ -395,7 +395,7 @@ static errno_t refresh_override_attrs(struct files_id_ctx *id_ctx, + override_attrs, &count, &msgs); + if (ret != EOK) { + if (ret == ENOENT) { +- DEBUG(SSSDBG_OP_FAILURE, "No overrides, nothing to do.\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "No overrides, nothing to do.\n"); + ret = EOK; + } else { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n"); +diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c +index 375b6f885..4a6727c97 100644 +--- a/src/providers/ipa/ipa_access.c ++++ b/src/providers/ipa/ipa_access.c +@@ -671,7 +671,7 @@ static void ipa_pam_access_handler_done(struct tevent_req *subreq) + talloc_free(subreq); + + if (ret == ENOENT) { +- DEBUG(SSSDBG_CRIT_FAILURE, "No HBAC rules find, denying access\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "No HBAC rules found, denying access\n"); + state->pd->pam_status = PAM_PERM_DENIED; + goto done; + } else if (ret != EOK) { +diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c +index 1211ba4c9..8cadb9249 100644 +--- a/src/providers/ipa/ipa_common.c ++++ b/src/providers/ipa/ipa_common.c +@@ -781,8 +781,7 @@ int ipa_get_auth_options(struct ipa_options *ipa_opts, + dp_opt_get_string(ipa_opts->auth, + KRB5_REALM)); + if (value == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set %s!\n", +- ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -851,7 +850,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server) + srvaddr = 
fo_get_server_hostent(server); + if (!srvaddr) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "FATAL: No hostent available for server (%s)\n", ++ "No hostent available for server (%s)\n", + fo_get_server_str_name(server)); + talloc_free(tmp_ctx); + return; +diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c +index 31e53d24d..1fee41a36 100644 +--- a/src/providers/ipa/ipa_hbac_common.c ++++ b/src/providers/ipa/ipa_hbac_common.c +@@ -423,7 +423,7 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, + ret = sysdb_initgroups(tmp_ctx, domain, username, &res); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret)); ++ "sysdb_initgroups() failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +diff --git a/src/providers/ipa/ipa_hbac_services.c b/src/providers/ipa/ipa_hbac_services.c +index 79088ff66..387e915cd 100644 +--- a/src/providers/ipa/ipa_hbac_services.c ++++ b/src/providers/ipa/ipa_hbac_services.c +@@ -487,7 +487,7 @@ hbac_service_attrs_to_rule(TALLOC_CTX *mem_ctx, + /* Original DN matched a single service. Get the service name */ + name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL); + if (name == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute IPA_CN is missing!\n"); + ret = EFAULT; + goto done; + } +@@ -523,7 +523,7 @@ hbac_service_attrs_to_rule(TALLOC_CTX *mem_ctx, + /* Original DN matched a single group. 
Get the groupname */ + name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL); + if (name == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute IPA_CN is missing!\n"); + ret = EFAULT; + goto done; + } +diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c +index 2801a3162..25850eac0 100644 +--- a/src/providers/ipa/ipa_hbac_users.c ++++ b/src/providers/ipa/ipa_hbac_users.c +@@ -124,7 +124,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, + if (strcasecmp("cn", account_comp_name) != 0) { + /* The third component name is not "cn" */ + DEBUG(SSSDBG_CRIT_FAILURE, +- "Expected cn in second component, got %s\n", account_comp_name); ++ "Expected cn in third component, got %s\n", account_comp_name); + ret = ERR_UNEXPECTED_ENTRY_TYPE; + goto done; + } +@@ -135,7 +135,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, + account_comp_val->length) != 0) { + /* The third component value is not "accounts" */ + DEBUG(SSSDBG_CRIT_FAILURE, +- "Expected cn accounts second component, got %s\n", ++ "Expected accounts third component, got %s\n", + (const char *) account_comp_val->data); + ret = ERR_UNEXPECTED_ENTRY_TYPE; + goto done; +diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c +index 9253514a3..2cbe0c9c7 100644 +--- a/src/providers/ipa/ipa_id.c ++++ b/src/providers/ipa/ipa_id.c +@@ -266,7 +266,7 @@ ipa_initgr_get_overrides_send(TALLOC_CTX *memctx, + } + state->groups_id_attr = talloc_strdup(state, groups_id_attr); + if (state->groups_id_attr == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } +diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c +index a4d58e3bd..afdd6fdd0 100644 +--- a/src/providers/ipa/ipa_init.c ++++ b/src/providers/ipa/ipa_init.c +@@ -317,10 +317,10 @@ static errno_t ipa_init_client_mode(struct be_ctx *be_ctx, + ret = 
sysdb_get_view_name(ipa_id_ctx, be_ctx->domain->sysdb, + &ipa_id_ctx->view_name); + if (ret == ENOENT) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find view name in the cache. " ++ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot find view name in the cache. " + "Will do online lookup later.\n"); + } else if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name() failed [%d]: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_get_view_name() failed [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index c3e1acb48..fb93c6233 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -2224,7 +2224,8 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq) + + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected request type.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unexpected request type %d.\n", state->request_type); + ret = EINVAL; + goto done; + } +diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c +index 5cb02de86..760349134 100644 +--- a/src/providers/ipa/ipa_selinux.c ++++ b/src/providers/ipa/ipa_selinux.c +@@ -681,7 +681,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state) + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", errno, sss_strerror(errno)); ++ "pipe (from) failed [%d][%s].\n", errno, sss_strerror(errno)); + return ret; + } + +@@ -689,7 +689,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state) + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", errno, sss_strerror(errno)); ++ "pipe (to) failed [%d][%s].\n", errno, sss_strerror(errno)); + return ret; + } + +diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c +index 6672cb349..935393ccd 100644 +--- a/src/providers/ipa/ipa_session.c ++++ b/src/providers/ipa/ipa_session.c +@@ -570,7 +570,7 @@ 
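Review bot: In selinux_fork_child (src/providers/ipa/ipa_selinux.c) the second pipe() failure path returns straight away, which appears to leave both descriptors of the first pipe open; the pipe() calls and the descriptor arrays are outside the hunks, so this needs confirming against the full function. If they are plain locals, closing them before `return ret;` avoids leaking two descriptors per failed attempt in a long-running backend. Both messages also read errno again after `ret = errno;`; passing `ret, sss_strerror(ret)`, as the matching messages in ad_machine_pw_renewal.c do with `ret`, is the more robust form.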
ipa_pam_session_handler_done(struct tevent_req *subreq) + talloc_free(subreq); + + if (ret == ENOENT) { +- DEBUG(SSSDBG_IMPORTANT_INFO, "No Desktop Profile rules found\n"); ++ DEBUG(SSSDBG_FUNC_DATA, "No Desktop Profile rules found\n"); + if (!state->session_ctx->no_rules_found) { + state->session_ctx->no_rules_found = true; + state->session_ctx->last_request = time(NULL); +@@ -668,7 +668,7 @@ ipa_pam_session_handler_get_deskprofile_user_info(TALLOC_CTX *mem_ctx, + + if (res->count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_getpwnam() got more users than expected. " ++ "sysdb_getpwnam() returned unexpected amount of users. " + "Expected [%d], got [%d]\n", 1, res->count); + ret = EINVAL; + goto done; +diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c +index c730c3317..790ae9d16 100644 +--- a/src/providers/ipa/ipa_subdomains_ext_groups.c ++++ b/src/providers/ipa/ipa_subdomains_ext_groups.c +@@ -840,7 +840,8 @@ static void ipa_add_ad_memberships_get_next(struct tevent_req *req) + } + + if (missing_groups) { +- DEBUG(SSSDBG_CRIT_FAILURE, "There are unresolved external group " ++ /* this might be HBAC or sudo rule */ ++ DEBUG(SSSDBG_FUNC_DATA, "There are unresolved external group " + "memberships even after all groups " + "have been looked up on the LDAP " + "server.\n"); +diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c +index 36f32fae8..46d496258 100644 +--- a/src/providers/ipa/ipa_subdomains_id.c ++++ b/src/providers/ipa/ipa_subdomains_id.c +@@ -506,7 +506,13 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx, + break; + default: + ret = EINVAL; +- DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type.\n"); ++ if (state->entry_type > BE_REQ__LAST) { ++ DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type %d.\n", ++ state->entry_type); ++ } else { ++ DEBUG(SSSDBG_TRACE_FUNC, "Unhandled sub-domain request type %d.\n", ++ state->entry_type); ++ 
} + } + if (ret != EOK) goto fail; + +@@ -1027,6 +1033,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + const char *homedir = NULL; + struct ldb_message_element *msg_el = NULL; + size_t c; ++ const char *category = NULL; ++ size_t length = 0; ++ bool user_class = true; + + msg_el = ldb_msg_find_element(msg, SYSDB_OBJECTCATEGORY); + if (msg_el == NULL) { +@@ -1039,12 +1048,15 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + * case of a MPG group lookup if SYSDB_OBJECTCATEGORY is SYSDB_GROUP_CLASS. + */ + for (c = 0; c < msg_el->num_values; c++) { +- if (strncmp(SYSDB_USER_CLASS, (const char *)msg_el->values[c].data, +- msg_el->values[c].length) == 0 +- || (sss_domain_is_mpg(dom) +- && strncmp(SYSDB_GROUP_CLASS, +- (const char *)msg_el->values[c].data, +- msg_el->values[c].length) == 0)) { ++ category = (const char *)msg_el->values[c].data; ++ length = msg_el->values[c].length; ++ if (strncmp(SYSDB_USER_CLASS, category, length) == 0) { ++ user_class = true; ++ break; ++ } ++ if (sss_domain_is_mpg(dom) ++ && strncmp(SYSDB_GROUP_CLASS, category, length) == 0) { ++ user_class = false; + break; + } + } +@@ -1064,8 +1076,12 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + + uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0); + if (uid == 0) { +- DEBUG(SSSDBG_OP_FAILURE, "UID for user [%s] is not known.\n", +- fqname); ++ if (user_class) { ++ DEBUG(SSSDBG_OP_FAILURE, "UID for user [%s] is unknown\n", fqname); ++ } else { ++ DEBUG(SSSDBG_TRACE_INTERNAL, ++ "No UID for object [%s], perhaps mpg\n", fqname); ++ } + ret = ENOENT; + goto done; + } +@@ -1309,7 +1325,7 @@ ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq) + + state->object_sid = talloc_strdup(state, sid); + if (state->object_sid == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto fail; + } +@@ -1521,7 +1537,7 @@ static 
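Review bot: Both `strncmp()` calls in the rewritten loop of `apply_subdomain_homedir()` are bounded by `msg_el->values[c].length`, so a stored value that is empty or only a prefix of the class name compares equal and ends the loop. The bound predates this commit, but the match now also sets `user_class`, which selects between the `SSSDBG_OP_FAILURE` and `SSSDBG_TRACE_INTERNAL` message in the later UID hunk. Checking the length as well makes the classification exact: `if (length == strlen(SYSDB_USER_CLASS) && strncmp(SYSDB_USER_CLASS, category, length) == 0) {`, and likewise for `SYSDB_GROUP_CLASS`. The function body continues outside the hunk.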
errno_t ipa_get_ad_apply_override_step(struct tevent_req *req) + + state->ar->filter_value = talloc_strdup(state->ar, obj_name); + if (state->ar->filter_value == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + return ENOMEM; + } + state->ar->filter_type = BE_FILTER_NAME; +diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c +index fcdd05322..deb2c2cee 100644 +--- a/src/providers/ipa/ipa_subdomains_server.c ++++ b/src/providers/ipa/ipa_subdomains_server.c +@@ -513,7 +513,7 @@ static void ipa_getkeytab_exec(const char *ccache, + + gkt_env[0] = talloc_asprintf(NULL, "KRB5CCNAME=%s", ccache); + if (gkt_env[0] == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to format KRB5CCNAME\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to format KRB5CCNAME\n"); + exit(1); + } + +@@ -522,7 +522,7 @@ static void ipa_getkeytab_exec(const char *ccache, + ret = unlink(keytab_path); + if (ret == -1) { + ret = errno; +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to unlink the temporary ccname [%d][%s]\n", + ret, sss_strerror(ret)); + exit(1); +@@ -533,12 +533,12 @@ static void ipa_getkeytab_exec(const char *ccache, + "-r", "-s", server, "-p", principal, "-k", keytab_path, NULL, + gkt_env); + +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_FATAL_FAILURE, + "execle returned %d, this shouldn't happen!\n", ret); + + /* The child should never end up here */ + ret = errno; +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_FATAL_FAILURE, + "execle failed [%d][%s].\n", ret, sss_strerror(ret)); + exit(1); + } +@@ -748,7 +748,8 @@ static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req) + + state->new_keytab = talloc_asprintf(state, "%sXXXXXX", state->keytab); + if (state->new_keytab == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Cannot set up ipa_get_keytab. 
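Review bot: The failure message after `unlink(keytab_path)` in `ipa_getkeytab_exec()` still reads `Failed to unlink the temporary ccname`, although the path being removed is the keytab. This commit is about making messages match the failing call, so the text should change along with the level: `"Failed to unlink the temporary keytab [%d][%s]\n"`.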
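Review bot: After `execle()` returns in `ipa_getkeytab_exec()`, `errno` is read only after the first `DEBUG()` call, and logging may itself change `errno`, so the code printed by the second message is not guaranteed to be the one `execle()` set. Saving it first and logging once avoids that: `ret = errno;` directly after the call, followed by `DEBUG(SSSDBG_FATAL_FAILURE, "execle failed [%d][%s].\n", ret, sss_strerror(ret));`. The start of the `execle()` call is outside the hunk, so the assignment of its return value to `ret` is inferred from the first message.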
talloc_asprintf() failed\n"); + return ENOMEM; + } + +diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c +index 931770922..1b881d085 100644 +--- a/src/providers/ipa/ipa_sudo.c ++++ b/src/providers/ipa/ipa_sudo.c +@@ -223,7 +223,7 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx, + ipa_sudorule_map, IPA_OPTS_SUDORULE, + &sudo_ctx->sudorule_map); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map " ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map (rule) " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } +@@ -232,7 +232,7 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx, + ipa_sudocmdgroup_map, IPA_OPTS_SUDOCMDGROUP, + &sudo_ctx->sudocmdgroup_map); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map " ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map (cmdgroup) " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } +@@ -241,7 +241,7 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx, + ipa_sudocmd_map, IPA_OPTS_SUDOCMD, + &sudo_ctx->sudocmd_map); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map " ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map (cmd) " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } +@@ -250,16 +250,16 @@ ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx, + CONFDB_SUDO_THRESHOLD, CONFDB_DEFAULT_SUDO_THRESHOLD, + &sudo_ctx->sudocmd_threshold); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Could not parse sudo search base\n"); +- return ret; ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not get sudo threshold\n"); ++ goto done; + } + + ret = sdap_parse_search_base(sudo_ctx, sudo_ctx->sdap_opts->basic, + SDAP_SUDO_SEARCH_BASE, + &sudo_ctx->sudo_sb); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Could not parse sudo search base\n"); +- return ret; ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not parse sudo search base\n"); ++ goto done; + } + + ret = ipa_sudo_ptask_setup(be_ctx, sudo_ctx); +diff --git 
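Review bot: The two rewritten failure messages in the last `ipa_sudo_init_ipa_schema()` hunk print no error code, while the three attribute-map messages just above them print `[%d]: %s`. Since both were raised to `SSSDBG_CRIT_FAILURE`, they should carry the same detail, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "Could not get sudo threshold [%d]: %s\n", ret, sss_strerror(ret));` and the equivalent for the search base. The `done` label these paths now jump to is outside the hunk.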
a/src/providers/ipa/ipa_sudo_async.c b/src/providers/ipa/ipa_sudo_async.c +index 1d7a69814..c531ecbf9 100644 +--- a/src/providers/ipa/ipa_sudo_async.c ++++ b/src/providers/ipa/ipa_sudo_async.c +@@ -520,7 +520,7 @@ ipa_sudo_fetch_addtl_cmdgroups_done(struct tevent_req *subreq) + goto done; + } + +- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu additional command groups\n", ++ DEBUG(SSSDBG_FUNC_DATA, "Received %zu additional command groups\n", + num_attrs); + + ret = ipa_sudo_filter_rules_bycmdgroups(state, state->domain, attrs, +@@ -609,7 +609,7 @@ ipa_sudo_fetch_rules_done(struct tevent_req *subreq) + goto done; + } + +- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo rules\n", num_attrs); ++ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo rules\n", num_attrs); + + ret = ipa_sudo_conv_rules(state->conv, attrs, num_attrs); + if (ret != EOK) { +@@ -689,7 +689,7 @@ ipa_sudo_fetch_cmdgroups_done(struct tevent_req *subreq) + goto done; + } + +- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo command groups\n", ++ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo command groups\n", + num_attrs); + + ret = ipa_sudo_conv_cmdgroups(state->conv, attrs, num_attrs); +@@ -769,7 +769,7 @@ ipa_sudo_fetch_cmds_done(struct tevent_req *subreq) + goto done; + } + +- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo commands\n", num_attrs); ++ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo commands\n", num_attrs); + + ret = ipa_sudo_conv_cmds(state->conv, attrs, num_attrs); + if (ret != EOK) { +@@ -1109,7 +1109,7 @@ done: + if (in_transaction) { + sret = sysdb_transaction_cancel(state->sysdb); + if (sret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n"); + } + } + +diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c +index b5fc49379..bd1ec72b3 100644 +--- a/src/providers/ipa/ipa_sudo_conversion.c ++++ b/src/providers/ipa/ipa_sudo_conversion.c +@@ -801,7 +801,7 @@ 
convert_host(TALLOC_CTX *mem_ctx, + *skip_entry = true; + return NULL; + } else if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", + value, ret, sss_strerror(ret)); + return NULL; + } +@@ -841,7 +841,7 @@ convert_user(TALLOC_CTX *mem_ctx, + *skip_entry = true; + return NULL; + } else if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", + value, ret, sss_strerror(ret)); + return NULL; + } +@@ -904,7 +904,7 @@ convert_group(TALLOC_CTX *mem_ctx, + *skip_entry = true; + return NULL; + } else if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n", + value, ret, sss_strerror(ret)); + return NULL; + } +diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c +index 2a918bdc8..e1090d03b 100644 +--- a/src/providers/ipa/ipa_views.c ++++ b/src/providers/ipa/ipa_views.c +@@ -232,7 +232,7 @@ static errno_t get_dp_id_data_for_xyz(TALLOC_CTX *mem_ctx, const char *val, + ar->filter_value = talloc_strdup(ar, val); + ar->domain = talloc_strdup(ar, domain_name); + if (ar->filter_value == NULL || ar->domain == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + talloc_free(ar); + return ENOMEM; + } +@@ -471,7 +471,7 @@ static void ipa_get_ad_override_done(struct tevent_req *subreq) + + ret = ipa_get_ad_override_qualify_name(state); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot qualify object name\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot qualify object name\n"); + goto fail; + } + +diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c +index be9068c0f..2ae5abe14 100644 +--- a/src/providers/krb5/krb5_access.c ++++ 
b/src/providers/krb5/krb5_access.c +@@ -78,7 +78,8 @@ struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx, + } + + if (pd->cmd != SSS_PAM_ACCT_MGMT) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected pam task.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unexpected pam task %d.\n", pd->cmd); + ret = EINVAL; + goto done; + } +diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c +index a1c0b3640..699c2467b 100644 +--- a/src/providers/krb5/krb5_auth.c ++++ b/src/providers/krb5/krb5_auth.c +@@ -499,7 +499,7 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, + /* handle empty password gracefully */ + if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Illegal zero-length authtok for user [%s]\n", ++ "Illegal empty authtok for user [%s]\n", + pd->user); + state->pam_status = PAM_AUTH_ERR; + state->dp_err = DP_ERR_OK; +@@ -854,7 +854,7 @@ static void krb5_auth_done(struct tevent_req *subreq) + ret = EOK; + goto done; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM task\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM task %d\n", pd->cmd); + ret = EINVAL; + goto done; + } +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index cab7b27a2..06fdf7156 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -258,7 +258,7 @@ static void sss_krb5_expire_callback_func(krb5_context context, void *data, + + blob = talloc_array(kr->pd, uint32_t, 2); + if (blob == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n"); + return; + } + +@@ -525,7 +525,8 @@ static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx, + out_token, out_pin); + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unsupported authtok type %d\n", sss_authtok_get_type(auth_tok)); + } + + return EINVAL; +@@ -1087,7 +1088,7 @@ static errno_t 
pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error, + + buf = talloc_array(mem_ctx, uint8_t, size); + if (!buf) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Insufficient memory to create message.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed\n"); + return ENOMEM; + } + +@@ -1958,13 +1959,12 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) + &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "pack_user_info_chpass_error failed.\n"); ++ "pack_user_info_chpass_error failed [%d]\n", ret); + } else { + ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, msg_len, + msg); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "pam_add_response failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } + return kerr; +@@ -2036,13 +2036,12 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) + &user_resp_len, &user_resp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "pack_user_info_chpass_error failed.\n"); ++ "pack_user_info_chpass_error failed [%d]\n", ret); + } else { + ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, user_resp_len, + user_resp); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "pam_add_response failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } + } +@@ -2448,7 +2447,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size, + + pd = create_pam_data(kr); + if (pd == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "create_pam_data failed.\n"); + return ENOMEM; + } + kr->pd = pd; +@@ -3110,7 +3109,7 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline) + + kr->creds = calloc(1, sizeof(krb5_creds)); + if (kr->creds == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n"); + return ENOMEM; + } + +@@ -3345,7 +3344,7 @@ int main(int argc, const char *argv[]) + + kr = talloc_zero(NULL, struct krb5_req); + if (kr == NULL) { +- 
DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } +@@ -3403,7 +3402,7 @@ int main(int argc, const char *argv[]) + + ret = k5c_setup(kr, offline); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child_setup failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "k5c_setup failed.\n"); + goto done; + } + +diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c +index 37f4304e8..01777e22b 100644 +--- a/src/providers/krb5/krb5_child_handler.c ++++ b/src/providers/krb5/krb5_child_handler.c +@@ -449,14 +449,14 @@ static errno_t fork_child(struct tevent_req *req) + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", errno, strerror(errno)); ++ "pipe (from) failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", errno, strerror(errno)); ++ "pipe (to) failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + +diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c +index 5c11c347b..316603946 100644 +--- a/src/providers/krb5/krb5_common.c ++++ b/src/providers/krb5/krb5_common.c +@@ -793,7 +793,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server) + + krb5_service = talloc_get_type(private_data, struct krb5_service); + if (!krb5_service) { +- DEBUG(SSSDBG_CRIT_FAILURE, "FATAL: Bad private_data\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Bad private_data\n"); + return; + } + +@@ -1110,7 +1110,7 @@ void remove_krb5_info_files_callback(void *pvt) + ctx->kdc_service_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "be_fo_run_callbacks_at_next_request failed, " ++ "be_fo_run_callbacks_at_next_request(kdc_service_name) failed, " + "krb5 info files will not be removed, because " + "it is unclear if they will be recreated 
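Review bot: Both `pipe()` failure messages in `fork_child()` print `errno` and `strerror(errno)` even though the value was just saved with `ret = errno;`. The rest of this patch reports the saved code through `sss_strerror()`, so `"pipe (from) failed [%d][%s].\n", ret, sss_strerror(ret)` would be consistent, and the same for the `(to)` message. The `fail` label is outside the hunk, so confirm that it closes `pipefd_from_child` when only the second `pipe()` fails, otherwise two descriptors leak on that path.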
properly.\n"); + return; +@@ -1120,7 +1120,7 @@ void remove_krb5_info_files_callback(void *pvt) + ctx->kpasswd_service_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "be_fo_run_callbacks_at_next_request failed, " ++ "be_fo_run_callbacks_at_next_request(kpasswd_service_name) failed, " + "krb5 info files will not be removed, because " + "it is unclear if they will be recreated properly.\n"); + return; +diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c +index 8572d1249..07d375b9d 100644 +--- a/src/providers/krb5/krb5_delayed_online_authentication.c ++++ b/src/providers/krb5/krb5_delayed_online_authentication.c +@@ -173,7 +173,7 @@ static errno_t authenticate_stored_users( + ret = hash_lookup(uid_table, &key, &value); + + if (ret == HASH_SUCCESS) { +- DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is still logged in, " ++ DEBUG(SSSDBG_FUNC_DATA, "User [%s] is still logged in, " + "trying online authentication.\n", pd->user); + + auth_data = talloc_zero(deferred_auth_ctx->be_ctx, +@@ -193,7 +193,7 @@ static errno_t authenticate_stored_users( + } + } + } else { +- DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is not logged in anymore, " ++ DEBUG(SSSDBG_FUNC_DATA, "User [%s] is not logged in anymore, " + "discarding online authentication.\n", pd->user); + talloc_free(pd); + } +diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c +index 8b2159e92..d79e7c367 100644 +--- a/src/providers/krb5/krb5_renew_tgt.c ++++ b/src/providers/krb5/krb5_renew_tgt.c +@@ -405,7 +405,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx) + + base_dn = sysdb_user_base_dn(tmp_ctx, renew_tgt_ctx->be_ctx->domain); + if (base_dn == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_base_dn failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_base_dn failed.\n"); + ret = ENOMEM; + goto done; + } +@@ -440,7 +440,7 @@ static errno_t check_ccache_files(struct renew_tgt_ctx 
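Review bot: The message in the first `check_ccache_files()` hunk still says `sysdb_base_dn failed.` while the call that returned NULL is `sysdb_user_base_dn()`. Only the level was changed here; since the commit corrects function names in messages elsewhere, this one should read `"sysdb_user_base_dn failed.\n"`.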
*renew_tgt_ctx) + + ret = sss_parse_internal_fqname(tmp_ctx, user_name, NULL, &user_dom); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse internal fqname [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; +diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c +index e3f8f2140..43056ba28 100644 +--- a/src/providers/krb5/krb5_utils.c ++++ b/src/providers/krb5/krb5_utils.c +@@ -287,7 +287,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, + name = sss_output_name(tmp_ctx, kr->pd->user, case_sensitive, 0); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "sss_get_cased_name failed\n"); ++ "sss_output_name failed\n"); + goto done; + } + +diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c +index 89ff4ece0..42ef962b4 100644 +--- a/src/providers/ldap/ldap_auth.c ++++ b/src/providers/ldap/ldap_auth.c +@@ -64,7 +64,7 @@ static errno_t add_expired_warning(struct pam_data *pd, long exp_time) + + data = talloc_array(pd, uint32_t, 2); + if (data == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n"); + return ENOMEM; + } + +@@ -249,7 +249,8 @@ errno_t check_pwexpire_policy(enum pwexpire pw_expire_type, + ret = EOK; + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unknown password expiration type %d.\n", pw_expire_type); + ret = EINVAL; + } + +@@ -1355,9 +1356,10 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) + case PWEXPIRE_NONE: + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n"); +- state->pd->pam_status = PAM_SYSTEM_ERR; +- goto done; ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unknown password expiration type %d.\n", pw_expire_type); ++ state->pd->pam_status = PAM_SYSTEM_ERR; ++ goto done; + } + } + +diff --git a/src/providers/ldap/ldap_child.c 
b/src/providers/ldap/ldap_child.c +index 84941c6e4..8580e2785 100644 +--- a/src/providers/ldap/ldap_child.c ++++ b/src/providers/ldap/ldap_child.c +@@ -223,7 +223,7 @@ static int lc_verify_keytab_ex(const char *principal, + /* This should never happen. The API docs for this function + * specify only success for this function + */ +- DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not free keytab entry contents\n"); + /* This is non-fatal, so we'll continue here */ + } + +diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c +index cd589a7c0..2ad8680a1 100644 +--- a/src/providers/ldap/ldap_init.c ++++ b/src/providers/ldap/ldap_init.c +@@ -43,8 +43,8 @@ struct ldap_init_ctx { + }; + + /* Please use this only for short lists */ +-errno_t check_order_list_for_duplicates(char **list, +- bool case_sensitive) ++static errno_t check_order_list_for_duplicates(char **list, ++ bool case_sensitive) + { + size_t c; + size_t d; +diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c +index d06d3980e..bb51785fb 100644 +--- a/src/providers/ldap/ldap_options.c ++++ b/src/providers/ldap/ldap_options.c +@@ -408,14 +408,15 @@ int ldap_get_options(TALLOC_CTX *memctx, + sss_erase_talloc_mem_securely(cleartext); + talloc_free(cleartext); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_blob(authtok) failed.\n"); + goto done; + } + + ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE, + "password"); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "dp_opt_set_string(authtok_type) failed.\n"); + goto done; + } + } +@@ -629,7 +630,8 @@ int ldap_get_autofs_options(TALLOC_CTX *memctx, + default_entry_map = rfc2307bis_autofs_entry_map; + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown LDAP schema!\n"); ++ 
DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unknown LDAP schema %d!\n", opts->schema_type); + return EINVAL; + } + +diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c +index 7cb00480d..32c0144b9 100644 +--- a/src/providers/ldap/sdap.c ++++ b/src/providers/ldap/sdap.c +@@ -371,7 +371,7 @@ int sdap_get_map(TALLOC_CTX *memctx, + + if (map[i].def_name && !map[i].name) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to retrieve value for %s\n", map[i].opt_name); ++ "Failed to process value for %s\n", map[i].opt_name); + talloc_zfree(map); + return EINVAL; + } +@@ -532,7 +532,8 @@ int sdap_parse_entry(TALLOC_CTX *memctx, + if (!vals) { + ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); + if (lerrno != LDAP_SUCCESS) { +- DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "ldap_get_values_len() failed: %d(%s)\n", + lerrno, sss_ldap_err2string(lerrno)); + ret = EIO; + goto done; +@@ -613,7 +614,7 @@ int sdap_parse_entry(TALLOC_CTX *memctx, + + ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); + if (lerrno) { +- DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_get_option() failed: %d(%s)\n", + lerrno, sss_ldap_err2string(lerrno)); + ret = EIO; + goto done; +@@ -884,7 +885,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts) + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD; + } + else { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown value for tls_reqcert.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unknown value for tls_reqcert '%s'.\n", tls_opt); + return EINVAL; + } + /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, +@@ -893,7 +895,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts) + &ldap_opt_x_tls_require_cert); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); ++ "ldap_set_option(req_cert) failed: %s\n", ++ sss_ldap_err2string(ret)); + return EIO; + } + } +@@ -903,7 +906,8 @@ 
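Review bot: The new text `ldap_get_option() failed` in the second `sdap_parse_entry()` hunk blames the wrong call. The return value of `ldap_get_option()` is not checked there, and `lerrno` is the result code it reads back from the handle, so a non-zero value reports the LDAP operation that ran before it, which is outside the hunk. A neutral wording such as `"LDAP result code indicates an error: %d(%s)\n"` would be accurate. If the option call itself can fail, its return should be compared with `LDAP_OPT_SUCCESS`, as `simple_bind_send()` does, before `lerrno` is trusted.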
errno_t setup_tls_config(struct dp_option *basic_opts) + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); ++ "ldap_set_option(cacertfile) failed: %s\n", ++ sss_ldap_err2string(ret)); + return EIO; + } + } +@@ -913,7 +917,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts) + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); ++ "ldap_set_option(cacertdir) failed: %s\n", ++ sss_ldap_err2string(ret)); + return EIO; + } + } +@@ -923,7 +928,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts) + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); ++ "ldap_set_option(certfile) failed: %s\n", ++ sss_ldap_err2string(ret)); + return EIO; + } + } +@@ -933,7 +939,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts) + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); ++ "ldap_set_option(keyfile) failed: %s\n", ++ sss_ldap_err2string(ret)); + return EIO; + } + } +@@ -943,7 +950,8 @@ errno_t setup_tls_config(struct dp_option *basic_opts) + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); ++ "ldap_set_option(cipher) failed: %s\n", ++ sss_ldap_err2string(ret)); + return EIO; + } + } +diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c +index dd04ec512..8add97ba8 100644 +--- a/src/providers/ldap/sdap_access.c ++++ b/src/providers/ldap/sdap_access.c +@@ 
-317,7 +317,8 @@ static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state, + + default: + DEBUG(SSSDBG_CRIT_FAILURE, +- "Unexpected access rule type. Access denied.\n"); ++ "Unexpected access rule type %d. Access denied.\n", ++ state->access_ctx->access_rule[state->current_rule]); + ret = ERR_ACCESS_DENIED; + } + +@@ -1220,13 +1221,13 @@ static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain, + attrs = sysdb_new_attrs(NULL); + if (attrs == NULL) { + ret = ENOMEM; +- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create attrs\n"); + goto done; + } + + ret = sysdb_attrs_add_bool(attrs, attr_name, value); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attr value\n"); + goto done; + } + +@@ -1787,7 +1788,7 @@ errno_t sdap_access_ppolicy_step(struct tevent_req *req) + false); + + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_ppolicy_send failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n"); + ret = ENOMEM; + goto done; + } +@@ -1913,7 +1914,7 @@ static void sdap_access_ppolicy_step_done(struct tevent_req *subreq) + ret = sdap_access_decide_offline(state->cached_access); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, +- "sdap_get_generic_send() returned error [%d][%s]\n", ++ "sdap_id_op_done() returned error [%d][%s]\n", + ret, sss_strerror(ret)); + } + +diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c +index 68d5d44f8..cc77fb249 100644 +--- a/src/providers/ldap/sdap_async.c ++++ b/src/providers/ldap/sdap_async.c +@@ -749,7 +749,7 @@ sdap_modify_send(TALLOC_CTX *mem_ctx, + + ret = ldap_modify_ext(state->sh->ldap, dn, mods, NULL, NULL, &msgid); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to send operation!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_modify_ext() failed [%d]\n", ret); + goto done; + } + +@@ -2120,7 +2120,7 @@ static 
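Review bot: The rewritten message in `sdap_modify_send()` prints the raw return of `ldap_modify_ext()` as `[%d]`, which is an LDAP result code rather than an errno, and a bare number is hard to read in a log. Other messages in this patch pair the number with `sss_ldap_err2string()`, so I would write `DEBUG(SSSDBG_CRIT_FAILURE, "ldap_modify_ext() failed [%d]: %s\n", ret, sss_ldap_err2string(ret));`. The surrounding check compares that LDAP code with `EOK` and the `done` label is outside the hunk, so it may be worth confirming the code is not passed on to callers as if it were an errno.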
int sdap_x_deref_create_control(struct sdap_handle *sh, + + ret = ldap_create_deref_control_value(sh->ldap, ds, &derefval); + if (ret != LDAP_SUCCESS) { +- DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed: %s\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_create_deref_control_value failed: %s\n", + ldap_err2string(ret)); + return ret; + } +@@ -2129,7 +2129,7 @@ static int sdap_x_deref_create_control(struct sdap_handle *sh, + 1, &derefval, 1, ctrl); + ldap_memfree(derefval.bv_val); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_control_create failed %d\n", ret); + return ret; + } + +@@ -2875,7 +2875,8 @@ static void sdap_deref_search_done(struct tevent_req *subreq) + &state->reply_count, &state->reply); + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unknown deref method\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unknown deref method %d\n", state->deref_type); + tevent_req_error(req, EINVAL); + return; + } +diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c +index eaca0324e..ae2fa33e1 100644 +--- a/src/providers/ldap/sdap_async_autofs.c ++++ b/src/providers/ldap/sdap_async_autofs.c +@@ -720,7 +720,7 @@ sdap_autofs_setautomntent_send(TALLOC_CTX *memctx, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT)); + if (!subreq) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_automntmap_send failed\n"); + ret = ENOMEM; + goto fail; + } +diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c +index 5f69cedcc..eead3f119 100644 +--- a/src/providers/ldap/sdap_async_connection.c ++++ b/src/providers/ldap/sdap_async_connection.c +@@ -694,10 +694,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, + LDAP_OPT_RESULT_CODE, &ldap_err); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_bind failed (couldn't get ldap error)\n"); ++ 
"ldap_sasl_bind failed (couldn't get ldap error)\n"); + ret = LDAP_LOCAL_ERROR; + } else { +- DEBUG(SSSDBG_CRIT_FAILURE, "ldap_bind failed (%d)[%s]\n", ++ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_sasl_bind failed (%d)[%s]\n", + ldap_err, sss_ldap_err2string(ldap_err)); + ret = ldap_err; + } +@@ -988,7 +988,7 @@ static struct tevent_req *sasl_bind_send(TALLOC_CTX *memctx, + (*sdap_sasl_interact), state); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "ldap_sasl_bind failed (%d)[%s]\n", ++ "ldap_sasl_interactive_bind_s failed (%d)[%s]\n", + ret, sss_ldap_err2string(ret)); + + optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap, +diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c +index 5dbfd73c4..16c4a5f37 100644 +--- a/src/providers/ldap/sdap_async_groups.c ++++ b/src/providers/ldap/sdap_async_groups.c +@@ -883,10 +883,7 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, + const char *check_name; + + if (dom->ignore_group_members) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Group members are ignored, nothing to do. 
If you see this " \ +- "message it might indicate an error in the group processing " \ +- "logic.\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "Group members are ignored, nothing to do.\n"); + return EOK; + } + +@@ -978,7 +975,12 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, + ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP, + discard_const(remove_attrs)); + if (ret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n"); ++ if (ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n"); ++ } else { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "sysdb_remove_attrs failed for missing entry\n"); ++ } + goto fail; + } + } else { +@@ -1014,7 +1016,7 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, + return EOK; + + fail: +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to save members of group %s\n", group_name); + return ret; + } +@@ -1130,8 +1132,13 @@ static int sdap_save_groups(TALLOC_CTX *memctx, + /* Do not fail completely on errors. + * Just report the failure to save and go on */ + if (ret) { +- DEBUG(SSSDBG_OP_FAILURE, +- "Failed to store group %d members.\n", i); ++ if (ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Failed to store group %d members: %d\n", i, ret); ++ } else { ++ DEBUG(SSSDBG_FUNC_DATA, ++ "Can't save members of missing group %d\n", i); ++ } + } else { + DEBUG(SSSDBG_TRACE_ALL, "Group %d members processed!\n", i); + } +@@ -1270,7 +1277,7 @@ sdap_process_group_send(TALLOC_CTX *memctx, + + /* Group without members */ + if (el->num_values == 0) { +- DEBUG(SSSDBG_OP_FAILURE, "No Members. Done!\n"); ++ DEBUG(SSSDBG_FUNC_DATA, "No Members. Done!\n"); + ret = EOK; + goto done; + } +@@ -2249,7 +2256,7 @@ static void sdap_nested_done(struct tevent_req *subreq) + + if (hash_count(state->missing_external) == 0) { + /* No external members. 
Processing complete */ +- DEBUG(SSSDBG_TRACE_INTERNAL, "No external members, done"); ++ DEBUG(SSSDBG_TRACE_INTERNAL, "No external members, done\n"); + tevent_req_done(req); + return; + } +diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c +index 4b5b36403..bf8f9482b 100644 +--- a/src/providers/ldap/sdap_async_initgroups.c ++++ b/src/providers/ldap/sdap_async_initgroups.c +@@ -345,7 +345,7 @@ int sdap_initgr_common_store(struct sysdb_ctx *sysdb, + add_groups, ldap_groups, + ldap_groups_count); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Adding incomplete users failed\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Adding incomplete groups failed\n"); + goto done; + } + } +@@ -1043,6 +1043,10 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) + state->groups[state->groups_cur] = talloc_steal(state->groups, + groups[0]); + state->groups_cur++; ++ } else if (count == 0) { ++ /* this might be HBAC or sudo rule */ ++ DEBUG(SSSDBG_FUNC_DATA, "Object %s not found. Skipping\n", ++ state->group_dns[state->cur]); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Search for group %s, returned %zu results. Skipping\n", +diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c +index eb3e779ed..80ac4c1f4 100644 +--- a/src/providers/ldap/sdap_async_initgroups_ad.c ++++ b/src/providers/ldap/sdap_async_initgroups_ad.c +@@ -378,7 +378,7 @@ static void sdap_ad_resolve_sids_done(struct tevent_req *subreq) + /* Group was not found, we will ignore the error and continue with + * next group. This may happen for example if the group is built-in, + * but a custom search base is provided. 
*/ +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to resolve SID %s - will try next sid.\n", + state->current_sid); + } else if (ret != EOK || sdap_error != EOK || dp_error != DP_ERR_OK) { +diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c +index 5473e1df8..28b65b639 100644 +--- a/src/providers/ldap/sdap_async_sudo.c ++++ b/src/providers/ldap/sdap_async_sudo.c +@@ -111,7 +111,7 @@ static void sdap_sudo_load_sudoers_done(struct tevent_req *subreq) + return; + } + +- DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo rules\n", ++ DEBUG(SSSDBG_FUNC_DATA, "Received %zu sudo rules\n", + state->num_rules); + + tevent_req_done(req); +@@ -665,7 +665,7 @@ done: + if (in_transaction) { + sret = sysdb_transaction_cancel(state->sysdb); + if (sret != EOK) { +- DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n"); + } + } + +diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c +index 9d25aea8b..480efc41b 100644 +--- a/src/providers/ldap/sdap_child_helpers.c ++++ b/src/providers/ldap/sdap_child_helpers.c +@@ -95,14 +95,14 @@ static errno_t sdap_fork_child(struct tevent_context *ev, + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", ret, strerror(ret)); ++ "pipe(from) failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "pipe failed [%d][%s].\n", ret, strerror(ret)); ++ "pipe(to) failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + +@@ -332,7 +332,7 @@ struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx, + + ret = set_tgt_child_timeout(req, ev, timeout); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "activate_child_timeout_handler failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "set_tgt_child_timeout failed.\n"); + goto fail; + } + +diff --git 
a/src/providers/ldap/sdap_hostid.c b/src/providers/ldap/sdap_hostid.c +index d90a83854..ae8caaddb 100644 +--- a/src/providers/ldap/sdap_hostid.c ++++ b/src/providers/ldap/sdap_hostid.c +@@ -166,7 +166,7 @@ hosts_get_done(struct tevent_req *subreq) + } + + if (state->count == 0) { +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(SSSDBG_FUNC_DATA, + "No host with name [%s] found.\n", state->name); + + ret = sysdb_delete_ssh_host(state->domain, state->name); +diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c +index 6c803f31d..b8d76f8a5 100644 +--- a/src/providers/ldap/sdap_id_op.c ++++ b/src/providers/ldap/sdap_id_op.c +@@ -563,7 +563,7 @@ static void sdap_id_op_connect_done(struct tevent_req *subreq) + "is enabled.\n"); + } else { + /* be is going offline as there is no more servers to try */ +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect, going offline (%d [%s])\n", + ret, strerror(ret)); + is_offline = true; +diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c +index 926ce98f4..0e6fc8ea8 100644 +--- a/src/providers/proxy/proxy_auth.c ++++ b/src/providers/proxy/proxy_auth.c +@@ -68,7 +68,7 @@ static struct tevent_req *proxy_child_send(TALLOC_CTX *mem_ctx, + + req = tevent_req_create(mem_ctx, &state, struct proxy_child_ctx); + if (req == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Could not send PAM request to child\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + +@@ -391,7 +391,7 @@ static void proxy_child_init_done(struct tevent_req *subreq) { + */ + sig_ctx = talloc_zero(child_ctx->auth_ctx, struct proxy_child_sig_ctx); + if(sig_ctx == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + tevent_req_error(req, ENOMEM); + return; + } +@@ -753,7 +753,7 @@ proxy_pam_handler_send(TALLOC_CTX *mem_ctx, + pd->pam_status = PAM_SUCCESS; + goto immediately; + default: +- 
DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported PAM task.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported PAM task %d\n", pd->cmd); + pd->pam_status = PAM_MODULE_UNKNOWN; + goto immediately; + } +diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c +index dc06f4669..bb96ec0f4 100644 +--- a/src/providers/proxy/proxy_child.c ++++ b/src/providers/proxy/proxy_child.c +@@ -270,7 +270,7 @@ static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd) + } + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "unknown PAM call\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "unknown PAM call %d\n", pd->cmd); + pam_status=PAM_ABORT; + } + +@@ -383,13 +383,13 @@ proxy_cli_init(struct pc_ctx *ctx) + ret = sss_iface_connect_address(ctx, ctx->ev, sbus_cliname, sbus_address, + NULL, &ctx->conn); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to %s\n", sbus_address); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to connect to %s\n", sbus_address); + goto done; + } + + ret = sbus_connection_add_path_map(ctx->conn, paths); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n", ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +@@ -580,7 +580,7 @@ int main(int argc, const char *argv[]) + return 3; + } + +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_IMPORTANT_INFO, + "Proxy child for domain [%s] started!\n", domain); + + /* loop on main */ +diff --git a/src/providers/proxy/proxy_client.c b/src/providers/proxy/proxy_client.c +index 09ebf3bda..5a4fbcde1 100644 +--- a/src/providers/proxy/proxy_client.c ++++ b/src/providers/proxy/proxy_client.c +@@ -116,7 +116,7 @@ proxy_client_init(struct sbus_connection *conn, + + ret = sbus_connection_add_path_map(conn, paths); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n", ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n", + ret, sss_strerror(ret)); + } + +diff --git 
a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c +index 82394862c..f36386089 100644 +--- a/src/providers/proxy/proxy_id.c ++++ b/src/providers/proxy/proxy_id.c +@@ -170,7 +170,7 @@ handle_getpw_result(enum nss_status status, struct passwd *pwd, + switch (status) { + case NSS_STATUS_NOTFOUND: + +- DEBUG(SSSDBG_MINOR_FAILURE, "User not found.\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "User not found.\n"); + *del_user = true; + break; + +@@ -979,9 +979,7 @@ static int get_gr_name(struct proxy_id_ctx *ctx, + grp = talloc(tmpctx, struct group); + if (!grp) { + ret = ENOMEM; +- DEBUG(SSSDBG_CRIT_FAILURE, +- "proxy -> getgrnam_r failed for '%s': [%d] %s\n", +- i_name, ret, strerror(ret)); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc() failed\n"); + goto done; + } + +diff --git a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c +index 07f05ff17..294a4b882 100644 +--- a/src/resolv/async_resolv.c ++++ b/src/resolv/async_resolv.c +@@ -177,7 +177,7 @@ add_timeout_timer(struct tevent_context *ev, struct resolv_ctx *ctx) + ctx->timeout_watcher = tevent_add_timer(ev, ctx, tv, check_fd_timeouts, + ctx); + if (ctx->timeout_watcher == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer() failed\n"); + } + } + +diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c +index a802ed5d0..27de1b44a 100644 +--- a/src/responder/autofs/autofssrv.c ++++ b/src/responder/autofs/autofssrv.c +@@ -85,7 +85,7 @@ autofs_register_service_iface(struct autofs_ctx *autofs_ctx, + + ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface" ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface" + "[%d]: %s\n", ret, sss_strerror(ret)); + } + +diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c +index 6d51e75ac..7c8090993 100644 +--- 
a/src/responder/autofs/autofssrv_cmd.c ++++ b/src/responder/autofs/autofssrv_cmd.c +@@ -477,7 +477,7 @@ sss_autofs_cmd_setautomntent(struct cli_ctx *cli_ctx) + autofs_ctx->rctx->ncache, 0, NULL, + cmd_ctx->mapname); + if (req == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_autofs_map_by_name_send failed\n"); + ret = ENOMEM; + goto done; + } +@@ -685,7 +685,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *cli_ctx) + + req = autofs_setent_send(cli_ctx, cli_ctx->ev, autofs_ctx, cmd_ctx->mapname); + if (req == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "autofs_setent_send failed\n"); + ret = ENOMEM; + goto done; + } +@@ -886,7 +886,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *cli_ctx) + cmd_ctx->mapname, + cmd_ctx->keyname); + if (req == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_autofs_entry_by_name_send failed\n"); + ret = ENOMEM; + goto done; + } +diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c +index 0c8538414..c6902f842 100644 +--- a/src/responder/common/cache_req/cache_req.c ++++ b/src/responder/common/cache_req/cache_req.c +@@ -1187,7 +1187,7 @@ static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx, + subreq = sss_parse_inp_send(mem_ctx, cr->rctx, default_domain, + cr->data->name.input); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_inp_send() failed\n"); + return ENOMEM; + } + +diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c +index a740fbb8d..83d00f775 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@@ 
-47,8 +47,8 @@ cache_req_object_by_name_well_known(TALLOC_CTX *mem_ctx, + } + + if (domname == NULL || name == NULL) { +- CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, "Unable to split [%s] in " +- "name and odmain part. Skipping detection of " ++ CACHE_REQ_DEBUG(SSSDBG_FUNC_DATA, cr, "Unable to split [%s] in " ++ "name and domain part. Skipping detection of " + "well-known name.\n", data->name.input); + return ENOENT; + } +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index e8d298546..7061d018a 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -116,7 +116,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx) + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, +- "getsock failed [%d][%s].\n", ret, strerror(ret)); ++ "getsockopt failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + if (client_cred_len != sizeof(struct ucred)) { +@@ -805,7 +805,7 @@ sss_dp_on_reconnect(struct sbus_connection *conn, + SSS_BUS_PATH, + be_conn->cli_name); + if (req == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "sbus_call_dp_client_Register_send() failed\n"); + return; + } + +diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c +index 10939600d..e551b0fff 100644 +--- a/src/responder/common/responder_get_domains.c ++++ b/src/responder/common/responder_get_domains.c +@@ -630,7 +630,7 @@ static void sss_parse_inp_done(struct tevent_req *subreq) + state->rawinp, + &state->domname, &state->name); + if (ret == EAGAIN && state->domname != NULL && state->name == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, ++ DEBUG(SSSDBG_FUNC_DATA, + "Unknown domain in [%s]\n", state->rawinp); + state->error = ERR_DOMAIN_NOT_FOUND; + } else if (ret != EOK) { +diff --git a/src/responder/common/responder_iface.c b/src/responder/common/responder_iface.c +index 911cd6cc0..aaa765950 100644 
+--- a/src/responder/common/responder_iface.c ++++ b/src/responder/common/responder_iface.c +@@ -127,7 +127,7 @@ sss_resp_register_sbus_iface(struct sbus_connection *conn, + + ret = sbus_connection_add_path_map(conn, paths); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n", ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n", + ret, sss_strerror(ret)); + } + +@@ -151,7 +151,7 @@ sss_resp_register_service_iface(struct resp_ctx *rctx) + + ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface" ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface" + "[%d]: %s\n", ret, sss_strerror(ret)); + } + +diff --git a/src/responder/ifp/ifp_iface/ifp_iface.c b/src/responder/ifp/ifp_iface/ifp_iface.c +index a3385091b..833cf6843 100644 +--- a/src/responder/ifp/ifp_iface/ifp_iface.c ++++ b/src/responder/ifp/ifp_iface/ifp_iface.c +@@ -264,7 +264,7 @@ ifp_register_sbus_interface(struct sbus_connection *conn, + + ret = sbus_connection_add_path_map(conn, paths); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add paths [%d]: %s\n", ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to add paths [%d]: %s\n", + ret, sss_strerror(ret)); + } + +diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c +index 17d7692d3..7407ee07b 100644 +--- a/src/responder/ifp/ifpsrv.c ++++ b/src/responder/ifp/ifpsrv.c +@@ -67,7 +67,7 @@ sysbus_init(TALLOC_CTX *mem_ctx, + sysbus = sbus_connect_system(mem_ctx, ev, dbus_name, + &ifp_ctx->rctx->last_request_time); + if (sysbus == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to system bus!\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to connect to system bus!\n"); + return ERR_NO_SYSBUS; + } + +@@ -75,13 +75,13 @@ sysbus_init(TALLOC_CTX *mem_ctx, + + ret = ifp_register_sbus_interface(sysbus, ifp_ctx); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Could not register 
interfaces\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not register interfaces\n"); + goto done; + } + + ret = ifp_register_nodes(ifp_ctx, sysbus); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Could not register nodes factories\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not register nodes factories\n"); + goto done; + } + +@@ -148,7 +148,7 @@ ifp_register_service_iface(struct ifp_ctx *ifp_ctx, + + ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface" ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface" + "[%d]: %s\n", ret, sss_strerror(ret)); + } + +diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c +index ebc4c2118..3b3df7bc0 100644 +--- a/src/responder/ifp/ifpsrv_util.c ++++ b/src/responder/ifp/ifpsrv_util.c +@@ -341,7 +341,7 @@ immediately: + list_ctx->paths = talloc_realloc(list_ctx, list_ctx->paths, const char *, + list_ctx->paths_max + 1); + if (list_ctx->paths == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc() failed\n"); + ret = ENOMEM; + goto done; + } +diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c +index eac955b4a..844776c5f 100644 +--- a/src/responder/nss/nss_cmd.c ++++ b/src/responder/nss/nss_cmd.c +@@ -121,7 +121,7 @@ static errno_t nss_getby_name(struct cli_ctx *cli_ctx, + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, memcache, rawname, 0); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -187,7 +187,7 @@ static errno_t nss_getby_id(struct cli_ctx *cli_ctx, + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, memcache, NULL, id); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent 
request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -240,7 +240,7 @@ static errno_t nss_getby_svc(struct cli_ctx *cli_ctx, + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, SSS_MC_NONE, NULL, 0); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n"); + return ENOMEM; + } + +@@ -376,7 +376,7 @@ static errno_t nss_getby_cert(struct cli_ctx *cli_ctx, + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, SSS_MC_NONE, NULL, 0); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -433,7 +433,7 @@ static errno_t nss_getby_sid(struct cli_ctx *cli_ctx, + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, SSS_MC_NONE, NULL, 0); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -488,7 +488,7 @@ static errno_t nss_getby_addr(struct cli_ctx *cli_ctx, + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, memcache, NULL, 0); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_get_object_send() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -640,7 +640,7 @@ static errno_t nss_setent(struct cli_ctx *cli_ctx, + + subreq = nss_setent_send(cli_ctx, cli_ctx->ev, cli_ctx, type, enum_ctx); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setent_send() failed\n"); + return ENOMEM; + } + +@@ -697,7 +697,7 @@ static errno_t nss_getent(struct cli_ctx *cli_ctx, + + subreq = nss_setent_send(cli_ctx, cli_ctx->ev, cli_ctx, 
type, enum_ctx); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create setent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setent_send() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -829,7 +829,7 @@ static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, + subreq = nss_setnetgrent_send(cli_ctx, cli_ctx->ev, cli_ctx, type, + nss_ctx->netgrent, state_ctx->netgroup); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setnetgrent_send() failed\n"); + ret = ENOMEM; + goto done; + } +@@ -904,7 +904,7 @@ static errno_t nss_getnetgrent(struct cli_ctx *cli_ctx, + cmd_ctx->nss_ctx->netgrent, + cmd_ctx->state_ctx->netgroup); + if (subreq == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "nss_setnetgrent_send() failed\n"); + return ENOMEM; + } + +diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c +index a47b35fca..ab2ba926d 100644 +--- a/src/responder/nss/nss_iface.c ++++ b/src/responder/nss/nss_iface.c +@@ -67,7 +67,7 @@ nss_update_initgr_memcache(struct nss_ctx *nctx, + ret = sysdb_initgroups(tmp_ctx, dom, fq_name, &res); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Failed to make request to our cache! 
[%d][%s]\n", ++ "sysdb_initgroups() failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } +@@ -234,7 +234,7 @@ nss_register_backend_iface(struct sbus_connection *conn, + + ret = sbus_connection_add_path(conn, SSS_BUS_PATH, &iface); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface" ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface" + "[%d]: %s\n", ret, sss_strerror(ret)); + } + +diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c +index 1e9959c72..274d43007 100644 +--- a/src/responder/nss/nss_protocol_netgr.c ++++ b/src/responder/nss/nss_protocol_netgr.c +@@ -159,7 +159,7 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx, + ret = nss_protocol_fill_netgr_member(packet, entry, &rp); + break; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected value type!\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected value type %d!\n", entry->type); + ret = ERR_INTERNAL; + break; + } +diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c +index 31a2750b1..e80104e3d 100644 +--- a/src/responder/nss/nsssrv.c ++++ b/src/responder/nss/nsssrv.c +@@ -347,7 +347,7 @@ nss_register_service_iface(struct nss_ctx *nss_ctx, + + ret = sbus_connection_add_path(rctx->mon_conn, SSS_BUS_PATH, &iface_svc); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register service interface" ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register service interface" + "[%d]: %s\n", ret, sss_strerror(ret)); + } + +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index d3f092b2b..c526f665b 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ b/src/responder/pam/pamsrv_cmd.c +@@ -138,7 +138,7 @@ static void inform_user(struct pam_data* pd, const char *pam_message) + ret = pack_user_info_msg(pd, pam_message, &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "pack_user_info_account_expired failed.\n"); ++ "pack_user_info_msg failed.\n"); + } else 
{ + ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg); + if (ret != EOK) { +diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c +index e1fd72e64..bf285c264 100644 +--- a/src/responder/pam/pamsrv_p11.c ++++ b/src/responder/pam/pamsrv_p11.c +@@ -425,7 +425,7 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) + } + } + if (pctx->smartcard_services[c] == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_CONF_SETTINGS, + "Smartcard authentication for service [%s] not supported.\n", + pd->service); + return false; +@@ -810,7 +810,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, + } else if (pd->cmd == SSS_PAM_PREAUTH) { + extra_args[arg_c++] = "--pre"; + } else { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d}.\n", pd->cmd); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d].\n", pd->cmd); + ret = EINVAL; + goto done; + } +diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c +index 91a84c51b..a92cf524b 100644 +--- a/src/sbus/router/sbus_router_handler.c ++++ b/src/sbus/router/sbus_router_handler.c +@@ -239,7 +239,8 @@ sbus_signal_handler(struct sbus_connection *conn, + list = sbus_router_listeners_lookup(router->listeners, meta->interface, + meta->member); + if (list == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "We do not listen to this signal!\n"); ++ /* Most probably not fully initialized yet */ ++ DEBUG(SSSDBG_FUNC_DATA, "We do not listen to this signal!\n"); + return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; + } + +diff --git a/src/sss_iface/sss_iface.c b/src/sss_iface/sss_iface.c +index e20c14fea..ed70e30eb 100644 +--- a/src/sss_iface/sss_iface.c ++++ b/src/sss_iface/sss_iface.c +@@ -116,8 +116,8 @@ sss_iface_connect_address(TALLOC_CTX *mem_ctx, + + conn = sbus_connect_private(mem_ctx, ev, address, + conn_name, last_request_time); +- if (conn == NULL) { +- return ENOMEM; ++ if (conn == NULL) { /* most probably sbus_dbus_connect_address() failed */ 
++ return EFAULT; + } + + *_conn = conn; +diff --git a/src/util/child_common.c b/src/util/child_common.c +index 5cac725ca..7e8c30552 100644 +--- a/src/util/child_common.c ++++ b/src/util/child_common.c +@@ -768,7 +768,7 @@ void exec_child_ex(TALLOC_CTX *mem_ctx, + binary, extra_argv, extra_args_only, + &argv); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "prepare_child_argv.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "prepare_child_argv() failed.\n"); + exit(EXIT_FAILURE); + } + +diff --git a/src/util/debug.h b/src/util/debug.h +index 20db0f5e4..43d36720f 100644 +--- a/src/util/debug.h ++++ b/src/util/debug.h +@@ -91,8 +91,8 @@ int get_fd_from_debug_file(void); + /* enables all debug levels; + 0x0800 isn't used for historical reasons: 0x1FFF0 - 0x0800 = 0x1F7F0 + */ +-#define SSSDBG_MASK_ALL 0x1F7F0 +-#define SSSDBG_DEFAULT SSSDBG_FATAL_FAILURE ++#define SSSDBG_MASK_ALL 0x1F7F0 ++#define SSSDBG_DEFAULT (SSSDBG_FATAL_FAILURE|SSSDBG_CRIT_FAILURE|SSSDBG_OP_FAILURE) + + #define SSSDBG_TIMESTAMP_UNRESOLVED -1 + #define SSSDBG_TIMESTAMP_DEFAULT 1 +diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c +index 4d4726daa..57157861e 100644 +--- a/src/util/domain_info_utils.c ++++ b/src/util/domain_info_utils.c +@@ -207,7 +207,7 @@ find_domain_by_object_name_ex(struct sss_domain_info *domain, + ret = sss_parse_internal_fqname(tmp_ctx, object_name, + NULL, &domainname); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n", ++ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to parse name '%s' [%d]: %s\n", + object_name, ret, sss_strerror(ret)); + goto done; + } +diff --git a/src/util/server.c b/src/util/server.c +index b27cbc155..869ed62a6 100644 +--- a/src/util/server.c ++++ b/src/util/server.c +@@ -374,7 +374,7 @@ static void te_server_hup(struct tevent_context *ev, + struct logrotate_ctx *lctx = + talloc_get_type(private_data, struct logrotate_ctx); + +- DEBUG(SSSDBG_CRIT_FAILURE, "Received SIGHUP. 
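Review bot: `SSSDBG_DEFAULT` becomes a three-bit mask in the src/util/debug.h hunk but carries no comment, and the comment above it still describes only `SSSDBG_MASK_ALL`. The server_setup() hunk in src/util/server.c later in this patch passes `SSSDBG_DEFAULT` as the confdb fallback and then feeds the result to `debug_convert_old_level()`; that function is not shown, so it should be confirmed that it returns a multi-bit value unchanged rather than treating it as an old numeric level. Since critical and operation failures are now written without any debug_level configured, messages at those levels that print names received from clients or from the directory reach default logs as well. I would add `/* default mask: fatal, critical and operation failures are logged when no debug_level is set */` above the define.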
Rotating logfiles.\n"); ++ DEBUG(SSSDBG_IMPORTANT_INFO, "Received SIGHUP. Rotating logfiles.\n"); + + ret = server_common_rotate_logs(lctx->confdb, lctx->confdb_path); + if (ret != EOK) { +@@ -462,6 +462,7 @@ int server_setup(const char *name, int flags, + int watchdog_interval; + pid_t my_pid; + char *pidfile_name; ++ int cfg_debug_level = SSSDBG_INVALID; + + my_pid = getpid(); + ret = setpgid(my_pid, my_pid); +@@ -588,20 +589,20 @@ int server_setup(const char *name, int flags, + /* set debug level if any in conf_entry */ + ret = confdb_get_int(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_LEVEL, +- SSSDBG_UNRESOLVED, +- &debug_level); ++ SSSDBG_INVALID, ++ &cfg_debug_level); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) " + "[%s]\n", ret, strerror(ret)); + return ret; + } + +- if (debug_level == SSSDBG_UNRESOLVED) { ++ if (cfg_debug_level == SSSDBG_INVALID) { + /* Check for the `debug` alias */ + ret = confdb_get_int(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_LEVEL_ALIAS, + SSSDBG_DEFAULT, +- &debug_level); ++ &cfg_debug_level); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) " + "[%s]\n", ret, strerror(ret)); +@@ -609,7 +610,7 @@ int server_setup(const char *name, int flags, + } + } + +- debug_level = debug_convert_old_level(debug_level); ++ debug_level = debug_convert_old_level(cfg_debug_level); + } + + /* same for debug timestamps */ +@@ -678,6 +679,8 @@ int server_setup(const char *name, int flags, + return ret; + } + } ++ DEBUG(SSSDBG_IMPORTANT_INFO, ++ "Starting with debug level = %#.4x\n", debug_level); + + /* Setup the internal watchdog */ + ret = confdb_get_int(ctx->confdb_ctx, conf_entry, +diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c +index c6504ae13..8944e2c4e 100644 +--- a/src/util/sss_sockets.c ++++ b/src/util/sss_sockets.c +@@ -322,7 +322,7 @@ struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX *mem_ctx, + + ret = set_fcntl_flags(state->sd, 
FD_CLOEXEC, O_NONBLOCK); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "settting fd flags failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "setting fd flags failed.\n"); + goto fail; + } + +diff --git a/src/util/string_utils.c b/src/util/string_utils.c +index 1215ec96a..f54395a59 100644 +--- a/src/util/string_utils.c ++++ b/src/util/string_utils.c +@@ -90,7 +90,7 @@ errno_t guid_blob_to_string_buf(const uint8_t *blob, char *str_buf, + int ret; + + if (blob == NULL || str_buf == NULL || buf_size < GUID_STR_BUF_SIZE) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Buffer too small.\n"); ++ DEBUG(SSSDBG_OP_FAILURE, "Buffer too small.\n"); + return EINVAL; + } + +diff --git a/src/util/util_errors.c b/src/util/util_errors.c +index 05a66d293..b5c7419a9 100644 +--- a/src/util/util_errors.c ++++ b/src/util/util_errors.c +@@ -165,6 +165,7 @@ errno_t sss_ldb_error_to_errno(int ldberr) + case LDB_ERR_OPERATIONS_ERROR: + return EIO; + case LDB_ERR_NO_SUCH_OBJECT: ++ case LDB_ERR_NO_SUCH_ATTRIBUTE: + return ENOENT; + case LDB_ERR_BUSY: + return EBUSY; +@@ -174,7 +175,7 @@ errno_t sss_ldb_error_to_errno(int ldberr) + case LDB_ERR_INVALID_ATTRIBUTE_SYNTAX: + return EINVAL; + default: +- DEBUG(SSSDBG_CRIT_FAILURE, ++ DEBUG(SSSDBG_MINOR_FAILURE, + "LDB returned unexpected error: [%i]\n", + ldberr); + return EFAULT; +-- +2.21.3 + diff --git a/SOURCES/0020-man-Document-invalid-selinux-context-for-homedirs.patch b/SOURCES/0020-man-Document-invalid-selinux-context-for-homedirs.patch deleted file mode 100644 index 83826ef..0000000 --- a/SOURCES/0020-man-Document-invalid-selinux-context-for-homedirs.patch +++ /dev/null 
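Review bot: The added `case LDB_ERR_NO_SUCH_ATTRIBUTE:` in sss_ldb_error_to_errno() changes a return value (it presumably fell through to the default branch and EFAULT before) in a patch that otherwise only touches log messages and levels, and it carries no comment. Callers can no longer distinguish a missing attribute from a missing object; the sdap_save_grpmem() hunk of this patch logs `sysdb_remove_attrs failed for missing entry` on ENOENT, which may be inaccurate if that call reaches this mapping (not visible here). The next hunk (`@@ -174,7 +175,7 @@`) also lowers `LDB returned unexpected error` to SSSDBG_MINOR_FAILURE, so an unmapped LDB code returns EFAULT without appearing under the new default mask; keeping it at `SSSDBG_OP_FAILURE` would preserve that trace. A comment such as `/* a missing attribute is reported like a missing object */` on the new case would document the intent. The function begins and ends outside both hunks.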
@@ -1,44 +0,0 @@
-From d8d743870c459b5ff283c89d78b70d1684bd19a9 Mon Sep 17 00:00:00 2001
-From: Tomas Halman
-Date: Wed, 13 May 2020 09:45:56 +0200
-Subject: [PATCH] man: Document invalid selinux context for homedirs
-
-The default value of fallback_homedir expands into path, that is not
-expected by selinux. Generally not only selinux might be affected by
-this default value. This PR documents the issue and recommends
-further steps.
-
-Resolves:
-https://github.com/SSSD/sssd/issues/5155
-
-Reviewed-by: Alexey Tikhonov
----
- src/man/include/ad_modified_defaults.xml | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
-index 91623d57a..65c9a0140 100644
---- a/src/man/include/ad_modified_defaults.xml
-+++ b/src/man/include/ad_modified_defaults.xml
-@@ -92,6 +92,18 @@
- this fallback behavior, you can explicitly
- set "fallback_homedir = %o".
-
-+
-+ Note that the system typically expects a home directory
-+ in /home/%u folder. If you decide to use a different
-+ directory structure, some other parts of your system may
-+ need adjustments.
-+
-+
-+ For example automated creation of home directories in
-+ combination with selinux requires selinux adjustment,
-+ otherwise the home directory will be created with wrong
-+ selinux context.
-+
-
-
-
---
-2.21.3
-
diff --git a/SOURCES/0020-sss_format.h-include-config.h.patch b/SOURCES/0020-sss_format.h-include-config.h.patch
new file mode 100644
index 0000000..e237096
--- /dev/null
+++ b/SOURCES/0020-sss_format.h-include-config.h.patch
@@ -0,0 +1,31 @@
+From 45f2eb57dc9068cba13099cab90f1be3f3455442 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 2 Oct 2020 14:04:24 +0200
+Subject: [PATCH 20/27] sss_format.h: include config.h
+
+config.h is required for the definitions to work correctly. Compilation
+will fail if sss_format.h is included in a file that does not include
+directly or indirectly config.h
+
+Reviewed-by: Robbie Harwood
+Reviewed-by: Sumit Bose
+---
+ src/util/sss_format.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/util/sss_format.h b/src/util/sss_format.h
+index 5cf080842..9a3041704 100644
+--- a/src/util/sss_format.h
++++ b/src/util/sss_format.h
+@@ -27,6 +27,8 @@
+ #ifndef __SSS_FORMAT_H__
+ #define __SSS_FORMAT_H__
+
++#include "config.h"
++
+ #include
+
+ /* key_serial_t is defined in keyutils.h as typedef int32_t */
+--
+2.21.3
+
diff --git a/SOURCES/0021-packet-add-sss_packet_set_body.patch b/SOURCES/0021-packet-add-sss_packet_set_body.patch
new file mode 100644
index 0000000..5311316
--- /dev/null
+++ b/SOURCES/0021-packet-add-sss_packet_set_body.patch
@@ -0,0 +1,59 @@
+From 3b0e48c33c6b43688ff46fed576266cfe6362595 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 8 Oct 2020 13:25:17 +0200
+Subject: [PATCH 21/27] packet: add sss_packet_set_body
+
+Reviewed-by: Robbie Harwood
+Reviewed-by: Sumit Bose
+---
+ src/responder/common/responder_packet.c | 19 +++++++++++++++++++
+ src/responder/common/responder_packet.h | 5 +++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
+index ab15b1dac..f56d92276 100644
+--- a/src/responder/common/responder_packet.c
++++ b/src/responder/common/responder_packet.c
+@@ -302,6 +302,25 @@ void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen
+ *blen = sss_packet_get_len(packet) - SSS_NSS_HEADER_SIZE;
+ }
+
++errno_t sss_packet_set_body(struct sss_packet *packet,
++ uint8_t *body,
++ size_t blen)
++{
++ uint8_t *pbody;
++ size_t plen;
++ errno_t ret;
++
++ ret = sss_packet_grow(packet, blen);
++ if (ret != EOK) {
++ return ret;
++ }
++
++ sss_packet_get_body(packet, &pbody, &plen);
++ memcpy(pbody, body, blen);
++
++ return EOK;
++}
++
+ void sss_packet_set_error(struct sss_packet *packet, int error)
+ {
+ SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_ERR_OFFSET, error,
+diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
+index afceb4aae..509a22a9a 100644
+--- a/src/responder/common/responder_packet.h
++++ b/src/responder/common/responder_packet.h
+@@ -42,4 +42,9 @@ uint32_t sss_packet_get_status(struct sss_packet *packet);
+ void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen);
+ void sss_packet_set_error(struct sss_packet *packet, int error);
+
++/* Grow packet and set its body. */
++errno_t sss_packet_set_body(struct sss_packet *packet,
++ uint8_t *body,
++ size_t blen);
++
+ #endif /* __SSSSRV_PACKET_H__ */
+--
+2.21.3
+
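Review bot: In `sss_packet_set_body` the length returned by `sss_packet_get_body` is stored in `plen` but never compared with `blen` before `memcpy(pbody, body, blen)`, so the bound on the copy rests entirely on `sss_packet_grow` having made the body at least `blen` bytes long. A guard right after the `sss_packet_get_body` call, `if (plen < blen) { return EINVAL; }`, keeps the write bounded even if the packet's length bookkeeping changes later. `body` is only read, so the parameter could be `const uint8_t *body` in both the definition and the prototype in responder_packet.h. The header comment should also say whether the function is meant for a packet with an empty body only: if `sss_packet_grow` adds `blen` to the current length, as its name suggests, calling this on a packet that already carries a body would overwrite the front of it while the length still counts the old bytes.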
diff --git a/SOURCES/0021-pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch b/SOURCES/0021-pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch
deleted file mode 100644
index dcfcf7e..0000000
--- a/SOURCES/0021-pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 26c794da31c215fef3e41429f6f13afdaf349bee Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Wed, 3 Jun 2020 20:35:04 +0200
-Subject: [PATCH 21/22] pam_sss: add SERVICE_IS_GDM_SMARTCARD
-
-Resolves: https://github.com/SSSD/sssd/issues/5190
-
-Reviewed-by: Alexey Tikhonov
----
- src/sss_client/pam_sss.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
-index 69b440774..7e59f0487 100644
---- a/src/sss_client/pam_sss.c
-+++ b/src/sss_client/pam_sss.c
-@@ -71,6 +71,8 @@
- #define DEBUG_MGS_LEN 1024
- #define MAX_AUTHTOK_SIZE (1024*1024)
- #define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)")
-+#define SERVICE_IS_GDM_SMARTCARD(pitem) (strcmp((pitem)->pam_service, \
-+ "gdm-smartcard") == 0)
-
- static void logger(pam_handle_t *pamh, int level, const char *fmt, ...) {
- va_list ap;
-@@ -2580,7 +2582,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
- return PAM_AUTHINFO_UNAVAIL;
- }
-
-- if (strcmp(pi.pam_service, "gdm-smartcard") == 0
-+ if (SERVICE_IS_GDM_SMARTCARD(&pi)
- || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
- ret = check_login_token_name(pamh, &pi, retries,
- quiet_mode);
---
-2.21.3
-
diff --git a/SOURCES/0022-domain-store-hostname-and-keytab-path.patch b/SOURCES/0022-domain-store-hostname-and-keytab-path.patch
new file mode 100644
index 0000000..27628e6
--- /dev/null
+++ b/SOURCES/0022-domain-store-hostname-and-keytab-path.patch
@@ -0,0 +1,119 @@ +From 6715b31f2e12c7f76cfb477551cee46e697c7d51 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 8 Oct 2020 13:25:58 +0200 +Subject: [PATCH 22/27] domain: store hostname and keytab path + +Reviewed-by: Robbie Harwood +Reviewed-by: Sumit Bose +--- + src/confdb/confdb.c | 45 +++++++++++++++++++++++++++++++++++++++ + src/confdb/confdb.h | 6 ++++++ + src/db/sysdb_subdomains.c | 12 +++++++++++ + 3 files changed, 63 insertions(+) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index d2fc018fd..f981ddf1e 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -871,6 +871,35 @@ done: + return ret; + } + ++static char *confdb_get_domain_hostname(TALLOC_CTX *mem_ctx, ++ struct ldb_result *res, ++ const char *provider) ++{ ++ char sys[HOST_NAME_MAX + 1] = {'\0'}; ++ const char *opt = NULL; ++ int ret; ++ ++ if (strcasecmp(provider, "ad") == 0) { ++ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ad_hostname", NULL); ++ } else if (strcasecmp(provider, "ipa") == 0) { ++ opt = ldb_msg_find_attr_as_string(res->msgs[0], "ipa_hostname", NULL); ++ } ++ ++ if (opt != NULL) { ++ return talloc_strdup(mem_ctx, opt); ++ } ++ ++ ret = gethostname(sys, sizeof(sys)); ++ if (ret != 0) { ++ ret = errno; ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get hostname [%d]: %s\n", ret, ++ sss_strerror(ret)); ++ return NULL; ++ } ++ ++ return talloc_strdup(mem_ctx, sys); ++} ++ + static int confdb_get_domain_internal(struct confdb_ctx *cdb, + TALLOC_CTX *mem_ctx, + const char *name, +@@ -1536,6 +1565,22 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + goto done; + } + ++ domain->hostname = confdb_get_domain_hostname(domain, res, domain->provider); ++ if (domain->hostname == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain hostname\n"); ++ goto done; ++ } ++ ++ domain->krb5_keytab = NULL; ++ tmp = ldb_msg_find_attr_as_string(res->msgs[0], "krb5_keytab", NULL); ++ if (tmp != NULL) { ++ domain->krb5_keytab = 
talloc_strdup(domain, tmp); ++ if (domain->krb5_keytab == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain keytab!\n"); ++ goto done; ++ } ++ } ++ + domain->has_views = false; + domain->view_name = NULL; + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index fd6d76cde..54e3f7380 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -425,6 +425,12 @@ struct sss_domain_info { + /* Do not use the _output_fqnames property directly in new code, but rather + * use sss_domain_info_{get,set}_output_fqnames(). */ + bool output_fqnames; ++ ++ /* Hostname associated with this domain. */ ++ const char *hostname; ++ ++ /* Keytab used by this domain. */ ++ const char *krb5_keytab; + }; + + /** +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index d256817a6..5b42f9bdc 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -125,6 +125,18 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, + } + } + ++ dom->hostname = talloc_strdup(dom, parent->hostname); ++ if (dom->hostname == NULL && parent->hostname != NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy hostname.\n"); ++ goto fail; ++ } ++ ++ dom->krb5_keytab = talloc_strdup(dom, parent->krb5_keytab); ++ if (dom->krb5_keytab == NULL && parent->krb5_keytab != NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy krb5_keytab.\n"); ++ goto fail; ++ } ++ + dom->enumerate = enumerate; + dom->fqnames = true; + dom->mpg_mode = mpg_mode; +-- +2.21.3 + diff --git a/SOURCES/0022-pam_sss-special-handling-for-gdm-smartcard.patch b/SOURCES/0022-pam_sss-special-handling-for-gdm-smartcard.patch deleted file mode 100644 index fd8d83d..0000000 --- a/SOURCES/0022-pam_sss-special-handling-for-gdm-smartcard.patch +++ /dev/null 
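Review bot: The two failure paths added to `confdb_get_domain_internal` (`domain->hostname == NULL` and the failed `talloc_strdup` of `krb5_keytab`) jump to `done` without assigning `ret`, so the function returns whatever the previous call left there, which may be EOK with a domain that has no hostname. Set an error code before each jump, e.g. `ret = ENOMEM;` ahead of `goto done;`; the `done` label and the earlier assignments to `ret` are outside the hunk, so this needs checking against the full function. In `confdb_get_domain_hostname`, `provider` is passed straight to `strcasecmp`; if a NULL provider can reach this call, the tests need a guard such as `provider != NULL && strcasecmp(provider, "ad") == 0`. The new `hostname` and `krb5_keytab` fields in confdb.h would also benefit from a comment saying where the value comes from (`ad_hostname`/`ipa_hostname` or `gethostname()`, and the `krb5_keytab` option, NULL when unset).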
@@ -1,80 +0,0 @@ -From 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 3 Jun 2020 20:36:54 +0200 -Subject: [PATCH 22/22] pam_sss: special handling for gdm-smartcard - -The gdm-smartcard service is special since it is triggered by the -presence of a Smartcard and even in the case of an error it will -immediately try again. To break this loop we should ask for an user -input and asking for a PIN is most straight forward and would show the -same behavior as pam_pkcs11. - -Additionally it does not make sense to fall back the a password prompt -for gdm-smartcard so also here a PIN prompt should be shown. - -Resolves: https://github.com/SSSD/sssd/issues/5190 - -Reviewed-by: Alexey Tikhonov ---- - src/sss_client/pam_sss.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index 7e59f0487..093e53af5 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -1835,8 +1835,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) - struct pam_message m[2] = { { 0 }, { 0 } }; - struct pam_response *resp = NULL; - struct cert_auth_info *cai = pi->selected_cert; -+ struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"), -+ NULL, NULL, NULL, NULL, NULL }; - -- if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') { -+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) { -+ cai = &empty_cai; -+ } else if (cai == NULL || cai->token_name == NULL -+ || *cai->token_name == '\0') { - return PAM_SYSTEM_ERR; - } - -@@ -2188,6 +2193,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, - } - } - ret = prompt_sc_pin(pamh, pi); -+ } else if (SERVICE_IS_GDM_SMARTCARD(pi)) { -+ /* Use pin prompt as fallback for gdm-smartcard */ -+ ret = prompt_sc_pin(pamh, pi); - } else { - ret = prompt_password(pamh, pi, _("Password: ")); - } -@@ -2496,7 +2504,7 @@ static int pam_sss(enum 
sss_cli_command task, pam_handle_t *pamh, - { - int ret; - int pam_status; -- struct pam_items pi; -+ struct pam_items pi = { 0 }; - uint32_t flags = 0; - const int *exp_data; - int *pw_exp_data; -@@ -2570,7 +2578,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - /* - * Since we are only interested in the result message - * and will always use password authentication -- * as a fallback, errors can be ignored here. -+ * as a fallback (except for gdm-smartcard), -+ * errors can be ignored here. - */ - } - } -@@ -2588,7 +2597,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, - quiet_mode); - if (ret != PAM_SUCCESS) { - D(("check_login_token_name failed.\n")); -- return ret; - } - } - --- -2.21.3 - diff --git a/SOURCES/0023-cache_req-add-helper-to-call-user-by-upn-search.patch b/SOURCES/0023-cache_req-add-helper-to-call-user-by-upn-search.patch new file mode 100644 index 0000000..168f8b6 --- /dev/null +++ b/SOURCES/0023-cache_req-add-helper-to-call-user-by-upn-search.patch 
@@ -0,0 +1,70 @@ +From a3e2677f919c6b1b1649ad80cc3435b4bb2efc0d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 10 Dec 2020 19:28:58 +0100 +Subject: [PATCH 23/27] cache_req: add helper to call user by upn search + +Reviewed-by: Robbie Harwood +Reviewed-by: Sumit Bose +--- + src/responder/common/cache_req/cache_req.h | 13 +++++++++++ + .../cache_req/plugins/cache_req_user_by_upn.c | 23 +++++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h +index d36cb2d3b..d301a076e 100644 +--- a/src/responder/common/cache_req/cache_req.h ++++ b/src/responder/common/cache_req/cache_req.h +@@ -277,6 +277,19 @@ cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx, + #define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + ++struct tevent_req * ++cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct resp_ctx *rctx, ++ struct sss_nc_ctx *ncache, ++ int cache_refresh_percent, ++ enum cache_req_dom_type req_dom_type, ++ const char *domain, ++ const char *upn); ++ ++#define cache_req_user_by_upn_recv(mem_ctx, req, _result) \ ++ cache_req_single_domain_recv(mem_ctx, req, _result); ++ + struct tevent_req * + cache_req_user_by_id_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, +diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +index e08ab70ae..037994c8c 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c ++++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@@ -133,3 +133,26 @@ const struct cache_req_plugin cache_req_user_by_upn = { + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, + }; ++ ++struct tevent_req * ++cache_req_user_by_upn_send(TALLOC_CTX *mem_ctx, ++ struct tevent_context *ev, ++ struct 
resp_ctx *rctx, ++ struct sss_nc_ctx *ncache, ++ int cache_refresh_percent, ++ enum cache_req_dom_type req_dom_type, ++ const char *domain, ++ const char *upn) ++{ ++ struct cache_req_data *data; ++ ++ data = cache_req_data_name(mem_ctx, CACHE_REQ_USER_BY_UPN, upn); ++ if (data == NULL) { ++ return NULL; ++ } ++ ++ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, ++ cache_refresh_percent, ++ req_dom_type, domain, ++ data); ++} +-- +2.21.3 + diff --git a/SOURCES/0023-pam_sss-make-sure-old-certificate-data-is-removed-be.patch b/SOURCES/0023-pam_sss-make-sure-old-certificate-data-is-removed-be.patch deleted file mode 100644 index 0f0b0ba..0000000 --- a/SOURCES/0023-pam_sss-make-sure-old-certificate-data-is-removed-be.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 31e57432537b9d248839159d83cfa9049faf192b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 19 Jun 2020 13:32:30 +0200 -Subject: [PATCH] pam_sss: make sure old certificate data is removed before - retry -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -To avoid that certificates will be shown in the certificate selection -which are not available anymore they must be remove before a new request -to look up the certificates is send to SSSD's PAM responder. - -Resolves: https://github.com/SSSD/sssd/issues/5190 - -Reviewed-by: Pavel Březina ---- - src/sss_client/pam_sss.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index e3ad2c9b2..6a3ba2f50 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -2467,6 +2467,8 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi, - && strcmp(login_token_name, - pi->cert_list->token_name) != 0)) { - -+ free_cert_list(pi->cert_list); -+ pi->cert_list = NULL; - if (retries < 0) { - ret = PAM_AUTHINFO_UNAVAIL; - goto done; --- -2.21.3 - 
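Review bot: The new macro `cache_req_user_by_upn_recv` in cache_req.h ends with a semicolon inside its definition, unlike `cache_req_user_by_name_attrs_recv` directly above it. Every use therefore expands to a call followed by a stray `;`, which breaks an unbraced `if`/`else` and any use in an expression context such as a condition or a function argument. Drop the trailing semicolon so the body reads `cache_req_single_domain_recv(mem_ctx, req, _result)`. The prototype of `cache_req_user_by_upn_send` could also carry a short comment stating that `upn` is handed to `cache_req_data_name` as given and that NULL is returned when that allocation fails.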
diff --git a/SOURCES/0024-pam-fix-typo-in-debug-message.patch b/SOURCES/0024-pam-fix-typo-in-debug-message.patch
new file mode 100644
index 0000000..25167e1
--- /dev/null
+++ b/SOURCES/0024-pam-fix-typo-in-debug-message.patch
@@ -0,0 +1,27 @@
+From dcc42015f7ada1c4e4daed17e2c8087e29cb7616 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 1 Oct 2020 14:02:44 +0200
+Subject: [PATCH 24/27] pam: fix typo in debug message
+
+Reviewed-by: Robbie Harwood
+Reviewed-by: Sumit Bose
+---
+ src/responder/pam/pamsrv_cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 1d0251497..acbfc0c39 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -1941,7 +1941,7 @@ static void pam_check_user_search_next(struct tevent_req *req)
+ talloc_zfree(req);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh "
+- "data from the backened.\n");
++ "data from the backend.\n");
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n",
+--
+2.21.3
+
diff --git a/SOURCES/0024-systemtap-Missing-a-comma.patch b/SOURCES/0024-systemtap-Missing-a-comma.patch
deleted file mode 100644
index b747c2a..0000000
--- a/SOURCES/0024-systemtap-Missing-a-comma.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 66029529fa0f0e2d16999f22294822deeec5f60b Mon Sep 17 00:00:00 2001
-From: Alejandro Visiedo
-Date: Thu, 11 Jun 2020 00:36:04 +0200
-Subject: [PATCH] systemtap: Missing a comma
-
-sssd_functions.stp was missing a comma.
-
-Thanks to William Cohen for reporting the issue and the patch to fix it.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1840194
-
-Resolves: https://github.com/SSSD/sssd/issues/5201
-
-Reviewed-by: Pawel Polawski
----
- src/systemtap/sssd_functions.stp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/systemtap/sssd_functions.stp b/src/systemtap/sssd_functions.stp
-index 1eb140ccf..01f553177 100644
---- a/src/systemtap/sssd_functions.stp
-+++ b/src/systemtap/sssd_functions.stp
-@@ -7,7 +7,7 @@ global TARGET_ID=0, TARGET_AUTH=1, TARGET_ACCESS=2, TARGET_CHPASS=3,
- global METHOD_CHECK_ONLINE=0, METHOD_ACCOUNT_HANDLER=1, METHOD_AUTH_HANDLER=2,
- METHOD_ACCESS_HANDLER=3, METHOD_SELINUX_HANDLER=4, METHOD_SUDO_HANDLER=5,
- METHOD_AUTOFS_HANDLER=6, METHOD_HOSTID_HANDLER=7, METHOD_DOMAINS_HANDLER=8,
-- METHOD_RESOLVER_HANDLER=9 METHOD_SENTINEL=10
-+ METHOD_RESOLVER_HANDLER=9, METHOD_SENTINEL=10
-
- function acct_req_desc(entry_type)
- {
---
-2.21.3
-
diff --git a/SOURCES/0025-pam-add-pam_gssapi_services-option.patch b/SOURCES/0025-pam-add-pam_gssapi_services-option.patch
new file mode 100644
index 0000000..7c90067
--- /dev/null
+++ b/SOURCES/0025-pam-add-pam_gssapi_services-option.patch
@@ -0,0 +1,280 @@ +From d63172f1277c5ed166a22f04d144bf85ded4757c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 9 Oct 2020 13:03:54 +0200 +Subject: [PATCH 25/27] pam: add pam_gssapi_services option + +:config: Added `pam_gssapi_services` to list PAM services + that can authenticate using GSSAPI + +Reviewed-by: Robbie Harwood +Reviewed-by: Sumit Bose +--- + src/confdb/confdb.c | 12 +++++++++++ + src/confdb/confdb.h | 4 ++++ + src/config/SSSDConfig/sssdoptions.py | 1 + + src/config/SSSDConfigTest.py | 6 ++++-- + src/config/cfg_rules.ini | 3 +++ + src/config/etc/sssd.api.conf | 2 ++ + src/db/sysdb_subdomains.c | 13 ++++++++++++ + src/man/sssd.conf.5.xml | 30 ++++++++++++++++++++++++++++ + src/responder/pam/pamsrv.c | 21 +++++++++++++++++++ + src/responder/pam/pamsrv.h | 3 +++ + 10 files changed, 93 insertions(+), 2 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index f981ddf1e..7f1956d6d 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + } + } + ++ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES, ++ "-"); ++ if (tmp != NULL) { ++ ret = split_on_separator(domain, tmp, ',', true, true, ++ &domain->gssapi_services, NULL); ++ if (ret != 0) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES); ++ goto done; ++ } ++ } ++ + domain->has_views = false; + domain->view_name = NULL; + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 54e3f7380..7a3bc8bb5 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -144,6 +144,7 @@ + #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services" + #define CONFDB_PAM_P11_URI "p11_uri" + #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" ++#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" + + /* SUDO */ + #define CONFDB_SUDO_CONF_ENTRY "config/sudo" +@@ -431,6 +432,9 @@ struct 
sss_domain_info { + + /* Keytab used by this domain. */ + const char *krb5_keytab; ++ ++ /* List of PAM services that are allowed to authenticate with GSSAPI. */ ++ char **gssapi_services; + }; + + /** +diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py +index de96db6f4..f59fe8d9f 100644 +--- a/src/config/SSSDConfig/sssdoptions.py ++++ b/src/config/SSSDConfig/sssdoptions.py +@@ -104,6 +104,7 @@ class SSSDOptions(object): + 'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'), + 'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'), + 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), ++ 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), + + # [sudo] + 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index 323be5ed3..21fffe1b6 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -653,7 +653,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'full_name_format', + 're_expression', + 'cached_auth_timeout', +- 'auto_private_groups'] ++ 'auto_private_groups', ++ 'pam_gssapi_services'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +@@ -1030,7 +1031,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'full_name_format', + 're_expression', + 'cached_auth_timeout', +- 'auto_private_groups'] ++ 'auto_private_groups', ++ 'pam_gssapi_services'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index 773afd8bb..c6dfd5648 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -139,6 +139,7 @@ option = pam_p11_allowed_services + option = p11_wait_for_card_timeout + option = p11_uri + option = 
pam_initgroups_scheme ++option = pam_gssapi_services + + [rule/allowed_sudo_options] + validator = ini_allowed_options +@@ -437,6 +438,7 @@ option = wildcard_limit + option = full_name_format + option = re_expression + option = auto_private_groups ++option = pam_gssapi_services + + #Entry cache timeouts + option = entry_cache_user_timeout +@@ -831,6 +833,7 @@ option = ad_backup_server + option = ad_site + option = use_fully_qualified_names + option = auto_private_groups ++option = pam_gssapi_services + + [rule/sssd_checks] + validator = sssd_checks +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index 623160ffd..f46f3c46d 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false + p11_wait_for_card_timeout = int, None, false + p11_uri = str, None, false + pam_initgroups_scheme = str, None, false ++pam_gssapi_services = str, None, false + + [sudo] + # sudo service +@@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false + full_name_format = str, None, false + re_expression = str, None, false + auto_private_groups = str, None, false ++pam_gssapi_services = str, None, false + + #Entry cache timeouts + entry_cache_user_timeout = int, None, false +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index 5b42f9bdc..bfc6df0f5 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -184,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, + dom->homedir_substr = parent->homedir_substr; + dom->override_gid = parent->override_gid; + ++ dom->gssapi_services = parent->gssapi_services; ++ + if (parent->sysdb == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n"); + goto fail; +@@ -241,6 +243,17 @@ check_subdom_config_file(struct confdb_ctx *confdb, + sd_conf_path, CONFDB_DOMAIN_FQ, + subdomain->fqnames ? 
"TRUE" : "FALSE"); + ++ /* allow to set pam_gssapi_services */ ++ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path, ++ CONFDB_PAM_GSSAPI_SERVICES, ++ &subdomain->gssapi_services); ++ if (ret != EOK && ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Failed to get %s option for the subdomain: %s\n", ++ CONFDB_PAM_GSSAPI_SERVICES, subdomain->name); ++ goto done; ++ } ++ + ret = EOK; + done: + talloc_free(tmp_ctx); +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index d247400bf..db9dd4677 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -1706,6 +1706,35 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2 + + + ++ ++ pam_gssapi_services ++ ++ ++ Comma separated list of PAM services that are ++ allowed to try GSSAPI authentication using ++ pam_sss_gss.so module. ++ ++ ++ To disable GSSAPI authentication, set this option ++ to - (dash). ++ ++ ++ Note: This option can also be set per-domain which ++ overwrites the value in [pam] section. It can also ++ be set for trusted domain which overwrites the value ++ in the domain section. ++ ++ ++ Example: ++ ++pam_gssapi_services = sudo, sudo-i ++ ++ ++ ++ Default: - (GSSAPI authentication is disabled) ++ ++ ++ + + + +@@ -3780,6 +3809,7 @@ ldap_user_extra_attrs = phone:telephoneNumber + ad_backup_server, + ad_site, + use_fully_qualified_names ++ pam_gssapi_services + + For more details about these options see their individual description + in the manual page. 
+diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index 1f1ee608b..0492569c7 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -327,6 +327,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, + } + } + ++ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY, ++ CONFDB_PAM_GSSAPI_SERVICES, "-", &tmpstr); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Failed to determine gssapi services.\n"); ++ goto done; ++ } ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr, ++ CONFDB_PAM_GSSAPI_SERVICES); ++ ++ if (tmpstr != NULL) { ++ ret = split_on_separator(pctx, tmpstr, ',', true, true, ++ &pctx->gssapi_services, NULL); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "split_on_separator() failed [%d]: [%s].\n", ret, ++ sss_strerror(ret)); ++ goto done; ++ } ++ } ++ + /* The responder is initialized. Now tell it to the monitor. */ + ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM, + SSS_PAM_SBUS_SERVICE_NAME, +diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h +index 24d307a14..730dee288 100644 +--- a/src/responder/pam/pamsrv.h ++++ b/src/responder/pam/pamsrv.h +@@ -62,6 +62,9 @@ struct pam_ctx { + int num_prompting_config_sections; + + enum pam_initgroups_scheme initgroups_scheme; ++ ++ /* List of PAM services that are allowed to authenticate with GSSAPI. */ ++ char **gssapi_services; + }; + + struct pam_auth_req { +-- +2.21.3 + diff --git a/SOURCES/0025-proxy-use-x-as-default-pwfield-only-for-sssd-shadowu.patch b/SOURCES/0025-proxy-use-x-as-default-pwfield-only-for-sssd-shadowu.patch deleted file mode 100644 index 2b71ccd..0000000 --- a/SOURCES/0025-proxy-use-x-as-default-pwfield-only-for-sssd-shadowu.patch +++ /dev/null 
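Review bot: In the confdb.c hunk the per-domain value is read with a default of `"-"`, so `tmp` is never NULL, the `if (tmp != NULL)` test is dead, and `domain->gssapi_services` is always populated; a domain that does not set the option cannot be told apart from one that disables GSSAPI explicitly. The man page text added by the same patch says the domain value overrides the `[pam]` section, so if the consumer of these lists (not part of this patch) prefers any non-NULL domain list, a `[pam]`-level `pam_gssapi_services` would presumably never take effect. That fails closed, but it silently ignores an administrator's setting; reading the domain option with `ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES, NULL)` and keeping the `"-"` default only in `pam_process_init` would preserve the fallback. The same parse failure is also logged at `SSSDBG_FATAL_FAILURE` in confdb.c and `SSSDBG_MINOR_FAILURE` in pamsrv.c although both abort initialisation, and `new_subdomain` copies the parent's `gssapi_services` pointer rather than the list, which deserves a comment about the lifetime it relies on.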
@@ -1,94 +0,0 @@ -From ffb9ad1331ac5f5d9bf237666aff19f1def77871 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Fri, 26 Jun 2020 12:07:48 +0200 -Subject: [PATCH] proxy: use 'x' as default pwfield only for sssd-shadowutils - target - -To avoid regression for case where files is used for proxy but authentication -is handled by other module then pam_unix. E.g. auth_provider = krb - -This provides different solution to the ticket and improves the documentation. - -Resolves: -https://github.com/SSSD/sssd/issues/5129 - -Reviewed-by: Sumit Bose ---- - src/confdb/confdb.c | 25 ++++++++++++++++++++----- - src/man/sssd.conf.5.xml | 12 +++++++++--- - 2 files changed, 29 insertions(+), 8 deletions(-) - -diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c -index 65ad18dcf..c2daa9a2c 100644 ---- a/src/confdb/confdb.c -+++ b/src/confdb/confdb.c -@@ -872,7 +872,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - struct sss_domain_info *domain; - struct ldb_result *res; - TALLOC_CTX *tmp_ctx; -- const char *tmp; -+ const char *tmp, *tmp_pam_target, *tmp_auth; - int ret, val; - uint32_t entry_cache_timeout; - char *default_domain; -@@ -1030,13 +1030,28 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, - } - - if (domain->provider != NULL && strcasecmp(domain->provider, "proxy") == 0) { -- /* The password field must be reported as 'x' for proxy provider -- * using files library, else pam_unix won't -- * authenticate this entry. */ -+ /* The password field must be reported as 'x' for proxy provider -+ * using files library, else pam_unix won't authenticate this entry. -+ * We set this only for sssd-shadowutils target which can be used -+ * to authenticate with pam_unix only. Otherwise we let administrator -+ * to overwrite default * value with pwfield option to avoid regression -+ * on more common use case where remote authentication is required. 
*/ - tmp = ldb_msg_find_attr_as_string(res->msgs[0], - CONFDB_PROXY_LIBNAME, - NULL); -- if (tmp != NULL && strcasecmp(tmp, "files") == 0) { -+ -+ tmp_auth = ldb_msg_find_attr_as_string(res->msgs[0], -+ CONFDB_DOMAIN_AUTH_PROVIDER, -+ NULL); -+ -+ tmp_pam_target = ldb_msg_find_attr_as_string(res->msgs[0], -+ CONFDB_PROXY_PAM_TARGET, -+ NULL); -+ -+ if (tmp != NULL && tmp_pam_target != NULL -+ && strcasecmp(tmp, "files") == 0 -+ && (tmp_auth == NULL || strcasecmp(tmp_auth, "proxy") == 0) -+ && strcmp(tmp_pam_target, "sssd-shadowutils") == 0) { - domain->pwfield = "x"; - } - } -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index cae24bb63..44b3b8f20 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -1135,11 +1135,17 @@ fallback_homedir = /home/%u - password field. - - -- This option can also be set per-domain. -+ Default: * - - -- Default: * (remote domains) -- or x (the files domain) -+ Note: This option can also be set per-domain which -+ overwrites the value in [nss] section. -+ -+ -+ Default: not set (remote domains), -+ x (the files domain), -+ x (proxy domain with nss_files -+ and sssd-shadowutils target) - - - --- -2.21.3 - diff --git a/SOURCES/0026-files-allow-root-membership.patch b/SOURCES/0026-files-allow-root-membership.patch deleted file mode 100644 index 9356e0b..0000000 --- a/SOURCES/0026-files-allow-root-membership.patch +++ /dev/null 
@@ -1,291 +0,0 @@ -From 8969c43dc2d8d0800c2f0b509d078378db855622 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Tue, 23 Jun 2020 12:05:08 +0200 -Subject: [PATCH] files: allow root membership - -There are two use cases that do not work with files provider: - -1. User has primary GID 0: - -This is fine by itself since SSSD does not store this user in cache and it is -handled only by `nss_files` so the user (`tuser`) is returned correctly. The -problem is when you try to resolve group that the user is member of. In this -case that the membership is missing the group (but only if the user was -previously resolved and thus stored in negative cache). - -``` -tuser:x:1001:0::/home/tuser:/bin/bash -tuser:x:1001:tuser - -// tuser@files is ghost member of the group so it is returned because it is not in negative cache -$ getent group tuser -tuser:x:1001:tuser - -// expire memcache -// tuser@files is ghost member but not returned because it is in negative cache -$ id tuser // returned from nss_files -uid=1001(tuser) gid=0(root) groups=0(root),1001(tuser) -[pbrezina /dev/shm/sssd]$ getent group tuser -tuser:x:1001: -``` - -**2. root is member of other group** - -The root member is missing from the membership since it was filtered out by -negative cache. - -``` -tuser:x:1001:root - -$ id root -uid=0(root) gid=0(root) groups=0(root),1001(tuser) -[pbrezina /dev/shm/sssd]$ getent group tuser -tuser:x:1001: -``` - -In files provider, only the users that we do not want to managed are stored -as ghost member, therefore we can let nss_files handle group that has ghost -members. - -Tests are changed as well to work with this behavior. Users are added when -required and ghost are expected to return ENOENT. 
- -Resolves: -https://github.com/SSSD/sssd/issues/5170 - -Reviewed-by: Sumit Bose ---- - src/responder/nss/nss_protocol_grent.c | 18 +++++++ - src/tests/intg/files_ops.py | 13 +++++ - src/tests/intg/test_files_provider.py | 73 ++++++++++++++++---------- - 3 files changed, 77 insertions(+), 27 deletions(-) - -diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c -index 9c443d0e7..6d8e71083 100644 ---- a/src/responder/nss/nss_protocol_grent.c -+++ b/src/responder/nss/nss_protocol_grent.c -@@ -141,6 +141,24 @@ nss_protocol_fill_members(struct sss_packet *packet, - members[0] = nss_get_group_members(domain, msg); - members[1] = nss_get_group_ghosts(domain, msg, group_name); - -+ if (is_files_provider(domain) && members[1] != NULL) { -+ /* If there is a ghost member in files provider it means that we -+ * did not store the user on purpose (e.g. it has uid or gid 0). -+ * Therefore nss_files does handle the user and therefore we -+ * must let nss_files to also handle this group in order to -+ * provide correct membership. */ -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Unknown members found. 
nss_files will handle it.\n"); -+ -+ ret = sss_ncache_set_group(rctx->ncache, false, domain, group_name); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "sss_ncache_set_group failed.\n"); -+ } -+ -+ ret = ENOENT; -+ goto done; -+ } -+ - sss_packet_get_body(packet, &body, &body_len); - - num_members = 0; -diff --git a/src/tests/intg/files_ops.py b/src/tests/intg/files_ops.py -index c1c4465e7..57959f501 100644 ---- a/src/tests/intg/files_ops.py -+++ b/src/tests/intg/files_ops.py -@@ -103,6 +103,13 @@ class FilesOps(object): - - contents = self._read_contents() - -+ def _has_line(self, key): -+ try: -+ self._get_named_line(key, self._read_contents()) -+ return True -+ except KeyError: -+ return False -+ - - class PasswdOps(FilesOps): - """ -@@ -132,6 +139,9 @@ class PasswdOps(FilesOps): - def userdel(self, name): - self._del_line(name) - -+ def userexist(self, name): -+ return self._has_line(name) -+ - - class GroupOps(FilesOps): - """ -@@ -158,3 +168,6 @@ class GroupOps(FilesOps): - - def groupdel(self, name): - self._del_line(name) -+ -+ def groupexist(self, name): -+ return self._has_line(name) -diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py -index 023333020..90be198c3 100644 ---- a/src/tests/intg/test_files_provider.py -+++ b/src/tests/intg/test_files_provider.py -@@ -60,11 +60,13 @@ OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010, - dir='/home/ov/user1', - shell='/bin/ov_user1_shell') - --ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001, -+ALT_USER1 = dict(name='alt_user1', passwd='x', uid=60001, gid=70001, - gecos='User for tests from alt files', - dir='/home/altuser1', - shell='/bin/bash') - -+ALL_USERS = [CANARY, USER1, USER2, OV_USER1, ALT_USER1] -+ - CANARY_GR = dict(name='canary', - gid=300001, - mem=[]) -@@ -365,21 +367,34 @@ def setup_pw_with_canary(passwd_ops_setup): - return setup_pw_with_list(passwd_ops_setup, [CANARY]) - - --def setup_gr_with_list(grp_ops, group_list): 
-+def add_group_members(pwd_ops, group): -+ members = {x['name']: x for x in ALL_USERS} -+ for member in group['mem']: -+ if pwd_ops.userexist(member): -+ continue -+ -+ pwd_ops.useradd(**members[member]) -+ -+ -+def setup_gr_with_list(pwd_ops, grp_ops, group_list): - for group in group_list: -+ add_group_members(pwd_ops, group) - grp_ops.groupadd(**group) -+ - ent.assert_group_by_name(CANARY_GR['name'], CANARY_GR) - return grp_ops - - - @pytest.fixture --def add_group_with_canary(group_ops_setup): -- return setup_gr_with_list(group_ops_setup, [GROUP1, CANARY_GR]) -+def add_group_with_canary(passwd_ops_setup, group_ops_setup): -+ return setup_gr_with_list( -+ passwd_ops_setup, group_ops_setup, [GROUP1, CANARY_GR] -+ ) - - - @pytest.fixture --def setup_gr_with_canary(group_ops_setup): -- return setup_gr_with_list(group_ops_setup, [CANARY_GR]) -+def setup_gr_with_canary(passwd_ops_setup, group_ops_setup): -+ return setup_gr_with_list(passwd_ops_setup, group_ops_setup, [CANARY_GR]) - - - def poll_canary(fn, name, threshold=20): -@@ -766,7 +781,9 @@ def test_gid_zero_does_not_resolve(files_domain_only): - assert res == NssReturnCode.NOTFOUND - - --def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only): -+def test_add_remove_add_file_group( -+ setup_pw_with_canary, setup_gr_with_canary, files_domain_only -+): - """ - Test that removing a group is detected and the group - is removed from the sssd database. 
Similarly, an add -@@ -776,6 +793,7 @@ def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only): - res, group = call_sssd_getgrnam(GROUP1["name"]) - assert res == NssReturnCode.NOTFOUND - -+ add_group_members(setup_pw_with_canary, GROUP1) - setup_gr_with_canary.groupadd(**GROUP1) - check_group(GROUP1) - -@@ -817,8 +835,10 @@ def test_mod_group_gid(add_group_with_canary, files_domain_only): - - - @pytest.fixture --def add_group_nomem_with_canary(group_ops_setup): -- return setup_gr_with_list(group_ops_setup, [GROUP_NOMEM, CANARY_GR]) -+def add_group_nomem_with_canary(passwd_ops_setup, group_ops_setup): -+ return setup_gr_with_list( -+ passwd_ops_setup, group_ops_setup, [GROUP_NOMEM, CANARY_GR] -+ ) - - - def test_getgrnam_no_members(add_group_nomem_with_canary, files_domain_only): -@@ -911,16 +931,19 @@ def test_getgrnam_ghost(setup_pw_with_canary, - setup_gr_with_canary, - files_domain_only): - """ -- Test that a group with members while the members are not present -- are added as ghosts. This is also what nss_files does, getgrnam would -- return group members that do not exist as well. -+ Test that group if not found (and will be handled by nss_files) if there -+ are any ghost members. - """ - user_and_group_setup(setup_pw_with_canary, - setup_gr_with_canary, - [], - [GROUP12], - False) -- check_group(GROUP12) -+ -+ time.sleep(1) -+ res, group = call_sssd_getgrnam(GROUP12["name"]) -+ assert res == NssReturnCode.NOTFOUND -+ - for member in GROUP12['mem']: - res, _ = call_sssd_getpwnam(member) - assert res == NssReturnCode.NOTFOUND -@@ -932,7 +955,10 @@ def ghost_and_member_test(pw_ops, grp_ops, reverse): - [USER1], - [GROUP12], - reverse) -- check_group(GROUP12) -+ -+ time.sleep(1) -+ res, group = call_sssd_getgrnam(GROUP12["name"]) -+ assert res == NssReturnCode.NOTFOUND - - # We checked that the group added has the same members as group12, - # so both user1 and user2. 
Now check that user1 is a member of -@@ -1027,28 +1053,21 @@ def test_getgrnam_add_remove_ghosts(setup_pw_with_canary, - modgroup = dict(GROUP_NOMEM) - modgroup['mem'] = ['user1', 'user2'] - add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup) -- check_group(modgroup) -+ time.sleep(1) -+ res, group = call_sssd_getgrnam(modgroup['name']) -+ assert res == sssd_id.NssReturnCode.NOTFOUND - - modgroup['mem'] = ['user2'] - add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup) -- check_group(modgroup) -+ time.sleep(1) -+ res, group = call_sssd_getgrnam(modgroup['name']) -+ assert res == sssd_id.NssReturnCode.NOTFOUND - - res, _ = call_sssd_getpwnam('user1') - assert res == NssReturnCode.NOTFOUND - res, _ = call_sssd_getpwnam('user2') - assert res == NssReturnCode.NOTFOUND - -- # Add this user and verify it's been added as a member -- pwd_ops.useradd(**USER2) -- # The negative cache might still have user2 from the previous request, -- # flushing the caches might help to prevent a failed lookup after adding -- # the user. -- subprocess.call(["sss_cache", "-E"]) -- res, groups = sssd_id_sync('user2') -- assert res == sssd_id.NssReturnCode.SUCCESS -- assert len(groups) == 2 -- assert 'group_nomem' in groups -- - - def realloc_users(pwd_ops, num): - # Intentionally not including the last one because --- -2.21.3 - diff --git a/SOURCES/0026-pam-add-pam_gssapi_check_upn-option.patch b/SOURCES/0026-pam-add-pam_gssapi_check_upn-option.patch new file mode 100644 index 0000000..6e59705 --- /dev/null +++ b/SOURCES/0026-pam-add-pam_gssapi_check_upn-option.patch 
@@ -0,0 +1,250 @@ +From fffe3169bb490c4b010b168c639aa6f9b2ec0c52 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Thu, 10 Dec 2020 22:05:30 +0100 +Subject: [PATCH 26/27] pam: add pam_gssapi_check_upn option + +:config: Added `pam_gssapi_check_upn` to enforce authentication + only with principal that can be associated with target user. + +Reviewed-by: Robbie Harwood +Reviewed-by: Sumit Bose +--- + src/confdb/confdb.c | 10 ++++++++++ + src/confdb/confdb.h | 2 ++ + src/config/SSSDConfig/sssdoptions.py | 1 + + src/config/SSSDConfigTest.py | 6 ++++-- + src/config/cfg_rules.ini | 3 +++ + src/config/etc/sssd.api.conf | 2 ++ + src/db/sysdb_subdomains.c | 12 ++++++++++++ + src/man/sssd.conf.5.xml | 26 ++++++++++++++++++++++++++ + src/responder/pam/pamsrv.c | 9 +++++++++ + src/responder/pam/pamsrv.h | 1 + + 10 files changed, 70 insertions(+), 2 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 7f1956d6d..2881ce5da 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1593,6 +1593,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + } + } + ++ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_CHECK_UPN, ++ NULL); ++ if (tmp != NULL) { ++ domain->gssapi_check_upn = talloc_strdup(domain, tmp); ++ if (domain->gssapi_check_upn == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ } ++ + domain->has_views = false; + domain->view_name = NULL; + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 7a3bc8bb5..036f9ecad 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -145,6 +145,7 @@ + #define CONFDB_PAM_P11_URI "p11_uri" + #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" + #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" ++#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" + + /* SUDO */ + #define CONFDB_SUDO_CONF_ENTRY "config/sudo" +@@ -435,6 +436,7 @@ struct sss_domain_info { + + /* List of PAM services that are allowed to authenticate 
with GSSAPI. */ + char **gssapi_services; ++ char *gssapi_check_upn; /* true | false | NULL */ + }; + + /** +diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py +index f59fe8d9f..5da52a937 100644 +--- a/src/config/SSSDConfig/sssdoptions.py ++++ b/src/config/SSSDConfig/sssdoptions.py +@@ -105,6 +105,7 @@ class SSSDOptions(object): + 'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'), + 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), + 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), ++ 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), + + # [sudo] + 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index 21fffe1b6..ea4e4f6c9 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -654,7 +654,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 're_expression', + 'cached_auth_timeout', + 'auto_private_groups', +- 'pam_gssapi_services'] ++ 'pam_gssapi_services', ++ 'pam_gssapi_check_upn'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +@@ -1032,7 +1033,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 're_expression', + 'cached_auth_timeout', + 'auto_private_groups', +- 'pam_gssapi_services'] ++ 'pam_gssapi_services', ++ 'pam_gssapi_check_upn'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index c6dfd5648..6642c6321 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -140,6 +140,7 @@ option = p11_wait_for_card_timeout + option = p11_uri + option = pam_initgroups_scheme + option = pam_gssapi_services ++option = pam_gssapi_check_upn + + [rule/allowed_sudo_options] + validator = 
ini_allowed_options +@@ -439,6 +440,7 @@ option = full_name_format + option = re_expression + option = auto_private_groups + option = pam_gssapi_services ++option = pam_gssapi_check_upn + + #Entry cache timeouts + option = entry_cache_user_timeout +@@ -834,6 +836,7 @@ option = ad_site + option = use_fully_qualified_names + option = auto_private_groups + option = pam_gssapi_services ++option = pam_gssapi_check_upn + + [rule/sssd_checks] + validator = sssd_checks +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index f46f3c46d..d3cad7380 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -81,6 +81,7 @@ p11_wait_for_card_timeout = int, None, false + p11_uri = str, None, false + pam_initgroups_scheme = str, None, false + pam_gssapi_services = str, None, false ++pam_gssapi_check_upn = bool, None, false + + [sudo] + # sudo service +@@ -201,6 +202,7 @@ full_name_format = str, None, false + re_expression = str, None, false + auto_private_groups = str, None, false + pam_gssapi_services = str, None, false ++pam_gssapi_check_upn = bool, None, false + + #Entry cache timeouts + entry_cache_user_timeout = int, None, false +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index bfc6df0f5..03ba12164 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -254,6 +254,18 @@ check_subdom_config_file(struct confdb_ctx *confdb, + goto done; + } + ++ /* allow to set pam_gssapi_check_upn */ ++ ret = confdb_get_string(confdb, subdomain, sd_conf_path, ++ CONFDB_PAM_GSSAPI_CHECK_UPN, ++ subdomain->parent->gssapi_check_upn, ++ &subdomain->gssapi_check_upn); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Failed to get %s option for the subdomain: %s\n", ++ CONFDB_PAM_GSSAPI_CHECK_UPN, subdomain->name); ++ goto done; ++ } ++ + ret = EOK; + done: + talloc_free(tmp_ctx); +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index db9dd4677..d637e2eaa 100644 +--- 
a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -1735,6 +1735,31 @@ pam_gssapi_services = sudo, sudo-i + + + ++ ++ pam_gssapi_check_upn ++ ++ ++ If True, SSSD will require that the Kerberos user ++ principal that successfully authenticated through ++ GSSAPI can be associated with the user who is being ++ authenticated. Authentication will fail if the check ++ fails. ++ ++ ++ If False, every user that is able to obtained ++ required service ticket will be authenticated. ++ ++ ++ Note: This option can also be set per-domain which ++ overwrites the value in [pam] section. It can also ++ be set for trusted domain which overwrites the value ++ in the domain section. ++ ++ ++ Default: True ++ ++ ++ + + + +@@ -3810,6 +3835,7 @@ ldap_user_extra_attrs = phone:telephoneNumber + ad_site, + use_fully_qualified_names + pam_gssapi_services ++ pam_gssapi_check_upn + + For more details about these options see their individual description + in the manual page. +diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index 0492569c7..0db2824ff 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -348,6 +348,15 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, + } + } + ++ ret = confdb_get_bool(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY, ++ CONFDB_PAM_GSSAPI_CHECK_UPN, true, ++ &pctx->gssapi_check_upn); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read %s [%d]: %s\n", ++ CONFDB_PAM_GSSAPI_CHECK_UPN, ret, sss_strerror(ret)); ++ goto done; ++ } ++ + /* The responder is initialized. Now tell it to the monitor. */ + ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM, + SSS_PAM_SBUS_SERVICE_NAME, +diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h +index 730dee288..bf4dd75b0 100644 +--- a/src/responder/pam/pamsrv.h ++++ b/src/responder/pam/pamsrv.h +@@ -65,6 +65,7 @@ struct pam_ctx { + + /* List of PAM services that are allowed to authenticate with GSSAPI. 
*/ + char **gssapi_services; ++ bool gssapi_check_upn; + }; + + struct pam_auth_req { +-- +2.21.3 + diff --git a/SOURCES/0027-PAM-do-not-treat-error-for-cache-only-lookups-as-fat.patch b/SOURCES/0027-PAM-do-not-treat-error-for-cache-only-lookups-as-fat.patch deleted file mode 100644 index 1c4f461..0000000 --- a/SOURCES/0027-PAM-do-not-treat-error-for-cache-only-lookups-as-fat.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 100839b64390d7010bfa28552fd9381ef4366496 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 26 Jun 2020 09:48:17 +0200 -Subject: [PATCH] PAM: do not treat error for cache-only lookups as fatal - -The original fatal error came from a time where at this place in the -code the response form the backend was checked and an error was clearly -fatal. - -Now we only check if the entry is in the cache and valid. An error would -mean that the backend is called to lookup or refresh the entry. So the -backend can change the state of the cache and make upcoming cache -lookups successful. So it makes sense to not only call the backend if -ENOENT is returned but for all kind of errors. - -Resolves https://pagure.io/SSSD/sssd/issue/4098 - -Reviewed-by: Pawel Polawski ---- - src/responder/pam/pamsrv_cmd.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c -index 1cd901f15..666131cb7 100644 ---- a/src/responder/pam/pamsrv_cmd.c -+++ b/src/responder/pam/pamsrv_cmd.c -@@ -1941,10 +1941,8 @@ static void pam_check_user_search_next(struct tevent_req *req) - ret = cache_req_single_domain_recv(preq, req, &result); - talloc_zfree(req); - if (ret != EOK && ret != ENOENT) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Fatal error, killing connection!\n"); -- talloc_zfree(preq->cctx); -- return; -+ DEBUG(SSSDBG_OP_FAILURE, "Cache lookup failed, trying to get fresh " -+ "data from the backened.\n"); - } - - DEBUG(SSSDBG_TRACE_ALL, "PAM initgroups scheme [%s].\n", --- -2.21.3 - 
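Review bot: The per-domain `pam_gssapi_check_upn` value is kept in `confdb_get_domain_internal()` as an unvalidated string (`talloc_strdup(domain, tmp)`), whereas the `[pam]` value in `pam_process_init()` is read with `confdb_get_bool()` and has a fatal error path. The consumer visible in the next patch on this page, `pam_gssapi_should_check_upn()`, returns `false` for any string other than true/false, so a mistyped value in a domain section would switch the UPN match off even though the documented default is True. Rejecting the value where it is read keeps the failure closed, for example `if (strcasecmp(tmp, "true") != 0 && strcasecmp(tmp, "false") != 0) { ret = EINVAL; goto done; }` placed before the `talloc_strdup`. The subdomain path in `check_subdom_config_file()` inherits the same string through `confdb_get_string()` and would presumably need the same check. Both functions begin and end outside the hunks shown, so how the surrounding code reacts to `EINVAL` should be confirmed.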
diff --git a/SOURCES/0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch b/SOURCES/0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch new file mode 100644 index 0000000..baa7927 --- /dev/null +++ b/SOURCES/0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch 
@@ -0,0 +1,1866 @@ +From d09aa174b04a825979f31c61b05239de088a732f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 7 Jul 2020 11:05:37 +0200 +Subject: [PATCH 27/27] pam: add pam_sss_gss module for gssapi authentication + +:feature: New PAM module `pam_sss_gss` for authentication using GSSAPI +:packaging: Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page + +Reviewed-by: Robbie Harwood +Reviewed-by: Sumit Bose +--- + Makefile.am | 33 +- + configure.ac | 1 + + contrib/sssd.spec.in | 2 + + src/external/libgssapi_krb5.m4 | 8 + + src/man/Makefile.am | 4 +- + src/man/pam_sss_gss.8.xml | 209 ++++++++ + src/responder/pam/pamsrv.h | 4 + + src/responder/pam/pamsrv_cmd.c | 2 + + src/responder/pam/pamsrv_gssapi.c | 792 +++++++++++++++++++++++++++++ + src/sss_client/pam_sss_gss.c | 588 +++++++++++++++++++++ + src/sss_client/pam_sss_gss.exports | 4 + + src/sss_client/sss_cli.h | 8 + + src/tests/dlopen-tests.c | 1 + + 13 files changed, 1653 insertions(+), 3 deletions(-) + create mode 100644 src/external/libgssapi_krb5.m4 + create mode 100644 src/man/pam_sss_gss.8.xml + create mode 100644 src/responder/pam/pamsrv_gssapi.c + create mode 100644 src/sss_client/pam_sss_gss.c + create mode 100644 src/sss_client/pam_sss_gss.exports + +diff --git a/Makefile.am b/Makefile.am +index 430b4e842..1c82776ab 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1585,12 +1585,14 @@ sssd_pam_SOURCES = \ + src/responder/pam/pamsrv_cmd.c \ + src/responder/pam/pamsrv_p11.c \ + src/responder/pam/pamsrv_dp.c \ ++ src/responder/pam/pamsrv_gssapi.c \ + src/responder/pam/pam_prompting_config.c \ + src/sss_client/pam_sss_prompt_config.c \ + src/responder/pam/pam_helpers.c \ + $(SSSD_RESPONDER_OBJ) + sssd_pam_CFLAGS = \ + $(AM_CFLAGS) \ ++ $(GSSAPI_KRB5_CFLAGS) \ + $(NULL) + sssd_pam_LDADD = \ + $(LIBADD_DL) \ +@@ -1599,6 +1601,7 @@ sssd_pam_LDADD = \ + $(SELINUX_LIBS) \ + $(PAM_LIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ ++ $(GSSAPI_KRB5_LIBS) \ + libsss_certmap.la \ + 
$(SSSD_INTERNAL_LTLIBS) \ + libsss_iface.la \ +@@ -2710,6 +2713,7 @@ pam_srv_tests_SOURCES = \ + src/sss_client/pam_message.c \ + src/responder/pam/pamsrv_cmd.c \ + src/responder/pam/pamsrv_p11.c \ ++ src/responder/pam/pamsrv_gssapi.c \ + src/responder/pam/pam_helpers.c \ + src/responder/pam/pamsrv_dp.c \ + src/responder/pam/pam_LOCAL_domain.c \ +@@ -2721,6 +2725,7 @@ pam_srv_tests_CFLAGS = \ + -I$(abs_builddir)/src \ + $(AM_CFLAGS) \ + $(CMOCKA_CFLAGS) \ ++ $(GSSAPI_KRB5_CFLAGS) \ + $(NULL) + pam_srv_tests_LDFLAGS = \ + -Wl,-wrap,sss_packet_get_body \ +@@ -2736,6 +2741,7 @@ pam_srv_tests_LDADD = \ + $(SSSD_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ ++ $(GSSAPI_KRB5_LIBS) \ + libsss_test_common.la \ + libsss_idmap.la \ + libsss_certmap.la \ +@@ -4149,6 +4155,28 @@ pam_sss_la_LDFLAGS = \ + -avoid-version \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports + ++pamlib_LTLIBRARIES += pam_sss_gss.la ++pam_sss_gss_la_SOURCES = \ ++ src/sss_client/pam_sss_gss.c \ ++ src/sss_client/common.c \ ++ $(NULL) ++ ++pam_sss_gss_la_CFLAGS = \ ++ $(AM_CFLAGS) \ ++ $(GSSAPI_KRB5_CFLAGS) \ ++ $(NULL) ++ ++pam_sss_gss_la_LIBADD = \ ++ $(CLIENT_LIBS) \ ++ $(PAM_LIBS) \ ++ $(GSSAPI_KRB5_LIBS) \ ++ $(NULL) ++ ++pam_sss_gss_la_LDFLAGS = \ ++ -module \ ++ -avoid-version \ ++ -Wl,--version-script,$(srcdir)/src/sss_client/pam_sss_gss.exports ++ + if BUILD_SUDO + + libsss_sudo_la_SOURCES = \ +@@ -4187,7 +4215,10 @@ endif + + dist_noinst_DATA += \ + src/sss_client/sss_nss.exports \ +- src/sss_client/sss_pam.exports ++ src/sss_client/sss_pam.exports \ ++ src/sss_client/pam_sss_gss.exports \ ++ $(NULL) ++ + if BUILD_SUDO + dist_noinst_DATA += src/sss_client/sss_sudo.exports + endif +diff --git a/configure.ac b/configure.ac +index 0d24c4b35..75dc81d53 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -182,6 +182,7 @@ m4_include([src/external/libldb.m4]) + m4_include([src/external/libdhash.m4]) + m4_include([src/external/libcollection.m4]) + 
m4_include([src/external/libini_config.m4]) ++m4_include([src/external/libgssapi_krb5.m4]) + m4_include([src/external/pam.m4]) + m4_include([src/external/ldap.m4]) + m4_include([src/external/libpcre.m4]) +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index ed81da535..f7e5ce133 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -1166,6 +1166,7 @@ done + %license src/sss_client/COPYING src/sss_client/COPYING.LESSER + /%{_lib}/libnss_sss.so.2 + /%{_lib}/security/pam_sss.so ++/%{_lib}/security/pam_sss_gss.so + %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so + %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so + %if (0%{?with_cifs_utils_plugin} == 1) +@@ -1178,6 +1179,7 @@ done + %dir %{_libdir}/%{name}/modules + %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so + %{_mandir}/man8/pam_sss.8* ++%{_mandir}/man8/pam_sss_gss.8* + %{_mandir}/man8/sssd_krb5_locator_plugin.8* + + %files -n libsss_sudo +diff --git a/src/external/libgssapi_krb5.m4 b/src/external/libgssapi_krb5.m4 +new file mode 100644 +index 000000000..67f3c464d +--- /dev/null ++++ b/src/external/libgssapi_krb5.m4 +@@ -0,0 +1,8 @@ ++AC_SUBST(GSSAPI_KRB5_CFLAGS) ++AC_SUBST(GSSAPI_KRB5_LIBS) ++ ++PKG_CHECK_MODULES(GSSAPI_KRB5, ++ krb5-gssapi, ++ , ++ AC_MSG_ERROR("Please install krb5-devel") ++ ) +diff --git a/src/man/Makefile.am b/src/man/Makefile.am +index 351ab8015..c6890a792 100644 +--- a/src/man/Makefile.am ++++ b/src/man/Makefile.am +@@ -69,8 +69,8 @@ man_MANS = \ + sssd.8 sssd.conf.5 sssd-ldap.5 sssd-ldap-attributes.5 \ + sssd-krb5.5 sssd-simple.5 sss-certmap.5 \ + sssd_krb5_locator_plugin.8 \ +- pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \ +- sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \ ++ pam_sss.8 pam_sss_gss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 \ ++ sss_seed.8 sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \ + $(NULL) + + if BUILD_LOCAL_PROVIDER +diff --git a/src/man/pam_sss_gss.8.xml 
b/src/man/pam_sss_gss.8.xml +new file mode 100644 +index 000000000..ce5b11bff +--- /dev/null ++++ b/src/man/pam_sss_gss.8.xml +@@ -0,0 +1,209 @@ ++ ++ ++ ++SSSD Manual pages ++ ++ ++ ++ ++ pam_sss_gss ++ 8 ++ ++ ++ ++ pam_sss_gss ++ PAM module for SSSD GSSAPI authentication ++ ++ ++ ++ ++ pam_sss_gss.so ++ ++ debug ++ ++ ++ ++ ++ ++ DESCRIPTION ++ ++ pam_sss_gss.so authenticates user ++ over GSSAPI in cooperation with SSSD. ++ ++ ++ This module will try to authenticate the user using the GSSAPI ++ hostbased service name host@hostname which translates to ++ host/hostname@REALM Kerberos principal. The ++ REALM part of the Kerberos principal name is ++ derived by Kerberos internal mechanisms and it can be set explicitly ++ in configuration of [domain_realm] section in /etc/krb5.conf. ++ ++ ++ SSSD is used to provide desired service name and to validate the ++ user's credentials using GSSAPI calls. If the service ticket is ++ already present in the Kerberos credentials cache or if user's ++ ticket granting ticket can be used to get the correct service ticket ++ then the user will be authenticated. ++ ++ ++ If is True (default) then SSSD ++ requires that the credentials used to obtain the service tickets can ++ be associated with the user. This means that the principal that owns ++ the Kerberos credentials must match with the user principal name as ++ defined in LDAP. ++ ++ ++ To enable GSSAPI authentication in SSSD, set ++ option in [pam] or domain ++ section of sssd.conf. The service credentials need to be stored ++ in SSSD's keytab (it is already present if you use ipa or ad ++ provider). The keytab location can be set with ++ option. See ++ ++ sssd.conf ++ 5 ++ and ++ ++ sssd-krb5 ++ 5 ++ for more details on these options. ++ ++ ++ ++ ++ OPTIONS ++ ++ ++ ++ ++ ++ ++ Print debugging information. ++ ++ ++ ++ ++ ++ ++ MODULE TYPES PROVIDED ++ Only the module type is provided. 
++ ++ ++ ++ RETURN VALUES ++ ++ ++ PAM_SUCCESS ++ ++ ++ The PAM operation finished successfully. ++ ++ ++ ++ ++ PAM_USER_UNKNOWN ++ ++ ++ The user is not known to the authentication service or ++ the GSSAPI authentication is not supported. ++ ++ ++ ++ ++ PAM_AUTH_ERR ++ ++ ++ Authentication failure. ++ ++ ++ ++ ++ PAM_AUTHINFO_UNAVAIL ++ ++ ++ Unable to access the authentication information. ++ This might be due to a network or hardware failure. ++ ++ ++ ++ ++ PAM_SYSTEM_ERR ++ ++ ++ A system error occurred. The SSSD log files may contain ++ additional information about the error. ++ ++ ++ ++ ++ ++ ++ ++ EXAMPLES ++ ++ The main use case is to provide password-less authentication in ++ sudo but without the need to disable authentication completely. ++ To achieve this, first enable GSSAPI authentication for sudo in ++ sssd.conf: ++ ++ ++[domain/MYDOMAIN] ++pam_gssapi_services = sudo, sudo-i ++ ++ ++ And then enable the module in desired PAM stack ++ (e.g. /etc/pam.d/sudo and /etc/pam.d/sudo-i). ++ ++ ++... ++auth sufficient pam_sss_gss.so ++... ++ ++ ++ ++ ++ TROUBLESHOOTING ++ ++ SSSD logs, pam_sss_gss debug output and syslog may contain helpful ++ information about the error. Here are some common issues: ++ ++ ++ 1. I have KRB5CCNAME environment variable set and the authentication ++ does not work: Depending on your sudo version, it is possible that ++ sudo does not pass this variable to the PAM environment. Try adding ++ KRB5CCNAME to in /etc/sudoers or in your ++ LDAP sudo rules default options. ++ ++ ++ 2. Authentication does not work and syslog contains "Server not ++ found in Kerberos database": Kerberos is probably not able to ++ resolve correct realm for the service ticket based on the hostname. ++ Try adding the hostname directly to ++ in /etc/krb5.conf like so: ++ ++ ++ 3. Authentication does not work and syslog contains "No Kerberos ++ credentials available": You don't have any credentials that can be ++ used to obtain the required service ticket. 
Use kinit or autheticate ++ over SSSD to acquire those credentials. ++ ++ ++ 4. Authentication does not work and SSSD sssd-pam log contains "User ++ with UPN [$UPN] was not found." or "UPN [$UPN] does not match target ++ user [$username].": You are using credentials that can not be mapped ++ to the user that is being authenticated. Try to use kswitch to ++ select different principal, make sure you authenticated with SSSD or ++ consider disabling . ++ ++ ++[domain_realm] ++.myhostname = MYREALM ++ ++ ++ ++ ++ ++ ++ +diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h +index bf4dd75b0..355329691 100644 +--- a/src/responder/pam/pamsrv.h ++++ b/src/responder/pam/pamsrv.h +@@ -145,4 +145,8 @@ errno_t pam_eval_prompting_config(struct pam_ctx *pctx, struct pam_data *pd); + + enum pam_initgroups_scheme pam_initgroups_string_to_enum(const char *str); + const char *pam_initgroup_enum_to_string(enum pam_initgroups_scheme scheme); ++ ++int pam_cmd_gssapi_init(struct cli_ctx *cli_ctx); ++int pam_cmd_gssapi_sec_ctx(struct cli_ctx *cctx); ++ + #endif /* __PAMSRV_H__ */ +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index acbfc0c39..9ea488be4 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ b/src/responder/pam/pamsrv_cmd.c +@@ -2401,6 +2401,8 @@ struct sss_cmd_table *get_pam_cmds(void) + {SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok}, + {SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim}, + {SSS_PAM_PREAUTH, pam_cmd_preauth}, ++ {SSS_GSSAPI_INIT, pam_cmd_gssapi_init}, ++ {SSS_GSSAPI_SEC_CTX, pam_cmd_gssapi_sec_ctx}, + {SSS_CLI_NULL, NULL} + }; + +diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c +new file mode 100644 +index 000000000..099675e1c +--- /dev/null ++++ b/src/responder/pam/pamsrv_gssapi.c +@@ -0,0 +1,792 @@ ++/* ++ Authors: ++ Pavel Březina ++ ++ Copyright (C) 2020 Red Hat ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public 
License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "confdb/confdb.h" ++#include "db/sysdb.h" ++#include "responder/common/responder_packet.h" ++#include "responder/common/responder.h" ++#include "responder/common/cache_req/cache_req.h" ++#include "responder/pam/pamsrv.h" ++#include "sss_client/sss_cli.h" ++#include "util/util.h" ++#include "util/sss_utf8.h" ++ ++static errno_t read_str(size_t body_len, ++ uint8_t *body, ++ size_t *pctr, ++ const char **_str) ++{ ++ size_t i; ++ ++ for (i = *pctr; i < body_len && body[i] != 0; i++) { ++ /* counting */ ++ } ++ ++ if (i >= body_len) { ++ return EINVAL; ++ } ++ ++ if (!sss_utf8_check(&body[*pctr], i - *pctr)) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Body is not UTF-8 string!\n"); ++ return EINVAL; ++ } ++ ++ *_str = (const char *)&body[*pctr]; ++ *pctr = i + 1; ++ ++ return EOK; ++} ++ ++static bool pam_gssapi_should_check_upn(struct pam_ctx *pam_ctx, ++ struct sss_domain_info *domain) ++{ ++ if (domain->gssapi_check_upn != NULL) { ++ if (strcasecmp(domain->gssapi_check_upn, "true") == 0) { ++ return true; ++ } ++ ++ if (strcasecmp(domain->gssapi_check_upn, "false") == 0) { ++ return false; ++ } ++ ++ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid value for %s: %s\n", ++ CONFDB_PAM_GSSAPI_CHECK_UPN, domain->gssapi_check_upn); ++ return false; ++ } ++ ++ return pam_ctx->gssapi_check_upn; ++} ++ ++static bool pam_gssapi_allowed(struct pam_ctx *pam_ctx, ++ struct sss_domain_info *domain, ++ const 
char *service) ++{ ++ char **list = pam_ctx->gssapi_services; ++ ++ if (domain->gssapi_services != NULL) { ++ list = domain->gssapi_services; ++ } ++ ++ if (strcmp(service, "-") == 0) { ++ /* Dash is used as a "not set" value to allow to explicitly disable ++ * gssapi auth for specific domain. Disallow this service to be safe. ++ */ ++ DEBUG(SSSDBG_TRACE_FUNC, "Dash - was used as a PAM service name. " ++ "GSSAPI authentication is not allowed.\n"); ++ return false; ++ } ++ ++ return string_in_list(service, list, true); ++} ++ ++static char *pam_gssapi_target(TALLOC_CTX *mem_ctx, ++ struct sss_domain_info *domain) ++{ ++ return talloc_asprintf(mem_ctx, "host@%s", domain->hostname); ++} ++ ++static const char *pam_gssapi_get_upn(struct cache_req_result *result) ++{ ++ if (result->count == 0) { ++ return NULL; ++ } ++ ++ /* Canonical UPN should be available if the user has kinited through SSSD. ++ * Use it as a hint for GSSAPI. Default to empty string so it may be ++ * more easily transffered over the wire. */ ++ return ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_CANONICAL_UPN, ""); ++} ++ ++static const char *pam_gssapi_get_name(struct cache_req_result *result) ++{ ++ if (result->count == 0) { ++ return NULL; ++ } ++ ++ /* Return username known to SSSD to make sure we authenticated as the same ++ * user after GSSAPI handshake. 
*/ ++ return ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL); ++} ++ ++static errno_t pam_gssapi_init_parse(struct cli_protocol *pctx, ++ const char **_service, ++ const char **_username) ++{ ++ size_t body_len; ++ size_t pctr = 0; ++ uint8_t *body; ++ errno_t ret; ++ ++ sss_packet_get_body(pctx->creq->in, &body, &body_len); ++ if (body == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input\n"); ++ return EINVAL; ++ } ++ ++ ret = read_str(body_len, body, &pctr, _service); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = read_str(body_len, body, &pctr, _username); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ return EOK; ++} ++ ++static errno_t pam_gssapi_init_reply(struct cli_protocol *pctx, ++ const char *domain, ++ const char *target, ++ const char *upn, ++ const char *username) ++{ ++ size_t reply_len; ++ size_t body_len; ++ size_t pctr; ++ uint8_t *body; ++ errno_t ret; ++ ++ ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in), ++ &pctx->creq->out); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create a new packet [%d]; %s\n", ++ ret, sss_strerror(ret)); ++ return ret; ++ } ++ ++ reply_len = strlen(username) + 1; ++ reply_len += strlen(domain) + 1; ++ reply_len += strlen(target) + 1; ++ reply_len += strlen(upn) + 1; ++ ++ ret = sss_packet_grow(pctx->creq->out, reply_len); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create response: %s\n", ++ sss_strerror(ret)); ++ return ret; ++ } ++ ++ sss_packet_get_body(pctx->creq->out, &body, &body_len); ++ ++ pctr = 0; ++ SAFEALIGN_SETMEM_STRING(&body[pctr], username, strlen(username) + 1, &pctr); ++ SAFEALIGN_SETMEM_STRING(&body[pctr], domain, strlen(domain) + 1, &pctr); ++ SAFEALIGN_SETMEM_STRING(&body[pctr], target, strlen(target) + 1, &pctr); ++ SAFEALIGN_SETMEM_STRING(&body[pctr], upn, strlen(upn) + 1, &pctr); ++ ++ return EOK; ++} ++ ++struct gssapi_init_state { ++ struct cli_ctx *cli_ctx; ++ const char *username; ++ const char *service; ++}; 
++ ++static void pam_cmd_gssapi_init_done(struct tevent_req *req); ++ ++int pam_cmd_gssapi_init(struct cli_ctx *cli_ctx) ++{ ++ struct gssapi_init_state *state; ++ struct cli_protocol *pctx; ++ struct tevent_req *req; ++ const char *username; ++ const char *service; ++ const char *attrs[] = { SYSDB_NAME, SYSDB_CANONICAL_UPN, NULL }; ++ errno_t ret; ++ ++ state = talloc_zero(cli_ctx, struct gssapi_init_state); ++ if (state == NULL) { ++ return ENOMEM; ++ } ++ ++ pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); ++ ++ ret = pam_gssapi_init_parse(pctx, &service, &username); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse input [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ state->cli_ctx = cli_ctx; ++ state->service = service; ++ state->username = username; ++ ++ DEBUG(SSSDBG_TRACE_ALL, ++ "Requesting GSSAPI authentication of [%s] in service [%s]\n", ++ username, service); ++ ++ req = cache_req_user_by_name_attrs_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx, ++ cli_ctx->rctx->ncache, 0, ++ NULL, username, attrs); ++ if (req == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ tevent_req_set_callback(req, pam_cmd_gssapi_init_done, state); ++ ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ sss_cmd_send_error(cli_ctx, ret); ++ sss_cmd_done(cli_ctx, NULL); ++ } ++ ++ return EOK; ++} ++ ++static void pam_cmd_gssapi_init_done(struct tevent_req *req) ++{ ++ struct gssapi_init_state *state; ++ struct cache_req_result *result; ++ struct cli_protocol *pctx; ++ struct pam_ctx *pam_ctx; ++ const char *username; ++ const char *upn; ++ char *target; ++ errno_t ret; ++ ++ state = tevent_req_callback_data(req, struct gssapi_init_state); ++ pctx = talloc_get_type(state->cli_ctx->protocol_ctx, struct cli_protocol); ++ pam_ctx = talloc_get_type(state->cli_ctx->rctx->pvt_ctx, struct pam_ctx); ++ ++ ret = cache_req_user_by_name_attrs_recv(state, req, &result); ++ talloc_zfree(req); ++ 
if (ret == ENOENT || ret == ERR_DOMAIN_NOT_FOUND) { ++ ret = ENOENT; ++ goto done; ++ } else if (ret != EOK) { ++ goto done; ++ } ++ ++ if (!pam_gssapi_allowed(pam_ctx, result->domain, state->service)) { ++ ret = ENOTSUP; ++ goto done; ++ } ++ ++ username = pam_gssapi_get_name(result); ++ if (username == NULL) { ++ /* User with no name? */ ++ ret = ERR_INTERNAL; ++ goto done; ++ } ++ ++ upn = pam_gssapi_get_upn(result); ++ if (upn == NULL) { ++ /* UPN hint may be an empty string, but not NULL. */ ++ ret = ERR_INTERNAL; ++ goto done; ++ } ++ ++ target = pam_gssapi_target(state, result->domain); ++ if (target == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "Trying GSSAPI auth: User[%s], Domain[%s], UPN[%s], Target[%s]\n", ++ username, result->domain->name, upn, target); ++ ++ ret = pam_gssapi_init_reply(pctx, result->domain->name, target, upn, ++ username); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to construct reply [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++done: ++ DEBUG(SSSDBG_TRACE_FUNC, "Returning [%d]: %s\n", ret, sss_strerror(ret)); ++ ++ if (ret == EOK) { ++ sss_packet_set_error(pctx->creq->out, EOK); ++ } else { ++ sss_cmd_send_error(state->cli_ctx, ret); ++ } ++ ++ sss_cmd_done(state->cli_ctx, state); ++} ++ ++static void gssapi_log_status(int type, OM_uint32 status_code) ++{ ++ OM_uint32 message_context = 0; ++ gss_buffer_desc buf; ++ OM_uint32 minor; ++ ++ do { ++ gss_display_status(&minor, status_code, type, GSS_C_NO_OID, ++ &message_context, &buf); ++ DEBUG(SSSDBG_OP_FAILURE, "GSSAPI: %.*s\n", (int)buf.length, ++ (char *)buf.value); ++ gss_release_buffer(&minor, &buf); ++ } while (message_context != 0); ++} ++ ++static void gssapi_log_error(OM_uint32 major, OM_uint32 minor) ++{ ++ gssapi_log_status(GSS_C_GSS_CODE, major); ++ gssapi_log_status(GSS_C_MECH_CODE, minor); ++} ++ ++static char *gssapi_get_name(TALLOC_CTX *mem_ctx, gss_name_t gss_name) ++{ ++ gss_buffer_desc buf; ++ 
OM_uint32 major; ++ OM_uint32 minor; ++ char *exported; ++ ++ major = gss_display_name(&minor, gss_name, &buf, NULL); ++ if (major != GSS_S_COMPLETE) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export name\n"); ++ return NULL; ++ } ++ ++ exported = talloc_strndup(mem_ctx, buf.value, buf.length); ++ gss_release_buffer(&minor, &buf); ++ ++ if (exported == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); ++ return NULL; ++ } ++ ++ return exported; ++} ++ ++struct gssapi_state { ++ struct cli_ctx *cli_ctx; ++ struct sss_domain_info *domain; ++ const char *username; ++ ++ char *authenticated_upn; ++ bool established; ++ gss_ctx_id_t ctx; ++}; ++ ++int gssapi_state_destructor(struct gssapi_state *state) ++{ ++ OM_uint32 minor; ++ ++ gss_delete_sec_context(&minor, &state->ctx, NULL); ++ ++ return 0; ++} ++ ++static struct gssapi_state *gssapi_get_state(struct cli_ctx *cli_ctx, ++ const char *username, ++ struct sss_domain_info *domain) ++{ ++ struct gssapi_state *state; ++ ++ state = talloc_get_type(cli_ctx->state_ctx, struct gssapi_state); ++ if (state != NULL) { ++ return state; ++ } ++ ++ state = talloc_zero(cli_ctx, struct gssapi_state); ++ if (state == NULL) { ++ return NULL; ++ } ++ ++ state->username = talloc_strdup(state, username); ++ if (state == NULL) { ++ talloc_free(state); ++ return NULL; ++ } ++ ++ state->domain = domain; ++ state->cli_ctx = cli_ctx; ++ state->ctx = GSS_C_NO_CONTEXT; ++ talloc_set_destructor(state, gssapi_state_destructor); ++ ++ cli_ctx->state_ctx = state; ++ ++ return state; ++} ++ ++static errno_t gssapi_get_creds(const char *keytab, ++ const char *target, ++ gss_cred_id_t *_creds) ++{ ++ gss_key_value_set_desc cstore = {0, NULL}; ++ gss_key_value_element_desc el; ++ gss_buffer_desc name_buf; ++ gss_name_t name = GSS_C_NO_NAME; ++ OM_uint32 major; ++ OM_uint32 minor; ++ errno_t ret; ++ ++ if (keytab != NULL) { ++ el.key = "keytab"; ++ el.value = keytab; ++ cstore.count = 1; ++ cstore.elements = ⪙ ++ } ++ ++ if (target != NULL) { 
++ name_buf.value = discard_const(target); ++ name_buf.length = strlen(target); ++ ++ major = gss_import_name(&minor, &name_buf, GSS_C_NT_HOSTBASED_SERVICE, ++ &name); ++ if (GSS_ERROR(major)) { ++ DEBUG(SSSDBG_OP_FAILURE, "Could not import name [%s] " ++ "[maj:0x%x, min:0x%x]\n", target, major, minor); ++ ++ gssapi_log_error(major, minor); ++ ++ ret = EIO; ++ goto done; ++ } ++ } ++ ++ major = gss_acquire_cred_from(&minor, name, GSS_C_INDEFINITE, ++ GSS_C_NO_OID_SET, GSS_C_ACCEPT, &cstore, ++ _creds, NULL, NULL); ++ if (GSS_ERROR(major)) { ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to read credentials from [%s] " ++ "[maj:0x%x, min:0x%x]\n", keytab ? keytab : "default", ++ major, minor); ++ ++ gssapi_log_error(major, minor); ++ ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = EOK; ++ ++done: ++ gss_release_name(&minor, &name); ++ ++ return ret; ++} ++ ++static errno_t ++gssapi_handshake(struct gssapi_state *state, ++ struct cli_protocol *pctx, ++ const char *keytab, ++ const char *target, ++ uint8_t *gss_data, ++ size_t gss_data_len) ++{ ++ OM_uint32 flags = GSS_C_MUTUAL_FLAG; ++ gss_buffer_desc output = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc input; ++ gss_name_t client_name; ++ gss_cred_id_t creds; ++ OM_uint32 ret_flags; ++ gss_OID mech_type; ++ OM_uint32 major; ++ OM_uint32 minor; ++ errno_t ret; ++ ++ input.value = gss_data; ++ input.length = gss_data_len; ++ ++ ret = gssapi_get_creds(keytab, target, &creds); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ major = gss_accept_sec_context(&minor, &state->ctx, creds, ++ &input, NULL, &client_name, &mech_type, ++ &output, &ret_flags, NULL, NULL); ++ if (major == GSS_S_CONTINUE_NEEDED || output.length > 0) { ++ ret = sss_packet_set_body(pctx->creq->out, output.value, output.length); ++ if (ret != EOK) { ++ goto done; ++ } ++ } ++ ++ if (GSS_ERROR(major)) { ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to establish GSS context " ++ "[maj:0x%x, min:0x%x]\n", major, minor); ++ ++ gssapi_log_error(major, minor); ++ ret = EIO; ++ goto done; 
++ } ++ ++ if (major == GSS_S_CONTINUE_NEEDED) { ++ ret = EOK; ++ goto done; ++ } else if (major != GSS_S_COMPLETE) { ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to establish GSS context, unexpected " ++ "value: 0x%x\n", major); ++ ret = EIO; ++ goto done; ++ } ++ ++ if ((ret_flags & flags) != flags) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Negotiated context does not support requested flags\n"); ++ state->established = false; ++ ret = EIO; ++ goto done; ++ } ++ ++ state->authenticated_upn = gssapi_get_name(state, client_name); ++ if (state->authenticated_upn == NULL) { ++ state->established = false; ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ DEBUG(SSSDBG_TRACE_FUNC, "Security context established with [%s]\n", ++ state->authenticated_upn); ++ ++ state->established = true; ++ ret = EOK; ++ ++done: ++ gss_release_cred(&minor, &creds); ++ gss_release_buffer(&minor, &output); ++ ++ return ret; ++} ++ ++static errno_t pam_cmd_gssapi_sec_ctx_parse(struct cli_protocol *pctx, ++ const char **_pam_service, ++ const char **_username, ++ const char **_domain, ++ uint8_t **_gss_data, ++ size_t *_gss_data_len) ++{ ++ size_t body_len; ++ uint8_t *body; ++ size_t pctr; ++ errno_t ret; ++ ++ sss_packet_get_body(pctx->creq->in, &body, &body_len); ++ if (body == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input\n"); ++ return EINVAL; ++ } ++ ++ pctr = 0; ++ ret = read_str(body_len, body, &pctr, _pam_service); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = read_str(body_len, body, &pctr, _username); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = read_str(body_len, body, &pctr, _domain); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ *_gss_data = (pctr == body_len) ? 
NULL : body + pctr; ++ *_gss_data_len = body_len - pctr; ++ ++ return EOK; ++} ++ ++static void pam_cmd_gssapi_sec_ctx_done(struct tevent_req *req); ++ ++int ++pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx) ++{ ++ struct sss_domain_info *domain; ++ struct gssapi_state *state; ++ struct cli_protocol *pctx; ++ struct pam_ctx *pam_ctx; ++ struct tevent_req *req; ++ const char *pam_service; ++ const char *domain_name; ++ const char *username; ++ char *target; ++ size_t gss_data_len; ++ uint8_t *gss_data; ++ errno_t ret; ++ ++ pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); ++ pam_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct pam_ctx); ++ ++ ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in), ++ &pctx->creq->out); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create a new packet [%d]; %s\n", ++ ret, sss_strerror(ret)); ++ return ret; ++ } ++ ++ ret = pam_cmd_gssapi_sec_ctx_parse(pctx, &pam_service, &username, ++ &domain_name, &gss_data, &gss_data_len); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Unable to parse input data [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ domain = find_domain_by_name(cli_ctx->rctx->domains, domain_name, false); ++ if (domain == NULL) { ++ ret = EINVAL; ++ goto done; ++ } ++ ++ if (!pam_gssapi_allowed(pam_ctx, domain, pam_service)) { ++ ret = ENOTSUP; ++ goto done; ++ } ++ ++ target = pam_gssapi_target(cli_ctx, domain); ++ if (target == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ state = gssapi_get_state(cli_ctx, username, domain); ++ if (state == NULL) { ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ if (strcmp(username, state->username) != 0 || state->domain != domain) { ++ /* This should not happen, but be paranoid. 
*/ ++ DEBUG(SSSDBG_CRIT_FAILURE, "Different input user then who initiated " ++ "the request!\n"); ++ ret = EPERM; ++ goto done; ++ } ++ ++ if (state->established) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Security context is already established\n"); ++ ret = EPERM; ++ goto done; ++ } ++ ++ ret = gssapi_handshake(state, pctx, domain->krb5_keytab, target, gss_data, ++ gss_data_len); ++ if (ret != EOK || !state->established) { ++ goto done; ++ } ++ ++ if (!pam_gssapi_should_check_upn(pam_ctx, domain)) { ++ /* We are done. */ ++ goto done; ++ } ++ ++ /* We have established the security context. Now check the the principal ++ * used for authorization can be associated with the user. We have ++ * already done initgroups before so we could just search the sysdb ++ * directly, but use cache req to avoid looking up a possible expired ++ * object if the handshake took longer. */ ++ ++ DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n"); ++ ++ req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx, ++ cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX, ++ domain->name, state->authenticated_upn); ++ if (req == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ tevent_req_set_callback(req, pam_cmd_gssapi_sec_ctx_done, state); ++ ++ return EOK; ++ ++done: ++ DEBUG(SSSDBG_TRACE_FUNC, "Returning [%d]: %s\n", ret, sss_strerror(ret)); ++ ++ if (ret == EOK) { ++ sss_packet_set_error(pctx->creq->out, EOK); ++ } else { ++ sss_cmd_send_error(cli_ctx, ret); ++ } ++ ++ sss_cmd_done(cli_ctx, NULL); ++ return EOK; ++} ++ ++static void pam_cmd_gssapi_sec_ctx_done(struct tevent_req *req) ++{ ++ struct gssapi_state *state; ++ struct cache_req_result *result; ++ struct cli_protocol *pctx; ++ const char *name; ++ errno_t ret; ++ ++ state = tevent_req_callback_data(req, struct gssapi_state); ++ pctx = talloc_get_type(state->cli_ctx->protocol_ctx, struct cli_protocol); ++ ++ ret = cache_req_user_by_upn_recv(state, req, &result); ++ 
talloc_zfree(req); ++ if (ret == ENOENT || ret == ERR_DOMAIN_NOT_FOUND) { ++ /* We have no match. Return failure. */ ++ DEBUG(SSSDBG_TRACE_FUNC, "User with UPN [%s] was not found. " ++ "Authentication failed.\n", state->authenticated_upn); ++ ret = EACCES; ++ goto done; ++ } else if (ret != EOK) { ++ /* Generic error. Return failure. */ ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user by UPN [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ /* Check that username match. */ ++ name = ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL); ++ if (name == NULL || strcmp(name, state->username) != 0) { ++ DEBUG(SSSDBG_TRACE_FUNC, "UPN [%s] does not match target user [%s]. " ++ "Authentication failed.\n", state->authenticated_upn, ++ state->username); ++ ret = EACCES; ++ goto done; ++ } ++ ++ DEBUG(SSSDBG_TRACE_FUNC, "User [%s] match UPN [%s]. Authentication was " ++ "successful.\n", state->username, state->authenticated_upn); ++ ++ ret = EOK; ++ ++done: ++ DEBUG(SSSDBG_TRACE_FUNC, "Returning [%d]: %s\n", ret, sss_strerror(ret)); ++ ++ if (ret == EOK) { ++ sss_packet_set_error(pctx->creq->out, EOK); ++ } else { ++ sss_cmd_send_error(state->cli_ctx, ret); ++ } ++ ++ sss_cmd_done(state->cli_ctx, state); ++} +diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c +new file mode 100644 +index 000000000..cd38db7da +--- /dev/null ++++ b/src/sss_client/pam_sss_gss.c +@@ -0,0 +1,588 @@ ++/* ++ Authors: ++ Pavel Březina ++ ++ Copyright (C) 2020 Red Hat ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "util/sss_format.h" ++#include "sss_client/sss_cli.h" ++ ++bool debug_enabled; ++ ++#define TRACE(pamh, fmt, ...) do { \ ++ if (debug_enabled) { \ ++ pam_info(pamh, "pam_sss_gss: " fmt, ## __VA_ARGS__); \ ++ } \ ++} while (0) ++ ++#define ERROR(pamh, fmt, ...) do { \ ++ if (debug_enabled) { \ ++ pam_error(pamh, "pam_sss_gss: " fmt, ## __VA_ARGS__); \ ++ pam_syslog(pamh, LOG_ERR, fmt, ## __VA_ARGS__); \ ++ } \ ++} while (0) ++ ++static bool switch_euid(pam_handle_t *pamh, uid_t current, uid_t desired) ++{ ++ int ret; ++ ++ TRACE(pamh, "Switching euid from %" SPRIuid " to %" SPRIuid, current, ++ desired); ++ ++ if (current == desired) { ++ return true; ++ } ++ ++ ret = seteuid(desired); ++ if (ret != 0) { ++ ERROR(pamh, "Unable to set euid to %" SPRIuid, desired); ++ return false; ++ } ++ ++ return true; ++} ++ ++static const char *get_item_as_string(pam_handle_t *pamh, int item) ++{ ++ const char *str; ++ int ret; ++ ++ ret = pam_get_item(pamh, item, (void *)&str); ++ if (ret != PAM_SUCCESS || str == NULL || str[0] == '\0') { ++ return NULL; ++ } ++ ++ return str; ++} ++ ++static errno_t string_to_gss_name(pam_handle_t *pamh, ++ const char *target, ++ gss_OID type, ++ gss_name_t *_name) ++{ ++ gss_buffer_desc name_buf; ++ OM_uint32 major; ++ OM_uint32 minor; ++ ++ name_buf.value = (void *)(uintptr_t)target; ++ name_buf.length = strlen(target); ++ major = gss_import_name(&minor, &name_buf, type, _name); ++ if (GSS_ERROR(major)) { ++ ERROR(pamh, "Could not convert target to GSS name"); ++ return EIO; ++ } ++ ++ return EOK; ++} ++ ++static void gssapi_log_status(pam_handle_t *pamh, ++ int type, ++ OM_uint32 status_code) ++{ ++ gss_buffer_desc buf; ++ 
OM_uint32 message_context; ++ OM_uint32 minor; ++ ++ message_context = 0; ++ do { ++ gss_display_status(&minor, status_code, type, GSS_C_NO_OID, ++ &message_context, &buf); ++ ERROR(pamh, "GSSAPI: %.*s", (int)buf.length, (char *)buf.value); ++ gss_release_buffer(&minor, &buf); ++ } while (message_context != 0); ++} ++ ++static void gssapi_log_error(pam_handle_t *pamh, ++ OM_uint32 major, ++ OM_uint32 minor) ++{ ++ gssapi_log_status(pamh, GSS_C_GSS_CODE, major); ++ gssapi_log_status(pamh, GSS_C_MECH_CODE, minor); ++} ++ ++static errno_t gssapi_get_creds(pam_handle_t *pamh, ++ const char *ccache, ++ const char *target, ++ const char *upn, ++ gss_cred_id_t *_creds) ++{ ++ gss_key_value_set_desc cstore = {0, NULL}; ++ gss_key_value_element_desc el; ++ gss_name_t name = GSS_C_NO_NAME; ++ OM_uint32 major; ++ OM_uint32 minor; ++ errno_t ret; ++ ++ if (upn != NULL && upn[0] != '\0') { ++ TRACE(pamh, "Acquiring credentials for principal [%s]", upn); ++ ret = string_to_gss_name(pamh, upn, GSS_C_NT_USER_NAME, &name); ++ if (ret != EOK) { ++ goto done; ++ } ++ } else { ++ TRACE(pamh, "Acquiring credentials, principal name will be derived"); ++ } ++ ++ if (ccache != NULL) { ++ el.key = "ccache"; ++ el.value = ccache; ++ cstore.count = 1; ++ cstore.elements = ⪙ ++ } ++ ++ major = gss_acquire_cred_from(&minor, name, GSS_C_INDEFINITE, ++ GSS_C_NO_OID_SET, GSS_C_INITIATE, ++ &cstore, _creds, NULL, NULL); ++ if (GSS_ERROR(major)) { ++ /* TODO: Do not hardcode the error code. */ ++ if (minor == 2529639053 && name != GSS_C_NO_NAME) { ++ /* Hint principal was not found. Try again and let GSSAPI choose. */ ++ TRACE(pamh, "Principal [%s] was not found in ccache", upn); ++ ret = gssapi_get_creds(pamh, ccache, target, NULL, _creds); ++ goto done; ++ } else { ++ ERROR(pamh, "Unable to read credentials from [%s] " ++ "[maj:0x%x, min:0x%x]", ccache == NULL ? 
"default" : ccache, ++ major, minor); ++ ++ gssapi_log_error(pamh, major, minor); ++ ret = EIO; ++ goto done; ++ } ++ } ++ ++ ret = EOK; ++ ++done: ++ gss_release_name(&minor, &name); ++ ++ return ret; ++} ++ ++static errno_t sssd_gssapi_init_send(pam_handle_t *pamh, ++ const char *pam_service, ++ const char *pam_user, ++ uint8_t **_reply, ++ size_t *_reply_len) ++{ ++ struct sss_cli_req_data req_data; ++ size_t service_len; ++ size_t user_len; ++ uint8_t *data; ++ errno_t ret; ++ int ret_errno; ++ ++ if (pam_service == NULL || pam_user == NULL) { ++ return EINVAL; ++ } ++ ++ service_len = strlen(pam_service) + 1; ++ user_len = strlen(pam_user) + 1; ++ ++ req_data.len = (service_len + user_len) * sizeof(char); ++ data = (uint8_t*)malloc(req_data.len); ++ if (data == NULL) { ++ return ENOMEM; ++ } ++ ++ memcpy(data, pam_service, service_len); ++ memcpy(data + service_len, pam_user, user_len); ++ ++ req_data.data = data; ++ ++ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len, ++ &ret_errno); ++ free(data); ++ if (ret != PAM_SUCCESS) { ++ if (ret_errno == ENOTSUP) { ++ TRACE(pamh, "GSSAPI authentication is not supported for user %s " ++ "and service %s", pam_user, pam_service); ++ return ret_errno; ++ } ++ ++ ERROR(pamh, "Communication error [%d, %d]: %s; %s", ret, ret_errno, ++ pam_strerror(pamh, ret), strerror(ret_errno)); ++ ++ return (ret_errno != EOK) ? 
ret_errno : EIO; ++ } ++ ++ return ret_errno; ++} ++ ++static errno_t sssd_gssapi_init_recv(uint8_t *reply, ++ size_t reply_len, ++ char **_username, ++ char **_domain, ++ char **_target, ++ char **_upn) ++{ ++ char *username = NULL; ++ char *domain = NULL; ++ char *target = NULL; ++ char *upn = NULL; ++ const char *buf; ++ size_t pctr = 0; ++ size_t dlen; ++ errno_t ret; ++ ++ username = malloc(reply_len * sizeof(char)); ++ domain = malloc(reply_len * sizeof(char)); ++ target = malloc(reply_len * sizeof(char)); ++ upn = malloc(reply_len * sizeof(char)); ++ if (username == NULL || domain == NULL || target == NULL || upn == NULL) { ++ return ENOMEM; ++ } ++ ++ buf = (const char*)reply; ++ ++ dlen = reply_len; ++ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &username, ++ NULL); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ dlen = reply_len; ++ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &domain, NULL); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ dlen = reply_len; ++ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &target, NULL); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ dlen = reply_len; ++ ret = sss_readrep_copy_string(buf, &pctr, &reply_len, &dlen, &upn, NULL); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ *_username = username; ++ *_domain = domain; ++ *_target = target; ++ *_upn = upn; ++ ++done: ++ if (ret != EOK) { ++ free(username); ++ free(domain); ++ free(target); ++ free(upn); ++ } ++ ++ return ret; ++} ++ ++static errno_t sssd_gssapi_init(pam_handle_t *pamh, ++ const char *pam_service, ++ const char *pam_user, ++ char **_username, ++ char **_domain, ++ char **_target, ++ char **_upn) ++{ ++ size_t reply_len; ++ uint8_t *reply; ++ errno_t ret; ++ ++ ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply, ++ &reply_len); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = sssd_gssapi_init_recv(reply, reply_len, _username, _domain, _target, ++ _upn); ++ free(reply); ++ ++ return ret; ++} ++ 
++static errno_t sssd_establish_sec_ctx_send(pam_handle_t *pamh, ++ const char *pam_service, ++ const char *username, ++ const char *domain, ++ const void *gss_data, ++ size_t gss_data_len, ++ void **_reply, ++ size_t *_reply_len) ++{ ++ struct sss_cli_req_data req_data; ++ size_t username_len; ++ size_t service_len; ++ size_t domain_len; ++ uint8_t *data; ++ int ret_errno; ++ int ret; ++ ++ service_len = strlen(pam_service) + 1; ++ username_len = strlen(username) + 1; ++ domain_len = strlen(domain) + 1; ++ ++ req_data.len = (service_len + username_len + domain_len) * sizeof(char) ++ + gss_data_len; ++ data = malloc(req_data.len); ++ if (data == NULL) { ++ return ENOMEM; ++ } ++ ++ memcpy(data, pam_service, service_len); ++ memcpy(data + service_len, username, username_len); ++ memcpy(data + service_len + username_len, domain, domain_len); ++ memcpy(data + service_len + username_len + domain_len, gss_data, ++ gss_data_len); ++ ++ req_data.data = data; ++ ret = sss_pam_make_request(SSS_GSSAPI_SEC_CTX, &req_data, (uint8_t**)_reply, ++ _reply_len, &ret_errno); ++ free(data); ++ if (ret != PAM_SUCCESS) { ++ /* ENOTSUP should not happend here so let's keep it as generic error. */ ++ ERROR(pamh, "Communication error [%d, %d]: %s; %s", ret, ret_errno, ++ pam_strerror(pamh, ret), strerror(ret_errno)); ++ ++ return (ret_errno != EOK) ? 
ret_errno : EIO; ++ } ++ ++ return ret_errno; ++} ++ ++static int sssd_establish_sec_ctx(pam_handle_t *pamh, ++ const char *ccache, ++ const char *pam_service, ++ const char *username, ++ const char *domain, ++ const char *target, ++ const char *upn) ++{ ++ gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; ++ gss_buffer_desc input = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc output = GSS_C_EMPTY_BUFFER; ++ OM_uint32 flags = GSS_C_MUTUAL_FLAG; ++ gss_name_t gss_name; ++ gss_cred_id_t creds; ++ OM_uint32 ret_flags; ++ OM_uint32 major; ++ OM_uint32 minor; ++ int ret; ++ ++ ret = gssapi_get_creds(pamh, ccache, target, upn, &creds); ++ if (ret != EOK) { ++ return ret; ++ } ++ ++ ret = string_to_gss_name(pamh, target, GSS_C_NT_HOSTBASED_SERVICE, &gss_name); ++ if (ret != 0) { ++ return ret; ++ } ++ ++ do { ++ major = gss_init_sec_context(&minor, creds, &ctx, ++ gss_name, GSS_C_NO_OID, flags, 0, NULL, ++ &input, NULL, &output, ++ &ret_flags, NULL); ++ ++ free(input.value); ++ memset(&input, 0, sizeof(gss_buffer_desc)); ++ ++ if (GSS_ERROR(major)) { ++ ERROR(pamh, "Unable to establish GSS context [maj:0x%x, min:0x%x]", ++ major, minor); ++ gssapi_log_error(pamh, major, minor); ++ ret = EIO; ++ goto done; ++ } else if (major == GSS_S_CONTINUE_NEEDED || output.length > 0) { ++ ret = sssd_establish_sec_ctx_send(pamh, pam_service, ++ username, domain, ++ output.value, output.length, ++ &input.value, &input.length); ++ gss_release_buffer(NULL, &output); ++ if (ret != EOK) { ++ goto done; ++ } ++ } ++ } while (major != GSS_S_COMPLETE); ++ ++ if ((ret_flags & flags) != flags) { ++ ERROR(pamh, "Negotiated context does not support requested flags\n"); ++ ret = EIO; ++ goto done; ++ } ++ ++ ret = EOK; ++ ++done: ++ gss_delete_sec_context(&minor, &ctx, NULL); ++ gss_release_name(&minor, &gss_name); ++ ++ return ret; ++} ++ ++static int errno_to_pam(pam_handle_t *pamh, errno_t ret) ++{ ++ switch (ret) { ++ case EOK: ++ TRACE(pamh, "Authentication successful"); ++ return PAM_SUCCESS; ++ case ENOENT: ++ 
TRACE(pamh, "User not found"); ++ return PAM_USER_UNKNOWN; ++ case ENOTSUP: ++ TRACE(pamh, "GSSAPI authentication is not enabled " ++ "for given user and service"); ++ return PAM_USER_UNKNOWN; ++ case ESSS_NO_SOCKET: ++ TRACE(pamh, "SSSD socket does not exist"); ++ return PAM_AUTHINFO_UNAVAIL; ++ case EPERM: ++ TRACE(pamh, "Authentication failed"); ++ return PAM_AUTH_ERR; ++ default: ++ TRACE(pamh, "System error [%d]: %s", ++ ret, strerror(ret)); ++ return PAM_SYSTEM_ERR; ++ } ++} ++ ++int pam_sm_authenticate(pam_handle_t *pamh, ++ int flags, ++ int argc, ++ const char **argv) ++{ ++ const char *pam_service; ++ const char *pam_user; ++ const char *ccache; ++ char *username = NULL; ++ char *domain = NULL; ++ char *target = NULL; ++ char *upn = NULL; ++ uid_t uid; ++ uid_t euid; ++ errno_t ret; ++ ++ debug_enabled = false; ++ for (int i = 0; i < argc; i++) { ++ if (strcmp(argv[i], "debug") == 0) { ++ debug_enabled = true; ++ break; ++ } ++ } ++ ++ ++ /* Get non-default ccache if specified, may be NULL. */ ++ ccache = getenv("KRB5CCNAME"); ++ ++ uid = getuid(); ++ euid = geteuid(); ++ ++ /* Read PAM data. */ ++ pam_service = get_item_as_string(pamh, PAM_SERVICE); ++ pam_user = get_item_as_string(pamh, PAM_USER); ++ if (pam_service == NULL || pam_user == NULL) { ++ ERROR(pamh, "Unable to get PAM data!"); ++ ret = EINVAL; ++ goto done; ++ } ++ ++ /* Initialize GSSAPI authentication with SSSD. Get user domain ++ * and target GSS service name. */ ++ TRACE(pamh, "Initializing GSSAPI authentication with SSSD"); ++ ret = sssd_gssapi_init(pamh, pam_service, pam_user, &username, &domain, ++ &target, &upn); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ /* PAM is often called from set-user-id applications (sudo, su). we want to ++ * make sure that we access credentials of the caller (real uid). */ ++ if (!switch_euid(pamh, euid, uid)) { ++ ret = EFAULT; ++ goto done; ++ } ++ ++ /* Authenticate the user by estabilishing security context. 
Authorization is ++ * expected to be done by other modules through pam_access. */ ++ TRACE(pamh, "Trying to establish security context"); ++ TRACE(pamh, "SSSD User name: %s", username); ++ TRACE(pamh, "User domain: %s", domain); ++ TRACE(pamh, "User principal: %s", upn); ++ TRACE(pamh, "Target name: %s", target); ++ TRACE(pamh, "Using ccache: %s", ccache == NULL ? "default" : ccache); ++ ret = sssd_establish_sec_ctx(pamh, ccache, pam_service, ++ username, domain, target, upn); ++ ++ /* Restore original euid. */ ++ if (!switch_euid(pamh, uid, euid)) { ++ ret = EFAULT; ++ goto done; ++ } ++ ++done: ++ sss_pam_close_fd(); ++ free(domain); ++ free(target); ++ free(upn); ++ ++ return errno_to_pam(pamh, ret); ++} ++ ++int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ return PAM_IGNORE; ++} ++ ++int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ return PAM_IGNORE; ++} ++ ++int pam_sm_open_session(pam_handle_t *pamh, ++ int flags, ++ int argc, ++ const char **argv) ++{ ++ return PAM_IGNORE; ++} ++ ++int pam_sm_close_session(pam_handle_t *pamh, ++ int flags, ++ int argc, ++ const char **argv) ++{ ++ return PAM_IGNORE; ++} ++ ++int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) ++{ ++ return PAM_IGNORE; ++} +diff --git a/src/sss_client/pam_sss_gss.exports b/src/sss_client/pam_sss_gss.exports +new file mode 100644 +index 000000000..9afa106be +--- /dev/null ++++ b/src/sss_client/pam_sss_gss.exports +@@ -0,0 +1,4 @@ ++{ ++ global: ++ *; ++}; +diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h +index d897f43b7..2c3c71bc4 100644 +--- a/src/sss_client/sss_cli.h ++++ b/src/sss_client/sss_cli.h +@@ -233,6 +233,8 @@ enum sss_cli_command { + * an authentication request to find + * out which authentication methods + * are available for the given user. */ ++ SSS_GSSAPI_INIT = 0x00FA, /**< Initialize GSSAPI authentication. 
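Review bot: `sssd_establish_sec_ctx()` in `pam_sss_gss.c` never releases `creds`: its `done:` label deletes the context and the name only, and the early `return ret` after a failed `string_to_gss_name()` skips cleanup entirely, so the credential handle acquired from the caller's ccache stays alive in the host process after every attempt. Initialising both handles, routing the failure through `done:` and adding a `gss_release_cred()` call there closes both paths. The same hunk has two more leaks: `pam_sm_authenticate()` frees `domain`, `target` and `upn` but not `username` (add `free(username);`), and `sssd_gssapi_init_recv()` returns `ENOMEM` without freeing whichever of its four buffers were allocated.

```c
static int sssd_establish_sec_ctx(pam_handle_t *pamh,
/* … unchanged: remaining parameters and the other locals … */
    gss_name_t gss_name = GSS_C_NO_NAME;
    gss_cred_id_t creds = GSS_C_NO_CREDENTIAL;
/* … unchanged: gssapi_get_creds() call and its early return … */
    ret = string_to_gss_name(pamh, target, GSS_C_NT_HOSTBASED_SERVICE, &gss_name);
    if (ret != 0) {
        goto done;
    }
/* … unchanged: gss_init_sec_context() loop and ret_flags check … */
done:
    gss_delete_sec_context(&minor, &ctx, NULL);
    gss_release_name(&minor, &gss_name);
    gss_release_cred(&minor, &creds);
```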
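Review bot: The version script in `pam_sss_gss.exports` exports every symbol (`global: *;`), while `pam_sss_gss.c` in this same patch defines `bool debug_enabled;` without `static`. A generically named flag therefore lands in the module's dynamic symbol table, where it can collide with or be preempted by a same-named symbol in the process that loads the module. A PAM module only needs its `pam_sm_*` entry points visible, so consider `global: pam_sm_*; local: *;` here. If the wildcard is the project's convention for its client modules (not visible on this page), declaring the flag as `static bool debug_enabled;` is still worth doing on its own.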
*/ ++ SSS_GSSAPI_SEC_CTX = 0x00FB, /**< Establish GSSAPI security ctx. */ + + /* PAC responder calls */ + SSS_PAC_ADD_PAC_USER = 0x0101, +@@ -721,4 +723,10 @@ errno_t sss_readrep_copy_string(const char *in, + char **out, + size_t *size); + ++enum pam_gssapi_cmd { ++ PAM_GSSAPI_GET_NAME, ++ PAM_GSSAPI_INIT, ++ PAM_GSSAPI_SENTINEL ++}; ++ + #endif /* _SSSCLI_H */ +diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c +index ccf52abe9..bffa02188 100644 +--- a/src/tests/dlopen-tests.c ++++ b/src/tests/dlopen-tests.c +@@ -47,6 +47,7 @@ struct so { + { "libnss_sss.so", { LIBPFX"libnss_sss.so", NULL } }, + { "libsss_certmap.so", { LIBPFX"libsss_certmap.so", NULL } }, + { "pam_sss.so", { LIBPFX"pam_sss.so", NULL } }, ++ { "pam_sss_gss.so", { LIBPFX"pam_sss_gss.so", NULL } }, + #ifdef BUILD_WITH_LIBSECRET + { "libsss_secrets.so", { LIBPFX"libsss_secrets.so", NULL } }, + #endif /* BUILD_WITH_LIBSECRET */ +-- +2.21.3 + diff --git a/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch b/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch new file mode 100644 index 0000000..dae8746 --- /dev/null +++ b/SOURCES/0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch 
@@ -0,0 +1,100 @@ +From 3f0ba4c2dcf9126b0f94bca4a056b516759d25c1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 6 Mar 2020 12:49:04 +0100 +Subject: [PATCH 13/18] cache_req: allow cache_req to return ERR_OFFLINE if all + dp request failed + +Reviewed-by: Alexey Tikhonov +--- + src/responder/common/cache_req/cache_req.c | 13 +++++++++++++ + src/responder/common/cache_req/cache_req.h | 4 ++++ + src/responder/common/cache_req/cache_req_data.c | 12 ++++++++++++ + src/responder/common/cache_req/cache_req_private.h | 3 +++ + 4 files changed, 32 insertions(+) + +diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c +index afb0e7cda..0c8538414 100644 +--- a/src/responder/common/cache_req/cache_req.c ++++ b/src/responder/common/cache_req/cache_req.c +@@ -974,6 +974,13 @@ static void cache_req_search_domains_done(struct tevent_req *subreq) + case ERR_ID_OUTSIDE_RANGE: + case ENOENT: + if (state->check_next == false) { ++ if (state->cr->data->propogate_offline_status && !state->dp_success) { ++ /* Not found and data provider request failed so we were ++ * unable to fetch the data. */ ++ ret = ERR_OFFLINE; ++ goto done; ++ } ++ + /* Not found. */ + ret = ENOENT; + goto done; +@@ -1002,6 +1009,12 @@ done: + case EAGAIN: + break; + default: ++ if (ret == ENOENT && state->cr->data->propogate_offline_status ++ && !state->dp_success) { ++ /* Not found and data provider request failed so we were ++ * unable to fetch the data. 
*/ ++ ret = ERR_OFFLINE; ++ } + tevent_req_error(req, ret); + break; + } +diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h +index 72d4abe5e..d36cb2d3b 100644 +--- a/src/responder/common/cache_req/cache_req.h ++++ b/src/responder/common/cache_req/cache_req.h +@@ -171,6 +171,10 @@ void + cache_req_data_set_requested_domains(struct cache_req_data *data, + char **requested_domains); + ++void ++cache_req_data_set_propogate_offline_status(struct cache_req_data *data, ++ bool propogate_offline_status); ++ + enum cache_req_type + cache_req_data_get_type(struct cache_req_data *data); + +diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c +index 14c4ad14f..fe9f3db29 100644 +--- a/src/responder/common/cache_req/cache_req_data.c ++++ b/src/responder/common/cache_req/cache_req_data.c +@@ -455,6 +455,18 @@ cache_req_data_set_requested_domains(struct cache_req_data *data, + data->requested_domains = requested_domains; + } + ++void ++cache_req_data_set_propogate_offline_status(struct cache_req_data *data, ++ bool propogate_offline_status) ++{ ++ if (data == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n"); ++ return; ++ } ++ ++ data->propogate_offline_status = propogate_offline_status; ++} ++ + enum cache_req_type + cache_req_data_get_type(struct cache_req_data *data) + { +diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h +index bfca688b9..2d52e7600 100644 +--- a/src/responder/common/cache_req/cache_req_private.h ++++ b/src/responder/common/cache_req/cache_req_private.h +@@ -103,6 +103,9 @@ struct cache_req_data { + + /* if set, only search in the listed domains */ + char **requested_domains; ++ ++ /* if set, ERR_OFFLINE is returned if data provider is offline */ ++ bool propogate_offline_status; + }; + + struct tevent_req * +-- +2.21.3 + 
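Review bot: The ERR_OFFLINE override added under `case ENOENT:` in cache_req_search_domains_done() looks redundant with the one added in the `done:` switch. Without the first block, `ret = ENOENT; goto done;` would still reach the `default:` branch, where the same `propogate_offline_status && !state->dp_success` test rewrites it. Keeping only the `done:` copy stops the two conditions drifting apart, but the function body extends beyond both hunks, so confirm this against the full switch. The new setter and field are spelled `propogate`; renaming to `cache_req_data_set_propagate_offline_status` is cheapest now, before more callers adopt it. The field comment could also state the real condition, e.g. `/* if set, ERR_OFFLINE replaces ENOENT when no data provider request succeeded */`.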
diff --git a/SOURCES/0028-mem-cache-sizes-of-free-and-data-tables-were-made-co.patch b/SOURCES/0028-mem-cache-sizes-of-free-and-data-tables-were-made-co.patch
deleted file mode 100644
index fe893fb..0000000
--- a/SOURCES/0028-mem-cache-sizes-of-free-and-data-tables-were-made-co.patch
+++ /dev/null
@@ -1,193 +0,0 @@ -From 2d90e642078c15f001b34a0a50a67fa6eac9a3b9 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 3 Mar 2020 18:44:11 +0100 -Subject: [PATCH 28/35] mem-cache: sizes of free and data tables were made - consistent - -Since size of "free table" didn't account for SSS_AVG_*_PAYLOAD factor -only small fraction of "data table" was actually used. -SSS_AVG_*_PAYLOAD differentiation for different payload types only -affected size of hash table and was removed as unjustified. - -Resolves: -https://github.com/SSSD/sssd/issues/5115 - -Reviewed-by: Sumit Bose ---- - src/responder/nss/nsssrv.c | 22 +++++++++++------- - src/responder/nss/nsssrv_mmap_cache.c | 33 +++++++-------------------- - src/responder/nss/nsssrv_mmap_cache.h | 2 -- - src/util/mmap_cache.h | 3 --- - 4 files changed, 22 insertions(+), 38 deletions(-) - -diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c -index 87300058f..21d93ae77 100644 ---- a/src/responder/nss/nsssrv.c -+++ b/src/responder/nss/nsssrv.c -@@ -83,10 +83,9 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx, - return ret; - } - -- /* TODO: read cache sizes from configuration */ - DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n"); - ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid, -- SSS_MC_CACHE_ELEMENTS, -+ -1, /* keep current size */ - (time_t) memcache_timeout, - &nctx->pwd_mc_ctx); - if (ret != EOK) { -@@ -96,7 +95,7 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx, - } - - ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid, -- SSS_MC_CACHE_ELEMENTS, -+ -1, /* keep current size */ - (time_t) memcache_timeout, - &nctx->grp_mc_ctx); - if (ret != EOK) { -@@ -106,7 +105,7 @@ nss_clear_memcache(TALLOC_CTX *mem_ctx, - } - - ret = sss_mmap_cache_reinit(nctx, nctx->mc_uid, nctx->mc_gid, -- SSS_MC_CACHE_ELEMENTS, -+ -1, /* keep current size */ - (time_t)memcache_timeout, - &nctx->initgr_mc_ctx); - if (ret != EOK) { -@@ -210,6 +209,11 @@ done: - - static int setup_memcaches(struct nss_ctx *nctx) - 
{ -+ /* TODO: read cache sizes from configuration */ -+ static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */ -+ static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */ -+ static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */ -+ - int ret; - int memcache_timeout; - -@@ -239,11 +243,11 @@ static int setup_memcaches(struct nss_ctx *nctx) - return EOK; - } - -- /* TODO: read cache sizes from configuration */ - ret = sss_mmap_cache_init(nctx, "passwd", - nctx->mc_uid, nctx->mc_gid, - SSS_MC_PASSWD, -- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, -+ SSS_MC_CACHE_PASSWD_SLOTS, -+ (time_t)memcache_timeout, - &nctx->pwd_mc_ctx); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n"); -@@ -252,7 +256,8 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = sss_mmap_cache_init(nctx, "group", - nctx->mc_uid, nctx->mc_gid, - SSS_MC_GROUP, -- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, -+ SSS_MC_CACHE_GROUP_SLOTS, -+ (time_t)memcache_timeout, - &nctx->grp_mc_ctx); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n"); -@@ -261,7 +266,8 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = sss_mmap_cache_init(nctx, "initgroups", - nctx->mc_uid, nctx->mc_gid, - SSS_MC_INITGROUPS, -- SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, -+ SSS_MC_CACHE_INITGROUP_SLOTS, -+ (time_t)memcache_timeout, - &nctx->initgr_mc_ctx); - if (ret) { - DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n"); -diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c -index 69e767690..5e23bbe6f 100644 ---- a/src/responder/nss/nsssrv_mmap_cache.c -+++ b/src/responder/nss/nsssrv_mmap_cache.c -@@ -28,13 +28,6 @@ - #include "responder/nss/nss_private.h" - #include "responder/nss/nsssrv_mmap_cache.h" - --/* arbitrary (avg of my /etc/passwd) */ --#define SSS_AVG_PASSWD_PAYLOAD (MC_SLOT_SIZE * 4) --/* short group name and no gids (private user group */ --#define 
SSS_AVG_GROUP_PAYLOAD (MC_SLOT_SIZE * 3) --/* average place for 40 supplementary groups + 2 names */ --#define SSS_AVG_INITGROUP_PAYLOAD (MC_SLOT_SIZE * 5) -- - #define MC_NEXT_BARRIER(val) ((((val) + 1) & 0x00ffffff) | 0xf0000000) - - #define MC_RAISE_BARRIER(m) do { \ -@@ -1251,24 +1244,14 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, - enum sss_mc_type type, size_t n_elem, - time_t timeout, struct sss_mc_ctx **mcc) - { -+ /* sss_mc_header alone occupies whole slot, -+ * so each entry takes 2 slots at the very least -+ */ -+ static const int PAYLOAD_FACTOR = 2; -+ - struct sss_mc_ctx *mc_ctx = NULL; -- int payload; - int ret, dret; - -- switch (type) { -- case SSS_MC_PASSWD: -- payload = SSS_AVG_PASSWD_PAYLOAD; -- break; -- case SSS_MC_GROUP: -- payload = SSS_AVG_GROUP_PAYLOAD; -- break; -- case SSS_MC_INITGROUPS: -- payload = SSS_AVG_INITGROUP_PAYLOAD; -- break; -- default: -- return EINVAL; -- } -- - mc_ctx = talloc_zero(mem_ctx, struct sss_mc_ctx); - if (!mc_ctx) { - return ENOMEM; -@@ -1303,9 +1286,9 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, - - /* hash table is double the size because it will store both forward and - * reverse keys (name/uid, name/gid, ..) 
*/ -- mc_ctx->ht_size = MC_HT_SIZE(n_elem * 2); -- mc_ctx->dt_size = MC_DT_SIZE(n_elem, payload); -- mc_ctx->ft_size = MC_FT_SIZE(n_elem); -+ mc_ctx->ht_size = MC_HT_SIZE(2 * n_elem / PAYLOAD_FACTOR); -+ mc_ctx->dt_size = n_elem * MC_SLOT_SIZE; -+ mc_ctx->ft_size = n_elem / 8; /* 1 bit per slot */ - mc_ctx->mmap_size = MC_HEADER_SIZE + - MC_ALIGN64(mc_ctx->dt_size) + - MC_ALIGN64(mc_ctx->ft_size) + -diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h -index e06257949..c40af2fb4 100644 ---- a/src/responder/nss/nsssrv_mmap_cache.h -+++ b/src/responder/nss/nsssrv_mmap_cache.h -@@ -22,8 +22,6 @@ - #ifndef _NSSSRV_MMAP_CACHE_H_ - #define _NSSSRV_MMAP_CACHE_H_ - --#define SSS_MC_CACHE_ELEMENTS 50000 -- - struct sss_mc_ctx; - - enum sss_mc_type { -diff --git a/src/util/mmap_cache.h b/src/util/mmap_cache.h -index 63e096027..d3d92bc98 100644 ---- a/src/util/mmap_cache.h -+++ b/src/util/mmap_cache.h -@@ -40,9 +40,6 @@ typedef uint32_t rel_ptr_t; - - #define MC_HT_SIZE(elems) ( (elems) * MC_32 ) - #define MC_HT_ELEMS(size) ( (size) / MC_32 ) --#define MC_DT_SIZE(elems, payload) ( (elems) * (payload) ) --#define MC_FT_SIZE(elems) ( (elems) / 8 ) --/* ^^ 8 bits per byte so we need just elems/8 bytes to represent all blocks */ - - #define MC_PTR_ADD(ptr, bytes) (void *)((uint8_t *)(ptr) + (bytes)) - #define MC_PTR_DIFF(ptr, base) ((uint8_t *)(ptr) - (uint8_t *)(base)) --- -2.21.3 - diff --git a/SOURCES/0029-NSS-make-memcache-size-configurable.patch b/SOURCES/0029-NSS-make-memcache-size-configurable.patch deleted file mode 100644 index f69db08..0000000 --- a/SOURCES/0029-NSS-make-memcache-size-configurable.patch +++ /dev/null 
@@ -1,543 +0,0 @@ -From 80e7163b7bf512a45e2fa31494f3bdff9e9e2dce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Wed, 4 Mar 2020 16:26:18 +0100 -Subject: [PATCH 29/35] NSS: make memcache size configurable - -Added options to configure memcache size: -memcache_size_passwd -memcache_size_group -memcache_size_initgroups - -Related: -https://github.com/SSSD/sssd/issues/4578 - -Reviewed-by: Sumit Bose ---- - src/confdb/confdb.h | 3 + - src/config/SSSDConfig/sssdoptions.py | 3 + - src/config/cfg_rules.ini | 3 + - src/man/sssd.conf.5.xml | 78 +++++++++ - src/responder/nss/nsssrv.c | 104 ++++++++---- - src/tests/intg/test_memory_cache.py | 236 +++++++++++++++++++++++++++ - 6 files changed, 398 insertions(+), 29 deletions(-) - -diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h -index a5d35fd70..c96896da5 100644 ---- a/src/confdb/confdb.h -+++ b/src/confdb/confdb.h -@@ -115,6 +115,9 @@ - #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback" - #define CONFDB_NSS_DEFAULT_SHELL "default_shell" - #define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout" -+#define CONFDB_NSS_MEMCACHE_SIZE_PASSWD "memcache_size_passwd" -+#define CONFDB_NSS_MEMCACHE_SIZE_GROUP "memcache_size_group" -+#define CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS "memcache_size_initgroups" - #define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring" - #define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home" - -diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py -index 9c071f70a..16d85cfa3 100644 ---- a/src/config/SSSDConfig/sssdoptions.py -+++ b/src/config/SSSDConfig/sssdoptions.py -@@ -72,6 +72,9 @@ class SSSDOptions(object): - 'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'), - 'default_shell': _('Shell to use if the provider does not list one'), - 'memcache_timeout': _('How long will be in-memory cache records valid'), -+ 'memcache_size_passwd': _('Number of slots in fast in-memory cache for passwd requests'), 
-+ 'memcache_size_group': _('Number of slots in fast in-memory cache for group requests'), -+ 'memcache_size_initgroups': _('Number of slots in fast in-memory cache for initgroups requests'), - 'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option ' - 'if the template contains the format string %H.'), - 'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered ' -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 1a7e2c5cd..2874ea048 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -92,6 +92,9 @@ option = shell_fallback - option = default_shell - option = get_domains_timeout - option = memcache_timeout -+option = memcache_size_passwd -+option = memcache_size_group -+option = memcache_size_initgroups - - [rule/allowed_pam_options] - validator = ini_allowed_options -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 9a9679a4b..9bc2e26e5 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -1100,6 +1100,84 @@ fallback_homedir = /home/%u - - - -+ -+ memcache_size_passwd (integer) -+ -+ -+ Number of slots allocated inside fast in-memory -+ cache for passwd requests. Note that one entry -+ in fast in-memory cache can occupy more than one slot. -+ Setting the size to 0 will disable the passwd in-memory -+ cache. -+ -+ -+ Default: 200000 -+ -+ -+ WARNING: Disabled or too small in-memory cache can -+ have significant negative impact on SSSD's -+ performance. -+ -+ -+ NOTE: If the environment variable -+ SSS_NSS_USE_MEMCACHE is set to "NO", client -+ applications will not use the fast in-memory -+ cache. -+ -+ -+ -+ -+ memcache_size_group (integer) -+ -+ -+ Number of slots allocated inside fast in-memory -+ cache for group requests. Note that one entry -+ in fast in-memory cache can occupy more than one -+ slot. Setting the size to 0 will disable the group -+ in-memory cache. 
-+ -+ -+ Default: 150000 -+ -+ -+ WARNING: Disabled or too small in-memory cache can -+ have significant negative impact on SSSD's -+ performance. -+ -+ -+ NOTE: If the environment variable -+ SSS_NSS_USE_MEMCACHE is set to "NO", client -+ applications will not use the fast in-memory -+ cache. -+ -+ -+ -+ -+ memcache_size_initgroups (integer) -+ -+ -+ Number of slots allocated inside fast in-memory -+ cache for initgroups requests. Note that one entry -+ in fast in-memory cache can occupy more than one -+ slot. Setting the size to 0 will disable the -+ initgroups in-memory cache. -+ -+ -+ Default: 250000 -+ -+ -+ WARNING: Disabled or too small in-memory cache can -+ have significant negative impact on SSSD's -+ performance. -+ -+ -+ NOTE: If the environment variable -+ SSS_NSS_USE_MEMCACHE is set to "NO", client -+ applications will not use the fast in-memory -+ cache. -+ -+ -+ - - user_attributes (string) - -diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c -index 21d93ae77..0a201d3ae 100644 ---- a/src/responder/nss/nsssrv.c -+++ b/src/responder/nss/nsssrv.c -@@ -209,13 +209,16 @@ done: - - static int setup_memcaches(struct nss_ctx *nctx) - { -- /* TODO: read cache sizes from configuration */ -+ /* Default memcache sizes */ - static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */ - static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */ - static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */ - - int ret; - int memcache_timeout; -+ int mc_size_passwd; -+ int mc_size_group; -+ int mc_size_initgroups; - - /* Remove the CLEAR_MC_FLAG file if exists. 
*/ - ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG); -@@ -243,34 +246,77 @@ static int setup_memcaches(struct nss_ctx *nctx) - return EOK; - } - -- ret = sss_mmap_cache_init(nctx, "passwd", -- nctx->mc_uid, nctx->mc_gid, -- SSS_MC_PASSWD, -- SSS_MC_CACHE_PASSWD_SLOTS, -- (time_t)memcache_timeout, -- &nctx->pwd_mc_ctx); -- if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n"); -- } -- -- ret = sss_mmap_cache_init(nctx, "group", -- nctx->mc_uid, nctx->mc_gid, -- SSS_MC_GROUP, -- SSS_MC_CACHE_GROUP_SLOTS, -- (time_t)memcache_timeout, -- &nctx->grp_mc_ctx); -- if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n"); -- } -- -- ret = sss_mmap_cache_init(nctx, "initgroups", -- nctx->mc_uid, nctx->mc_gid, -- SSS_MC_INITGROUPS, -- SSS_MC_CACHE_INITGROUP_SLOTS, -- (time_t)memcache_timeout, -- &nctx->initgr_mc_ctx); -- if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n"); -+ /* Get all memcache sizes from confdb (pwd, grp, initgr) */ -+ -+ ret = confdb_get_int(nctx->rctx->cdb, -+ CONFDB_NSS_CONF_ENTRY, -+ CONFDB_NSS_MEMCACHE_SIZE_PASSWD, -+ SSS_MC_CACHE_PASSWD_SLOTS, -+ &mc_size_passwd); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Failed to get 'memcache_size_passwd' option from confdb.\n"); -+ return ret; -+ } -+ -+ ret = confdb_get_int(nctx->rctx->cdb, -+ CONFDB_NSS_CONF_ENTRY, -+ CONFDB_NSS_MEMCACHE_SIZE_GROUP, -+ SSS_MC_CACHE_GROUP_SLOTS, -+ &mc_size_group); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Failed to get 'memcache_size_group' option from confdb.\n"); -+ return ret; -+ } -+ -+ ret = confdb_get_int(nctx->rctx->cdb, -+ CONFDB_NSS_CONF_ENTRY, -+ CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS, -+ SSS_MC_CACHE_INITGROUP_SLOTS, -+ &mc_size_initgroups); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, -+ "Failed to get 'memcache_size_nitgroups' option from confdb.\n"); -+ return ret; -+ } -+ -+ /* Initialize the fast in-memory caches if they were not disabled */ -+ -+ if 
(mc_size_passwd != 0) { -+ ret = sss_mmap_cache_init(nctx, "passwd", -+ nctx->mc_uid, nctx->mc_gid, -+ SSS_MC_PASSWD, -+ mc_size_passwd, -+ (time_t)memcache_timeout, -+ &nctx->pwd_mc_ctx); -+ if (ret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n"); -+ } -+ } -+ -+ if (mc_size_group != 0) { -+ ret = sss_mmap_cache_init(nctx, "group", -+ nctx->mc_uid, nctx->mc_gid, -+ SSS_MC_GROUP, -+ mc_size_group, -+ (time_t)memcache_timeout, -+ &nctx->grp_mc_ctx); -+ if (ret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n"); -+ } -+ } -+ -+ if (mc_size_initgroups != 0) { -+ ret = sss_mmap_cache_init(nctx, "initgroups", -+ nctx->mc_uid, nctx->mc_gid, -+ SSS_MC_INITGROUPS, -+ mc_size_initgroups, -+ (time_t)memcache_timeout, -+ &nctx->initgr_mc_ctx); -+ if (ret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n"); -+ } - } - - return EOK; -diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py -index 322f76fe0..6ed696e00 100644 ---- a/src/tests/intg/test_memory_cache.py -+++ b/src/tests/intg/test_memory_cache.py -@@ -135,6 +135,112 @@ def load_data_to_ldap(request, ldap_conn): - create_ldap_fixture(request, ldap_conn, ent_list) - - -+@pytest.fixture -+def disable_memcache_rfc2307(request, ldap_conn): -+ load_data_to_ldap(request, ldap_conn) -+ -+ conf = unindent("""\ -+ [sssd] -+ domains = LDAP -+ services = nss -+ -+ [nss] -+ memcache_size_group = 0 -+ memcache_size_passwd = 0 -+ memcache_size_initgroups = 0 -+ -+ [domain/LDAP] -+ ldap_auth_disable_tls_never_use_in_production = true -+ ldap_schema = rfc2307 -+ id_provider = ldap -+ auth_provider = ldap -+ sudo_provider = ldap -+ ldap_uri = {ldap_conn.ds_inst.ldap_url} -+ ldap_search_base = {ldap_conn.ds_inst.base_dn} -+ """).format(**locals()) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return None -+ -+ -+@pytest.fixture -+def disable_pwd_mc_rfc2307(request, ldap_conn): -+ load_data_to_ldap(request, ldap_conn) -+ -+ 
conf = unindent("""\ -+ [sssd] -+ domains = LDAP -+ services = nss -+ -+ [nss] -+ memcache_size_passwd = 0 -+ -+ [domain/LDAP] -+ ldap_auth_disable_tls_never_use_in_production = true -+ ldap_schema = rfc2307 -+ id_provider = ldap -+ auth_provider = ldap -+ sudo_provider = ldap -+ ldap_uri = {ldap_conn.ds_inst.ldap_url} -+ ldap_search_base = {ldap_conn.ds_inst.base_dn} -+ """).format(**locals()) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return None -+ -+ -+@pytest.fixture -+def disable_grp_mc_rfc2307(request, ldap_conn): -+ load_data_to_ldap(request, ldap_conn) -+ -+ conf = unindent("""\ -+ [sssd] -+ domains = LDAP -+ services = nss -+ -+ [nss] -+ memcache_size_group = 0 -+ -+ [domain/LDAP] -+ ldap_auth_disable_tls_never_use_in_production = true -+ ldap_schema = rfc2307 -+ id_provider = ldap -+ auth_provider = ldap -+ sudo_provider = ldap -+ ldap_uri = {ldap_conn.ds_inst.ldap_url} -+ ldap_search_base = {ldap_conn.ds_inst.base_dn} -+ """).format(**locals()) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return None -+ -+ -+@pytest.fixture -+def disable_initgr_mc_rfc2307(request, ldap_conn): -+ load_data_to_ldap(request, ldap_conn) -+ -+ conf = unindent("""\ -+ [sssd] -+ domains = LDAP -+ services = nss -+ -+ [nss] -+ memcache_size_initgroups = 0 -+ -+ [domain/LDAP] -+ ldap_auth_disable_tls_never_use_in_production = true -+ ldap_schema = rfc2307 -+ id_provider = ldap -+ auth_provider = ldap -+ sudo_provider = ldap -+ ldap_uri = {ldap_conn.ds_inst.ldap_url} -+ ldap_search_base = {ldap_conn.ds_inst.base_dn} -+ """).format(**locals()) -+ create_conf_fixture(request, conf) -+ create_sssd_fixture(request) -+ return None -+ -+ - @pytest.fixture - def sanity_rfc2307(request, ldap_conn): - load_data_to_ldap(request, ldap_conn) -@@ -354,6 +460,19 @@ def test_getgrnam_simple_with_mc(ldap_conn, sanity_rfc2307): - test_getgrnam_simple(ldap_conn, sanity_rfc2307) - - -+def test_getgrnam_simple_disabled_pwd_mc(ldap_conn, 
disable_pwd_mc_rfc2307): -+ test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307) -+ stop_sssd() -+ test_getgrnam_simple(ldap_conn, disable_pwd_mc_rfc2307) -+ -+ -+def test_getgrnam_simple_disabled_intitgr_mc(ldap_conn, -+ disable_initgr_mc_rfc2307): -+ test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307) -+ stop_sssd() -+ test_getgrnam_simple(ldap_conn, disable_initgr_mc_rfc2307) -+ -+ - def test_getgrnam_membership(ldap_conn, sanity_rfc2307): - ent.assert_group_by_name( - "group1", -@@ -919,3 +1038,120 @@ def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307): - grp.getgrnam('group1') - with pytest.raises(KeyError): - grp.getgrgid(2001) -+ -+ -+def test_disabled_mc(ldap_conn, disable_memcache_rfc2307): -+ ent.assert_passwd_by_name( -+ 'user1', -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ ent.assert_passwd_by_uid( -+ 1001, -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ -+ ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) -+ ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) -+ -+ assert_user_gids_equal('user1', [2000, 2001]) -+ -+ stop_sssd() -+ -+ # sssd is stopped and the memory cache is disabled; -+ # so pytest should not be able to find anything -+ with pytest.raises(KeyError): -+ pwd.getpwnam('user1') -+ with pytest.raises(KeyError): -+ pwd.getpwuid(1001) -+ -+ with pytest.raises(KeyError): -+ grp.getgrnam('group1') -+ with pytest.raises(KeyError): -+ grp.getgrgid(2001) -+ -+ with pytest.raises(KeyError): -+ (res, errno, gids) = sssd_id.get_user_gids('user1') -+ -+ -+def test_disabled_passwd_mc(ldap_conn, disable_pwd_mc_rfc2307): -+ ent.assert_passwd_by_name( -+ 'user1', -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ ent.assert_passwd_by_uid( -+ 1001, -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ -+ assert_user_gids_equal('user1', 
[2000, 2001]) -+ -+ stop_sssd() -+ -+ # passwd cache is disabled -+ with pytest.raises(KeyError): -+ pwd.getpwnam('user1') -+ with pytest.raises(KeyError): -+ pwd.getpwuid(1001) -+ -+ # Initgroups looks up the user first, hence KeyError from the -+ # passwd database even if the initgroups cache is active. -+ with pytest.raises(KeyError): -+ (res, errno, gids) = sssd_id.get_user_gids('user1') -+ -+ -+def test_disabled_group_mc(ldap_conn, disable_grp_mc_rfc2307): -+ ent.assert_passwd_by_name( -+ 'user1', -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ ent.assert_passwd_by_uid( -+ 1001, -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ -+ ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) -+ ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) -+ -+ assert_user_gids_equal('user1', [2000, 2001]) -+ -+ stop_sssd() -+ -+ # group cache is disabled, other caches should work -+ ent.assert_passwd_by_name( -+ 'user1', -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ ent.assert_passwd_by_uid( -+ 1001, -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ -+ with pytest.raises(KeyError): -+ grp.getgrnam('group1') -+ with pytest.raises(KeyError): -+ grp.getgrgid(2001) -+ -+ assert_user_gids_equal('user1', [2000, 2001]) -+ -+ -+def test_disabled_initgr_mc(ldap_conn, disable_initgr_mc_rfc2307): -+ # Even if initgroups is disabled, passwd should work -+ ent.assert_passwd_by_name( -+ 'user1', -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ ent.assert_passwd_by_uid( -+ 1001, -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ -+ stop_sssd() -+ -+ ent.assert_passwd_by_name( -+ 'user1', -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) -+ ent.assert_passwd_by_uid( 
-+ 1001, -+ dict(name='user1', passwd='*', uid=1001, gid=2001, -+ gecos='1001', shell='/bin/bash')) --- -2.21.3 - diff --git a/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch b/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch new file mode 100644 index 0000000..f29ff36 --- /dev/null +++ b/SOURCES/0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch 
@@ -0,0 +1,58 @@ +From e50258da70b67ff1b0f928e2e7875bc2fa32dfde Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 6 Mar 2020 13:12:46 +0100 +Subject: [PATCH 14/18] autofs: return ERR_OFFLINE if we fail to get + information from backend and cache is empty + +Resolves: +https://github.com/SSSD/sssd/issues/3413 + +Reviewed-by: Alexey Tikhonov +--- + .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 ++ + .../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 ++ + .../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index cb674add6..55c9fc8b0 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -142,6 +142,8 @@ cache_req_autofs_entry_by_name_send(TALLOC_CTX *mem_ctx, + return NULL; + } + ++ cache_req_data_set_propogate_offline_status(data, true); ++ + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 3c08eaf4f..823eb3595 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -136,6 +136,8 @@ cache_req_autofs_map_by_name_send(TALLOC_CTX *mem_ctx, + return NULL; + } + ++ cache_req_data_set_propogate_offline_status(data, true); ++ + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c 
b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index 1b5645fa0..3e47b1321 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -168,6 +168,8 @@ cache_req_autofs_map_entries_send(TALLOC_CTX *mem_ctx, + return NULL; + } + ++ cache_req_data_set_propogate_offline_status(data, true); ++ + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, +-- +2.21.3 + diff --git a/SOURCES/0030-NSS-avoid-excessive-log-messages.patch b/SOURCES/0030-NSS-avoid-excessive-log-messages.patch deleted file mode 100644 index 7ea31f3..0000000 --- a/SOURCES/0030-NSS-avoid-excessive-log-messages.patch +++ /dev/null 
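Review bot: None of the three added `cache_req_data_set_propogate_offline_status(data, true);` calls (in cache_req_autofs_entry_by_name_send, cache_req_autofs_map_by_name_send and cache_req_autofs_map_entries_send) says why autofs opts in while other cache_req plugins keep reporting a plain "not found". A one-line comment above each call, such as `/* Report an unreachable backend as ERR_OFFLINE instead of "no such map/entry" when the cache is empty. */`, would record the intent that is only in the commit message. With the flag set, the internal ERR_OFFLINE value appears to travel toward the autofs client, so this change presumably depends on the later patch in the series that maps it to a public errno. Each *_send() function starts and ends outside its hunk.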
@@ -1,83 +0,0 @@ -From e12340e7d9efe5f272e58d69333c1c09c3bcc44d Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 4 Mar 2020 21:09:33 +0100 -Subject: [PATCH 30/35] NSS: avoid excessive log messages - - - do not log error message if mem-cache was disabled explicitly - - increase message severity in case of fail to store entry in mem-cache - -Reviewed-by: Sumit Bose ---- - src/responder/nss/nss_protocol_grent.c | 12 +++++++----- - src/responder/nss/nss_protocol_pwent.c | 7 ++++--- - 2 files changed, 11 insertions(+), 8 deletions(-) - -diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c -index 2f6d869ef..8f1d3fe81 100644 ---- a/src/responder/nss/nss_protocol_grent.c -+++ b/src/responder/nss/nss_protocol_grent.c -@@ -292,16 +292,17 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx, - num_results++; - - /* Do not store entry in memory cache during enumeration or when -- * requested. */ -+ * requested or if cache explicitly disabled. */ - if (!cmd_ctx->enumeration -- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) { -+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) -+ && (nss_ctx->grp_mc_ctx != NULL)) { - members = (char *)&body[rp_members]; - members_size = body_len - rp_members; - ret = sss_mmap_cache_gr_store(&nss_ctx->grp_mc_ctx, name, &pwfield, - gid, num_members, members, - members_size); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Failed to store group %s (%s) in mem-cache [%d]: %s!\n", - name->str, result->domain->name, ret, sss_strerror(ret)); - } -@@ -423,7 +424,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, - } - - if (nss_ctx->initgr_mc_ctx -- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) { -+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) -+ && (nss_ctx->initgr_mc_ctx != NULL)) { - to_sized_string(&rawname, cmd_ctx->rawname); - to_sized_string(&unique_name, result->lookup_name); - -@@ -431,7 +433,7 @@ 
nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, - &unique_name, num_results, - body + 2 * sizeof(uint32_t)); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Failed to store initgroups %s (%s) in mem-cache [%d]: %s!\n", - rawname.str, domain->name, ret, sss_strerror(ret)); - sss_packet_set_size(packet, 0); -diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c -index 31fd01698..f9f3f0cf0 100644 ---- a/src/responder/nss/nss_protocol_pwent.c -+++ b/src/responder/nss/nss_protocol_pwent.c -@@ -301,13 +301,14 @@ nss_protocol_fill_pwent(struct nss_ctx *nss_ctx, - num_results++; - - /* Do not store entry in memory cache during enumeration or when -- * requested. */ -+ * requested or if cache explicitly disabled. */ - if (!cmd_ctx->enumeration -- && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) { -+ && ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) -+ && (nss_ctx->pwd_mc_ctx != NULL)) { - ret = sss_mmap_cache_pw_store(&nss_ctx->pwd_mc_ctx, name, &pwfield, - uid, gid, &gecos, &homedir, &shell); - if (ret != EOK) { -- DEBUG(SSSDBG_MINOR_FAILURE, -+ DEBUG(SSSDBG_OP_FAILURE, - "Failed to store user %s (%s) in mmap cache [%d]: %s!\n", - name->str, result->domain->name, ret, sss_strerror(ret)); - } --- -2.21.3 - diff --git a/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch b/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch new file mode 100644 index 0000000..c605483 --- /dev/null +++ b/SOURCES/0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch 
@@ -0,0 +1,51 @@
+From 9098108a7142513fa04afdf92a2c1b3ac002c56e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 6 Mar 2020 13:44:56 +0100
+Subject: [PATCH 15/18] autofs: translate ERR_OFFLINE to EHOSTDOWN
+
+So we do not publish internal error code.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/3413
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/sss_client/common.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 902438c86..d29332939 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -44,6 +44,7 @@
+ #define _(STRING) dgettext (PACKAGE, STRING)
+ #include "sss_cli.h"
+ #include "common_private.h"
++#include "util/util_errors.h"
+
+ #if HAVE_PTHREAD
+ #include
+@@ -1054,9 +1055,17 @@ int sss_autofs_make_request(enum sss_cli_command cmd,
+ uint8_t **repbuf, size_t *replen,
+ int *errnop)
+ {
+- return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
+- repbuf, replen, errnop,
+- SSS_AUTOFS_SOCKET_NAME);
++ enum sss_status status;
++
++ status = sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT,
++ repbuf, replen, errnop,
++ SSS_AUTOFS_SOCKET_NAME);
++
++ if (*errnop == ERR_OFFLINE) {
++ *errnop = EHOSTDOWN;
++ }
++
++ return status;
+ }
+
+ int sss_ssh_make_request(enum sss_cli_command cmd,
+--
+2.21.3
+
diff --git a/SOURCES/0031-NSS-enhanced-debug-during-mem-cache-initialization.patch b/SOURCES/0031-NSS-enhanced-debug-during-mem-cache-initialization.patch
deleted file mode 100644
index 270f768..0000000
--- a/SOURCES/0031-NSS-enhanced-debug-during-mem-cache-initialization.patch
+++ /dev/null
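Review bot: The translation added to `sss_autofs_make_request` reads `*errnop` regardless of `status`, so it relies on `sss_cli_make_request_with_checks` always writing `*errnop`, which this hunk does not show. Guarding on the failure path makes the intent explicit: `if (status != SSS_STATUS_SUCCESS && *errnop == ERR_OFFLINE) {`. Only `ERR_OFFLINE` is mapped, so if other SSSD-internal codes can reach `errnop` they would still be handed to the autofs caller. A comment such as `/* ERR_OFFLINE is SSSD-internal; callers expect plain errno values */` above the check would record why the mapping exists.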
@@ -1,101 +0,0 @@ -From be8052bbb61c572702fe16e2850539f445dcc0e2 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 4 Mar 2020 22:13:52 +0100 -Subject: [PATCH 31/35] NSS: enhanced debug during mem-cache initialization - -Reviewed-by: Sumit Bose ---- - src/responder/nss/nsssrv.c | 39 ++++++++++++++++++++++++++++++++------ - 1 file changed, 33 insertions(+), 6 deletions(-) - -diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c -index 0a201d3ae..42a63d9bb 100644 ---- a/src/responder/nss/nsssrv.c -+++ b/src/responder/nss/nsssrv.c -@@ -255,7 +255,8 @@ static int setup_memcaches(struct nss_ctx *nctx) - &mc_size_passwd); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Failed to get 'memcache_size_passwd' option from confdb.\n"); -+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_PASSWD -+ "' option from confdb.\n"); - return ret; - } - -@@ -266,7 +267,8 @@ static int setup_memcaches(struct nss_ctx *nctx) - &mc_size_group); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Failed to get 'memcache_size_group' option from confdb.\n"); -+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_GROUP -+ "' option from confdb.\n"); - return ret; - } - -@@ -277,7 +279,8 @@ static int setup_memcaches(struct nss_ctx *nctx) - &mc_size_initgroups); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Failed to get 'memcache_size_nitgroups' option from confdb.\n"); -+ "Failed to get '"CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS -+ "' option from confdb.\n"); - return ret; - } - -@@ -291,8 +294,16 @@ static int setup_memcaches(struct nss_ctx *nctx) - (time_t)memcache_timeout, - &nctx->pwd_mc_ctx); - if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n"); -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize passwd mmap cache: '%s'\n", -+ sss_strerror(ret)); -+ } else { -+ DEBUG(SSSDBG_CONF_SETTINGS, "Passwd mmap cache size is %d\n", -+ mc_size_passwd); - } -+ } else { -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "Passwd mmap cache is explicitly DISABLED\n"); - } - 
- if (mc_size_group != 0) { -@@ -303,8 +314,16 @@ static int setup_memcaches(struct nss_ctx *nctx) - (time_t)memcache_timeout, - &nctx->grp_mc_ctx); - if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n"); -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize group mmap cache: '%s'\n", -+ sss_strerror(ret)); -+ } else { -+ DEBUG(SSSDBG_CONF_SETTINGS, "Group mmap cache size is %d\n", -+ mc_size_group); - } -+ } else { -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "Group mmap cache is explicitly DISABLED\n"); - } - - if (mc_size_initgroups != 0) { -@@ -315,8 +334,16 @@ static int setup_memcaches(struct nss_ctx *nctx) - (time_t)memcache_timeout, - &nctx->initgr_mc_ctx); - if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n"); -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize initgroups mmap cache: '%s'\n", -+ sss_strerror(ret)); -+ } else { -+ DEBUG(SSSDBG_CONF_SETTINGS, "Initgroups mmap cache size is %d\n", -+ mc_size_initgroups); - } -+ } else { -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "Initgroups mmap cache is explicitly DISABLED\n"); - } - - return EOK; --- -2.21.3 - diff --git a/SOURCES/0031-autofs-disable-fast-reply.patch b/SOURCES/0031-autofs-disable-fast-reply.patch new file mode 100644 index 0000000..8706aec --- /dev/null +++ b/SOURCES/0031-autofs-disable-fast-reply.patch 
@@ -0,0 +1,61 @@
+From 34c519a4851194164befc150df8e768431e66405 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 22 Sep 2020 11:04:25 +0200
+Subject: [PATCH 16/18] autofs: disable fast reply
+
+If the backend is offline when autofs starts and reads auto.master map
+we don't want to wait 60 seconds before the offline flag is reset. We
+need to allow autofs to retry the call much sooner.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/3413
+
+Reviewed-by: Alexey Tikhonov
+---
+ .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
+ .../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
+ .../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+index 55c9fc8b0..cd2085187 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+@@ -84,7 +84,7 @@ cache_req_autofs_entry_by_name_dp_send(TALLOC_CTX *mem_ctx,
+
+ return sbus_call_dp_autofs_GetEntry_send(mem_ctx, be_conn->conn,
+ be_conn->bus_name, SSS_BUS_PATH,
+- DP_FAST_REPLY, data->name.name,
++ 0, data->name.name,
+ data->autofs_entry_name);
+ }
+
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+index 823eb3595..9d9bc3a97 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+@@ -81,7 +81,7 @@ cache_req_autofs_map_by_name_dp_send(TALLOC_CTX *mem_ctx,
+
+ return sbus_call_dp_autofs_GetMap_send(mem_ctx, be_conn->conn,
+ be_conn->bus_name, SSS_BUS_PATH,
+- DP_FAST_REPLY, data->name.name);
++ 0, data->name.name);
+ }
+
+ bool
+diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+index 3e47b1321..ee0156b6a 100644
+--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+@@ -113,7 +113,7 @@ cache_req_autofs_map_entries_dp_send(TALLOC_CTX *mem_ctx,
+
+ return sbus_call_dp_autofs_Enumerate_send(mem_ctx, be_conn->conn,
+ be_conn->bus_name, SSS_BUS_PATH,
+- DP_FAST_REPLY, data->name.name);
++ 0, data->name.name);
+ }
+
+ bool
+--
+2.21.3
+
diff --git a/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch b/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch
new file mode 100644
index 0000000..9188a5e
--- /dev/null
+++ b/SOURCES/0032-autofs-correlate-errors-for-different-protocol-versi.patch
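Review bot: The bare `0` that replaces `DP_FAST_REPLY` in the three `sbus_call_dp_autofs_*_send` calls reads as a magic number, and the reason for it lives only in the commit message. A short comment at each call site, for example `/* no DP_FAST_REPLY: let autofs retry soon when the backend was offline at start-up */`, would keep a later cleanup from restoring the flag. This applies equally to `cache_req_autofs_entry_by_name_dp_send`, `cache_req_autofs_map_by_name_dp_send` and `cache_req_autofs_map_entries_dp_send`, all of which start outside their hunks.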
@@ -0,0 +1,168 @@ +From 8a22d4ad45f5fc8e888be693539495093c2b3c35 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 4 Nov 2020 14:20:10 +0100 +Subject: [PATCH 17/18] autofs: correlate errors for different protocol + versions + +Reviewed-by: Alexey Tikhonov +--- + src/sss_client/autofs/autofs_test_client.c | 12 ++++++++ + src/sss_client/autofs/sss_autofs.c | 35 +++++++++++++++++++--- + src/sss_client/autofs/sss_autofs.exports | 9 +++--- + src/sss_client/autofs/sss_autofs_private.h | 5 ++++ + 4 files changed, 53 insertions(+), 8 deletions(-) + +diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c +index c5358233f..4b285151e 100644 +--- a/src/sss_client/autofs/autofs_test_client.c ++++ b/src/sss_client/autofs/autofs_test_client.c +@@ -45,10 +45,14 @@ int main(int argc, const char *argv[]) + char *value = NULL; + char *pc_key = NULL; + int pc_setent = 0; ++ int pc_protocol = 1; ++ unsigned int protocol; ++ unsigned int requested_protocol = 1; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "by-name", 'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL }, + { "only-setent", 's', POPT_ARG_VAL, &pc_setent, 1, "Run only setent, do not enumerate", NULL }, ++ { "protocol", 'p', POPT_ARG_INT, &pc_protocol, 0, "Protocol version", NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; +@@ -69,6 +73,14 @@ int main(int argc, const char *argv[]) + + poptFreeContext(pc); + ++ requested_protocol = pc_protocol; ++ protocol = _sss_auto_protocol_version(requested_protocol); ++ if (protocol != requested_protocol) { ++ fprintf(stderr, "Unsupported protocol version: %d -> %d\n", ++ requested_protocol, protocol); ++ exit(EXIT_FAILURE); ++ } ++ + ret = _sss_setautomntent(mapname, &ctx); + if (ret) { + fprintf(stderr, "setautomntent failed [%d]: %s\n", +diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c +index 482ff2c40..ef27cf895 100644 +--- 
a/src/sss_client/autofs/sss_autofs.c ++++ b/src/sss_client/autofs/sss_autofs.c +@@ -20,6 +20,7 @@ + + #include + #include ++#include + + #include "sss_client/autofs/sss_autofs_private.h" + #include "sss_client/sss_cli.h" +@@ -33,6 +34,32 @@ + /* How many entries shall _sss_getautomntent_r retrieve at once */ + #define GETAUTOMNTENT_MAX_ENTRIES 512 + ++static atomic_uint _protocol = 0; ++ ++unsigned int _sss_auto_protocol_version(unsigned int requested) ++{ ++ switch (requested) { ++ case 0: ++ /* EHOSTDOWN will be translated to ENOENT */ ++ _protocol = 0; ++ return 0; ++ default: ++ /* There is no other protocol version at this point. */ ++ _protocol = 1; ++ return 1; ++ } ++} ++ ++/* Returns correct errno based on autofs version expectations. */ ++static errno_t errnop_to_errno(int errnop) ++{ ++ if (errnop == EHOSTDOWN && _protocol == 0) { ++ return ENOENT; ++ } ++ ++ return errnop; ++} ++ + struct automtent { + char *mapname; + size_t cursor; +@@ -93,7 +120,7 @@ _sss_setautomntent(const char *mapname, void **context) + &repbuf, &replen, &errnop); + if (ret != SSS_STATUS_SUCCESS) { + free(name); +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +@@ -310,7 +337,7 @@ _sss_getautomntent_r(char **key, char **value, void *context) + &repbuf, &replen, &errnop); + free(data); + if (ret != SSS_STATUS_SUCCESS) { +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +@@ -408,7 +435,7 @@ _sss_getautomntbyname_r(const char *key, char **value, void *context) + &repbuf, &replen, &errnop); + free(data); + if (ret != SSS_STATUS_SUCCESS) { +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +@@ -467,7 +494,7 @@ _sss_endautomntent(void **context) + ret = sss_autofs_make_request(SSS_AUTOFS_ENDAUTOMNTENT, + NULL, NULL, NULL, &errnop); + if (ret != SSS_STATUS_SUCCESS) { +- ret = errnop; ++ ret = errnop_to_errno(errnop); + goto out; + } + +diff --git a/src/sss_client/autofs/sss_autofs.exports b/src/sss_client/autofs/sss_autofs.exports 
+index f9ce8f5b2..ec61f715e 100644 +--- a/src/sss_client/autofs/sss_autofs.exports ++++ b/src/sss_client/autofs/sss_autofs.exports +@@ -2,10 +2,11 @@ EXPORTED { + + # public functions + global: +- _sss_setautomntent; +- _sss_getautomntent_r; +- _sss_getautomntbyname_r; +- _sss_endautomntent; ++ _sss_auto_protocol_version; ++ _sss_setautomntent; ++ _sss_getautomntent_r; ++ _sss_getautomntbyname_r; ++ _sss_endautomntent; + + # everything else is local + local: +diff --git a/src/sss_client/autofs/sss_autofs_private.h b/src/sss_client/autofs/sss_autofs_private.h +index 6459c1cc7..7fd49db1d 100644 +--- a/src/sss_client/autofs/sss_autofs_private.h ++++ b/src/sss_client/autofs/sss_autofs_private.h +@@ -21,6 +21,11 @@ + #include + #include "util/util.h" + ++/** ++ * Choose an autofs protocol version to be used between autofs and sss_autofs. ++ */ ++unsigned int _sss_auto_protocol_version(unsigned int requested); ++ + /** + * Selects a map for processing. + */ +-- +2.21.3 + diff --git a/SOURCES/0032-mem-cache-added-log-message-in-case-cache-is-full.patch b/SOURCES/0032-mem-cache-added-log-message-in-case-cache-is-full.patch deleted file mode 100644 index e46c6e1..0000000 --- a/SOURCES/0032-mem-cache-added-log-message-in-case-cache-is-full.patch +++ /dev/null 
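Review bot: The doc comment added for `_sss_auto_protocol_version` in sss_autofs_private.h does not state the contract that callers depend on. From the implementation in sss_autofs.c, the function returns the version actually selected (any non-zero request selects 1), and a caller that never calls it stays on version 0, where `errnop_to_errno` turns `EHOSTDOWN` into `ENOENT`. I would extend the comment to say that the return value must be compared with the requested version, and that version 0 is the default and reports an offline backend as a missing map. Separately, the test client prints two `unsigned int` values with `%d`; `%u` matches the types.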
@@ -1,53 +0,0 @@
-From 2ad4aa8f265e02d01f77e5d29d8377d849c78d11 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Wed, 4 Mar 2020 22:33:17 +0100
-Subject: [PATCH 32/35] mem-cache: added log message in case cache is full
-
-Reviewed-by: Sumit Bose
----
- src/responder/nss/nsssrv_mmap_cache.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
-index 5e23bbe6f..23df164da 100644
---- a/src/responder/nss/nsssrv_mmap_cache.c
-+++ b/src/responder/nss/nsssrv_mmap_cache.c
-@@ -371,6 +371,20 @@ static bool sss_mc_is_valid_rec(struct sss_mc_ctx *mcc, struct sss_mc_rec *rec)
- return true;
- }
-
-+static const char *mc_type_to_str(enum sss_mc_type type)
-+{
-+ switch (type) {
-+ case SSS_MC_PASSWD:
-+ return "PASSWD";
-+ case SSS_MC_GROUP:
-+ return "GROUP";
-+ case SSS_MC_INITGROUPS:
-+ return "INITGROUPS";
-+ default:
-+ return "-UNKNOWN-";
-+ }
-+}
-+
- /* FIXME: This is a very simplistic, inefficient, memory allocator,
- * it will just free the oldest entries regardless of expiration if it
- * cycled the whole free bits map and found no empty slot */
-@@ -438,6 +452,14 @@ static errno_t sss_mc_find_free_slots(struct sss_mc_ctx *mcc,
- } else {
- cur = mcc->next_slot;
- }
-+ if (cur == 0) {
-+ /* inform only once per full loop to avoid excessive spam */
-+ DEBUG(SSSDBG_IMPORTANT_INFO, "mmap cache of type '%s' is full\n",
-+ mc_type_to_str(mcc->type));
-+ sss_log(SSS_LOG_NOTICE, "mmap cache of type '%s' is full, if you see "
-+ "this message often then please consider increase of cache size",
-+ mc_type_to_str(mcc->type));
-+ }
- for (i = 0; i < num_slots; i++) {
- MC_PROBE_BIT(mcc->free_table, cur + i, used);
- if (used) {
---
-2.21.3
-
diff --git a/SOURCES/0033-NSS-make-memcache-size-configurable-in-megabytes.patch b/SOURCES/0033-NSS-make-memcache-size-configurable-in-megabytes.patch
deleted file mode 100644
index ba3365f..0000000
--- a/SOURCES/0033-NSS-make-memcache-size-configurable-in-megabytes.patch
+++ /dev/null
@@ -1,189 +0,0 @@ -From b7f31936e21b109b5446c48513619cd87974be54 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 31 Mar 2020 22:57:25 +0200 -Subject: [PATCH 33/35] NSS: make memcache size configurable in megabytes - -Memcache size was made configurable in megabytes and not in slots -to hide internal implementation from users. - -Relates: https://github.com/SSSD/sssd/issues/5115 - -Reviewed-by: Sumit Bose ---- - src/config/SSSDConfig/sssdoptions.py | 6 ++--- - src/man/sssd.conf.5.xml | 33 +++++++++++++--------------- - src/responder/nss/nsssrv.c | 20 +++++++++-------- - 3 files changed, 29 insertions(+), 30 deletions(-) - -diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py -index 16d85cfa3..f57ad4b41 100644 ---- a/src/config/SSSDConfig/sssdoptions.py -+++ b/src/config/SSSDConfig/sssdoptions.py -@@ -72,9 +72,9 @@ class SSSDOptions(object): - 'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'), - 'default_shell': _('Shell to use if the provider does not list one'), - 'memcache_timeout': _('How long will be in-memory cache records valid'), -- 'memcache_size_passwd': _('Number of slots in fast in-memory cache for passwd requests'), -- 'memcache_size_group': _('Number of slots in fast in-memory cache for group requests'), -- 'memcache_size_initgroups': _('Number of slots in fast in-memory cache for initgroups requests'), -+ 'memcache_size_passwd': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'), -+ 'memcache_size_group': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'), -+ 'memcache_size_initgroups': _('Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'), - 'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option ' - 'if the template contains the format string 
%H.'), - 'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered ' -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 9bc2e26e5..874a09c49 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -1076,7 +1076,7 @@ fallback_homedir = /home/%u - - - -- memcache_timeout (int) -+ memcache_timeout (integer) - - - Specifies time in seconds for which records -@@ -1104,14 +1104,13 @@ fallback_homedir = /home/%u - memcache_size_passwd (integer) - - -- Number of slots allocated inside fast in-memory -- cache for passwd requests. Note that one entry -- in fast in-memory cache can occupy more than one slot. -- Setting the size to 0 will disable the passwd in-memory -- cache. -+ Size (in megabytes) of the data table allocated inside -+ fast in-memory cache for passwd requests. -+ Setting the size to 0 will disable the passwd -+ in-memory cache. - - -- Default: 200000 -+ Default: 8 - - - WARNING: Disabled or too small in-memory cache can -@@ -1130,14 +1129,13 @@ fallback_homedir = /home/%u - memcache_size_group (integer) - - -- Number of slots allocated inside fast in-memory -- cache for group requests. Note that one entry -- in fast in-memory cache can occupy more than one -- slot. Setting the size to 0 will disable the group -+ Size (in megabytes) of the data table allocated inside -+ fast in-memory cache for group requests. -+ Setting the size to 0 will disable the group - in-memory cache. - - -- Default: 150000 -+ Default: 6 - - - WARNING: Disabled or too small in-memory cache can -@@ -1156,14 +1154,13 @@ fallback_homedir = /home/%u - memcache_size_initgroups (integer) - - -- Number of slots allocated inside fast in-memory -- cache for initgroups requests. Note that one entry -- in fast in-memory cache can occupy more than one -- slot. Setting the size to 0 will disable the -- initgroups in-memory cache. 
-+ Size (in megabytes) of the data table allocated inside -+ fast in-memory cache for initgroups requests. -+ Setting the size to 0 will disable the initgroups -+ in-memory cache. - - -- Default: 250000 -+ Default: 10 - - - WARNING: Disabled or too small in-memory cache can -diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c -index 42a63d9bb..741e94aaa 100644 ---- a/src/responder/nss/nsssrv.c -+++ b/src/responder/nss/nsssrv.c -@@ -34,6 +34,7 @@ - - #include "util/util.h" - #include "util/sss_ptr_hash.h" -+#include "util/mmap_cache.h" - #include "responder/nss/nss_private.h" - #include "responder/nss/nss_iface.h" - #include "responder/nss/nsssrv_mmap_cache.h" -@@ -210,9 +211,10 @@ done: - static int setup_memcaches(struct nss_ctx *nctx) - { - /* Default memcache sizes */ -- static const size_t SSS_MC_CACHE_PASSWD_SLOTS = 200000; /* 8mb */ -- static const size_t SSS_MC_CACHE_GROUP_SLOTS = 150000; /* 6mb */ -- static const size_t SSS_MC_CACHE_INITGROUP_SLOTS = 250000; /* 10mb */ -+ static const size_t SSS_MC_CACHE_SLOTS_PER_MB = 1024*1024/MC_SLOT_SIZE; -+ static const size_t SSS_MC_CACHE_PASSWD_SIZE = 8; -+ static const size_t SSS_MC_CACHE_GROUP_SIZE = 6; -+ static const size_t SSS_MC_CACHE_INITGROUP_SIZE = 10; - - int ret; - int memcache_timeout; -@@ -251,7 +253,7 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = confdb_get_int(nctx->rctx->cdb, - CONFDB_NSS_CONF_ENTRY, - CONFDB_NSS_MEMCACHE_SIZE_PASSWD, -- SSS_MC_CACHE_PASSWD_SLOTS, -+ SSS_MC_CACHE_PASSWD_SIZE, - &mc_size_passwd); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -@@ -263,7 +265,7 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = confdb_get_int(nctx->rctx->cdb, - CONFDB_NSS_CONF_ENTRY, - CONFDB_NSS_MEMCACHE_SIZE_GROUP, -- SSS_MC_CACHE_GROUP_SLOTS, -+ SSS_MC_CACHE_GROUP_SIZE, - &mc_size_group); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -@@ -275,7 +277,7 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = confdb_get_int(nctx->rctx->cdb, - 
CONFDB_NSS_CONF_ENTRY, - CONFDB_NSS_MEMCACHE_SIZE_INITGROUPS, -- SSS_MC_CACHE_INITGROUP_SLOTS, -+ SSS_MC_CACHE_INITGROUP_SIZE, - &mc_size_initgroups); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -@@ -290,7 +292,7 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = sss_mmap_cache_init(nctx, "passwd", - nctx->mc_uid, nctx->mc_gid, - SSS_MC_PASSWD, -- mc_size_passwd, -+ mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB, - (time_t)memcache_timeout, - &nctx->pwd_mc_ctx); - if (ret) { -@@ -310,7 +312,7 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = sss_mmap_cache_init(nctx, "group", - nctx->mc_uid, nctx->mc_gid, - SSS_MC_GROUP, -- mc_size_group, -+ mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB, - (time_t)memcache_timeout, - &nctx->grp_mc_ctx); - if (ret) { -@@ -330,7 +332,7 @@ static int setup_memcaches(struct nss_ctx *nctx) - ret = sss_mmap_cache_init(nctx, "initgroups", - nctx->mc_uid, nctx->mc_gid, - SSS_MC_INITGROUPS, -- mc_size_initgroups, -+ mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB, - (time_t)memcache_timeout, - &nctx->initgr_mc_ctx); - if (ret) { --- -2.21.3 - diff --git a/SOURCES/0033-configure-check-for-stdatomic.h.patch b/SOURCES/0033-configure-check-for-stdatomic.h.patch new file mode 100644 index 0000000..699c3f6 --- /dev/null +++ b/SOURCES/0033-configure-check-for-stdatomic.h.patch 
@@ -0,0 +1,28 @@
+From 075519bceca7a8f4fa28a0b7c538f2f50d552d13 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Thu, 26 Nov 2020 14:56:08 +0100
+Subject: [PATCH 18/18] configure: check for stdatomic.h
+
+Recent autofs patches adds dependency on automic_uint/_Atomic type from C11
+standard. This is supported in both gcc and clang for a long time now.
+
+Reviewed-by: Alexey Tikhonov
+---
+ configure.ac | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/configure.ac b/configure.ac
+index 1af1d1785..0d24c4b35 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -42,6 +42,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
+ AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
+
+ AC_CHECK_HEADERS(stdint.h dlfcn.h)
++AC_CHECK_HEADERS([stdatomic.h],,AC_MSG_ERROR([C11 atomic types are not supported]))
+ AC_CONFIG_HEADER(config.h)
+
+ AC_CHECK_TYPES([errno_t], [], [], [[#include ]])
+--
+2.21.3
+
diff --git a/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch b/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch
new file mode 100644
index 0000000..5181137
--- /dev/null
+++ b/SOURCES/0034-cache_req-ignore-autofs-not-configured-error.patch
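Review bot: The action-if-not-found argument of the new `AC_CHECK_HEADERS` call is passed unquoted, unlike the bracketed arguments of the `AC_CHECK_TYPES` line two lines below it. Quoting it and making the empty argument explicit is the usual Autoconf style and avoids premature macro expansion: `AC_CHECK_HEADERS([stdatomic.h], [], [AC_MSG_ERROR([C11 atomic types are not supported])])`. The presence of the header does not by itself prove that atomics are usable, since a compiler may define `__STDC_NO_ATOMICS__`, so a compile test would be the stricter check if that case matters.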
@@ -0,0 +1,131 @@ +From 2499bd145f566bfd73b8c7e284b910dd2b36c6d1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 15 Jan 2021 12:04:38 +0100 +Subject: [PATCH] cache_req: ignore autofs not configured error + +Otherwise we return ERR_OFFLINE for domains where autofs provider is not +set (such as implicit files domain) which is undesirable. + +Steps to reproduce: +1. Enable implicit files domains and LDAP domain with autofs configured +2. Setup NFS server to export `/exports` with `/exports/home/test` +3. Add autofs mount points: +``` +dn: ou=mount,dc=ldap,dc=vm +ou: mount +objectClass: organizationalUnit +objectClass: top + +dn: nisMapName=auto.master,ou=mount,dc=ldap,dc=vm +objectClass: nisMap +objectClass: top +nisMapName: auto.master + +dn: cn=/export/home,nisMapName=auto.master,ou=mount,dc=ldap,dc=vm +objectClass: nisObject +objectClass: top +cn: /export/home +nisMapEntry: auto.home +nisMapName: auto.master + +dn: nisMapName=auto.home,ou=mount,dc=ldap,dc=vm +objectClass: nisMap +objectClass: top +nisMapName: auto.home + +dn: cn=/,nisMapName=auto.home,ou=mount,dc=ldap,dc=vm +objectClass: nisObject +objectClass: top +cn: / +nisMapEntry: -fstype=nfs,rw master.ldap.vm:/export/home/& +nisMapName: auto.home +``` +4. Run SSSD and autofs +5. cd to /exports/home/test + +The directory will not be mounted with the new autofs protocol. It +will succeed with the old protocol. In both versions, you'll see +that SSSD returned ERR_OFFLINE: + +``` +(2021-01-15 11:44:48): [be[implicit_files]] [sbus_issue_request_done] (0x0040): sssd.DataProvider.Autofs.GetEntry: Error [1432158215]: DP target is not configured +... 
+(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Looking up [auto.home:test] in cache +(2021-01-15 11:44:49): [autofs] [cache_req_search_cache] (0x0400): CR #3: Object [auto.home:test] was not found in cache +(2021-01-15 11:44:49): [autofs] [cache_req_search_ncache_add_to_domain] (0x2000): CR #3: This request type does not support negative cache +(2021-01-15 11:44:49): [autofs] [cache_req_process_result] (0x0400): CR #3: Finished: Error 1432158212: SSSD is offline +``` + +Reviewed-by: Alexey Tikhonov +--- + .../cache_req/plugins/cache_req_autofs_entry_by_name.c | 10 +++++++++- + .../cache_req/plugins/cache_req_autofs_map_by_name.c | 10 +++++++++- + .../cache_req/plugins/cache_req_autofs_map_entries.c | 10 +++++++++- + 3 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index cd2085187..f411fd351 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -92,7 +92,15 @@ bool + cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq, + struct cache_req *cr) + { +- return sbus_call_dp_autofs_GetEntry_recv(subreq) == EOK; ++ errno_t ret; ++ ++ ret = sbus_call_dp_autofs_GetEntry_recv(subreq); ++ ++ if (ret == ERR_MISSING_DP_TARGET) { ++ ret = EOK; ++ } ++ ++ return ret == EOK; + } + + const struct cache_req_plugin cache_req_autofs_entry_by_name = { +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 9d9bc3a97..c22cf0c8e 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -88,7 +88,15 @@ bool + cache_req_autofs_map_by_name_dp_recv(struct tevent_req 
*subreq, + struct cache_req *cr) + { +- return sbus_call_dp_autofs_GetMap_recv(subreq) == EOK; ++ errno_t ret; ++ ++ ret = sbus_call_dp_autofs_GetMap_recv(subreq); ++ ++ if (ret == ERR_MISSING_DP_TARGET) { ++ ret = EOK; ++ } ++ ++ return ret == EOK; + } + + const struct cache_req_plugin cache_req_autofs_map_by_name = { +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index ee0156b6a..4d9db6595 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -120,7 +120,15 @@ bool + cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq, + struct cache_req *cr) + { +- return sbus_call_dp_autofs_Enumerate_recv(subreq) == EOK; ++ errno_t ret; ++ ++ ret = sbus_call_dp_autofs_Enumerate_recv(subreq); ++ ++ if (ret == ERR_MISSING_DP_TARGET) { ++ ret = EOK; ++ } ++ ++ return ret == EOK; + } + + const struct cache_req_plugin cache_req_autofs_map_entries = { +-- +2.21.3 + diff --git a/SOURCES/0034-mem-cache-comment-added.patch b/SOURCES/0034-mem-cache-comment-added.patch deleted file mode 100644 index 05404fb..0000000 --- a/SOURCES/0034-mem-cache-comment-added.patch +++ /dev/null 
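Review bot: Each of the three `_dp_recv` functions now turns `ERR_MISSING_DP_TARGET` into success with nothing in the code saying why, and the same lines are repeated in all three files. A comment above the check, such as `/* autofs provider not configured for this domain (e.g. implicit files): not an error */`, would carry the rationale that is currently only in the commit message. The body can also be written directly as `return ret == EOK || ret == ERR_MISSING_DP_TARGET;`. A low-severity debug message at that point would let an operator tell a skipped domain from a real reply when reading the responder log.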
@@ -1,38 +0,0 @@
-From b96b05bc40757b26f177e4093d7f4f5b96a0f7d0 Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov
-Date: Fri, 3 Jul 2020 18:45:11 +0200
-Subject: [PATCH 34/35] mem-cache: comment added
-
-Added comment explaining usage of `mcc->next_slot`
-
-Reviewed-by: Sumit Bose
----
- src/responder/nss/nsssrv_mmap_cache.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c
-index 23df164da..71919e4ac 100644
---- a/src/responder/nss/nsssrv_mmap_cache.c
-+++ b/src/responder/nss/nsssrv_mmap_cache.c
-@@ -65,7 +65,7 @@ struct sss_mc_ctx {
-
- uint8_t *free_table; /* free list bitmaps */
- uint32_t ft_size; /* size of free table */
-- uint32_t next_slot; /* the next slot after last allocation */
-+ uint32_t next_slot; /* the next slot after last allocation done via erasure */
-
- uint8_t *data_table; /* data table address (in mmap) */
- uint32_t dt_size; /* size of data table */
-@@ -442,6 +442,9 @@ static errno_t sss_mc_find_free_slots(struct sss_mc_ctx *mcc,
- if (cur == t) {
- /* ok found num_slots consecutive free bits */
- *free_slot = cur - num_slots;
-+ /* `mcc->next_slot` is not updated here intentionally.
-+ * For details see discussion in https://github.com/SSSD/sssd/pull/999
-+ */
- return EOK;
- }
- }
---
-2.21.3
-
diff --git a/SOURCES/0035-mem-cache-always-cleanup-old-content.patch b/SOURCES/0035-mem-cache-always-cleanup-old-content.patch
deleted file mode 100644
index af2e7ca..0000000
--- a/SOURCES/0035-mem-cache-always-cleanup-old-content.patch
+++ /dev/null
@@ -1,262 +0,0 @@ -From 484507bf20d27afd700d52c67651e6f08d1da1a3 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 8 Jul 2020 11:34:12 +0200 -Subject: [PATCH 35/35] mem-cache: always cleanup old content - -(Try to) cleanup old files even if currently mem-cache is disabled. - -Reviewed-by: Sumit Bose ---- - src/responder/nss/nsssrv.c | 98 ++++++++++----------------- - src/responder/nss/nsssrv_mmap_cache.c | 74 ++++++++++++-------- - 2 files changed, 79 insertions(+), 93 deletions(-) - -diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c -index 741e94aaa..ffb1ca29d 100644 ---- a/src/responder/nss/nsssrv.c -+++ b/src/responder/nss/nsssrv.c -@@ -242,12 +242,6 @@ static int setup_memcaches(struct nss_ctx *nctx) - return ret; - } - -- if (memcache_timeout == 0) { -- DEBUG(SSSDBG_CONF_SETTINGS, -- "Fast in-memory cache will not be initialized."); -- return EOK; -- } -- - /* Get all memcache sizes from confdb (pwd, grp, initgr) */ - - ret = confdb_get_int(nctx->rctx->cdb, -@@ -288,64 +282,40 @@ static int setup_memcaches(struct nss_ctx *nctx) - - /* Initialize the fast in-memory caches if they were not disabled */ - -- if (mc_size_passwd != 0) { -- ret = sss_mmap_cache_init(nctx, "passwd", -- nctx->mc_uid, nctx->mc_gid, -- SSS_MC_PASSWD, -- mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB, -- (time_t)memcache_timeout, -- &nctx->pwd_mc_ctx); -- if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Failed to initialize passwd mmap cache: '%s'\n", -- sss_strerror(ret)); -- } else { -- DEBUG(SSSDBG_CONF_SETTINGS, "Passwd mmap cache size is %d\n", -- mc_size_passwd); -- } -- } else { -- DEBUG(SSSDBG_IMPORTANT_INFO, -- "Passwd mmap cache is explicitly DISABLED\n"); -- } -- -- if (mc_size_group != 0) { -- ret = sss_mmap_cache_init(nctx, "group", -- nctx->mc_uid, nctx->mc_gid, -- SSS_MC_GROUP, -- mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB, -- (time_t)memcache_timeout, -- &nctx->grp_mc_ctx); -- if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Failed to initialize group mmap 
cache: '%s'\n", -- sss_strerror(ret)); -- } else { -- DEBUG(SSSDBG_CONF_SETTINGS, "Group mmap cache size is %d\n", -- mc_size_group); -- } -- } else { -- DEBUG(SSSDBG_IMPORTANT_INFO, -- "Group mmap cache is explicitly DISABLED\n"); -- } -- -- if (mc_size_initgroups != 0) { -- ret = sss_mmap_cache_init(nctx, "initgroups", -- nctx->mc_uid, nctx->mc_gid, -- SSS_MC_INITGROUPS, -- mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB, -- (time_t)memcache_timeout, -- &nctx->initgr_mc_ctx); -- if (ret) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Failed to initialize initgroups mmap cache: '%s'\n", -- sss_strerror(ret)); -- } else { -- DEBUG(SSSDBG_CONF_SETTINGS, "Initgroups mmap cache size is %d\n", -- mc_size_initgroups); -- } -- } else { -- DEBUG(SSSDBG_IMPORTANT_INFO, -- "Initgroups mmap cache is explicitly DISABLED\n"); -+ ret = sss_mmap_cache_init(nctx, "passwd", -+ nctx->mc_uid, nctx->mc_gid, -+ SSS_MC_PASSWD, -+ mc_size_passwd * SSS_MC_CACHE_SLOTS_PER_MB, -+ (time_t)memcache_timeout, -+ &nctx->pwd_mc_ctx); -+ if (ret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize passwd mmap cache: '%s'\n", -+ sss_strerror(ret)); -+ } -+ -+ ret = sss_mmap_cache_init(nctx, "group", -+ nctx->mc_uid, nctx->mc_gid, -+ SSS_MC_GROUP, -+ mc_size_group * SSS_MC_CACHE_SLOTS_PER_MB, -+ (time_t)memcache_timeout, -+ &nctx->grp_mc_ctx); -+ if (ret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize group mmap cache: '%s'\n", -+ sss_strerror(ret)); -+ } -+ -+ ret = sss_mmap_cache_init(nctx, "initgroups", -+ nctx->mc_uid, nctx->mc_gid, -+ SSS_MC_INITGROUPS, -+ mc_size_initgroups * SSS_MC_CACHE_SLOTS_PER_MB, -+ (time_t)memcache_timeout, -+ &nctx->initgr_mc_ctx); -+ if (ret) { -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Failed to initialize initgroups mmap cache: '%s'\n", -+ sss_strerror(ret)); - } - - return EOK; -diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c -index 71919e4ac..f66e76ce4 100644 ---- a/src/responder/nss/nsssrv_mmap_cache.c -+++ 
b/src/responder/nss/nsssrv_mmap_cache.c -@@ -1108,48 +1108,48 @@ static errno_t sss_mc_set_recycled(int fd) - return EOK; - } - --/* -- * When we (re)create a new file we must mark the current file as recycled -- * so active clients will abandon its use ASAP. -- * We unlink the current file and make a new one. -- */ --static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx) -+static void sss_mc_destroy_file(const char *filename) - { -- mode_t old_mask; -+ const useconds_t t = 50000; -+ const int retries = 3; - int ofd; -- int ret, uret; -- useconds_t t = 50000; -- int retries = 3; -+ int ret; - -- ofd = open(mc_ctx->file, O_RDWR); -+ ofd = open(filename, O_RDWR); - if (ofd != -1) { - ret = sss_br_lock_file(ofd, 0, 1, retries, t); - if (ret != EOK) { -- DEBUG(SSSDBG_FATAL_FAILURE, -- "Failed to lock file %s.\n", mc_ctx->file); -+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to lock file %s.\n", filename); - } - ret = sss_mc_set_recycled(ofd); - if (ret) { - DEBUG(SSSDBG_FATAL_FAILURE, "Failed to mark mmap file %s as" -- " recycled: %d(%s)\n", -- mc_ctx->file, ret, strerror(ret)); -+ " recycled: %d (%s)\n", -+ filename, ret, strerror(ret)); - } -- - close(ofd); - } else if (errno != ENOENT) { - ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, -- "Failed to open old memory cache file %s: %d(%s).\n", -- mc_ctx->file, ret, strerror(ret)); -+ "Failed to open old memory cache file %s: %d (%s)\n", -+ filename, ret, strerror(ret)); - } - - errno = 0; -- ret = unlink(mc_ctx->file); -+ ret = unlink(filename); - if (ret == -1 && errno != ENOENT) { - ret = errno; -- DEBUG(SSSDBG_TRACE_FUNC, "Failed to rm mmap file %s: %d(%s)\n", -- mc_ctx->file, ret, strerror(ret)); -+ DEBUG(SSSDBG_TRACE_FUNC, "Failed to delete mmap file %s: %d (%s)\n", -+ filename, ret, strerror(ret)); - } -+} -+ -+static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx) -+{ -+ const useconds_t t = 50000; -+ const int retries = 3; -+ mode_t old_mask; -+ int ret, uret; - - /* temporarily relax umask as we need the file 
to be readable - * by everyone for now */ -@@ -1276,9 +1276,32 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, - - struct sss_mc_ctx *mc_ctx = NULL; - int ret, dret; -+ char *filename; -+ -+ filename = talloc_asprintf(mem_ctx, "%s/%s", SSS_NSS_MCACHE_DIR, name); -+ if (!filename) { -+ return ENOMEM; -+ } -+ /* -+ * First of all mark the current file as recycled -+ * and unlink so active clients will abandon its use ASAP -+ */ -+ sss_mc_destroy_file(filename); -+ -+ if ((timeout == 0) || (n_elem == 0)) { -+ DEBUG(SSSDBG_IMPORTANT_INFO, -+ "Fast '%s' mmap cache is explicitly DISABLED\n", -+ mc_type_to_str(type)); -+ *mcc = NULL; -+ return EOK; -+ } -+ DEBUG(SSSDBG_CONF_SETTINGS, -+ "Fast '%s' mmap cache: timeout = %d, slots = %zu\n", -+ mc_type_to_str(type), (int)timeout, n_elem); - - mc_ctx = talloc_zero(mem_ctx, struct sss_mc_ctx); - if (!mc_ctx) { -+ talloc_free(filename); - return ENOMEM; - } - mc_ctx->fd = -1; -@@ -1297,12 +1320,7 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, - - mc_ctx->valid_time_slot = timeout; - -- mc_ctx->file = talloc_asprintf(mc_ctx, "%s/%s", -- SSS_NSS_MCACHE_DIR, name); -- if (!mc_ctx->file) { -- ret = ENOMEM; -- goto done; -- } -+ mc_ctx->file = talloc_steal(mc_ctx, filename); - - /* elements must always be multiple of 8 to make things easier to handle, - * so we increase by the necessary amount if they are not a multiple */ -@@ -1320,8 +1338,6 @@ errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, - MC_ALIGN64(mc_ctx->ht_size); - - -- /* for now ALWAYS create a new file on restart */ -- - ret = sss_mc_create_file(mc_ctx); - if (ret) { - goto done; --- -2.21.3 - diff --git a/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch b/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch new file mode 100644 index 0000000..5cd16fa --- /dev/null +++ b/SOURCES/0035-simple-fix-memory-leak-while-reloading-lists.patch 
@@ -0,0 +1,100 @@
+From 19c2c641e669ee1c08d6706c132625dc30e64609 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 12 Jan 2021 16:40:56 +0100
+Subject: [PATCH] simple: fix memory leak while reloading lists
+
+The simple access provider will reload the access and deny lists at
+runtime to make sure that users and groups from domains which are
+discovered at runtime are properly processed.
+
+While reloading the lists the original lists are not freed and an
+intermediate list wasn't removed as well.
+
+Resolves: https://github.com/SSSD/sssd/issues/5456
+
+:fixes: Memory leak in the simple access provider
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/providers/simple/simple_access.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
+index 1868569b1..49226adf2 100644
+--- a/src/providers/simple/simple_access.c
++++ b/src/providers/simple/simple_access.c
+@@ -117,17 +117,13 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
+ const char *name;
+ const char *option;
+ char **orig_list;
+- char ***ctx_list;
++ char **ctx_list;
+ } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL},
+ {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL},
+ {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL},
+ {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL},
+ {NULL, NULL, NULL, NULL}};
+
+- lists[0].ctx_list = &ctx->allow_users;
+- lists[1].ctx_list = &ctx->deny_users;
+- lists[2].ctx_list = &ctx->allow_groups;
+- lists[3].ctx_list = &ctx->deny_groups;
+
+ ret = sysdb_master_domain_update(bectx->domain);
+ if (ret != EOK) {
+@@ -141,7 +137,6 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
+ lists[i].option, &lists[i].orig_list);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name);
+- *lists[i].ctx_list = NULL;
+ continue;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n");
+@@ -149,7 +144,8 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
+ }
+
+ ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
+- lists[i].ctx_list);
++ &lists[i].ctx_list);
++ talloc_free(lists[i].orig_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n",
+ lists[i].name, ret, sss_strerror(ret));
+@@ -157,6 +153,18 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
+ }
+ }
+
++ talloc_free(ctx->allow_users);
++ ctx->allow_users = talloc_steal(ctx, lists[0].ctx_list);
++
++ talloc_free(ctx->deny_users);
++ ctx->deny_users = talloc_steal(ctx, lists[1].ctx_list);
++
++ talloc_free(ctx->allow_groups);
++ ctx->allow_groups = talloc_steal(ctx, lists[2].ctx_list);
++
++ talloc_free(ctx->deny_groups);
++ ctx->deny_groups = talloc_steal(ctx, lists[3].ctx_list);
++
+ if (!ctx->allow_users &&
+ !ctx->allow_groups &&
+ !ctx->deny_users &&
+@@ -165,9 +173,15 @@ int simple_access_obtain_filter_lists(struct simple_ctx *ctx)
+ "No rules supplied for simple access provider. "
+ "Access will be granted for all users.\n");
+ }
++
++
+ return EOK;
+
+ failed:
++ for (i = 0; lists[i].name != NULL; i++) {
++ talloc_free(lists[i].ctx_list);
++ }
++
+ return ret;
+ }
+
+--
+2.21.3
+
diff --git a/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch b/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch
new file mode 100644
index 0000000..d432682
--- /dev/null
+++ b/SOURCES/0036-SBUS-do-not-try-to-del-non-existing-sender.patch
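Review bot: The final assignments in simple_access_obtain_filter_lists() select the parsed lists by position (`lists[0].ctx_list` through `lists[3].ctx_list`), which silently depends on the order of the `lists[]` initializer; if an entry is ever inserted or reordered, an allow list could be stored as a deny list (or the reverse) and access decisions would change with no compile error. A comment above that block such as `/* indices match the order of lists[]: allow users, deny users, allow groups, deny groups */`, or an enum naming the four slots, would make the coupling explicit. It is also worth documenting that the update is all-or-nothing as far as these hunks show: the `failed:` path frees only the temporaries, so the lists already held in `ctx` stay in effect when a reload fails. The function starts outside these hunks, so the declaration of `i` and the start of the loop are not visible here.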
@@ -0,0 +1,38 @@
+From bdf461c7577c458d7b2a785b2007c0ccae73e3f7 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Mon, 11 Jan 2021 18:28:02 +0100
+Subject: [PATCH] SBUS: do not try to del non existing sender
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Resolves: https://github.com/SSSD/sssd/issues/5425
+
+Reviewed-by: Pavel Březina
+---
+ src/sbus/request/sbus_request_sender.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/sbus/request/sbus_request_sender.c b/src/sbus/request/sbus_request_sender.c
+index cecb188b0..39cdec064 100644
+--- a/src/sbus/request/sbus_request_sender.c
++++ b/src/sbus/request/sbus_request_sender.c
+@@ -101,10 +101,11 @@ void
+ sbus_senders_delete(hash_table_t *table,
+ const char *name)
+ {
+- DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
+- name);
+-
+- sss_ptr_hash_delete(table, name, true);
++ if (sss_ptr_hash_has_key(table, name)) {
++ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing identity of sender [%s]\n",
++ name);
++ sss_ptr_hash_delete(table, name, true);
++ }
+ }
+
+ errno_t
+--
+2.21.3
+
diff --git a/SOURCES/0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch b/SOURCES/0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch
deleted file mode 100644
index 0623a83..0000000
--- a/SOURCES/0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch
+++ /dev/null
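Review bot: The new `sss_ptr_hash_has_key()` guard in sbus_senders_delete() has no comment saying why a missing key is an expected case, and the commit message only links the issue. A one-line comment before the `if`, for example `/* The sender may never have been cached; nothing to remove in that case. */`, would keep the check from being dropped later as redundant; the wording should be confirmed against what `sss_ptr_hash_delete()` does for an absent key, which is not visible in this hunk. The trace message is now emitted only when an entry is actually removed, so a delete request for an unknown sender name leaves no log line; if that is useful when debugging the sender-identity cache, an `else` branch with a trace message could be added.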
@@ -1,16083 +0,0 @@ -From 4fd05180b4c47a4ba6b23b2b82aa7b9589989f61 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 18 Jun 2020 11:52:01 +0200 -Subject: [PATCH] TRANSLATIONS: updated translations to include new source file -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Some translations were previously missed when some code moved -to a new source file `src/config/SSSDConfig/sssdoptions.py` - -Reviewed-by: Pavel Březina ---- - po/fr.po | 4831 +++++++++++++++++++++++++++++---------------------- - po/ja.po | 4392 ++++++++++++++++++++++++++-------------------- - po/sssd.pot | 1862 +++++++++++++++++++- - po/zh_CN.po | 2538 +++++++++++++++++++++++---- - 4 files changed, 9195 insertions(+), 4428 deletions(-) - -diff --git a/po/fr.po b/po/fr.po -index 2dad196a1..198c757e8 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -15,2726 +15,3351 @@ msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" --"POT-Creation-Date: 2020-05-19 12:05+0200\n" --"PO-Revision-Date: 2020-05-19 10:07+0000\n" --"Last-Translator: Pavel Brezina \n" --"Language-Team: French (http://www.transifex.com/projects/p/sssd/language/" --"fr/)\n" --"Language: fr\n" -+"POT-Creation-Date: 2020-06-17 22:51+0200\n" - "MIME-Version: 1.0\n" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" -+"PO-Revision-Date: 2020-05-19 10:07+0000\n" -+"Last-Translator: Pavel Brezina \n" -+"Language-Team: French (http://www.transifex.com/projects/p/sssd/language/fr/" -+")\n" -+"Language: fr\n" - "Plural-Forms: nplurals=2; plural=(n > 1);\n" - "X-Generator: Zanata 4.6.2\n" - --#: src/monitor/monitor.c:2371 --msgid "Become a daemon (default)" --msgstr "Devenir un démon (par défaut)" -+#: src/config/SSSDConfig/sssdoptions.py:20 -+#: src/config/SSSDConfig/sssdoptions.py:21 -+msgid "Set the verbosity of the debug logging" -+msgstr "Définir le niveau de détails de la sortie de 
débogage" - --#: src/monitor/monitor.c:2373 --msgid "Run interactive (not a daemon)" --msgstr "Fonctionner en interactif (non démon)" -+#: src/config/SSSDConfig/sssdoptions.py:22 -+msgid "Include timestamps in debug logs" -+msgstr "Ajouter l'horodatage dans les fichiers de débogage" - --#: src/monitor/monitor.c:2376 --msgid "Disable netlink interface" --msgstr "Désactiver l'interface netlink" -+#: src/config/SSSDConfig/sssdoptions.py:23 -+msgid "Include microseconds in timestamps in debug logs" -+msgstr "" -+"Ajouter les microsecondes pour l'horodatage dans les journaux de débogage" - --#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_logs.c:310 --msgid "Specify a non-default config file" --msgstr "Définir un fichier de configuration différent de celui par défaut" -+#: src/config/SSSDConfig/sssdoptions.py:24 -+msgid "Write debug messages to logfiles" -+msgstr "Écrire les messages de débogage dans les journaux" - --#: src/monitor/monitor.c:2380 --msgid "Refresh the configuration database, then exit" --msgstr "Rafraîchissez la base de données de configuration, puis quittez" -+#: src/config/SSSDConfig/sssdoptions.py:25 -+msgid "Watchdog timeout before restarting service" -+msgstr "Délai de surveillance avant le redémarrage du service" - --#: src/monitor/monitor.c:2383 --msgid "Similar to --genconf, but only refreshes the given section" --msgstr "Semblable à --genconf, mais ne rafraîchit que la section donnée" -+#: src/config/SSSDConfig/sssdoptions.py:26 -+msgid "Command to start service" -+msgstr "Commande pour démarrer le service" - --#: src/monitor/monitor.c:2386 --msgid "Print version number and exit" --msgstr "Afficher le numéro de version et quitte" -+#: src/config/SSSDConfig/sssdoptions.py:27 -+msgid "Number of times to attempt connection to Data Providers" -+msgstr "Nombre d'essais pour tenter de se connecter au fournisseur de données" - --#: src/monitor/monitor.c:2532 --msgid "SSSD is already running\n" --msgstr "SSSD est déjà en cours d'exécution\n" -+#: 
src/config/SSSDConfig/sssdoptions.py:28 -+msgid "The number of file descriptors that may be opened by this responder" -+msgstr "" -+"Le nombre de descripteurs de fichiers qui peuvent être ouverts par ce " -+"répondeur" - --#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:638 --msgid "Debug level" --msgstr "Niveau de débogage" -+#: src/config/SSSDConfig/sssdoptions.py:29 -+msgid "Idle time before automatic disconnection of a client" -+msgstr "durée d'inactivité avant la déconnexion automatique d'un client" - --#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:640 --msgid "Add debug timestamps" --msgstr "Ajouter l'horodatage au débogage" -+#: src/config/SSSDConfig/sssdoptions.py:30 -+msgid "Idle time before automatic shutdown of the responder" -+msgstr "Temps d'inactivité avant l'arrêt automatique du répondeur" - --#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:642 --msgid "Show timestamps with microseconds" --msgstr "Afficher l'horodatage en microsecondes" -+#: src/config/SSSDConfig/sssdoptions.py:31 -+msgid "Always query all the caches before querying the Data Providers" -+msgstr "" -+"Interrogez toujours tous les caches avant d'interroger les fournisseurs de " -+"données" - --#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:644 --msgid "An open file descriptor for the debug logs" --msgstr "Un descripteur de fichier ouvert pour les journaux de débogage" -+#: src/config/SSSDConfig/sssdoptions.py:32 -+msgid "" -+"When SSSD switches to offline mode the amount of time before it tries to go " -+"back online will increase based upon the time spent disconnected. This value " -+"is in seconds and calculated by the following: offline_timeout + " -+"random_offset." -+msgstr "" - --#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:646 --msgid "Send the debug output to stderr directly." --msgstr "Envoyer la sortie de débogage directement vers l'erreur standard." 
-+#: src/config/SSSDConfig/sssdoptions.py:38 -+msgid "" -+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " -+"version 2." -+msgstr "" - --#: src/providers/krb5/krb5_child.c:3245 --msgid "The user to create FAST ccache as" --msgstr "L'utilisateur à utiliser pour la création du ccache FAST" -+#: src/config/SSSDConfig/sssdoptions.py:39 -+msgid "SSSD Services to start" -+msgstr "Services SSSD à démarrer" - --#: src/providers/krb5/krb5_child.c:3247 --msgid "The group to create FAST ccache as" --msgstr "Le groupe à utiliser pour la création du ccache FAST" -+#: src/config/SSSDConfig/sssdoptions.py:40 -+msgid "SSSD Domains to start" -+msgstr "Domaines SSSD à démarrer" - --#: src/providers/krb5/krb5_child.c:3249 --msgid "Kerberos realm to use" --msgstr "Domaine Kerberos à utiliser" -+#: src/config/SSSDConfig/sssdoptions.py:41 -+msgid "Timeout for messages sent over the SBUS" -+msgstr "Délai d'attente pour les messages à envoyer à travers SBUS" - --#: src/providers/krb5/krb5_child.c:3251 --msgid "Requested lifetime of the ticket" --msgstr "Demande de renouvellement à vie du billet" -+#: src/config/SSSDConfig/sssdoptions.py:42 -+msgid "Regex to parse username and domain" -+msgstr "Expression rationnelle d'analyse des noms d'utilisateur et de domaine" - --#: src/providers/krb5/krb5_child.c:3253 --msgid "Requested renewable lifetime of the ticket" --msgstr "Demande de renouvellement à vie du billet" -+#: src/config/SSSDConfig/sssdoptions.py:43 -+msgid "Printf-compatible format for displaying fully-qualified names" -+msgstr "Format compatible printf d'affichage des noms complétement qualifiés" - --#: src/providers/krb5/krb5_child.c:3255 --msgid "FAST options ('never', 'try', 'demand')" --msgstr "Options FAST ('never', 'try', 'demand')" -+#: src/config/SSSDConfig/sssdoptions.py:44 -+msgid "" -+"Directory on the filesystem where SSSD should store Kerberos replay cache " -+"files." 
-+msgstr "" -+"Répertoire du système de fichiers où SSSD doit stocker les fichiers de " -+"relecture de Kerberos." - --#: src/providers/krb5/krb5_child.c:3258 --msgid "Specifies the server principal to use for FAST" --msgstr "Spécifie le principal de serveur afin d'utiliser FAST." -+#: src/config/SSSDConfig/sssdoptions.py:45 -+msgid "Domain to add to names without a domain component." -+msgstr "Domaine à ajouter aux noms sans composant de nom de domaine." - --#: src/providers/krb5/krb5_child.c:3260 --msgid "Requests canonicalization of the principal name" --msgstr "Demande la canonisation du nom principal" -+#: src/config/SSSDConfig/sssdoptions.py:46 -+msgid "The user to drop privileges to" -+msgstr "L'utilisation vers lequel abandonner les privilèges" - --#: src/providers/krb5/krb5_child.c:3262 --msgid "Use custom version of krb5_get_init_creds_password" --msgstr "Utiliser la version personnalisée de krb5_get_init_creds_password" -+#: src/config/SSSDConfig/sssdoptions.py:47 -+msgid "Tune certificate verification" -+msgstr "Régler la vérification du certificat" - --#: src/providers/data_provider_be.c:674 --msgid "Domain of the information provider (mandatory)" --msgstr "Domaine du fournisseur d'informations (obligatoire)" -+#: src/config/SSSDConfig/sssdoptions.py:48 -+msgid "All spaces in group or user names will be replaced with this character" -+msgstr "" -+"Tous les espaces dans les noms de groupes ou d'utilisateurs seront remplacés " -+"par ce caractère" - --#: src/sss_client/common.c:1079 --msgid "Privileged socket has wrong ownership or permissions." 
-+#: src/config/SSSDConfig/sssdoptions.py:49 -+msgid "Tune sssd to honor or ignore netlink state changes" -+msgstr "Régler sssd pour honorer ou ignorer les changements d'état du netlink" -+ -+#: src/config/SSSDConfig/sssdoptions.py:50 -+msgid "Enable or disable the implicit files domain" -+msgstr "Activer ou désactiver le domaine des fichiers implicites" -+ -+#: src/config/SSSDConfig/sssdoptions.py:51 -+msgid "A specific order of the domains to be looked up" -+msgstr "Un ordre spécifique des domaines à rechercher" -+ -+#: src/config/SSSDConfig/sssdoptions.py:52 -+msgid "" -+"Controls if SSSD should monitor the state of resolv.conf to identify when it " -+"needs to update its internal DNS resolver." - msgstr "" --"Le socket privilégié a de mauvaises permissions ou un mauvais propriétaire." - --#: src/sss_client/common.c:1082 --msgid "Public socket has wrong ownership or permissions." -+#: src/config/SSSDConfig/sssdoptions.py:54 -+msgid "" -+"SSSD monitors the state of resolv.conf to identify when it needs to update " -+"its internal DNS resolver. By default, we will attempt to use inotify for " -+"this, and will fall back to polling resolv.conf every five seconds if " -+"inotify cannot be used." - msgstr "" --"Le socket public a de mauvaises permissions ou un mauvais propriétaire." - --#: src/sss_client/common.c:1085 --msgid "Unexpected format of the server credential message." --msgstr "Le message du serveur de crédits a un format inattendu." -+#: src/config/SSSDConfig/sssdoptions.py:59 -+msgid "Enumeration cache timeout length (seconds)" -+msgstr "Délai d'attente du cache d'énumération (en secondes)" - --#: src/sss_client/common.c:1088 --msgid "SSSD is not run by root." --msgstr "SSSD n'est pas démarré par root." 
-+#: src/config/SSSDConfig/sssdoptions.py:60 -+msgid "Entry cache background update timeout length (seconds)" -+msgstr "" -+"Délai d'attente de mise à jour en arrière-plan de l'entrée de cache (en " -+"secondes)" - --#: src/sss_client/common.c:1091 --msgid "SSSD socket does not exist." --msgstr "La socket SSSD n'existe pas." -+#: src/config/SSSDConfig/sssdoptions.py:61 -+#: src/config/SSSDConfig/sssdoptions.py:112 -+msgid "Negative cache timeout length (seconds)" -+msgstr "Délai d'attente du cache négatif (en secondes)" - --#: src/sss_client/common.c:1094 --msgid "Cannot get stat of SSSD socket." --msgstr "Impossible d'obtenir le stat du socket SSSD." -+#: src/config/SSSDConfig/sssdoptions.py:62 -+msgid "Files negative cache timeout length (seconds)" -+msgstr "Délai d'attente du cache négatif (en secondes)" - --#: src/sss_client/common.c:1099 --msgid "An error occurred, but no description can be found." --msgstr "Une erreur est survenue mais aucune description n'est trouvée." -+#: src/config/SSSDConfig/sssdoptions.py:63 -+msgid "Users that SSSD should explicitly ignore" -+msgstr "Utilisateurs que SSSD doit explicitement ignorer" - --#: src/sss_client/common.c:1105 --msgid "Unexpected error while looking for an error description" --msgstr "Erreur inattendue lors de la recherche de la description de l'erreur" -+#: src/config/SSSDConfig/sssdoptions.py:64 -+msgid "Groups that SSSD should explicitly ignore" -+msgstr "Groupes que SSSD doit explicitement ignorer" - --#: src/sss_client/pam_sss.c:68 --msgid "Permission denied. " --msgstr "Accès refusé." 
-+#: src/config/SSSDConfig/sssdoptions.py:65 -+msgid "Should filtered users appear in groups" -+msgstr "Les utilisateurs filtrés doivent-ils apparaître dans les groupes" - --#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 --#: src/sss_client/pam_sss.c:790 --msgid "Server message: " --msgstr "Message du serveur : " -+#: src/config/SSSDConfig/sssdoptions.py:66 -+msgid "The value of the password field the NSS provider should return" -+msgstr "Valeur du champ de mot de passe que le fournisseur NSS doit renvoyer" - --#: src/sss_client/pam_sss.c:297 --msgid "Passwords do not match" --msgstr "Les mots de passe ne correspondent pas" -+#: src/config/SSSDConfig/sssdoptions.py:67 -+msgid "Override homedir value from the identity provider with this value" -+msgstr "" -+"Remplacer par cette valeur celle du répertoire personnel obtenu avec le " -+"fournisseur d'identité" - --#: src/sss_client/pam_sss.c:485 --msgid "Password reset by root is not supported." -+#: src/config/SSSDConfig/sssdoptions.py:68 -+msgid "" -+"Substitute empty homedir value from the identity provider with this value" - msgstr "" --"La réinitialisation du mot de passe par root n'est pas prise en charge." 
-+"Substitution de la valeur homedir vide du fournisseur d'identité avec cette " -+"valeur" - --#: src/sss_client/pam_sss.c:526 --msgid "Authenticated with cached credentials" --msgstr "Authentifié avec les crédits mis en cache" -+#: src/config/SSSDConfig/sssdoptions.py:69 -+msgid "Override shell value from the identity provider with this value" -+msgstr "" -+"Écraser le shell donné par le fournisseur d'identité avec cette valeur" - --#: src/sss_client/pam_sss.c:527 --msgid ", your cached password will expire at: " --msgstr ", votre mot de passe en cache expirera à :" -+#: src/config/SSSDConfig/sssdoptions.py:70 -+msgid "The list of shells users are allowed to log in with" -+msgstr "" -+"Liste des interpréteurs de commandes utilisateurs autorisés pour se " -+"connecter" - --#: src/sss_client/pam_sss.c:557 --#, c-format --msgid "Your password has expired. You have %1$d grace login(s) remaining." -+#: src/config/SSSDConfig/sssdoptions.py:71 -+msgid "" -+"The list of shells that will be vetoed, and replaced with the fallback shell" - msgstr "" --"Votre mot de passe a expiré. Il vous reste %1$d connexion(s) autorisée(s)." -+"Liste des interpréteurs de commandes bannis et remplacés par celui par " -+"défaut" - --#: src/sss_client/pam_sss.c:603 --#, c-format --msgid "Your password will expire in %1$d %2$s." --msgstr "Votre mot de passe expirera dans %1$d %2$s." 
-+#: src/config/SSSDConfig/sssdoptions.py:72 -+msgid "" -+"If a shell stored in central directory is allowed but not available, use " -+"this fallback" -+msgstr "" -+"Si un interpréteur de commandes stocké dans l'annuaire central est autorisé " -+"mais indisponible, utiliser à défaut celui-ci" - --#: src/sss_client/pam_sss.c:652 --msgid "Authentication is denied until: " --msgstr "L'authentification est refusée jusque :" -+#: src/config/SSSDConfig/sssdoptions.py:73 -+msgid "Shell to use if the provider does not list one" -+msgstr "Shell à utiliser si le fournisseur n'en propose aucun" - --#: src/sss_client/pam_sss.c:673 --msgid "System is offline, password change not possible" -+#: src/config/SSSDConfig/sssdoptions.py:74 -+msgid "How long will be in-memory cache records valid" -+msgstr "Durée de maintien en cache des enregistrements valides" -+ -+#: src/config/SSSDConfig/sssdoptions.py:75 -+msgid "" -+"The value of this option will be used in the expansion of the " -+"override_homedir option if the template contains the format string %H." - msgstr "" --"Le système est hors-ligne, les modifications du mot de passe sont impossibles" - --#: src/sss_client/pam_sss.c:688 -+#: src/config/SSSDConfig/sssdoptions.py:77 - msgid "" --"After changing the OTP password, you need to log out and back in order to " --"acquire a ticket" -+"Specifies time in seconds for which the list of subdomains will be " -+"considered valid." - msgstr "" --"Après avoir modifié le mot de passe OTP, vous devez vous déconnecter et vous " --"reconnecter afin d'acquérir un ticket" - --#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 --msgid "Password change failed. " --msgstr "Échec du changement de mot de passe." -+#: src/config/SSSDConfig/sssdoptions.py:79 -+msgid "" -+"The entry cache can be set to automatically update entries in the background " -+"if they are requested beyond a percentage of the entry_cache_timeout value " -+"for the domain." 
-+msgstr "" - --#: src/sss_client/pam_sss.c:2008 --msgid "New Password: " --msgstr "Nouveau mot de passe : " -+#: src/config/SSSDConfig/sssdoptions.py:84 -+msgid "How long to allow cached logins between online logins (days)" -+msgstr "" -+"Délai pendant lequel les connexions utilisant le cache sont autorisées entre " -+"deux connexions en ligne (en jours)" - --#: src/sss_client/pam_sss.c:2009 --msgid "Reenter new Password: " --msgstr "Retaper le nouveau mot de passe : " -+#: src/config/SSSDConfig/sssdoptions.py:85 -+msgid "How many failed logins attempts are allowed when offline" -+msgstr "Nombre d'échecs de connexions hors-ligne autorisés" - --#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 --msgid "First Factor: " --msgstr "Premier facteur :" -+#: src/config/SSSDConfig/sssdoptions.py:87 -+msgid "" -+"How long (minutes) to deny login after offline_failed_login_attempts has " -+"been reached" -+msgstr "" -+"Durée d'interdiction de connexion après que offline_failed_login_attempts " -+"est atteint (en minutes)" - --#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 --msgid "Second Factor (optional): " --msgstr "Deuxième facteur (facultatif) : " -+#: src/config/SSSDConfig/sssdoptions.py:88 -+msgid "What kind of messages are displayed to the user during authentication" -+msgstr "" -+"Quels types de messages sont affichés à l'utilisateur pendant " -+"l'authentification" - --#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 --msgid "Second Factor: " --msgstr "Second facteur :" -+#: src/config/SSSDConfig/sssdoptions.py:89 -+msgid "Filter PAM responses sent to the pam_sss" -+msgstr "Filtrez les réponses PAM envoyées à l'adresse pam_sss" - --#: src/sss_client/pam_sss.c:2190 --msgid "Password: " --msgstr "Mot de passe : " -+#: src/config/SSSDConfig/sssdoptions.py:90 -+msgid "How many seconds to keep identity information cached for PAM requests" -+msgstr "" -+"Durée en secondes pendant laquelle les informations d'identité sont gardées 
" -+"en cache pour les requêtes PAM" - --#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 --msgid "First Factor (Current Password): " --msgstr "Premier facteur (mot de passe actuel) : " -+#: src/config/SSSDConfig/sssdoptions.py:91 -+msgid "How many days before password expiration a warning should be displayed" -+msgstr "" -+"Nombre de jours précédent l'expiration du mot de passe avant lesquels un " -+"avertissement doit être affiché" - --#: src/sss_client/pam_sss.c:2349 --msgid "Current Password: " --msgstr "Mot de passe actuel : " -+#: src/config/SSSDConfig/sssdoptions.py:92 -+msgid "List of trusted uids or user's name" -+msgstr "Liste des uid ou noms d'utilisateurs dignes de confiance" - --#: src/sss_client/pam_sss.c:2704 --msgid "Password expired. Change your password now." --msgstr "Mot de passe expiré. Changez votre mot de passe maintenant." -+#: src/config/SSSDConfig/sssdoptions.py:93 -+msgid "List of domains accessible even for untrusted users." -+msgstr "" -+"Liste des domaines accessibles y compris par les utilisateurs non dignes de " -+"confiance" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 --#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 --#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 --#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 --#: src/tools/sss_cache.c:719 --msgid "The debug level to run with" --msgstr "Le niveau de débogage utilisé avec" -+#: src/config/SSSDConfig/sssdoptions.py:94 -+msgid "Message printed when user account is expired." -+msgstr "Message affiché lorsque le compte a expiré" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 --msgid "The SSSD domain to use" --msgstr "Le domaine SSSD à utiliser" -+#: src/config/SSSDConfig/sssdoptions.py:95 -+msgid "Message printed when user account is locked." 
-+msgstr "Message affiché lorsque le compte a expiré" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 --#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 --#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 --#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 --#: src/tools/sss_cache.c:765 --msgid "Error setting the locale\n" --msgstr "Erreur lors du paramétrage de la locale\n" -+#: src/config/SSSDConfig/sssdoptions.py:96 -+msgid "Allow certificate based/Smartcard authentication." -+msgstr "Autoriser l'authentification par certificat/carte à puce." - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 --msgid "Not enough memory\n" --msgstr "Mémoire insuffisante\n" -+#: src/config/SSSDConfig/sssdoptions.py:97 -+msgid "Path to certificate database with PKCS#11 modules." -+msgstr "" -+"Chemin d'accès à la base de données des certificats des modules PKCS#11." - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 --msgid "User not specified\n" --msgstr "Utilisateur non spécifié\n" -+#: src/config/SSSDConfig/sssdoptions.py:98 -+msgid "How many seconds will pam_sss wait for p11_child to finish" -+msgstr "Combien de secondes pam_sss attendra-t-il la fin de p11_child" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 --msgid "Error looking up public keys\n" --msgstr "Erreur lors de la recherche des clés publiques\n" -+#: src/config/SSSDConfig/sssdoptions.py:99 -+msgid "Which PAM services are permitted to contact application domains" -+msgstr "" -+"Quels services PAM sont autorisés à contacter les domaines d'application" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 --msgid "The port to use to connect to the host" --msgstr "Le port à utiliser pour se connecter à l'hôte" -+#: src/config/SSSDConfig/sssdoptions.py:100 -+msgid "Allowed services for using smartcards" -+msgstr "Services autorisés pour l'utilisation de cartes à puce" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 --msgid "Print the 
host ssh public keys" --msgstr "Imprimer les clés publiques ssh de l'hôte" -+#: src/config/SSSDConfig/sssdoptions.py:101 -+msgid "Additional timeout to wait for a card if requested" -+msgstr "" -+"Délai d'attente supplémentaire pour l'obtention d'une carte si demandé" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 --msgid "Invalid port\n" --msgstr "Port invalide\n" -+#: src/config/SSSDConfig/sssdoptions.py:102 -+msgid "" -+"PKCS#11 URI to restrict the selection of devices for Smartcard " -+"authentication" -+msgstr "" -+"URI PKCS#11 pour limiter la sélection des périphériques pour " -+"l'authentification par carte à puce" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 --msgid "Host not specified\n" --msgstr "Hôte non spécifié\n" -+#: src/config/SSSDConfig/sssdoptions.py:103 -+msgid "When shall the PAM responder force an initgroups request" -+msgstr "" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 --msgid "The path to the proxy command must be absolute\n" --msgstr "Le chemin vers la commande de proxy doit être absolue\n" -+#: src/config/SSSDConfig/sssdoptions.py:106 -+msgid "Whether to evaluate the time-based attributes in sudo rules" -+msgstr "" -+"Faut-il évaluer les attributs dépendants du temps dans les règles sudo" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 --#, c-format --msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" --msgstr "sss_ssh_knownhostsproxy : Impossible de résoudre le nom d'hôte %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:107 -+msgid "If true, SSSD will switch back to lower-wins ordering logic" -+msgstr "Si sur true, SSSD repasse en logique de commande à faible gain" - --#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 --msgid "The UID of the user" --msgstr "L'UID de l'utilisateur" -+#: src/config/SSSDConfig/sssdoptions.py:108 -+msgid "" -+"Maximum number of rules that can be refreshed at once. If this is exceeded, " -+"full refresh is performed." 
-+msgstr "" -+"Nombre maximum de règles pouvant être rafraîchies en même temps. En cas de " -+"dépassement, un rafraîchissement complet est effectué." - --#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 --msgid "The comment string" --msgstr "Phrase de commentaire" -+#: src/config/SSSDConfig/sssdoptions.py:115 -+msgid "Whether to hash host names and addresses in the known_hosts file" -+msgstr "" -+"Condenser ou non les noms de systèmes et adresses du fichier known_hosts" - --#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 --msgid "Home directory" --msgstr "Répertoire utilisateur" -+#: src/config/SSSDConfig/sssdoptions.py:116 -+msgid "" -+"How many seconds to keep a host in the known_hosts file after its host keys " -+"were requested" -+msgstr "" -+"Le nombre de secondes pour garder un hôte dans le fichier known_hosts après " -+"que ses clés d'hôte ont été demandées" - --#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 --msgid "Login shell" --msgstr "Interpréteur de commandes de connexion" -+#: src/config/SSSDConfig/sssdoptions.py:118 -+msgid "Path to storage of trusted CA certificates" -+msgstr "Chemin d'accès au stockage des certificats d'AC de confiance" - --#: src/tools/sss_useradd.c:53 --msgid "Groups" --msgstr "Groupes" -+#: src/config/SSSDConfig/sssdoptions.py:119 -+msgid "Allow to generate ssh-keys from certificates" -+msgstr "Permet de générer des ssh-keys à partir de certificats" - --#: src/tools/sss_useradd.c:54 --msgid "Create user's directory if it does not exist" --msgstr "Créer le repertoire utilisateur s'il n'existe pas" -+#: src/config/SSSDConfig/sssdoptions.py:120 -+msgid "" -+"Use the following matching rules to filter the certificates for ssh-key " -+"generation" -+msgstr "" -+"Utilisez les règles de correspondance suivantes pour filtrer les certificats " -+"pour la génération de clés ssh" - --#: src/tools/sss_useradd.c:55 --msgid "Never create user's directory, overrides config" --msgstr "Ne jamais créer de répertoire 
utilisateur, outrepasse la configuration" -+#: src/config/SSSDConfig/sssdoptions.py:124 -+msgid "List of UIDs or user names allowed to access the PAC responder" -+msgstr "" -+"Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur PAC" - --#: src/tools/sss_useradd.c:56 --msgid "Specify an alternative skeleton directory" --msgstr "Spécifie un répertoire squelette alternatif" -+#: src/config/SSSDConfig/sssdoptions.py:125 -+msgid "How long the PAC data is considered valid" -+msgstr "Durée de validité des données du PAC" - --#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 --msgid "The SELinux user for user's login" --msgstr "L'utilisateur SELinux pour l'identifiant de l'utilisateur" -+#: src/config/SSSDConfig/sssdoptions.py:128 -+msgid "List of user attributes the InfoPipe is allowed to publish" -+msgstr "Liste des attributs utilisateur que l'InfoPipe est autorisé à publier" - --#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 --#: src/tools/sss_usermod.c:92 --msgid "Specify group to add to\n" --msgstr "Définir le groupe à ajouter à\n" -+#: src/config/SSSDConfig/sssdoptions.py:131 -+msgid "The provider where the secrets will be stored in" -+msgstr "Le fournisseur où les secrets seront stockés" - --#: src/tools/sss_useradd.c:111 --msgid "Specify user to add\n" --msgstr "Définir l'utilisateur à ajouter à\n" -+#: src/config/SSSDConfig/sssdoptions.py:132 -+msgid "The maximum allowed number of nested containers" -+msgstr "Le nombre maximal de conteneurs imbriqués autorisés" - --#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 --#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 --#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 --#: src/tools/sss_usermod.c:162 --msgid "Error initializing the tools - no local domain\n" --msgstr "Erreur à l'initialisation des outils - aucun domaine local\n" -+#: src/config/SSSDConfig/sssdoptions.py:133 -+msgid "The maximum number of secrets that can be stored" -+msgstr "Le nombre 
maximum de secrets qui peuvent être stockés" - --#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 --#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 --#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 --#: src/tools/sss_usermod.c:164 --msgid "Error initializing the tools\n" --msgstr "Erreur à l'initialisation des outils\n" -+#: src/config/SSSDConfig/sssdoptions.py:134 -+msgid "The maximum number of secrets that can be stored per UID" -+msgstr "Le nombre maximum de secrets qui peuvent être stockés par UID" - --#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 --#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 --#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 --#: src/tools/sss_usermod.c:173 --msgid "Invalid domain specified in FQDN\n" --msgstr "Domaine invalide définit dans le FQDN\n" -+#: src/config/SSSDConfig/sssdoptions.py:135 -+msgid "The maximum payload size of a secret in kilobytes" -+msgstr "La taille maximale de la charge utile d'un secret en kilo-octets" - --#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 --#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 --#: src/tools/sss_usermod.c:226 --msgid "Internal error while parsing parameters\n" --msgstr "Erreur interne lors de l'analyse des paramètres\n" -+#: src/config/SSSDConfig/sssdoptions.py:137 -+msgid "The URL Custodia server is listening on" -+msgstr "L'URL du serveur Custodia est en écoute sur" - --#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 --#: src/tools/sss_usermod.c:235 --msgid "Groups must be in the same domain as user\n" --msgstr "Les groupes doivent être dans le même domaine que l'utilisateur\n" -+#: src/config/SSSDConfig/sssdoptions.py:138 -+msgid "The method to use when authenticating to a Custodia server" -+msgstr "" -+"La méthode à utiliser lors de l'authentification via un serveur Custodia" - --#: src/tools/sss_useradd.c:159 --#, c-format --msgid "Cannot find group %1$s in local domain\n" 
--msgstr "Impossible de trouver le groupe %1$s dans le domaine local\n" -+#: src/config/SSSDConfig/sssdoptions.py:139 -+msgid "" -+"The name of the headers that will be added into a HTTP request with the " -+"value defined in auth_header_value" -+msgstr "" -+"Le nom des en-têtes qui seront ajoutés dans une requête HTTP avec la valeur " -+"définie dans auth_header_value" - --#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 --msgid "Cannot set default values\n" --msgstr "Impossible de définir les valeurs par défaut\n" -+#: src/config/SSSDConfig/sssdoptions.py:141 -+msgid "The value sssd-secrets would use for auth_header_name" -+msgstr "La valeur que sssd-secrets utiliseraient pour auth_header_name" - --#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 --msgid "The selected UID is outside the allowed range\n" --msgstr "L'UID sélectionné est en dehors de la plage autorisée\n" -+#: src/config/SSSDConfig/sssdoptions.py:142 -+msgid "" -+"The list of the headers to forward to the Custodia server together with the " -+"request" -+msgstr "" -+"La liste des en-têtes à transmettre au serveur Custodia avec la requête" - --#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 --msgid "Cannot set SELinux login context\n" --msgstr "Impossible de définir le contexte de connexion SELinux\n" -+#: src/config/SSSDConfig/sssdoptions.py:143 -+msgid "" -+"The username to use when authenticating to a Custodia server using " -+"basic_auth" -+msgstr "" -+"La méthode à utiliser lors de l'authentification via un serveur Custodia " -+"utilisant basic_auth" - --#: src/tools/sss_useradd.c:224 --msgid "Cannot get info about the user\n" --msgstr "Impossible de trouver les informations sur l'utilisateur\n" -+#: src/config/SSSDConfig/sssdoptions.py:144 -+msgid "" -+"The password to use when authenticating to a Custodia server using " -+"basic_auth" -+msgstr "" -+"La méthode à utiliser lors de l'authentification via un serveur Custodia " -+"utilisant basic_auth" - --#: 
src/tools/sss_useradd.c:236 --msgid "User's home directory already exists, not copying data from skeldir\n" -+#: src/config/SSSDConfig/sssdoptions.py:145 -+msgid "" -+"If true peer's certificate is verified if proxy_url uses https protocol" - msgstr "" --"Le répertoire de l'utilisateur existe déjà, les données du répertoire " --"squelette ne sont pas copiées\n" -+"Le certificat pair true est vérifié si proxy_url utilise le protocole https" - --#: src/tools/sss_useradd.c:239 --#, c-format --msgid "Cannot create user's home directory: %1$s\n" --msgstr "Impossible de créer le répertoire de l'utilisateur : %1$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:146 -+msgid "" -+"If false peer's certificate may contain different hostname than proxy_url " -+"when https protocol is used" -+msgstr "" -+"Le certificat pair false peut contenir un nom d'hôte différent de proxy_url " -+"lorsque le protocole https est utilisé" - --#: src/tools/sss_useradd.c:250 --#, c-format --msgid "Cannot create user's mail spool: %1$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:148 -+msgid "Path to directory where certificate authority certificates are stored" -+msgstr "Chemin d'accès au répertoire où sont stockés les certificats CA" -+ -+#: src/config/SSSDConfig/sssdoptions.py:149 -+msgid "Path to file containing server's CA certificate" -+msgstr "Chemin d'accès au fichier contenant le certificat CA du serveur" -+ -+#: src/config/SSSDConfig/sssdoptions.py:150 -+msgid "Path to file containing client's certificate" -+msgstr "Chemin d'accès au fichier contenant le certificat du client" -+ -+#: src/config/SSSDConfig/sssdoptions.py:151 -+msgid "Path to file containing client's private key" -+msgstr "Chemin d'accès au fichier contenant la clé privée du client" -+ -+#: src/config/SSSDConfig/sssdoptions.py:154 -+msgid "" -+"One of the following strings specifying the scope of session recording: none " -+"- No users are recorded. 
some - Users/groups specified by users and groups " -+"options are recorded. all - All users are recorded." - msgstr "" --"Impossible de créer le répertoire de réception des messages électroniques " --"pour l'utilisateur : %1$s\n" - --#: src/tools/sss_useradd.c:270 --msgid "Could not allocate ID for the user - domain full?\n" -+#: src/config/SSSDConfig/sssdoptions.py:157 -+msgid "" -+"A comma-separated list of users which should have session recording enabled. " -+"Matches user names as returned by NSS. I.e. after the possible space " -+"replacement, case changes, etc." - msgstr "" --"L'identifiant de l'utilisateur ne peut pas être alloué - domaine plein ?\n" - --#: src/tools/sss_useradd.c:274 --msgid "A user or group with the same name or ID already exists\n" --msgstr "Un utilisateur ou groupe avec le même nom ou identifiant existe déjà\n" -+#: src/config/SSSDConfig/sssdoptions.py:159 -+msgid "" -+"A comma-separated list of groups, members of which should have session " -+"recording enabled. Matches group names as returned by NSS. I.e. after the " -+"possible space replacement, case changes, etc." -+msgstr "" - --#: src/tools/sss_useradd.c:280 --msgid "Transaction error. Could not add user.\n" --msgstr "Erreur de transaction. 
Impossible d'ajouter l'utilisateur.\n" -+#: src/config/SSSDConfig/sssdoptions.py:164 -+msgid "Identity provider" -+msgstr "Fournisseur d'identité" - --#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 --msgid "The GID of the group" --msgstr "Le GID du groupe" -+#: src/config/SSSDConfig/sssdoptions.py:165 -+msgid "Authentication provider" -+msgstr "Fournisseur d'authentification" - --#: src/tools/sss_groupadd.c:76 --msgid "Specify group to add\n" --msgstr "Définir le groupe à ajouter\n" -+#: src/config/SSSDConfig/sssdoptions.py:166 -+msgid "Access control provider" -+msgstr "Fournisseur de contrôle d'accès" - --#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 --msgid "The selected GID is outside the allowed range\n" --msgstr "Le GID choisit est en dehors de la plage autorisée\n" -+#: src/config/SSSDConfig/sssdoptions.py:167 -+msgid "Password change provider" -+msgstr "Fournisseur de changement de mot de passe" - --#: src/tools/sss_groupadd.c:143 --msgid "Could not allocate ID for the group - domain full?\n" --msgstr "Impossible d'allouer l'identifiant du groupe - domaine plein ?\n" -+#: src/config/SSSDConfig/sssdoptions.py:168 -+msgid "SUDO provider" -+msgstr "Fournisseur SUDO" - --#: src/tools/sss_groupadd.c:147 --msgid "A group with the same name or GID already exists\n" --msgstr "Un groupe avec le même nom ou GID existe déjà\n" -+#: src/config/SSSDConfig/sssdoptions.py:169 -+msgid "Autofs provider" -+msgstr "Fournisseur autofs" - --#: src/tools/sss_groupadd.c:153 --msgid "Transaction error. Could not add group.\n" --msgstr "Erreur de transaction. 
Impossible d'ajouter le groupe.\n" -+#: src/config/SSSDConfig/sssdoptions.py:170 -+msgid "Host identity provider" -+msgstr "Fournisseur d'identité de l'hôte" - --#: src/tools/sss_groupdel.c:70 --msgid "Specify group to delete\n" --msgstr "Spécifier le groupe à supprimer\n" -+#: src/config/SSSDConfig/sssdoptions.py:171 -+msgid "SELinux provider" -+msgstr "Fournisseur SELinux" - --#: src/tools/sss_groupdel.c:104 --#, c-format --msgid "Group %1$s is outside the defined ID range for domain\n" --msgstr "" --"Le groupe %1$s est en dehors de la plage d'identifiants définie pour le " --"domaine\n" -+#: src/config/SSSDConfig/sssdoptions.py:172 -+msgid "Session management provider" -+msgstr "Fournisseur de gestion de session" - --#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 --#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 --#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 --#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 --#, c-format --msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" -+#: src/config/SSSDConfig/sssdoptions.py:173 -+msgid "Resolver provider" - msgstr "" --"Échec de requête NSS (%1$d). L'entrée peut persister dans le cache en " --"mémoire.\n" - --#: src/tools/sss_groupdel.c:132 --msgid "" --"No such group in local domain. Removing groups only allowed in local " --"domain.\n" --msgstr "" --"Aucun groupe dans le domaine local. La suppression de groupes n'est " --"autorisée que dans le domaine local.\n" -+#: src/config/SSSDConfig/sssdoptions.py:176 -+msgid "Whether the domain is usable by the OS or by applications" -+msgstr "Si le domaine est utilisable par l'OS ou par des applications" - --#: src/tools/sss_groupdel.c:137 --msgid "Internal error. Could not remove group.\n" --msgstr "Erreur interne. 
Impossible de supprimer le groupe.\n" -+#: src/config/SSSDConfig/sssdoptions.py:177 -+msgid "Minimum user ID" -+msgstr "Identifiant utilisateur minimum" - --#: src/tools/sss_groupmod.c:44 --msgid "Groups to add this group to" --msgstr "Groupes auxquels ce groupe sera ajouté" -+#: src/config/SSSDConfig/sssdoptions.py:178 -+msgid "Maximum user ID" -+msgstr "Identifiant utilisateur maximum" - --#: src/tools/sss_groupmod.c:46 --msgid "Groups to remove this group from" --msgstr "Groupes desquels ce groupe sera retiré" -+#: src/config/SSSDConfig/sssdoptions.py:179 -+msgid "Enable enumerating all users/groups" -+msgstr "Activer l'énumération de tous les utilisateurs/groupes" - --#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 --msgid "Specify group to remove from\n" --msgstr "Définir le groupe duquel supprimer\n" -+#: src/config/SSSDConfig/sssdoptions.py:180 -+msgid "Cache credentials for offline login" -+msgstr "Mettre en cache les crédits pour une connexion hors-ligne" - --#: src/tools/sss_groupmod.c:101 --msgid "Specify group to modify\n" --msgstr "Définir le groupe à modifier\n" -+#: src/config/SSSDConfig/sssdoptions.py:181 -+msgid "Display users/groups in fully-qualified form" -+msgstr "" -+"Afficher les utilisateurs/groupes dans un format complétement qualifié" - --#: src/tools/sss_groupmod.c:130 -+#: src/config/SSSDConfig/sssdoptions.py:182 -+msgid "Don't include group members in group lookups" -+msgstr "" -+"Ne pas inclure les membres des groupes dans les recherches de groupes." 
-+ -+#: src/config/SSSDConfig/sssdoptions.py:183 -+#: src/config/SSSDConfig/sssdoptions.py:193 -+#: src/config/SSSDConfig/sssdoptions.py:194 -+#: src/config/SSSDConfig/sssdoptions.py:195 -+#: src/config/SSSDConfig/sssdoptions.py:196 -+#: src/config/SSSDConfig/sssdoptions.py:197 -+#: src/config/SSSDConfig/sssdoptions.py:198 -+#: src/config/SSSDConfig/sssdoptions.py:199 -+msgid "Entry cache timeout length (seconds)" -+msgstr "Durée de validité des entrées en cache (en secondes)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:184 - msgid "" --"Cannot find group in local domain, modifying groups is allowed only in local " --"domain\n" -+"Restrict or prefer a specific address family when performing DNS lookups" - msgstr "" --"Impossible de trouver le groupe dans le domaine local, la modification des " --"groupes n'est autorisée que dans le domaine local\n" -+"Restreindre ou préférer une famille d'adresses lors des recherches DNS" - --#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 --msgid "Member groups must be in the same domain as parent group\n" -+#: src/config/SSSDConfig/sssdoptions.py:185 -+msgid "How long to keep cached entries after last successful login (days)" - msgstr "" --"Les membres du groupe doivent être dans le même domaine que le groupe " --"parent\n" -+"Durée de validité des entrées en cache après la dernière connexion réussie " -+"(en jours)" - --#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 --#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 --#, c-format -+#: src/config/SSSDConfig/sssdoptions.py:186 - msgid "" --"Cannot find group %1$s in local domain, only groups in local domain are " --"allowed\n" -+"How long should SSSD talk to single DNS server before trying next server " -+"(miliseconds)" - msgstr "" --"Impossible de trouver le groupe %1$s dans le domaine local, seuls les " --"groupes du domaine local sont autorisés\n" -+"Combien de temps le SSSD doit-il parler à un seul serveur DNS avant " -+"d'essayer le 
serveur suivant (en millisecondes)" - --#: src/tools/sss_groupmod.c:257 --msgid "Could not modify group - check if member group names are correct\n" -+#: src/config/SSSDConfig/sssdoptions.py:188 -+msgid "How long should keep trying to resolve single DNS query (seconds)" - msgstr "" --"Impossible de modifier le groupe - vérifier que les noms des groupes membres " --"sont corrects\n" -+"Combien de temps faut-il continuer à essayer de résoudre une seule requête " -+"DNS (en secondes)" - --#: src/tools/sss_groupmod.c:261 --msgid "Could not modify group - check if groupname is correct\n" -+#: src/config/SSSDConfig/sssdoptions.py:189 -+msgid "How long to wait for replies from DNS when resolving servers (seconds)" - msgstr "" --"Impossible de modifier le groupe - vérifier que le nom du groupe est " --"correct\n" -+"Délai d'attente des réponses du DNS lors de la résolution des serveurs (en " -+"secondes)" - --#: src/tools/sss_groupmod.c:265 --msgid "Transaction error. Could not modify group.\n" --msgstr "Erreur de transaction. 
Impossible de modifier le groupe.\n" -+#: src/config/SSSDConfig/sssdoptions.py:190 -+msgid "The domain part of service discovery DNS query" -+msgstr "La partie domaine de la requête de découverte de service DNS" - --#: src/tools/sss_groupshow.c:616 --msgid "Magic Private " --msgstr "Magie privée" -+#: src/config/SSSDConfig/sssdoptions.py:191 -+msgid "Override GID value from the identity provider with this value" -+msgstr "Écraser la valeur du GID du fournisseur d'identité avec cette valeur" - --#: src/tools/sss_groupshow.c:615 --#, c-format --msgid "%1$s%2$sGroup: %3$s\n" --msgstr "%1$s%2$sGroup: %3$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:192 -+msgid "Treat usernames as case sensitive" -+msgstr "Considère les noms d'utilisateur comme casse dépendant" - --#: src/tools/sss_groupshow.c:618 --#, c-format --msgid "%1$sGID number: %2$d\n" --msgstr "%1$s GID numéro : %2$d\n" -+#: src/config/SSSDConfig/sssdoptions.py:200 -+msgid "How often should expired entries be refreshed in background" -+msgstr "Fréquence de rafraîchissement en arrière plan des entrées expirées" - --#: src/tools/sss_groupshow.c:620 --#, c-format --msgid "%1$sMember users: " --msgstr "Utilisateurs membres de %1$s :" -+#: src/config/SSSDConfig/sssdoptions.py:201 -+msgid "Whether to automatically update the client's DNS entry" -+msgstr "Choisir de mettre à jour automatiquement l'entrée DNS du client" - --#: src/tools/sss_groupshow.c:627 --#, c-format --msgid "" --"\n" --"%1$sIs a member of: " --msgstr "" --"\n" --"%1$s est membre de : " -+#: src/config/SSSDConfig/sssdoptions.py:202 -+#: src/config/SSSDConfig/sssdoptions.py:232 -+msgid "The TTL to apply to the client's DNS entry after updating it" -+msgstr "Le TTL à appliquer à l'entrée DNS du client après modification" - --#: src/tools/sss_groupshow.c:634 --#, c-format --msgid "" --"\n" --"%1$sMember groups: " -+#: src/config/SSSDConfig/sssdoptions.py:203 -+#: src/config/SSSDConfig/sssdoptions.py:233 -+msgid "The interface whose IP should be used 
for dynamic DNS updates" - msgstr "" --"\n" --"Groupes membres de %1$s : " -+"L'interface dont l'adresse IP doit être utilisée pour les mises à jour " -+"dynamiques du DNS" - --#: src/tools/sss_groupshow.c:670 --msgid "Print indirect group members recursively" --msgstr "Afficher les membres du groupe indirects récursivement" -+#: src/config/SSSDConfig/sssdoptions.py:204 -+msgid "How often to periodically update the client's DNS entry" -+msgstr "Fréquence de mise à jour automatique de l'entrée DNS du client" - --#: src/tools/sss_groupshow.c:704 --msgid "Specify group to show\n" --msgstr "Définir le groupe à afficher\n" -+#: src/config/SSSDConfig/sssdoptions.py:205 -+msgid "Whether the provider should explicitly update the PTR record as well" -+msgstr "" -+"Selon que le fournisseur doit aussi ou non mettre à jour explicitement " -+"l'enregistrement PTR" - --#: src/tools/sss_groupshow.c:744 --msgid "" --"No such group in local domain. Printing groups only allowed in local " --"domain.\n" -+#: src/config/SSSDConfig/sssdoptions.py:206 -+msgid "Whether the nsupdate utility should default to using TCP" -+msgstr "Selon que l'utilitaire nsupdate doit utiliser TCP par défaut" -+ -+#: src/config/SSSDConfig/sssdoptions.py:207 -+msgid "What kind of authentication should be used to perform the DNS update" - msgstr "" --"Aucun groupe dans le domaine local. L'affichage des groupes n'est autorisé " --"que dans le domaine local.\n" -+"Quel type d'authentification doit être utilisée pour effectuer la mise à " -+"jour DNS" - --#: src/tools/sss_groupshow.c:749 --msgid "Internal error. Could not print group.\n" --msgstr "Erreur interne. 
Impossible d'afficher le groupe.\n" -+#: src/config/SSSDConfig/sssdoptions.py:208 -+msgid "Override the DNS server used to perform the DNS update" -+msgstr "Remplace le serveur DNS utilisé pour effectuer la mise à jour du DNS" - --#: src/tools/sss_userdel.c:138 --msgid "Remove home directory and mail spool" --msgstr "Suppression du répertoire personnel et de gestion des mails" -+#: src/config/SSSDConfig/sssdoptions.py:209 -+msgid "Control enumeration of trusted domains" -+msgstr "Contrôle l'énumération des domaines approuvés" - --#: src/tools/sss_userdel.c:140 --msgid "Do not remove home directory and mail spool" --msgstr "Ne pas supprimer le répertoire personnel et de gestion des mails" -+#: src/config/SSSDConfig/sssdoptions.py:210 -+msgid "How often should subdomains list be refreshed" -+msgstr "Fréquence de rafraîchissement des sous-domaines" - --#: src/tools/sss_userdel.c:142 --msgid "Force removal of files not owned by the user" --msgstr "Forcer la suppression des fichiers n'appartenant pas à l'utilisateur" -+#: src/config/SSSDConfig/sssdoptions.py:211 -+msgid "List of options that should be inherited into a subdomain" -+msgstr "Listes des options qui doivent être héritées dans le sous-domaine" - --#: src/tools/sss_userdel.c:144 --msgid "Kill users' processes before removing him" --msgstr "Tuer les processus de l'utilisateur avant de le supprimer" -+#: src/config/SSSDConfig/sssdoptions.py:212 -+msgid "Default subdomain homedir value" -+msgstr "Valeur par défaut du sous-domaine homedir" - --#: src/tools/sss_userdel.c:190 --msgid "Specify user to delete\n" --msgstr "Définir l'utilisateur à supprimer\n" -+#: src/config/SSSDConfig/sssdoptions.py:213 -+msgid "How long can cached credentials be used for cached authentication" -+msgstr "" -+"Combien de temps les informations d'identification en cache peuvent-elles " -+"être utilisées pour l'authentification en cache" - --#: src/tools/sss_userdel.c:236 --#, c-format --msgid "User %1$s is outside the defined ID range 
for domain\n" -+#: src/config/SSSDConfig/sssdoptions.py:214 -+msgid "Whether to automatically create private groups for users" - msgstr "" --"L'utilisateur %1$s est en dehors de la plage d'identifiants définie pour le " --"domaine\n" -+"S'il faut créer automatiquement des groupes privés pour les utilisateurs" - --#: src/tools/sss_userdel.c:261 --msgid "Cannot reset SELinux login context\n" --msgstr "Impossible de réinitialiser le contexte de connexion SELinux\n" -- --#: src/tools/sss_userdel.c:273 --#, c-format --msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" -+#: src/config/SSSDConfig/sssdoptions.py:215 -+msgid "Display a warning N days before the password expires." - msgstr "" --"ATTENTION : l'utilisateur (uid %1$lu) était encore connecté lors de sa " --"suppression.\n" - --#: src/tools/sss_userdel.c:278 --msgid "Cannot determine if the user was logged in on this platform" -+#: src/config/SSSDConfig/sssdoptions.py:216 -+msgid "" -+"Various tags stored by the realmd configuration service for this domain." - msgstr "" --"Impossible de savoir si l'utilisateur était connecté sur cette plateforme" -- --#: src/tools/sss_userdel.c:283 --msgid "Error while checking if the user was logged in\n" --msgstr "Erreur en vérifiant si l'utilisateur était connecté\n" -- --#: src/tools/sss_userdel.c:290 --#, c-format --msgid "The post-delete command failed: %1$s\n" --msgstr "La commande post-suppression a échoué : %1$s\n" - --#: src/tools/sss_userdel.c:310 --msgid "Not removing home dir - not owned by user\n" -+#: src/config/SSSDConfig/sssdoptions.py:217 -+msgid "" -+"The provider which should handle fetching of subdomains. This value should " -+"be always the same as id_provider." 
- msgstr ""
--"Le répertoire personnel n'est pas supprimé - l'utilisateur n'en est pas le "
--"propriétaire\n"
-
--#: src/tools/sss_userdel.c:312
--#, c-format
--msgid "Cannot remove homedir: %1$s\n"
--msgstr "Impossible de supprimer le répertoire utilisateur : %1$s\n"
--
--#: src/tools/sss_userdel.c:326
-+#: src/config/SSSDConfig/sssdoptions.py:219
- msgid ""
--"No such user in local domain. Removing users only allowed in local domain.\n"
-+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
-+"the host key for."
- msgstr ""
--"Aucun utilisateur dans le domaine local. La suppression des utilisateurs "
--"n'est autorisée que dans le domaine local.\n"
--
--#: src/tools/sss_userdel.c:331
--msgid "Internal error. Could not remove user.\n"
--msgstr "Erreur interne. Impossible de supprimer l'utilisateur.\n"
--
--#: src/tools/sss_usermod.c:49
--msgid "The GID of the user"
--msgstr "Le GID de l'utilisateur"
-
--#: src/tools/sss_usermod.c:53
--msgid "Groups to add this user to"
--msgstr "Groupes auxquels ajouter cet utilisateur"
-+#: src/config/SSSDConfig/sssdoptions.py:221
-+msgid ""
-+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
-+"this value determines the minimal length the first authentication factor "
-+"(long term password) must have to be saved as SHA512 hash into the cache."
-+msgstr ""
-
--#: src/tools/sss_usermod.c:54
--msgid "Groups to remove this user from"
--msgstr "Groupes auxquels enlever cet utilisateur"
-+#: src/config/SSSDConfig/sssdoptions.py:227
-+msgid "IPA domain"
-+msgstr "Domaine IPA"
-
--#: src/tools/sss_usermod.c:55
--msgid "Lock the account"
--msgstr "Verrouiller le compte"
-+#: src/config/SSSDConfig/sssdoptions.py:228
-+msgid "IPA server address"
-+msgstr "Adresse du serveur IPA"
-
--#: src/tools/sss_usermod.c:56
--msgid "Unlock the account"
--msgstr "Déverrouiller le compte"
-+#: src/config/SSSDConfig/sssdoptions.py:229
-+msgid "Address of backup IPA server"
-+msgstr "Adresse du serveur IPA de secours"
-
--#: src/tools/sss_usermod.c:57
--msgid "Add an attribute/value pair. The format is attrname=value."
--msgstr "Ajouter une paire attribut/valeur. Le format est nom_attribut=valeur."
-+#: src/config/SSSDConfig/sssdoptions.py:230
-+msgid "IPA client hostname"
-+msgstr "Nom de système du client IPA"
-
--#: src/tools/sss_usermod.c:58
--msgid "Delete an attribute/value pair. The format is attrname=value."
-+#: src/config/SSSDConfig/sssdoptions.py:231
-+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
- msgstr ""
--"Supprimer une paire attribut/valeur. Le format est nom_attribut=valeur."
-+"Choisir de mettre à jour automatiquement l'entrée DNS du client dans FreeIPA"
-
--#: src/tools/sss_usermod.c:59
-+#: src/config/SSSDConfig/sssdoptions.py:234
-+msgid "Search base for HBAC related objects"
-+msgstr "Base de recherche pour les objets HBAC"
-+
-+#: src/config/SSSDConfig/sssdoptions.py:235
- msgid ""
--"Set an attribute to a name/value pair. The format is attrname=value. For "
--"multi-valued attributes, the command replaces the values already present"
--msgstr ""
--"Définir une paire attribut/valeur. Le format est nom_attribut=valeur. Pour "
--"les attributs multi-valués, la commande remplace les valeurs déjà présentes."
-+"The amount of time between lookups of the HBAC rules against the IPA server"
-+msgstr "Délai entre les recherches de règles HBAC sur le serveur IPA"
-
--#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
--#: src/tools/sss_usermod.c:135
--msgid "Specify the attribute name/value pair(s)\n"
--msgstr "Indiquer les paires nom d'attributs et valeurs.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:236
-+msgid ""
-+"The amount of time in seconds between lookups of the SELinux maps against "
-+"the IPA server"
-+msgstr "Délai entre les recherches de cartes SELinux sur le serveur IPA"
-
--#: src/tools/sss_usermod.c:152
--msgid "Specify user to modify\n"
--msgstr "Spécifier l'utilisateur à modifier\n"
-+#: src/config/SSSDConfig/sssdoptions.py:238
-+msgid "If set to false, host argument given by PAM will be ignored"
-+msgstr "Si mit à false, l’argument de l'hôte donné par PAM est ignoré"
-
--#: src/tools/sss_usermod.c:180
--msgid ""
--"Cannot find user in local domain, modifying users is allowed only in local "
--"domain\n"
-+#: src/config/SSSDConfig/sssdoptions.py:239
-+msgid "The automounter location this IPA client is using"
- msgstr ""
--"Impossible de trouver l'utilisateur dans le domaine local, la modification "
--"des utilisateurs n'est autorisée que dans le domaine local\n"
-+"L'emplacement de la carte de montage automatique utilisée par le client IPA"
-
--#: src/tools/sss_usermod.c:322
--msgid "Could not modify user - check if group names are correct\n"
-+#: src/config/SSSDConfig/sssdoptions.py:240
-+msgid "Search base for object containing info about IPA domain"
- msgstr ""
--"Impossible de modifier l'utilisateur - vérifiez que les noms de groupe sont "
--"corrects\n"
-+"Base de recherche pour l'objet contenant les informations de base à propos "
-+"du domaine IPA"
-
--#: src/tools/sss_usermod.c:326
--msgid "Could not modify user - user already member of groups?\n"
-+#: src/config/SSSDConfig/sssdoptions.py:241
-+msgid "Search base for objects containing
info about ID ranges"
- msgstr ""
--"Impossible de modifier l'utilisateur - l'utilisateur est déjà membre du "
--"groupe ?\n"
-+"Base de recherche pour les objets contenant les informations à propos des "
-+"plages d'ID"
-
--#: src/tools/sss_usermod.c:330
--msgid "Transaction error. Could not modify user.\n"
--msgstr "Erreur de transaction. Impossible de modifier l'utlisateur.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:242
-+#: src/config/SSSDConfig/sssdoptions.py:296
-+msgid "Enable DNS sites - location based service discovery"
-+msgstr "Activer les sites DNS - découverte de service basée sur l'emplacement"
-
--#: src/tools/sss_cache.c:245
--msgid "No cache object matched the specified search\n"
--msgstr "Aucun object trouvé dans le cache pour la recherche spécifiée\n"
-+#: src/config/SSSDConfig/sssdoptions.py:243
-+msgid "Search base for view containers"
-+msgstr "Base de recherche des conteneurs de vues"
-
--#: src/tools/sss_cache.c:536
--#, c-format
--msgid "Couldn't invalidate %1$s\n"
--msgstr "Impossible d'invalider %1$s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:244
-+msgid "Objectclass for view containers"
-+msgstr "Classe d'objet pour les conteneurs de vues"
-
--#: src/tools/sss_cache.c:543
--#, c-format
--msgid "Couldn't invalidate %1$s %2$s\n"
--msgstr "Impossible d'invalider %1$s %2$s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:245
-+msgid "Attribute with the name of the view"
-+msgstr "Attribut avec le nom de la vue"
-
--#: src/tools/sss_cache.c:721
--msgid "Invalidate all cached entries"
--msgstr "Invalidez toutes les entrées en cache"
-+#: src/config/SSSDConfig/sssdoptions.py:246
-+msgid "Objectclass for override objects"
-+msgstr "Classe d'objet surchargeant les objets"
-
--#: src/tools/sss_cache.c:723
--msgid "Invalidate particular user"
--msgstr "Invalider un utilisateur spécifique"
-+#: src/config/SSSDConfig/sssdoptions.py:247
-+msgid "Attribute with the reference to the original object"
-+msgstr "Attribut faisant référence à l'objet
originel "
-
--#: src/tools/sss_cache.c:725
--msgid "Invalidate all users"
--msgstr "Invalider tous les utilisateurs"
-+#: src/config/SSSDConfig/sssdoptions.py:248
-+msgid "Objectclass for user override objects"
-+msgstr "Classe d'objet surchargeant les utilisateurs"
-
--#: src/tools/sss_cache.c:727
--msgid "Invalidate particular group"
--msgstr "Invalider un groupe particulier"
-+#: src/config/SSSDConfig/sssdoptions.py:249
-+msgid "Objectclass for group override objects"
-+msgstr "Classe d'objet surchargeant les groupes"
-
--#: src/tools/sss_cache.c:729
--msgid "Invalidate all groups"
--msgstr "Invalider tous les groupes"
-+#: src/config/SSSDConfig/sssdoptions.py:250
-+msgid "Search base for Desktop Profile related objects"
-+msgstr "Base de recherche pour les objets liés au Profil du Bureau"
-
--#: src/tools/sss_cache.c:731
--msgid "Invalidate particular netgroup"
--msgstr "Invalider un groupe réseau particulier"
-+#: src/config/SSSDConfig/sssdoptions.py:251
-+msgid ""
-+"The amount of time in seconds between lookups of the Desktop Profile rules "
-+"against the IPA server"
-+msgstr ""
-+"Le temps, en secondes, entre les consultations des règles du profil du "
-+"bureau sur le serveur IPA"
-
--#: src/tools/sss_cache.c:733
--msgid "Invalidate all netgroups"
--msgstr "Invalider tous les groupes réseau"
-+#: src/config/SSSDConfig/sssdoptions.py:253
-+msgid ""
-+"The amount of time in minutes between lookups of Desktop Profiles rules "
-+"against the IPA server when the last request did not find any rule"
-+msgstr ""
-+"Le temps en minutes entre les consultations des règles de profile de bureau "
-+"sur le serveur IPA lorsque la dernière requête n'a trouvé aucune règle"
-
--#: src/tools/sss_cache.c:735
--msgid "Invalidate particular service"
--msgstr "Invalidation d'un service particulier"
-+#: src/config/SSSDConfig/sssdoptions.py:256
-+msgid "The LDAP attribute that contains FQDN of the host."
-+msgstr ""
-
--#: src/tools/sss_cache.c:737
--msgid "Invalidate all services"
--msgstr "Invalidation de tous les services"
-+#: src/config/SSSDConfig/sssdoptions.py:257
-+#: src/config/SSSDConfig/sssdoptions.py:280
-+msgid "The object class of a host entry in LDAP."
-+msgstr ""
-
--#: src/tools/sss_cache.c:740
--msgid "Invalidate particular autofs map"
--msgstr "Invalidation d'une carte autofs particulière"
-+#: src/config/SSSDConfig/sssdoptions.py:258
-+msgid "Use the given string as search base for host objects."
-+msgstr ""
-
--#: src/tools/sss_cache.c:742
--msgid "Invalidate all autofs maps"
--msgstr "Invalidation de toutes les cartes autofs"
-+#: src/config/SSSDConfig/sssdoptions.py:259
-+msgid "The LDAP attribute that contains the host's SSH public keys."
-+msgstr ""
-
--#: src/tools/sss_cache.c:746
--msgid "Invalidate particular SSH host"
--msgstr "Invalider un hôte SSH particulier"
-+#: src/config/SSSDConfig/sssdoptions.py:260
-+msgid "The LDAP attribute that contains NIS domain name of the netgroup."
-+msgstr ""
-
--#: src/tools/sss_cache.c:748
--msgid "Invalidate all SSH hosts"
--msgstr "Invalider tous les hôtes SSH"
-+#: src/config/SSSDConfig/sssdoptions.py:261
-+msgid "The LDAP attribute that contains the names of the netgroup's members."
-+msgstr ""
-
--#: src/tools/sss_cache.c:752
--msgid "Invalidate particular sudo rule"
--msgstr "Invalider une règle sudo particulière"
-+#: src/config/SSSDConfig/sssdoptions.py:262
-+msgid ""
-+"The LDAP attribute that lists FQDNs of hosts and host groups that are "
-+"members of the netgroup."
-+msgstr ""
-
--#: src/tools/sss_cache.c:754
--msgid "Invalidate all cached sudo rules"
--msgstr "Invalider toutes les règles sudo en cache"
-+#: src/config/SSSDConfig/sssdoptions.py:264
-+msgid ""
-+"The LDAP attribute that lists hosts and host groups that are direct members "
-+"of the netgroup."
-+msgstr ""
-
--#: src/tools/sss_cache.c:757
--msgid "Only invalidate entries from a particular domain"
--msgstr "N'invalider des entrées que d'un domaine spécifique"
-+#: src/config/SSSDConfig/sssdoptions.py:266
-+msgid "The LDAP attribute that lists netgroup's memberships."
-+msgstr ""
-
--#: src/tools/sss_cache.c:811
-+#: src/config/SSSDConfig/sssdoptions.py:267
- msgid ""
--"Unexpected argument(s) provided, options that invalidate a single object "
--"only accept a single provided argument.\n"
-+"The LDAP attribute that lists system users and groups that are direct "
-+"members of the netgroup."
- msgstr ""
--"Argument(s) inattendu(s) fourni(s), les options qui invalident un seul objet "
--"n'acceptent qu'un seul argument fourni.\n"
-
--#: src/tools/sss_cache.c:821
--msgid "Please select at least one object to invalidate\n"
--msgstr "Merci de sélectionner au moins un objet à invalider\n"
-+#: src/config/SSSDConfig/sssdoptions.py:269
-+msgid "The LDAP attribute that corresponds to the netgroup name."
-+msgstr ""
-
--#: src/tools/sss_cache.c:904
--#, c-format
-+#: src/config/SSSDConfig/sssdoptions.py:270
-+msgid "The object class of a netgroup entry in LDAP."
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:271
- msgid ""
--"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
--"use fully qualified name instead of --domain/-d parameter.\n"
-+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
- msgstr ""
--"Impossible d'ouvrir le domaine %1$s. Si le domaine est un sous-domaine "
--"(domaine approuvé), utiliser le nom pleinement qualifié au lieu du paramètre "
--"--domain/-d.\n"
-
--#: src/tools/sss_cache.c:909
--msgid "Could not open available domains\n"
--msgstr "Impossible d'ouvrir aucun des domaines disponibles\n"
-+#: src/config/SSSDConfig/sssdoptions.py:272
-+msgid ""
-+"The LDAP attribute that contains whether or not is user map enabled for "
-+"usage."
-+msgstr ""
-
--#: src/tools/tools_util.c:202
--#, c-format
--msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
-+#: src/config/SSSDConfig/sssdoptions.py:274
-+msgid "The LDAP attribute that contains host category such as 'all'."
- msgstr ""
--"Le nom « %1$s » ne semble pas être un FQDN (« %2$s = TRUE » est configuré)\n"
-
--#: src/tools/tools_util.c:309
--msgid "Out of memory\n"
--msgstr "Mémoire saturée\n"
-+#: src/config/SSSDConfig/sssdoptions.py:275
-+msgid ""
-+"The LDAP attribute that contains all hosts / hostgroups this rule match "
-+"against."
-+msgstr ""
-
--#: src/tools/tools_util.h:40
--#, c-format
--msgid "%1$s must be run as root\n"
--msgstr "%1$s doit être lancé en tant que root\n"
-+#: src/config/SSSDConfig/sssdoptions.py:277
-+msgid ""
-+"The LDAP attribute that contains all users / groups this rule match against."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:35
--msgid "yes"
--msgstr "oui"
-+#: src/config/SSSDConfig/sssdoptions.py:279
-+msgid "The LDAP attribute that contains the name of SELinux usermap."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:37
--msgid "no"
--msgstr "non"
-+#: src/config/SSSDConfig/sssdoptions.py:281
-+msgid ""
-+"The LDAP attribute that contains DN of HBAC rule which can be used for "
-+"matching instead of memberUser and memberHost."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:39
--msgid "error"
--msgstr "erreur"
-+#: src/config/SSSDConfig/sssdoptions.py:283
-+msgid "The LDAP attribute that contains SELinux user string itself."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:42
--msgid "Invalid result."
--msgstr "Résultat non valide."
-+#: src/config/SSSDConfig/sssdoptions.py:284
-+msgid "The LDAP attribute that contains user category such as 'all'."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:78
--msgid "Unable to read user input\n"
--msgstr "Impossible de lire l'entrée de l'utilisateur\n"
-+#: src/config/SSSDConfig/sssdoptions.py:285
-+msgid "The LDAP attribute that contains unique ID of the user map."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:91
--#, c-format
--msgid "Invalid input, please provide either '%s' or '%s'.\n"
--msgstr "Entrée non valable, veuillez fournir %s ou %s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:286
-+msgid ""
-+"The option denotes that the SSSD is running on IPA server and should perform "
-+"lookups of users and groups from trusted domains differently."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
--msgid "Error while executing external command\n"
--msgstr "Erreur lors de l'exécution d'une commande externe\n"
-+#: src/config/SSSDConfig/sssdoptions.py:288
-+msgid "Use the given string as search base for trusted domains."
-+msgstr ""
-
--#: src/tools/sssctl/sssctl.c:156
--msgid "SSSD needs to be running. Start SSSD now?"
--msgstr "Le SSSD doit être exécuté. Démarrer le SSSD maintenant ?"
-+#: src/config/SSSDConfig/sssdoptions.py:291
-+msgid "Active Directory domain"
-+msgstr "Domaine Active Directory"
-
--#: src/tools/sssctl/sssctl.c:195
--msgid "SSSD must not be running. Stop SSSD now?"
--msgstr ""
--"Le SSSD ne doit pas être en cours d'exécution. Arrêter le SSSD maintenant ?"
-+#: src/config/SSSDConfig/sssdoptions.py:292
-+msgid "Enabled Active Directory domains"
-+msgstr "Domaine d’Active Directory activés"
-
--#: src/tools/sssctl/sssctl.c:231
--msgid "SSSD needs to be restarted. Restart SSSD now?"
--msgstr "Le SSSD doit être relancé. Redémarrer SSSD maintenant ?"
-+#: src/config/SSSDConfig/sssdoptions.py:293
-+msgid "Active Directory server address"
-+msgstr "Adresse du serveur Active Directory"
-
--#: src/tools/sssctl/sssctl_cache.c:31
--#, c-format
--msgid " %s is not present in cache.\n"
--msgstr " %s n'est pas présent dans le cache.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:294
-+msgid "Active Directory backup server address"
-+msgstr "Adresse du serveur Active Directory de secours"
-
--#: src/tools/sssctl/sssctl_cache.c:33
--msgid "Name"
--msgstr "Nom"
-+#: src/config/SSSDConfig/sssdoptions.py:295
-+msgid "Active Directory client hostname"
-+msgstr "Nom de système du client Active Directory"
-
--#: src/tools/sssctl/sssctl_cache.c:34
--msgid "Cache entry creation date"
--msgstr "Date de création de l'entrée en cache"
-+#: src/config/SSSDConfig/sssdoptions.py:297
-+#: src/config/SSSDConfig/sssdoptions.py:488
-+msgid "LDAP filter to determine access privileges"
-+msgstr "Filtre LDAP pour déterminer les autorisations d'accès"
-
--#: src/tools/sssctl/sssctl_cache.c:35
--msgid "Cache entry last update time"
--msgstr "Heure de la dernière mise à jour de l'entrée du cache"
--
--#: src/tools/sssctl/sssctl_cache.c:36
--msgid "Cache entry expiration time"
--msgstr "Temps d'expiration de l'entrée du cache"
--
--#: src/tools/sssctl/sssctl_cache.c:37
--msgid "Cached in InfoPipe"
--msgstr "Mise en cache dans InfoPipe"
--
--#: src/tools/sssctl/sssctl_cache.c:522
--#, c-format
--msgid "Error: Unable to get object [%d]: %s\n"
--msgstr "Erreur : Impossible d'obtenir l'objet [%d] : %s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:298
-+msgid "Whether to use the Global Catalog for lookups"
-+msgstr "Choisir d'utiliser ou non le catalogue global pour les recherches"
-
--#: src/tools/sssctl/sssctl_cache.c:538
--#, c-format
--msgid "%s: Unable to read value [%d]: %s\n"
--msgstr "%s: Impossible de lire la valeur [%d] : %s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:299
-+msgid "Operation mode for GPO-based access control"
-+msgstr "Mode
opératoire pour les contrôles d'accès basé sur les GPO"
-
--#: src/tools/sssctl/sssctl_cache.c:566
--msgid "Specify name."
--msgstr "Indiquez le nom."
-+#: src/config/SSSDConfig/sssdoptions.py:300
-+msgid ""
-+"The amount of time between lookups of the GPO policy files against the AD "
-+"server"
-+msgstr ""
-+"Durée entre les recherches de fichiers de politiques de GPO dans le serveur "
-+"AD"
-
--#: src/tools/sssctl/sssctl_cache.c:576
--#, c-format
--msgid "Unable to parse name %s.\n"
--msgstr "Impossible d'analyser le nom %s.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:301
-+msgid ""
-+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
-+"settings"
-+msgstr ""
-+"Noms de services PAM correspondant à la configuration de la politique "
-+"(Deny)InteractiveLogonRight de la GPO"
-
--#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
--msgid "Search by SID"
--msgstr "Recherche par SID"
-+#: src/config/SSSDConfig/sssdoptions.py:303
-+msgid ""
-+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
-+"policy settings"
-+msgstr ""
-+"Noms de services PAM correspondant à la configuration de la politique "
-+"(Deny)RemoteInteractiveLogonRight de la GPO"
-
--#: src/tools/sssctl/sssctl_cache.c:603
--msgid "Search by user ID"
--msgstr "Recherche par ID utilisateur"
-+#: src/config/SSSDConfig/sssdoptions.py:305
-+msgid ""
-+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy "
-+"settings"
-+msgstr ""
-+"Noms de services PAM correspondant à la configuration de la politique "
-+"(Deny)NetworkLogonRight de la GPO"
-
--#: src/tools/sssctl/sssctl_cache.c:612
--msgid "Initgroups expiration time"
--msgstr "Délai d'expiration des initgroups"
-+#: src/config/SSSDConfig/sssdoptions.py:306
-+msgid ""
-+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
-+msgstr ""
-+"Noms de services PAM correspondant à la configuration de la politique "
-+"(Deny)BatchLogonRight de la
GPO"
-
--#: src/tools/sssctl/sssctl_cache.c:650
--msgid "Search by group ID"
--msgstr "Recherche par ID de groupe"
-+#: src/config/SSSDConfig/sssdoptions.py:307
-+msgid ""
-+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy "
-+"settings"
-+msgstr ""
-+"Noms de services PAM correspondant à la configuration de la politique "
-+"(Deny)ServiceLogonRight de la GPO"
-
--#: src/tools/sssctl/sssctl_config.c:70
--#, c-format
--msgid "Failed to open %s\n"
--msgstr "N’a pas pu ouvrir %s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:308
-+msgid "PAM service names for which GPO-based access is always granted"
-+msgstr ""
-+"Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont "
-+"toujours autorisés"
-
--#: src/tools/sssctl/sssctl_config.c:75
--#, c-format
--msgid "File %1$s does not exist.\n"
--msgstr "Le fichier %1$s n’existe pas.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:309
-+msgid "PAM service names for which GPO-based access is always denied"
-+msgstr ""
-+"Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont "
-+"toujours interdits"
-
--#: src/tools/sssctl/sssctl_config.c:79
-+#: src/config/SSSDConfig/sssdoptions.py:310
- msgid ""
--"File ownership and permissions check failed. Expected root:root and 0600.\n"
-+"Default logon right (or permit/deny) to use for unmapped PAM service names"
- msgstr ""
--"La vérification de la propriété et des permissions des fichiers a échoué.
"
--"Attendue : root:root et 0600.\n"
--
--#: src/tools/sssctl/sssctl_config.c:85
--#, fuzzy, c-format
--msgid "Failed to load configuration from %s.\n"
--msgstr "Echec du chargement de la configuration à partir de %s.\n"
-+"Droit de connexion par défaut (ou permission/interdiction) à utiliser pour "
-+"les noms de services sans correspondance"
-
--#: src/tools/sssctl/sssctl_config.c:91
--msgid "Error while reading configuration directory.\n"
--msgstr "Erreur lors de la lecture du répertoire de configuration.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:311
-+msgid "a particular site to be used by the client"
-+msgstr "un site particulier utilisé par le client"
-
--#: src/tools/sssctl/sssctl_config.c:99
-+#: src/config/SSSDConfig/sssdoptions.py:312
- msgid ""
--"There is no configuration. SSSD will use default configuration with files "
--"provider.\n"
-+"Maximum age in days before the machine account password should be renewed"
- msgstr ""
--"Il n'y a pas de configuration. SSSD utilisera la configuration par défaut "
--"avec le fournisseur de fichiers.\n"
-+"Âge maximum en jours avant que le mot de passe du compte de la machine ne "
-+"soit renouvelé"
-
--#: src/tools/sssctl/sssctl_config.c:111
--msgid "Failed to run validators"
--msgstr "Échec de l'exécution des validateurs"
-+#: src/config/SSSDConfig/sssdoptions.py:314
-+msgid "Option for tuning the machine account renewal task"
-+msgstr "Option de réglage de la tâche de renouvellement du compte machine"
-
--#: src/tools/sssctl/sssctl_config.c:115
--#, c-format
--msgid "Issues identified by validators: %zu\n"
--msgstr "Problèmes identifiés par les validateurs : %zu\n"
-+#: src/config/SSSDConfig/sssdoptions.py:315
-+msgid "Whether to update the machine account password in the Samba database"
-+msgstr ""
-
--#: src/tools/sssctl/sssctl_config.c:126
--#, c-format
--msgid "Messages generated during configuration merging: %zu\n"
--msgstr "Messages générés lors de la fusion des configurations : %zu\n"
-+#:
src/config/SSSDConfig/sssdoptions.py:317
-+msgid "Use LDAPS port for LDAP and Global Catalog requests"
-+msgstr "Utiliser le port LDAPS pour les requêtes LDAP et Catalogue global"
-
--#: src/tools/sssctl/sssctl_config.c:137
--#, c-format
--msgid "Used configuration snippet files: %zu\n"
--msgstr "Fichiers de configuration utilisés : %zu\n"
-+#: src/config/SSSDConfig/sssdoptions.py:320
-+#: src/config/SSSDConfig/sssdoptions.py:321
-+msgid "Kerberos server address"
-+msgstr "Adresse du serveur Kerberos"
-
--#: src/tools/sssctl/sssctl_data.c:89
--#, c-format
--msgid "Unable to create backup directory [%d]: %s"
--msgstr "Impossible de créer le répertoire de sauvegarde [%d]: %s"
-+#: src/config/SSSDConfig/sssdoptions.py:322
-+msgid "Kerberos backup server address"
-+msgstr "Adresse du serveur Kerberos de secours"
-
--#: src/tools/sssctl/sssctl_data.c:95
--msgid "SSSD backup of local data already exists, override?"
--msgstr "La sauvegarde SSSD des données locales existe déjà, la remplacer ?"
-+#: src/config/SSSDConfig/sssdoptions.py:323
-+msgid "Kerberos realm"
-+msgstr "Domaine Kerberos"
-
--#: src/tools/sssctl/sssctl_data.c:111
--msgid "Unable to export user overrides\n"
--msgstr "Impossible d'exporter les substitutions d'utilisateur\n"
-+#: src/config/SSSDConfig/sssdoptions.py:324
-+msgid "Authentication timeout"
-+msgstr "Délai avant expiration de l'authentification"
-
--#: src/tools/sssctl/sssctl_data.c:118
--msgid "Unable to export group overrides\n"
--msgstr "Impossible d'exporter les substitutions de groupes\n"
-+#: src/config/SSSDConfig/sssdoptions.py:325
-+msgid "Whether to create kdcinfo files"
-+msgstr "Choisir de créer ou non les fichiers kdcinfo"
-
--#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
--msgid "Override existing backup"
--msgstr "Remplacer la sauvegarde existante"
-+#: src/config/SSSDConfig/sssdoptions.py:326
-+msgid "Where to drop krb5 config snippets"
-+msgstr "Où déposer les extraits de configuration krb5"
-
--#:
src/tools/sssctl/sssctl_data.c:164
--msgid "Unable to import user overrides\n"
--msgstr "Impossible d'importer les substitutions d'utilisateur\n"
-+#: src/config/SSSDConfig/sssdoptions.py:329
-+msgid "Directory to store credential caches"
-+msgstr "Répertoire pour stocker les caches de crédits"
-
--#: src/tools/sssctl/sssctl_data.c:173
--msgid "Unable to import group overrides\n"
--msgstr "Impossible d'importer les substitutions de groupes\n"
-+#: src/config/SSSDConfig/sssdoptions.py:330
-+msgid "Location of the user's credential cache"
-+msgstr "Emplacement du cache de crédits de l'utilisateur"
-
--#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
--#: src/tools/sssctl/sssctl_domains.c:328
--msgid "Start SSSD if it is not running"
--msgstr "Démarrer SSSD s'il n'est pas en cours d'exécution"
-+#: src/config/SSSDConfig/sssdoptions.py:331
-+msgid "Location of the keytab to validate credentials"
-+msgstr "Emplacement du fichier keytab de validation des crédits"
-
--#: src/tools/sssctl/sssctl_data.c:195
--msgid "Restart SSSD after data import"
--msgstr "Redémarrer SSSD après l'importation des données"
-+#: src/config/SSSDConfig/sssdoptions.py:332
-+msgid "Enable credential validation"
-+msgstr "Activer la validation des crédits"
-
--#: src/tools/sssctl/sssctl_data.c:218
--msgid "Create clean cache files and import local data"
--msgstr "Créer des fichiers de cache propres et importer des données locales"
-+#: src/config/SSSDConfig/sssdoptions.py:333
-+msgid "Store password if offline for later online authentication"
-+msgstr ""
-+"Stocker le mot de passe, si hors-ligne, pour une authentification ultérieure "
-+"en ligne"
-
--#: src/tools/sssctl/sssctl_data.c:219
--msgid "Stop SSSD before removing the cache"
--msgstr "Arrêtez SSSD avant de supprimer le cache"
-+#: src/config/SSSDConfig/sssdoptions.py:334
-+msgid "Renewable lifetime of the TGT"
-+msgstr "Durée de vie renouvelable du TGT"
-
--#: src/tools/sssctl/sssctl_data.c:220
--msgid "Start
SSSD when the cache is removed"
--msgstr "Démarrer SSSD lorsque le cache est supprimé"
-+#: src/config/SSSDConfig/sssdoptions.py:335
-+msgid "Lifetime of the TGT"
-+msgstr "Durée de vie du TGT"
-
--#: src/tools/sssctl/sssctl_data.c:235
--msgid "Creating backup of local data...\n"
--msgstr "Création d'une sauvegarde des données locales...\n"
-+#: src/config/SSSDConfig/sssdoptions.py:336
-+msgid "Time between two checks for renewal"
-+msgstr "Durée entre deux vérifications pour le renouvellement"
-
--#: src/tools/sssctl/sssctl_data.c:238
--msgid "Unable to create backup of local data, can not remove the cache.\n"
--msgstr ""
--"Impossible de créer une sauvegarde des données locales, impossible de "
--"supprimer le cache.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:337
-+msgid "Enables FAST"
-+msgstr "Active FAST"
-
--#: src/tools/sssctl/sssctl_data.c:243
--msgid "Removing cache files...\n"
--msgstr "Suppression des fichiers de cache...\n"
-+#: src/config/SSSDConfig/sssdoptions.py:338
-+msgid "Selects the principal to use for FAST"
-+msgstr "Sélectionne le principal à utiliser avec FAST"
-
--#: src/tools/sssctl/sssctl_data.c:246
--msgid "Unable to remove cache files\n"
--msgstr "Impossible de supprimer les fichiers de cache\n"
-+#: src/config/SSSDConfig/sssdoptions.py:339
-+msgid "Enables principal canonicalization"
-+msgstr "Active la canonisation du principal"
-
--#: src/tools/sssctl/sssctl_data.c:251
--msgid "Restoring local data...\n"
--msgstr "Restauration des données locales...\n"
-+#: src/config/SSSDConfig/sssdoptions.py:340
-+msgid "Enables enterprise principals"
-+msgstr "Active les principals d'entreprise"
-
--#: src/tools/sssctl/sssctl_domains.c:83
--msgid "Show domain list including primary or trusted domain type"
-+#: src/config/SSSDConfig/sssdoptions.py:341
-+msgid "A mapping from user names to Kerberos principal names"
- msgstr ""
--"Afficher la liste des domaines, y compris le type de domaine principal ou de "
--"confiance"
-+"Un mappage des noms
d'utilisateurs vers les noms de principaux Kerberos"
-
--#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
--#: src/tools/sssctl/sssctl_user_checks.c:95
--msgid "Unable to connect to system bus!\n"
--msgstr "Impossible de se connecter au bus système !\n"
-+#: src/config/SSSDConfig/sssdoptions.py:344
-+#: src/config/SSSDConfig/sssdoptions.py:345
-+msgid "Server where the change password service is running if not on the KDC"
-+msgstr ""
-+"Serveur où tourne le service de changement de mot de passe s'il n'est pas "
-+"sur le KDC"
-
--#: src/tools/sssctl/sssctl_domains.c:167
--msgid "Online"
--msgstr "En ligne"
-+#: src/config/SSSDConfig/sssdoptions.py:348
-+msgid "ldap_uri, The URI of the LDAP server"
-+msgstr "ldap_uri, l'adresse du serveur LDAP"
-
--#: src/tools/sssctl/sssctl_domains.c:167
--msgid "Offline"
--msgstr "Hors ligne"
-+#: src/config/SSSDConfig/sssdoptions.py:349
-+msgid "ldap_backup_uri, The URI of the LDAP server"
-+msgstr "ldap_backup_uri, l'URI du serveur LDAP"
-
--#: src/tools/sssctl/sssctl_domains.c:167
--#, c-format
--msgid "Online status: %s\n"
--msgstr "Statut en ligne : %s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:350
-+msgid "The default base DN"
-+msgstr "La base DN par défaut"
-
--#: src/tools/sssctl/sssctl_domains.c:213
--msgid "This domain has no active servers.\n"
--msgstr "Ce domaine n'a pas de serveurs actifs.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:351
-+msgid "The Schema Type in use on the LDAP server, rfc2307"
-+msgstr "Le type de schéma utilisé sur le serveur LDAP, rfc2307"
-
--#: src/tools/sssctl/sssctl_domains.c:218
--msgid "Active servers:\n"
--msgstr "Serveurs actifs :\n"
-+#: src/config/SSSDConfig/sssdoptions.py:352
-+msgid "Mode used to change user password"
-+msgstr "Mode utilisé pour modifier le mot de passe utilisateur"
-
--#: src/tools/sssctl/sssctl_domains.c:230
--msgid "not connected"
--msgstr "non connecté"
-+#: src/config/SSSDConfig/sssdoptions.py:353
-+msgid "The default bind DN"
-+msgstr "Le DN de connexion par défaut"
-
--#: src/tools/sssctl/sssctl_domains.c:267
--msgid "No servers discovered.\n"
--msgstr "Aucun serveur découvert.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:354
-+msgid "The type of the authentication token of the default bind DN"
-+msgstr "Le type de jeton d'authentification du DN de connexion par défaut"
-
--#: src/tools/sssctl/sssctl_domains.c:273
--#, c-format
--msgid "Discovered %s servers:\n"
--msgstr "%s serveurs découverts :\n"
-+#: src/config/SSSDConfig/sssdoptions.py:355
-+msgid "The authentication token of the default bind DN"
-+msgstr "Le jeton d'authentification du DN de connexion par défaut"
-
--#: src/tools/sssctl/sssctl_domains.c:285
--msgid "None so far.\n"
--msgstr "Aucun pour l'instant.\n"
-+#: src/config/SSSDConfig/sssdoptions.py:356
-+msgid "Length of time to attempt connection"
-+msgstr "Durée pendant laquelle il sera tenté d'établir la connexion"
-
--#: src/tools/sssctl/sssctl_domains.c:325
--msgid "Show online status"
--msgstr "Afficher le statut en ligne"
-+#: src/config/SSSDConfig/sssdoptions.py:357
-+msgid "Length of time to attempt synchronous LDAP operations"
-+msgstr "Durée pendant laquelle il sera tenté des opérations LDAP synchrones"
-
--#: src/tools/sssctl/sssctl_domains.c:326
--msgid "Show information about active server"
--msgstr "Afficher les informations sur le serveur actif"
-+#: src/config/SSSDConfig/sssdoptions.py:358
-+msgid "Length of time between attempts to reconnect while offline"
-+msgstr "Durée d'attente entre deux essais de reconnexion en mode hors-ligne"
-
--#: src/tools/sssctl/sssctl_domains.c:327
--msgid "Show list of discovered servers"
--msgstr "Afficher la liste des serveurs découverts"
-+#: src/config/SSSDConfig/sssdoptions.py:359
-+msgid "Use only the upper case for realm names"
-+msgstr "N'utiliser que des majuscules pour les noms de domaine"
-
--#: src/tools/sssctl/sssctl_domains.c:333
--msgid "Specify domain name."
--msgstr "Indiquer le nom de domaine."
-+#: src/config/SSSDConfig/sssdoptions.py:360 -+msgid "File that contains CA certificates" -+msgstr "Fichier contenant les certificats des CA" - --#: src/tools/sssctl/sssctl_domains.c:355 --msgid "Out of memory!\n" --msgstr "Plus de mémoire disponible !\n" -+#: src/config/SSSDConfig/sssdoptions.py:361 -+msgid "Path to CA certificate directory" -+msgstr "Chemin vers le répertoire de certificats des CA" - --#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 --msgid "Unable to get online status\n" --msgstr "Impossible d'obtenir le statut en ligne\n" -+#: src/config/SSSDConfig/sssdoptions.py:362 -+msgid "File that contains the client certificate" -+msgstr "Fichier contenant le certificat client" - --#: src/tools/sssctl/sssctl_domains.c:395 --msgid "Unable to get server list\n" --msgstr "Impossible d'obtenir la liste des serveurs\n" -+#: src/config/SSSDConfig/sssdoptions.py:363 -+msgid "File that contains the client key" -+msgstr "Fichier contenant la clé du client" - --#: src/tools/sssctl/sssctl_logs.c:46 --msgid "\n" --msgstr "\n" -+#: src/config/SSSDConfig/sssdoptions.py:364 -+msgid "List of possible ciphers suites" -+msgstr "Liste des suites de chiffrement possibles" - --#: src/tools/sssctl/sssctl_logs.c:236 --msgid "Delete log files instead of truncating" --msgstr "Supprimer les fichiers de log au lieu de tronquer" -+#: src/config/SSSDConfig/sssdoptions.py:365 -+msgid "Require TLS certificate verification" -+msgstr "Requiert une vérification de certificat TLS" - --#: src/tools/sssctl/sssctl_logs.c:247 --msgid "Deleting log files...\n" --msgstr "Suppression des fichiers journaux...\n" -+#: src/config/SSSDConfig/sssdoptions.py:366 -+msgid "Specify the sasl mechanism to use" -+msgstr "Spécifier le mécanisme SASL à utiliser" - --#: src/tools/sssctl/sssctl_logs.c:250 --msgid "Unable to remove log files\n" --msgstr "Impossible de supprimer les fichiers journaux\n" -+#: src/config/SSSDConfig/sssdoptions.py:367 -+msgid "Specify the sasl 
authorization id to use" -+msgstr "Spécifier l'identité d'authorisation SASL à utiliser" - --#: src/tools/sssctl/sssctl_logs.c:256 --msgid "Truncating log files...\n" --msgstr "Troncature des fichiers de journalisation...\n" -+#: src/config/SSSDConfig/sssdoptions.py:368 -+msgid "Specify the sasl authorization realm to use" -+msgstr "Spécifier le domaine d'authorisation SASL à utiliser" - --#: src/tools/sssctl/sssctl_logs.c:259 --msgid "Unable to truncate log files\n" --msgstr "Impossible de tronquer les fichiers de journalisation\n" -+#: src/config/SSSDConfig/sssdoptions.py:369 -+msgid "Specify the minimal SSF for LDAP sasl authorization" -+msgstr "Spécifie le minimum SSF pour l'autorisation sasl LDAP" - --#: src/tools/sssctl/sssctl_logs.c:285 --msgid "Out of memory!" --msgstr "Plus de mémoire disponible !" -+#: src/config/SSSDConfig/sssdoptions.py:370 -+msgid "Specify the maximal SSF for LDAP sasl authorization" -+msgstr "Spécifie le SFF maximal pour l'autorisation sasl LDAP" - --#: src/tools/sssctl/sssctl_logs.c:288 --#, c-format --msgid "Archiving log files into %s...\n" --msgstr "Archivage des fichiers journaux dans %s...\n" -+#: src/config/SSSDConfig/sssdoptions.py:371 -+msgid "Kerberos service keytab" -+msgstr "Service du fichier keytab de Kerberos" - --#: src/tools/sssctl/sssctl_logs.c:291 --msgid "Unable to archive log files\n" --msgstr "Impossible d'archiver les fichiers journaux\n" -+#: src/config/SSSDConfig/sssdoptions.py:372 -+msgid "Use Kerberos auth for LDAP connection" -+msgstr "Utiliser l'authentification Kerberos pour la connexion LDAP" - --#: src/tools/sssctl/sssctl_logs.c:316 --msgid "Specify debug level you want to set" --msgstr "Spécifiez le niveau de débogage que vous souhaitez définir" -+#: src/config/SSSDConfig/sssdoptions.py:373 -+msgid "Follow LDAP referrals" -+msgstr "Suivre les référents LDAP" - --#: src/tools/sssctl/sssctl_user_checks.c:117 --msgid "SSSD InfoPipe user lookup result:\n" --msgstr "Résultat de la recherche de l'utilisateur 
SSSD InfoPipe :\n" -+#: src/config/SSSDConfig/sssdoptions.py:374 -+msgid "Lifetime of TGT for LDAP connection" -+msgstr "Durée de vie du TGT pour la connexion LDAP" - --#: src/tools/sssctl/sssctl_user_checks.c:167 --#, c-format --msgid "dlopen failed with [%s].\n" --msgstr "dlopen a échoué avec [%s].\n" -+#: src/config/SSSDConfig/sssdoptions.py:375 -+msgid "How to dereference aliases" -+msgstr "Comment déréférencer les alias" - --#: src/tools/sssctl/sssctl_user_checks.c:174 --#, c-format --msgid "dlsym failed with [%s].\n" --msgstr "dlopen a échoué avec [%s].\n" -+#: src/config/SSSDConfig/sssdoptions.py:376 -+msgid "Service name for DNS service lookups" -+msgstr "Nom du service pour les recherches DNS" - --#: src/tools/sssctl/sssctl_user_checks.c:182 --msgid "malloc failed.\n" --msgstr "malloc a échoué.\n" -+#: src/config/SSSDConfig/sssdoptions.py:377 -+msgid "The number of records to retrieve in a single LDAP query" -+msgstr "Le nombre d'enregistrements à récupérer dans une requête LDAP unique" - --#: src/tools/sssctl/sssctl_user_checks.c:189 --#, c-format --msgid "sss_getpwnam_r failed with [%d].\n" --msgstr "sss_getpwnam_r a échoué avec [%d].\n" -+#: src/config/SSSDConfig/sssdoptions.py:378 -+msgid "The number of members that must be missing to trigger a full deref" -+msgstr "" -+"Nombre de membres qui doivent être manquants pour activer un déréférencement " -+"complet" - --#: src/tools/sssctl/sssctl_user_checks.c:194 --msgid "SSSD nss user lookup result:\n" --msgstr "Résultat de la recherche de l'utilisateur SSSD nss :\n" -+#: src/config/SSSDConfig/sssdoptions.py:379 -+msgid "" -+"Whether the LDAP library should perform a reverse lookup to canonicalize the " -+"host name during a SASL bind" -+msgstr "" -+"Est-ce que la bibliothèque LDAP doit effectuer une requête pour canoniser le " -+"nom d'hôte pendant une connexion SASL ?" 
- --#: src/tools/sssctl/sssctl_user_checks.c:195 --#, c-format --msgid " - user name: %s\n" --msgstr " - user name: %s\n" -- --#: src/tools/sssctl/sssctl_user_checks.c:196 --#, c-format --msgid " - user id: %d\n" --msgstr " - user id: %d\n" -- --#: src/tools/sssctl/sssctl_user_checks.c:197 --#, c-format --msgid " - group id: %d\n" --msgstr " - group id: %d\n" -+#: src/config/SSSDConfig/sssdoptions.py:381 -+msgid "" -+"Allows to retain local users as members of an LDAP group for servers that " -+"use the RFC2307 schema." -+msgstr "" - --#: src/tools/sssctl/sssctl_user_checks.c:198 --#, c-format --msgid " - gecos: %s\n" --msgstr " - gecos: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:384 -+msgid "entryUSN attribute" -+msgstr "attribut entryUSN" - --#: src/tools/sssctl/sssctl_user_checks.c:199 --#, c-format --msgid " - home directory: %s\n" --msgstr " - home directory: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:385 -+msgid "lastUSN attribute" -+msgstr "attribut lastUSN" - --#: src/tools/sssctl/sssctl_user_checks.c:200 --#, c-format -+#: src/config/SSSDConfig/sssdoptions.py:387 - msgid "" --" - shell: %s\n" --"\n" -+"How long to retain a connection to the LDAP server before disconnecting" - msgstr "" --" - shell: %s\n" --"\n" -+"Combien de temps conserver la connexion au serveur LDAP avant de se " -+"déconnecter" - --#: src/tools/sssctl/sssctl_user_checks.c:232 --msgid "PAM action [auth|acct|setc|chau|open|clos], default: " --msgstr "Action PAM [auth|acct|setc|chau|open|clos], par défaut : " -+#: src/config/SSSDConfig/sssdoptions.py:390 -+msgid "Disable the LDAP paging control" -+msgstr "Désactiver le contrôle des pages LDAP" - --#: src/tools/sssctl/sssctl_user_checks.c:235 --msgid "PAM service, default: " --msgstr "Service PAM, par défaut : " -+#: src/config/SSSDConfig/sssdoptions.py:391 -+msgid "Disable Active Directory range retrieval" -+msgstr "Désactiver la récupération de plage Active Directory." 
- --#: src/tools/sssctl/sssctl_user_checks.c:240 --msgid "Specify user name." --msgstr "Spécifiez le nom d'utilisateur." -+#: src/config/SSSDConfig/sssdoptions.py:394 -+msgid "Length of time to wait for a search request" -+msgstr "Durée d'attente pour une requête de recherche" - --#: src/tools/sssctl/sssctl_user_checks.c:247 --#, c-format --msgid "" --"user: %s\n" --"action: %s\n" --"service: %s\n" --"\n" --msgstr "" --"utilisateur: %s\n" --"action: %s\n" --"service: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:395 -+msgid "Length of time to wait for a enumeration request" -+msgstr "Durée d'attente pour une requête d'énumération" - --#: src/tools/sssctl/sssctl_user_checks.c:252 --#, c-format --msgid "User name lookup with [%s] failed.\n" --msgstr "La recherche de nom d'utilisateur avec [%s] a échoué.\n" -+#: src/config/SSSDConfig/sssdoptions.py:396 -+msgid "Length of time between enumeration updates" -+msgstr "Durée entre deux mises à jour d'énumération" - --#: src/tools/sssctl/sssctl_user_checks.c:257 --#, c-format --msgid "InfoPipe User lookup with [%s] failed.\n" --msgstr "La recherche de l'utilisateur InfoPipe avec [%s] a échoué.\n" -+#: src/config/SSSDConfig/sssdoptions.py:397 -+msgid "Length of time between cache cleanups" -+msgstr "Durée entre les nettoyages de cache" - --#: src/tools/sssctl/sssctl_user_checks.c:263 --#, c-format --msgid "pam_start failed: %s\n" --msgstr "pam_start a échoué : %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:398 -+msgid "Require TLS for ID lookups" -+msgstr "TLS est requis pour les recherches d'identifiants" - --#: src/tools/sssctl/sssctl_user_checks.c:268 --msgid "" --"testing pam_authenticate\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:399 -+msgid "Use ID-mapping of objectSID instead of pre-set IDs" - msgstr "" --"test de pam_authenticate\n" --"\n" -+"Utilisation de la correspondance d'ID pour les objectSID au lieu d'ID pré-" -+"établis" - --#: src/tools/sssctl/sssctl_user_checks.c:272 --#, c-format --msgid 
"pam_get_item failed: %s\n" --msgstr "pam_get_item a échoué : %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:400 -+msgid "Base DN for user lookups" -+msgstr "Base DN pour les recherches d'utilisateurs" - --#: src/tools/sssctl/sssctl_user_checks.c:275 --#, c-format --msgid "" --"pam_authenticate for user [%s]: %s\n" --"\n" --msgstr "pam_authenticate pour l'utilisateur [%s] : %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:401 -+msgid "Scope of user lookups" -+msgstr "Scope des recherches d'utilisateurs" - --#: src/tools/sssctl/sssctl_user_checks.c:278 --msgid "" --"testing pam_chauthtok\n" --"\n" --msgstr "" --"test pam_chauthtok\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:402 -+msgid "Filter for user lookups" -+msgstr "Filtre pour les recherches d'utilisateurs" - --#: src/tools/sssctl/sssctl_user_checks.c:280 --#, c-format --msgid "" --"pam_chauthtok: %s\n" --"\n" --msgstr "" --"pam_chauthtok: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:403 -+msgid "Objectclass for users" -+msgstr "Classe d'objet pour les utilisateurs" - --#: src/tools/sssctl/sssctl_user_checks.c:282 --msgid "" --"testing pam_acct_mgmt\n" --"\n" --msgstr "" --"test de pam_acct_mgmt\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:404 -+msgid "Username attribute" -+msgstr "Attribut de nom d'utilisateur" - --#: src/tools/sssctl/sssctl_user_checks.c:284 --#, c-format --msgid "" --"pam_acct_mgmt: %s\n" --"\n" --msgstr "" --"pam_acct_mgmt: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:405 -+msgid "UID attribute" -+msgstr "Attribut UID" - --#: src/tools/sssctl/sssctl_user_checks.c:286 --msgid "" --"testing pam_setcred\n" --"\n" --msgstr "" --"test de pam_setcred\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:406 -+msgid "Primary GID attribute" -+msgstr "Attribut de GID primaire" - --#: src/tools/sssctl/sssctl_user_checks.c:288 --#, c-format --msgid "" --"pam_setcred: [%s]\n" --"\n" --msgstr "" --"pam_setcred: [%s]\n" --"\n" -+#: 
src/config/SSSDConfig/sssdoptions.py:407 -+msgid "GECOS attribute" -+msgstr "Attribut GECOS" - --#: src/tools/sssctl/sssctl_user_checks.c:290 --msgid "" --"testing pam_open_session\n" --"\n" --msgstr "" --"test pam_open_session\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:408 -+msgid "Home directory attribute" -+msgstr "Attribut de répertoire utilisateur" - --#: src/tools/sssctl/sssctl_user_checks.c:292 --#, c-format --msgid "" --"pam_open_session: %s\n" --"\n" --msgstr "" --"pam_open_session: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:409 -+msgid "Shell attribute" -+msgstr "Attribut d'interpréteur de commandes" - --#: src/tools/sssctl/sssctl_user_checks.c:294 --msgid "" --"testing pam_close_session\n" --"\n" --msgstr "" --"test pam_close_session\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:410 -+msgid "UUID attribute" -+msgstr "attribut UUID" - --#: src/tools/sssctl/sssctl_user_checks.c:296 --#, c-format --msgid "" --"pam_close_session: %s\n" --"\n" --msgstr "" --"pam_close_session: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:411 -+#: src/config/SSSDConfig/sssdoptions.py:449 -+msgid "objectSID attribute" -+msgstr "attribut objectSID" - --#: src/tools/sssctl/sssctl_user_checks.c:298 --msgid "unknown action\n" --msgstr "action inconnue\n" -+#: src/config/SSSDConfig/sssdoptions.py:412 -+msgid "Active Directory primary group attribute for ID-mapping" -+msgstr "Groupe primaire Active Directory pour la correspondance d'ID" - --#: src/tools/sssctl/sssctl_user_checks.c:301 --msgid "PAM Environment:\n" --msgstr "Environnement PAM :\n" -+#: src/config/SSSDConfig/sssdoptions.py:413 -+msgid "User principal attribute (for Kerberos)" -+msgstr "Attribut d'utilisateur principal (pour Kerberos)" - --#: src/tools/sssctl/sssctl_user_checks.c:309 --msgid " - no env -\n" --msgstr " - no env -\n" -+#: src/config/SSSDConfig/sssdoptions.py:414 -+msgid "Full Name" -+msgstr "Nom complet" - --#: src/util/util.h:82 --msgid "The user ID to run the server 
as" --msgstr "L'identifiant utilisateur sous lequel faire tourner le serveur" -+#: src/config/SSSDConfig/sssdoptions.py:415 -+msgid "memberOf attribute" -+msgstr "Attribut memberOf" - --#: src/util/util.h:84 --msgid "The group ID to run the server as" --msgstr "L'identifiant de groupe sous lequel faire tourner le serveur" -+#: src/config/SSSDConfig/sssdoptions.py:416 -+msgid "Modification time attribute" -+msgstr "Attribut de date de modification" - --#: src/util/util.h:92 --msgid "Informs that the responder has been socket-activated" --msgstr "Informe que le répondeur a été activé par un socket" -+#: src/config/SSSDConfig/sssdoptions.py:417 -+msgid "shadowLastChange attribute" -+msgstr "Attribut shadowLastChange" - --#: src/util/util.h:94 --msgid "Informs that the responder has been dbus-activated" --msgstr "Informe que le répondeur a été activé par un dbus" -+#: src/config/SSSDConfig/sssdoptions.py:418 -+msgid "shadowMin attribute" -+msgstr "Attribut shadowMin" - --#~ msgid "Set the verbosity of the debug logging" --#~ msgstr "Définir le niveau de détails de la sortie de débogage" -+#: src/config/SSSDConfig/sssdoptions.py:419 -+msgid "shadowMax attribute" -+msgstr "Attribut shadowMax" - --#~ msgid "Include timestamps in debug logs" --#~ msgstr "Ajouter l'horodatage dans les fichiers de débogage" -+#: src/config/SSSDConfig/sssdoptions.py:420 -+msgid "shadowWarning attribute" -+msgstr "Attribut shadowWarning" - --#~ msgid "Include microseconds in timestamps in debug logs" --#~ msgstr "" --#~ "Ajouter les microsecondes pour l'horodatage dans les journaux de débogage" -+#: src/config/SSSDConfig/sssdoptions.py:421 -+msgid "shadowInactive attribute" -+msgstr "Attribut shadowInactive" - --#~ msgid "Write debug messages to logfiles" --#~ msgstr "Écrire les messages de débogage dans les journaux" -+#: src/config/SSSDConfig/sssdoptions.py:422 -+msgid "shadowExpire attribute" -+msgstr "Attribut shadowExpire" - --#~ msgid "Watchdog timeout before restarting service" --#~ 
msgstr "Délai de surveillance avant le redémarrage du service" -+#: src/config/SSSDConfig/sssdoptions.py:423 -+msgid "shadowFlag attribute" -+msgstr "Attribut shadowFlag" - --#~ msgid "Command to start service" --#~ msgstr "Commande pour démarrer le service" -+#: src/config/SSSDConfig/sssdoptions.py:424 -+msgid "Attribute listing authorized PAM services" -+msgstr "Attribut listant les services PAM autorisés" - --#~ msgid "Number of times to attempt connection to Data Providers" --#~ msgstr "" --#~ "Nombre d'essais pour tenter de se connecter au fournisseur de données" -+#: src/config/SSSDConfig/sssdoptions.py:425 -+msgid "Attribute listing authorized server hosts" -+msgstr "Attribut listant les hôtes de serveurs autorisés" - --#~ msgid "The number of file descriptors that may be opened by this responder" --#~ msgstr "" --#~ "Le nombre de descripteurs de fichiers qui peuvent être ouverts par ce " --#~ "répondeur" -+#: src/config/SSSDConfig/sssdoptions.py:426 -+msgid "Attribute listing authorized server rhosts" -+msgstr "Attribut listant les rhosts de serveurs autorisés" - --#~ msgid "Idle time before automatic disconnection of a client" --#~ msgstr "durée d'inactivité avant la déconnexion automatique d'un client" -+#: src/config/SSSDConfig/sssdoptions.py:427 -+msgid "krbLastPwdChange attribute" -+msgstr "Attribut krbLastPwdChange" - --#~ msgid "Idle time before automatic shutdown of the responder" --#~ msgstr "Temps d'inactivité avant l'arrêt automatique du répondeur" -+#: src/config/SSSDConfig/sssdoptions.py:428 -+msgid "krbPasswordExpiration attribute" -+msgstr "Attribut krbPasswordExpiration" - --#~ msgid "Always query all the caches before querying the Data Providers" --#~ msgstr "" --#~ "Interrogez toujours tous les caches avant d'interroger les fournisseurs " --#~ "de données" -+#: src/config/SSSDConfig/sssdoptions.py:429 -+msgid "Attribute indicating that server side password policies are active" -+msgstr "" -+"Attribut indiquant que la stratégie de mot de 
passe du serveur est active" -+ -+#: src/config/SSSDConfig/sssdoptions.py:430 -+msgid "accountExpires attribute of AD" -+msgstr "Attribut AD accountExpires" -+ -+#: src/config/SSSDConfig/sssdoptions.py:431 -+msgid "userAccountControl attribute of AD" -+msgstr "Attribut AD userAccountControl" -+ -+#: src/config/SSSDConfig/sssdoptions.py:432 -+msgid "nsAccountLock attribute" -+msgstr "Attribut nsAccountLock" - --#~ msgid "SSSD Services to start" --#~ msgstr "Services SSSD à démarrer" -+#: src/config/SSSDConfig/sssdoptions.py:433 -+msgid "loginDisabled attribute of NDS" -+msgstr "Attribut NDS loginDisabled" - --#~ msgid "SSSD Domains to start" --#~ msgstr "Domaines SSSD à démarrer" -+#: src/config/SSSDConfig/sssdoptions.py:434 -+msgid "loginExpirationTime attribute of NDS" -+msgstr "Attribut NDS loginExpirationTime" - --#~ msgid "Timeout for messages sent over the SBUS" --#~ msgstr "Délai d'attente pour les messages à envoyer à travers SBUS" -+#: src/config/SSSDConfig/sssdoptions.py:435 -+msgid "loginAllowedTimeMap attribute of NDS" -+msgstr "Attribut NDS loginAllowedTimeMap" - --#~ msgid "Regex to parse username and domain" --#~ msgstr "" --#~ "Expression rationnelle d'analyse des noms d'utilisateur et de domaine" -+#: src/config/SSSDConfig/sssdoptions.py:436 -+msgid "SSH public key attribute" -+msgstr "Attribut de clé public SSH" - --#~ msgid "Printf-compatible format for displaying fully-qualified names" --#~ msgstr "" --#~ "Format compatible printf d'affichage des noms complétement qualifiés" -+#: src/config/SSSDConfig/sssdoptions.py:437 -+msgid "attribute listing allowed authentication types for a user" -+msgstr "" -+"attribut énumérant les types d'authentification autorisés pour un " -+"utilisateur" -+ -+#: src/config/SSSDConfig/sssdoptions.py:438 -+msgid "attribute containing the X509 certificate of the user" -+msgstr "attribut contenant le certificat X509 de l'utilisateur" - --#~ msgid "" --#~ "Directory on the filesystem where SSSD should store Kerberos 
replay cache " --#~ "files." --#~ msgstr "" --#~ "Répertoire du système de fichiers où SSSD doit stocker les fichiers de " --#~ "relecture de Kerberos." -+#: src/config/SSSDConfig/sssdoptions.py:439 -+msgid "attribute containing the email address of the user" -+msgstr "attribut contenant l’adresse email de l'utilisateur" - --#~ msgid "Domain to add to names without a domain component." --#~ msgstr "Domaine à ajouter aux noms sans composant de nom de domaine." -+#: src/config/SSSDConfig/sssdoptions.py:440 -+msgid "A list of extra attributes to download along with the user entry" -+msgstr "" -+"Une liste des attributs supplémentaires à télécharger avec l'entrée de " -+"l'utilisateur" - --#~ msgid "The user to drop privileges to" --#~ msgstr "L'utilisation vers lequel abandonner les privilèges" -+#: src/config/SSSDConfig/sssdoptions.py:442 -+msgid "Base DN for group lookups" -+msgstr "DN de base pour les recherches de groupes" - --#~ msgid "Tune certificate verification" --#~ msgstr "Régler la vérification du certificat" -+#: src/config/SSSDConfig/sssdoptions.py:443 -+msgid "Objectclass for groups" -+msgstr "Classe d'objet pour les groupes" - --#~ msgid "" --#~ "All spaces in group or user names will be replaced with this character" --#~ msgstr "" --#~ "Tous les espaces dans les noms de groupes ou d'utilisateurs seront " --#~ "remplacés par ce caractère" -+#: src/config/SSSDConfig/sssdoptions.py:444 -+msgid "Group name" -+msgstr "Nom du groupe" - --#~ msgid "Tune sssd to honor or ignore netlink state changes" --#~ msgstr "" --#~ "Régler sssd pour honorer ou ignorer les changements d'état du netlink" -+#: src/config/SSSDConfig/sssdoptions.py:445 -+msgid "Group password" -+msgstr "Mot de passe du groupe" - --#~ msgid "Enable or disable the implicit files domain" --#~ msgstr "Activer ou désactiver le domaine des fichiers implicites" -+#: src/config/SSSDConfig/sssdoptions.py:446 -+msgid "GID attribute" -+msgstr "Attribut GID" - --#~ msgid "A specific order of the domains 
to be looked up" --#~ msgstr "Un ordre spécifique des domaines à rechercher" -+#: src/config/SSSDConfig/sssdoptions.py:447 -+msgid "Group member attribute" -+msgstr "Attribut membre du groupe" - --#~ msgid "Enumeration cache timeout length (seconds)" --#~ msgstr "Délai d'attente du cache d'énumération (en secondes)" -+#: src/config/SSSDConfig/sssdoptions.py:448 -+msgid "Group UUID attribute" -+msgstr "attribut de l'UUID du groupe" - --#~ msgid "Entry cache background update timeout length (seconds)" --#~ msgstr "" --#~ "Délai d'attente de mise à jour en arrière-plan de l'entrée de cache (en " --#~ "secondes)" -+#: src/config/SSSDConfig/sssdoptions.py:450 -+msgid "Modification time attribute for groups" -+msgstr "Attribut de date de modification pour les groupes" - --#~ msgid "Negative cache timeout length (seconds)" --#~ msgstr "Délai d'attente du cache négatif (en secondes)" -+#: src/config/SSSDConfig/sssdoptions.py:451 -+msgid "Type of the group and other flags" -+msgstr "Type de groupe et autres indicateurs" - --#~ msgid "Files negative cache timeout length (seconds)" --#~ msgstr "Délai d'attente du cache négatif (en secondes)" -- --#~ msgid "Users that SSSD should explicitly ignore" --#~ msgstr "Utilisateurs que SSSD doit explicitement ignorer" -- --#~ msgid "Groups that SSSD should explicitly ignore" --#~ msgstr "Groupes que SSSD doit explicitement ignorer" -- --#~ msgid "Should filtered users appear in groups" --#~ msgstr "Les utilisateurs filtrés doivent-ils apparaître dans les groupes" -- --#~ msgid "The value of the password field the NSS provider should return" --#~ msgstr "" --#~ "Valeur du champ de mot de passe que le fournisseur NSS doit renvoyer" -- --#~ msgid "Override homedir value from the identity provider with this value" --#~ msgstr "" --#~ "Remplacer par cette valeur celle du répertoire personnel obtenu avec le " --#~ "fournisseur d'identité" -- --#~ msgid "" --#~ "Substitute empty homedir value from the identity provider with this value" --#~ 
msgstr "" --#~ "Substitution de la valeur homedir vide du fournisseur d'identité avec " --#~ "cette valeur" -+#: src/config/SSSDConfig/sssdoptions.py:452 -+msgid "The LDAP group external member attribute" -+msgstr "L'attribut de membre externe du groupe LDAP" - --#~ msgid "Override shell value from the identity provider with this value" --#~ msgstr "" --#~ "Écraser le shell donné par le fournisseur d'identité avec cette valeur" -+#: src/config/SSSDConfig/sssdoptions.py:453 -+msgid "Maximum nesting level SSSD will follow" -+msgstr "Le niveau d'imbrication maximal du SSSD suivra" - --#~ msgid "The list of shells users are allowed to log in with" --#~ msgstr "" --#~ "Liste des interpréteurs de commandes utilisateurs autorisés pour se " --#~ "connecter" -- --#~ msgid "" --#~ "The list of shells that will be vetoed, and replaced with the fallback " --#~ "shell" --#~ msgstr "" --#~ "Liste des interpréteurs de commandes bannis et remplacés par celui par " --#~ "défaut" -- --#~ msgid "" --#~ "If a shell stored in central directory is allowed but not available, use " --#~ "this fallback" --#~ msgstr "" --#~ "Si un interpréteur de commandes stocké dans l'annuaire central est " --#~ "autorisé mais indisponible, utiliser à défaut celui-ci" -- --#~ msgid "Shell to use if the provider does not list one" --#~ msgstr "Shell à utiliser si le fournisseur n'en propose aucun" -- --#~ msgid "How long will be in-memory cache records valid" --#~ msgstr "Durée de maintien en cache des enregistrements valides" -- --#~ msgid "List of user attributes the NSS responder is allowed to publish" --#~ msgstr "" --#~ "Liste des attributs utilisateur que l'InfoPipe est autorisé à publier" -- --#~ msgid "How long to allow cached logins between online logins (days)" --#~ msgstr "" --#~ "Délai pendant lequel les connexions utilisant le cache sont autorisées " --#~ "entre deux connexions en ligne (en jours)" -- --#~ msgid "How many failed logins attempts are allowed when offline" --#~ msgstr "Nombre 
d'échecs de connexions hors-ligne autorisés" -- --#~ msgid "" --#~ "How long (minutes) to deny login after offline_failed_login_attempts has " --#~ "been reached" --#~ msgstr "" --#~ "Durée d'interdiction de connexion après que offline_failed_login_attempts " --#~ "est atteint (en minutes)" -- --#~ msgid "" --#~ "What kind of messages are displayed to the user during authentication" --#~ msgstr "" --#~ "Quels types de messages sont affichés à l'utilisateur pendant " --#~ "l'authentification" -- --#~ msgid "Filter PAM responses sent to the pam_sss" --#~ msgstr "Filtrez les réponses PAM envoyées à l'adresse pam_sss" -- --#~ msgid "" --#~ "How many seconds to keep identity information cached for PAM requests" --#~ msgstr "" --#~ "Durée en secondes pendant laquelle les informations d'identité sont " --#~ "gardées en cache pour les requêtes PAM" -- --#~ msgid "" --#~ "How many days before password expiration a warning should be displayed" --#~ msgstr "" --#~ "Nombre de jours précédent l'expiration du mot de passe avant lesquels un " --#~ "avertissement doit être affiché" -- --#~ msgid "List of trusted uids or user's name" --#~ msgstr "Liste des uid ou noms d'utilisateurs dignes de confiance" -- --#~ msgid "List of domains accessible even for untrusted users." --#~ msgstr "" --#~ "Liste des domaines accessibles y compris par les utilisateurs non dignes " --#~ "de confiance" -- --#~ msgid "Message printed when user account is expired." --#~ msgstr "Message affiché lorsque le compte a expiré" -- --#~ msgid "Message printed when user account is locked." --#~ msgstr "Message affiché lorsque le compte a expiré" -- --#~ msgid "Allow certificate based/Smartcard authentication." --#~ msgstr "Autoriser l'authentification par certificat/carte à puce." -- --#~ msgid "Path to certificate database with PKCS#11 modules." --#~ msgstr "" --#~ "Chemin d'accès à la base de données des certificats des modules PKCS#11." 
-- --#~ msgid "How many seconds will pam_sss wait for p11_child to finish" --#~ msgstr "Combien de secondes pam_sss attendra-t-il la fin de p11_child" -- --#~ msgid "Which PAM services are permitted to contact application domains" --#~ msgstr "" --#~ "Quels services PAM sont autorisés à contacter les domaines d'application" -- --#~ msgid "Allowed services for using smartcards" --#~ msgstr "Services autorisés pour l'utilisation de cartes à puce" -- --#~ msgid "Additional timeout to wait for a card if requested" --#~ msgstr "" --#~ "Délai d'attente supplémentaire pour l'obtention d'une carte si demandé" -- --#~ msgid "" --#~ "PKCS#11 URI to restrict the selection of devices for Smartcard " --#~ "authentication" --#~ msgstr "" --#~ "URI PKCS#11 pour limiter la sélection des périphériques pour " --#~ "l'authentification par carte à puce" -- --#~ msgid "Whether to evaluate the time-based attributes in sudo rules" --#~ msgstr "" --#~ "Faut-il évaluer les attributs dépendants du temps dans les règles sudo" -- --#~ msgid "If true, SSSD will switch back to lower-wins ordering logic" --#~ msgstr "Si sur true, SSSD repasse en logique de commande à faible gain" -- --#~ msgid "" --#~ "Maximum number of rules that can be refreshed at once. If this is " --#~ "exceeded, full refresh is performed." --#~ msgstr "" --#~ "Nombre maximum de règles pouvant être rafraîchies en même temps. En cas " --#~ "de dépassement, un rafraîchissement complet est effectué." 
-- --#~ msgid "Whether to hash host names and addresses in the known_hosts file" --#~ msgstr "" --#~ "Condenser ou non les noms de systèmes et adresses du fichier known_hosts" -- --#~ msgid "" --#~ "How many seconds to keep a host in the known_hosts file after its host " --#~ "keys were requested" --#~ msgstr "" --#~ "Le nombre de secondes pour garder un hôte dans le fichier known_hosts " --#~ "après que ses clés d'hôte ont été demandées" -- --#~ msgid "Path to storage of trusted CA certificates" --#~ msgstr "Chemin d'accès au stockage des certificats d'AC de confiance" -- --#~ msgid "Allow to generate ssh-keys from certificates" --#~ msgstr "Permet de générer des ssh-keys à partir de certificats" -- --#~ msgid "" --#~ "Use the following matching rules to filter the certificates for ssh-key " --#~ "generation" --#~ msgstr "" --#~ "Utilisez les règles de correspondance suivantes pour filtrer les " --#~ "certificats pour la génération de clés ssh" -- --#~ msgid "List of UIDs or user names allowed to access the PAC responder" --#~ msgstr "" --#~ "Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur PAC" -- --#~ msgid "How long the PAC data is considered valid" --#~ msgstr "Durée de validité des données du PAC" -- --#~ msgid "List of UIDs or user names allowed to access the InfoPipe responder" --#~ msgstr "" --#~ "Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur " --#~ "InfoPipe" -- --#~ msgid "List of user attributes the InfoPipe is allowed to publish" --#~ msgstr "" --#~ "Liste des attributs utilisateur que l'InfoPipe est autorisé à publier" -- --#~ msgid "The provider where the secrets will be stored in" --#~ msgstr "Le fournisseur où les secrets seront stockés" -+#: src/config/SSSDConfig/sssdoptions.py:454 -+msgid "Filter for group lookups" -+msgstr "" - --#~ msgid "The maximum allowed number of nested containers" --#~ msgstr "Le nombre maximal de conteneurs imbriqués autorisés" -+#: src/config/SSSDConfig/sssdoptions.py:455 
-+msgid "Scope of group lookups" -+msgstr "" - --#~ msgid "The maximum number of secrets that can be stored" --#~ msgstr "Le nombre maximum de secrets qui peuvent être stockés" -+#: src/config/SSSDConfig/sssdoptions.py:457 -+msgid "Base DN for netgroup lookups" -+msgstr "DN de base pour les recherches de netgroup" - --#~ msgid "The maximum number of secrets that can be stored per UID" --#~ msgstr "Le nombre maximum de secrets qui peuvent être stockés par UID" -+#: src/config/SSSDConfig/sssdoptions.py:458 -+msgid "Objectclass for netgroups" -+msgstr "Classe d'objet pour les groupes réseau" - --#~ msgid "The maximum payload size of a secret in kilobytes" --#~ msgstr "La taille maximale de la charge utile d'un secret en kilo-octets" -+#: src/config/SSSDConfig/sssdoptions.py:459 -+msgid "Netgroup name" -+msgstr "Nom du groupe réseau" - --#~ msgid "The URL Custodia server is listening on" --#~ msgstr "L'URL du serveur Custodia est en écoute sur" -+#: src/config/SSSDConfig/sssdoptions.py:460 -+msgid "Netgroups members attribute" -+msgstr "Attribut des membres des groupes réseau" - --#~ msgid "The method to use when authenticating to a Custodia server" --#~ msgstr "" --#~ "La méthode à utiliser lors de l'authentification via un serveur Custodia" -+#: src/config/SSSDConfig/sssdoptions.py:461 -+msgid "Netgroup triple attribute" -+msgstr "Attribut triplet du groupe réseau" - --#~ msgid "" --#~ "The name of the headers that will be added into a HTTP request with the " --#~ "value defined in auth_header_value" --#~ msgstr "" --#~ "Le nom des en-têtes qui seront ajoutés dans une requête HTTP avec la " --#~ "valeur définie dans auth_header_value" -+#: src/config/SSSDConfig/sssdoptions.py:462 -+msgid "Modification time attribute for netgroups" -+msgstr "Attribut date de modification pour les groupes réseau" - --#~ msgid "The value sssd-secrets would use for auth_header_name" --#~ msgstr "La valeur que sssd-secrets utiliseraient pour auth_header_name" -+#: 
src/config/SSSDConfig/sssdoptions.py:464 -+msgid "Base DN for service lookups" -+msgstr "Nom de domaine (DN) de base pour les recherches de service" - --#~ msgid "" --#~ "The list of the headers to forward to the Custodia server together with " --#~ "the request" --#~ msgstr "" --#~ "La liste des en-têtes à transmettre au serveur Custodia avec la requête" -+#: src/config/SSSDConfig/sssdoptions.py:465 -+msgid "Objectclass for services" -+msgstr "Classe objet pour les services" - --#~ msgid "" --#~ "The username to use when authenticating to a Custodia server using " --#~ "basic_auth" --#~ msgstr "" --#~ "La méthode à utiliser lors de l'authentification via un serveur Custodia " --#~ "utilisant basic_auth" -+#: src/config/SSSDConfig/sssdoptions.py:466 -+msgid "Service name attribute" -+msgstr "Attribut de nom de service" - --#~ msgid "" --#~ "The password to use when authenticating to a Custodia server using " --#~ "basic_auth" --#~ msgstr "" --#~ "La méthode à utiliser lors de l'authentification via un serveur Custodia " --#~ "utilisant basic_auth" -- --#~ msgid "" --#~ "If true peer's certificate is verified if proxy_url uses https protocol" --#~ msgstr "" --#~ "Le certificat pair true est vérifié si proxy_url utilise le protocole " --#~ "https" -- --#~ msgid "" --#~ "If false peer's certificate may contain different hostname than proxy_url " --#~ "when https protocol is used" --#~ msgstr "" --#~ "Le certificat pair false peut contenir un nom d'hôte différent de " --#~ "proxy_url lorsque le protocole https est utilisé" -- --#~ msgid "" --#~ "Path to directory where certificate authority certificates are stored" --#~ msgstr "Chemin d'accès au répertoire où sont stockés les certificats CA" -+#: src/config/SSSDConfig/sssdoptions.py:467 -+msgid "Service port attribute" -+msgstr "Attribut de port du service" - --#~ msgid "Path to file containing server's CA certificate" --#~ msgstr "Chemin d'accès au fichier contenant le certificat CA du serveur" -+#: 
src/config/SSSDConfig/sssdoptions.py:468 -+msgid "Service protocol attribute" -+msgstr "Attribut de service du protocole" - --#~ msgid "Path to file containing client's certificate" --#~ msgstr "Chemin d'accès au fichier contenant le certificat du client" -+#: src/config/SSSDConfig/sssdoptions.py:470 -+msgid "Lower bound for ID-mapping" -+msgstr "Limite inférieure pour la correspondance d'ID" - --#~ msgid "Path to file containing client's private key" --#~ msgstr "Chemin d'accès au fichier contenant la clé privée du client" -+#: src/config/SSSDConfig/sssdoptions.py:471 -+msgid "Upper bound for ID-mapping" -+msgstr "Limite supérieure pour la correspondance d'ID" - --#~ msgid "Identity provider" --#~ msgstr "Fournisseur d'identité" -+#: src/config/SSSDConfig/sssdoptions.py:472 -+msgid "Number of IDs for each slice when ID-mapping" -+msgstr "Nombre d'ID par tranche pour la correspondance d'ID" - --#~ msgid "Authentication provider" --#~ msgstr "Fournisseur d'authentification" -+#: src/config/SSSDConfig/sssdoptions.py:473 -+msgid "Use autorid-compatible algorithm for ID-mapping" -+msgstr "" -+"Utilisation d'un algorithme compatible autorid pour la correspondance d'ID" - --#~ msgid "Access control provider" --#~ msgstr "Fournisseur de contrôle d'accès" -+#: src/config/SSSDConfig/sssdoptions.py:474 -+msgid "Name of the default domain for ID-mapping" -+msgstr "Nom du domaine par défaut pour la correspondance d'ID" - --#~ msgid "Password change provider" --#~ msgstr "Fournisseur de changement de mot de passe" -+#: src/config/SSSDConfig/sssdoptions.py:475 -+msgid "SID of the default domain for ID-mapping" -+msgstr "SID du domaine par défaut pour la correspondance d'ID" - --#~ msgid "SUDO provider" --#~ msgstr "Fournisseur SUDO" -+#: src/config/SSSDConfig/sssdoptions.py:476 -+msgid "Number of secondary slices" -+msgstr "Nombre de tranches secondaires" - --#~ msgid "Autofs provider" --#~ msgstr "Fournisseur autofs" -+#: src/config/SSSDConfig/sssdoptions.py:478 -+msgid 
"Whether to use Token-Groups" -+msgstr "Choisir d'utiliser ou non les groupes de jetons" - --#~ msgid "Host identity provider" --#~ msgstr "Fournisseur d'identité de l'hôte" -+#: src/config/SSSDConfig/sssdoptions.py:479 -+msgid "Set lower boundary for allowed IDs from the LDAP server" -+msgstr "" -+"Définir la limite inférieure d'identifiants autorisés pour l'annuaire LDAP" - --#~ msgid "SELinux provider" --#~ msgstr "Fournisseur SELinux" -+#: src/config/SSSDConfig/sssdoptions.py:480 -+msgid "Set upper boundary for allowed IDs from the LDAP server" -+msgstr "" -+"Définir la limite supérieure d'identifiants autorisés pour l'annuaire LDAP" - --#~ msgid "Session management provider" --#~ msgstr "Fournisseur de gestion de session" -+#: src/config/SSSDConfig/sssdoptions.py:481 -+msgid "DN for ppolicy queries" -+msgstr "DN pour les requêtes sur ppolicy" - --#~ msgid "Whether the domain is usable by the OS or by applications" --#~ msgstr "Si le domaine est utilisable par l'OS ou par des applications" -+#: src/config/SSSDConfig/sssdoptions.py:482 -+msgid "How many maximum entries to fetch during a wildcard request" -+msgstr "Combien d'entrées maximum à récupérer lors d'une demande de wildcard" - --#~ msgid "Minimum user ID" --#~ msgstr "Identifiant utilisateur minimum" -+#: src/config/SSSDConfig/sssdoptions.py:485 -+msgid "Policy to evaluate the password expiration" -+msgstr "Stratégie d'évaluation de l'expiration du mot de passe" - --#~ msgid "Maximum user ID" --#~ msgstr "Identifiant utilisateur maximum" -+#: src/config/SSSDConfig/sssdoptions.py:489 -+msgid "Which attributes shall be used to evaluate if an account is expired" -+msgstr "Quels attributs utiliser pour déterminer si un compte a expiré" - --#~ msgid "Enable enumerating all users/groups" --#~ msgstr "Activer l'énumération de tous les utilisateurs/groupes" -+#: src/config/SSSDConfig/sssdoptions.py:490 -+msgid "Which rules should be used to evaluate access control" -+msgstr "Quelles règles utiliser pour évaluer 
le contrôle d'accès" - --#~ msgid "Cache credentials for offline login" --#~ msgstr "Mettre en cache les crédits pour une connexion hors-ligne" -+#: src/config/SSSDConfig/sssdoptions.py:493 -+msgid "URI of an LDAP server where password changes are allowed" -+msgstr "" -+"URI d'un serveur LDAP où les changements de mot de passe sont acceptés" - --#~ msgid "Display users/groups in fully-qualified form" --#~ msgstr "" --#~ "Afficher les utilisateurs/groupes dans un format complétement qualifié" -+#: src/config/SSSDConfig/sssdoptions.py:494 -+msgid "URI of a backup LDAP server where password changes are allowed" -+msgstr "" -+"URI d'un serveur LDAP de secours où sont autorisées les modifications de mot " -+"de passe" - --#~ msgid "Don't include group members in group lookups" --#~ msgstr "" --#~ "Ne pas inclure les membres des groupes dans les recherches de groupes." -+#: src/config/SSSDConfig/sssdoptions.py:495 -+msgid "DNS service name for LDAP password change server" -+msgstr "Nom du service DNS pour le serveur de changement de mot de passe LDAP" - --#~ msgid "Entry cache timeout length (seconds)" --#~ msgstr "Durée de validité des entrées en cache (en secondes)" -+#: src/config/SSSDConfig/sssdoptions.py:496 -+msgid "" -+"Whether to update the ldap_user_shadow_last_change attribute after a " -+"password change" -+msgstr "" -+"Choix de mise à jour de l'attribut ldap_user_shadow_last_change après un " -+"changement de mot de passe" - --#~ msgid "" --#~ "Restrict or prefer a specific address family when performing DNS lookups" --#~ msgstr "" --#~ "Restreindre ou préférer une famille d'adresses lors des recherches DNS" -+#: src/config/SSSDConfig/sssdoptions.py:500 -+msgid "Base DN for sudo rules lookups" -+msgstr "Nom de domaine (DN) de base pour les recherches de règles sudo" - --#~ msgid "How long to keep cached entries after last successful login (days)" --#~ msgstr "" --#~ "Durée de validité des entrées en cache après la dernière connexion " --#~ "réussie (en 
jours)" -+#: src/config/SSSDConfig/sssdoptions.py:501 -+msgid "Automatic full refresh period" -+msgstr "Périodicité de rafraichissement total" - --#~ msgid "" --#~ "How long should SSSD talk to single DNS server before trying next server " --#~ "(miliseconds)" --#~ msgstr "" --#~ "Combien de temps le SSSD doit-il parler à un seul serveur DNS avant " --#~ "d'essayer le serveur suivant (en millisecondes)" -+#: src/config/SSSDConfig/sssdoptions.py:502 -+msgid "Automatic smart refresh period" -+msgstr "Périodicité de rafraichissement intelligent" - --#~ msgid "How long should keep trying to resolve single DNS query (seconds)" --#~ msgstr "" --#~ "Combien de temps faut-il continuer à essayer de résoudre une seule " --#~ "requête DNS (en secondes)" -+#: src/config/SSSDConfig/sssdoptions.py:503 -+msgid "Whether to filter rules by hostname, IP addresses and network" -+msgstr "Filter ou non sur les noms de systèmes, adresses IP et réseaux" - --#~ msgid "" --#~ "How long to wait for replies from DNS when resolving servers (seconds)" --#~ msgstr "" --#~ "Délai d'attente des réponses du DNS lors de la résolution des serveurs " --#~ "(en secondes)" -+#: src/config/SSSDConfig/sssdoptions.py:504 -+msgid "" -+"Hostnames and/or fully qualified domain names of this machine to filter sudo " -+"rules" -+msgstr "" -+"Noms de systèmes et/ou noms pleinement qualifiés de cette machine pour " -+"filtrer les règles sudo" - --#~ msgid "The domain part of service discovery DNS query" --#~ msgstr "La partie domaine de la requête de découverte de service DNS" -+#: src/config/SSSDConfig/sssdoptions.py:505 -+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" -+msgstr "" -+"Adresses ou réseaux IPv4 ou IPv6 de cette machine pour filtrer les règles " -+"sudo" - --#~ msgid "Override GID value from the identity provider with this value" --#~ msgstr "" --#~ "Écraser la valeur du GID du fournisseur d'identité avec cette valeur" -+#: src/config/SSSDConfig/sssdoptions.py:506 
-+msgid "Whether to include rules that contains netgroup in host attribute" -+msgstr "" -+"Inclure ou non les règles qui contiennent un netgroup dans l'attribut host" - --#~ msgid "Treat usernames as case sensitive" --#~ msgstr "Considère les noms d'utilisateur comme casse dépendant" -+#: src/config/SSSDConfig/sssdoptions.py:507 -+msgid "" -+"Whether to include rules that contains regular expression in host attribute" -+msgstr "" -+"Inclure ou non les règles qui contiennent une expression rationnelle dans " -+"l'attribut host" - --#~ msgid "How often should expired entries be refreshed in background" --#~ msgstr "Fréquence de rafraîchissement en arrière plan des entrées expirées" -+#: src/config/SSSDConfig/sssdoptions.py:508 -+msgid "Object class for sudo rules" -+msgstr "Classe objet pour les règles sudo" - --#~ msgid "Whether to automatically update the client's DNS entry" --#~ msgstr "Choisir de mettre à jour automatiquement l'entrée DNS du client" -+#: src/config/SSSDConfig/sssdoptions.py:509 -+msgid "Name of attribute that is used as object class for sudo rules" -+msgstr "" -+"Nom de l'attribut qui est utilisé comme classe d'objet pour les règles sudo" - --#~ msgid "The TTL to apply to the client's DNS entry after updating it" --#~ msgstr "Le TTL à appliquer à l'entrée DNS du client après modification" -+#: src/config/SSSDConfig/sssdoptions.py:510 -+msgid "Sudo rule name" -+msgstr "Règle de nom sudo" - --#~ msgid "The interface whose IP should be used for dynamic DNS updates" --#~ msgstr "" --#~ "L'interface dont l'adresse IP doit être utilisée pour les mises à jour " --#~ "dynamiques du DNS" -+#: src/config/SSSDConfig/sssdoptions.py:511 -+msgid "Sudo rule command attribute" -+msgstr "Attribut de commande de règle sudo" - --#~ msgid "How often to periodically update the client's DNS entry" --#~ msgstr "Fréquence de mise à jour automatique de l'entrée DNS du client" -+#: src/config/SSSDConfig/sssdoptions.py:512 -+msgid "Sudo rule host attribute" -+msgstr 
"Attribut hôte de la règle sudo" - --#~ msgid "Whether the provider should explicitly update the PTR record as well" --#~ msgstr "" --#~ "Selon que le fournisseur doit aussi ou non mettre à jour explicitement " --#~ "l'enregistrement PTR" -+#: src/config/SSSDConfig/sssdoptions.py:513 -+msgid "Sudo rule user attribute" -+msgstr "Attribut utilisateur de la règle sudo" - --#~ msgid "Whether the nsupdate utility should default to using TCP" --#~ msgstr "Selon que l'utilitaire nsupdate doit utiliser TCP par défaut" -+#: src/config/SSSDConfig/sssdoptions.py:514 -+msgid "Sudo rule option attribute" -+msgstr "Attribut option de la règle sudo" - --#~ msgid "What kind of authentication should be used to perform the DNS update" --#~ msgstr "" --#~ "Quel type d'authentification doit être utilisée pour effectuer la mise à " --#~ "jour DNS" -+#: src/config/SSSDConfig/sssdoptions.py:515 -+msgid "Sudo rule runas attribute" -+msgstr "Attribut de règle sudo runas" - --#~ msgid "Override the DNS server used to perform the DNS update" --#~ msgstr "" --#~ "Remplace le serveur DNS utilisé pour effectuer la mise à jour du DNS" -+#: src/config/SSSDConfig/sssdoptions.py:516 -+msgid "Sudo rule runasuser attribute" -+msgstr "Attribut runasuser de la règle sudo" - --#~ msgid "Control enumeration of trusted domains" --#~ msgstr "Contrôle l'énumération des domaines approuvés" -+#: src/config/SSSDConfig/sssdoptions.py:517 -+msgid "Sudo rule runasgroup attribute" -+msgstr "Attribut runasgroup de la règle sudo" - --#~ msgid "How often should subdomains list be refreshed" --#~ msgstr "Fréquence de rafraîchissement des sous-domaines" -+#: src/config/SSSDConfig/sssdoptions.py:518 -+msgid "Sudo rule notbefore attribute" -+msgstr "Attribut notbefore de la règle sudo" - --#~ msgid "List of options that should be inherited into a subdomain" --#~ msgstr "Listes des options qui doivent être héritées dans le sous-domaine" -+#: src/config/SSSDConfig/sssdoptions.py:519 -+msgid "Sudo rule notafter attribute" 
-+msgstr "Attribut notafter de règle sudo" - --#~ msgid "Default subdomain homedir value" --#~ msgstr "Valeur par défaut du sous-domaine homedir" -+#: src/config/SSSDConfig/sssdoptions.py:520 -+msgid "Sudo rule order attribute" -+msgstr "Attribut d'ordre de règle sudo" - --#~ msgid "How long can cached credentials be used for cached authentication" --#~ msgstr "" --#~ "Combien de temps les informations d'identification en cache peuvent-elles " --#~ "être utilisées pour l'authentification en cache" -+#: src/config/SSSDConfig/sssdoptions.py:523 -+msgid "Object class for automounter maps" -+msgstr "Classe objet pour la carte de montage automatique" - --#~ msgid "Whether to automatically create private groups for users" --#~ msgstr "" --#~ "S'il faut créer automatiquement des groupes privés pour les utilisateurs" -+#: src/config/SSSDConfig/sssdoptions.py:524 -+msgid "Automounter map name attribute" -+msgstr "Nom de l'attribut de carte de montage automatique" - --#~ msgid "IPA domain" --#~ msgstr "Domaine IPA" -+#: src/config/SSSDConfig/sssdoptions.py:525 -+msgid "Object class for automounter map entries" -+msgstr "Classe objet pour l'entrée de référence de montage automatique" - --#~ msgid "IPA server address" --#~ msgstr "Adresse du serveur IPA" -+#: src/config/SSSDConfig/sssdoptions.py:526 -+msgid "Automounter map entry key attribute" -+msgstr "Attribut de clé d'entrée pour la carte de montage automatique" - --#~ msgid "Address of backup IPA server" --#~ msgstr "Adresse du serveur IPA de secours" -+#: src/config/SSSDConfig/sssdoptions.py:527 -+msgid "Automounter map entry value attribute" -+msgstr "Attribut de valeur pour la carte de montage automatique" - --#~ msgid "IPA client hostname" --#~ msgstr "Nom de système du client IPA" -+#: src/config/SSSDConfig/sssdoptions.py:528 -+msgid "Base DN for automounter map lookups" -+msgstr "Base DN pour les requêtes de carte de montage automatique" - --#~ msgid "Whether to automatically update the client's DNS entry in 
FreeIPA" --#~ msgstr "" --#~ "Choisir de mettre à jour automatiquement l'entrée DNS du client dans " --#~ "FreeIPA" -+#: src/config/SSSDConfig/sssdoptions.py:529 -+msgid "The name of the automount master map in LDAP." -+msgstr "" - --#~ msgid "Search base for HBAC related objects" --#~ msgstr "Base de recherche pour les objets HBAC" -+#: src/config/SSSDConfig/sssdoptions.py:532 -+msgid "Base DN for IP hosts lookups" -+msgstr "" - --#~ msgid "" --#~ "The amount of time between lookups of the HBAC rules against the IPA " --#~ "server" --#~ msgstr "Délai entre les recherches de règles HBAC sur le serveur IPA" -+#: src/config/SSSDConfig/sssdoptions.py:533 -+msgid "Object class for IP hosts" -+msgstr "" - --#~ msgid "" --#~ "The amount of time in seconds between lookups of the SELinux maps against " --#~ "the IPA server" --#~ msgstr "Délai entre les recherches de cartes SELinux sur le serveur IPA" -+#: src/config/SSSDConfig/sssdoptions.py:534 -+msgid "IP host name attribute" -+msgstr "" - --#~ msgid "If set to false, host argument given by PAM will be ignored" --#~ msgstr "Si mit à false, l’argument de l'hôte donné par PAM est ignoré" -+#: src/config/SSSDConfig/sssdoptions.py:535 -+msgid "IP host number (address) attribute" -+msgstr "" - --#~ msgid "The automounter location this IPA client is using" --#~ msgstr "" --#~ "L'emplacement de la carte de montage automatique utilisée par le client " --#~ "IPA" -+#: src/config/SSSDConfig/sssdoptions.py:536 -+msgid "IP host entryUSN attribute" -+msgstr "" - --#~ msgid "Search base for object containing info about IPA domain" --#~ msgstr "" --#~ "Base de recherche pour l'objet contenant les informations de base à " --#~ "propos du domaine IPA" -+#: src/config/SSSDConfig/sssdoptions.py:537 -+msgid "Base DN for IP networks lookups" -+msgstr "" - --#~ msgid "Search base for objects containing info about ID ranges" --#~ msgstr "" --#~ "Base de recherche pour les objets contenant les informations à propos des " --#~ "plages d'ID" -+#: 
src/config/SSSDConfig/sssdoptions.py:538 -+msgid "Object class for IP networks" -+msgstr "" - --#~ msgid "Enable DNS sites - location based service discovery" --#~ msgstr "" --#~ "Activer les sites DNS - découverte de service basée sur l'emplacement" -- --#~ msgid "Search base for view containers" --#~ msgstr "Base de recherche des conteneurs de vues" -- --#~ msgid "Objectclass for view containers" --#~ msgstr "Classe d'objet pour les conteneurs de vues" -- --#~ msgid "Attribute with the name of the view" --#~ msgstr "Attribut avec le nom de la vue" -- --#~ msgid "Objectclass for override objects" --#~ msgstr "Classe d'objet surchargeant les objets" -- --#~ msgid "Attribute with the reference to the original object" --#~ msgstr "Attribut faisant référence à l'objet originel " -- --#~ msgid "Objectclass for user override objects" --#~ msgstr "Classe d'objet surchargeant les utilisateurs" -- --#~ msgid "Objectclass for group override objects" --#~ msgstr "Classe d'objet surchargeant les groupes" -- --#~ msgid "Search base for Desktop Profile related objects" --#~ msgstr "Base de recherche pour les objets liés au Profil du Bureau" -- --#~ msgid "" --#~ "The amount of time in seconds between lookups of the Desktop Profile " --#~ "rules against the IPA server" --#~ msgstr "" --#~ "Le temps, en secondes, entre les consultations des règles du profil du " --#~ "bureau sur le serveur IPA" -- --#~ msgid "" --#~ "The amount of time in minutes between lookups of Desktop Profiles rules " --#~ "against the IPA server when the last request did not find any rule" --#~ msgstr "" --#~ "Le temps en minutes entre les consultations des règles de profile de " --#~ "bureau sur le serveur IPA lorsque la dernière requête n'a trouvé aucune " --#~ "règle" -- --#~ msgid "Active Directory domain" --#~ msgstr "Domaine Active Directory" -- --#~ msgid "Enabled Active Directory domains" --#~ msgstr "Domaine d’Active Directory activés" -- --#~ msgid "Active Directory server address" --#~ msgstr 
"Adresse du serveur Active Directory" -- --#~ msgid "Active Directory backup server address" --#~ msgstr "Adresse du serveur Active Directory de secours" -- --#~ msgid "Active Directory client hostname" --#~ msgstr "Nom de système du client Active Directory" -- --#~ msgid "LDAP filter to determine access privileges" --#~ msgstr "Filtre LDAP pour déterminer les autorisations d'accès" -- --#~ msgid "Whether to use the Global Catalog for lookups" --#~ msgstr "Choisir d'utiliser ou non le catalogue global pour les recherches" -- --#~ msgid "Operation mode for GPO-based access control" --#~ msgstr "Mode opératoire pour les contrôles d'accès basé sur les GPO" -- --#~ msgid "" --#~ "The amount of time between lookups of the GPO policy files against the AD " --#~ "server" --#~ msgstr "" --#~ "Durée entre les recherches de fichiers de politiques de GPO dans le " --#~ "serveur AD" -- --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "Noms de services PAM correspondant à la configuration de la politique " --#~ "(Deny)InteractiveLogonRight de la GPO" -+#: src/config/SSSDConfig/sssdoptions.py:539 -+msgid "IP network name attribute" -+msgstr "" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " --#~ "policy settings" --#~ msgstr "" --#~ "Noms de services PAM correspondant à la configuration de la politique " --#~ "(Deny)RemoteInteractiveLogonRight de la GPO" -+#: src/config/SSSDConfig/sssdoptions.py:540 -+msgid "IP network number (address) attribute" -+msgstr "" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)NetworkLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "Noms de services PAM correspondant à la configuration de la politique " --#~ "(Deny)NetworkLogonRight de la GPO" -+#: src/config/SSSDConfig/sssdoptions.py:541 -+msgid "IP network entryUSN attribute" -+msgstr "" - --#~ msgid "" --#~ "PAM service names that map to the GPO 
(Deny)BatchLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "Noms de services PAM correspondant à la configuration de la politique " --#~ "(Deny)BatchLogonRight de la GPO" -+#: src/config/SSSDConfig/sssdoptions.py:544 -+msgid "Comma separated list of allowed users" -+msgstr "Liste, séparée par des virgules, d'utilisateurs autorisés" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)ServiceLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "Noms de services PAM correspondant à la configuration de la politique " --#~ "(Deny)ServiceLogonRight de la GPO" -+#: src/config/SSSDConfig/sssdoptions.py:545 -+msgid "Comma separated list of prohibited users" -+msgstr "Liste, séparée par des virgules, d'utilisateurs interdits" - --#~ msgid "PAM service names for which GPO-based access is always granted" --#~ msgstr "" --#~ "Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont " --#~ "toujours autorisés" -+#: src/config/SSSDConfig/sssdoptions.py:546 -+msgid "" -+"Comma separated list of groups that are allowed to log in. This applies only " -+"to groups within this SSSD domain. Local groups are not evaluated." -+msgstr "" - --#~ msgid "PAM service names for which GPO-based access is always denied" --#~ msgstr "" --#~ "Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont " --#~ "toujours interdits" -+#: src/config/SSSDConfig/sssdoptions.py:548 -+msgid "" -+"Comma separated list of groups that are explicitly denied access. This " -+"applies only to groups within this SSSD domain. Local groups are not " -+"evaluated." 
-+msgstr "" - --#~ msgid "" --#~ "Default logon right (or permit/deny) to use for unmapped PAM service names" --#~ msgstr "" --#~ "Droit de connexion par défaut (ou permission/interdiction) à utiliser " --#~ "pour les noms de services sans correspondance" -+#: src/config/SSSDConfig/sssdoptions.py:552 -+msgid "Base for home directories" -+msgstr "Base pour les répertoires utilisateur" - --#~ msgid "a particular site to be used by the client" --#~ msgstr "un site particulier utilisé par le client" -+#: src/config/SSSDConfig/sssdoptions.py:553 -+msgid "Indicate if a home directory should be created for new users." -+msgstr "" - --#~ msgid "" --#~ "Maximum age in days before the machine account password should be renewed" --#~ msgstr "" --#~ "Âge maximum en jours avant que le mot de passe du compte de la machine ne " --#~ "soit renouvelé" -+#: src/config/SSSDConfig/sssdoptions.py:554 -+msgid "Indicate if a home directory should be removed for deleted users." -+msgstr "" - --#~ msgid "Option for tuning the machine account renewal task" --#~ msgstr "Option de réglage de la tâche de renouvellement du compte machine" -+#: src/config/SSSDConfig/sssdoptions.py:555 -+msgid "Specify the default permissions on a newly created home directory." -+msgstr "" - --#~ msgid "Kerberos server address" --#~ msgstr "Adresse du serveur Kerberos" -+#: src/config/SSSDConfig/sssdoptions.py:556 -+msgid "The skeleton directory." -+msgstr "" - --#~ msgid "Kerberos backup server address" --#~ msgstr "Adresse du serveur Kerberos de secours" -+#: src/config/SSSDConfig/sssdoptions.py:557 -+msgid "The mail spool directory." -+msgstr "" - --#~ msgid "Kerberos realm" --#~ msgstr "Domaine Kerberos" -+#: src/config/SSSDConfig/sssdoptions.py:558 -+msgid "The command that is run after a user is removed." -+msgstr "" - --#~ msgid "Authentication timeout" --#~ msgstr "Délai avant expiration de l'authentification" -+#: src/config/SSSDConfig/sssdoptions.py:561 -+msgid "The number of preforked proxy children." 
-+msgstr "Le nombre d'enfants proxy pré-fourche." - --#~ msgid "Whether to create kdcinfo files" --#~ msgstr "Choisir de créer ou non les fichiers kdcinfo" -+#: src/config/SSSDConfig/sssdoptions.py:564 -+msgid "The name of the NSS library to use" -+msgstr "Nom de la bibliothèque NSS à utiliser" - --#~ msgid "Where to drop krb5 config snippets" --#~ msgstr "Où déposer les extraits de configuration krb5" -+#: src/config/SSSDConfig/sssdoptions.py:565 -+msgid "The name of the NSS library to use for hosts and networks lookups" -+msgstr "" - --#~ msgid "Directory to store credential caches" --#~ msgstr "Répertoire pour stocker les caches de crédits" -+#: src/config/SSSDConfig/sssdoptions.py:566 -+msgid "Whether to look up canonical group name from cache if possible" -+msgstr "Rechercher le nom canonique du groupe dans le cache si possible" - --#~ msgid "Location of the user's credential cache" --#~ msgstr "Emplacement du cache de crédits de l'utilisateur" -+#: src/config/SSSDConfig/sssdoptions.py:569 -+msgid "PAM stack to use" -+msgstr "Pile PAM à utiliser" - --#~ msgid "Location of the keytab to validate credentials" --#~ msgstr "Emplacement du fichier keytab de validation des crédits" -+#: src/config/SSSDConfig/sssdoptions.py:572 -+msgid "Path of passwd file sources." -+msgstr "Chemin des sources des fichiers passwd." - --#~ msgid "Enable credential validation" --#~ msgstr "Activer la validation des crédits" -+#: src/config/SSSDConfig/sssdoptions.py:573 -+msgid "Path of group file sources." -+msgstr "Chemin des sources des fichiers de groupe." 
- --#~ msgid "Store password if offline for later online authentication" --#~ msgstr "" --#~ "Stocker le mot de passe, si hors-ligne, pour une authentification " --#~ "ultérieure en ligne" -+#: src/monitor/monitor.c:2371 -+msgid "Become a daemon (default)" -+msgstr "Devenir un démon (par défaut)" - --#~ msgid "Renewable lifetime of the TGT" --#~ msgstr "Durée de vie renouvelable du TGT" -+#: src/monitor/monitor.c:2373 -+msgid "Run interactive (not a daemon)" -+msgstr "Fonctionner en interactif (non démon)" - --#~ msgid "Lifetime of the TGT" --#~ msgstr "Durée de vie du TGT" -+#: src/monitor/monitor.c:2376 -+msgid "Disable netlink interface" -+msgstr "Désactiver l'interface netlink" - --#~ msgid "Time between two checks for renewal" --#~ msgstr "Durée entre deux vérifications pour le renouvellement" -+#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_config.c:77 -+#: src/tools/sssctl/sssctl_logs.c:310 -+msgid "Specify a non-default config file" -+msgstr "Définir un fichier de configuration différent de celui par défaut" - --#~ msgid "Enables FAST" --#~ msgstr "Active FAST" -+#: src/monitor/monitor.c:2380 -+msgid "Refresh the configuration database, then exit" -+msgstr "Rafraîchissez la base de données de configuration, puis quittez" - --#~ msgid "Selects the principal to use for FAST" --#~ msgstr "Sélectionne le principal à utiliser avec FAST" -+#: src/monitor/monitor.c:2383 -+msgid "Similar to --genconf, but only refreshes the given section" -+msgstr "Semblable à --genconf, mais ne rafraîchit que la section donnée" - --#~ msgid "Enables principal canonicalization" --#~ msgstr "Active la canonisation du principal" -+#: src/monitor/monitor.c:2386 -+msgid "Print version number and exit" -+msgstr "Afficher le numéro de version et quitte" - --#~ msgid "Enables enterprise principals" --#~ msgstr "Active les principals d'entreprise" -+#: src/monitor/monitor.c:2532 -+msgid "SSSD is already running\n" -+msgstr "SSSD est déjà en cours d'exécution\n" - --#~ msgid "A 
mapping from user names to Kerberos principal names" --#~ msgstr "" --#~ "Un mappage des noms d'utilisateurs vers les noms de principaux Kerberos" -+#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:638 -+msgid "Debug level" -+msgstr "Niveau de débogage" - --#~ msgid "" --#~ "Server where the change password service is running if not on the KDC" --#~ msgstr "" --#~ "Serveur où tourne le service de changement de mot de passe s'il n'est pas " --#~ "sur le KDC" -+#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:640 -+msgid "Add debug timestamps" -+msgstr "Ajouter l'horodatage au débogage" - --#~ msgid "ldap_uri, The URI of the LDAP server" --#~ msgstr "ldap_uri, l'adresse du serveur LDAP" -+#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:642 -+msgid "Show timestamps with microseconds" -+msgstr "Afficher l'horodatage en microsecondes" - --#~ msgid "ldap_backup_uri, The URI of the LDAP server" --#~ msgstr "ldap_backup_uri, l'URI du serveur LDAP" -+#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:644 -+msgid "An open file descriptor for the debug logs" -+msgstr "Un descripteur de fichier ouvert pour les journaux de débogage" - --#~ msgid "The default base DN" --#~ msgstr "La base DN par défaut" -+#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:646 -+msgid "Send the debug output to stderr directly." -+msgstr "Envoyer la sortie de débogage directement vers l'erreur standard." 
- --#~ msgid "The Schema Type in use on the LDAP server, rfc2307" --#~ msgstr "Le type de schéma utilisé sur le serveur LDAP, rfc2307" -+#: src/providers/krb5/krb5_child.c:3245 -+msgid "The user to create FAST ccache as" -+msgstr "L'utilisateur à utiliser pour la création du ccache FAST" - --#~ msgid "Mode used to change user password" --#~ msgstr "Mode utilisé pour modifier le mot de passe utilisateur" -+#: src/providers/krb5/krb5_child.c:3247 -+msgid "The group to create FAST ccache as" -+msgstr "Le groupe à utiliser pour la création du ccache FAST" - --#~ msgid "The default bind DN" --#~ msgstr "Le DN de connexion par défaut" -+#: src/providers/krb5/krb5_child.c:3249 -+msgid "Kerberos realm to use" -+msgstr "Domaine Kerberos à utiliser" - --#~ msgid "The type of the authentication token of the default bind DN" --#~ msgstr "Le type de jeton d'authentification du DN de connexion par défaut" -+#: src/providers/krb5/krb5_child.c:3251 -+msgid "Requested lifetime of the ticket" -+msgstr "Demande de renouvellement à vie du billet" - --#~ msgid "The authentication token of the default bind DN" --#~ msgstr "Le jeton d'authentification du DN de connexion par défaut" -+#: src/providers/krb5/krb5_child.c:3253 -+msgid "Requested renewable lifetime of the ticket" -+msgstr "Demande de renouvellement à vie du billet" - --#~ msgid "Length of time to attempt connection" --#~ msgstr "Durée pendant laquelle il sera tenté d'établir la connexion" -+#: src/providers/krb5/krb5_child.c:3255 -+msgid "FAST options ('never', 'try', 'demand')" -+msgstr "Options FAST ('never', 'try', 'demand')" - --#~ msgid "Length of time to attempt synchronous LDAP operations" --#~ msgstr "Durée pendant laquelle il sera tenté des opérations LDAP synchrones" -+#: src/providers/krb5/krb5_child.c:3258 -+msgid "Specifies the server principal to use for FAST" -+msgstr "Spécifie le principal de serveur afin d'utiliser FAST." 
- --#~ msgid "Length of time between attempts to reconnect while offline" --#~ msgstr "Durée d'attente entre deux essais de reconnexion en mode hors-ligne" -+#: src/providers/krb5/krb5_child.c:3260 -+msgid "Requests canonicalization of the principal name" -+msgstr "Demande la canonisation du nom principal" - --#~ msgid "Use only the upper case for realm names" --#~ msgstr "N'utiliser que des majuscules pour les noms de domaine" -+#: src/providers/krb5/krb5_child.c:3262 -+msgid "Use custom version of krb5_get_init_creds_password" -+msgstr "Utiliser la version personnalisée de krb5_get_init_creds_password" - --#~ msgid "File that contains CA certificates" --#~ msgstr "Fichier contenant les certificats des CA" -+#: src/providers/data_provider_be.c:674 -+msgid "Domain of the information provider (mandatory)" -+msgstr "Domaine du fournisseur d'informations (obligatoire)" -+ -+#: src/sss_client/common.c:1079 -+msgid "Privileged socket has wrong ownership or permissions." -+msgstr "" -+"Le socket privilégié a de mauvaises permissions ou un mauvais propriétaire." -+ -+#: src/sss_client/common.c:1082 -+msgid "Public socket has wrong ownership or permissions." -+msgstr "" -+"Le socket public a de mauvaises permissions ou un mauvais propriétaire." -+ -+#: src/sss_client/common.c:1085 -+msgid "Unexpected format of the server credential message." -+msgstr "Le message du serveur de crédits a un format inattendu." -+ -+#: src/sss_client/common.c:1088 -+msgid "SSSD is not run by root." -+msgstr "SSSD n'est pas démarré par root." -+ -+#: src/sss_client/common.c:1091 -+msgid "SSSD socket does not exist." -+msgstr "La socket SSSD n'existe pas." -+ -+#: src/sss_client/common.c:1094 -+msgid "Cannot get stat of SSSD socket." -+msgstr "Impossible d'obtenir le stat du socket SSSD." -+ -+#: src/sss_client/common.c:1099 -+msgid "An error occurred, but no description can be found." -+msgstr "Une erreur est survenue mais aucune description n'est trouvée." 
-+ -+#: src/sss_client/common.c:1105 -+msgid "Unexpected error while looking for an error description" -+msgstr "Erreur inattendue lors de la recherche de la description de l'erreur" -+ -+#: src/sss_client/pam_sss.c:68 -+msgid "Permission denied. " -+msgstr "Accès refusé." -+ -+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 -+#: src/sss_client/pam_sss.c:792 -+msgid "Server message: " -+msgstr "Message du serveur : " -+ -+#: src/sss_client/pam_sss.c:299 -+msgid "Passwords do not match" -+msgstr "Les mots de passe ne correspondent pas" -+ -+#: src/sss_client/pam_sss.c:487 -+msgid "Password reset by root is not supported." -+msgstr "" -+"La réinitialisation du mot de passe par root n'est pas prise en charge." -+ -+#: src/sss_client/pam_sss.c:528 -+msgid "Authenticated with cached credentials" -+msgstr "Authentifié avec les crédits mis en cache" -+ -+#: src/sss_client/pam_sss.c:529 -+msgid ", your cached password will expire at: " -+msgstr ", votre mot de passe en cache expirera à :" -+ -+#: src/sss_client/pam_sss.c:559 -+#, c-format -+msgid "Your password has expired. You have %1$d grace login(s) remaining." -+msgstr "" -+"Votre mot de passe a expiré. Il vous reste %1$d connexion(s) autorisée(s)." -+ -+#: src/sss_client/pam_sss.c:605 -+#, c-format -+msgid "Your password will expire in %1$d %2$s." -+msgstr "Votre mot de passe expirera dans %1$d %2$s." 
-+ -+#: src/sss_client/pam_sss.c:654 -+msgid "Authentication is denied until: " -+msgstr "L'authentification est refusée jusque :" -+ -+#: src/sss_client/pam_sss.c:675 -+msgid "System is offline, password change not possible" -+msgstr "" -+"Le système est hors-ligne, les modifications du mot de passe sont " -+"impossibles" -+ -+#: src/sss_client/pam_sss.c:690 -+msgid "" -+"After changing the OTP password, you need to log out and back in order to " -+"acquire a ticket" -+msgstr "" -+"Après avoir modifié le mot de passe OTP, vous devez vous déconnecter et vous " -+"reconnecter afin d'acquérir un ticket" -+ -+#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 -+msgid "Password change failed. " -+msgstr "Échec du changement de mot de passe." -+ -+#: src/sss_client/pam_sss.c:2015 -+msgid "New Password: " -+msgstr "Nouveau mot de passe : " -+ -+#: src/sss_client/pam_sss.c:2016 -+msgid "Reenter new Password: " -+msgstr "Retaper le nouveau mot de passe : " -+ -+#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 -+msgid "First Factor: " -+msgstr "Premier facteur :" -+ -+#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 -+msgid "Second Factor (optional): " -+msgstr "Deuxième facteur (facultatif) : " -+ -+#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 -+msgid "Second Factor: " -+msgstr "Second facteur :" -+ -+#: src/sss_client/pam_sss.c:2200 -+msgid "Password: " -+msgstr "Mot de passe : " -+ -+#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 -+msgid "First Factor (Current Password): " -+msgstr "Premier facteur (mot de passe actuel) : " -+ -+#: src/sss_client/pam_sss.c:2359 -+msgid "Current Password: " -+msgstr "Mot de passe actuel : " -+ -+#: src/sss_client/pam_sss.c:2714 -+msgid "Password expired. Change your password now." -+msgstr "Mot de passe expiré. Changez votre mot de passe maintenant." 
-+ -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 -+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 -+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -+#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 -+#: src/tools/sss_cache.c:719 -+msgid "The debug level to run with" -+msgstr "Le niveau de débogage utilisé avec" -+ -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 -+msgid "The SSSD domain to use" -+msgstr "Le domaine SSSD à utiliser" -+ -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 -+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 -+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -+#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 -+#: src/tools/sss_cache.c:765 -+msgid "Error setting the locale\n" -+msgstr "Erreur lors du paramétrage de la locale\n" -+ -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 -+msgid "Not enough memory\n" -+msgstr "Mémoire insuffisante\n" -+ -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 -+msgid "User not specified\n" -+msgstr "Utilisateur non spécifié\n" -+ -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 -+msgid "Error looking up public keys\n" -+msgstr "Erreur lors de la recherche des clés publiques\n" -+ -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 -+msgid "The port to use to connect to the host" -+msgstr "Le port à utiliser pour se connecter à l'hôte" -+ -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 -+msgid "Print the host ssh public keys" -+msgstr "Imprimer les clés publiques ssh de l'hôte" -+ -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 -+msgid "Invalid port\n" -+msgstr "Port invalide\n" -+ -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 -+msgid "Host not specified\n" -+msgstr "Hôte non spécifié\n" -+ -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 
-+msgid "The path to the proxy command must be absolute\n" -+msgstr "Le chemin vers la commande de proxy doit être absolue\n" -+ -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 -+#, c-format -+msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" -+msgstr "sss_ssh_knownhostsproxy : Impossible de résoudre le nom d'hôte %s\n" -+ -+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 -+msgid "The UID of the user" -+msgstr "L'UID de l'utilisateur" -+ -+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 -+msgid "The comment string" -+msgstr "Phrase de commentaire" -+ -+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 -+msgid "Home directory" -+msgstr "Répertoire utilisateur" -+ -+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 -+msgid "Login shell" -+msgstr "Interpréteur de commandes de connexion" -+ -+#: src/tools/sss_useradd.c:53 -+msgid "Groups" -+msgstr "Groupes" -+ -+#: src/tools/sss_useradd.c:54 -+msgid "Create user's directory if it does not exist" -+msgstr "Créer le repertoire utilisateur s'il n'existe pas" -+ -+#: src/tools/sss_useradd.c:55 -+msgid "Never create user's directory, overrides config" -+msgstr "" -+"Ne jamais créer de répertoire utilisateur, outrepasse la configuration" -+ -+#: src/tools/sss_useradd.c:56 -+msgid "Specify an alternative skeleton directory" -+msgstr "Spécifie un répertoire squelette alternatif" -+ -+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 -+msgid "The SELinux user for user's login" -+msgstr "L'utilisateur SELinux pour l'identifiant de l'utilisateur" -+ -+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 -+#: src/tools/sss_usermod.c:92 -+msgid "Specify group to add to\n" -+msgstr "Définir le groupe à ajouter à\n" -+ -+#: src/tools/sss_useradd.c:111 -+msgid "Specify user to add\n" -+msgstr "Définir l'utilisateur à ajouter à\n" -+ -+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 -+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -+#: 
src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 -+#: src/tools/sss_usermod.c:162 -+msgid "Error initializing the tools - no local domain\n" -+msgstr "Erreur à l'initialisation des outils - aucun domaine local\n" -+ -+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 -+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 -+#: src/tools/sss_usermod.c:164 -+msgid "Error initializing the tools\n" -+msgstr "Erreur à l'initialisation des outils\n" -+ -+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 -+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 -+#: src/tools/sss_usermod.c:173 -+msgid "Invalid domain specified in FQDN\n" -+msgstr "Domaine invalide définit dans le FQDN\n" -+ -+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 -+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 -+#: src/tools/sss_usermod.c:226 -+msgid "Internal error while parsing parameters\n" -+msgstr "Erreur interne lors de l'analyse des paramètres\n" -+ -+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 -+#: src/tools/sss_usermod.c:235 -+msgid "Groups must be in the same domain as user\n" -+msgstr "Les groupes doivent être dans le même domaine que l'utilisateur\n" -+ -+#: src/tools/sss_useradd.c:159 -+#, c-format -+msgid "Cannot find group %1$s in local domain\n" -+msgstr "Impossible de trouver le groupe %1$s dans le domaine local\n" -+ -+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 -+msgid "Cannot set default values\n" -+msgstr "Impossible de définir les valeurs par défaut\n" -+ -+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 -+msgid "The selected UID is outside the allowed range\n" -+msgstr "L'UID sélectionné est en dehors de la plage autorisée\n" -+ -+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 -+msgid "Cannot set SELinux login context\n" -+msgstr 
"Impossible de définir le contexte de connexion SELinux\n" -+ -+#: src/tools/sss_useradd.c:224 -+msgid "Cannot get info about the user\n" -+msgstr "Impossible de trouver les informations sur l'utilisateur\n" -+ -+#: src/tools/sss_useradd.c:236 -+msgid "User's home directory already exists, not copying data from skeldir\n" -+msgstr "" -+"Le répertoire de l'utilisateur existe déjà, les données du répertoire " -+"squelette ne sont pas copiées\n" -+ -+#: src/tools/sss_useradd.c:239 -+#, c-format -+msgid "Cannot create user's home directory: %1$s\n" -+msgstr "Impossible de créer le répertoire de l'utilisateur : %1$s\n" -+ -+#: src/tools/sss_useradd.c:250 -+#, c-format -+msgid "Cannot create user's mail spool: %1$s\n" -+msgstr "" -+"Impossible de créer le répertoire de réception des messages électroniques " -+"pour l'utilisateur : %1$s\n" -+ -+#: src/tools/sss_useradd.c:270 -+msgid "Could not allocate ID for the user - domain full?\n" -+msgstr "" -+"L'identifiant de l'utilisateur ne peut pas être alloué - domaine plein ?\n" -+ -+#: src/tools/sss_useradd.c:274 -+msgid "A user or group with the same name or ID already exists\n" -+msgstr "Un utilisateur ou groupe avec le même nom ou identifiant existe déjà\n" -+ -+#: src/tools/sss_useradd.c:280 -+msgid "Transaction error. Could not add user.\n" -+msgstr "Erreur de transaction. 
Impossible d'ajouter l'utilisateur.\n" -+ -+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 -+msgid "The GID of the group" -+msgstr "Le GID du groupe" -+ -+#: src/tools/sss_groupadd.c:76 -+msgid "Specify group to add\n" -+msgstr "Définir le groupe à ajouter\n" -+ -+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 -+msgid "The selected GID is outside the allowed range\n" -+msgstr "Le GID choisit est en dehors de la plage autorisée\n" -+ -+#: src/tools/sss_groupadd.c:143 -+msgid "Could not allocate ID for the group - domain full?\n" -+msgstr "Impossible d'allouer l'identifiant du groupe - domaine plein ?\n" -+ -+#: src/tools/sss_groupadd.c:147 -+msgid "A group with the same name or GID already exists\n" -+msgstr "Un groupe avec le même nom ou GID existe déjà\n" -+ -+#: src/tools/sss_groupadd.c:153 -+msgid "Transaction error. Could not add group.\n" -+msgstr "Erreur de transaction. Impossible d'ajouter le groupe.\n" -+ -+#: src/tools/sss_groupdel.c:70 -+msgid "Specify group to delete\n" -+msgstr "Spécifier le groupe à supprimer\n" -+ -+#: src/tools/sss_groupdel.c:104 -+#, c-format -+msgid "Group %1$s is outside the defined ID range for domain\n" -+msgstr "" -+"Le groupe %1$s est en dehors de la plage d'identifiants définie pour le " -+"domaine\n" -+ -+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 -+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -+#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 -+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 -+#, c-format -+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" -+msgstr "" -+"Échec de requête NSS (%1$d). L'entrée peut persister dans le cache en " -+"mémoire.\n" -+ -+#: src/tools/sss_groupdel.c:132 -+msgid "" -+"No such group in local domain. Removing groups only allowed in local domain." -+"\n" -+msgstr "" -+"Aucun groupe dans le domaine local. 
La suppression de groupes n'est " -+"autorisée que dans le domaine local.\n" -+ -+#: src/tools/sss_groupdel.c:137 -+msgid "Internal error. Could not remove group.\n" -+msgstr "Erreur interne. Impossible de supprimer le groupe.\n" -+ -+#: src/tools/sss_groupmod.c:44 -+msgid "Groups to add this group to" -+msgstr "Groupes auxquels ce groupe sera ajouté" -+ -+#: src/tools/sss_groupmod.c:46 -+msgid "Groups to remove this group from" -+msgstr "Groupes desquels ce groupe sera retiré" -+ -+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 -+msgid "Specify group to remove from\n" -+msgstr "Définir le groupe duquel supprimer\n" -+ -+#: src/tools/sss_groupmod.c:101 -+msgid "Specify group to modify\n" -+msgstr "Définir le groupe à modifier\n" -+ -+#: src/tools/sss_groupmod.c:130 -+msgid "" -+"Cannot find group in local domain, modifying groups is allowed only in local " -+"domain\n" -+msgstr "" -+"Impossible de trouver le groupe dans le domaine local, la modification des " -+"groupes n'est autorisée que dans le domaine local\n" -+ -+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 -+msgid "Member groups must be in the same domain as parent group\n" -+msgstr "" -+"Les membres du groupe doivent être dans le même domaine que le groupe " -+"parent\n" -+ -+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 -+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 -+#, c-format -+msgid "" -+"Cannot find group %1$s in local domain, only groups in local domain are " -+"allowed\n" -+msgstr "" -+"Impossible de trouver le groupe %1$s dans le domaine local, seuls les " -+"groupes du domaine local sont autorisés\n" -+ -+#: src/tools/sss_groupmod.c:257 -+msgid "Could not modify group - check if member group names are correct\n" -+msgstr "" -+"Impossible de modifier le groupe - vérifier que les noms des groupes membres " -+"sont corrects\n" -+ -+#: src/tools/sss_groupmod.c:261 -+msgid "Could not modify group - check if groupname is correct\n" -+msgstr "" 
-+"Impossible de modifier le groupe - vérifier que le nom du groupe est " -+"correct\n" -+ -+#: src/tools/sss_groupmod.c:265 -+msgid "Transaction error. Could not modify group.\n" -+msgstr "Erreur de transaction. Impossible de modifier le groupe.\n" -+ -+#: src/tools/sss_groupshow.c:616 -+msgid "Magic Private " -+msgstr "Magie privée" -+ -+#: src/tools/sss_groupshow.c:615 -+#, c-format -+msgid "%1$s%2$sGroup: %3$s\n" -+msgstr "%1$s%2$sGroup: %3$s\n" -+ -+#: src/tools/sss_groupshow.c:618 -+#, c-format -+msgid "%1$sGID number: %2$d\n" -+msgstr "%1$s GID numéro : %2$d\n" -+ -+#: src/tools/sss_groupshow.c:620 -+#, c-format -+msgid "%1$sMember users: " -+msgstr "Utilisateurs membres de %1$s :" -+ -+#: src/tools/sss_groupshow.c:627 -+#, c-format -+msgid "\n" -+"%1$sIs a member of: " -+msgstr "\n" -+"%1$s est membre de : " -+ -+#: src/tools/sss_groupshow.c:634 -+#, c-format -+msgid "\n" -+"%1$sMember groups: " -+msgstr "\n" -+"Groupes membres de %1$s : " -+ -+#: src/tools/sss_groupshow.c:670 -+msgid "Print indirect group members recursively" -+msgstr "Afficher les membres du groupe indirects récursivement" -+ -+#: src/tools/sss_groupshow.c:704 -+msgid "Specify group to show\n" -+msgstr "Définir le groupe à afficher\n" -+ -+#: src/tools/sss_groupshow.c:744 -+msgid "" -+"No such group in local domain. Printing groups only allowed in local domain." -+"\n" -+msgstr "" -+"Aucun groupe dans le domaine local. L'affichage des groupes n'est autorisé " -+"que dans le domaine local.\n" -+ -+#: src/tools/sss_groupshow.c:749 -+msgid "Internal error. Could not print group.\n" -+msgstr "Erreur interne. 
Impossible d'afficher le groupe.\n" -+ -+#: src/tools/sss_userdel.c:138 -+msgid "Remove home directory and mail spool" -+msgstr "Suppression du répertoire personnel et de gestion des mails" -+ -+#: src/tools/sss_userdel.c:140 -+msgid "Do not remove home directory and mail spool" -+msgstr "Ne pas supprimer le répertoire personnel et de gestion des mails" -+ -+#: src/tools/sss_userdel.c:142 -+msgid "Force removal of files not owned by the user" -+msgstr "Forcer la suppression des fichiers n'appartenant pas à l'utilisateur" -+ -+#: src/tools/sss_userdel.c:144 -+msgid "Kill users' processes before removing him" -+msgstr "Tuer les processus de l'utilisateur avant de le supprimer" -+ -+#: src/tools/sss_userdel.c:190 -+msgid "Specify user to delete\n" -+msgstr "Définir l'utilisateur à supprimer\n" -+ -+#: src/tools/sss_userdel.c:236 -+#, c-format -+msgid "User %1$s is outside the defined ID range for domain\n" -+msgstr "" -+"L'utilisateur %1$s est en dehors de la plage d'identifiants définie pour le " -+"domaine\n" -+ -+#: src/tools/sss_userdel.c:261 -+msgid "Cannot reset SELinux login context\n" -+msgstr "Impossible de réinitialiser le contexte de connexion SELinux\n" -+ -+#: src/tools/sss_userdel.c:273 -+#, c-format -+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" -+msgstr "" -+"ATTENTION : l'utilisateur (uid %1$lu) était encore connecté lors de sa " -+"suppression.\n" -+ -+#: src/tools/sss_userdel.c:278 -+msgid "Cannot determine if the user was logged in on this platform" -+msgstr "" -+"Impossible de savoir si l'utilisateur était connecté sur cette plateforme" -+ -+#: src/tools/sss_userdel.c:283 -+msgid "Error while checking if the user was logged in\n" -+msgstr "Erreur en vérifiant si l'utilisateur était connecté\n" -+ -+#: src/tools/sss_userdel.c:290 -+#, c-format -+msgid "The post-delete command failed: %1$s\n" -+msgstr "La commande post-suppression a échoué : %1$s\n" -+ -+#: src/tools/sss_userdel.c:310 -+msgid "Not removing home dir - not 
owned by user\n" -+msgstr "" -+"Le répertoire personnel n'est pas supprimé - l'utilisateur n'en est pas le " -+"propriétaire\n" -+ -+#: src/tools/sss_userdel.c:312 -+#, c-format -+msgid "Cannot remove homedir: %1$s\n" -+msgstr "Impossible de supprimer le répertoire utilisateur : %1$s\n" -+ -+#: src/tools/sss_userdel.c:326 -+msgid "" -+"No such user in local domain. Removing users only allowed in local domain.\n" -+msgstr "" -+"Aucun utilisateur dans le domaine local. La suppression des utilisateurs " -+"n'est autorisée que dans le domaine local.\n" -+ -+#: src/tools/sss_userdel.c:331 -+msgid "Internal error. Could not remove user.\n" -+msgstr "Erreur interne. Impossible de supprimer l'utilisateur.\n" -+ -+#: src/tools/sss_usermod.c:49 -+msgid "The GID of the user" -+msgstr "Le GID de l'utilisateur" -+ -+#: src/tools/sss_usermod.c:53 -+msgid "Groups to add this user to" -+msgstr "Groupes auxquels ajouter cet utilisateur" -+ -+#: src/tools/sss_usermod.c:54 -+msgid "Groups to remove this user from" -+msgstr "Groupes auxquels enlever cet utilisateur" -+ -+#: src/tools/sss_usermod.c:55 -+msgid "Lock the account" -+msgstr "Verrouiller le compte" -+ -+#: src/tools/sss_usermod.c:56 -+msgid "Unlock the account" -+msgstr "Déverrouiller le compte" -+ -+#: src/tools/sss_usermod.c:57 -+msgid "Add an attribute/value pair. The format is attrname=value." -+msgstr "Ajouter une paire attribut/valeur. Le format est nom_attribut=valeur." -+ -+#: src/tools/sss_usermod.c:58 -+msgid "Delete an attribute/value pair. The format is attrname=value." -+msgstr "" -+"Supprimer une paire attribut/valeur. Le format est nom_attribut=valeur." -+ -+#: src/tools/sss_usermod.c:59 -+msgid "" -+"Set an attribute to a name/value pair. The format is attrname=value. For " -+"multi-valued attributes, the command replaces the values already present" -+msgstr "" -+"Définir une paire attribut/valeur. Le format est nom_attribut=valeur. 
Pour " -+"les attributs multi-valués, la commande remplace les valeurs déjà présentes." -+ -+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 -+#: src/tools/sss_usermod.c:135 -+msgid "Specify the attribute name/value pair(s)\n" -+msgstr "Indiquer les paires nom d'attributs et valeurs.\n" -+ -+#: src/tools/sss_usermod.c:152 -+msgid "Specify user to modify\n" -+msgstr "Spécifier l'utilisateur à modifier\n" - --#~ msgid "Path to CA certificate directory" --#~ msgstr "Chemin vers le répertoire de certificats des CA" -+#: src/tools/sss_usermod.c:180 -+msgid "" -+"Cannot find user in local domain, modifying users is allowed only in local " -+"domain\n" -+msgstr "" -+"Impossible de trouver l'utilisateur dans le domaine local, la modification " -+"des utilisateurs n'est autorisée que dans le domaine local\n" - --#~ msgid "File that contains the client certificate" --#~ msgstr "Fichier contenant le certificat client" -+#: src/tools/sss_usermod.c:322 -+msgid "Could not modify user - check if group names are correct\n" -+msgstr "" -+"Impossible de modifier l'utilisateur - vérifiez que les noms de groupe sont " -+"corrects\n" - --#~ msgid "File that contains the client key" --#~ msgstr "Fichier contenant la clé du client" -+#: src/tools/sss_usermod.c:326 -+msgid "Could not modify user - user already member of groups?\n" -+msgstr "" -+"Impossible de modifier l'utilisateur - l'utilisateur est déjà membre du " -+"groupe ?\n" - --#~ msgid "List of possible ciphers suites" --#~ msgstr "Liste des suites de chiffrement possibles" -+#: src/tools/sss_usermod.c:330 -+msgid "Transaction error. Could not modify user.\n" -+msgstr "Erreur de transaction. 
Impossible de modifier l'utlisateur.\n" - --#~ msgid "Require TLS certificate verification" --#~ msgstr "Requiert une vérification de certificat TLS" -+#: src/tools/sss_cache.c:245 -+msgid "No cache object matched the specified search\n" -+msgstr "Aucun object trouvé dans le cache pour la recherche spécifiée\n" - --#~ msgid "Specify the sasl mechanism to use" --#~ msgstr "Spécifier le mécanisme SASL à utiliser" -+#: src/tools/sss_cache.c:536 -+#, c-format -+msgid "Couldn't invalidate %1$s\n" -+msgstr "Impossible d'invalider %1$s\n" - --#~ msgid "Specify the sasl authorization id to use" --#~ msgstr "Spécifier l'identité d'authorisation SASL à utiliser" -+#: src/tools/sss_cache.c:543 -+#, c-format -+msgid "Couldn't invalidate %1$s %2$s\n" -+msgstr "Impossible d'invalider %1$s %2$s\n" - --#~ msgid "Specify the sasl authorization realm to use" --#~ msgstr "Spécifier le domaine d'authorisation SASL à utiliser" -+#: src/tools/sss_cache.c:721 -+msgid "Invalidate all cached entries" -+msgstr "Invalidez toutes les entrées en cache" - --#~ msgid "Specify the minimal SSF for LDAP sasl authorization" --#~ msgstr "Spécifie le minimum SSF pour l'autorisation sasl LDAP" -+#: src/tools/sss_cache.c:723 -+msgid "Invalidate particular user" -+msgstr "Invalider un utilisateur spécifique" - --#~ msgid "Kerberos service keytab" --#~ msgstr "Service du fichier keytab de Kerberos" -+#: src/tools/sss_cache.c:725 -+msgid "Invalidate all users" -+msgstr "Invalider tous les utilisateurs" - --#~ msgid "Use Kerberos auth for LDAP connection" --#~ msgstr "Utiliser l'authentification Kerberos pour la connexion LDAP" -+#: src/tools/sss_cache.c:727 -+msgid "Invalidate particular group" -+msgstr "Invalider un groupe particulier" - --#~ msgid "Follow LDAP referrals" --#~ msgstr "Suivre les référents LDAP" -+#: src/tools/sss_cache.c:729 -+msgid "Invalidate all groups" -+msgstr "Invalider tous les groupes" - --#~ msgid "Lifetime of TGT for LDAP connection" --#~ msgstr "Durée de vie du TGT pour la 
connexion LDAP" -+#: src/tools/sss_cache.c:731 -+msgid "Invalidate particular netgroup" -+msgstr "Invalider un groupe réseau particulier" - --#~ msgid "How to dereference aliases" --#~ msgstr "Comment déréférencer les alias" -+#: src/tools/sss_cache.c:733 -+msgid "Invalidate all netgroups" -+msgstr "Invalider tous les groupes réseau" - --#~ msgid "Service name for DNS service lookups" --#~ msgstr "Nom du service pour les recherches DNS" -+#: src/tools/sss_cache.c:735 -+msgid "Invalidate particular service" -+msgstr "Invalidation d'un service particulier" - --#~ msgid "The number of records to retrieve in a single LDAP query" --#~ msgstr "" --#~ "Le nombre d'enregistrements à récupérer dans une requête LDAP unique" -+#: src/tools/sss_cache.c:737 -+msgid "Invalidate all services" -+msgstr "Invalidation de tous les services" - --#~ msgid "The number of members that must be missing to trigger a full deref" --#~ msgstr "" --#~ "Nombre de membres qui doivent être manquants pour activer un " --#~ "déréférencement complet" -+#: src/tools/sss_cache.c:740 -+msgid "Invalidate particular autofs map" -+msgstr "Invalidation d'une carte autofs particulière" - --#~ msgid "" --#~ "Whether the LDAP library should perform a reverse lookup to canonicalize " --#~ "the host name during a SASL bind" --#~ msgstr "" --#~ "Est-ce que la bibliothèque LDAP doit effectuer une requête pour canoniser " --#~ "le nom d'hôte pendant une connexion SASL ?" 
-+#: src/tools/sss_cache.c:742 -+msgid "Invalidate all autofs maps" -+msgstr "Invalidation de toutes les cartes autofs" - --#~ msgid "entryUSN attribute" --#~ msgstr "attribut entryUSN" -+#: src/tools/sss_cache.c:746 -+msgid "Invalidate particular SSH host" -+msgstr "Invalider un hôte SSH particulier" - --#~ msgid "lastUSN attribute" --#~ msgstr "attribut lastUSN" -+#: src/tools/sss_cache.c:748 -+msgid "Invalidate all SSH hosts" -+msgstr "Invalider tous les hôtes SSH" - --#~ msgid "" --#~ "How long to retain a connection to the LDAP server before disconnecting" --#~ msgstr "" --#~ "Combien de temps conserver la connexion au serveur LDAP avant de se " --#~ "déconnecter" -+#: src/tools/sss_cache.c:752 -+msgid "Invalidate particular sudo rule" -+msgstr "Invalider une règle sudo particulière" - --#~ msgid "Disable the LDAP paging control" --#~ msgstr "Désactiver le contrôle des pages LDAP" -+#: src/tools/sss_cache.c:754 -+msgid "Invalidate all cached sudo rules" -+msgstr "Invalider toutes les règles sudo en cache" - --#~ msgid "Disable Active Directory range retrieval" --#~ msgstr "Désactiver la récupération de plage Active Directory." 
-+#: src/tools/sss_cache.c:757 -+msgid "Only invalidate entries from a particular domain" -+msgstr "N'invalider des entrées que d'un domaine spécifique" - --#~ msgid "Length of time to wait for a search request" --#~ msgstr "Durée d'attente pour une requête de recherche" -+#: src/tools/sss_cache.c:811 -+msgid "" -+"Unexpected argument(s) provided, options that invalidate a single object " -+"only accept a single provided argument.\n" -+msgstr "" -+"Argument(s) inattendu(s) fourni(s), les options qui invalident un seul objet " -+"n'acceptent qu'un seul argument fourni.\n" - --#~ msgid "Length of time to wait for a enumeration request" --#~ msgstr "Durée d'attente pour une requête d'énumération" -+#: src/tools/sss_cache.c:821 -+msgid "Please select at least one object to invalidate\n" -+msgstr "Merci de sélectionner au moins un objet à invalider\n" - --#~ msgid "Length of time between enumeration updates" --#~ msgstr "Durée entre deux mises à jour d'énumération" -+#: src/tools/sss_cache.c:904 -+#, c-format -+msgid "" -+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " -+"use fully qualified name instead of --domain/-d parameter.\n" -+msgstr "" -+"Impossible d'ouvrir le domaine %1$s. 
Si le domaine est un sous-domaine " -+"(domaine approuvé), utiliser le nom pleinement qualifié au lieu du paramètre " -+"--domain/-d.\n" - --#~ msgid "Length of time between cache cleanups" --#~ msgstr "Durée entre les nettoyages de cache" -+#: src/tools/sss_cache.c:909 -+msgid "Could not open available domains\n" -+msgstr "Impossible d'ouvrir aucun des domaines disponibles\n" - --#~ msgid "Require TLS for ID lookups" --#~ msgstr "TLS est requis pour les recherches d'identifiants" -+#: src/tools/tools_util.c:202 -+#, c-format -+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" -+msgstr "" -+"Le nom « %1$s » ne semble pas être un FQDN (« %2$s = TRUE » est configuré)\n" - --#~ msgid "Use ID-mapping of objectSID instead of pre-set IDs" --#~ msgstr "" --#~ "Utilisation de la correspondance d'ID pour les objectSID au lieu d'ID pré-" --#~ "établis" -+#: src/tools/tools_util.c:309 -+msgid "Out of memory\n" -+msgstr "Mémoire saturée\n" - --#~ msgid "Base DN for user lookups" --#~ msgstr "Base DN pour les recherches d'utilisateurs" -+#: src/tools/tools_util.h:40 -+#, c-format -+msgid "%1$s must be run as root\n" -+msgstr "%1$s doit être lancé en tant que root\n" - --#~ msgid "Scope of user lookups" --#~ msgstr "Scope des recherches d'utilisateurs" -+#: src/tools/sssctl/sssctl.c:35 -+msgid "yes" -+msgstr "oui" - --#~ msgid "Filter for user lookups" --#~ msgstr "Filtre pour les recherches d'utilisateurs" -+#: src/tools/sssctl/sssctl.c:37 -+msgid "no" -+msgstr "non" - --#~ msgid "Objectclass for users" --#~ msgstr "Classe d'objet pour les utilisateurs" -+#: src/tools/sssctl/sssctl.c:39 -+msgid "error" -+msgstr "erreur" - --#~ msgid "Username attribute" --#~ msgstr "Attribut de nom d'utilisateur" -+#: src/tools/sssctl/sssctl.c:42 -+msgid "Invalid result." -+msgstr "Résultat non valide." 
- --#~ msgid "UID attribute" --#~ msgstr "Attribut UID" -+#: src/tools/sssctl/sssctl.c:78 -+msgid "Unable to read user input\n" -+msgstr "Impossible de lire l'entrée de l'utilisateur\n" - --#~ msgid "Primary GID attribute" --#~ msgstr "Attribut de GID primaire" -+#: src/tools/sssctl/sssctl.c:91 -+#, c-format -+msgid "Invalid input, please provide either '%s' or '%s'.\n" -+msgstr "Entrée non valable, veuillez fournir %s ou %s\n" - --#~ msgid "GECOS attribute" --#~ msgstr "Attribut GECOS" -+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -+msgid "Error while executing external command\n" -+msgstr "Erreur lors de l'exécution d'une commande externe\n" - --#~ msgid "Home directory attribute" --#~ msgstr "Attribut de répertoire utilisateur" -+#: src/tools/sssctl/sssctl.c:156 -+msgid "SSSD needs to be running. Start SSSD now?" -+msgstr "Le SSSD doit être exécuté. Démarrer le SSSD maintenant ?" - --#~ msgid "Shell attribute" --#~ msgstr "Attribut d'interpréteur de commandes" -+#: src/tools/sssctl/sssctl.c:195 -+msgid "SSSD must not be running. Stop SSSD now?" -+msgstr "" -+"Le SSSD ne doit pas être en cours d'exécution. Arrêter le SSSD maintenant ?" - --#~ msgid "UUID attribute" --#~ msgstr "attribut UUID" -+#: src/tools/sssctl/sssctl.c:231 -+msgid "SSSD needs to be restarted. Restart SSSD now?" -+msgstr "Le SSSD doit être relancé. Redémarrer SSSD maintenant ?" 
-
--#~ msgid "objectSID attribute"
--#~ msgstr "attribut objectSID"
-+#: src/tools/sssctl/sssctl_cache.c:31
-+#, c-format
-+msgid " %s is not present in cache.\n"
-+msgstr " %s n'est pas présent dans le cache.\n"
-
--#~ msgid "Active Directory primary group attribute for ID-mapping"
--#~ msgstr "Groupe primaire Active Directory pour la correspondance d'ID"
-+#: src/tools/sssctl/sssctl_cache.c:33
-+msgid "Name"
-+msgstr "Nom"
-
--#~ msgid "User principal attribute (for Kerberos)"
--#~ msgstr "Attribut d'utilisateur principal (pour Kerberos)"
-+#: src/tools/sssctl/sssctl_cache.c:34
-+msgid "Cache entry creation date"
-+msgstr "Date de création de l'entrée en cache"
-
--#~ msgid "Full Name"
--#~ msgstr "Nom complet"
-+#: src/tools/sssctl/sssctl_cache.c:35
-+msgid "Cache entry last update time"
-+msgstr "Heure de la dernière mise à jour de l'entrée du cache"
-
--#~ msgid "memberOf attribute"
--#~ msgstr "Attribut memberOf"
-+#: src/tools/sssctl/sssctl_cache.c:36
-+msgid "Cache entry expiration time"
-+msgstr "Temps d'expiration de l'entrée du cache"
-
--#~ msgid "Modification time attribute"
--#~ msgstr "Attribut de date de modification"
-+#: src/tools/sssctl/sssctl_cache.c:37
-+msgid "Cached in InfoPipe"
-+msgstr "Mise en cache dans InfoPipe"
-
--#~ msgid "shadowLastChange attribute"
--#~ msgstr "Attribut shadowLastChange"
-+#: src/tools/sssctl/sssctl_cache.c:522
-+#, c-format
-+msgid "Error: Unable to get object [%d]: %s\n"
-+msgstr "Erreur : Impossible d'obtenir l'objet [%d] : %s\n"
-
--#~ msgid "shadowMin attribute"
--#~ msgstr "Attribut shadowMin"
-+#: src/tools/sssctl/sssctl_cache.c:538
-+#, c-format
-+msgid "%s: Unable to read value [%d]: %s\n"
-+msgstr "%s: Impossible de lire la valeur [%d] : %s\n"
-
--#~ msgid "shadowMax attribute"
--#~ msgstr "Attribut shadowMax"
-+#: src/tools/sssctl/sssctl_cache.c:566
-+msgid "Specify name."
-+msgstr "Indiquez le nom."
-
--#~ msgid "shadowWarning attribute"
--#~ msgstr "Attribut shadowWarning"
-+#: src/tools/sssctl/sssctl_cache.c:576
-+#, c-format
-+msgid "Unable to parse name %s.\n"
-+msgstr "Impossible d'analyser le nom %s.\n"
-
--#~ msgid "shadowInactive attribute"
--#~ msgstr "Attribut shadowInactive"
-+#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649
-+msgid "Search by SID"
-+msgstr "Recherche par SID"
-
--#~ msgid "shadowExpire attribute"
--#~ msgstr "Attribut shadowExpire"
-+#: src/tools/sssctl/sssctl_cache.c:603
-+msgid "Search by user ID"
-+msgstr "Recherche par ID utilisateur"
-
--#~ msgid "shadowFlag attribute"
--#~ msgstr "Attribut shadowFlag"
-+#: src/tools/sssctl/sssctl_cache.c:612
-+msgid "Initgroups expiration time"
-+msgstr "Délai d'expiration des initgroups"
-
--#~ msgid "Attribute listing authorized PAM services"
--#~ msgstr "Attribut listant les services PAM autorisés"
-+#: src/tools/sssctl/sssctl_cache.c:650
-+msgid "Search by group ID"
-+msgstr "Recherche par ID de groupe"
-
--#~ msgid "Attribute listing authorized server hosts"
--#~ msgstr "Attribut listant les hôtes de serveurs autorisés"
-+#: src/tools/sssctl/sssctl_config.c:112
-+#, c-format
-+msgid "Failed to open %s\n"
-+msgstr "N’a pas pu ouvrir %s\n"
-
--#~ msgid "Attribute listing authorized server rhosts"
--#~ msgstr "Attribut listant les rhosts de serveurs autorisés"
-+#: src/tools/sssctl/sssctl_config.c:117
-+#, c-format
-+msgid "File %1$s does not exist.\n"
-+msgstr "Le fichier %1$s n’existe pas.\n"
-
--#~ msgid "krbLastPwdChange attribute"
--#~ msgstr "Attribut krbLastPwdChange"
-+#: src/tools/sssctl/sssctl_config.c:121
-+msgid ""
-+"File ownership and permissions check failed. Expected root:root and 0600.\n"
-+msgstr ""
-+"La vérification de la propriété et des permissions des fichiers a échoué.
"
-+"Attendue : root:root et 0600.\n"
-
--#~ msgid "krbPasswordExpiration attribute"
--#~ msgstr "Attribut krbPasswordExpiration"
-+#: src/tools/sssctl/sssctl_config.c:127
-+#, c-format
-+msgid "Failed to load configuration from %s.\n"
-+msgstr ""
-
--#~ msgid "Attribute indicating that server side password policies are active"
--#~ msgstr ""
--#~ "Attribut indiquant que la stratégie de mot de passe du serveur est active"
-+#: src/tools/sssctl/sssctl_config.c:133
-+msgid "Error while reading configuration directory.\n"
-+msgstr "Erreur lors de la lecture du répertoire de configuration.\n"
-
--#~ msgid "accountExpires attribute of AD"
--#~ msgstr "Attribut AD accountExpires"
-+#: src/tools/sssctl/sssctl_config.c:141
-+msgid ""
-+"There is no configuration. SSSD will use default configuration with files "
-+"provider.\n"
-+msgstr ""
-+"Il n'y a pas de configuration. SSSD utilisera la configuration par défaut "
-+"avec le fournisseur de fichiers.\n"
-
--#~ msgid "userAccountControl attribute of AD"
--#~ msgstr "Attribut AD userAccountControl"
-+#: src/tools/sssctl/sssctl_config.c:153
-+msgid "Failed to run validators"
-+msgstr "Échec de l'exécution des validateurs"
-
--#~ msgid "nsAccountLock attribute"
--#~ msgstr "Attribut nsAccountLock"
-+#: src/tools/sssctl/sssctl_config.c:157
-+#, c-format
-+msgid "Issues identified by validators: %zu\n"
-+msgstr "Problèmes identifiés par les validateurs : %zu\n"
-
--#~ msgid "loginDisabled attribute of NDS"
--#~ msgstr "Attribut NDS loginDisabled"
-+#: src/tools/sssctl/sssctl_config.c:168
-+#, c-format
-+msgid "Messages generated during configuration merging: %zu\n"
-+msgstr "Messages générés lors de la fusion des configurations : %zu\n"
-
--#~ msgid "loginExpirationTime attribute of NDS"
--#~ msgstr "Attribut NDS loginExpirationTime"
-+#: src/tools/sssctl/sssctl_config.c:179
-+#, c-format
-+msgid "Used configuration snippet files: %zu\n"
-+msgstr "Fichiers de configuration utilisés : %zu\n"
-
--#~ msgid "loginAllowedTimeMap
attribute of NDS"
--#~ msgstr "Attribut NDS loginAllowedTimeMap"
-+#: src/tools/sssctl/sssctl_data.c:89
-+#, c-format
-+msgid "Unable to create backup directory [%d]: %s"
-+msgstr "Impossible de créer le répertoire de sauvegarde [%d]: %s"
-
--#~ msgid "SSH public key attribute"
--#~ msgstr "Attribut de clé public SSH"
-+#: src/tools/sssctl/sssctl_data.c:95
-+msgid "SSSD backup of local data already exists, override?"
-+msgstr "La sauvegarde SSSD des données locales existe déjà, la remplacer ?"
-
--#~ msgid "attribute listing allowed authentication types for a user"
--#~ msgstr ""
--#~ "attribut énumérant les types d'authentification autorisés pour un "
--#~ "utilisateur"
-+#: src/tools/sssctl/sssctl_data.c:111
-+msgid "Unable to export user overrides\n"
-+msgstr "Impossible d'exporter les substitutions d'utilisateur\n"
-
--#~ msgid "attribute containing the X509 certificate of the user"
--#~ msgstr "attribut contenant le certificat X509 de l'utilisateur"
-+#: src/tools/sssctl/sssctl_data.c:118
-+msgid "Unable to export group overrides\n"
-+msgstr "Impossible d'exporter les substitutions de groupes\n"
-
--#~ msgid "attribute containing the email address of the user"
--#~ msgstr "attribut contenant l’adresse email de l'utilisateur"
-+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
-+msgid "Override existing backup"
-+msgstr "Remplacer la sauvegarde existante"
-
--#~ msgid "A list of extra attributes to download along with the user entry"
--#~ msgstr ""
--#~ "Une liste des attributs supplémentaires à télécharger avec l'entrée de "
--#~ "l'utilisateur"
-+#: src/tools/sssctl/sssctl_data.c:164
-+msgid "Unable to import user overrides\n"
-+msgstr "Impossible d'importer les substitutions d'utilisateur\n"
-
--#~ msgid "Base DN for group lookups"
--#~ msgstr "DN de base pour les recherches de groupes"
-+#: src/tools/sssctl/sssctl_data.c:173
-+msgid "Unable to import group overrides\n"
-+msgstr "Impossible d'importer les substitutions de groupes\n"
-
--#~ msgid "Objectclass for groups"
--#~ msgstr "Classe d'objet pour les groupes"
-+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82
-+#: src/tools/sssctl/sssctl_domains.c:328
-+msgid "Start SSSD if it is not running"
-+msgstr "Démarrer SSSD s'il n'est pas en cours d'exécution"
-
--#~ msgid "Group name"
--#~ msgstr "Nom du groupe"
-+#: src/tools/sssctl/sssctl_data.c:195
-+msgid "Restart SSSD after data import"
-+msgstr "Redémarrer SSSD après l'importation des données"
-
--#~ msgid "Group password"
--#~ msgstr "Mot de passe du groupe"
-+#: src/tools/sssctl/sssctl_data.c:218
-+msgid "Create clean cache files and import local data"
-+msgstr "Créer des fichiers de cache propres et importer des données locales"
-
--#~ msgid "GID attribute"
--#~ msgstr "Attribut GID"
-+#: src/tools/sssctl/sssctl_data.c:219
-+msgid "Stop SSSD before removing the cache"
-+msgstr "Arrêtez SSSD avant de supprimer le cache"
-
--#~ msgid "Group member attribute"
--#~ msgstr "Attribut membre du groupe"
-+#: src/tools/sssctl/sssctl_data.c:220
-+msgid "Start SSSD when the cache is removed"
-+msgstr "Démarrer SSSD lorsque le cache est supprimé"
-
--#~ msgid "Group UUID attribute"
--#~ msgstr "attribut de l'UUID du groupe"
-+#: src/tools/sssctl/sssctl_data.c:235
-+msgid "Creating backup of local data...\n"
-+msgstr "Création d'une sauvegarde des données locales...\n"
-
--#~ msgid "Modification time attribute for groups"
--#~ msgstr "Attribut de date de modification pour les groupes"
-+#: src/tools/sssctl/sssctl_data.c:238
-+msgid "Unable to create backup of local data, can not remove the cache.\n"
-+msgstr ""
-+"Impossible de créer une sauvegarde des données locales, impossible de "
-+"supprimer le cache.\n"
-
--#~ msgid "Type of the group and other flags"
--#~ msgstr "Type de groupe et autres indicateurs"
-+#: src/tools/sssctl/sssctl_data.c:243
-+msgid "Removing cache files...\n"
-+msgstr "Suppression des fichiers de cache...\n"
-
--#~ msgid "The LDAP group external
member attribute"
--#~ msgstr "L'attribut de membre externe du groupe LDAP"
-+#: src/tools/sssctl/sssctl_data.c:246
-+msgid "Unable to remove cache files\n"
-+msgstr "Impossible de supprimer les fichiers de cache\n"
-
--#~ msgid "Maximum nesting level SSSD will follow"
--#~ msgstr "Le niveau d'imbrication maximal du SSSD suivra"
-+#: src/tools/sssctl/sssctl_data.c:251
-+msgid "Restoring local data...\n"
-+msgstr "Restauration des données locales...\n"
-
--#~ msgid "Base DN for netgroup lookups"
--#~ msgstr "DN de base pour les recherches de netgroup"
-+#: src/tools/sssctl/sssctl_domains.c:83
-+msgid "Show domain list including primary or trusted domain type"
-+msgstr ""
-+"Afficher la liste des domaines, y compris le type de domaine principal ou de "
-+"confiance"
-
--#~ msgid "Objectclass for netgroups"
--#~ msgstr "Classe d'objet pour les groupes réseau"
-+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
-+#: src/tools/sssctl/sssctl_user_checks.c:95
-+msgid "Unable to connect to system bus!\n"
-+msgstr "Impossible de se connecter au bus système !\n"
-
--#~ msgid "Netgroup name"
--#~ msgstr "Nom du groupe réseau"
-+#: src/tools/sssctl/sssctl_domains.c:167
-+msgid "Online"
-+msgstr "En ligne"
-
--#~ msgid "Netgroups members attribute"
--#~ msgstr "Attribut des membres des groupes réseau"
-+#: src/tools/sssctl/sssctl_domains.c:167
-+msgid "Offline"
-+msgstr "Hors ligne"
-
--#~ msgid "Netgroup triple attribute"
--#~ msgstr "Attribut triplet du groupe réseau"
-+#: src/tools/sssctl/sssctl_domains.c:167
-+#, c-format
-+msgid "Online status: %s\n"
-+msgstr "Statut en ligne : %s\n"
-
--#~ msgid "Modification time attribute for netgroups"
--#~ msgstr "Attribut date de modification pour les groupes réseau"
-+#: src/tools/sssctl/sssctl_domains.c:213
-+msgid "This domain has no active servers.\n"
-+msgstr "Ce domaine n'a pas de serveurs actifs.\n"
-
--#~ msgid "Base DN for service lookups"
--#~ msgstr "Nom de domaine (DN) de base pour les
recherches de service"
-+#: src/tools/sssctl/sssctl_domains.c:218
-+msgid "Active servers:\n"
-+msgstr "Serveurs actifs :\n"
-
--#~ msgid "Objectclass for services"
--#~ msgstr "Classe objet pour les services"
-+#: src/tools/sssctl/sssctl_domains.c:230
-+msgid "not connected"
-+msgstr "non connecté"
-
--#~ msgid "Service name attribute"
--#~ msgstr "Attribut de nom de service"
-+#: src/tools/sssctl/sssctl_domains.c:267
-+msgid "No servers discovered.\n"
-+msgstr "Aucun serveur découvert.\n"
-
--#~ msgid "Service port attribute"
--#~ msgstr "Attribut de port du service"
-+#: src/tools/sssctl/sssctl_domains.c:273
-+#, c-format
-+msgid "Discovered %s servers:\n"
-+msgstr "%s serveurs découverts :\n"
-
--#~ msgid "Service protocol attribute"
--#~ msgstr "Attribut de service du protocole"
-+#: src/tools/sssctl/sssctl_domains.c:285
-+msgid "None so far.\n"
-+msgstr "Aucun pour l'instant.\n"
-
--#~ msgid "Lower bound for ID-mapping"
--#~ msgstr "Limite inférieure pour la correspondance d'ID"
-+#: src/tools/sssctl/sssctl_domains.c:325
-+msgid "Show online status"
-+msgstr "Afficher le statut en ligne"
-
--#~ msgid "Upper bound for ID-mapping"
--#~ msgstr "Limite supérieure pour la correspondance d'ID"
-+#: src/tools/sssctl/sssctl_domains.c:326
-+msgid "Show information about active server"
-+msgstr "Afficher les informations sur le serveur actif"
-
--#~ msgid "Number of IDs for each slice when ID-mapping"
--#~ msgstr "Nombre d'ID par tranche pour la correspondance d'ID"
-+#: src/tools/sssctl/sssctl_domains.c:327
-+msgid "Show list of discovered servers"
-+msgstr "Afficher la liste des serveurs découverts"
-
--#~ msgid "Use autorid-compatible algorithm for ID-mapping"
--#~ msgstr ""
--#~ "Utilisation d'un algorithme compatible autorid pour la correspondance d'ID"
-+#: src/tools/sssctl/sssctl_domains.c:333
-+msgid "Specify domain name."
-+msgstr "Indiquer le nom de domaine."
-
--#~ msgid "Name of the default domain for ID-mapping"
--#~ msgstr "Nom du domaine par défaut pour la correspondance d'ID"
-+#: src/tools/sssctl/sssctl_domains.c:355
-+msgid "Out of memory!\n"
-+msgstr "Plus de mémoire disponible !\n"
-
--#~ msgid "SID of the default domain for ID-mapping"
--#~ msgstr "SID du domaine par défaut pour la correspondance d'ID"
-+#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385
-+msgid "Unable to get online status\n"
-+msgstr "Impossible d'obtenir le statut en ligne\n"
-
--#~ msgid "Number of secondary slices"
--#~ msgstr "Nombre de tranches secondaires"
-+#: src/tools/sssctl/sssctl_domains.c:395
-+msgid "Unable to get server list\n"
-+msgstr "Impossible d'obtenir la liste des serveurs\n"
-
--#~ msgid "Whether to use Token-Groups"
--#~ msgstr "Choisir d'utiliser ou non les groupes de jetons"
-+#: src/tools/sssctl/sssctl_logs.c:46
-+msgid "\n"
-+msgstr "\n"
-
--#~ msgid "Set lower boundary for allowed IDs from the LDAP server"
--#~ msgstr ""
--#~ "Définir la limite inférieure d'identifiants autorisés pour l'annuaire LDAP"
-+#: src/tools/sssctl/sssctl_logs.c:236
-+msgid "Delete log files instead of truncating"
-+msgstr "Supprimer les fichiers de log au lieu de tronquer"
-
--#~ msgid "Set upper boundary for allowed IDs from the LDAP server"
--#~ msgstr ""
--#~ "Définir la limite supérieure d'identifiants autorisés pour l'annuaire LDAP"
-+#: src/tools/sssctl/sssctl_logs.c:247
-+msgid "Deleting log files...\n"
-+msgstr "Suppression des fichiers journaux...\n"
-
--#~ msgid "DN for ppolicy queries"
--#~ msgstr "DN pour les requêtes sur ppolicy"
-+#: src/tools/sssctl/sssctl_logs.c:250
-+msgid "Unable to remove log files\n"
-+msgstr "Impossible de supprimer les fichiers journaux\n"
-
--#~ msgid "How many maximum entries to fetch during a wildcard request"
--#~ msgstr ""
--#~ "Combien d'entrées maximum à récupérer lors d'une demande de wildcard"
-+#: src/tools/sssctl/sssctl_logs.c:256
-+msgid "Truncating log
files...\n"
-+msgstr "Troncature des fichiers de journalisation...\n"
-
--#~ msgid "Policy to evaluate the password expiration"
--#~ msgstr "Stratégie d'évaluation de l'expiration du mot de passe"
-+#: src/tools/sssctl/sssctl_logs.c:259
-+msgid "Unable to truncate log files\n"
-+msgstr "Impossible de tronquer les fichiers de journalisation\n"
-
--#~ msgid "Which attributes shall be used to evaluate if an account is expired"
--#~ msgstr "Quels attributs utiliser pour déterminer si un compte a expiré"
-+#: src/tools/sssctl/sssctl_logs.c:285
-+msgid "Out of memory!"
-+msgstr "Plus de mémoire disponible !"
-
--#~ msgid "Which rules should be used to evaluate access control"
--#~ msgstr "Quelles règles utiliser pour évaluer le contrôle d'accès"
-+#: src/tools/sssctl/sssctl_logs.c:288
-+#, c-format
-+msgid "Archiving log files into %s...\n"
-+msgstr "Archivage des fichiers journaux dans %s...\n"
-
--#~ msgid "URI of an LDAP server where password changes are allowed"
--#~ msgstr ""
--#~ "URI d'un serveur LDAP où les changements de mot de passe sont acceptés"
-+#: src/tools/sssctl/sssctl_logs.c:291
-+msgid "Unable to archive log files\n"
-+msgstr "Impossible d'archiver les fichiers journaux\n"
-
--#~ msgid "URI of a backup LDAP server where password changes are allowed"
--#~ msgstr ""
--#~ "URI d'un serveur LDAP de secours où sont autorisées les modifications de "
--#~ "mot de passe"
-+#: src/tools/sssctl/sssctl_logs.c:316
-+msgid "Specify debug level you want to set"
-+msgstr "Spécifiez le niveau de débogage que vous souhaitez définir"
-
--#~ msgid "DNS service name for LDAP password change server"
--#~ msgstr ""
--#~ "Nom du service DNS pour le serveur de changement de mot de passe LDAP"
-+#: src/tools/sssctl/sssctl_user_checks.c:117
-+msgid "SSSD InfoPipe user lookup result:\n"
-+msgstr "Résultat de la recherche de l'utilisateur SSSD InfoPipe :\n"
-
--#~ msgid ""
--#~ "Whether to update the ldap_user_shadow_last_change attribute after a "
--#~ "password change"
--#~
msgstr ""
--#~ "Choix de mise à jour de l'attribut ldap_user_shadow_last_change après un "
--#~ "changement de mot de passe"
-+#: src/tools/sssctl/sssctl_user_checks.c:167
-+#, c-format
-+msgid "dlopen failed with [%s].\n"
-+msgstr "dlopen a échoué avec [%s].\n"
-
--#~ msgid "Base DN for sudo rules lookups"
--#~ msgstr "Nom de domaine (DN) de base pour les recherches de règles sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:174
-+#, c-format
-+msgid "dlsym failed with [%s].\n"
-+msgstr "dlopen a échoué avec [%s].\n"
-
--#~ msgid "Automatic full refresh period"
--#~ msgstr "Périodicité de rafraichissement total"
-+#: src/tools/sssctl/sssctl_user_checks.c:182
-+msgid "malloc failed.\n"
-+msgstr "malloc a échoué.\n"
-
--#~ msgid "Automatic smart refresh period"
--#~ msgstr "Périodicité de rafraichissement intelligent"
-+#: src/tools/sssctl/sssctl_user_checks.c:189
-+#, c-format
-+msgid "sss_getpwnam_r failed with [%d].\n"
-+msgstr "sss_getpwnam_r a échoué avec [%d].\n"
-
--#~ msgid "Whether to filter rules by hostname, IP addresses and network"
--#~ msgstr "Filter ou non sur les noms de systèmes, adresses IP et réseaux"
-+#: src/tools/sssctl/sssctl_user_checks.c:194
-+msgid "SSSD nss user lookup result:\n"
-+msgstr "Résultat de la recherche de l'utilisateur SSSD nss :\n"
-
--#~ msgid ""
--#~ "Hostnames and/or fully qualified domain names of this machine to filter "
--#~ "sudo rules"
--#~ msgstr ""
--#~ "Noms de systèmes et/ou noms pleinement qualifiés de cette machine pour "
--#~ "filtrer les règles sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:195
-+#, c-format
-+msgid " - user name: %s\n"
-+msgstr " - user name: %s\n"
-
--#~ msgid ""
--#~ "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
--#~ msgstr ""
--#~ "Adresses ou réseaux IPv4 ou IPv6 de cette machine pour filtrer les règles "
--#~ "sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:196
-+#, c-format
-+msgid " - user id: %d\n"
-+msgstr " - user id: %d\n"
-
--#~ msgid "Whether to
include rules that contains netgroup in host attribute"
--#~ msgstr ""
--#~ "Inclure ou non les règles qui contiennent un netgroup dans l'attribut host"
-+#: src/tools/sssctl/sssctl_user_checks.c:197
-+#, c-format
-+msgid " - group id: %d\n"
-+msgstr " - group id: %d\n"
-
--#~ msgid ""
--#~ "Whether to include rules that contains regular expression in host "
--#~ "attribute"
--#~ msgstr ""
--#~ "Inclure ou non les règles qui contiennent une expression rationnelle dans "
--#~ "l'attribut host"
-+#: src/tools/sssctl/sssctl_user_checks.c:198
-+#, c-format
-+msgid " - gecos: %s\n"
-+msgstr " - gecos: %s\n"
-
--#~ msgid "Object class for sudo rules"
--#~ msgstr "Classe objet pour les règles sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:199
-+#, c-format
-+msgid " - home directory: %s\n"
-+msgstr " - home directory: %s\n"
-
--#~ msgid "Name of attribute that is used as object class for sudo rules"
--#~ msgstr ""
--#~ "Nom de l'attribut qui est utilisé comme classe d'objet pour les règles "
--#~ "sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:200
-+#, c-format
-+msgid " - shell: %s\n"
-+"\n"
-+msgstr " - shell: %s\n"
-+"\n"
-
--#~ msgid "Sudo rule name"
--#~ msgstr "Règle de nom sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:232
-+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
-+msgstr "Action PAM [auth|acct|setc|chau|open|clos], par défaut : "
-
--#~ msgid "Sudo rule command attribute"
--#~ msgstr "Attribut de commande de règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:235
-+msgid "PAM service, default: "
-+msgstr "Service PAM, par défaut : "
-
--#~ msgid "Sudo rule host attribute"
--#~ msgstr "Attribut hôte de la règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:240
-+msgid "Specify user name."
-+msgstr "Spécifiez le nom d'utilisateur."
-
--#~ msgid "Sudo rule user attribute"
--#~ msgstr "Attribut utilisateur de la règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:247
-+#, c-format
-+msgid "user: %s\n"
-+"action: %s\n"
-+"service: %s\n"
-+"\n"
-+msgstr "utilisateur: %s\n"
-+"action: %s\n"
-+"service: %s\n"
-+"\n"
-
--#~ msgid "Sudo rule option attribute"
--#~ msgstr "Attribut option de la règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:252
-+#, c-format
-+msgid "User name lookup with [%s] failed.\n"
-+msgstr "La recherche de nom d'utilisateur avec [%s] a échoué.\n"
-
--#~ msgid "Sudo rule runas attribute"
--#~ msgstr "Attribut de règle sudo runas"
-+#: src/tools/sssctl/sssctl_user_checks.c:257
-+#, c-format
-+msgid "InfoPipe User lookup with [%s] failed.\n"
-+msgstr "La recherche de l'utilisateur InfoPipe avec [%s] a échoué.\n"
-
--#~ msgid "Sudo rule runasuser attribute"
--#~ msgstr "Attribut runasuser de la règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:263
-+#, c-format
-+msgid "pam_start failed: %s\n"
-+msgstr "pam_start a échoué : %s\n"
-
--#~ msgid "Sudo rule runasgroup attribute"
--#~ msgstr "Attribut runasgroup de la règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:268
-+msgid "testing pam_authenticate\n"
-+"\n"
-+msgstr "test de pam_authenticate\n"
-+"\n"
-
--#~ msgid "Sudo rule notbefore attribute"
--#~ msgstr "Attribut notbefore de la règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:272
-+#, c-format
-+msgid "pam_get_item failed: %s\n"
-+msgstr "pam_get_item a échoué : %s\n"
-
--#~ msgid "Sudo rule notafter attribute"
--#~ msgstr "Attribut notafter de règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:275
-+#, c-format
-+msgid "pam_authenticate for user [%s]: %s\n"
-+"\n"
-+msgstr "pam_authenticate pour l'utilisateur [%s] : %s\n"
-
--#~ msgid "Sudo rule order attribute"
--#~ msgstr "Attribut d'ordre de règle sudo"
-+#: src/tools/sssctl/sssctl_user_checks.c:278
-+msgid "testing pam_chauthtok\n"
-+"\n"
-+msgstr "test pam_chauthtok\n"
-+"\n"
-
--#~ msgid
"Object class for automounter maps"
--#~ msgstr "Classe objet pour la carte de montage automatique"
-+#: src/tools/sssctl/sssctl_user_checks.c:280
-+#, c-format
-+msgid "pam_chauthtok: %s\n"
-+"\n"
-+msgstr "pam_chauthtok: %s\n"
-+"\n"
-
--#~ msgid "Automounter map name attribute"
--#~ msgstr "Nom de l'attribut de carte de montage automatique"
-+#: src/tools/sssctl/sssctl_user_checks.c:282
-+msgid "testing pam_acct_mgmt\n"
-+"\n"
-+msgstr "test de pam_acct_mgmt\n"
-+"\n"
-
--#~ msgid "Object class for automounter map entries"
--#~ msgstr "Classe objet pour l'entrée de référence de montage automatique"
-+#: src/tools/sssctl/sssctl_user_checks.c:284
-+#, c-format
-+msgid "pam_acct_mgmt: %s\n"
-+"\n"
-+msgstr "pam_acct_mgmt: %s\n"
-+"\n"
-
--#~ msgid "Automounter map entry key attribute"
--#~ msgstr "Attribut de clé d'entrée pour la carte de montage automatique"
-+#: src/tools/sssctl/sssctl_user_checks.c:286
-+msgid "testing pam_setcred\n"
-+"\n"
-+msgstr "test de pam_setcred\n"
-+"\n"
-
--#~ msgid "Automounter map entry value attribute"
--#~ msgstr "Attribut de valeur pour la carte de montage automatique"
-+#: src/tools/sssctl/sssctl_user_checks.c:288
-+#, c-format
-+msgid "pam_setcred: [%s]\n"
-+"\n"
-+msgstr "pam_setcred: [%s]\n"
-+"\n"
-
--#~ msgid "Base DN for automounter map lookups"
--#~ msgstr "Base DN pour les requêtes de carte de montage automatique"
-+#: src/tools/sssctl/sssctl_user_checks.c:290
-+msgid "testing pam_open_session\n"
-+"\n"
-+msgstr "test pam_open_session\n"
-+"\n"
-
--#~ msgid "Comma separated list of allowed users"
--#~ msgstr "Liste, séparée par des virgules, d'utilisateurs autorisés"
-+#: src/tools/sssctl/sssctl_user_checks.c:292
-+#, c-format
-+msgid "pam_open_session: %s\n"
-+"\n"
-+msgstr "pam_open_session: %s\n"
-+"\n"
-
--#~ msgid "Comma separated list of prohibited users"
--#~ msgstr "Liste, séparée par des virgules, d'utilisateurs interdits"
-+#: src/tools/sssctl/sssctl_user_checks.c:294
-+msgid "testing pam_close_session\n"
-+"\n"
-+msgstr "test pam_close_session\n"
-+"\n"
-
--#~ msgid "Default shell, /bin/bash"
--#~ msgstr "Interpréteur de commande par défaut : /bin/bash"
-+#: src/tools/sssctl/sssctl_user_checks.c:296
-+#, c-format
-+msgid "pam_close_session: %s\n"
-+"\n"
-+msgstr "pam_close_session: %s\n"
-+"\n"
-
--#~ msgid "Base for home directories"
--#~ msgstr "Base pour les répertoires utilisateur"
-+#: src/tools/sssctl/sssctl_user_checks.c:298
-+msgid "unknown action\n"
-+msgstr "action inconnue\n"
-
--#~ msgid "The number of preforked proxy children."
--#~ msgstr "Le nombre d'enfants proxy pré-fourche."
-+#: src/tools/sssctl/sssctl_user_checks.c:301
-+msgid "PAM Environment:\n"
-+msgstr "Environnement PAM :\n"
-
--#~ msgid "The name of the NSS library to use"
--#~ msgstr "Nom de la bibliothèque NSS à utiliser"
-+#: src/tools/sssctl/sssctl_user_checks.c:309
-+msgid " - no env -\n"
-+msgstr " - no env -\n"
-
--#~ msgid "Whether to look up canonical group name from cache if possible"
--#~ msgstr "Rechercher le nom canonique du groupe dans le cache si possible"
-+#: src/util/util.h:82
-+msgid "The user ID to run the server as"
-+msgstr "L'identifiant utilisateur sous lequel faire tourner le serveur"
-
--#~ msgid "PAM stack to use"
--#~ msgstr "Pile PAM à utiliser"
-+#: src/util/util.h:84
-+msgid "The group ID to run the server as"
-+msgstr "L'identifiant de groupe sous lequel faire tourner le serveur"
-
--#~ msgid "Path of passwd file sources."
--#~ msgstr "Chemin des sources des fichiers passwd."
-+#: src/util/util.h:92
-+msgid "Informs that the responder has been socket-activated"
-+msgstr "Informe que le répondeur a été activé par un socket"
-
--#~ msgid "Path of group file sources."
--#~ msgstr "Chemin des sources des fichiers de groupe."
-+#: src/util/util.h:94
-+msgid "Informs that the responder has been dbus-activated"
-+msgstr "Informe que le répondeur a été activé par un dbus"
-diff --git a/po/ja.po b/po/ja.po
-index 503ece1de..a5156184c 100644
---- a/po/ja.po
-+++ b/po/ja.po
-@@ -12,2597 +12,3161 @@ msgid ""
- msgstr ""
- "Project-Id-Version: PACKAGE VERSION\n"
- "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
--"POT-Creation-Date: 2020-05-19 12:05+0200\n"
--"PO-Revision-Date: 2020-05-19 10:06+0000\n"
--"Last-Translator: Pavel Brezina \n"
--"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
--"ja/)\n"
--"Language: ja\n"
-+"POT-Creation-Date: 2020-06-17 22:51+0200\n"
- "MIME-Version: 1.0\n"
- "Content-Type: text/plain; charset=UTF-8\n"
- "Content-Transfer-Encoding: 8bit\n"
-+"PO-Revision-Date: 2020-06-18 09:13+0000\n"
-+"Last-Translator: Ludek Janda \n"
-+"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
-+"ja/)\n"
-+"Language: ja\n"
- "Plural-Forms: nplurals=1; plural=0;\n"
- "X-Generator: Zanata 4.6.2\n"
-
--#: src/monitor/monitor.c:2371
--msgid "Become a daemon (default)"
--msgstr "デーモンとして実行(デフォルト)"
-+#: src/config/SSSDConfig/sssdoptions.py:20
-+#: src/config/SSSDConfig/sssdoptions.py:21
-+msgid "Set the verbosity of the debug logging"
-+msgstr "デバッグのロギングの冗長性を設定する"
-
--#: src/monitor/monitor.c:2373
--msgid "Run interactive (not a daemon)"
--msgstr "対話的に実行(デーモンではない)"
-+#: src/config/SSSDConfig/sssdoptions.py:22
-+msgid "Include timestamps in debug logs"
-+msgstr "デバッグログにタイムスタンプを含める"
-
--#: src/monitor/monitor.c:2376
--msgid "Disable netlink interface"
--msgstr "netlink インターフェースを無効にする"
-+#: src/config/SSSDConfig/sssdoptions.py:23
-+msgid "Include microseconds in timestamps in debug logs"
-+msgstr "デバッグログにミリ秒単位のタイムスタンプを含める"
-
--#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_logs.c:310
--msgid "Specify a non-default config file"
--msgstr "非標準の設定ファイルの指定"
-+#: src/config/SSSDConfig/sssdoptions.py:24
-+msgid "Write debug
messages to logfiles"
-+msgstr "デバッグメッセージをログファイルに書き込む"
-
--#: src/monitor/monitor.c:2380
--msgid "Refresh the configuration database, then exit"
--msgstr "設定データベースをリフレッシュし、その後終了します"
-+#: src/config/SSSDConfig/sssdoptions.py:25
-+msgid "Watchdog timeout before restarting service"
-+msgstr "サービス再起動前の Watchdog タイムアウト"
-
--#: src/monitor/monitor.c:2383
--msgid "Similar to --genconf, but only refreshes the given section"
--msgstr "--genconf と似ていますが、任意のセクションのみをリフレッシュします"
-+#: src/config/SSSDConfig/sssdoptions.py:26
-+msgid "Command to start service"
-+msgstr "サービス開始のコマンド"
-
--#: src/monitor/monitor.c:2386
--msgid "Print version number and exit"
--msgstr "バージョン番号を表示して終了する"
-+#: src/config/SSSDConfig/sssdoptions.py:27
-+msgid "Number of times to attempt connection to Data Providers"
-+msgstr "データプロバイダーの接続を試行する回数"
-
--#: src/monitor/monitor.c:2532
--msgid "SSSD is already running\n"
--msgstr "SSSD はすでに実行中です\n"
-+#: src/config/SSSDConfig/sssdoptions.py:28
-+msgid "The number of file descriptors that may be opened by this responder"
-+msgstr "このレスポンダーににより開かれるファイル記述子の数"
-
--#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:638
--msgid "Debug level"
--msgstr "デバッグレベル"
-+#: src/config/SSSDConfig/sssdoptions.py:29
-+msgid "Idle time before automatic disconnection of a client"
-+msgstr "クライアントの自動切断までのアイドル時間"
-
--#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:640
--msgid "Add debug timestamps"
--msgstr "デバッグのタイムスタンプを追加する"
-+#: src/config/SSSDConfig/sssdoptions.py:30
-+msgid "Idle time before automatic shutdown of the responder"
-+msgstr "レスポンダーの自動シャットダウンまでのアイドル時間"
-
--#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:642
--msgid "Show timestamps with microseconds"
--msgstr "タイムスタンプをミリ秒単位で表示する"
-+#: src/config/SSSDConfig/sssdoptions.py:31
-+msgid "Always query all the caches before querying the Data Providers"
-+msgstr "データプロバイダーをクエリーする前に、常にすべてのキャッシュをクエリーします"
-
--#: src/providers/krb5/krb5_child.c:3239
src/providers/ldap/ldap_child.c:644
--msgid "An open file descriptor for the debug logs"
--msgstr "デバッグログのオープンファイルディスクリプター"
-+#: src/config/SSSDConfig/sssdoptions.py:32
-+msgid ""
-+"When SSSD switches to offline mode the amount of time before it tries to go "
-+"back online will increase based upon the time spent disconnected. This value "
-+"is in seconds and calculated by the following: offline_timeout + "
-+"random_offset."
-+msgstr ""
-
--#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:646
--msgid "Send the debug output to stderr directly."
--msgstr "デバッグ出力を stderr に直接送信します。"
-+#: src/config/SSSDConfig/sssdoptions.py:38
-+msgid ""
-+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
-+"version 2."
-+msgstr ""
-+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
-+"version 2."
-
--#: src/providers/krb5/krb5_child.c:3245
--msgid "The user to create FAST ccache as"
--msgstr "次のように FAST ccache を作成するユーザー"
-+#: src/config/SSSDConfig/sssdoptions.py:39
-+msgid "SSSD Services to start"
-+msgstr "開始する SSSD サービス"
-
--#: src/providers/krb5/krb5_child.c:3247
--msgid "The group to create FAST ccache as"
--msgstr "次のように FAST ccache を作成するグループ"
-+#: src/config/SSSDConfig/sssdoptions.py:40
-+msgid "SSSD Domains to start"
-+msgstr "開始する SSSD ドメイン"
-
--#: src/providers/krb5/krb5_child.c:3249
--msgid "Kerberos realm to use"
--msgstr "使用する Kerberos レルム"
-+#: src/config/SSSDConfig/sssdoptions.py:41
-+msgid "Timeout for messages sent over the SBUS"
-+msgstr "SBUS 経由のメッセージ送信のタイムアウト"
-
--#: src/providers/krb5/krb5_child.c:3251
--msgid "Requested lifetime of the ticket"
--msgstr "チケットの要求された有効期間"
-+#: src/config/SSSDConfig/sssdoptions.py:42
-+msgid "Regex to parse username and domain"
-+msgstr "ユーザー名とドメインを構文解析する正規表現"
-
--#: src/providers/krb5/krb5_child.c:3253
--msgid "Requested renewable lifetime of the ticket"
--msgstr "チケットの要求された更新可能な有効期間"
-+#: src/config/SSSDConfig/sssdoptions.py:43
-+msgid "Printf-compatible
format for displaying fully-qualified names" -+msgstr "完全修飾名を表示するための printf 互換の形式" - --#: src/providers/krb5/krb5_child.c:3255 --msgid "FAST options ('never', 'try', 'demand')" --msgstr "FAST のオプション ('never'、'try'、'demand')" -+#: src/config/SSSDConfig/sssdoptions.py:44 -+msgid "" -+"Directory on the filesystem where SSSD should store Kerberos replay cache " -+"files." -+msgstr "SSSD が Kerberos リプレイキャッシュファイルを保存するファイルシステムのディレクトリーです。" - --#: src/providers/krb5/krb5_child.c:3258 --msgid "Specifies the server principal to use for FAST" --msgstr "FAST で使用するサーバープリンシパルを指定します" -+#: src/config/SSSDConfig/sssdoptions.py:45 -+msgid "Domain to add to names without a domain component." -+msgstr "domain 要素なしで追加するドメインの名前。" - --#: src/providers/krb5/krb5_child.c:3260 --msgid "Requests canonicalization of the principal name" --msgstr "プリンシパル名の正規化を要求します" -+#: src/config/SSSDConfig/sssdoptions.py:46 -+msgid "The user to drop privileges to" -+msgstr "ユーザーが特権を停止します" - --#: src/providers/krb5/krb5_child.c:3262 --msgid "Use custom version of krb5_get_init_creds_password" --msgstr "krb5_get_init_creds_password のカスタムバージョンを使用します" -+#: src/config/SSSDConfig/sssdoptions.py:47 -+msgid "Tune certificate verification" -+msgstr "証明書検証の調整" - --#: src/providers/data_provider_be.c:674 --msgid "Domain of the information provider (mandatory)" --msgstr "情報プロバイダーのドメイン (必須)" -+#: src/config/SSSDConfig/sssdoptions.py:48 -+msgid "All spaces in group or user names will be replaced with this character" -+msgstr "グループ名またはユーザー名のすべてのスペースは、この文字に置き換えられます" - --#: src/sss_client/common.c:1079 --msgid "Privileged socket has wrong ownership or permissions." --msgstr "特権ソケットの所有者またはパーミッションが誤っています。" -+#: src/config/SSSDConfig/sssdoptions.py:49 -+msgid "Tune sssd to honor or ignore netlink state changes" -+msgstr "SSSD を調整し、netlink の状態変更を尊重するか、または無視します" - --#: src/sss_client/common.c:1082 --msgid "Public socket has wrong ownership or permissions." 
--msgstr "公開ソケットの所有者またはパーミッションが誤っています。" -+#: src/config/SSSDConfig/sssdoptions.py:50 -+msgid "Enable or disable the implicit files domain" -+msgstr "暗黙のファイルドメインを有効化または無効化する" - --#: src/sss_client/common.c:1085 --msgid "Unexpected format of the server credential message." --msgstr "サーバーのクレデンシャルメッセージの予期しない形式です。" -+#: src/config/SSSDConfig/sssdoptions.py:51 -+msgid "A specific order of the domains to be looked up" -+msgstr "検索するドメインの特定の順番" - --#: src/sss_client/common.c:1088 --msgid "SSSD is not run by root." --msgstr "SSSD は root により実行されません。" -+#: src/config/SSSDConfig/sssdoptions.py:52 -+msgid "" -+"Controls if SSSD should monitor the state of resolv.conf to identify when it " -+"needs to update its internal DNS resolver." -+msgstr "" - --#: src/sss_client/common.c:1091 --msgid "SSSD socket does not exist." --msgstr "SSSD ソケットは存在しません。" -+#: src/config/SSSDConfig/sssdoptions.py:54 -+msgid "" -+"SSSD monitors the state of resolv.conf to identify when it needs to update " -+"its internal DNS resolver. By default, we will attempt to use inotify for " -+"this, and will fall back to polling resolv.conf every five seconds if " -+"inotify cannot be used." -+msgstr "" -+"SSSD monitors the state of resolv.conf to identify when it needs to update " -+"its internal DNS resolver. By default, we will attempt to use inotify for " -+"this, and will fall back to polling resolv.conf every five seconds if " -+"inotify cannot be used." - --#: src/sss_client/common.c:1094 --msgid "Cannot get stat of SSSD socket." --msgstr "SSSD ソケットの統計を取得できません。" -+#: src/config/SSSDConfig/sssdoptions.py:59 -+msgid "Enumeration cache timeout length (seconds)" -+msgstr "列挙キャッシュのタイムアウト(秒)" - --#: src/sss_client/common.c:1099 --msgid "An error occurred, but no description can be found." 
--msgstr "エラーが発生しましたが、説明がありませんでした。" -+#: src/config/SSSDConfig/sssdoptions.py:60 -+msgid "Entry cache background update timeout length (seconds)" -+msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)" - --#: src/sss_client/common.c:1105 --msgid "Unexpected error while looking for an error description" --msgstr "エラーの説明を検索中に予期しないエラーが発生しました" -+#: src/config/SSSDConfig/sssdoptions.py:61 -+#: src/config/SSSDConfig/sssdoptions.py:112 -+msgid "Negative cache timeout length (seconds)" -+msgstr "ネガティブキャッシュのタイムアウト(秒)" - --#: src/sss_client/pam_sss.c:68 --msgid "Permission denied. " --msgstr "パーミッションが拒否されました。" -+#: src/config/SSSDConfig/sssdoptions.py:62 -+msgid "Files negative cache timeout length (seconds)" -+msgstr "ファイルネガティブキャッシュのタイムアウト時間(秒)" - --#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 --#: src/sss_client/pam_sss.c:790 --msgid "Server message: " --msgstr "サーバーのメッセージ: " -+#: src/config/SSSDConfig/sssdoptions.py:63 -+msgid "Users that SSSD should explicitly ignore" -+msgstr "SSSD が明示的に無視するユーザー" - --#: src/sss_client/pam_sss.c:297 --msgid "Passwords do not match" --msgstr "パスワードが一致しません" -+#: src/config/SSSDConfig/sssdoptions.py:64 -+msgid "Groups that SSSD should explicitly ignore" -+msgstr "SSSD が明示的に無視するグループ" - --#: src/sss_client/pam_sss.c:485 --msgid "Password reset by root is not supported." 
--msgstr "root によるパスワードのリセットはサポートされません。" -+#: src/config/SSSDConfig/sssdoptions.py:65 -+msgid "Should filtered users appear in groups" -+msgstr "フィルターされたユーザーをグループに表示する" - --#: src/sss_client/pam_sss.c:526 --msgid "Authenticated with cached credentials" --msgstr "キャッシュされているクレデンシャルを用いて認証されました" -+#: src/config/SSSDConfig/sssdoptions.py:66 -+msgid "The value of the password field the NSS provider should return" -+msgstr "NSS プロバイダーが返すパスワード項目の値" - --#: src/sss_client/pam_sss.c:527 --msgid ", your cached password will expire at: " --msgstr "、キャッシュされたパスワードが失効します: " -+#: src/config/SSSDConfig/sssdoptions.py:67 -+msgid "Override homedir value from the identity provider with this value" -+msgstr "識別プロバイダーからのホームディレクトリーの値をこの値で上書きする" - --#: src/sss_client/pam_sss.c:557 --#, c-format --msgid "Your password has expired. You have %1$d grace login(s) remaining." --msgstr "パスワードの期限が切れています。あと %1$d 回ログインできます。" -+#: src/config/SSSDConfig/sssdoptions.py:68 -+msgid "" -+"Substitute empty homedir value from the identity provider with this value" -+msgstr "アイデンティティープロバイダーからの空のホームディレクトリーをこの値で置き換えます" - --#: src/sss_client/pam_sss.c:603 --#, c-format --msgid "Your password will expire in %1$d %2$s." 
--msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。" -+#: src/config/SSSDConfig/sssdoptions.py:69 -+msgid "Override shell value from the identity provider with this value" -+msgstr "アイデンティティープロバイダーからのシェル値をこの値で上書きします" - --#: src/sss_client/pam_sss.c:652 --msgid "Authentication is denied until: " --msgstr "次まで認証が拒否されます: " -+#: src/config/SSSDConfig/sssdoptions.py:70 -+msgid "The list of shells users are allowed to log in with" -+msgstr "ユーザーがログインを許可されるシェルの一覧" - --#: src/sss_client/pam_sss.c:673 --msgid "System is offline, password change not possible" --msgstr "システムがオフラインです、パスワード変更ができません" -+#: src/config/SSSDConfig/sssdoptions.py:71 -+msgid "" -+"The list of shells that will be vetoed, and replaced with the fallback shell" -+msgstr "拒否されてフォールバックシェルで置き換えられるシェルの一覧" - --#: src/sss_client/pam_sss.c:688 -+#: src/config/SSSDConfig/sssdoptions.py:72 - msgid "" --"After changing the OTP password, you need to log out and back in order to " --"acquire a ticket" -+"If a shell stored in central directory is allowed but not available, use " -+"this fallback" -+msgstr "中央ディレクトリーに保存されたシェルが許可されるが、利用できない場合、このフォールバックを使用する" -+ -+#: src/config/SSSDConfig/sssdoptions.py:73 -+msgid "Shell to use if the provider does not list one" -+msgstr "プロバイダーが一覧に持っていないとき使用するシェル" -+ -+#: src/config/SSSDConfig/sssdoptions.py:74 -+msgid "How long will be in-memory cache records valid" -+msgstr "メモリー内のキャッシュレコードが有効な期間" -+ -+#: src/config/SSSDConfig/sssdoptions.py:75 -+msgid "" -+"The value of this option will be used in the expansion of the " -+"override_homedir option if the template contains the format string %H." - msgstr "" --"OTP パスワードの変更後、チケットを取得するためにログアウト後に再びログインす" --"る必要があります" - --#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 --msgid "Password change failed. " --msgstr "パスワードの変更に失敗しました。" -+#: src/config/SSSDConfig/sssdoptions.py:77 -+msgid "" -+"Specifies time in seconds for which the list of subdomains will be " -+"considered valid." 
-+msgstr "" - --#: src/sss_client/pam_sss.c:2008 --msgid "New Password: " --msgstr "新しいパスワード: " -+#: src/config/SSSDConfig/sssdoptions.py:79 -+msgid "" -+"The entry cache can be set to automatically update entries in the background " -+"if they are requested beyond a percentage of the entry_cache_timeout value " -+"for the domain." -+msgstr "" -+"The entry cache can be set to automatically update entries in the background " -+"if they are requested beyond a percentage of the entry_cache_timeout value " -+"for the domain." - --#: src/sss_client/pam_sss.c:2009 --msgid "Reenter new Password: " --msgstr "新しいパスワードの再入力: " -+#: src/config/SSSDConfig/sssdoptions.py:84 -+msgid "How long to allow cached logins between online logins (days)" -+msgstr "オンラインログイン中にキャッシュによるログインが許容される期間(日数)" - --#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 --msgid "First Factor: " --msgstr "1 番目の要素: " -+#: src/config/SSSDConfig/sssdoptions.py:85 -+msgid "How many failed logins attempts are allowed when offline" -+msgstr "オフラインの時に許容されるログイン試行失敗回数" - --#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 --msgid "Second Factor (optional): " --msgstr "2 番目の要素 (オプション): " -+#: src/config/SSSDConfig/sssdoptions.py:87 -+msgid "" -+"How long (minutes) to deny login after offline_failed_login_attempts has " -+"been reached" -+msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間(分)" - --#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 --msgid "Second Factor: " --msgstr "2 番目の要素: " -+#: src/config/SSSDConfig/sssdoptions.py:88 -+msgid "What kind of messages are displayed to the user during authentication" -+msgstr "認証中にユーザーに表示されるメッセージの種類" - --#: src/sss_client/pam_sss.c:2190 --msgid "Password: " --msgstr "パスワード: " -+#: src/config/SSSDConfig/sssdoptions.py:89 -+msgid "Filter PAM responses sent to the pam_sss" -+msgstr "pam_sss へ送信された PAM のレスポンスをフィルタリングします" - --#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 --msgid "First Factor (Current Password): " 
--msgstr "1 番目の要素 (現在のパスワード): " -+#: src/config/SSSDConfig/sssdoptions.py:90 -+msgid "How many seconds to keep identity information cached for PAM requests" -+msgstr "PAM 要求に対してキャッシュされた認証情報を保持する秒数" - --#: src/sss_client/pam_sss.c:2349 --msgid "Current Password: " --msgstr "現在のパスワード: " -+#: src/config/SSSDConfig/sssdoptions.py:91 -+msgid "How many days before password expiration a warning should be displayed" -+msgstr "警告が表示されるパスワード失効前の日数" - --#: src/sss_client/pam_sss.c:2704 --msgid "Password expired. Change your password now." --msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。" -+#: src/config/SSSDConfig/sssdoptions.py:92 -+msgid "List of trusted uids or user's name" -+msgstr "信頼できる UID またはユーザー名の一覧" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 --#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 --#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 --#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 --#: src/tools/sss_cache.c:719 --msgid "The debug level to run with" --msgstr "実行するデバッグレベル" -+#: src/config/SSSDConfig/sssdoptions.py:93 -+msgid "List of domains accessible even for untrusted users." -+msgstr "信頼できないユーザーでさえアクセス可能なドメインの一覧。" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 --msgid "The SSSD domain to use" --msgstr "使用する SSSD ドメイン" -+#: src/config/SSSDConfig/sssdoptions.py:94 -+msgid "Message printed when user account is expired." 
-+msgstr "ユーザーアカウントの有効期限が切れると、メッセージが印刷されます。" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 --#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 --#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 --#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 --#: src/tools/sss_cache.c:765 --msgid "Error setting the locale\n" --msgstr "ロケールの設定中にエラーが発生しました\n" -+#: src/config/SSSDConfig/sssdoptions.py:95 -+msgid "Message printed when user account is locked." -+msgstr "ユーザーアカウントがロックされると、メッセージが印刷されます。" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 --msgid "Not enough memory\n" --msgstr "十分なメモリーがありません\n" -+#: src/config/SSSDConfig/sssdoptions.py:96 -+msgid "Allow certificate based/Smartcard authentication." -+msgstr "証明書ベースまたはスマートカードによる認証を許可します。" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 --msgid "User not specified\n" --msgstr "ユーザーが指定されていません\n" -+#: src/config/SSSDConfig/sssdoptions.py:97 -+msgid "Path to certificate database with PKCS#11 modules." 
-+msgstr "PKCS#11 モジュールでの証明書データベースへのパス。" - --#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 --msgid "Error looking up public keys\n" --msgstr "公開鍵の検索中にエラーが発生しました\n" -+#: src/config/SSSDConfig/sssdoptions.py:98 -+msgid "How many seconds will pam_sss wait for p11_child to finish" -+msgstr "p11_child が完了するまでに pam_sss が待つ秒数" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 --msgid "The port to use to connect to the host" --msgstr "ホストへの接続に使用するポート" -+#: src/config/SSSDConfig/sssdoptions.py:99 -+msgid "Which PAM services are permitted to contact application domains" -+msgstr "アプリケーションドメインへの接続を許可される PAM サービスはどれか" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 --msgid "Print the host ssh public keys" --msgstr "ホスト SSH 公開鍵を印刷" -+#: src/config/SSSDConfig/sssdoptions.py:100 -+msgid "Allowed services for using smartcards" -+msgstr "スマートカードの使用が許可されたサービス" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 --msgid "Invalid port\n" --msgstr "無効なポート\n" -+#: src/config/SSSDConfig/sssdoptions.py:101 -+msgid "Additional timeout to wait for a card if requested" -+msgstr "要求された場合に、カードが待つ追加のタイムアウト" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 --msgid "Host not specified\n" --msgstr "ホストが指定されていません\n" -+#: src/config/SSSDConfig/sssdoptions.py:102 -+msgid "" -+"PKCS#11 URI to restrict the selection of devices for Smartcard " -+"authentication" -+msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI が制限" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 --msgid "The path to the proxy command must be absolute\n" --msgstr "プロキシコマンドへのパスは絶対パスにする必要があります\n" -+#: src/config/SSSDConfig/sssdoptions.py:103 -+msgid "When shall the PAM responder force an initgroups request" -+msgstr "" - --#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 --#, c-format --msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" --msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n" -+#: src/config/SSSDConfig/sssdoptions.py:106 -+msgid "Whether to evaluate the time-based attributes 
in sudo rules" -+msgstr "sudo ルールにおいて時間による属性を評価するかどうか" - --#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 --msgid "The UID of the user" --msgstr "ユーザーの UID" -+#: src/config/SSSDConfig/sssdoptions.py:107 -+msgid "If true, SSSD will switch back to lower-wins ordering logic" -+msgstr "正しい場合、SSSD は小さい番号が優先される順位付けのロジックへ戻ります" - --#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 --msgid "The comment string" --msgstr "コメント文字列" -+#: src/config/SSSDConfig/sssdoptions.py:108 -+msgid "" -+"Maximum number of rules that can be refreshed at once. If this is exceeded, " -+"full refresh is performed." -+msgstr "一度にリフレッシュ可能なルールの最大数。最大数を超えると、フルリフレッシュが実行されます。" - --#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 --msgid "Home directory" --msgstr "ホームディレクトリー" -+#: src/config/SSSDConfig/sssdoptions.py:115 -+msgid "Whether to hash host names and addresses in the known_hosts file" -+msgstr "known_hosts ファイルにおいてホスト名とアドレスをハッシュ化するかどうか" - --#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 --msgid "Login shell" --msgstr "ログインシェル" -+#: src/config/SSSDConfig/sssdoptions.py:116 -+msgid "" -+"How many seconds to keep a host in the known_hosts file after its host keys " -+"were requested" -+msgstr "ホスト鍵が要求された後 known_hosts ファイルにホストを保持する秒数" - --#: src/tools/sss_useradd.c:53 --msgid "Groups" --msgstr "グループ" -+#: src/config/SSSDConfig/sssdoptions.py:118 -+msgid "Path to storage of trusted CA certificates" -+msgstr "信頼された CA 証明書のストレージへのパス" - --#: src/tools/sss_useradd.c:54 --msgid "Create user's directory if it does not exist" --msgstr "ユーザーのディレクトリーが存在しなければ作成する" -+#: src/config/SSSDConfig/sssdoptions.py:119 -+msgid "Allow to generate ssh-keys from certificates" -+msgstr "証明書からの ssh-key の生成を許可します" - --#: src/tools/sss_useradd.c:55 --msgid "Never create user's directory, overrides config" --msgstr "ユーザーのディレクトリーを作成しない、設定を上書きする" -+#: src/config/SSSDConfig/sssdoptions.py:120 -+msgid "" -+"Use the following matching rules to filter the certificates for ssh-key " 
-+"generation" -+msgstr "以下の一致するルールを使用して、ssh-key 生成用の証明書をフィルタリングします" - --#: src/tools/sss_useradd.c:56 --msgid "Specify an alternative skeleton directory" --msgstr "代替のスケルトンディレクトリーを指定する" -+#: src/config/SSSDConfig/sssdoptions.py:124 -+msgid "List of UIDs or user names allowed to access the PAC responder" -+msgstr "PAC レスポンダーへのアクセスが許可された UID またはユーザー名の一覧" - --#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 --msgid "The SELinux user for user's login" --msgstr "ユーザーのログインに対する SELinux ユーザー" -+#: src/config/SSSDConfig/sssdoptions.py:125 -+msgid "How long the PAC data is considered valid" -+msgstr "PAC データが有効とされる期間" - --#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 --#: src/tools/sss_usermod.c:92 --msgid "Specify group to add to\n" --msgstr "追加するグループを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:128 -+msgid "List of user attributes the InfoPipe is allowed to publish" -+msgstr "InfoPipe がパブリッシュを許可されたユーザー属性の一覧" - --#: src/tools/sss_useradd.c:111 --msgid "Specify user to add\n" --msgstr "追加するユーザーを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:131 -+msgid "The provider where the secrets will be stored in" -+msgstr "シークレットが保存されるプロバイダー" - --#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 --#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 --#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 --#: src/tools/sss_usermod.c:162 --msgid "Error initializing the tools - no local domain\n" --msgstr "" --"ツールを初期化中にエラーが発生しました - ローカルドメインがありません\n" -+#: src/config/SSSDConfig/sssdoptions.py:132 -+msgid "The maximum allowed number of nested containers" -+msgstr "ネストされたコンテナーの最大許可数" - --#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 --#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 --#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 --#: src/tools/sss_usermod.c:164 --msgid "Error initializing the tools\n" --msgstr "ツールを初期化中にエラーが発生しました\n" -+#: src/config/SSSDConfig/sssdoptions.py:133 -+msgid "The 
maximum number of secrets that can be stored" -+msgstr "保存可能なシークレットの最大数" - --#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 --#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 --#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 --#: src/tools/sss_usermod.c:173 --msgid "Invalid domain specified in FQDN\n" --msgstr "FQDN で指定されたドメインが無効です\n" -+#: src/config/SSSDConfig/sssdoptions.py:134 -+msgid "The maximum number of secrets that can be stored per UID" -+msgstr "UID ごとに保存可能なシークレットの最大数" - --#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 --#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 --#: src/tools/sss_usermod.c:226 --msgid "Internal error while parsing parameters\n" --msgstr "パラメーターを解析中に内部エラーが発生しました\n" -+#: src/config/SSSDConfig/sssdoptions.py:135 -+msgid "The maximum payload size of a secret in kilobytes" -+msgstr "キロバイトでのシークレットの最大ペイロードサイズ" - --#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 --#: src/tools/sss_usermod.c:235 --msgid "Groups must be in the same domain as user\n" --msgstr "グループがユーザーと同じドメインになければいけません\n" -+#: src/config/SSSDConfig/sssdoptions.py:137 -+msgid "The URL Custodia server is listening on" -+msgstr "URL Custodia サーバーはリッスンしています" - --#: src/tools/sss_useradd.c:159 --#, c-format --msgid "Cannot find group %1$s in local domain\n" --msgstr "ローカルドメインにグループ %1$s を見つけられません\n" -+#: src/config/SSSDConfig/sssdoptions.py:138 -+msgid "The method to use when authenticating to a Custodia server" -+msgstr "Custodia サーバーへの認証時に使用する方法" - --#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 --msgid "Cannot set default values\n" --msgstr "デフォルト値を設定できません\n" -+#: src/config/SSSDConfig/sssdoptions.py:139 -+msgid "" -+"The name of the headers that will be added into a HTTP request with the " -+"value defined in auth_header_value" -+msgstr "auth_header_value で値が定義され、HTTP リクエストに追加されるヘッダーの名前" - --#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 --msgid "The selected UID is outside the 
allowed range\n" --msgstr "選択された UID は許容される範囲を越えています\n" -+#: src/config/SSSDConfig/sssdoptions.py:141 -+msgid "The value sssd-secrets would use for auth_header_name" -+msgstr "sssd-secrets の値は、auth_header_name で使用します" - --#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 --msgid "Cannot set SELinux login context\n" --msgstr "SELinux ログインコンテキストを設定できません\n" -+#: src/config/SSSDConfig/sssdoptions.py:142 -+msgid "" -+"The list of the headers to forward to the Custodia server together with the " -+"request" -+msgstr "要求と共に Custodia サーバーへ転送するヘッダーの一覧" - --#: src/tools/sss_useradd.c:224 --msgid "Cannot get info about the user\n" --msgstr "ユーザーに関する情報を取得できません\n" -+#: src/config/SSSDConfig/sssdoptions.py:143 -+msgid "" -+"The username to use when authenticating to a Custodia server using " -+"basic_auth" -+msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するユーザー名" - --#: src/tools/sss_useradd.c:236 --msgid "User's home directory already exists, not copying data from skeldir\n" --msgstr "" --"ユーザーのホームディレクトリーがすでに存在します、スケルトンディレクトリーか" --"らデータをコピーしません\n" -+#: src/config/SSSDConfig/sssdoptions.py:144 -+msgid "" -+"The password to use when authenticating to a Custodia server using " -+"basic_auth" -+msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するパスワード" - --#: src/tools/sss_useradd.c:239 --#, c-format --msgid "Cannot create user's home directory: %1$s\n" --msgstr "ユーザーのホームディレクトリーを作成できません: %1$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:145 -+msgid "" -+"If true peer's certificate is verified if proxy_url uses https protocol" -+msgstr "proxy_url が https protocol を使用する場合に、正しいピアの証明書が検証されるかどうか" - --#: src/tools/sss_useradd.c:250 --#, c-format --msgid "Cannot create user's mail spool: %1$s\n" --msgstr "ユーザーのメールスプールを作成できません: %1$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:146 -+msgid "" -+"If false peer's certificate may contain different hostname than proxy_url " -+"when https protocol is used" -+msgstr "https プロトコルが使用される場合に、間違ったピアの証明書が proxy_url 以外の異なるホスト名を含むかどうか" - --#: 
src/tools/sss_useradd.c:270 --msgid "Could not allocate ID for the user - domain full?\n" --msgstr "ユーザーに ID を割り当てられませんでした - ドメインがいっぱいですか?\n" -+#: src/config/SSSDConfig/sssdoptions.py:148 -+msgid "Path to directory where certificate authority certificates are stored" -+msgstr "CA 証明書が保存されているディレクトリーへのパス" - --#: src/tools/sss_useradd.c:274 --msgid "A user or group with the same name or ID already exists\n" --msgstr "同じ名前または ID を持つユーザーまたはグループがすでに存在します\n" -+#: src/config/SSSDConfig/sssdoptions.py:149 -+msgid "Path to file containing server's CA certificate" -+msgstr "サーバーの CA 証明書を含むファイルへのパス" - --#: src/tools/sss_useradd.c:280 --msgid "Transaction error. Could not add user.\n" --msgstr "トランザクションエラー。ユーザーを追加できませんでした。\n" -+#: src/config/SSSDConfig/sssdoptions.py:150 -+msgid "Path to file containing client's certificate" -+msgstr "クライアントの証明書を含むファイルへのパス" - --#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 --msgid "The GID of the group" --msgstr "グループの GID" -+#: src/config/SSSDConfig/sssdoptions.py:151 -+msgid "Path to file containing client's private key" -+msgstr "クライアントの秘密鍵を含むファイルへのパス" - --#: src/tools/sss_groupadd.c:76 --msgid "Specify group to add\n" --msgstr "追加するグループを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:154 -+msgid "" -+"One of the following strings specifying the scope of session recording: none " -+"- No users are recorded. some - Users/groups specified by users and groups " -+"options are recorded. all - All users are recorded." -+msgstr "" - --#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 --msgid "The selected GID is outside the allowed range\n" --msgstr "選択された GID は許容される範囲を越えています\n" -+#: src/config/SSSDConfig/sssdoptions.py:157 -+msgid "" -+"A comma-separated list of users which should have session recording enabled. " -+"Matches user names as returned by NSS. I.e. after the possible space " -+"replacement, case changes, etc." 
-+msgstr "" - --#: src/tools/sss_groupadd.c:143 --msgid "Could not allocate ID for the group - domain full?\n" --msgstr "グループに ID を割り当てられませんでした - ドメインがいっぱいですか?\n" -+#: src/config/SSSDConfig/sssdoptions.py:159 -+msgid "" -+"A comma-separated list of groups, members of which should have session " -+"recording enabled. Matches group names as returned by NSS. I.e. after the " -+"possible space replacement, case changes, etc." -+msgstr "" - --#: src/tools/sss_groupadd.c:147 --msgid "A group with the same name or GID already exists\n" --msgstr "同じ名前または GID を持つグループがすでに存在します\n" -+#: src/config/SSSDConfig/sssdoptions.py:164 -+msgid "Identity provider" -+msgstr "アイデンティティープロバイダー" - --#: src/tools/sss_groupadd.c:153 --msgid "Transaction error. Could not add group.\n" --msgstr "トランザクションエラー。グループを追加できませんでした。\n" -+#: src/config/SSSDConfig/sssdoptions.py:165 -+msgid "Authentication provider" -+msgstr "認証プロバイダー" - --#: src/tools/sss_groupdel.c:70 --msgid "Specify group to delete\n" --msgstr "削除するグループを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:166 -+msgid "Access control provider" -+msgstr "アクセス制御プロバイダー" - --#: src/tools/sss_groupdel.c:104 --#, c-format --msgid "Group %1$s is outside the defined ID range for domain\n" --msgstr "グループ %1$s はドメインに対して定義された ID の範囲を越えています\n" -+#: src/config/SSSDConfig/sssdoptions.py:167 -+msgid "Password change provider" -+msgstr "パスワード変更プロバイダー" - --#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 --#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 --#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 --#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 --#, c-format --msgid "NSS request failed (%1$d). 
Entry might remain in memory cache.\n" -+#: src/config/SSSDConfig/sssdoptions.py:168 -+msgid "SUDO provider" -+msgstr "SUDO プロバイダー" -+ -+#: src/config/SSSDConfig/sssdoptions.py:169 -+msgid "Autofs provider" -+msgstr "Autofs プロバイダー" -+ -+#: src/config/SSSDConfig/sssdoptions.py:170 -+msgid "Host identity provider" -+msgstr "ホスト識別プロバイダー" -+ -+#: src/config/SSSDConfig/sssdoptions.py:171 -+msgid "SELinux provider" -+msgstr "SELinux プロバイダー" -+ -+#: src/config/SSSDConfig/sssdoptions.py:172 -+msgid "Session management provider" -+msgstr "セッションマネージャーのプロバイダー" -+ -+#: src/config/SSSDConfig/sssdoptions.py:173 -+msgid "Resolver provider" - msgstr "" --"NSS リクエストに失敗しました (%1$d)。項目はメモリーキャッシュに残されます。\n" - --#: src/tools/sss_groupdel.c:132 -+#: src/config/SSSDConfig/sssdoptions.py:176 -+msgid "Whether the domain is usable by the OS or by applications" -+msgstr "OS またはアプリケーションがドメインを使用できるかどうか" -+ -+#: src/config/SSSDConfig/sssdoptions.py:177 -+msgid "Minimum user ID" -+msgstr "最小ユーザー ID" -+ -+#: src/config/SSSDConfig/sssdoptions.py:178 -+msgid "Maximum user ID" -+msgstr "最大ユーザー ID" -+ -+#: src/config/SSSDConfig/sssdoptions.py:179 -+msgid "Enable enumerating all users/groups" -+msgstr "すべてのユーザー・グループの列挙を有効にする" -+ -+#: src/config/SSSDConfig/sssdoptions.py:180 -+msgid "Cache credentials for offline login" -+msgstr "オフラインログインのためにクレデンシャルをキャッシュする" -+ -+#: src/config/SSSDConfig/sssdoptions.py:181 -+msgid "Display users/groups in fully-qualified form" -+msgstr "ユーザー・グループを完全修飾形式で表示する" -+ -+#: src/config/SSSDConfig/sssdoptions.py:182 -+msgid "Don't include group members in group lookups" -+msgstr "グループ検索にグループメンバーを含めない" -+ -+#: src/config/SSSDConfig/sssdoptions.py:183 -+#: src/config/SSSDConfig/sssdoptions.py:193 -+#: src/config/SSSDConfig/sssdoptions.py:194 -+#: src/config/SSSDConfig/sssdoptions.py:195 -+#: src/config/SSSDConfig/sssdoptions.py:196 -+#: src/config/SSSDConfig/sssdoptions.py:197 -+#: src/config/SSSDConfig/sssdoptions.py:198 -+#: src/config/SSSDConfig/sssdoptions.py:199 -+msgid 
"Entry cache timeout length (seconds)" -+msgstr "エントリーキャッシュのタイムアウト長(秒)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:184 - msgid "" --"No such group in local domain. Removing groups only allowed in local " --"domain.\n" --msgstr "" --"そのようなグループはローカルドメインにありません。グループの削除はローカルド" --"メインにおいてのみ許可されます。\n" -+"Restrict or prefer a specific address family when performing DNS lookups" -+msgstr "DNS 検索を実行する時に特定のアドレスファミリーを制限または優先します" - --#: src/tools/sss_groupdel.c:137 --msgid "Internal error. Could not remove group.\n" --msgstr "内部エラー。グループを削除できませんでした。\n" -+#: src/config/SSSDConfig/sssdoptions.py:185 -+msgid "How long to keep cached entries after last successful login (days)" -+msgstr "最終ログイン成功時からキャッシュエントリーを保持する日数" - --#: src/tools/sss_groupmod.c:44 --msgid "Groups to add this group to" --msgstr "このグループに追加するグループ" -+#: src/config/SSSDConfig/sssdoptions.py:186 -+msgid "" -+"How long should SSSD talk to single DNS server before trying next server " -+"(miliseconds)" -+msgstr "次のサーバーを試行するまでに SSSD が単一の DNS サーバーと通信する時間 (ミリ秒)" - --#: src/tools/sss_groupmod.c:46 --msgid "Groups to remove this group from" --msgstr "このグループから削除するグループ" -+#: src/config/SSSDConfig/sssdoptions.py:188 -+msgid "How long should keep trying to resolve single DNS query (seconds)" -+msgstr "単一の DNS クエリーの解決を試行する時間 (秒)" - --#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 --msgid "Specify group to remove from\n" --msgstr "削除するグループを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:189 -+msgid "How long to wait for replies from DNS when resolving servers (seconds)" -+msgstr "サーバーを名前解決する時に DNS から応答を待つ時間(秒)" - --#: src/tools/sss_groupmod.c:101 --msgid "Specify group to modify\n" --msgstr "変更するグループを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:190 -+msgid "The domain part of service discovery DNS query" -+msgstr "サービス検索 DNS クエリーのドメイン部分" - --#: src/tools/sss_groupmod.c:130 -+#: src/config/SSSDConfig/sssdoptions.py:191 -+msgid "Override GID value from the identity provider with this value" -+msgstr 
"識別プロバイダーからの GID 値をこの値で上書きする" -+ -+#: src/config/SSSDConfig/sssdoptions.py:192 -+msgid "Treat usernames as case sensitive" -+msgstr "ユーザー名が大文字小文字を区別するよう取り扱う" -+ -+#: src/config/SSSDConfig/sssdoptions.py:200 -+msgid "How often should expired entries be refreshed in background" -+msgstr "期限切れのエントリーがバックグラウンドで更新される頻度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:201 -+msgid "Whether to automatically update the client's DNS entry" -+msgstr "自動的にクライアントの DNS エントリーを更新するかどうか" -+ -+#: src/config/SSSDConfig/sssdoptions.py:202 -+#: src/config/SSSDConfig/sssdoptions.py:232 -+msgid "The TTL to apply to the client's DNS entry after updating it" -+msgstr "クライアントの DNS 項目を更新後、適用する TTL" -+ -+#: src/config/SSSDConfig/sssdoptions.py:203 -+#: src/config/SSSDConfig/sssdoptions.py:233 -+msgid "The interface whose IP should be used for dynamic DNS updates" -+msgstr "動的 DNS 更新のために使用される IP のインターフェース" -+ -+#: src/config/SSSDConfig/sssdoptions.py:204 -+msgid "How often to periodically update the client's DNS entry" -+msgstr "どのくらい定期的にクライアントの DNS エントリーを更新するか" -+ -+#: src/config/SSSDConfig/sssdoptions.py:205 -+msgid "Whether the provider should explicitly update the PTR record as well" -+msgstr "プロバイダーが同じように PTR レコードを明示的に更新する必要があるかどうか" -+ -+#: src/config/SSSDConfig/sssdoptions.py:206 -+msgid "Whether the nsupdate utility should default to using TCP" -+msgstr "nsupdate ユーティリティーが標準で TCP を使用するかどうか" -+ -+#: src/config/SSSDConfig/sssdoptions.py:207 -+msgid "What kind of authentication should be used to perform the DNS update" -+msgstr "DNS 更新を実行するために使用すべき認証の種類" -+ -+#: src/config/SSSDConfig/sssdoptions.py:208 -+msgid "Override the DNS server used to perform the DNS update" -+msgstr "DNS の更新を実行する際に使用する DNS サーバーを上書き" -+ -+#: src/config/SSSDConfig/sssdoptions.py:209 -+msgid "Control enumeration of trusted domains" -+msgstr "信頼されたドメインの列挙を制御" -+ -+#: src/config/SSSDConfig/sssdoptions.py:210 -+msgid "How often should subdomains list be refreshed" -+msgstr "サブドメインの一覧のリフレッシュ回数" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:211 -+msgid "List of options that should be inherited into a subdomain" -+msgstr "サブドメインに継承すべきオプションの一覧" -+ -+#: src/config/SSSDConfig/sssdoptions.py:212 -+msgid "Default subdomain homedir value" -+msgstr "デフォルトのサブドメインホームディレクトリーの値" -+ -+#: src/config/SSSDConfig/sssdoptions.py:213 -+msgid "How long can cached credentials be used for cached authentication" -+msgstr "証明書キャッシュを認証キャッシュに使用できる期間" -+ -+#: src/config/SSSDConfig/sssdoptions.py:214 -+msgid "Whether to automatically create private groups for users" -+msgstr "ユーザーにプライベートグループを自動的に作成するかどうか" -+ -+#: src/config/SSSDConfig/sssdoptions.py:215 -+msgid "Display a warning N days before the password expires." -+msgstr "Display a warning N days before the password expires." -+ -+#: src/config/SSSDConfig/sssdoptions.py:216 - msgid "" --"Cannot find group in local domain, modifying groups is allowed only in local " --"domain\n" -+"Various tags stored by the realmd configuration service for this domain." - msgstr "" --"ローカルドメインにグループが見つかりませんでした。グループの変更はローカルド" --"メインにおいてのみ許可されます\n" -- --#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 --msgid "Member groups must be in the same domain as parent group\n" --msgstr "メンバーグループが親グループと同じドメインにある必要があります\n" - --#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 --#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 --#, c-format -+#: src/config/SSSDConfig/sssdoptions.py:217 - msgid "" --"Cannot find group %1$s in local domain, only groups in local domain are " --"allowed\n" -+"The provider which should handle fetching of subdomains. This value should " -+"be always the same as id_provider." - msgstr "" --"ローカルドメインにグループ %1$s が見つかりません。ローカルドメインにあるグ" --"ループのみが許可されます\n" - --#: src/tools/sss_groupmod.c:257 --msgid "Could not modify group - check if member group names are correct\n" -+#: src/config/SSSDConfig/sssdoptions.py:219 -+msgid "" -+"How many seconds to keep a host ssh key after refresh. 
IE how long to cache " -+"the host key for." - msgstr "" --"グループを変更できませんでした - メンバーグループ名が正しいかを確認してくださ" --"い\n" - --#: src/tools/sss_groupmod.c:261 --msgid "Could not modify group - check if groupname is correct\n" -+#: src/config/SSSDConfig/sssdoptions.py:221 -+msgid "" -+"If 2-Factor-Authentication (2FA) is used and credentials should be saved " -+"this value determines the minimal length the first authentication factor " -+"(long term password) must have to be saved as SHA512 hash into the cache." - msgstr "" --"グループを変更できませんでした - グループ名が正しいかを確認してください\n" - --#: src/tools/sss_groupmod.c:265 --msgid "Transaction error. Could not modify group.\n" --msgstr "トランザクションエラー。グループを変更できませんでした。\n" -+#: src/config/SSSDConfig/sssdoptions.py:227 -+msgid "IPA domain" -+msgstr "IPA ドメイン" - --#: src/tools/sss_groupshow.c:616 --msgid "Magic Private " --msgstr "マジックプライベート " -+#: src/config/SSSDConfig/sssdoptions.py:228 -+msgid "IPA server address" -+msgstr "IPA サーバーのアドレス" - --#: src/tools/sss_groupshow.c:615 --#, c-format --msgid "%1$s%2$sGroup: %3$s\n" --msgstr "%1$s%2$sGroup: %3$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:229 -+msgid "Address of backup IPA server" -+msgstr "バックアップ IPA サーバーのアドレス" - --#: src/tools/sss_groupshow.c:618 --#, c-format --msgid "%1$sGID number: %2$d\n" --msgstr "%1$sGID 番号: %2$d\n" -+#: src/config/SSSDConfig/sssdoptions.py:230 -+msgid "IPA client hostname" -+msgstr "IPA クライアントのホスト名" - --#: src/tools/sss_groupshow.c:620 --#, c-format --msgid "%1$sMember users: " --msgstr "%1$sMember ユーザー: " -+#: src/config/SSSDConfig/sssdoptions.py:231 -+msgid "Whether to automatically update the client's DNS entry in FreeIPA" -+msgstr "FreeIPA にあるクライアントの DNS エントリーを自動的に更新するかどうか" - --#: src/tools/sss_groupshow.c:627 --#, c-format -+#: src/config/SSSDConfig/sssdoptions.py:234 -+msgid "Search base for HBAC related objects" -+msgstr "HBAC 関連オブジェクトの検索ベース" -+ -+#: src/config/SSSDConfig/sssdoptions.py:235 - msgid "" --"\n" --"%1$sIs a member of: " --msgstr "" --"\n" --"%1$sIs 
は次のメンバー: " -+"The amount of time between lookups of the HBAC rules against the IPA server" -+msgstr "IPA サーバーに対する HBAC ルールを検索している間の合計時間" - --#: src/tools/sss_groupshow.c:634 --#, c-format -+#: src/config/SSSDConfig/sssdoptions.py:236 - msgid "" --"\n" --"%1$sMember groups: " --msgstr "" --"\n" --"%1$sMember グループ: " -+"The amount of time in seconds between lookups of the SELinux maps against " -+"the IPA server" -+msgstr "IPA サーバーに対する SELinux マップの検索の間の秒単位の合計時間" - --#: src/tools/sss_groupshow.c:670 --msgid "Print indirect group members recursively" --msgstr "間接グループメンバーを再帰的に表示する" -+#: src/config/SSSDConfig/sssdoptions.py:238 -+msgid "If set to false, host argument given by PAM will be ignored" -+msgstr "もし偽に設定されていると、PAM により渡されたホスト引数は無視されます" - --#: src/tools/sss_groupshow.c:704 --msgid "Specify group to show\n" --msgstr "表示するグループを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:239 -+msgid "The automounter location this IPA client is using" -+msgstr "この IPA クライアントが使用している automounter の場所" - --#: src/tools/sss_groupshow.c:744 --msgid "" --"No such group in local domain. Printing groups only allowed in local " --"domain.\n" --msgstr "" --"そのようなグループはローカルドメインにありません。グループの表示はローカルド" --"メインにおいてのみ許可されます。\n" -+#: src/config/SSSDConfig/sssdoptions.py:240 -+msgid "Search base for object containing info about IPA domain" -+msgstr "IPA ドメインに関する情報を含むオブジェクトに対する検索ベース" - --#: src/tools/sss_groupshow.c:749 --msgid "Internal error. 
Could not print group.\n" --msgstr "内部エラー。グループを表示できませんでした。\n" -+#: src/config/SSSDConfig/sssdoptions.py:241 -+msgid "Search base for objects containing info about ID ranges" -+msgstr "ID 範囲に関する情報を含むオブジェクトに対する検索ベース" - --#: src/tools/sss_userdel.c:138 --msgid "Remove home directory and mail spool" --msgstr "ホームディレクトリーとメールスプールを削除する" -+#: src/config/SSSDConfig/sssdoptions.py:242 -+#: src/config/SSSDConfig/sssdoptions.py:296 -+msgid "Enable DNS sites - location based service discovery" -+msgstr "DNS サイトの有効化 - 位置ベースのサービス検索" - --#: src/tools/sss_userdel.c:140 --msgid "Do not remove home directory and mail spool" --msgstr "ホームディレクトリーとメールスプールを削除しない" -+#: src/config/SSSDConfig/sssdoptions.py:243 -+msgid "Search base for view containers" -+msgstr "ビューコンテナーの検索ベース" - --#: src/tools/sss_userdel.c:142 --msgid "Force removal of files not owned by the user" --msgstr "ユーザーにより所有されていないファイルの強制削除" -+#: src/config/SSSDConfig/sssdoptions.py:244 -+msgid "Objectclass for view containers" -+msgstr "ビューコンテナーのオブジェクトクラス" - --#: src/tools/sss_userdel.c:144 --msgid "Kill users' processes before removing him" --msgstr "ユーザーを削除する前にそのユーザーのプロセスを強制停止する" -+#: src/config/SSSDConfig/sssdoptions.py:245 -+msgid "Attribute with the name of the view" -+msgstr "ビューの名前の属性" - --#: src/tools/sss_userdel.c:190 --msgid "Specify user to delete\n" --msgstr "削除するユーザーを指定する\n" -+#: src/config/SSSDConfig/sssdoptions.py:246 -+msgid "Objectclass for override objects" -+msgstr "上書きされたオブジェクトのオブジェクトクラス" - --#: src/tools/sss_userdel.c:236 --#, c-format --msgid "User %1$s is outside the defined ID range for domain\n" --msgstr "ユーザー %1$s はドメインに対して定義された ID の範囲を超えています\n" -+#: src/config/SSSDConfig/sssdoptions.py:247 -+msgid "Attribute with the reference to the original object" -+msgstr "オリジナルオブジェクトを参照する属性" - --#: src/tools/sss_userdel.c:261 --msgid "Cannot reset SELinux login context\n" --msgstr "SELinux ログインコンテキストをリセットできません\n" -+#: src/config/SSSDConfig/sssdoptions.py:248 -+msgid "Objectclass for user override objects" -+msgstr 
"ユーザーが上書きするオブジェクトのオブジェクトクラス" - --#: src/tools/sss_userdel.c:273 --#, c-format --msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" -+#: src/config/SSSDConfig/sssdoptions.py:249 -+msgid "Objectclass for group override objects" -+msgstr "グループが上書きするオブジェクトのオブジェクトクラス" -+ -+#: src/config/SSSDConfig/sssdoptions.py:250 -+msgid "Search base for Desktop Profile related objects" -+msgstr "デスクトッププロファイルに関連するオブジェクトの検索ベース" -+ -+#: src/config/SSSDConfig/sssdoptions.py:251 -+msgid "" -+"The amount of time in seconds between lookups of the Desktop Profile rules " -+"against the IPA server" -+msgstr "IPA サーバーに対するデスクトッププロファイルルールを検索している間の秒単位の合計時間" -+ -+#: src/config/SSSDConfig/sssdoptions.py:253 -+msgid "" -+"The amount of time in minutes between lookups of Desktop Profiles rules " -+"against the IPA server when the last request did not find any rule" -+msgstr "最後の要求がルールを何も見つけなかった場合の IPA サーバーに対するデスクトッププロファイルル ールを検索している間の分単位の合計時間" -+ -+#: src/config/SSSDConfig/sssdoptions.py:256 -+msgid "The LDAP attribute that contains FQDN of the host." - msgstr "" --"警告: ユーザー (uid %1$lu) が削除された時にまだログインしていました。\n" - --#: src/tools/sss_userdel.c:278 --msgid "Cannot determine if the user was logged in on this platform" -+#: src/config/SSSDConfig/sssdoptions.py:257 -+#: src/config/SSSDConfig/sssdoptions.py:280 -+msgid "The object class of a host entry in LDAP." - msgstr "" --"ユーザーがこのプラットフォームにログインしていたかを確認できませんでした" - --#: src/tools/sss_userdel.c:283 --msgid "Error while checking if the user was logged in\n" --msgstr "ユーザーがログインしていたかを確認中にエラーが発生しました\n" -+#: src/config/SSSDConfig/sssdoptions.py:258 -+msgid "Use the given string as search base for host objects." -+msgstr "" - --#: src/tools/sss_userdel.c:290 --#, c-format --msgid "The post-delete command failed: %1$s\n" --msgstr "削除後コマンドの実行に失敗しました: %1$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:259 -+msgid "The LDAP attribute that contains the host's SSH public keys." 
-+msgstr "" - --#: src/tools/sss_userdel.c:310 --msgid "Not removing home dir - not owned by user\n" -+#: src/config/SSSDConfig/sssdoptions.py:260 -+msgid "The LDAP attribute that contains NIS domain name of the netgroup." - msgstr "" --"ホームディレクトリーを削除していません - ユーザーにより所有されていません\n" - --#: src/tools/sss_userdel.c:312 --#, c-format --msgid "Cannot remove homedir: %1$s\n" --msgstr "ホームディレクトリーを削除できません: %1$s\n" -+#: src/config/SSSDConfig/sssdoptions.py:261 -+msgid "The LDAP attribute that contains the names of the netgroup's members." -+msgstr "The LDAP attribute that contains the names of the netgroup's members." - --#: src/tools/sss_userdel.c:326 -+#: src/config/SSSDConfig/sssdoptions.py:262 - msgid "" --"No such user in local domain. Removing users only allowed in local domain.\n" -+"The LDAP attribute that lists FQDNs of hosts and host groups that are " -+"members of the netgroup." - msgstr "" --"そのようなユーザーはローカルドメインにいません。ユーザーの削除はローカルドメ" --"インにおいてのみ許可されます。\n" - --#: src/tools/sss_userdel.c:331 --msgid "Internal error. Could not remove user.\n" --msgstr "内部エラー。ユーザーを削除できませんでした。\n" -+#: src/config/SSSDConfig/sssdoptions.py:264 -+msgid "" -+"The LDAP attribute that lists hosts and host groups that are direct members " -+"of the netgroup." -+msgstr "" - --#: src/tools/sss_usermod.c:49 --msgid "The GID of the user" --msgstr "ユーザーの GID" -+#: src/config/SSSDConfig/sssdoptions.py:266 -+msgid "The LDAP attribute that lists netgroup's memberships." -+msgstr "" - --#: src/tools/sss_usermod.c:53 --msgid "Groups to add this user to" --msgstr "このユーザーを追加するグループ" -+#: src/config/SSSDConfig/sssdoptions.py:267 -+msgid "" -+"The LDAP attribute that lists system users and groups that are direct " -+"members of the netgroup." -+msgstr "" - --#: src/tools/sss_usermod.c:54 --msgid "Groups to remove this user from" --msgstr "このユーザーを削除するグループ" -+#: src/config/SSSDConfig/sssdoptions.py:269 -+msgid "The LDAP attribute that corresponds to the netgroup name." 
-+msgstr "" - --#: src/tools/sss_usermod.c:55 --msgid "Lock the account" --msgstr "アカウントをロックする" -+#: src/config/SSSDConfig/sssdoptions.py:270 -+msgid "The object class of a netgroup entry in LDAP." -+msgstr "" - --#: src/tools/sss_usermod.c:56 --msgid "Unlock the account" --msgstr "アカウントをロック解除する" -+#: src/config/SSSDConfig/sssdoptions.py:271 -+msgid "" -+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." -+msgstr "" - --#: src/tools/sss_usermod.c:57 --msgid "Add an attribute/value pair. The format is attrname=value." --msgstr "属性/値のペアを追加します。フォーマットは attrname=value です。" -+#: src/config/SSSDConfig/sssdoptions.py:272 -+msgid "" -+"The LDAP attribute that contains whether or not is user map enabled for " -+"usage." -+msgstr "" - --#: src/tools/sss_usermod.c:58 --msgid "Delete an attribute/value pair. The format is attrname=value." --msgstr "属性/値のペアを削除します。フォーマットは attrname=value です。" -+#: src/config/SSSDConfig/sssdoptions.py:274 -+msgid "The LDAP attribute that contains host category such as 'all'." -+msgstr "" - --#: src/tools/sss_usermod.c:59 -+#: src/config/SSSDConfig/sssdoptions.py:275 - msgid "" --"Set an attribute to a name/value pair. The format is attrname=value. For " --"multi-valued attributes, the command replaces the values already present" -+"The LDAP attribute that contains all hosts / hostgroups this rule match " -+"against." - msgstr "" --"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属" --"性の場合、コマンドがすでに存在する値に置き換えられます。" - --#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 --#: src/tools/sss_usermod.c:135 --msgid "Specify the attribute name/value pair(s)\n" --msgstr "属性の名前/値のペアを指定します\n" -+#: src/config/SSSDConfig/sssdoptions.py:277 -+msgid "" -+"The LDAP attribute that contains all users / groups this rule match against." 
-+msgstr "" - --#: src/tools/sss_usermod.c:152 --msgid "Specify user to modify\n" --msgstr "変更するユーザーを指定してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:279 -+msgid "The LDAP attribute that contains the name of SELinux usermap." -+msgstr "" - --#: src/tools/sss_usermod.c:180 -+#: src/config/SSSDConfig/sssdoptions.py:281 - msgid "" --"Cannot find user in local domain, modifying users is allowed only in local " --"domain\n" -+"The LDAP attribute that contains DN of HBAC rule which can be used for " -+"matching instead of memberUser and memberHost." - msgstr "" --"ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメイ" --"ンにおいてのみ許可されます。\n" - --#: src/tools/sss_usermod.c:322 --msgid "Could not modify user - check if group names are correct\n" -+#: src/config/SSSDConfig/sssdoptions.py:283 -+msgid "The LDAP attribute that contains SELinux user string itself." - msgstr "" --"ユーザーを変更できませんでした - グループ名が正しいかを確認してください\n" - --#: src/tools/sss_usermod.c:326 --msgid "Could not modify user - user already member of groups?\n" -+#: src/config/SSSDConfig/sssdoptions.py:284 -+msgid "The LDAP attribute that contains user category such as 'all'." - msgstr "" --"ユーザーを変更できませんでした - ユーザーはすでにグループのメンバーですか?\n" -- --#: src/tools/sss_usermod.c:330 --msgid "Transaction error. Could not modify user.\n" --msgstr "トランザクションエラー。ユーザーを変更できませんでした。\n" - --#: src/tools/sss_cache.c:245 --msgid "No cache object matched the specified search\n" --msgstr "指定された検索に一致するキャッシュオブジェクトがありません\n" -+#: src/config/SSSDConfig/sssdoptions.py:285 -+msgid "The LDAP attribute that contains unique ID of the user map." -+msgstr "" - --#: src/tools/sss_cache.c:536 --#, c-format --msgid "Couldn't invalidate %1$s\n" --msgstr "%1$s を無効化できませんでした\n" -+#: src/config/SSSDConfig/sssdoptions.py:286 -+msgid "" -+"The option denotes that the SSSD is running on IPA server and should perform " -+"lookups of users and groups from trusted domains differently." 
-+msgstr "" - --#: src/tools/sss_cache.c:543 --#, c-format --msgid "Couldn't invalidate %1$s %2$s\n" --msgstr "%1$s %2$s を無効化できませんでした\n" -+#: src/config/SSSDConfig/sssdoptions.py:288 -+msgid "Use the given string as search base for trusted domains." -+msgstr "" - --#: src/tools/sss_cache.c:721 --msgid "Invalidate all cached entries" --msgstr "すべてのキャッシュエントリーを無効化します" -+#: src/config/SSSDConfig/sssdoptions.py:291 -+msgid "Active Directory domain" -+msgstr "Active Directory ドメイン" - --#: src/tools/sss_cache.c:723 --msgid "Invalidate particular user" --msgstr "特定のユーザーを無効にする" -+#: src/config/SSSDConfig/sssdoptions.py:292 -+msgid "Enabled Active Directory domains" -+msgstr "有効化された Active Directory ドメイン" - --#: src/tools/sss_cache.c:725 --msgid "Invalidate all users" --msgstr "すべてのユーザーを無効にする" -+#: src/config/SSSDConfig/sssdoptions.py:293 -+msgid "Active Directory server address" -+msgstr "Active Directory サーバーアドレス" - --#: src/tools/sss_cache.c:727 --msgid "Invalidate particular group" --msgstr "特定のグループを無効にする" -+#: src/config/SSSDConfig/sssdoptions.py:294 -+msgid "Active Directory backup server address" -+msgstr "Active Directory バックアップサーバーのアドレス" - --#: src/tools/sss_cache.c:729 --msgid "Invalidate all groups" --msgstr "すべてのグループを無効にする" -+#: src/config/SSSDConfig/sssdoptions.py:295 -+msgid "Active Directory client hostname" -+msgstr "Active Directory クライアントホスト名" - --#: src/tools/sss_cache.c:731 --msgid "Invalidate particular netgroup" --msgstr "特定のネットワークグループを無効にする" -+#: src/config/SSSDConfig/sssdoptions.py:297 -+#: src/config/SSSDConfig/sssdoptions.py:488 -+msgid "LDAP filter to determine access privileges" -+msgstr "アクセス権限を決めるための LDAP フィルター" - --#: src/tools/sss_cache.c:733 --msgid "Invalidate all netgroups" --msgstr "すべてのネットワークグループを無効にする" -+#: src/config/SSSDConfig/sssdoptions.py:298 -+msgid "Whether to use the Global Catalog for lookups" -+msgstr "検索にグローバルカタログを使用するかどうか" - --#: src/tools/sss_cache.c:735 --msgid "Invalidate particular service" --msgstr "特定のサービスの無効化" -+#: 
src/config/SSSDConfig/sssdoptions.py:299 -+msgid "Operation mode for GPO-based access control" -+msgstr "グローバルカタログベースのアクセス制御に対するオペレーションモード" - --#: src/tools/sss_cache.c:737 --msgid "Invalidate all services" --msgstr "すべてのサービスの無効化" -+#: src/config/SSSDConfig/sssdoptions.py:300 -+msgid "" -+"The amount of time between lookups of the GPO policy files against the AD " -+"server" -+msgstr "AD サーバーに対する GPO ポリシーファイルを検索している間の合計時間" - --#: src/tools/sss_cache.c:740 --msgid "Invalidate particular autofs map" --msgstr "特定の autofs マップの無効化" -+#: src/config/SSSDConfig/sssdoptions.py:301 -+msgid "" -+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " -+"settings" -+msgstr "GPO (Deny)InteractiveLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/tools/sss_cache.c:742 --msgid "Invalidate all autofs maps" --msgstr "すべての autofs マップの無効化" -+#: src/config/SSSDConfig/sssdoptions.py:303 -+msgid "" -+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " -+"policy settings" -+msgstr "GPO (Deny)RemoteInteractiveLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/tools/sss_cache.c:746 --msgid "Invalidate particular SSH host" --msgstr "特定の SSH ホストを無効化します" -+#: src/config/SSSDConfig/sssdoptions.py:305 -+msgid "" -+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy " -+"settings" -+msgstr "GPO (Deny)NetworkLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/tools/sss_cache.c:748 --msgid "Invalidate all SSH hosts" --msgstr "すべての SSH ホストを無効化します" -+#: src/config/SSSDConfig/sssdoptions.py:306 -+msgid "" -+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" -+msgstr "GPO (Deny)BatchLogonRight のポリシー設定にマッピングした PAM サービス名" - --#: src/tools/sss_cache.c:752 --msgid "Invalidate particular sudo rule" --msgstr "特定の sudo ルールを無効化します" -+#: src/config/SSSDConfig/sssdoptions.py:307 -+msgid "" -+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy " -+"settings" -+msgstr "(Deny)ServiceLogonRight のポリシー設定にマッピングした PAM 
サービス名" - --#: src/tools/sss_cache.c:754 --msgid "Invalidate all cached sudo rules" --msgstr "すべてのキャッシュ sudo ルールを無効化します" -+#: src/config/SSSDConfig/sssdoptions.py:308 -+msgid "PAM service names for which GPO-based access is always granted" -+msgstr "GPO ベースのアクセスが常に許可される PAM サービス名" - --#: src/tools/sss_cache.c:757 --msgid "Only invalidate entries from a particular domain" --msgstr "特定のドメインのみからエントリーを無効にする" -+#: src/config/SSSDConfig/sssdoptions.py:309 -+msgid "PAM service names for which GPO-based access is always denied" -+msgstr "GPO ベースのアクセスが常に拒否される PAM サービス名" - --#: src/tools/sss_cache.c:811 -+#: src/config/SSSDConfig/sssdoptions.py:310 - msgid "" --"Unexpected argument(s) provided, options that invalidate a single object " --"only accept a single provided argument.\n" --msgstr "" --"予期しない引数が提供される場合、1 つのオブジェクトを無効化するオプションは、" --"提供された引数を 1 つだけ受け取ります。\n" -+"Default logon right (or permit/deny) to use for unmapped PAM service names" -+msgstr "マッピングされていない PAM サービス名に使用するデフォルトのログオン権利 (または許可/拒否)" - --#: src/tools/sss_cache.c:821 --msgid "Please select at least one object to invalidate\n" --msgstr "無効化するオブジェクトを少なくとも一つ選択してください\n" -+#: src/config/SSSDConfig/sssdoptions.py:311 -+msgid "a particular site to be used by the client" -+msgstr "クライアントが使用する特定のサイト" - --#: src/tools/sss_cache.c:904 --#, c-format -+#: src/config/SSSDConfig/sssdoptions.py:312 - msgid "" --"Could not open domain %1$s. 
If the domain is a subdomain (trusted domain), " --"use fully qualified name instead of --domain/-d parameter.\n" --msgstr "" --"ドメイン %1$s を開けませんでした。ドメインがサブドメイン (信頼済みドメイン) " --"であれば、--domain/-d パラメーターの代わりに完全修飾名を使用してください。\n" -+"Maximum age in days before the machine account password should be renewed" -+msgstr "マシンアカウントのパスワードの更新が必要となるまでの最大日数" - --#: src/tools/sss_cache.c:909 --msgid "Could not open available domains\n" --msgstr "利用可能なドメインを開けませんでした\n" -+#: src/config/SSSDConfig/sssdoptions.py:314 -+msgid "Option for tuning the machine account renewal task" -+msgstr "マシンアカウントの更新タスクをチューニングするオプション" - --#: src/tools/tools_util.c:202 --#, c-format --msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" -+#: src/config/SSSDConfig/sssdoptions.py:315 -+msgid "Whether to update the machine account password in the Samba database" - msgstr "" --"名前 '%1$s' が FQDN であるように見えません ('%2$s = TRUE' が設定されます)\n" - --#: src/tools/tools_util.c:309 --msgid "Out of memory\n" --msgstr "メモリー不足\n" -+#: src/config/SSSDConfig/sssdoptions.py:317 -+msgid "Use LDAPS port for LDAP and Global Catalog requests" -+msgstr "LDAP およびグローバルカタログのリクエストに LDAPS ポートを使用する" - --#: src/tools/tools_util.h:40 --#, c-format --msgid "%1$s must be run as root\n" --msgstr "%1$s は root として実行する必要があります\n" -+#: src/config/SSSDConfig/sssdoptions.py:320 -+#: src/config/SSSDConfig/sssdoptions.py:321 -+msgid "Kerberos server address" -+msgstr "Kerberos サーバーのアドレス" - --#: src/tools/sssctl/sssctl.c:35 --msgid "yes" --msgstr "はい" -+#: src/config/SSSDConfig/sssdoptions.py:322 -+msgid "Kerberos backup server address" -+msgstr "Kerberos バックアップサーバーのアドレス" - --#: src/tools/sssctl/sssctl.c:37 --msgid "no" --msgstr "いいえ" -+#: src/config/SSSDConfig/sssdoptions.py:323 -+msgid "Kerberos realm" -+msgstr "Kerberos レルム" - --#: src/tools/sssctl/sssctl.c:39 --msgid "error" --msgstr "エラー" -+#: src/config/SSSDConfig/sssdoptions.py:324 -+msgid "Authentication timeout" -+msgstr "認証のタイムアウト" - --#: src/tools/sssctl/sssctl.c:42 --msgid 
"Invalid result." --msgstr "無効な結果。" -+#: src/config/SSSDConfig/sssdoptions.py:325 -+msgid "Whether to create kdcinfo files" -+msgstr "kdcinfo ファイルを作成するかどうか" - --#: src/tools/sssctl/sssctl.c:78 --msgid "Unable to read user input\n" --msgstr "ユーザーインプットの読み込みができませんでした\n" -+#: src/config/SSSDConfig/sssdoptions.py:326 -+msgid "Where to drop krb5 config snippets" -+msgstr "krb5 設定スニペットを削除する場所" - --#: src/tools/sssctl/sssctl.c:91 --#, c-format --msgid "Invalid input, please provide either '%s' or '%s'.\n" --msgstr "" --"無効なインプットです。'%s' または '%s' のいずれかを提供してください。\n" -+#: src/config/SSSDConfig/sssdoptions.py:329 -+msgid "Directory to store credential caches" -+msgstr "クレデンシャルのキャッシュを保存するディレクトリー" - --#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 --msgid "Error while executing external command\n" --msgstr "外部のコマンドを実行中にエラーが発生しました\n" -+#: src/config/SSSDConfig/sssdoptions.py:330 -+msgid "Location of the user's credential cache" -+msgstr "ユーザーのクレデンシャルキャッシュの位置" - --#: src/tools/sssctl/sssctl.c:156 --msgid "SSSD needs to be running. Start SSSD now?" --msgstr "SSSD を実行する必要があります。SSSD をすぐに実行しますか?" -+#: src/config/SSSDConfig/sssdoptions.py:331 -+msgid "Location of the keytab to validate credentials" -+msgstr "クレデンシャルを検証するキーテーブルの場所" - --#: src/tools/sssctl/sssctl.c:195 --msgid "SSSD must not be running. Stop SSSD now?" --msgstr "SSSD を実行してはいけません。SSSD を今、停止しますか?" -+#: src/config/SSSDConfig/sssdoptions.py:332 -+msgid "Enable credential validation" -+msgstr "クレデンシャルの検証を有効にする" - --#: src/tools/sssctl/sssctl.c:231 --msgid "SSSD needs to be restarted. Restart SSSD now?" --msgstr "SSSD は再起動が必要です。SSSD を今、再起動しますか?" 
-+#: src/config/SSSDConfig/sssdoptions.py:333 -+msgid "Store password if offline for later online authentication" -+msgstr "後からオンライン認証するためにオフラインの場合にパスワードを保存します" - --#: src/tools/sssctl/sssctl_cache.c:31 --#, c-format --msgid " %s is not present in cache.\n" --msgstr " %s はキャッシュにありません\n" -+#: src/config/SSSDConfig/sssdoptions.py:334 -+msgid "Renewable lifetime of the TGT" -+msgstr "更新可能な TGT の有効期間" - --#: src/tools/sssctl/sssctl_cache.c:33 --msgid "Name" --msgstr "名前" -+#: src/config/SSSDConfig/sssdoptions.py:335 -+msgid "Lifetime of the TGT" -+msgstr "TGT の有効期間" - --#: src/tools/sssctl/sssctl_cache.c:34 --msgid "Cache entry creation date" --msgstr "キャッシュエントリーの作成日" -+#: src/config/SSSDConfig/sssdoptions.py:336 -+msgid "Time between two checks for renewal" -+msgstr "更新を確認する間隔" - --#: src/tools/sssctl/sssctl_cache.c:35 --msgid "Cache entry last update time" --msgstr "キャッシュエントリーが最後に更新された時間" -+#: src/config/SSSDConfig/sssdoptions.py:337 -+msgid "Enables FAST" -+msgstr "FAST を有効にする" - --#: src/tools/sssctl/sssctl_cache.c:36 --msgid "Cache entry expiration time" --msgstr "キャッシュエントリーの期限切れ時間" -+#: src/config/SSSDConfig/sssdoptions.py:338 -+msgid "Selects the principal to use for FAST" -+msgstr "FAST に使用するプリンシパルを選択する" - --#: src/tools/sssctl/sssctl_cache.c:37 --msgid "Cached in InfoPipe" --msgstr "InfoPipe にキャッシュ" -+#: src/config/SSSDConfig/sssdoptions.py:339 -+msgid "Enables principal canonicalization" -+msgstr "プリンシパル正規化を有効にする" - --#: src/tools/sssctl/sssctl_cache.c:522 --#, c-format --msgid "Error: Unable to get object [%d]: %s\n" --msgstr "エラー: オブジェクト [%d] を取得できません: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:340 -+msgid "Enables enterprise principals" -+msgstr "エンタープライズ・プリンシパルの有効化" - --#: src/tools/sssctl/sssctl_cache.c:538 --#, c-format --msgid "%s: Unable to read value [%d]: %s\n" --msgstr "%s: 値 [%d] の読み込みができません: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:341 -+msgid "A mapping from user names to Kerberos principal names" -+msgstr "ユーザー名から Kerberos 
プリンシパル名までのマッピング" - --#: src/tools/sssctl/sssctl_cache.c:566 --msgid "Specify name." --msgstr "名前を指定します。" -+#: src/config/SSSDConfig/sssdoptions.py:344 -+#: src/config/SSSDConfig/sssdoptions.py:345 -+msgid "Server where the change password service is running if not on the KDC" -+msgstr "KDC になければ、パスワード変更サービスが実行されているサーバー" - --#: src/tools/sssctl/sssctl_cache.c:576 --#, c-format --msgid "Unable to parse name %s.\n" --msgstr "名前 %s を構文解析できません。\n" -+#: src/config/SSSDConfig/sssdoptions.py:348 -+msgid "ldap_uri, The URI of the LDAP server" -+msgstr "ldap_uri, LDAP サーバーの URI" - --#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649 --msgid "Search by SID" --msgstr "SID で検索" -+#: src/config/SSSDConfig/sssdoptions.py:349 -+msgid "ldap_backup_uri, The URI of the LDAP server" -+msgstr "ldap_backup_uri, LDAP サーバーの URI" - --#: src/tools/sssctl/sssctl_cache.c:603 --msgid "Search by user ID" --msgstr "ユーザーID で検索" -+#: src/config/SSSDConfig/sssdoptions.py:350 -+msgid "The default base DN" -+msgstr "デフォルトのベース DN" - --#: src/tools/sssctl/sssctl_cache.c:612 --msgid "Initgroups expiration time" --msgstr "Initgroups の期限切れ時間" -+#: src/config/SSSDConfig/sssdoptions.py:351 -+msgid "The Schema Type in use on the LDAP server, rfc2307" -+msgstr "LDAP サーバーにおいて使用中のスキーマ形式、rfc2307" - --#: src/tools/sssctl/sssctl_cache.c:650 --msgid "Search by group ID" --msgstr "グループ ID で検索" -+#: src/config/SSSDConfig/sssdoptions.py:352 -+msgid "Mode used to change user password" -+msgstr "ユーザーのパスワードの変更にモードを使用しました" - --#: src/tools/sssctl/sssctl_config.c:70 --#, c-format --msgid "Failed to open %s\n" --msgstr "%s を開くことに失敗しました\n" -+#: src/config/SSSDConfig/sssdoptions.py:353 -+msgid "The default bind DN" -+msgstr "デフォルトのバインド DN" - --#: src/tools/sssctl/sssctl_config.c:75 --#, c-format --msgid "File %1$s does not exist.\n" --msgstr "ファイル %1$s は存在しません。\n" -+#: src/config/SSSDConfig/sssdoptions.py:354 -+msgid "The type of the authentication token of the default bind DN" -+msgstr "デフォルトのバインド DN 
の認証トークンの種類" - --#: src/tools/sssctl/sssctl_config.c:79 --msgid "" --"File ownership and permissions check failed. Expected root:root and 0600.\n" --msgstr "" --"ファイルの所有権とパーミッションの確認に失敗しました。予期される root:root お" --"よび 0600。\n" -+#: src/config/SSSDConfig/sssdoptions.py:355 -+msgid "The authentication token of the default bind DN" -+msgstr "デフォルトのバインド DN の認証トークン" - --#: src/tools/sssctl/sssctl_config.c:85 --#, fuzzy, c-format --msgid "Failed to load configuration from %s.\n" --msgstr "%s からの設定のロードに失敗しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:356 -+msgid "Length of time to attempt connection" -+msgstr "接続を試行する時間" - --#: src/tools/sssctl/sssctl_config.c:91 --msgid "Error while reading configuration directory.\n" --msgstr "設定ディレクトリーの読み込み中にエラーが発生しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:357 -+msgid "Length of time to attempt synchronous LDAP operations" -+msgstr "LDAP 同期操作を試行する時間" - --#: src/tools/sssctl/sssctl_config.c:99 --msgid "" --"There is no configuration. SSSD will use default configuration with files " --"provider.\n" --msgstr "" --"設定はありません。SSSD は、ファイルプロバイダーでデフォルト設定を使用しま" --"す。\n" -+#: src/config/SSSDConfig/sssdoptions.py:358 -+msgid "Length of time between attempts to reconnect while offline" -+msgstr "オフラインの間に再接続を試行する時間" - --#: src/tools/sssctl/sssctl_config.c:111 --msgid "Failed to run validators" --msgstr "バリデーターの実行に失敗しました" -+#: src/config/SSSDConfig/sssdoptions.py:359 -+msgid "Use only the upper case for realm names" -+msgstr "レルム名に対して大文字のみを使用する" - --#: src/tools/sssctl/sssctl_config.c:115 --#, c-format --msgid "Issues identified by validators: %zu\n" --msgstr "バリデーターで特定された問題: %zu\n" -+#: src/config/SSSDConfig/sssdoptions.py:360 -+msgid "File that contains CA certificates" -+msgstr "CA 証明書を含むファイル" - --#: src/tools/sssctl/sssctl_config.c:126 --#, c-format --msgid "Messages generated during configuration merging: %zu\n" --msgstr "設定のマージ中に生成されたメッセージ: %zu\n" -+#: src/config/SSSDConfig/sssdoptions.py:361 -+msgid "Path to CA certificate directory" 
-+msgstr "CA 証明書のディレクトリーのパス" - --#: src/tools/sssctl/sssctl_config.c:137 --#, c-format --msgid "Used configuration snippet files: %zu\n" --msgstr "使用された設定スニペットファイル: %zu\n" -+#: src/config/SSSDConfig/sssdoptions.py:362 -+msgid "File that contains the client certificate" -+msgstr "クライアント証明書を含むファイル" - --#: src/tools/sssctl/sssctl_data.c:89 --#, c-format --msgid "Unable to create backup directory [%d]: %s" --msgstr "バックアップディレクトリー [%d] を作成できません: %s" -+#: src/config/SSSDConfig/sssdoptions.py:363 -+msgid "File that contains the client key" -+msgstr "クライアントの鍵を含むファイル" - --#: src/tools/sssctl/sssctl_data.c:95 --msgid "SSSD backup of local data already exists, override?" --msgstr "" --"ローカルデータの SSSD バックアップはすでに存在しますが、上書きしますか?" -+#: src/config/SSSDConfig/sssdoptions.py:364 -+msgid "List of possible ciphers suites" -+msgstr "利用可能な暗号の一覧" - --#: src/tools/sssctl/sssctl_data.c:111 --msgid "Unable to export user overrides\n" --msgstr "ユーザーの上書きをエクスポートできません\n" -+#: src/config/SSSDConfig/sssdoptions.py:365 -+msgid "Require TLS certificate verification" -+msgstr "TLS 証明書の検証を要求する" - --#: src/tools/sssctl/sssctl_data.c:118 --msgid "Unable to export group overrides\n" --msgstr "グループの上書きをエクスポートできません\n" -+#: src/config/SSSDConfig/sssdoptions.py:366 -+msgid "Specify the sasl mechanism to use" -+msgstr "使用する SASL メカニズムを指定する" - --#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 --msgid "Override existing backup" --msgstr "既存のバックアップを上書き" -+#: src/config/SSSDConfig/sssdoptions.py:367 -+msgid "Specify the sasl authorization id to use" -+msgstr "使用する SASL 認可 ID を指定する" - --#: src/tools/sssctl/sssctl_data.c:164 --msgid "Unable to import user overrides\n" --msgstr "ユーザーの上書きをインポートできません\n" -+#: src/config/SSSDConfig/sssdoptions.py:368 -+msgid "Specify the sasl authorization realm to use" -+msgstr "使用する SASL 認可レルムを指定する" - --#: src/tools/sssctl/sssctl_data.c:173 --msgid "Unable to import group overrides\n" --msgstr "グループの上書きをインポートできません\n" -+#: 
src/config/SSSDConfig/sssdoptions.py:369 -+msgid "Specify the minimal SSF for LDAP sasl authorization" -+msgstr "LDAP SASL 認可の最小 SSF を指定する" - --#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 --#: src/tools/sssctl/sssctl_domains.c:328 --msgid "Start SSSD if it is not running" --msgstr "実行中でない場合、SSSD を開始します" -+#: src/config/SSSDConfig/sssdoptions.py:370 -+msgid "Specify the maximal SSF for LDAP sasl authorization" -+msgstr "LDAP SASL 認可の最大 SSF を指定する" - --#: src/tools/sssctl/sssctl_data.c:195 --msgid "Restart SSSD after data import" --msgstr "データのインポートの後、SSSD を再起動します" -+#: src/config/SSSDConfig/sssdoptions.py:371 -+msgid "Kerberos service keytab" -+msgstr "Kerberos サービスのキーテーブル" - --#: src/tools/sssctl/sssctl_data.c:218 --msgid "Create clean cache files and import local data" --msgstr "クリーンなキャッシュファイルを作成し、ローカルデータをインポートします" -+#: src/config/SSSDConfig/sssdoptions.py:372 -+msgid "Use Kerberos auth for LDAP connection" -+msgstr "LDAP 接続に対して Kerberos 認証を使用する" - --#: src/tools/sssctl/sssctl_data.c:219 --msgid "Stop SSSD before removing the cache" --msgstr "キャッシュを削除する前に SSSD を停止します" -+#: src/config/SSSDConfig/sssdoptions.py:373 -+msgid "Follow LDAP referrals" -+msgstr "LDAP リフェラルにしたがう" - --#: src/tools/sssctl/sssctl_data.c:220 --msgid "Start SSSD when the cache is removed" --msgstr "キャッシュの削除後に SSSD を開始します" -+#: src/config/SSSDConfig/sssdoptions.py:374 -+msgid "Lifetime of TGT for LDAP connection" -+msgstr "LDAP 接続の TGT の有効期間" - --#: src/tools/sssctl/sssctl_data.c:235 --msgid "Creating backup of local data...\n" --msgstr "ローカルデータのバックアップを作成中...\n" -+#: src/config/SSSDConfig/sssdoptions.py:375 -+msgid "How to dereference aliases" -+msgstr "エイリアスを参照解決する方法" - --#: src/tools/sssctl/sssctl_data.c:238 --msgid "Unable to create backup of local data, can not remove the cache.\n" --msgstr "" --"ローカルデータのバックアップの作成ができません。キャッシュを削除できませ" --"ん。\n" -+#: src/config/SSSDConfig/sssdoptions.py:376 -+msgid "Service name for DNS service lookups" -+msgstr "DNS サービス検索のサービス名" 
-
--#: src/tools/sssctl/sssctl_data.c:243
--msgid "Removing cache files...\n"
--msgstr "キャッシュファイルの削除中...\n"
-+#: src/config/SSSDConfig/sssdoptions.py:377
-+msgid "The number of records to retrieve in a single LDAP query"
-+msgstr "単一の LDAP クエリーにおいて取得するレコード数"
-
--#: src/tools/sssctl/sssctl_data.c:246
--msgid "Unable to remove cache files\n"
--msgstr "キャッシュファイルを削除できません\n"
-+#: src/config/SSSDConfig/sssdoptions.py:378
-+msgid "The number of members that must be missing to trigger a full deref"
-+msgstr "完全な参照解決を引き起こすために欠けている必要があるメンバーの数"
-
--#: src/tools/sssctl/sssctl_data.c:251
--msgid "Restoring local data...\n"
--msgstr "ローカルデータの復元中...\n"
-+#: src/config/SSSDConfig/sssdoptions.py:379
-+msgid ""
-+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
-+"host name during a SASL bind"
-+msgstr "LDAP ライブラリーが SASL バインド中にホスト名を正規化するために逆引きを実行するかどうか"
-
--#: src/tools/sssctl/sssctl_domains.c:83
--msgid "Show domain list including primary or trusted domain type"
-+#: src/config/SSSDConfig/sssdoptions.py:381
-+msgid ""
-+"Allows to retain local users as members of an LDAP group for servers that "
-+"use the RFC2307 schema."
- msgstr ""
--"プライマリーまたは信頼されたドメインタイプを含むドメインリストを表示します"
-
--#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367
--#: src/tools/sssctl/sssctl_user_checks.c:95
--msgid "Unable to connect to system bus!\n"
--msgstr "システムバスに接続できません。\n"
-+#: src/config/SSSDConfig/sssdoptions.py:384
-+msgid "entryUSN attribute"
-+msgstr "entryUSN 属性"
-
--#: src/tools/sssctl/sssctl_domains.c:167
--msgid "Online"
--msgstr "オンライン"
-+#: src/config/SSSDConfig/sssdoptions.py:385
-+msgid "lastUSN attribute"
-+msgstr "lastUSN 属性"
-
--#: src/tools/sssctl/sssctl_domains.c:167
--msgid "Offline"
--msgstr "オフライン"
-+#: src/config/SSSDConfig/sssdoptions.py:387
-+msgid ""
-+"How long to retain a connection to the LDAP server before disconnecting"
-+msgstr "LDAP サーバーを切断する前に接続を保持する時間"
-
--#: src/tools/sssctl/sssctl_domains.c:167
--#, c-format
--msgid "Online status: %s\n"
--msgstr "オンライン状態: %s\n"
-+#: src/config/SSSDConfig/sssdoptions.py:390
-+msgid "Disable the LDAP paging control"
-+msgstr "LDAP ページング制御を無効化する"
-
--#: src/tools/sssctl/sssctl_domains.c:213
--msgid "This domain has no active servers.\n"
--msgstr "このドメインには、アクティブなサーバーはありません。\n"
-+#: src/config/SSSDConfig/sssdoptions.py:391
-+msgid "Disable Active Directory range retrieval"
-+msgstr "Active Directory 範囲の取得の無効化"
-
--#: src/tools/sssctl/sssctl_domains.c:218
--msgid "Active servers:\n"
--msgstr "アクティブサーバー:\n"
-+#: src/config/SSSDConfig/sssdoptions.py:394
-+msgid "Length of time to wait for a search request"
-+msgstr "検索要求を待つ時間"
-
--#: src/tools/sssctl/sssctl_domains.c:230
--msgid "not connected"
--msgstr "接続していません"
-+#: src/config/SSSDConfig/sssdoptions.py:395
-+msgid "Length of time to wait for a enumeration request"
-+msgstr "列挙の要求を待つ時間"
-
--#: src/tools/sssctl/sssctl_domains.c:267
--msgid "No servers discovered.\n"
--msgstr "サーバーが見つかりません。\n"
-+#: src/config/SSSDConfig/sssdoptions.py:396
-+msgid "Length of time between enumeration updates"
-+msgstr "列挙の更新間隔"
-
--#: src/tools/sssctl/sssctl_domains.c:273
--#, c-format
--msgid "Discovered %s servers:\n"
--msgstr "%s サーバーが見つかりました:\n"
-+#: src/config/SSSDConfig/sssdoptions.py:397
-+msgid "Length of time between cache cleanups"
-+msgstr "キャッシュをクリーンアップする間隔"
-
--#: src/tools/sssctl/sssctl_domains.c:285
--msgid "None so far.\n"
--msgstr "今のところありません。\n"
-+#: src/config/SSSDConfig/sssdoptions.py:398
-+msgid "Require TLS for ID lookups"
-+msgstr "ID 検索に TLS を要求する"
-
--#: src/tools/sssctl/sssctl_domains.c:325
--msgid "Show online status"
--msgstr "オンライン状態を表示"
-+#: src/config/SSSDConfig/sssdoptions.py:399
-+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
-+msgstr "事前設定済み ID の代わりに objectSID の ID マッピングを使用します"
-
--#: src/tools/sssctl/sssctl_domains.c:326
--msgid "Show information about active server"
--msgstr "アクティブサーバーに関する情報の表示"
-+#: src/config/SSSDConfig/sssdoptions.py:400
-+msgid "Base DN for user lookups"
-+msgstr "ユーザー検索のベース DN"
-
--#: src/tools/sssctl/sssctl_domains.c:327
--msgid "Show list of discovered servers"
--msgstr "見つかったサーバーに関する一覧を表示"
-+#: src/config/SSSDConfig/sssdoptions.py:401
-+msgid "Scope of user lookups"
-+msgstr "ユーザー検索の範囲"
-
--#: src/tools/sssctl/sssctl_domains.c:333
--msgid "Specify domain name."
--msgstr "ドメイン名を指定します。" -+#: src/config/SSSDConfig/sssdoptions.py:402 -+msgid "Filter for user lookups" -+msgstr "ユーザー検索のフィルター" - --#: src/tools/sssctl/sssctl_domains.c:355 --msgid "Out of memory!\n" --msgstr "メモリーの空き容量がありません。\n" -+#: src/config/SSSDConfig/sssdoptions.py:403 -+msgid "Objectclass for users" -+msgstr "ユーザーのオブジェクトクラス" - --#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 --msgid "Unable to get online status\n" --msgstr "オンライン状態を取得できません\n" -+#: src/config/SSSDConfig/sssdoptions.py:404 -+msgid "Username attribute" -+msgstr "ユーザー名の属性" - --#: src/tools/sssctl/sssctl_domains.c:395 --msgid "Unable to get server list\n" --msgstr "サーバー一覧を取得できません\n" -+#: src/config/SSSDConfig/sssdoptions.py:405 -+msgid "UID attribute" -+msgstr "UID の属性" - --#: src/tools/sssctl/sssctl_logs.c:46 --msgid "\n" --msgstr "\n" -+#: src/config/SSSDConfig/sssdoptions.py:406 -+msgid "Primary GID attribute" -+msgstr "プライマリー GID の属性" - --#: src/tools/sssctl/sssctl_logs.c:236 --msgid "Delete log files instead of truncating" --msgstr "切り捨てる代わりにログファイルを削除します" -+#: src/config/SSSDConfig/sssdoptions.py:407 -+msgid "GECOS attribute" -+msgstr "GECOS の属性" - --#: src/tools/sssctl/sssctl_logs.c:247 --msgid "Deleting log files...\n" --msgstr "ログファイルを削除中...\n" -+#: src/config/SSSDConfig/sssdoptions.py:408 -+msgid "Home directory attribute" -+msgstr "ホームディレクトリーの属性" - --#: src/tools/sssctl/sssctl_logs.c:250 --msgid "Unable to remove log files\n" --msgstr "ログファイルを削除できません\n" -+#: src/config/SSSDConfig/sssdoptions.py:409 -+msgid "Shell attribute" -+msgstr "シェルの属性" - --#: src/tools/sssctl/sssctl_logs.c:256 --msgid "Truncating log files...\n" --msgstr "ログファイルを切り捨てます...\n" -+#: src/config/SSSDConfig/sssdoptions.py:410 -+msgid "UUID attribute" -+msgstr "UUID 属性" - --#: src/tools/sssctl/sssctl_logs.c:259 --msgid "Unable to truncate log files\n" --msgstr "ログファイルの切り捨てができません\n" -+#: src/config/SSSDConfig/sssdoptions.py:411 -+#: src/config/SSSDConfig/sssdoptions.py:449 -+msgid 
"objectSID attribute" -+msgstr "objectSID 属性" - --#: src/tools/sssctl/sssctl_logs.c:285 --msgid "Out of memory!" --msgstr "メモリーの空き容量がありません。" -+#: src/config/SSSDConfig/sssdoptions.py:412 -+msgid "Active Directory primary group attribute for ID-mapping" -+msgstr "ID マッピングの Active Directory プライマリーグループ属性" - --#: src/tools/sssctl/sssctl_logs.c:288 --#, c-format --msgid "Archiving log files into %s...\n" --msgstr "ログファイルを %s へアーカイブ中...\n" -+#: src/config/SSSDConfig/sssdoptions.py:413 -+msgid "User principal attribute (for Kerberos)" -+msgstr "ユーザープリンシパルの属性(Kerberos 用)" - --#: src/tools/sssctl/sssctl_logs.c:291 --msgid "Unable to archive log files\n" --msgstr "ログファイルのアーカイブができません\n" -+#: src/config/SSSDConfig/sssdoptions.py:414 -+msgid "Full Name" -+msgstr "氏名" - --#: src/tools/sssctl/sssctl_logs.c:316 --msgid "Specify debug level you want to set" --msgstr "設定したいデバッグレベルを指定します" -+#: src/config/SSSDConfig/sssdoptions.py:415 -+msgid "memberOf attribute" -+msgstr "memberOf 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:117 --msgid "SSSD InfoPipe user lookup result:\n" --msgstr "SSSD InfoPipe ユーザー検索の結果:\n" -+#: src/config/SSSDConfig/sssdoptions.py:416 -+msgid "Modification time attribute" -+msgstr "変更日時の属性" - --#: src/tools/sssctl/sssctl_user_checks.c:167 --#, c-format --msgid "dlopen failed with [%s].\n" --msgstr "dlopen は [%s] で失敗しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:417 -+msgid "shadowLastChange attribute" -+msgstr "shadowLastChange 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:174 --#, c-format --msgid "dlsym failed with [%s].\n" --msgstr "dlsym は [%s] で失敗しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:418 -+msgid "shadowMin attribute" -+msgstr "shadowMin 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:182 --msgid "malloc failed.\n" --msgstr "malloc は失敗しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:419 -+msgid "shadowMax attribute" -+msgstr "shadowMax 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:189 --#, c-format --msgid "sss_getpwnam_r failed 
with [%d].\n" --msgstr "sss_getpwnam_r が [%d] で失敗しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:420 -+msgid "shadowWarning attribute" -+msgstr "shadowWarning 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:194 --msgid "SSSD nss user lookup result:\n" --msgstr "SSSD nss ユーザー検索の結果:\n" -+#: src/config/SSSDConfig/sssdoptions.py:421 -+msgid "shadowInactive attribute" -+msgstr "shadowInactive 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:195 --#, c-format --msgid " - user name: %s\n" --msgstr " - user name: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:422 -+msgid "shadowExpire attribute" -+msgstr "shadowExpire 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:196 --#, c-format --msgid " - user id: %d\n" --msgstr " - user id: %d\n" -+#: src/config/SSSDConfig/sssdoptions.py:423 -+msgid "shadowFlag attribute" -+msgstr "shadowFlag 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:197 --#, c-format --msgid " - group id: %d\n" --msgstr " - group id: %d\n" -+#: src/config/SSSDConfig/sssdoptions.py:424 -+msgid "Attribute listing authorized PAM services" -+msgstr "認可された PAM サービスを一覧化する属性" - --#: src/tools/sssctl/sssctl_user_checks.c:198 --#, c-format --msgid " - gecos: %s\n" --msgstr " - gecos: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:425 -+msgid "Attribute listing authorized server hosts" -+msgstr "認可されたサーバーホストを一覧化する属性" - --#: src/tools/sssctl/sssctl_user_checks.c:199 --#, c-format --msgid " - home directory: %s\n" --msgstr " - home directory: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:426 -+msgid "Attribute listing authorized server rhosts" -+msgstr "認可されたサーバー rhosts を一覧化する属性" - --#: src/tools/sssctl/sssctl_user_checks.c:200 --#, c-format --msgid "" --" - shell: %s\n" --"\n" --msgstr "" --" - shell: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:427 -+msgid "krbLastPwdChange attribute" -+msgstr "krbLastPwdChange 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:232 --msgid "PAM action [auth|acct|setc|chau|open|clos], default: " --msgstr "PAM アクション 
[auth|acct|setc|chau|open|clos]、デフォルト: " -+#: src/config/SSSDConfig/sssdoptions.py:428 -+msgid "krbPasswordExpiration attribute" -+msgstr "krbPasswordExpiration 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:235 --msgid "PAM service, default: " --msgstr "PAM サービス、デフォルト: " -+#: src/config/SSSDConfig/sssdoptions.py:429 -+msgid "Attribute indicating that server side password policies are active" -+msgstr "サーバー側パスワードポリシーが有効であることを意味する属性" - --#: src/tools/sssctl/sssctl_user_checks.c:240 --msgid "Specify user name." --msgstr "ユーザー名を指定します。" -+#: src/config/SSSDConfig/sssdoptions.py:430 -+msgid "accountExpires attribute of AD" -+msgstr "AD の accountExpires 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:247 --#, c-format --msgid "" --"user: %s\n" --"action: %s\n" --"service: %s\n" --"\n" --msgstr "" --"ユーザー: %s\n" --"アクション: %s\n" --"サービス: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:431 -+msgid "userAccountControl attribute of AD" -+msgstr "AD の userAccountControl 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:252 --#, c-format --msgid "User name lookup with [%s] failed.\n" --msgstr "[%s] でのユーザー名の検索に失敗しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:432 -+msgid "nsAccountLock attribute" -+msgstr "nsAccountLock 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:257 --#, c-format --msgid "InfoPipe User lookup with [%s] failed.\n" --msgstr "[%s] での InfoPipe ユーザーの検索に失敗しました。\n" -+#: src/config/SSSDConfig/sssdoptions.py:433 -+msgid "loginDisabled attribute of NDS" -+msgstr "NDS の loginDisabled 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:263 --#, c-format --msgid "pam_start failed: %s\n" --msgstr "pam_start に失敗しました: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:434 -+msgid "loginExpirationTime attribute of NDS" -+msgstr "NDS の loginExpirationTime 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:268 --msgid "" --"testing pam_authenticate\n" --"\n" --msgstr "" --"pam_authenticate のテスト中\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:435 -+msgid 
"loginAllowedTimeMap attribute of NDS" -+msgstr "NDS の loginAllowedTimeMap 属性" - --#: src/tools/sssctl/sssctl_user_checks.c:272 --#, c-format --msgid "pam_get_item failed: %s\n" --msgstr "pam_get_item に失敗しました: %s\n" -+#: src/config/SSSDConfig/sssdoptions.py:436 -+msgid "SSH public key attribute" -+msgstr "SSH 公開鍵の属性" - --#: src/tools/sssctl/sssctl_user_checks.c:275 --#, c-format --msgid "" --"pam_authenticate for user [%s]: %s\n" --"\n" --msgstr "" --"ユーザー [%s] 向けの pam_authenticate: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:437 -+msgid "attribute listing allowed authentication types for a user" -+msgstr "ユーザー用に許可された認証タイプを一覧化する属性" - --#: src/tools/sssctl/sssctl_user_checks.c:278 --msgid "" --"testing pam_chauthtok\n" --"\n" --msgstr "" --"pam_chauthtok のテスト中\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:438 -+msgid "attribute containing the X509 certificate of the user" -+msgstr "ユーザーの X509 証明書を含む属性" - --#: src/tools/sssctl/sssctl_user_checks.c:280 --#, c-format --msgid "" --"pam_chauthtok: %s\n" --"\n" --msgstr "" --"pam_chauthtok: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:439 -+msgid "attribute containing the email address of the user" -+msgstr "ユーザーの電子メールアドレスを含む属性" - --#: src/tools/sssctl/sssctl_user_checks.c:282 --msgid "" --"testing pam_acct_mgmt\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:440 -+msgid "A list of extra attributes to download along with the user entry" -+msgstr "ユーザーエントリーと共にダウンロードする追加的な属性の一覧" -+ -+#: src/config/SSSDConfig/sssdoptions.py:442 -+msgid "Base DN for group lookups" -+msgstr "グループ検索のベース DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:443 -+msgid "Objectclass for groups" -+msgstr "グループのオブジェクトクラス" -+ -+#: src/config/SSSDConfig/sssdoptions.py:444 -+msgid "Group name" -+msgstr "グループ名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:445 -+msgid "Group password" -+msgstr "グループのパスワード" -+ -+#: src/config/SSSDConfig/sssdoptions.py:446 -+msgid "GID attribute" -+msgstr "GID 属性" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:447 -+msgid "Group member attribute" -+msgstr "グループメンバー属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:448 -+msgid "Group UUID attribute" -+msgstr "グループ UUID 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:450 -+msgid "Modification time attribute for groups" -+msgstr "グループの変更日時の属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:451 -+msgid "Type of the group and other flags" -+msgstr "グループおよび他のフラグのタイプ" -+ -+#: src/config/SSSDConfig/sssdoptions.py:452 -+msgid "The LDAP group external member attribute" -+msgstr "LDAP グループの外部メンバーの属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:453 -+msgid "Maximum nesting level SSSD will follow" -+msgstr "SSSD が従う最大ネストレベル" -+ -+#: src/config/SSSDConfig/sssdoptions.py:454 -+msgid "Filter for group lookups" - msgstr "" --"pam_acct_mgmt のテスト中\n" --"\n" - --#: src/tools/sssctl/sssctl_user_checks.c:284 --#, c-format --msgid "" --"pam_acct_mgmt: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:455 -+msgid "Scope of group lookups" - msgstr "" --"pam_acct_mgmt: %s\n" --"\n" - --#: src/tools/sssctl/sssctl_user_checks.c:286 --msgid "" --"testing pam_setcred\n" --"\n" --msgstr "" --"pam_setcred のテスト中\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:457 -+msgid "Base DN for netgroup lookups" -+msgstr "ネットグループ検索のベース DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:458 -+msgid "Objectclass for netgroups" -+msgstr "ネットグループのオブジェクトクラス" -+ -+#: src/config/SSSDConfig/sssdoptions.py:459 -+msgid "Netgroup name" -+msgstr "ネットグループ名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:460 -+msgid "Netgroups members attribute" -+msgstr "ネットグループメンバーの属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:461 -+msgid "Netgroup triple attribute" -+msgstr "ネットグループの三つ組の属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:462 -+msgid "Modification time attribute for netgroups" -+msgstr "ネットグループの変更日時の属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:464 -+msgid "Base DN for service lookups" -+msgstr "サービス検索のベース DN" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:465 -+msgid "Objectclass for services" -+msgstr "サービスのオブジェクトクラス" -+ -+#: src/config/SSSDConfig/sssdoptions.py:466 -+msgid "Service name attribute" -+msgstr "サービス名の属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:467 -+msgid "Service port attribute" -+msgstr "サービスポートの属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:468 -+msgid "Service protocol attribute" -+msgstr "サービスプロトコルの属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:470 -+msgid "Lower bound for ID-mapping" -+msgstr "ID マッピングの下限" -+ -+#: src/config/SSSDConfig/sssdoptions.py:471 -+msgid "Upper bound for ID-mapping" -+msgstr "ID マッピングの上限" -+ -+#: src/config/SSSDConfig/sssdoptions.py:472 -+msgid "Number of IDs for each slice when ID-mapping" -+msgstr "ID マッピングするとき、各スライスに対する ID の数" -+ -+#: src/config/SSSDConfig/sssdoptions.py:473 -+msgid "Use autorid-compatible algorithm for ID-mapping" -+msgstr "ID マッピングに対する autorid 互換アルゴリズムを使用します" -+ -+#: src/config/SSSDConfig/sssdoptions.py:474 -+msgid "Name of the default domain for ID-mapping" -+msgstr "ID マッピングに対するデフォルトドメインの名前" - --#: src/tools/sssctl/sssctl_user_checks.c:288 --#, c-format --msgid "" --"pam_setcred: [%s]\n" --"\n" --msgstr "" --"pam_setcred: [%s]\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:475 -+msgid "SID of the default domain for ID-mapping" -+msgstr "ID マッピングに対するデフォルトドメインの SID" - --#: src/tools/sssctl/sssctl_user_checks.c:290 --msgid "" --"testing pam_open_session\n" --"\n" --msgstr "" --"pam_open_session のテスト中\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:476 -+msgid "Number of secondary slices" -+msgstr "セカンダリースライスの数" - --#: src/tools/sssctl/sssctl_user_checks.c:292 --#, c-format --msgid "" --"pam_open_session: %s\n" --"\n" --msgstr "" --"pam_open_session: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:478 -+msgid "Whether to use Token-Groups" -+msgstr "Token-Group を使うかどうか" - --#: src/tools/sssctl/sssctl_user_checks.c:294 --msgid "" --"testing pam_close_session\n" --"\n" --msgstr "" 
--"pam_close_session のテスト中\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:479 -+msgid "Set lower boundary for allowed IDs from the LDAP server" -+msgstr "LDAP サーバーから許可される ID の下限の設定" - --#: src/tools/sssctl/sssctl_user_checks.c:296 --#, c-format --msgid "" --"pam_close_session: %s\n" --"\n" --msgstr "" --"pam_close_session: %s\n" --"\n" -+#: src/config/SSSDConfig/sssdoptions.py:480 -+msgid "Set upper boundary for allowed IDs from the LDAP server" -+msgstr "LDAP サーバーから許可される ID の上限の設定" - --#: src/tools/sssctl/sssctl_user_checks.c:298 --msgid "unknown action\n" --msgstr "不明なアクション\n" -+#: src/config/SSSDConfig/sssdoptions.py:481 -+msgid "DN for ppolicy queries" -+msgstr "ppolicy クエリーの DN" - --#: src/tools/sssctl/sssctl_user_checks.c:301 --msgid "PAM Environment:\n" --msgstr "PAM 環境:\n" -+#: src/config/SSSDConfig/sssdoptions.py:482 -+msgid "How many maximum entries to fetch during a wildcard request" -+msgstr "ワイルドカードの要求の間に取得する最大エントリーの数" - --#: src/tools/sssctl/sssctl_user_checks.c:309 --msgid " - no env -\n" --msgstr " - no env -\n" -+#: src/config/SSSDConfig/sssdoptions.py:485 -+msgid "Policy to evaluate the password expiration" -+msgstr "パスワード失効の評価のポリシー" - --#: src/util/util.h:82 --msgid "The user ID to run the server as" --msgstr "次のようにサーバーを実行するユーザー ID" -+#: src/config/SSSDConfig/sssdoptions.py:489 -+msgid "Which attributes shall be used to evaluate if an account is expired" -+msgstr "どの属性がアカウントが失効しているかを評価するために使用されるか" - --#: src/util/util.h:84 --msgid "The group ID to run the server as" --msgstr "次のようにサーバーを実行するグループ ID" -+#: src/config/SSSDConfig/sssdoptions.py:490 -+msgid "Which rules should be used to evaluate access control" -+msgstr "どのルールがアクセス制御を評価するために使用されるか" - --#: src/util/util.h:92 --msgid "Informs that the responder has been socket-activated" --msgstr "レスポンダーがソケットでアクティベートされたと知らせます" -+#: src/config/SSSDConfig/sssdoptions.py:493 -+msgid "URI of an LDAP server where password changes are allowed" -+msgstr "パスワードの変更が許可される LDAP サーバーの URI" - --#: 
src/util/util.h:94 --msgid "Informs that the responder has been dbus-activated" --msgstr "レスポンダーが dbus でアクティベートされたと知らせます" -+#: src/config/SSSDConfig/sssdoptions.py:494 -+msgid "URI of a backup LDAP server where password changes are allowed" -+msgstr "パスワードの変更が許可されるバックアップ LDAP サーバーの URI" - --#~ msgid "Set the verbosity of the debug logging" --#~ msgstr "デバッグのロギングの冗長性を設定する" -+#: src/config/SSSDConfig/sssdoptions.py:495 -+msgid "DNS service name for LDAP password change server" -+msgstr "LDAP パスワードの変更サーバーの DNS サービス名" - --#~ msgid "Include timestamps in debug logs" --#~ msgstr "デバッグログにタイムスタンプを含める" -+#: src/config/SSSDConfig/sssdoptions.py:496 -+msgid "" -+"Whether to update the ldap_user_shadow_last_change attribute after a " -+"password change" -+msgstr "パスワード変更後 ldap_user_shadow_last_change 属性を更新するかどうか" - --#~ msgid "Include microseconds in timestamps in debug logs" --#~ msgstr "デバッグログにミリ秒単位のタイムスタンプを含める" -+#: src/config/SSSDConfig/sssdoptions.py:500 -+msgid "Base DN for sudo rules lookups" -+msgstr "sudo ルール検索のベース DN" - --#~ msgid "Write debug messages to logfiles" --#~ msgstr "デバッグメッセージをログファイルに書き込む" -+#: src/config/SSSDConfig/sssdoptions.py:501 -+msgid "Automatic full refresh period" -+msgstr "自動的な完全更新間隔" - --#~ msgid "Watchdog timeout before restarting service" --#~ msgstr "サービス再起動前の Watchdog タイムアウト" -+#: src/config/SSSDConfig/sssdoptions.py:502 -+msgid "Automatic smart refresh period" -+msgstr "自動的なスマート更新間隔" - --#~ msgid "Command to start service" --#~ msgstr "サービス開始のコマンド" -+#: src/config/SSSDConfig/sssdoptions.py:503 -+msgid "Whether to filter rules by hostname, IP addresses and network" -+msgstr "ホスト名、IP アドレスおよびネットワークによるフィルタールールを使用するかどうか" - --#~ msgid "Number of times to attempt connection to Data Providers" --#~ msgstr "データプロバイダーの接続を試行する回数" -+#: src/config/SSSDConfig/sssdoptions.py:504 -+msgid "" -+"Hostnames and/or fully qualified domain names of this machine to filter sudo " -+"rules" -+msgstr "sudo ルールをフィルターするこのマシンのホスト名および/または完全修飾ドメイン名" - --#~ msgid "The 
number of file descriptors that may be opened by this responder" --#~ msgstr "このレスポンダーににより開かれるファイル記述子の数" -+#: src/config/SSSDConfig/sssdoptions.py:505 -+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" -+msgstr "sudo ルールをフィルターするこのマシンの IPv4 または IPv6 アドレスまたはネットワーク" - --#~ msgid "Idle time before automatic disconnection of a client" --#~ msgstr "クライアントの自動切断までのアイドル時間" -+#: src/config/SSSDConfig/sssdoptions.py:506 -+msgid "Whether to include rules that contains netgroup in host attribute" -+msgstr "ホスト属性にネットワークグループを含むルールを含めるかどうか" - --#~ msgid "Idle time before automatic shutdown of the responder" --#~ msgstr "レスポンダーの自動シャットダウンまでのアイドル時間" -+#: src/config/SSSDConfig/sssdoptions.py:507 -+msgid "" -+"Whether to include rules that contains regular expression in host attribute" -+msgstr "ホスト属性に正規表現を含むルールを含めるかどうか" - --#~ msgid "Always query all the caches before querying the Data Providers" --#~ msgstr "" --#~ "データプロバイダーをクエリーする前に、常にすべてのキャッシュをクエリーしま" --#~ "す" -+#: src/config/SSSDConfig/sssdoptions.py:508 -+msgid "Object class for sudo rules" -+msgstr "sudo ルールのオブジェクトクラス" - --#~ msgid "SSSD Services to start" --#~ msgstr "開始する SSSD サービス" -+#: src/config/SSSDConfig/sssdoptions.py:509 -+msgid "Name of attribute that is used as object class for sudo rules" -+msgstr "sudo ルールのオブジェクトクラスとして使用される属性の名前" - --#~ msgid "SSSD Domains to start" --#~ msgstr "開始する SSSD ドメイン" -+#: src/config/SSSDConfig/sssdoptions.py:510 -+msgid "Sudo rule name" -+msgstr "sudo ルール名" - --#~ msgid "Timeout for messages sent over the SBUS" --#~ msgstr "SBUS 経由のメッセージ送信のタイムアウト" -+#: src/config/SSSDConfig/sssdoptions.py:511 -+msgid "Sudo rule command attribute" -+msgstr "sudo ルールのコマンドの属性" - --#~ msgid "Regex to parse username and domain" --#~ msgstr "ユーザー名とドメインを構文解析する正規表現" -+#: src/config/SSSDConfig/sssdoptions.py:512 -+msgid "Sudo rule host attribute" -+msgstr "sudo ルールのホストの属性" - --#~ msgid "Printf-compatible format for displaying fully-qualified names" --#~ msgstr "完全修飾名を表示するための printf 
互換の形式" -+#: src/config/SSSDConfig/sssdoptions.py:513 -+msgid "Sudo rule user attribute" -+msgstr "sudo ルールのユーザーの属性" - --#~ msgid "" --#~ "Directory on the filesystem where SSSD should store Kerberos replay cache " --#~ "files." --#~ msgstr "" --#~ "SSSD が Kerberos リプレイキャッシュファイルを保存するファイルシステムの" --#~ "ディレクトリーです。" -+#: src/config/SSSDConfig/sssdoptions.py:514 -+msgid "Sudo rule option attribute" -+msgstr "sudo ルールのオプションの属性" - --#~ msgid "Domain to add to names without a domain component." --#~ msgstr "domain 要素なしで追加するドメインの名前。" -+#: src/config/SSSDConfig/sssdoptions.py:515 -+msgid "Sudo rule runas attribute" -+msgstr "sudo ルールの runas の属性" - --#~ msgid "The user to drop privileges to" --#~ msgstr "ユーザーが特権を停止します" -+#: src/config/SSSDConfig/sssdoptions.py:516 -+msgid "Sudo rule runasuser attribute" -+msgstr "sudo ルールの runasuser の属性" - --#~ msgid "Tune certificate verification" --#~ msgstr "証明書検証の調整" -+#: src/config/SSSDConfig/sssdoptions.py:517 -+msgid "Sudo rule runasgroup attribute" -+msgstr "sudo ルールの runasgroup の属性" - --#~ msgid "" --#~ "All spaces in group or user names will be replaced with this character" --#~ msgstr "" --#~ "グループ名またはユーザー名のすべてのスペースは、この文字に置き換えられます" -+#: src/config/SSSDConfig/sssdoptions.py:518 -+msgid "Sudo rule notbefore attribute" -+msgstr "sudo ルールの notbefore の属性" - --#~ msgid "Tune sssd to honor or ignore netlink state changes" --#~ msgstr "SSSD を調整し、netlink の状態変更を尊重するか、または無視します" -+#: src/config/SSSDConfig/sssdoptions.py:519 -+msgid "Sudo rule notafter attribute" -+msgstr "sudo ルールの notafter の属性" - --#~ msgid "Enable or disable the implicit files domain" --#~ msgstr "暗黙のファイルドメインを有効化または無効化する" -+#: src/config/SSSDConfig/sssdoptions.py:520 -+msgid "Sudo rule order attribute" -+msgstr "sudo ルールの order の属性" - --#~ msgid "A specific order of the domains to be looked up" --#~ msgstr "検索するドメインの特定の順番" -+#: src/config/SSSDConfig/sssdoptions.py:523 -+msgid "Object class for automounter maps" -+msgstr "automounter マップのオブジェクトクラス" - --#~ msgid "Enumeration 
cache timeout length (seconds)" --#~ msgstr "列挙キャッシュのタイムアウト(秒)" -+#: src/config/SSSDConfig/sssdoptions.py:524 -+msgid "Automounter map name attribute" -+msgstr "オートマウントのマップ名の属性" - --#~ msgid "Entry cache background update timeout length (seconds)" --#~ msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)" -+#: src/config/SSSDConfig/sssdoptions.py:525 -+msgid "Object class for automounter map entries" -+msgstr "automounter マップエントリーのオブジェクトクラス" - --#~ msgid "Negative cache timeout length (seconds)" --#~ msgstr "ネガティブキャッシュのタイムアウト(秒)" -+#: src/config/SSSDConfig/sssdoptions.py:526 -+msgid "Automounter map entry key attribute" -+msgstr "automounter マップエントリーの鍵属性" - --#~ msgid "Files negative cache timeout length (seconds)" --#~ msgstr "ファイルネガティブキャッシュのタイムアウト時間(秒)" -+#: src/config/SSSDConfig/sssdoptions.py:527 -+msgid "Automounter map entry value attribute" -+msgstr "automounter マップエントリーの値属性" - --#~ msgid "Users that SSSD should explicitly ignore" --#~ msgstr "SSSD が明示的に無視するユーザー" -+#: src/config/SSSDConfig/sssdoptions.py:528 -+msgid "Base DN for automounter map lookups" -+msgstr "automonter のマップ検索のベース DN" - --#~ msgid "Groups that SSSD should explicitly ignore" --#~ msgstr "SSSD が明示的に無視するグループ" -+#: src/config/SSSDConfig/sssdoptions.py:529 -+msgid "The name of the automount master map in LDAP." 
-+msgstr "" - --#~ msgid "Should filtered users appear in groups" --#~ msgstr "フィルターされたユーザーをグループに表示する" -+#: src/config/SSSDConfig/sssdoptions.py:532 -+msgid "Base DN for IP hosts lookups" -+msgstr "" - --#~ msgid "The value of the password field the NSS provider should return" --#~ msgstr "NSS プロバイダーが返すパスワード項目の値" -+#: src/config/SSSDConfig/sssdoptions.py:533 -+msgid "Object class for IP hosts" -+msgstr "" - --#~ msgid "Override homedir value from the identity provider with this value" --#~ msgstr "識別プロバイダーからのホームディレクトリーの値をこの値で上書きする" -+#: src/config/SSSDConfig/sssdoptions.py:534 -+msgid "IP host name attribute" -+msgstr "" - --#~ msgid "" --#~ "Substitute empty homedir value from the identity provider with this value" --#~ msgstr "" --#~ "アイデンティティープロバイダーからの空のホームディレクトリーをこの値で置き" --#~ "換えます" -+#: src/config/SSSDConfig/sssdoptions.py:535 -+msgid "IP host number (address) attribute" -+msgstr "" - --#~ msgid "Override shell value from the identity provider with this value" --#~ msgstr "アイデンティティープロバイダーからのシェル値をこの値で上書きします" -+#: src/config/SSSDConfig/sssdoptions.py:536 -+msgid "IP host entryUSN attribute" -+msgstr "" - --#~ msgid "The list of shells users are allowed to log in with" --#~ msgstr "ユーザーがログインを許可されるシェルの一覧" -+#: src/config/SSSDConfig/sssdoptions.py:537 -+msgid "Base DN for IP networks lookups" -+msgstr "" - --#~ msgid "" --#~ "The list of shells that will be vetoed, and replaced with the fallback " --#~ "shell" --#~ msgstr "拒否されてフォールバックシェルで置き換えられるシェルの一覧" -+#: src/config/SSSDConfig/sssdoptions.py:538 -+msgid "Object class for IP networks" -+msgstr "" - --#~ msgid "" --#~ "If a shell stored in central directory is allowed but not available, use " --#~ "this fallback" --#~ msgstr "" --#~ "中央ディレクトリーに保存されたシェルが許可されるが、利用できない場合、この" --#~ "フォールバックを使用する" -+#: src/config/SSSDConfig/sssdoptions.py:539 -+msgid "IP network name attribute" -+msgstr "" - --#~ msgid "Shell to use if the provider does not list one" --#~ msgstr "プロバイダーが一覧に持っていないとき使用するシェル" -+#: 
src/config/SSSDConfig/sssdoptions.py:540 -+msgid "IP network number (address) attribute" -+msgstr "" - --#~ msgid "How long will be in-memory cache records valid" --#~ msgstr "メモリー内のキャッシュレコードが有効な期間" -+#: src/config/SSSDConfig/sssdoptions.py:541 -+msgid "IP network entryUSN attribute" -+msgstr "" - --#~ msgid "List of user attributes the NSS responder is allowed to publish" --#~ msgstr "NSS レスポンダーがパブリッシュを許可されたユーザー属性の一覧" -+#: src/config/SSSDConfig/sssdoptions.py:544 -+msgid "Comma separated list of allowed users" -+msgstr "許可ユーザーのカンマ区切り一覧" - --#~ msgid "How long to allow cached logins between online logins (days)" --#~ msgstr "" --#~ "オンラインログイン中にキャッシュによるログインが許容される期間(日数)" -+#: src/config/SSSDConfig/sssdoptions.py:545 -+msgid "Comma separated list of prohibited users" -+msgstr "禁止ユーザーのカンマ区切り一覧" - --#~ msgid "How many failed logins attempts are allowed when offline" --#~ msgstr "オフラインの時に許容されるログイン試行失敗回数" -+#: src/config/SSSDConfig/sssdoptions.py:546 -+msgid "" -+"Comma separated list of groups that are allowed to log in. This applies only " -+"to groups within this SSSD domain. Local groups are not evaluated." -+msgstr "" -+"Comma separated list of groups that are allowed to log in. This applies only " -+"to groups within this SSSD domain. Local groups are not evaluated." - --#~ msgid "" --#~ "How long (minutes) to deny login after offline_failed_login_attempts has " --#~ "been reached" --#~ msgstr "" --#~ "offline_failed_login_attempts に達した後にログインを拒否する時間(分)" -+#: src/config/SSSDConfig/sssdoptions.py:548 -+msgid "" -+"Comma separated list of groups that are explicitly denied access. This " -+"applies only to groups within this SSSD domain. Local groups are not " -+"evaluated." -+msgstr "" -+"Comma separated list of groups that are explicitly denied access. This " -+"applies only to groups within this SSSD domain. Local groups are not " -+"evaluated." 
-
--#~ msgid ""
--#~ "What kind of messages are displayed to the user during authentication"
--#~ msgstr "認証中にユーザーに表示されるメッセージの種類"
-+#: src/config/SSSDConfig/sssdoptions.py:552
-+msgid "Base for home directories"
-+msgstr "ホームディレクトリーのベース"
-
--#~ msgid "Filter PAM responses sent to the pam_sss"
--#~ msgstr "pam_sss へ送信された PAM のレスポンスをフィルタリングします"
-+#: src/config/SSSDConfig/sssdoptions.py:553
-+msgid "Indicate if a home directory should be created for new users."
-+msgstr ""
-
--#~ msgid ""
--#~ "How many seconds to keep identity information cached for PAM requests"
--#~ msgstr "PAM 要求に対してキャッシュされた認証情報を保持する秒数"
-+#: src/config/SSSDConfig/sssdoptions.py:554
-+msgid "Indicate if a home directory should be removed for deleted users."
-+msgstr ""
-
--#~ msgid ""
--#~ "How many days before password expiration a warning should be displayed"
--#~ msgstr "警告が表示されるパスワード失効前の日数"
-+#: src/config/SSSDConfig/sssdoptions.py:555
-+msgid "Specify the default permissions on a newly created home directory."
-+msgstr ""
-
--#~ msgid "List of trusted uids or user's name"
--#~ msgstr "信頼できる UID またはユーザー名の一覧"
-+#: src/config/SSSDConfig/sssdoptions.py:556
-+msgid "The skeleton directory."
-+msgstr ""
-
--#~ msgid "List of domains accessible even for untrusted users."
--#~ msgstr "信頼できないユーザーでさえアクセス可能なドメインの一覧。"
-+#: src/config/SSSDConfig/sssdoptions.py:557
-+msgid "The mail spool directory."
-+msgstr ""
-
--#~ msgid "Message printed when user account is expired."
--#~ msgstr "ユーザーアカウントの有効期限が切れると、メッセージが印刷されます。"
-+#: src/config/SSSDConfig/sssdoptions.py:558
-+msgid "The command that is run after a user is removed."
-+msgstr ""
-
--#~ msgid "Message printed when user account is locked."
--#~ msgstr "ユーザーアカウントがロックされると、メッセージが印刷されます。"
-+#: src/config/SSSDConfig/sssdoptions.py:561
-+msgid "The number of preforked proxy children."
-+msgstr "事前にフォークされた子プロキシーの数。"
-
--#~ msgid "Allow certificate based/Smartcard authentication."
--#~ msgstr "証明書ベースまたはスマートカードによる認証を許可します。" -+#: src/config/SSSDConfig/sssdoptions.py:564 -+msgid "The name of the NSS library to use" -+msgstr "使用する NSS ライブラリーの名前" - --#~ msgid "Path to certificate database with PKCS#11 modules." --#~ msgstr "PKCS#11 モジュールでの証明書データベースへのパス。" -+#: src/config/SSSDConfig/sssdoptions.py:565 -+msgid "The name of the NSS library to use for hosts and networks lookups" -+msgstr "" - --#~ msgid "How many seconds will pam_sss wait for p11_child to finish" --#~ msgstr "p11_child が完了するまでに pam_sss が待つ秒数" -+#: src/config/SSSDConfig/sssdoptions.py:566 -+msgid "Whether to look up canonical group name from cache if possible" -+msgstr "可能ならばキャッシュから正規化されたグループ名を検索するかどうか" - --#~ msgid "Which PAM services are permitted to contact application domains" --#~ msgstr "アプリケーションドメインへの接続を許可される PAM サービスはどれか" -+#: src/config/SSSDConfig/sssdoptions.py:569 -+msgid "PAM stack to use" -+msgstr "使用する PAM スタック" - --#~ msgid "Allowed services for using smartcards" --#~ msgstr "スマートカードの使用が許可されたサービス" -+#: src/config/SSSDConfig/sssdoptions.py:572 -+msgid "Path of passwd file sources." -+msgstr "passwd ファイルソースへのパス" - --#~ msgid "Additional timeout to wait for a card if requested" --#~ msgstr "要求された場合に、カードが待つ追加のタイムアウト" -+#: src/config/SSSDConfig/sssdoptions.py:573 -+msgid "Path of group file sources." 
-+msgstr "グループファイルソースへのパス" - --#~ msgid "" --#~ "PKCS#11 URI to restrict the selection of devices for Smartcard " --#~ "authentication" --#~ msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI が制限" -+#: src/monitor/monitor.c:2371 -+msgid "Become a daemon (default)" -+msgstr "デーモンとして実行(デフォルト)" - --#~ msgid "Whether to evaluate the time-based attributes in sudo rules" --#~ msgstr "sudo ルールにおいて時間による属性を評価するかどうか" -+#: src/monitor/monitor.c:2373 -+msgid "Run interactive (not a daemon)" -+msgstr "対話的に実行(デーモンではない)" - --#~ msgid "If true, SSSD will switch back to lower-wins ordering logic" --#~ msgstr "" --#~ "正しい場合、SSSD は小さい番号が優先される順位付けのロジックへ戻ります" -+#: src/monitor/monitor.c:2376 -+msgid "Disable netlink interface" -+msgstr "netlink インターフェースを無効にする" - --#~ msgid "" --#~ "Maximum number of rules that can be refreshed at once. If this is " --#~ "exceeded, full refresh is performed." --#~ msgstr "" --#~ "一度にリフレッシュ可能なルールの最大数。最大数を超えると、フルリフレッシュ" --#~ "が実行されます。" -+#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_config.c:77 -+#: src/tools/sssctl/sssctl_logs.c:310 -+msgid "Specify a non-default config file" -+msgstr "非標準の設定ファイルの指定" - --#~ msgid "Whether to hash host names and addresses in the known_hosts file" --#~ msgstr "" --#~ "known_hosts ファイルにおいてホスト名とアドレスをハッシュ化するかどうか" -+#: src/monitor/monitor.c:2380 -+msgid "Refresh the configuration database, then exit" -+msgstr "設定データベースをリフレッシュし、その後終了します" - --#~ msgid "" --#~ "How many seconds to keep a host in the known_hosts file after its host " --#~ "keys were requested" --#~ msgstr "ホスト鍵が要求された後 known_hosts ファイルにホストを保持する秒数" -+#: src/monitor/monitor.c:2383 -+msgid "Similar to --genconf, but only refreshes the given section" -+msgstr "--genconf と似ていますが、任意のセクションのみをリフレッシュします" - --#~ msgid "Path to storage of trusted CA certificates" --#~ msgstr "信頼された CA 証明書のストレージへのパス" -+#: src/monitor/monitor.c:2386 -+msgid "Print version number and exit" -+msgstr "バージョン番号を表示して終了する" - --#~ msgid "Allow to generate ssh-keys from certificates" --#~ msgstr "証明書からの 
ssh-key の生成を許可します" -+#: src/monitor/monitor.c:2532 -+msgid "SSSD is already running\n" -+msgstr "SSSD はすでに実行中です\n" - --#~ msgid "" --#~ "Use the following matching rules to filter the certificates for ssh-key " --#~ "generation" --#~ msgstr "" --#~ "以下の一致するルールを使用して、ssh-key 生成用の証明書をフィルタリングしま" --#~ "す" -+#: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:638 -+msgid "Debug level" -+msgstr "デバッグレベル" - --#~ msgid "List of UIDs or user names allowed to access the PAC responder" --#~ msgstr "PAC レスポンダーへのアクセスが許可された UID またはユーザー名の一覧" -+#: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:640 -+msgid "Add debug timestamps" -+msgstr "デバッグのタイムスタンプを追加する" - --#~ msgid "How long the PAC data is considered valid" --#~ msgstr "PAC データが有効とされる期間" -+#: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:642 -+msgid "Show timestamps with microseconds" -+msgstr "タイムスタンプをミリ秒単位で表示する" - --#~ msgid "List of UIDs or user names allowed to access the InfoPipe responder" --#~ msgstr "" --#~ "InfoPipe レスポンダーへのアクセスが許可された UID またはユーザー名の一覧" -+#: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:644 -+msgid "An open file descriptor for the debug logs" -+msgstr "デバッグログのオープンファイルディスクリプター" - --#~ msgid "List of user attributes the InfoPipe is allowed to publish" --#~ msgstr "InfoPipe がパブリッシュを許可されたユーザー属性の一覧" -+#: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:646 -+msgid "Send the debug output to stderr directly." 
-+msgstr "デバッグ出力を stderr に直接送信します。" - --#~ msgid "The provider where the secrets will be stored in" --#~ msgstr "シークレットが保存されるプロバイダー" -+#: src/providers/krb5/krb5_child.c:3245 -+msgid "The user to create FAST ccache as" -+msgstr "次のように FAST ccache を作成するユーザー" - --#~ msgid "The maximum allowed number of nested containers" --#~ msgstr "ネストされたコンテナーの最大許可数" -+#: src/providers/krb5/krb5_child.c:3247 -+msgid "The group to create FAST ccache as" -+msgstr "次のように FAST ccache を作成するグループ" - --#~ msgid "The maximum number of secrets that can be stored" --#~ msgstr "保存可能なシークレットの最大数" -+#: src/providers/krb5/krb5_child.c:3249 -+msgid "Kerberos realm to use" -+msgstr "使用する Kerberos レルム" - --#~ msgid "The maximum number of secrets that can be stored per UID" --#~ msgstr "UID ごとに保存可能なシークレットの最大数" -+#: src/providers/krb5/krb5_child.c:3251 -+msgid "Requested lifetime of the ticket" -+msgstr "チケットの要求された有効期間" - --#~ msgid "The maximum payload size of a secret in kilobytes" --#~ msgstr "キロバイトでのシークレットの最大ペイロードサイズ" -+#: src/providers/krb5/krb5_child.c:3253 -+msgid "Requested renewable lifetime of the ticket" -+msgstr "チケットの要求された更新可能な有効期間" - --#~ msgid "The URL Custodia server is listening on" --#~ msgstr "URL Custodia サーバーはリッスンしています" -+#: src/providers/krb5/krb5_child.c:3255 -+msgid "FAST options ('never', 'try', 'demand')" -+msgstr "FAST のオプション ('never'、'try'、'demand')" - --#~ msgid "The method to use when authenticating to a Custodia server" --#~ msgstr "Custodia サーバーへの認証時に使用する方法" -+#: src/providers/krb5/krb5_child.c:3258 -+msgid "Specifies the server principal to use for FAST" -+msgstr "FAST で使用するサーバープリンシパルを指定します" - --#~ msgid "" --#~ "The name of the headers that will be added into a HTTP request with the " --#~ "value defined in auth_header_value" --#~ msgstr "" --#~ "auth_header_value で値が定義され、HTTP リクエストに追加されるヘッダーの名" --#~ "前" -+#: src/providers/krb5/krb5_child.c:3260 -+msgid "Requests canonicalization of the principal name" -+msgstr "プリンシパル名の正規化を要求します" - --#~ msgid "The value sssd-secrets 
would use for auth_header_name" --#~ msgstr "sssd-secrets の値は、auth_header_name で使用します" -+#: src/providers/krb5/krb5_child.c:3262 -+msgid "Use custom version of krb5_get_init_creds_password" -+msgstr "krb5_get_init_creds_password のカスタムバージョンを使用します" - --#~ msgid "" --#~ "The list of the headers to forward to the Custodia server together with " --#~ "the request" --#~ msgstr "要求と共に Custodia サーバーへ転送するヘッダーの一覧" -+#: src/providers/data_provider_be.c:674 -+msgid "Domain of the information provider (mandatory)" -+msgstr "情報プロバイダーのドメイン (必須)" - --#~ msgid "" --#~ "The username to use when authenticating to a Custodia server using " --#~ "basic_auth" --#~ msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するユーザー名" -+#: src/sss_client/common.c:1079 -+msgid "Privileged socket has wrong ownership or permissions." -+msgstr "特権ソケットの所有者またはパーミッションが誤っています。" - --#~ msgid "" --#~ "The password to use when authenticating to a Custodia server using " --#~ "basic_auth" --#~ msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するパスワード" -+#: src/sss_client/common.c:1082 -+msgid "Public socket has wrong ownership or permissions." -+msgstr "公開ソケットの所有者またはパーミッションが誤っています。" - --#~ msgid "" --#~ "If true peer's certificate is verified if proxy_url uses https protocol" --#~ msgstr "" --#~ "proxy_url が https protocol を使用する場合に、正しいピアの証明書が検証され" --#~ "るかどうか" -+#: src/sss_client/common.c:1085 -+msgid "Unexpected format of the server credential message." -+msgstr "サーバーのクレデンシャルメッセージの予期しない形式です。" - --#~ msgid "" --#~ "If false peer's certificate may contain different hostname than proxy_url " --#~ "when https protocol is used" --#~ msgstr "" --#~ "https プロトコルが使用される場合に、間違ったピアの証明書が proxy_url 以外" --#~ "の異なるホスト名を含むかどうか" -+#: src/sss_client/common.c:1088 -+msgid "SSSD is not run by root." -+msgstr "SSSD は root により実行されません。" - --#~ msgid "" --#~ "Path to directory where certificate authority certificates are stored" --#~ msgstr "CA 証明書が保存されているディレクトリーへのパス" -+#: src/sss_client/common.c:1091 -+msgid "SSSD socket does not exist." 
-+msgstr "SSSD ソケットは存在しません。" - --#~ msgid "Path to file containing server's CA certificate" --#~ msgstr "サーバーの CA 証明書を含むファイルへのパス" -+#: src/sss_client/common.c:1094 -+msgid "Cannot get stat of SSSD socket." -+msgstr "SSSD ソケットの統計を取得できません。" - --#~ msgid "Path to file containing client's certificate" --#~ msgstr "クライアントの証明書を含むファイルへのパス" -+#: src/sss_client/common.c:1099 -+msgid "An error occurred, but no description can be found." -+msgstr "エラーが発生しましたが、説明がありませんでした。" - --#~ msgid "Path to file containing client's private key" --#~ msgstr "クライアントの秘密鍵を含むファイルへのパス" -+#: src/sss_client/common.c:1105 -+msgid "Unexpected error while looking for an error description" -+msgstr "エラーの説明を検索中に予期しないエラーが発生しました" - --#~ msgid "Identity provider" --#~ msgstr "アイデンティティープロバイダー" -+#: src/sss_client/pam_sss.c:68 -+msgid "Permission denied. " -+msgstr "パーミッションが拒否されました。" - --#~ msgid "Authentication provider" --#~ msgstr "認証プロバイダー" -+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 -+#: src/sss_client/pam_sss.c:792 -+msgid "Server message: " -+msgstr "サーバーのメッセージ: " - --#~ msgid "Access control provider" --#~ msgstr "アクセス制御プロバイダー" -+#: src/sss_client/pam_sss.c:299 -+msgid "Passwords do not match" -+msgstr "パスワードが一致しません" - --#~ msgid "Password change provider" --#~ msgstr "パスワード変更プロバイダー" -+#: src/sss_client/pam_sss.c:487 -+msgid "Password reset by root is not supported." -+msgstr "root によるパスワードのリセットはサポートされません。" - --#~ msgid "SUDO provider" --#~ msgstr "SUDO プロバイダー" -+#: src/sss_client/pam_sss.c:528 -+msgid "Authenticated with cached credentials" -+msgstr "キャッシュされているクレデンシャルを用いて認証されました" - --#~ msgid "Autofs provider" --#~ msgstr "Autofs プロバイダー" -+#: src/sss_client/pam_sss.c:529 -+msgid ", your cached password will expire at: " -+msgstr "、キャッシュされたパスワードが失効します: " - --#~ msgid "Host identity provider" --#~ msgstr "ホスト識別プロバイダー" -+#: src/sss_client/pam_sss.c:559 -+#, c-format -+msgid "Your password has expired. You have %1$d grace login(s) remaining." 
-+msgstr "パスワードの期限が切れています。あと %1$d 回ログインできます。" - --#~ msgid "SELinux provider" --#~ msgstr "SELinux プロバイダー" -+#: src/sss_client/pam_sss.c:605 -+#, c-format -+msgid "Your password will expire in %1$d %2$s." -+msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。" - --#~ msgid "Session management provider" --#~ msgstr "セッションマネージャーのプロバイダー" -+#: src/sss_client/pam_sss.c:654 -+msgid "Authentication is denied until: " -+msgstr "次まで認証が拒否されます: " - --#~ msgid "Whether the domain is usable by the OS or by applications" --#~ msgstr "OS またはアプリケーションがドメインを使用できるかどうか" -+#: src/sss_client/pam_sss.c:675 -+msgid "System is offline, password change not possible" -+msgstr "システムがオフラインです、パスワード変更ができません" - --#~ msgid "Minimum user ID" --#~ msgstr "最小ユーザー ID" -+#: src/sss_client/pam_sss.c:690 -+msgid "" -+"After changing the OTP password, you need to log out and back in order to " -+"acquire a ticket" -+msgstr "OTP パスワードの変更後、チケットを取得するためにログアウト後に再びログインする必要があります" - --#~ msgid "Maximum user ID" --#~ msgstr "最大ユーザー ID" -+#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 -+msgid "Password change failed. 
" -+msgstr "パスワードの変更に失敗しました。" - --#~ msgid "Enable enumerating all users/groups" --#~ msgstr "すべてのユーザー・グループの列挙を有効にする" -+#: src/sss_client/pam_sss.c:2015 -+msgid "New Password: " -+msgstr "新しいパスワード: " - --#~ msgid "Cache credentials for offline login" --#~ msgstr "オフラインログインのためにクレデンシャルをキャッシュする" -+#: src/sss_client/pam_sss.c:2016 -+msgid "Reenter new Password: " -+msgstr "新しいパスワードの再入力: " - --#~ msgid "Display users/groups in fully-qualified form" --#~ msgstr "ユーザー・グループを完全修飾形式で表示する" -+#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 -+msgid "First Factor: " -+msgstr "1 番目の要素: " - --#~ msgid "Don't include group members in group lookups" --#~ msgstr "グループ検索にグループメンバーを含めない" -+#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 -+msgid "Second Factor (optional): " -+msgstr "2 番目の要素 (オプション): " - --#~ msgid "Entry cache timeout length (seconds)" --#~ msgstr "エントリーキャッシュのタイムアウト長(秒)" -+#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 -+msgid "Second Factor: " -+msgstr "2 番目の要素: " - --#~ msgid "" --#~ "Restrict or prefer a specific address family when performing DNS lookups" --#~ msgstr "" --#~ "DNS 検索を実行する時に特定のアドレスファミリーを制限または優先します" -+#: src/sss_client/pam_sss.c:2200 -+msgid "Password: " -+msgstr "パスワード: " - --#~ msgid "How long to keep cached entries after last successful login (days)" --#~ msgstr "最終ログイン成功時からキャッシュエントリーを保持する日数" -+#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 -+msgid "First Factor (Current Password): " -+msgstr "1 番目の要素 (現在のパスワード): " - --#~ msgid "" --#~ "How long should SSSD talk to single DNS server before trying next server " --#~ "(miliseconds)" --#~ msgstr "" --#~ "次のサーバーを試行するまでに SSSD が単一の DNS サーバーと通信する時間 (ミ" --#~ "リ秒)" -+#: src/sss_client/pam_sss.c:2359 -+msgid "Current Password: " -+msgstr "現在のパスワード: " - --#~ msgid "How long should keep trying to resolve single DNS query (seconds)" --#~ msgstr "単一の DNS クエリーの解決を試行する時間 (秒)" -+#: src/sss_client/pam_sss.c:2714 -+msgid "Password expired. 
Change your password now." -+msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。" - --#~ msgid "" --#~ "How long to wait for replies from DNS when resolving servers (seconds)" --#~ msgstr "サーバーを名前解決する時に DNS から応答を待つ時間(秒)" -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 -+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 -+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 -+#: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 -+#: src/tools/sss_cache.c:719 -+msgid "The debug level to run with" -+msgstr "実行するデバッグレベル" - --#~ msgid "The domain part of service discovery DNS query" --#~ msgstr "サービス検索 DNS クエリーのドメイン部分" -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 -+msgid "The SSSD domain to use" -+msgstr "使用する SSSD ドメイン" - --#~ msgid "Override GID value from the identity provider with this value" --#~ msgstr "識別プロバイダーからの GID 値をこの値で上書きする" -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 -+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 -+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 -+#: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 -+#: src/tools/sss_cache.c:765 -+msgid "Error setting the locale\n" -+msgstr "ロケールの設定中にエラーが発生しました\n" - --#~ msgid "Treat usernames as case sensitive" --#~ msgstr "ユーザー名が大文字小文字を区別するよう取り扱う" -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 -+msgid "Not enough memory\n" -+msgstr "十分なメモリーがありません\n" - --#~ msgid "How often should expired entries be refreshed in background" --#~ msgstr "期限切れのエントリーがバックグラウンドで更新される頻度" -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 -+msgid "User not specified\n" -+msgstr "ユーザーが指定されていません\n" - --#~ msgid "Whether to automatically update the client's DNS entry" --#~ msgstr "自動的にクライアントの DNS エントリーを更新するかどうか" -+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 -+msgid "Error looking up public keys\n" 
-+msgstr "公開鍵の検索中にエラーが発生しました\n" - --#~ msgid "The TTL to apply to the client's DNS entry after updating it" --#~ msgstr "クライアントの DNS 項目を更新後、適用する TTL" -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 -+msgid "The port to use to connect to the host" -+msgstr "ホストへの接続に使用するポート" - --#~ msgid "The interface whose IP should be used for dynamic DNS updates" --#~ msgstr "動的 DNS 更新のために使用される IP のインターフェース" -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 -+msgid "Print the host ssh public keys" -+msgstr "ホスト SSH 公開鍵を印刷" - --#~ msgid "How often to periodically update the client's DNS entry" --#~ msgstr "どのくらい定期的にクライアントの DNS エントリーを更新するか" -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 -+msgid "Invalid port\n" -+msgstr "無効なポート\n" - --#~ msgid "Whether the provider should explicitly update the PTR record as well" --#~ msgstr "" --#~ "プロバイダーが同じように PTR レコードを明示的に更新する必要があるかどうか" -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 -+msgid "Host not specified\n" -+msgstr "ホストが指定されていません\n" - --#~ msgid "Whether the nsupdate utility should default to using TCP" --#~ msgstr "nsupdate ユーティリティーが標準で TCP を使用するかどうか" -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 -+msgid "The path to the proxy command must be absolute\n" -+msgstr "プロキシコマンドへのパスは絶対パスにする必要があります\n" - --#~ msgid "What kind of authentication should be used to perform the DNS update" --#~ msgstr "DNS 更新を実行するために使用すべき認証の種類" -+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 -+#, c-format -+msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" -+msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n" - --#~ msgid "Override the DNS server used to perform the DNS update" --#~ msgstr "DNS の更新を実行する際に使用する DNS サーバーを上書き" -+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 -+msgid "The UID of the user" -+msgstr "ユーザーの UID" - --#~ msgid "Control enumeration of trusted domains" --#~ msgstr "信頼されたドメインの列挙を制御" -+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 -+msgid "The comment string" -+msgstr 
"コメント文字列" - --#~ msgid "How often should subdomains list be refreshed" --#~ msgstr "サブドメインの一覧のリフレッシュ回数" -+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 -+msgid "Home directory" -+msgstr "ホームディレクトリー" - --#~ msgid "List of options that should be inherited into a subdomain" --#~ msgstr "サブドメインに継承すべきオプションの一覧" -+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 -+msgid "Login shell" -+msgstr "ログインシェル" - --#~ msgid "Default subdomain homedir value" --#~ msgstr "デフォルトのサブドメインホームディレクトリーの値" -+#: src/tools/sss_useradd.c:53 -+msgid "Groups" -+msgstr "グループ" - --#~ msgid "How long can cached credentials be used for cached authentication" --#~ msgstr "証明書キャッシュを認証キャッシュに使用できる期間" -+#: src/tools/sss_useradd.c:54 -+msgid "Create user's directory if it does not exist" -+msgstr "ユーザーのディレクトリーが存在しなければ作成する" - --#~ msgid "Whether to automatically create private groups for users" --#~ msgstr "ユーザーにプライベートグループを自動的に作成するかどうか" -+#: src/tools/sss_useradd.c:55 -+msgid "Never create user's directory, overrides config" -+msgstr "ユーザーのディレクトリーを作成しない、設定を上書きする" - --#~ msgid "IPA domain" --#~ msgstr "IPA ドメイン" -+#: src/tools/sss_useradd.c:56 -+msgid "Specify an alternative skeleton directory" -+msgstr "代替のスケルトンディレクトリーを指定する" - --#~ msgid "IPA server address" --#~ msgstr "IPA サーバーのアドレス" -+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 -+msgid "The SELinux user for user's login" -+msgstr "ユーザーのログインに対する SELinux ユーザー" - --#~ msgid "Address of backup IPA server" --#~ msgstr "バックアップ IPA サーバーのアドレス" -+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 -+#: src/tools/sss_usermod.c:92 -+msgid "Specify group to add to\n" -+msgstr "追加するグループを指定してください\n" - --#~ msgid "IPA client hostname" --#~ msgstr "IPA クライアントのホスト名" -+#: src/tools/sss_useradd.c:111 -+msgid "Specify user to add\n" -+msgstr "追加するユーザーを指定してください\n" - --#~ msgid "Whether to automatically update the client's DNS entry in FreeIPA" --#~ msgstr "" --#~ "FreeIPA にあるクライアントの DNS エントリーを自動的に更新するかどうか" -+#: 
src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 -+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 -+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 -+#: src/tools/sss_usermod.c:162 -+msgid "Error initializing the tools - no local domain\n" -+msgstr "ツールを初期化中にエラーが発生しました - ローカルドメインがありません\n" - --#~ msgid "Search base for HBAC related objects" --#~ msgstr "HBAC 関連オブジェクトの検索ベース" -+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 -+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 -+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 -+#: src/tools/sss_usermod.c:164 -+msgid "Error initializing the tools\n" -+msgstr "ツールを初期化中にエラーが発生しました\n" - --#~ msgid "" --#~ "The amount of time between lookups of the HBAC rules against the IPA " --#~ "server" --#~ msgstr "IPA サーバーに対する HBAC ルールを検索している間の合計時間" -+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 -+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 -+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 -+#: src/tools/sss_usermod.c:173 -+msgid "Invalid domain specified in FQDN\n" -+msgstr "FQDN で指定されたドメインが無効です\n" - --#~ msgid "" --#~ "The amount of time in seconds between lookups of the SELinux maps against " --#~ "the IPA server" --#~ msgstr "IPA サーバーに対する SELinux マップの検索の間の秒単位の合計時間" -+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 -+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 -+#: src/tools/sss_usermod.c:226 -+msgid "Internal error while parsing parameters\n" -+msgstr "パラメーターを解析中に内部エラーが発生しました\n" - --#~ msgid "If set to false, host argument given by PAM will be ignored" --#~ msgstr "" --#~ "もし偽に設定されていると、PAM により渡されたホスト引数は無視されます" -+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 -+#: src/tools/sss_usermod.c:235 -+msgid "Groups must be in the same domain as user\n" -+msgstr "グループがユーザーと同じドメインになければいけません\n" - --#~ msgid "The automounter location this IPA client is using" --#~ msgstr "この IPA クライアントが使用している 
automounter の場所" -+#: src/tools/sss_useradd.c:159 -+#, c-format -+msgid "Cannot find group %1$s in local domain\n" -+msgstr "ローカルドメインにグループ %1$s を見つけられません\n" - --#~ msgid "Search base for object containing info about IPA domain" --#~ msgstr "IPA ドメインに関する情報を含むオブジェクトに対する検索ベース" -+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 -+msgid "Cannot set default values\n" -+msgstr "デフォルト値を設定できません\n" - --#~ msgid "Search base for objects containing info about ID ranges" --#~ msgstr "ID 範囲に関する情報を含むオブジェクトに対する検索ベース" -+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 -+msgid "The selected UID is outside the allowed range\n" -+msgstr "選択された UID は許容される範囲を越えています\n" - --#~ msgid "Enable DNS sites - location based service discovery" --#~ msgstr "DNS サイトの有効化 - 位置ベースのサービス検索" -+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 -+msgid "Cannot set SELinux login context\n" -+msgstr "SELinux ログインコンテキストを設定できません\n" - --#~ msgid "Search base for view containers" --#~ msgstr "ビューコンテナーの検索ベース" -+#: src/tools/sss_useradd.c:224 -+msgid "Cannot get info about the user\n" -+msgstr "ユーザーに関する情報を取得できません\n" - --#~ msgid "Objectclass for view containers" --#~ msgstr "ビューコンテナーのオブジェクトクラス" -+#: src/tools/sss_useradd.c:236 -+msgid "User's home directory already exists, not copying data from skeldir\n" -+msgstr "ユーザーのホームディレクトリーがすでに存在します、スケルトンディレクトリーからデータをコピーしません\n" - --#~ msgid "Attribute with the name of the view" --#~ msgstr "ビューの名前の属性" -+#: src/tools/sss_useradd.c:239 -+#, c-format -+msgid "Cannot create user's home directory: %1$s\n" -+msgstr "ユーザーのホームディレクトリーを作成できません: %1$s\n" - --#~ msgid "Objectclass for override objects" --#~ msgstr "上書きされたオブジェクトのオブジェクトクラス" -+#: src/tools/sss_useradd.c:250 -+#, c-format -+msgid "Cannot create user's mail spool: %1$s\n" -+msgstr "ユーザーのメールスプールを作成できません: %1$s\n" - --#~ msgid "Attribute with the reference to the original object" --#~ msgstr "オリジナルオブジェクトを参照する属性" -+#: src/tools/sss_useradd.c:270 -+msgid "Could not allocate ID for the user - domain 
full?\n" -+msgstr "ユーザーに ID を割り当てられませんでした - ドメインがいっぱいですか?\n" - --#~ msgid "Objectclass for user override objects" --#~ msgstr "ユーザーが上書きするオブジェクトのオブジェクトクラス" -+#: src/tools/sss_useradd.c:274 -+msgid "A user or group with the same name or ID already exists\n" -+msgstr "同じ名前または ID を持つユーザーまたはグループがすでに存在します\n" - --#~ msgid "Objectclass for group override objects" --#~ msgstr "グループが上書きするオブジェクトのオブジェクトクラス" -+#: src/tools/sss_useradd.c:280 -+msgid "Transaction error. Could not add user.\n" -+msgstr "トランザクションエラー。ユーザーを追加できませんでした。\n" - --#~ msgid "Search base for Desktop Profile related objects" --#~ msgstr "デスクトッププロファイルに関連するオブジェクトの検索ベース" -+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 -+msgid "The GID of the group" -+msgstr "グループの GID" - --#~ msgid "" --#~ "The amount of time in seconds between lookups of the Desktop Profile " --#~ "rules against the IPA server" --#~ msgstr "" --#~ "IPA サーバーに対するデスクトッププロファイルルールを検索している間の秒単位" --#~ "の合計時間" -+#: src/tools/sss_groupadd.c:76 -+msgid "Specify group to add\n" -+msgstr "追加するグループを指定してください\n" - --#~ msgid "" --#~ "The amount of time in minutes between lookups of Desktop Profiles rules " --#~ "against the IPA server when the last request did not find any rule" --#~ msgstr "" --#~ "最後の要求がルールを何も見つけなかった場合の IPA サーバーに対するデスク" --#~ "トッププロファイルル ールを検索している間の分単位の合計時間" -+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 -+msgid "The selected GID is outside the allowed range\n" -+msgstr "選択された GID は許容される範囲を越えています\n" - --#~ msgid "Active Directory domain" --#~ msgstr "Active Directory ドメイン" -+#: src/tools/sss_groupadd.c:143 -+msgid "Could not allocate ID for the group - domain full?\n" -+msgstr "グループに ID を割り当てられませんでした - ドメインがいっぱいですか?\n" - --#~ msgid "Enabled Active Directory domains" --#~ msgstr "有効化された Active Directory ドメイン" -+#: src/tools/sss_groupadd.c:147 -+msgid "A group with the same name or GID already exists\n" -+msgstr "同じ名前または GID を持つグループがすでに存在します\n" - --#~ msgid "Active Directory server address" --#~ msgstr "Active 
Directory サーバーアドレス" -+#: src/tools/sss_groupadd.c:153 -+msgid "Transaction error. Could not add group.\n" -+msgstr "トランザクションエラー。グループを追加できませんでした。\n" - --#~ msgid "Active Directory backup server address" --#~ msgstr "Active Directory バックアップサーバーのアドレス" -+#: src/tools/sss_groupdel.c:70 -+msgid "Specify group to delete\n" -+msgstr "削除するグループを指定してください\n" - --#~ msgid "Active Directory client hostname" --#~ msgstr "Active Directory クライアントホスト名" -+#: src/tools/sss_groupdel.c:104 -+#, c-format -+msgid "Group %1$s is outside the defined ID range for domain\n" -+msgstr "グループ %1$s はドメインに対して定義された ID の範囲を越えています\n" - --#~ msgid "LDAP filter to determine access privileges" --#~ msgstr "アクセス権限を決めるための LDAP フィルター" -+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 -+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -+#: src/tools/sss_userdel.c:297 src/tools/sss_usermod.c:282 -+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 -+#, c-format -+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" -+msgstr "NSS リクエストに失敗しました (%1$d)。項目はメモリーキャッシュに残されます。\n" - --#~ msgid "Whether to use the Global Catalog for lookups" --#~ msgstr "検索にグローバルカタログを使用するかどうか" -+#: src/tools/sss_groupdel.c:132 -+msgid "" -+"No such group in local domain. Removing groups only allowed in local domain." -+"\n" -+msgstr "そのようなグループはローカルドメインにありません。グループの削除はローカルドメインにおいてのみ許可されます。\n" - --#~ msgid "Operation mode for GPO-based access control" --#~ msgstr "グローバルカタログベースのアクセス制御に対するオペレーションモード" -+#: src/tools/sss_groupdel.c:137 -+msgid "Internal error. 
Could not remove group.\n" -+msgstr "内部エラー。グループを削除できませんでした。\n" - --#~ msgid "" --#~ "The amount of time between lookups of the GPO policy files against the AD " --#~ "server" --#~ msgstr "AD サーバーに対する GPO ポリシーファイルを検索している間の合計時間" -+#: src/tools/sss_groupmod.c:44 -+msgid "Groups to add this group to" -+msgstr "このグループに追加するグループ" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "GPO (Deny)InteractiveLogonRight のポリシー設定にマッピングした PAM サービ" --#~ "ス名" -+#: src/tools/sss_groupmod.c:46 -+msgid "Groups to remove this group from" -+msgstr "このグループから削除するグループ" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " --#~ "policy settings" --#~ msgstr "" --#~ "GPO (Deny)RemoteInteractiveLogonRight のポリシー設定にマッピングした PAM " --#~ "サービス名" -+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 -+msgid "Specify group to remove from\n" -+msgstr "削除するグループを指定してください\n" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)NetworkLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "GPO (Deny)NetworkLogonRight のポリシー設定にマッピングした PAM サービス名" -+#: src/tools/sss_groupmod.c:101 -+msgid "Specify group to modify\n" -+msgstr "変更するグループを指定してください\n" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)BatchLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "GPO (Deny)BatchLogonRight のポリシー設定にマッピングした PAM サービス名" -+#: src/tools/sss_groupmod.c:130 -+msgid "" -+"Cannot find group in local domain, modifying groups is allowed only in local " -+"domain\n" -+msgstr "ローカルドメインにグループが見つかりませんでした。グループの変更はローカルドメインにおいてのみ許可されます\n" - --#~ msgid "" --#~ "PAM service names that map to the GPO (Deny)ServiceLogonRight policy " --#~ "settings" --#~ msgstr "" --#~ "(Deny)ServiceLogonRight のポリシー設定にマッピングした PAM サービス名" -+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 -+msgid "Member groups must be in the same domain as parent group\n" -+msgstr 
"メンバーグループが親グループと同じドメインにある必要があります\n" - --#~ msgid "PAM service names for which GPO-based access is always granted" --#~ msgstr "GPO ベースのアクセスが常に許可される PAM サービス名" -+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 -+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 -+#, c-format -+msgid "" -+"Cannot find group %1$s in local domain, only groups in local domain are " -+"allowed\n" -+msgstr "ローカルドメインにグループ %1$s が見つかりません。ローカルドメインにあるグループのみが許可されます\n" - --#~ msgid "PAM service names for which GPO-based access is always denied" --#~ msgstr "GPO ベースのアクセスが常に拒否される PAM サービス名" -+#: src/tools/sss_groupmod.c:257 -+msgid "Could not modify group - check if member group names are correct\n" -+msgstr "グループを変更できませんでした - メンバーグループ名が正しいかを確認してください\n" - --#~ msgid "" --#~ "Default logon right (or permit/deny) to use for unmapped PAM service names" --#~ msgstr "" --#~ "マッピングされていない PAM サービス名に使用するデフォルトのログオン権利 " --#~ "(または許可/拒否)" -+#: src/tools/sss_groupmod.c:261 -+msgid "Could not modify group - check if groupname is correct\n" -+msgstr "グループを変更できませんでした - グループ名が正しいかを確認してください\n" - --#~ msgid "a particular site to be used by the client" --#~ msgstr "クライアントが使用する特定のサイト" -+#: src/tools/sss_groupmod.c:265 -+msgid "Transaction error. 
Could not modify group.\n" -+msgstr "トランザクションエラー。グループを変更できませんでした。\n" - --#~ msgid "" --#~ "Maximum age in days before the machine account password should be renewed" --#~ msgstr "マシンアカウントのパスワードの更新が必要となるまでの最大日数" -+#: src/tools/sss_groupshow.c:616 -+msgid "Magic Private " -+msgstr "マジックプライベート " - --#~ msgid "Option for tuning the machine account renewal task" --#~ msgstr "マシンアカウントの更新タスクをチューニングするオプション" -+#: src/tools/sss_groupshow.c:615 -+#, c-format -+msgid "%1$s%2$sGroup: %3$s\n" -+msgstr "%1$s%2$sGroup: %3$s\n" - --#~ msgid "Kerberos server address" --#~ msgstr "Kerberos サーバーのアドレス" -+#: src/tools/sss_groupshow.c:618 -+#, c-format -+msgid "%1$sGID number: %2$d\n" -+msgstr "%1$sGID 番号: %2$d\n" - --#~ msgid "Kerberos backup server address" --#~ msgstr "Kerberos バックアップサーバーのアドレス" -+#: src/tools/sss_groupshow.c:620 -+#, c-format -+msgid "%1$sMember users: " -+msgstr "%1$sMember ユーザー: " - --#~ msgid "Kerberos realm" --#~ msgstr "Kerberos レルム" -+#: src/tools/sss_groupshow.c:627 -+#, c-format -+msgid "\n" -+"%1$sIs a member of: " -+msgstr "\n" -+"%1$sIs は次のメンバー: " - --#~ msgid "Authentication timeout" --#~ msgstr "認証のタイムアウト" -+#: src/tools/sss_groupshow.c:634 -+#, c-format -+msgid "\n" -+"%1$sMember groups: " -+msgstr "\n" -+"%1$sMember グループ: " - --#~ msgid "Whether to create kdcinfo files" --#~ msgstr "kdcinfo ファイルを作成するかどうか" -+#: src/tools/sss_groupshow.c:670 -+msgid "Print indirect group members recursively" -+msgstr "間接グループメンバーを再帰的に表示する" - --#~ msgid "Where to drop krb5 config snippets" --#~ msgstr "krb5 設定スニペットを削除する場所" -+#: src/tools/sss_groupshow.c:704 -+msgid "Specify group to show\n" -+msgstr "表示するグループを指定してください\n" - --#~ msgid "Directory to store credential caches" --#~ msgstr "クレデンシャルのキャッシュを保存するディレクトリー" -+#: src/tools/sss_groupshow.c:744 -+msgid "" -+"No such group in local domain. Printing groups only allowed in local domain." 
-+"\n" -+msgstr "そのようなグループはローカルドメインにありません。グループの表示はローカルドメインにおいてのみ許可されます。\n" - --#~ msgid "Location of the user's credential cache" --#~ msgstr "ユーザーのクレデンシャルキャッシュの位置" -+#: src/tools/sss_groupshow.c:749 -+msgid "Internal error. Could not print group.\n" -+msgstr "内部エラー。グループを表示できませんでした。\n" - --#~ msgid "Location of the keytab to validate credentials" --#~ msgstr "クレデンシャルを検証するキーテーブルの場所" -+#: src/tools/sss_userdel.c:138 -+msgid "Remove home directory and mail spool" -+msgstr "ホームディレクトリーとメールスプールを削除する" - --#~ msgid "Enable credential validation" --#~ msgstr "クレデンシャルの検証を有効にする" -+#: src/tools/sss_userdel.c:140 -+msgid "Do not remove home directory and mail spool" -+msgstr "ホームディレクトリーとメールスプールを削除しない" - --#~ msgid "Store password if offline for later online authentication" --#~ msgstr "" --#~ "後からオンライン認証するためにオフラインの場合にパスワードを保存します" -+#: src/tools/sss_userdel.c:142 -+msgid "Force removal of files not owned by the user" -+msgstr "ユーザーにより所有されていないファイルの強制削除" - --#~ msgid "Renewable lifetime of the TGT" --#~ msgstr "更新可能な TGT の有効期間" -+#: src/tools/sss_userdel.c:144 -+msgid "Kill users' processes before removing him" -+msgstr "ユーザーを削除する前にそのユーザーのプロセスを強制停止する" - --#~ msgid "Lifetime of the TGT" --#~ msgstr "TGT の有効期間" -+#: src/tools/sss_userdel.c:190 -+msgid "Specify user to delete\n" -+msgstr "削除するユーザーを指定する\n" - --#~ msgid "Time between two checks for renewal" --#~ msgstr "更新を確認する間隔" -+#: src/tools/sss_userdel.c:236 -+#, c-format -+msgid "User %1$s is outside the defined ID range for domain\n" -+msgstr "ユーザー %1$s はドメインに対して定義された ID の範囲を超えています\n" - --#~ msgid "Enables FAST" --#~ msgstr "FAST を有効にする" -+#: src/tools/sss_userdel.c:261 -+msgid "Cannot reset SELinux login context\n" -+msgstr "SELinux ログインコンテキストをリセットできません\n" - --#~ msgid "Selects the principal to use for FAST" --#~ msgstr "FAST に使用するプリンシパルを選択する" -+#: src/tools/sss_userdel.c:273 -+#, c-format -+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" -+msgstr "警告: ユーザー (uid %1$lu) が削除された時にまだログインしていました。\n" - --#~ 
msgid "Enables principal canonicalization" --#~ msgstr "プリンシパル正規化を有効にする" -+#: src/tools/sss_userdel.c:278 -+msgid "Cannot determine if the user was logged in on this platform" -+msgstr "ユーザーがこのプラットフォームにログインしていたかを確認できませんでした" - --#~ msgid "Enables enterprise principals" --#~ msgstr "エンタープライズ・プリンシパルの有効化" -+#: src/tools/sss_userdel.c:283 -+msgid "Error while checking if the user was logged in\n" -+msgstr "ユーザーがログインしていたかを確認中にエラーが発生しました\n" - --#~ msgid "A mapping from user names to Kerberos principal names" --#~ msgstr "ユーザー名から Kerberos プリンシパル名までのマッピング" -+#: src/tools/sss_userdel.c:290 -+#, c-format -+msgid "The post-delete command failed: %1$s\n" -+msgstr "削除後コマンドの実行に失敗しました: %1$s\n" - --#~ msgid "" --#~ "Server where the change password service is running if not on the KDC" --#~ msgstr "KDC になければ、パスワード変更サービスが実行されているサーバー" -+#: src/tools/sss_userdel.c:310 -+msgid "Not removing home dir - not owned by user\n" -+msgstr "ホームディレクトリーを削除していません - ユーザーにより所有されていません\n" - --#~ msgid "ldap_uri, The URI of the LDAP server" --#~ msgstr "ldap_uri, LDAP サーバーの URI" -+#: src/tools/sss_userdel.c:312 -+#, c-format -+msgid "Cannot remove homedir: %1$s\n" -+msgstr "ホームディレクトリーを削除できません: %1$s\n" - --#~ msgid "ldap_backup_uri, The URI of the LDAP server" --#~ msgstr "ldap_backup_uri, LDAP サーバーの URI" -+#: src/tools/sss_userdel.c:326 -+msgid "" -+"No such user in local domain. Removing users only allowed in local domain.\n" -+msgstr "そのようなユーザーはローカルドメインにいません。ユーザーの削除はローカルドメインにおいてのみ許可されます。\n" - --#~ msgid "The default base DN" --#~ msgstr "デフォルトのベース DN" -+#: src/tools/sss_userdel.c:331 -+msgid "Internal error. 
Could not remove user.\n" -+msgstr "内部エラー。ユーザーを削除できませんでした。\n" - --#~ msgid "The Schema Type in use on the LDAP server, rfc2307" --#~ msgstr "LDAP サーバーにおいて使用中のスキーマ形式、rfc2307" -+#: src/tools/sss_usermod.c:49 -+msgid "The GID of the user" -+msgstr "ユーザーの GID" - --#~ msgid "Mode used to change user password" --#~ msgstr "ユーザーのパスワードの変更にモードを使用しました" -+#: src/tools/sss_usermod.c:53 -+msgid "Groups to add this user to" -+msgstr "このユーザーを追加するグループ" - --#~ msgid "The default bind DN" --#~ msgstr "デフォルトのバインド DN" -+#: src/tools/sss_usermod.c:54 -+msgid "Groups to remove this user from" -+msgstr "このユーザーを削除するグループ" - --#~ msgid "The type of the authentication token of the default bind DN" --#~ msgstr "デフォルトのバインド DN の認証トークンの種類" -+#: src/tools/sss_usermod.c:55 -+msgid "Lock the account" -+msgstr "アカウントをロックする" - --#~ msgid "The authentication token of the default bind DN" --#~ msgstr "デフォルトのバインド DN の認証トークン" -+#: src/tools/sss_usermod.c:56 -+msgid "Unlock the account" -+msgstr "アカウントをロック解除する" - --#~ msgid "Length of time to attempt connection" --#~ msgstr "接続を試行する時間" -+#: src/tools/sss_usermod.c:57 -+msgid "Add an attribute/value pair. The format is attrname=value." -+msgstr "属性/値のペアを追加します。フォーマットは attrname=value です。" - --#~ msgid "Length of time to attempt synchronous LDAP operations" --#~ msgstr "LDAP 同期操作を試行する時間" -+#: src/tools/sss_usermod.c:58 -+msgid "Delete an attribute/value pair. The format is attrname=value." -+msgstr "属性/値のペアを削除します。フォーマットは attrname=value です。" - --#~ msgid "Length of time between attempts to reconnect while offline" --#~ msgstr "オフラインの間に再接続を試行する時間" -+#: src/tools/sss_usermod.c:59 -+msgid "" -+"Set an attribute to a name/value pair. The format is attrname=value. 
For " -+"multi-valued attributes, the command replaces the values already present" -+msgstr "" -+"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属性の場合、コマンドがすでに存在する値に置き換えられます。" - --#~ msgid "Use only the upper case for realm names" --#~ msgstr "レルム名に対して大文字のみを使用する" -+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 -+#: src/tools/sss_usermod.c:135 -+msgid "Specify the attribute name/value pair(s)\n" -+msgstr "属性の名前/値のペアを指定します\n" - --#~ msgid "File that contains CA certificates" --#~ msgstr "CA 証明書を含むファイル" -+#: src/tools/sss_usermod.c:152 -+msgid "Specify user to modify\n" -+msgstr "変更するユーザーを指定してください\n" - --#~ msgid "Path to CA certificate directory" --#~ msgstr "CA 証明書のディレクトリーのパス" -+#: src/tools/sss_usermod.c:180 -+msgid "" -+"Cannot find user in local domain, modifying users is allowed only in local " -+"domain\n" -+msgstr "ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメインにおいてのみ許可されます。\n" - --#~ msgid "File that contains the client certificate" --#~ msgstr "クライアント証明書を含むファイル" -+#: src/tools/sss_usermod.c:322 -+msgid "Could not modify user - check if group names are correct\n" -+msgstr "ユーザーを変更できませんでした - グループ名が正しいかを確認してください\n" - --#~ msgid "File that contains the client key" --#~ msgstr "クライアントの鍵を含むファイル" -+#: src/tools/sss_usermod.c:326 -+msgid "Could not modify user - user already member of groups?\n" -+msgstr "ユーザーを変更できませんでした - ユーザーはすでにグループのメンバーですか?\n" - --#~ msgid "List of possible ciphers suites" --#~ msgstr "利用可能な暗号の一覧" -+#: src/tools/sss_usermod.c:330 -+msgid "Transaction error. 
Could not modify user.\n" -+msgstr "トランザクションエラー。ユーザーを変更できませんでした。\n" - --#~ msgid "Require TLS certificate verification" --#~ msgstr "TLS 証明書の検証を要求する" -+#: src/tools/sss_cache.c:245 -+msgid "No cache object matched the specified search\n" -+msgstr "指定された検索に一致するキャッシュオブジェクトがありません\n" - --#~ msgid "Specify the sasl mechanism to use" --#~ msgstr "使用する SASL メカニズムを指定する" -+#: src/tools/sss_cache.c:536 -+#, c-format -+msgid "Couldn't invalidate %1$s\n" -+msgstr "%1$s を無効化できませんでした\n" - --#~ msgid "Specify the sasl authorization id to use" --#~ msgstr "使用する SASL 認可 ID を指定する" -+#: src/tools/sss_cache.c:543 -+#, c-format -+msgid "Couldn't invalidate %1$s %2$s\n" -+msgstr "%1$s %2$s を無効化できませんでした\n" - --#~ msgid "Specify the sasl authorization realm to use" --#~ msgstr "使用する SASL 認可レルムを指定する" -+#: src/tools/sss_cache.c:721 -+msgid "Invalidate all cached entries" -+msgstr "すべてのキャッシュエントリーを無効化します" - --#~ msgid "Specify the minimal SSF for LDAP sasl authorization" --#~ msgstr "LDAP SASL 認可の最小 SSF を指定する" -+#: src/tools/sss_cache.c:723 -+msgid "Invalidate particular user" -+msgstr "特定のユーザーを無効にする" - --#~ msgid "Kerberos service keytab" --#~ msgstr "Kerberos サービスのキーテーブル" -+#: src/tools/sss_cache.c:725 -+msgid "Invalidate all users" -+msgstr "すべてのユーザーを無効にする" - --#~ msgid "Use Kerberos auth for LDAP connection" --#~ msgstr "LDAP 接続に対して Kerberos 認証を使用する" -+#: src/tools/sss_cache.c:727 -+msgid "Invalidate particular group" -+msgstr "特定のグループを無効にする" - --#~ msgid "Follow LDAP referrals" --#~ msgstr "LDAP リフェラルにしたがう" -+#: src/tools/sss_cache.c:729 -+msgid "Invalidate all groups" -+msgstr "すべてのグループを無効にする" - --#~ msgid "Lifetime of TGT for LDAP connection" --#~ msgstr "LDAP 接続の TGT の有効期間" -+#: src/tools/sss_cache.c:731 -+msgid "Invalidate particular netgroup" -+msgstr "特定のネットワークグループを無効にする" - --#~ msgid "How to dereference aliases" --#~ msgstr "エイリアスを参照解決する方法" -+#: src/tools/sss_cache.c:733 -+msgid "Invalidate all netgroups" -+msgstr "すべてのネットワークグループを無効にする" - --#~ msgid "Service name for DNS service 
lookups" --#~ msgstr "DNS サービス検索のサービス名" -+#: src/tools/sss_cache.c:735 -+msgid "Invalidate particular service" -+msgstr "特定のサービスの無効化" - --#~ msgid "The number of records to retrieve in a single LDAP query" --#~ msgstr "単一の LDAP クエリーにおいて取得するレコード数" -+#: src/tools/sss_cache.c:737 -+msgid "Invalidate all services" -+msgstr "すべてのサービスの無効化" - --#~ msgid "The number of members that must be missing to trigger a full deref" --#~ msgstr "完全な参照解決を引き起こすために欠けている必要があるメンバーの数" -+#: src/tools/sss_cache.c:740 -+msgid "Invalidate particular autofs map" -+msgstr "特定の autofs マップの無効化" - --#~ msgid "" --#~ "Whether the LDAP library should perform a reverse lookup to canonicalize " --#~ "the host name during a SASL bind" --#~ msgstr "" --#~ "LDAP ライブラリーが SASL バインド中にホスト名を正規化するために逆引きを実" --#~ "行するかどうか" -+#: src/tools/sss_cache.c:742 -+msgid "Invalidate all autofs maps" -+msgstr "すべての autofs マップの無効化" - --#~ msgid "entryUSN attribute" --#~ msgstr "entryUSN 属性" -+#: src/tools/sss_cache.c:746 -+msgid "Invalidate particular SSH host" -+msgstr "特定の SSH ホストを無効化します" - --#~ msgid "lastUSN attribute" --#~ msgstr "lastUSN 属性" -+#: src/tools/sss_cache.c:748 -+msgid "Invalidate all SSH hosts" -+msgstr "すべての SSH ホストを無効化します" - --#~ msgid "" --#~ "How long to retain a connection to the LDAP server before disconnecting" --#~ msgstr "LDAP サーバーを切断する前に接続を保持する時間" -+#: src/tools/sss_cache.c:752 -+msgid "Invalidate particular sudo rule" -+msgstr "特定の sudo ルールを無効化します" - --#~ msgid "Disable the LDAP paging control" --#~ msgstr "LDAP ページング制御を無効化する" -+#: src/tools/sss_cache.c:754 -+msgid "Invalidate all cached sudo rules" -+msgstr "すべてのキャッシュ sudo ルールを無効化します" - --#~ msgid "Disable Active Directory range retrieval" --#~ msgstr "Active Directory 範囲の取得の無効化" -+#: src/tools/sss_cache.c:757 -+msgid "Only invalidate entries from a particular domain" -+msgstr "特定のドメインのみからエントリーを無効にする" - --#~ msgid "Length of time to wait for a search request" --#~ msgstr "検索要求を待つ時間" -+#: src/tools/sss_cache.c:811 -+msgid "" -+"Unexpected 
argument(s) provided, options that invalidate a single object " -+"only accept a single provided argument.\n" -+msgstr "予期しない引数が提供される場合、1 つのオブジェクトを無効化するオプションは、提供された引数を 1 つだけ受け取ります。\n" - --#~ msgid "Length of time to wait for a enumeration request" --#~ msgstr "列挙の要求を待つ時間" -+#: src/tools/sss_cache.c:821 -+msgid "Please select at least one object to invalidate\n" -+msgstr "無効化するオブジェクトを少なくとも一つ選択してください\n" - --#~ msgid "Length of time between enumeration updates" --#~ msgstr "列挙の更新間隔" -+#: src/tools/sss_cache.c:904 -+#, c-format -+msgid "" -+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " -+"use fully qualified name instead of --domain/-d parameter.\n" -+msgstr "" -+"ドメイン %1$s を開けませんでした。ドメインがサブドメイン (信頼済みドメイン) であれば、--domain/-d " -+"パラメーターの代わりに完全修飾名を使用してください。\n" - --#~ msgid "Length of time between cache cleanups" --#~ msgstr "キャッシュをクリーンアップする間隔" -+#: src/tools/sss_cache.c:909 -+msgid "Could not open available domains\n" -+msgstr "利用可能なドメインを開けませんでした\n" - --#~ msgid "Require TLS for ID lookups" --#~ msgstr "ID 検索に TLS を要求する" -+#: src/tools/tools_util.c:202 -+#, c-format -+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" -+msgstr "名前 '%1$s' が FQDN であるように見えません ('%2$s = TRUE' が設定されます)\n" - --#~ msgid "Use ID-mapping of objectSID instead of pre-set IDs" --#~ msgstr "事前設定済み ID の代わりに objectSID の ID マッピングを使用します" -+#: src/tools/tools_util.c:309 -+msgid "Out of memory\n" -+msgstr "メモリー不足\n" - --#~ msgid "Base DN for user lookups" --#~ msgstr "ユーザー検索のベース DN" -+#: src/tools/tools_util.h:40 -+#, c-format -+msgid "%1$s must be run as root\n" -+msgstr "%1$s は root として実行する必要があります\n" - --#~ msgid "Scope of user lookups" --#~ msgstr "ユーザー検索の範囲" -+#: src/tools/sssctl/sssctl.c:35 -+msgid "yes" -+msgstr "はい" - --#~ msgid "Filter for user lookups" --#~ msgstr "ユーザー検索のフィルター" -+#: src/tools/sssctl/sssctl.c:37 -+msgid "no" -+msgstr "いいえ" - --#~ msgid "Objectclass for users" --#~ msgstr "ユーザーのオブジェクトクラス" -+#: src/tools/sssctl/sssctl.c:39 -+msgid 
"error" -+msgstr "エラー" - --#~ msgid "Username attribute" --#~ msgstr "ユーザー名の属性" -+#: src/tools/sssctl/sssctl.c:42 -+msgid "Invalid result." -+msgstr "無効な結果。" - --#~ msgid "UID attribute" --#~ msgstr "UID の属性" -+#: src/tools/sssctl/sssctl.c:78 -+msgid "Unable to read user input\n" -+msgstr "ユーザーインプットの読み込みができませんでした\n" - --#~ msgid "Primary GID attribute" --#~ msgstr "プライマリー GID の属性" -+#: src/tools/sssctl/sssctl.c:91 -+#, c-format -+msgid "Invalid input, please provide either '%s' or '%s'.\n" -+msgstr "無効なインプットです。'%s' または '%s' のいずれかを提供してください。\n" - --#~ msgid "GECOS attribute" --#~ msgstr "GECOS の属性" -+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 -+msgid "Error while executing external command\n" -+msgstr "外部のコマンドを実行中にエラーが発生しました\n" - --#~ msgid "Home directory attribute" --#~ msgstr "ホームディレクトリーの属性" -+#: src/tools/sssctl/sssctl.c:156 -+msgid "SSSD needs to be running. Start SSSD now?" -+msgstr "SSSD を実行する必要があります。SSSD をすぐに実行しますか?" - --#~ msgid "Shell attribute" --#~ msgstr "シェルの属性" -+#: src/tools/sssctl/sssctl.c:195 -+msgid "SSSD must not be running. Stop SSSD now?" -+msgstr "SSSD を実行してはいけません。SSSD を今、停止しますか?" - --#~ msgid "UUID attribute" --#~ msgstr "UUID 属性" -+#: src/tools/sssctl/sssctl.c:231 -+msgid "SSSD needs to be restarted. Restart SSSD now?" -+msgstr "SSSD は再起動が必要です。SSSD を今、再起動しますか?" 
- --#~ msgid "objectSID attribute" --#~ msgstr "objectSID 属性" -+#: src/tools/sssctl/sssctl_cache.c:31 -+#, c-format -+msgid " %s is not present in cache.\n" -+msgstr " %s はキャッシュにありません\n" - --#~ msgid "Active Directory primary group attribute for ID-mapping" --#~ msgstr "ID マッピングの Active Directory プライマリーグループ属性" -+#: src/tools/sssctl/sssctl_cache.c:33 -+msgid "Name" -+msgstr "名前" - --#~ msgid "User principal attribute (for Kerberos)" --#~ msgstr "ユーザープリンシパルの属性(Kerberos 用)" -+#: src/tools/sssctl/sssctl_cache.c:34 -+msgid "Cache entry creation date" -+msgstr "キャッシュエントリーの作成日" - --#~ msgid "Full Name" --#~ msgstr "氏名" -+#: src/tools/sssctl/sssctl_cache.c:35 -+msgid "Cache entry last update time" -+msgstr "キャッシュエントリーが最後に更新された時間" - --#~ msgid "memberOf attribute" --#~ msgstr "memberOf 属性" -+#: src/tools/sssctl/sssctl_cache.c:36 -+msgid "Cache entry expiration time" -+msgstr "キャッシュエントリーの期限切れ時間" - --#~ msgid "Modification time attribute" --#~ msgstr "変更日時の属性" -+#: src/tools/sssctl/sssctl_cache.c:37 -+msgid "Cached in InfoPipe" -+msgstr "InfoPipe にキャッシュ" - --#~ msgid "shadowLastChange attribute" --#~ msgstr "shadowLastChange 属性" -+#: src/tools/sssctl/sssctl_cache.c:522 -+#, c-format -+msgid "Error: Unable to get object [%d]: %s\n" -+msgstr "エラー: オブジェクト [%d] を取得できません: %s\n" - --#~ msgid "shadowMin attribute" --#~ msgstr "shadowMin 属性" -+#: src/tools/sssctl/sssctl_cache.c:538 -+#, c-format -+msgid "%s: Unable to read value [%d]: %s\n" -+msgstr "%s: 値 [%d] の読み込みができません: %s\n" - --#~ msgid "shadowMax attribute" --#~ msgstr "shadowMax 属性" -+#: src/tools/sssctl/sssctl_cache.c:566 -+msgid "Specify name." 
-+msgstr "名前を指定します。" - --#~ msgid "shadowWarning attribute" --#~ msgstr "shadowWarning 属性" -+#: src/tools/sssctl/sssctl_cache.c:576 -+#, c-format -+msgid "Unable to parse name %s.\n" -+msgstr "名前 %s を構文解析できません。\n" - --#~ msgid "shadowInactive attribute" --#~ msgstr "shadowInactive 属性" -+#: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649 -+msgid "Search by SID" -+msgstr "SID で検索" - --#~ msgid "shadowExpire attribute" --#~ msgstr "shadowExpire 属性" -+#: src/tools/sssctl/sssctl_cache.c:603 -+msgid "Search by user ID" -+msgstr "ユーザーID で検索" - --#~ msgid "shadowFlag attribute" --#~ msgstr "shadowFlag 属性" -+#: src/tools/sssctl/sssctl_cache.c:612 -+msgid "Initgroups expiration time" -+msgstr "Initgroups の期限切れ時間" - --#~ msgid "Attribute listing authorized PAM services" --#~ msgstr "認可された PAM サービスを一覧化する属性" -+#: src/tools/sssctl/sssctl_cache.c:650 -+msgid "Search by group ID" -+msgstr "グループ ID で検索" - --#~ msgid "Attribute listing authorized server hosts" --#~ msgstr "認可されたサーバーホストを一覧化する属性" -+#: src/tools/sssctl/sssctl_config.c:112 -+#, c-format -+msgid "Failed to open %s\n" -+msgstr "%s を開くことに失敗しました\n" - --#~ msgid "Attribute listing authorized server rhosts" --#~ msgstr "認可されたサーバー rhosts を一覧化する属性" -+#: src/tools/sssctl/sssctl_config.c:117 -+#, c-format -+msgid "File %1$s does not exist.\n" -+msgstr "ファイル %1$s は存在しません。\n" - --#~ msgid "krbLastPwdChange attribute" --#~ msgstr "krbLastPwdChange 属性" -+#: src/tools/sssctl/sssctl_config.c:121 -+msgid "" -+"File ownership and permissions check failed. 
Expected root:root and 0600.\n" -+msgstr "ファイルの所有権とパーミッションの確認に失敗しました。予期される root:root および 0600。\n" - --#~ msgid "krbPasswordExpiration attribute" --#~ msgstr "krbPasswordExpiration 属性" -+#: src/tools/sssctl/sssctl_config.c:127 -+#, c-format -+msgid "Failed to load configuration from %s.\n" -+msgstr "" - --#~ msgid "Attribute indicating that server side password policies are active" --#~ msgstr "サーバー側パスワードポリシーが有効であることを意味する属性" -+#: src/tools/sssctl/sssctl_config.c:133 -+msgid "Error while reading configuration directory.\n" -+msgstr "設定ディレクトリーの読み込み中にエラーが発生しました。\n" - --#~ msgid "accountExpires attribute of AD" --#~ msgstr "AD の accountExpires 属性" -+#: src/tools/sssctl/sssctl_config.c:141 -+msgid "" -+"There is no configuration. SSSD will use default configuration with files " -+"provider.\n" -+msgstr "設定はありません。SSSD は、ファイルプロバイダーでデフォルト設定を使用します。\n" - --#~ msgid "userAccountControl attribute of AD" --#~ msgstr "AD の userAccountControl 属性" -+#: src/tools/sssctl/sssctl_config.c:153 -+msgid "Failed to run validators" -+msgstr "バリデーターの実行に失敗しました" - --#~ msgid "nsAccountLock attribute" --#~ msgstr "nsAccountLock 属性" -+#: src/tools/sssctl/sssctl_config.c:157 -+#, c-format -+msgid "Issues identified by validators: %zu\n" -+msgstr "バリデーターで特定された問題: %zu\n" - --#~ msgid "loginDisabled attribute of NDS" --#~ msgstr "NDS の loginDisabled 属性" -+#: src/tools/sssctl/sssctl_config.c:168 -+#, c-format -+msgid "Messages generated during configuration merging: %zu\n" -+msgstr "設定のマージ中に生成されたメッセージ: %zu\n" - --#~ msgid "loginExpirationTime attribute of NDS" --#~ msgstr "NDS の loginExpirationTime 属性" -+#: src/tools/sssctl/sssctl_config.c:179 -+#, c-format -+msgid "Used configuration snippet files: %zu\n" -+msgstr "使用された設定スニペットファイル: %zu\n" - --#~ msgid "loginAllowedTimeMap attribute of NDS" --#~ msgstr "NDS の loginAllowedTimeMap 属性" -+#: src/tools/sssctl/sssctl_data.c:89 -+#, c-format -+msgid "Unable to create backup directory [%d]: %s" -+msgstr "バックアップディレクトリー [%d] を作成できません: %s" - --#~ msgid "SSH 
public key attribute" --#~ msgstr "SSH 公開鍵の属性" -+#: src/tools/sssctl/sssctl_data.c:95 -+msgid "SSSD backup of local data already exists, override?" -+msgstr "ローカルデータの SSSD バックアップはすでに存在しますが、上書きしますか?" - --#~ msgid "attribute listing allowed authentication types for a user" --#~ msgstr "ユーザー用に許可された認証タイプを一覧化する属性" -+#: src/tools/sssctl/sssctl_data.c:111 -+msgid "Unable to export user overrides\n" -+msgstr "ユーザーの上書きをエクスポートできません\n" - --#~ msgid "attribute containing the X509 certificate of the user" --#~ msgstr "ユーザーの X509 証明書を含む属性" -+#: src/tools/sssctl/sssctl_data.c:118 -+msgid "Unable to export group overrides\n" -+msgstr "グループの上書きをエクスポートできません\n" - --#~ msgid "attribute containing the email address of the user" --#~ msgstr "ユーザーの電子メールアドレスを含む属性" -+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 -+msgid "Override existing backup" -+msgstr "既存のバックアップを上書き" - --#~ msgid "A list of extra attributes to download along with the user entry" --#~ msgstr "ユーザーエントリーと共にダウンロードする追加的な属性の一覧" -+#: src/tools/sssctl/sssctl_data.c:164 -+msgid "Unable to import user overrides\n" -+msgstr "ユーザーの上書きをインポートできません\n" - --#~ msgid "Base DN for group lookups" --#~ msgstr "グループ検索のベース DN" -+#: src/tools/sssctl/sssctl_data.c:173 -+msgid "Unable to import group overrides\n" -+msgstr "グループの上書きをインポートできません\n" - --#~ msgid "Objectclass for groups" --#~ msgstr "グループのオブジェクトクラス" -+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 -+#: src/tools/sssctl/sssctl_domains.c:328 -+msgid "Start SSSD if it is not running" -+msgstr "実行中でない場合、SSSD を開始します" - --#~ msgid "Group name" --#~ msgstr "グループ名" -+#: src/tools/sssctl/sssctl_data.c:195 -+msgid "Restart SSSD after data import" -+msgstr "データのインポートの後、SSSD を再起動します" - --#~ msgid "Group password" --#~ msgstr "グループのパスワード" -+#: src/tools/sssctl/sssctl_data.c:218 -+msgid "Create clean cache files and import local data" -+msgstr "クリーンなキャッシュファイルを作成し、ローカルデータをインポートします" - --#~ msgid "GID attribute" --#~ msgstr "GID 属性" -+#: 
src/tools/sssctl/sssctl_data.c:219 -+msgid "Stop SSSD before removing the cache" -+msgstr "キャッシュを削除する前に SSSD を停止します" - --#~ msgid "Group member attribute" --#~ msgstr "グループメンバー属性" -+#: src/tools/sssctl/sssctl_data.c:220 -+msgid "Start SSSD when the cache is removed" -+msgstr "キャッシュの削除後に SSSD を開始します" - --#~ msgid "Group UUID attribute" --#~ msgstr "グループ UUID 属性" -+#: src/tools/sssctl/sssctl_data.c:235 -+msgid "Creating backup of local data...\n" -+msgstr "ローカルデータのバックアップを作成中...\n" - --#~ msgid "Modification time attribute for groups" --#~ msgstr "グループの変更日時の属性" -+#: src/tools/sssctl/sssctl_data.c:238 -+msgid "Unable to create backup of local data, can not remove the cache.\n" -+msgstr "ローカルデータのバックアップの作成ができません。キャッシュを削除できません。\n" - --#~ msgid "Type of the group and other flags" --#~ msgstr "グループおよび他のフラグのタイプ" -+#: src/tools/sssctl/sssctl_data.c:243 -+msgid "Removing cache files...\n" -+msgstr "キャッシュファイルの削除中...\n" - --#~ msgid "The LDAP group external member attribute" --#~ msgstr "LDAP グループの外部メンバーの属性" -+#: src/tools/sssctl/sssctl_data.c:246 -+msgid "Unable to remove cache files\n" -+msgstr "キャッシュファイルを削除できません\n" - --#~ msgid "Maximum nesting level SSSD will follow" --#~ msgstr "SSSD が従う最大ネストレベル" -+#: src/tools/sssctl/sssctl_data.c:251 -+msgid "Restoring local data...\n" -+msgstr "ローカルデータの復元中...\n" - --#~ msgid "Base DN for netgroup lookups" --#~ msgstr "ネットグループ検索のベース DN" -+#: src/tools/sssctl/sssctl_domains.c:83 -+msgid "Show domain list including primary or trusted domain type" -+msgstr "プライマリーまたは信頼されたドメインタイプを含むドメインリストを表示します" - --#~ msgid "Objectclass for netgroups" --#~ msgstr "ネットグループのオブジェクトクラス" -+#: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 -+#: src/tools/sssctl/sssctl_user_checks.c:95 -+msgid "Unable to connect to system bus!\n" -+msgstr "システムバスに接続できません。\n" - --#~ msgid "Netgroup name" --#~ msgstr "ネットグループ名" -+#: src/tools/sssctl/sssctl_domains.c:167 -+msgid "Online" -+msgstr "オンライン" - --#~ msgid "Netgroups members attribute" --#~ 
msgstr "ネットグループメンバーの属性" -+#: src/tools/sssctl/sssctl_domains.c:167 -+msgid "Offline" -+msgstr "オフライン" - --#~ msgid "Netgroup triple attribute" --#~ msgstr "ネットグループの三つ組の属性" -+#: src/tools/sssctl/sssctl_domains.c:167 -+#, c-format -+msgid "Online status: %s\n" -+msgstr "オンライン状態: %s\n" - --#~ msgid "Modification time attribute for netgroups" --#~ msgstr "ネットグループの変更日時の属性" -+#: src/tools/sssctl/sssctl_domains.c:213 -+msgid "This domain has no active servers.\n" -+msgstr "このドメインには、アクティブなサーバーはありません。\n" - --#~ msgid "Base DN for service lookups" --#~ msgstr "サービス検索のベース DN" -+#: src/tools/sssctl/sssctl_domains.c:218 -+msgid "Active servers:\n" -+msgstr "アクティブサーバー:\n" - --#~ msgid "Objectclass for services" --#~ msgstr "サービスのオブジェクトクラス" -+#: src/tools/sssctl/sssctl_domains.c:230 -+msgid "not connected" -+msgstr "接続していません" - --#~ msgid "Service name attribute" --#~ msgstr "サービス名の属性" -+#: src/tools/sssctl/sssctl_domains.c:267 -+msgid "No servers discovered.\n" -+msgstr "サーバーが見つかりません。\n" - --#~ msgid "Service port attribute" --#~ msgstr "サービスポートの属性" -+#: src/tools/sssctl/sssctl_domains.c:273 -+#, c-format -+msgid "Discovered %s servers:\n" -+msgstr "%s サーバーが見つかりました:\n" - --#~ msgid "Service protocol attribute" --#~ msgstr "サービスプロトコルの属性" -+#: src/tools/sssctl/sssctl_domains.c:285 -+msgid "None so far.\n" -+msgstr "今のところありません。\n" - --#~ msgid "Lower bound for ID-mapping" --#~ msgstr "ID マッピングの下限" -+#: src/tools/sssctl/sssctl_domains.c:325 -+msgid "Show online status" -+msgstr "オンライン状態を表示" - --#~ msgid "Upper bound for ID-mapping" --#~ msgstr "ID マッピングの上限" -+#: src/tools/sssctl/sssctl_domains.c:326 -+msgid "Show information about active server" -+msgstr "アクティブサーバーに関する情報の表示" - --#~ msgid "Number of IDs for each slice when ID-mapping" --#~ msgstr "ID マッピングするとき、各スライスに対する ID の数" -+#: src/tools/sssctl/sssctl_domains.c:327 -+msgid "Show list of discovered servers" -+msgstr "見つかったサーバーに関する一覧を表示" - --#~ msgid "Use autorid-compatible algorithm for ID-mapping" --#~ msgstr "ID マッピングに対する 
autorid 互換アルゴリズムを使用します" -+#: src/tools/sssctl/sssctl_domains.c:333 -+msgid "Specify domain name." -+msgstr "ドメイン名を指定します。" - --#~ msgid "Name of the default domain for ID-mapping" --#~ msgstr "ID マッピングに対するデフォルトドメインの名前" -+#: src/tools/sssctl/sssctl_domains.c:355 -+msgid "Out of memory!\n" -+msgstr "メモリーの空き容量がありません。\n" - --#~ msgid "SID of the default domain for ID-mapping" --#~ msgstr "ID マッピングに対するデフォルトドメインの SID" -+#: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 -+msgid "Unable to get online status\n" -+msgstr "オンライン状態を取得できません\n" - --#~ msgid "Number of secondary slices" --#~ msgstr "セカンダリースライスの数" -+#: src/tools/sssctl/sssctl_domains.c:395 -+msgid "Unable to get server list\n" -+msgstr "サーバー一覧を取得できません\n" - --#~ msgid "Whether to use Token-Groups" --#~ msgstr "Token-Group を使うかどうか" -+#: src/tools/sssctl/sssctl_logs.c:46 -+msgid "\n" -+msgstr "\n" - --#~ msgid "Set lower boundary for allowed IDs from the LDAP server" --#~ msgstr "LDAP サーバーから許可される ID の下限の設定" -+#: src/tools/sssctl/sssctl_logs.c:236 -+msgid "Delete log files instead of truncating" -+msgstr "切り捨てる代わりにログファイルを削除します" - --#~ msgid "Set upper boundary for allowed IDs from the LDAP server" --#~ msgstr "LDAP サーバーから許可される ID の上限の設定" -+#: src/tools/sssctl/sssctl_logs.c:247 -+msgid "Deleting log files...\n" -+msgstr "ログファイルを削除中...\n" - --#~ msgid "DN for ppolicy queries" --#~ msgstr "ppolicy クエリーの DN" -+#: src/tools/sssctl/sssctl_logs.c:250 -+msgid "Unable to remove log files\n" -+msgstr "ログファイルを削除できません\n" - --#~ msgid "How many maximum entries to fetch during a wildcard request" --#~ msgstr "ワイルドカードの要求の間に取得する最大エントリーの数" -+#: src/tools/sssctl/sssctl_logs.c:256 -+msgid "Truncating log files...\n" -+msgstr "ログファイルを切り捨てます...\n" - --#~ msgid "Policy to evaluate the password expiration" --#~ msgstr "パスワード失効の評価のポリシー" -+#: src/tools/sssctl/sssctl_logs.c:259 -+msgid "Unable to truncate log files\n" -+msgstr "ログファイルの切り捨てができません\n" - --#~ msgid "Which attributes shall be used to evaluate if an 
account is expired" --#~ msgstr "どの属性がアカウントが失効しているかを評価するために使用されるか" -+#: src/tools/sssctl/sssctl_logs.c:285 -+msgid "Out of memory!" -+msgstr "メモリーの空き容量がありません。" - --#~ msgid "Which rules should be used to evaluate access control" --#~ msgstr "どのルールがアクセス制御を評価するために使用されるか" -+#: src/tools/sssctl/sssctl_logs.c:288 -+#, c-format -+msgid "Archiving log files into %s...\n" -+msgstr "ログファイルを %s へアーカイブ中...\n" - --#~ msgid "URI of an LDAP server where password changes are allowed" --#~ msgstr "パスワードの変更が許可される LDAP サーバーの URI" -+#: src/tools/sssctl/sssctl_logs.c:291 -+msgid "Unable to archive log files\n" -+msgstr "ログファイルのアーカイブができません\n" - --#~ msgid "URI of a backup LDAP server where password changes are allowed" --#~ msgstr "パスワードの変更が許可されるバックアップ LDAP サーバーの URI" -+#: src/tools/sssctl/sssctl_logs.c:316 -+msgid "Specify debug level you want to set" -+msgstr "設定したいデバッグレベルを指定します" - --#~ msgid "DNS service name for LDAP password change server" --#~ msgstr "LDAP パスワードの変更サーバーの DNS サービス名" -+#: src/tools/sssctl/sssctl_user_checks.c:117 -+msgid "SSSD InfoPipe user lookup result:\n" -+msgstr "SSSD InfoPipe ユーザー検索の結果:\n" - --#~ msgid "" --#~ "Whether to update the ldap_user_shadow_last_change attribute after a " --#~ "password change" --#~ msgstr "" --#~ "パスワード変更後 ldap_user_shadow_last_change 属性を更新するかどうか" -+#: src/tools/sssctl/sssctl_user_checks.c:167 -+#, c-format -+msgid "dlopen failed with [%s].\n" -+msgstr "dlopen は [%s] で失敗しました。\n" - --#~ msgid "Base DN for sudo rules lookups" --#~ msgstr "sudo ルール検索のベース DN" -+#: src/tools/sssctl/sssctl_user_checks.c:174 -+#, c-format -+msgid "dlsym failed with [%s].\n" -+msgstr "dlsym は [%s] で失敗しました。\n" - --#~ msgid "Automatic full refresh period" --#~ msgstr "自動的な完全更新間隔" -+#: src/tools/sssctl/sssctl_user_checks.c:182 -+msgid "malloc failed.\n" -+msgstr "malloc は失敗しました。\n" - --#~ msgid "Automatic smart refresh period" --#~ msgstr "自動的なスマート更新間隔" -+#: src/tools/sssctl/sssctl_user_checks.c:189 -+#, c-format -+msgid "sss_getpwnam_r failed with [%d].\n" 
-+msgstr "sss_getpwnam_r が [%d] で失敗しました。\n" - --#~ msgid "Whether to filter rules by hostname, IP addresses and network" --#~ msgstr "" --#~ "ホスト名、IP アドレスおよびネットワークによるフィルタールールを使用するか" --#~ "どうか" -+#: src/tools/sssctl/sssctl_user_checks.c:194 -+msgid "SSSD nss user lookup result:\n" -+msgstr "SSSD nss ユーザー検索の結果:\n" - --#~ msgid "" --#~ "Hostnames and/or fully qualified domain names of this machine to filter " --#~ "sudo rules" --#~ msgstr "" --#~ "sudo ルールをフィルターするこのマシンのホスト名および/または完全修飾ドメイ" --#~ "ン名" -+#: src/tools/sssctl/sssctl_user_checks.c:195 -+#, c-format -+msgid " - user name: %s\n" -+msgstr " - user name: %s\n" - --#~ msgid "" --#~ "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" --#~ msgstr "" --#~ "sudo ルールをフィルターするこのマシンの IPv4 または IPv6 アドレスまたは" --#~ "ネットワーク" -+#: src/tools/sssctl/sssctl_user_checks.c:196 -+#, c-format -+msgid " - user id: %d\n" -+msgstr " - user id: %d\n" - --#~ msgid "Whether to include rules that contains netgroup in host attribute" --#~ msgstr "ホスト属性にネットワークグループを含むルールを含めるかどうか" -+#: src/tools/sssctl/sssctl_user_checks.c:197 -+#, c-format -+msgid " - group id: %d\n" -+msgstr " - group id: %d\n" - --#~ msgid "" --#~ "Whether to include rules that contains regular expression in host " --#~ "attribute" --#~ msgstr "ホスト属性に正規表現を含むルールを含めるかどうか" -+#: src/tools/sssctl/sssctl_user_checks.c:198 -+#, c-format -+msgid " - gecos: %s\n" -+msgstr " - gecos: %s\n" - --#~ msgid "Object class for sudo rules" --#~ msgstr "sudo ルールのオブジェクトクラス" -+#: src/tools/sssctl/sssctl_user_checks.c:199 -+#, c-format -+msgid " - home directory: %s\n" -+msgstr " - home directory: %s\n" - --#~ msgid "Name of attribute that is used as object class for sudo rules" --#~ msgstr "sudo ルールのオブジェクトクラスとして使用される属性の名前" -+#: src/tools/sssctl/sssctl_user_checks.c:200 -+#, c-format -+msgid " - shell: %s\n" -+"\n" -+msgstr " - shell: %s\n" -+"\n" - --#~ msgid "Sudo rule name" --#~ msgstr "sudo ルール名" -+#: src/tools/sssctl/sssctl_user_checks.c:232 -+msgid "PAM action 
[auth|acct|setc|chau|open|clos], default: " -+msgstr "PAM アクション [auth|acct|setc|chau|open|clos]、デフォルト: " - --#~ msgid "Sudo rule command attribute" --#~ msgstr "sudo ルールのコマンドの属性" -+#: src/tools/sssctl/sssctl_user_checks.c:235 -+msgid "PAM service, default: " -+msgstr "PAM サービス、デフォルト: " - --#~ msgid "Sudo rule host attribute" --#~ msgstr "sudo ルールのホストの属性" -+#: src/tools/sssctl/sssctl_user_checks.c:240 -+msgid "Specify user name." -+msgstr "ユーザー名を指定します。" - --#~ msgid "Sudo rule user attribute" --#~ msgstr "sudo ルールのユーザーの属性" -+#: src/tools/sssctl/sssctl_user_checks.c:247 -+#, c-format -+msgid "user: %s\n" -+"action: %s\n" -+"service: %s\n" -+"\n" -+msgstr "ユーザー: %s\n" -+"アクション: %s\n" -+"サービス: %s\n" -+"\n" - --#~ msgid "Sudo rule option attribute" --#~ msgstr "sudo ルールのオプションの属性" -+#: src/tools/sssctl/sssctl_user_checks.c:252 -+#, c-format -+msgid "User name lookup with [%s] failed.\n" -+msgstr "[%s] でのユーザー名の検索に失敗しました。\n" - --#~ msgid "Sudo rule runas attribute" --#~ msgstr "sudo ルールの runas の属性" -+#: src/tools/sssctl/sssctl_user_checks.c:257 -+#, c-format -+msgid "InfoPipe User lookup with [%s] failed.\n" -+msgstr "[%s] での InfoPipe ユーザーの検索に失敗しました。\n" - --#~ msgid "Sudo rule runasuser attribute" --#~ msgstr "sudo ルールの runasuser の属性" -+#: src/tools/sssctl/sssctl_user_checks.c:263 -+#, c-format -+msgid "pam_start failed: %s\n" -+msgstr "pam_start に失敗しました: %s\n" - --#~ msgid "Sudo rule runasgroup attribute" --#~ msgstr "sudo ルールの runasgroup の属性" -+#: src/tools/sssctl/sssctl_user_checks.c:268 -+msgid "testing pam_authenticate\n" -+"\n" -+msgstr "pam_authenticate のテスト中\n" -+"\n" - --#~ msgid "Sudo rule notbefore attribute" --#~ msgstr "sudo ルールの notbefore の属性" -+#: src/tools/sssctl/sssctl_user_checks.c:272 -+#, c-format -+msgid "pam_get_item failed: %s\n" -+msgstr "pam_get_item に失敗しました: %s\n" - --#~ msgid "Sudo rule notafter attribute" --#~ msgstr "sudo ルールの notafter の属性" -+#: src/tools/sssctl/sssctl_user_checks.c:275 -+#, c-format -+msgid "pam_authenticate for user [%s]: 
%s\n" -+"\n" -+msgstr "ユーザー [%s] 向けの pam_authenticate: %s\n" -+"\n" - --#~ msgid "Sudo rule order attribute" --#~ msgstr "sudo ルールの order の属性" -+#: src/tools/sssctl/sssctl_user_checks.c:278 -+msgid "testing pam_chauthtok\n" -+"\n" -+msgstr "pam_chauthtok のテスト中\n" -+"\n" - --#~ msgid "Object class for automounter maps" --#~ msgstr "automounter マップのオブジェクトクラス" -+#: src/tools/sssctl/sssctl_user_checks.c:280 -+#, c-format -+msgid "pam_chauthtok: %s\n" -+"\n" -+msgstr "pam_chauthtok: %s\n" -+"\n" - --#~ msgid "Automounter map name attribute" --#~ msgstr "オートマウントのマップ名の属性" -+#: src/tools/sssctl/sssctl_user_checks.c:282 -+msgid "testing pam_acct_mgmt\n" -+"\n" -+msgstr "pam_acct_mgmt のテスト中\n" -+"\n" - --#~ msgid "Object class for automounter map entries" --#~ msgstr "automounter マップエントリーのオブジェクトクラス" -+#: src/tools/sssctl/sssctl_user_checks.c:284 -+#, c-format -+msgid "pam_acct_mgmt: %s\n" -+"\n" -+msgstr "pam_acct_mgmt: %s\n" -+"\n" - --#~ msgid "Automounter map entry key attribute" --#~ msgstr "automounter マップエントリーの鍵属性" -+#: src/tools/sssctl/sssctl_user_checks.c:286 -+msgid "testing pam_setcred\n" -+"\n" -+msgstr "pam_setcred のテスト中\n" -+"\n" - --#~ msgid "Automounter map entry value attribute" --#~ msgstr "automounter マップエントリーの値属性" -+#: src/tools/sssctl/sssctl_user_checks.c:288 -+#, c-format -+msgid "pam_setcred: [%s]\n" -+"\n" -+msgstr "pam_setcred: [%s]\n" -+"\n" - --#~ msgid "Base DN for automounter map lookups" --#~ msgstr "automonter のマップ検索のベース DN" -+#: src/tools/sssctl/sssctl_user_checks.c:290 -+msgid "testing pam_open_session\n" -+"\n" -+msgstr "pam_open_session のテスト中\n" -+"\n" - --#~ msgid "Comma separated list of allowed users" --#~ msgstr "許可ユーザーのカンマ区切り一覧" -+#: src/tools/sssctl/sssctl_user_checks.c:292 -+#, c-format -+msgid "pam_open_session: %s\n" -+"\n" -+msgstr "pam_open_session: %s\n" -+"\n" - --#~ msgid "Comma separated list of prohibited users" --#~ msgstr "禁止ユーザーのカンマ区切り一覧" -+#: src/tools/sssctl/sssctl_user_checks.c:294 -+msgid "testing pam_close_session\n" 
-+"\n" -+msgstr "pam_close_session のテスト中\n" -+"\n" - --#~ msgid "Default shell, /bin/bash" --#~ msgstr "デフォルトのシェル, /bin/bash" -+#: src/tools/sssctl/sssctl_user_checks.c:296 -+#, c-format -+msgid "pam_close_session: %s\n" -+"\n" -+msgstr "pam_close_session: %s\n" -+"\n" - --#~ msgid "Base for home directories" --#~ msgstr "ホームディレクトリーのベース" -+#: src/tools/sssctl/sssctl_user_checks.c:298 -+msgid "unknown action\n" -+msgstr "不明なアクション\n" - --#~ msgid "The number of preforked proxy children." --#~ msgstr "事前にフォークされた子プロキシーの数。" -+#: src/tools/sssctl/sssctl_user_checks.c:301 -+msgid "PAM Environment:\n" -+msgstr "PAM 環境:\n" - --#~ msgid "The name of the NSS library to use" --#~ msgstr "使用する NSS ライブラリーの名前" -+#: src/tools/sssctl/sssctl_user_checks.c:309 -+msgid " - no env -\n" -+msgstr " - no env -\n" - --#~ msgid "Whether to look up canonical group name from cache if possible" --#~ msgstr "可能ならばキャッシュから正規化されたグループ名を検索するかどうか" -+#: src/util/util.h:82 -+msgid "The user ID to run the server as" -+msgstr "次のようにサーバーを実行するユーザー ID" - --#~ msgid "PAM stack to use" --#~ msgstr "使用する PAM スタック" -+#: src/util/util.h:84 -+msgid "The group ID to run the server as" -+msgstr "次のようにサーバーを実行するグループ ID" - --#~ msgid "Path of passwd file sources." --#~ msgstr "passwd ファイルソースへのパス" -+#: src/util/util.h:92 -+msgid "Informs that the responder has been socket-activated" -+msgstr "レスポンダーがソケットでアクティベートされたと知らせます" - --#~ msgid "Path of group file sources." 
--#~ msgstr "グループファイルソースへのパス" -+#: src/util/util.h:94 -+msgid "Informs that the responder has been dbus-activated" -+msgstr "レスポンダーが dbus でアクティベートされたと知らせます" -diff --git a/po/sssd.pot b/po/sssd.pot -index 04a6fb83f..83b388a02 100644 ---- a/po/sssd.pot -+++ b/po/sssd.pot -@@ -8,7 +8,7 @@ msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" --"POT-Creation-Date: 2020-05-19 12:05+0200\n" -+"POT-Creation-Date: 2020-06-17 22:51+0200\n" - "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" - "Last-Translator: FULL NAME \n" - "Language-Team: LANGUAGE \n" -@@ -17,6 +17,1801 @@ msgstr "" - "Content-Type: text/plain; charset=CHARSET\n" - "Content-Transfer-Encoding: 8bit\n" - -+#: src/config/SSSDConfig/sssdoptions.py:20 -+#: src/config/SSSDConfig/sssdoptions.py:21 -+msgid "Set the verbosity of the debug logging" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:22 -+msgid "Include timestamps in debug logs" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:23 -+msgid "Include microseconds in timestamps in debug logs" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:24 -+msgid "Write debug messages to logfiles" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:25 -+msgid "Watchdog timeout before restarting service" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:26 -+msgid "Command to start service" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:27 -+msgid "Number of times to attempt connection to Data Providers" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:28 -+msgid "The number of file descriptors that may be opened by this responder" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:29 -+msgid "Idle time before automatic disconnection of a client" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:30 -+msgid "Idle time before automatic shutdown of the responder" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:31 -+msgid "Always 
query all the caches before querying the Data Providers" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:32 -+msgid "" -+"When SSSD switches to offline mode the amount of time before it tries to go " -+"back online will increase based upon the time spent disconnected. This value " -+"is in seconds and calculated by the following: offline_timeout + " -+"random_offset." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:38 -+msgid "" -+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " -+"version 2." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:39 -+msgid "SSSD Services to start" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:40 -+msgid "SSSD Domains to start" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:41 -+msgid "Timeout for messages sent over the SBUS" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:42 -+msgid "Regex to parse username and domain" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:43 -+msgid "Printf-compatible format for displaying fully-qualified names" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:44 -+msgid "" -+"Directory on the filesystem where SSSD should store Kerberos replay cache " -+"files." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:45 -+msgid "Domain to add to names without a domain component." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:46 -+msgid "The user to drop privileges to" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:47 -+msgid "Tune certificate verification" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:48 -+msgid "All spaces in group or user names will be replaced with this character" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:49 -+msgid "Tune sssd to honor or ignore netlink state changes" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:50 -+msgid "Enable or disable the implicit files domain" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:51 -+msgid "A specific order of the domains to be looked up" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:52 -+msgid "" -+"Controls if SSSD should monitor the state of resolv.conf to identify when it " -+"needs to update its internal DNS resolver." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:54 -+msgid "" -+"SSSD monitors the state of resolv.conf to identify when it needs to update " -+"its internal DNS resolver. By default, we will attempt to use inotify for " -+"this, and will fall back to polling resolv.conf every five seconds if " -+"inotify cannot be used." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:59 -+msgid "Enumeration cache timeout length (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:60 -+msgid "Entry cache background update timeout length (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:61 -+#: src/config/SSSDConfig/sssdoptions.py:112 -+msgid "Negative cache timeout length (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:62 -+msgid "Files negative cache timeout length (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:63 -+msgid "Users that SSSD should explicitly ignore" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:64 -+msgid "Groups that SSSD should explicitly ignore" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:65 -+msgid "Should filtered users appear in groups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:66 -+msgid "The value of the password field the NSS provider should return" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:67 -+msgid "Override homedir value from the identity provider with this value" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:68 -+msgid "" -+"Substitute empty homedir value from the identity provider with this value" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:69 -+msgid "Override shell value from the identity provider with this value" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:70 -+msgid "The list of shells users are allowed to log in with" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:71 -+msgid "" -+"The list of shells that will be vetoed, and replaced with the fallback shell" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:72 -+msgid "" -+"If a shell stored in central directory is allowed but not available, use " -+"this fallback" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:73 -+msgid "Shell to use if the provider does not list one" -+msgstr "" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:74 -+msgid "How long will be in-memory cache records valid" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:75 -+msgid "" -+"The value of this option will be used in the expansion of the " -+"override_homedir option if the template contains the format string %H." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:77 -+msgid "" -+"Specifies time in seconds for which the list of subdomains will be " -+"considered valid." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:79 -+msgid "" -+"The entry cache can be set to automatically update entries in the background " -+"if they are requested beyond a percentage of the entry_cache_timeout value " -+"for the domain." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:84 -+msgid "How long to allow cached logins between online logins (days)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:85 -+msgid "How many failed logins attempts are allowed when offline" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:87 -+msgid "" -+"How long (minutes) to deny login after offline_failed_login_attempts has " -+"been reached" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:88 -+msgid "What kind of messages are displayed to the user during authentication" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:89 -+msgid "Filter PAM responses sent to the pam_sss" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:90 -+msgid "How many seconds to keep identity information cached for PAM requests" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:91 -+msgid "How many days before password expiration a warning should be displayed" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:92 -+msgid "List of trusted uids or user's name" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:93 -+msgid "List of domains accessible even for untrusted users." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:94 -+msgid "Message printed when user account is expired." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:95 -+msgid "Message printed when user account is locked." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:96 -+msgid "Allow certificate based/Smartcard authentication." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:97 -+msgid "Path to certificate database with PKCS#11 modules." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:98 -+msgid "How many seconds will pam_sss wait for p11_child to finish" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:99 -+msgid "Which PAM services are permitted to contact application domains" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:100 -+msgid "Allowed services for using smartcards" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:101 -+msgid "Additional timeout to wait for a card if requested" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:102 -+msgid "" -+"PKCS#11 URI to restrict the selection of devices for Smartcard authentication" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:103 -+msgid "When shall the PAM responder force an initgroups request" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:106 -+msgid "Whether to evaluate the time-based attributes in sudo rules" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:107 -+msgid "If true, SSSD will switch back to lower-wins ordering logic" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:108 -+msgid "" -+"Maximum number of rules that can be refreshed at once. If this is exceeded, " -+"full refresh is performed." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:115 -+msgid "Whether to hash host names and addresses in the known_hosts file" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:116 -+msgid "" -+"How many seconds to keep a host in the known_hosts file after its host keys " -+"were requested" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:118 -+msgid "Path to storage of trusted CA certificates" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:119 -+msgid "Allow to generate ssh-keys from certificates" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:120 -+msgid "" -+"Use the following matching rules to filter the certificates for ssh-key " -+"generation" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:124 -+msgid "List of UIDs or user names allowed to access the PAC responder" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:125 -+msgid "How long the PAC data is considered valid" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:128 -+msgid "List of user attributes the InfoPipe is allowed to publish" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:131 -+msgid "The provider where the secrets will be stored in" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:132 -+msgid "The maximum allowed number of nested containers" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:133 -+msgid "The maximum number of secrets that can be stored" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:134 -+msgid "The maximum number of secrets that can be stored per UID" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:135 -+msgid "The maximum payload size of a secret in kilobytes" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:137 -+msgid "The URL Custodia server is listening on" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:138 -+msgid "The method to use when authenticating to a Custodia server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:139 -+msgid "" 
-+"The name of the headers that will be added into a HTTP request with the " -+"value defined in auth_header_value" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:141 -+msgid "The value sssd-secrets would use for auth_header_name" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:142 -+msgid "" -+"The list of the headers to forward to the Custodia server together with the " -+"request" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:143 -+msgid "" -+"The username to use when authenticating to a Custodia server using basic_auth" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:144 -+msgid "" -+"The password to use when authenticating to a Custodia server using basic_auth" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:145 -+msgid "If true peer's certificate is verified if proxy_url uses https protocol" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:146 -+msgid "" -+"If false peer's certificate may contain different hostname than proxy_url " -+"when https protocol is used" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:148 -+msgid "Path to directory where certificate authority certificates are stored" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:149 -+msgid "Path to file containing server's CA certificate" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:150 -+msgid "Path to file containing client's certificate" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:151 -+msgid "Path to file containing client's private key" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:154 -+msgid "" -+"One of the following strings specifying the scope of session recording: none " -+"- No users are recorded. some - Users/groups specified by users and groups " -+"options are recorded. all - All users are recorded." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:157 -+msgid "" -+"A comma-separated list of users which should have session recording enabled. 
" -+"Matches user names as returned by NSS. I.e. after the possible space " -+"replacement, case changes, etc." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:159 -+msgid "" -+"A comma-separated list of groups, members of which should have session " -+"recording enabled. Matches group names as returned by NSS. I.e. after the " -+"possible space replacement, case changes, etc." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:164 -+msgid "Identity provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:165 -+msgid "Authentication provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:166 -+msgid "Access control provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:167 -+msgid "Password change provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:168 -+msgid "SUDO provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:169 -+msgid "Autofs provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:170 -+msgid "Host identity provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:171 -+msgid "SELinux provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:172 -+msgid "Session management provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:173 -+msgid "Resolver provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:176 -+msgid "Whether the domain is usable by the OS or by applications" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:177 -+msgid "Minimum user ID" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:178 -+msgid "Maximum user ID" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:179 -+msgid "Enable enumerating all users/groups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:180 -+msgid "Cache credentials for offline login" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:181 -+msgid "Display users/groups in fully-qualified form" -+msgstr "" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:182 -+msgid "Don't include group members in group lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:183 -+#: src/config/SSSDConfig/sssdoptions.py:193 -+#: src/config/SSSDConfig/sssdoptions.py:194 -+#: src/config/SSSDConfig/sssdoptions.py:195 -+#: src/config/SSSDConfig/sssdoptions.py:196 -+#: src/config/SSSDConfig/sssdoptions.py:197 -+#: src/config/SSSDConfig/sssdoptions.py:198 -+#: src/config/SSSDConfig/sssdoptions.py:199 -+msgid "Entry cache timeout length (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:184 -+msgid "" -+"Restrict or prefer a specific address family when performing DNS lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:185 -+msgid "How long to keep cached entries after last successful login (days)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:186 -+msgid "" -+"How long should SSSD talk to single DNS server before trying next server " -+"(miliseconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:188 -+msgid "How long should keep trying to resolve single DNS query (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:189 -+msgid "How long to wait for replies from DNS when resolving servers (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:190 -+msgid "The domain part of service discovery DNS query" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:191 -+msgid "Override GID value from the identity provider with this value" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:192 -+msgid "Treat usernames as case sensitive" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:200 -+msgid "How often should expired entries be refreshed in background" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:201 -+msgid "Whether to automatically update the client's DNS entry" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:202 -+#: src/config/SSSDConfig/sssdoptions.py:232 -+msgid "The TTL to 
apply to the client's DNS entry after updating it" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:203 -+#: src/config/SSSDConfig/sssdoptions.py:233 -+msgid "The interface whose IP should be used for dynamic DNS updates" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:204 -+msgid "How often to periodically update the client's DNS entry" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:205 -+msgid "Whether the provider should explicitly update the PTR record as well" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:206 -+msgid "Whether the nsupdate utility should default to using TCP" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:207 -+msgid "What kind of authentication should be used to perform the DNS update" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:208 -+msgid "Override the DNS server used to perform the DNS update" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:209 -+msgid "Control enumeration of trusted domains" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:210 -+msgid "How often should subdomains list be refreshed" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:211 -+msgid "List of options that should be inherited into a subdomain" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:212 -+msgid "Default subdomain homedir value" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:213 -+msgid "How long can cached credentials be used for cached authentication" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:214 -+msgid "Whether to automatically create private groups for users" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:215 -+msgid "Display a warning N days before the password expires." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:216 -+msgid "" -+"Various tags stored by the realmd configuration service for this domain." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:217 -+msgid "" -+"The provider which should handle fetching of subdomains. This value should " -+"be always the same as id_provider." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:219 -+msgid "" -+"How many seconds to keep a host ssh key after refresh. IE how long to cache " -+"the host key for." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:221 -+msgid "" -+"If 2-Factor-Authentication (2FA) is used and credentials should be saved " -+"this value determines the minimal length the first authentication factor " -+"(long term password) must have to be saved as SHA512 hash into the cache." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:227 -+msgid "IPA domain" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:228 -+msgid "IPA server address" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:229 -+msgid "Address of backup IPA server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:230 -+msgid "IPA client hostname" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:231 -+msgid "Whether to automatically update the client's DNS entry in FreeIPA" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:234 -+msgid "Search base for HBAC related objects" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:235 -+msgid "" -+"The amount of time between lookups of the HBAC rules against the IPA server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:236 -+msgid "" -+"The amount of time in seconds between lookups of the SELinux maps against " -+"the IPA server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:238 -+msgid "If set to false, host argument given by PAM will be ignored" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:239 -+msgid "The automounter location this IPA client is using" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:240 -+msgid "Search base for object containing info about IPA domain" -+msgstr "" -+ 
-+#: src/config/SSSDConfig/sssdoptions.py:241 -+msgid "Search base for objects containing info about ID ranges" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:242 -+#: src/config/SSSDConfig/sssdoptions.py:296 -+msgid "Enable DNS sites - location based service discovery" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:243 -+msgid "Search base for view containers" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:244 -+msgid "Objectclass for view containers" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:245 -+msgid "Attribute with the name of the view" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:246 -+msgid "Objectclass for override objects" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:247 -+msgid "Attribute with the reference to the original object" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:248 -+msgid "Objectclass for user override objects" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:249 -+msgid "Objectclass for group override objects" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:250 -+msgid "Search base for Desktop Profile related objects" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:251 -+msgid "" -+"The amount of time in seconds between lookups of the Desktop Profile rules " -+"against the IPA server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:253 -+msgid "" -+"The amount of time in minutes between lookups of Desktop Profiles rules " -+"against the IPA server when the last request did not find any rule" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:256 -+msgid "The LDAP attribute that contains FQDN of the host." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:257 -+#: src/config/SSSDConfig/sssdoptions.py:280 -+msgid "The object class of a host entry in LDAP." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:258 -+msgid "Use the given string as search base for host objects." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:259 -+msgid "The LDAP attribute that contains the host's SSH public keys." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:260 -+msgid "The LDAP attribute that contains NIS domain name of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:261 -+msgid "The LDAP attribute that contains the names of the netgroup's members." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:262 -+msgid "" -+"The LDAP attribute that lists FQDNs of hosts and host groups that are " -+"members of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:264 -+msgid "" -+"The LDAP attribute that lists hosts and host groups that are direct members " -+"of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:266 -+msgid "The LDAP attribute that lists netgroup's memberships." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:267 -+msgid "" -+"The LDAP attribute that lists system users and groups that are direct " -+"members of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:269 -+msgid "The LDAP attribute that corresponds to the netgroup name." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:270 -+msgid "The object class of a netgroup entry in LDAP." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:271 -+msgid "" -+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:272 -+msgid "" -+"The LDAP attribute that contains whether or not is user map enabled for " -+"usage." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:274 -+msgid "The LDAP attribute that contains host category such as 'all'." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:275 -+msgid "" -+"The LDAP attribute that contains all hosts / hostgroups this rule match " -+"against." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:277 -+msgid "" -+"The LDAP attribute that contains all users / groups this rule match against." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:279 -+msgid "The LDAP attribute that contains the name of SELinux usermap." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:281 -+msgid "" -+"The LDAP attribute that contains DN of HBAC rule which can be used for " -+"matching instead of memberUser and memberHost." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:283 -+msgid "The LDAP attribute that contains SELinux user string itself." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:284 -+msgid "The LDAP attribute that contains user category such as 'all'." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:285 -+msgid "The LDAP attribute that contains unique ID of the user map." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:286 -+msgid "" -+"The option denotes that the SSSD is running on IPA server and should perform " -+"lookups of users and groups from trusted domains differently." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:288 -+msgid "Use the given string as search base for trusted domains." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:291 -+msgid "Active Directory domain" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:292 -+msgid "Enabled Active Directory domains" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:293 -+msgid "Active Directory server address" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:294 -+msgid "Active Directory backup server address" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:295 -+msgid "Active Directory client hostname" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:297 -+#: src/config/SSSDConfig/sssdoptions.py:488 -+msgid "LDAP filter to determine access privileges" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:298 -+msgid "Whether to use the Global Catalog for lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:299 -+msgid "Operation mode for GPO-based access control" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:300 -+msgid "" -+"The amount of time between lookups of the GPO policy files against the AD " -+"server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:301 -+msgid "" -+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " -+"settings" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:303 -+msgid "" -+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " -+"policy settings" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:305 -+msgid "" -+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:306 -+msgid "" -+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:307 -+msgid "" -+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:308 -+msgid "PAM service names for which GPO-based access is always granted" 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:309 -+msgid "PAM service names for which GPO-based access is always denied" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:310 -+msgid "" -+"Default logon right (or permit/deny) to use for unmapped PAM service names" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:311 -+msgid "a particular site to be used by the client" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:312 -+msgid "" -+"Maximum age in days before the machine account password should be renewed" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:314 -+msgid "Option for tuning the machine account renewal task" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:315 -+msgid "Whether to update the machine account password in the Samba database" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:317 -+msgid "Use LDAPS port for LDAP and Global Catalog requests" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:320 -+#: src/config/SSSDConfig/sssdoptions.py:321 -+msgid "Kerberos server address" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:322 -+msgid "Kerberos backup server address" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:323 -+msgid "Kerberos realm" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:324 -+msgid "Authentication timeout" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:325 -+msgid "Whether to create kdcinfo files" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:326 -+msgid "Where to drop krb5 config snippets" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:329 -+msgid "Directory to store credential caches" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:330 -+msgid "Location of the user's credential cache" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:331 -+msgid "Location of the keytab to validate credentials" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:332 -+msgid "Enable credential 
validation" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:333 -+msgid "Store password if offline for later online authentication" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:334 -+msgid "Renewable lifetime of the TGT" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:335 -+msgid "Lifetime of the TGT" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:336 -+msgid "Time between two checks for renewal" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:337 -+msgid "Enables FAST" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:338 -+msgid "Selects the principal to use for FAST" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:339 -+msgid "Enables principal canonicalization" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:340 -+msgid "Enables enterprise principals" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:341 -+msgid "A mapping from user names to Kerberos principal names" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:344 -+#: src/config/SSSDConfig/sssdoptions.py:345 -+msgid "Server where the change password service is running if not on the KDC" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:348 -+msgid "ldap_uri, The URI of the LDAP server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:349 -+msgid "ldap_backup_uri, The URI of the LDAP server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:350 -+msgid "The default base DN" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:351 -+msgid "The Schema Type in use on the LDAP server, rfc2307" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:352 -+msgid "Mode used to change user password" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:353 -+msgid "The default bind DN" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:354 -+msgid "The type of the authentication token of the default bind DN" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:355 -+msgid "The 
authentication token of the default bind DN" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:356 -+msgid "Length of time to attempt connection" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:357 -+msgid "Length of time to attempt synchronous LDAP operations" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:358 -+msgid "Length of time between attempts to reconnect while offline" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:359 -+msgid "Use only the upper case for realm names" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:360 -+msgid "File that contains CA certificates" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:361 -+msgid "Path to CA certificate directory" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:362 -+msgid "File that contains the client certificate" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:363 -+msgid "File that contains the client key" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:364 -+msgid "List of possible ciphers suites" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:365 -+msgid "Require TLS certificate verification" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:366 -+msgid "Specify the sasl mechanism to use" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:367 -+msgid "Specify the sasl authorization id to use" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:368 -+msgid "Specify the sasl authorization realm to use" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:369 -+msgid "Specify the minimal SSF for LDAP sasl authorization" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:370 -+msgid "Specify the maximal SSF for LDAP sasl authorization" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:371 -+msgid "Kerberos service keytab" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:372 -+msgid "Use Kerberos auth for LDAP connection" -+msgstr "" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:373 -+msgid "Follow LDAP referrals" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:374 -+msgid "Lifetime of TGT for LDAP connection" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:375 -+msgid "How to dereference aliases" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:376 -+msgid "Service name for DNS service lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:377 -+msgid "The number of records to retrieve in a single LDAP query" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:378 -+msgid "The number of members that must be missing to trigger a full deref" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:379 -+msgid "" -+"Whether the LDAP library should perform a reverse lookup to canonicalize the " -+"host name during a SASL bind" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:381 -+msgid "" -+"Allows to retain local users as members of an LDAP group for servers that " -+"use the RFC2307 schema." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:384 -+msgid "entryUSN attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:385 -+msgid "lastUSN attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:387 -+msgid "How long to retain a connection to the LDAP server before disconnecting" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:390 -+msgid "Disable the LDAP paging control" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:391 -+msgid "Disable Active Directory range retrieval" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:394 -+msgid "Length of time to wait for a search request" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:395 -+msgid "Length of time to wait for a enumeration request" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:396 -+msgid "Length of time between enumeration updates" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:397 -+msgid "Length of time between cache cleanups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:398 -+msgid "Require TLS for ID lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:399 -+msgid "Use ID-mapping of objectSID instead of pre-set IDs" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:400 -+msgid "Base DN for user lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:401 -+msgid "Scope of user lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:402 -+msgid "Filter for user lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:403 -+msgid "Objectclass for users" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:404 -+msgid "Username attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:405 -+msgid "UID attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:406 -+msgid "Primary GID attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:407 -+msgid "GECOS attribute" -+msgstr "" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:408 -+msgid "Home directory attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:409 -+msgid "Shell attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:410 -+msgid "UUID attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:411 -+#: src/config/SSSDConfig/sssdoptions.py:449 -+msgid "objectSID attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:412 -+msgid "Active Directory primary group attribute for ID-mapping" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:413 -+msgid "User principal attribute (for Kerberos)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:414 -+msgid "Full Name" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:415 -+msgid "memberOf attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:416 -+msgid "Modification time attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:417 -+msgid "shadowLastChange attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:418 -+msgid "shadowMin attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:419 -+msgid "shadowMax attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:420 -+msgid "shadowWarning attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:421 -+msgid "shadowInactive attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:422 -+msgid "shadowExpire attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:423 -+msgid "shadowFlag attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:424 -+msgid "Attribute listing authorized PAM services" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:425 -+msgid "Attribute listing authorized server hosts" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:426 -+msgid "Attribute listing authorized server rhosts" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:427 -+msgid "krbLastPwdChange attribute" -+msgstr 
"" -+ -+#: src/config/SSSDConfig/sssdoptions.py:428 -+msgid "krbPasswordExpiration attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:429 -+msgid "Attribute indicating that server side password policies are active" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:430 -+msgid "accountExpires attribute of AD" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:431 -+msgid "userAccountControl attribute of AD" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:432 -+msgid "nsAccountLock attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:433 -+msgid "loginDisabled attribute of NDS" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:434 -+msgid "loginExpirationTime attribute of NDS" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:435 -+msgid "loginAllowedTimeMap attribute of NDS" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:436 -+msgid "SSH public key attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:437 -+msgid "attribute listing allowed authentication types for a user" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:438 -+msgid "attribute containing the X509 certificate of the user" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:439 -+msgid "attribute containing the email address of the user" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:440 -+msgid "A list of extra attributes to download along with the user entry" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:442 -+msgid "Base DN for group lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:443 -+msgid "Objectclass for groups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:444 -+msgid "Group name" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:445 -+msgid "Group password" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:446 -+msgid "GID attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:447 -+msgid "Group member attribute" 
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:448
-+msgid "Group UUID attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:450
-+msgid "Modification time attribute for groups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:451
-+msgid "Type of the group and other flags"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:452
-+msgid "The LDAP group external member attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:453
-+msgid "Maximum nesting level SSSD will follow"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:454
-+msgid "Filter for group lookups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:455
-+msgid "Scope of group lookups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:457
-+msgid "Base DN for netgroup lookups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:458
-+msgid "Objectclass for netgroups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:459
-+msgid "Netgroup name"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:460
-+msgid "Netgroups members attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:461
-+msgid "Netgroup triple attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:462
-+msgid "Modification time attribute for netgroups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:464
-+msgid "Base DN for service lookups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:465
-+msgid "Objectclass for services"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:466
-+msgid "Service name attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:467
-+msgid "Service port attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:468
-+msgid "Service protocol attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:470
-+msgid "Lower bound for ID-mapping"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:471
-+msgid "Upper bound for ID-mapping"
-+msgstr ""
-+ -+#: src/config/SSSDConfig/sssdoptions.py:472 -+msgid "Number of IDs for each slice when ID-mapping" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:473 -+msgid "Use autorid-compatible algorithm for ID-mapping" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:474 -+msgid "Name of the default domain for ID-mapping" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:475 -+msgid "SID of the default domain for ID-mapping" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:476 -+msgid "Number of secondary slices" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:478 -+msgid "Whether to use Token-Groups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:479 -+msgid "Set lower boundary for allowed IDs from the LDAP server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:480 -+msgid "Set upper boundary for allowed IDs from the LDAP server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:481 -+msgid "DN for ppolicy queries" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:482 -+msgid "How many maximum entries to fetch during a wildcard request" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:485 -+msgid "Policy to evaluate the password expiration" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:489 -+msgid "Which attributes shall be used to evaluate if an account is expired" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:490 -+msgid "Which rules should be used to evaluate access control" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:493 -+msgid "URI of an LDAP server where password changes are allowed" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:494 -+msgid "URI of a backup LDAP server where password changes are allowed" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:495 -+msgid "DNS service name for LDAP password change server" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:496 -+msgid "" -+"Whether to update the 
ldap_user_shadow_last_change attribute after a " -+"password change" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:500 -+msgid "Base DN for sudo rules lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:501 -+msgid "Automatic full refresh period" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:502 -+msgid "Automatic smart refresh period" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:503 -+msgid "Whether to filter rules by hostname, IP addresses and network" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:504 -+msgid "" -+"Hostnames and/or fully qualified domain names of this machine to filter sudo " -+"rules" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:505 -+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:506 -+msgid "Whether to include rules that contains netgroup in host attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:507 -+msgid "" -+"Whether to include rules that contains regular expression in host attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:508 -+msgid "Object class for sudo rules" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:509 -+msgid "Name of attribute that is used as object class for sudo rules" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:510 -+msgid "Sudo rule name" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:511 -+msgid "Sudo rule command attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:512 -+msgid "Sudo rule host attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:513 -+msgid "Sudo rule user attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:514 -+msgid "Sudo rule option attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:515 -+msgid "Sudo rule runas attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:516 -+msgid "Sudo rule runasuser 
attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:517 -+msgid "Sudo rule runasgroup attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:518 -+msgid "Sudo rule notbefore attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:519 -+msgid "Sudo rule notafter attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:520 -+msgid "Sudo rule order attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:523 -+msgid "Object class for automounter maps" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:524 -+msgid "Automounter map name attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:525 -+msgid "Object class for automounter map entries" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:526 -+msgid "Automounter map entry key attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:527 -+msgid "Automounter map entry value attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:528 -+msgid "Base DN for automounter map lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:529 -+msgid "The name of the automount master map in LDAP." 
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:532
-+msgid "Base DN for IP hosts lookups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:533
-+msgid "Object class for IP hosts"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:534
-+msgid "IP host name attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:535
-+msgid "IP host number (address) attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:536
-+msgid "IP host entryUSN attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:537
-+msgid "Base DN for IP networks lookups"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:538
-+msgid "Object class for IP networks"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:539
-+msgid "IP network name attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:540
-+msgid "IP network number (address) attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:541
-+msgid "IP network entryUSN attribute"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:544
-+msgid "Comma separated list of allowed users"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:545
-+msgid "Comma separated list of prohibited users"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:546
-+msgid ""
-+"Comma separated list of groups that are allowed to log in. This applies only "
-+"to groups within this SSSD domain. Local groups are not evaluated."
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:548
-+msgid ""
-+"Comma separated list of groups that are explicitly denied access. This "
-+"applies only to groups within this SSSD domain. Local groups are not "
-+"evaluated."
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:552
-+msgid "Base for home directories"
-+msgstr ""
-+
-+#: src/config/SSSDConfig/sssdoptions.py:553
-+msgid "Indicate if a home directory should be created for new users."
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:554 -+msgid "Indicate if a home directory should be removed for deleted users." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:555 -+msgid "Specify the default permissions on a newly created home directory." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:556 -+msgid "The skeleton directory." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:557 -+msgid "The mail spool directory." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:558 -+msgid "The command that is run after a user is removed." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:561 -+msgid "The number of preforked proxy children." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:564 -+msgid "The name of the NSS library to use" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:565 -+msgid "The name of the NSS library to use for hosts and networks lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:566 -+msgid "Whether to look up canonical group name from cache if possible" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:569 -+msgid "PAM stack to use" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:572 -+msgid "Path of passwd file sources." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:573 -+msgid "Path of group file sources." -+msgstr "" -+ - #: src/monitor/monitor.c:2371 - msgid "Become a daemon (default)" - msgstr "" -@@ -29,7 +1824,8 @@ msgstr "" - msgid "Disable netlink interface" - msgstr "" - --#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_logs.c:310 -+#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_config.c:77 -+#: src/tools/sssctl/sssctl_logs.c:310 - msgid "Specify a non-default config file" - msgstr "" - -@@ -145,88 +1941,88 @@ msgstr "" - msgid "Permission denied. 
" - msgstr "" - --#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 --#: src/sss_client/pam_sss.c:790 -+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 -+#: src/sss_client/pam_sss.c:792 - msgid "Server message: " - msgstr "" - --#: src/sss_client/pam_sss.c:297 -+#: src/sss_client/pam_sss.c:299 - msgid "Passwords do not match" - msgstr "" - --#: src/sss_client/pam_sss.c:485 -+#: src/sss_client/pam_sss.c:487 - msgid "Password reset by root is not supported." - msgstr "" - --#: src/sss_client/pam_sss.c:526 -+#: src/sss_client/pam_sss.c:528 - msgid "Authenticated with cached credentials" - msgstr "" - --#: src/sss_client/pam_sss.c:527 -+#: src/sss_client/pam_sss.c:529 - msgid ", your cached password will expire at: " - msgstr "" - --#: src/sss_client/pam_sss.c:557 -+#: src/sss_client/pam_sss.c:559 - #, c-format - msgid "Your password has expired. You have %1$d grace login(s) remaining." - msgstr "" - --#: src/sss_client/pam_sss.c:603 -+#: src/sss_client/pam_sss.c:605 - #, c-format - msgid "Your password will expire in %1$d %2$s." - msgstr "" - --#: src/sss_client/pam_sss.c:652 -+#: src/sss_client/pam_sss.c:654 - msgid "Authentication is denied until: " - msgstr "" - --#: src/sss_client/pam_sss.c:673 -+#: src/sss_client/pam_sss.c:675 - msgid "System is offline, password change not possible" - msgstr "" - --#: src/sss_client/pam_sss.c:688 -+#: src/sss_client/pam_sss.c:690 - msgid "" - "After changing the OTP password, you need to log out and back in order to " - "acquire a ticket" - msgstr "" - --#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 -+#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 - msgid "Password change failed. 
" - msgstr "" - --#: src/sss_client/pam_sss.c:2008 -+#: src/sss_client/pam_sss.c:2015 - msgid "New Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2009 -+#: src/sss_client/pam_sss.c:2016 - msgid "Reenter new Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 -+#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 - msgid "First Factor: " - msgstr "" - --#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 -+#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 - msgid "Second Factor (optional): " - msgstr "" - --#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 -+#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 - msgid "Second Factor: " - msgstr "" - --#: src/sss_client/pam_sss.c:2190 -+#: src/sss_client/pam_sss.c:2200 - msgid "Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 -+#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 - msgid "First Factor (Current Password): " - msgstr "" - --#: src/sss_client/pam_sss.c:2349 -+#: src/sss_client/pam_sss.c:2359 - msgid "Current Password: " - msgstr "" - --#: src/sss_client/pam_sss.c:2704 -+#: src/sss_client/pam_sss.c:2714 - msgid "Password expired. Change your password now." - msgstr "" - -@@ -901,51 +2697,51 @@ msgstr "" - msgid "Search by group ID" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:70 -+#: src/tools/sssctl/sssctl_config.c:112 - #, c-format - msgid "Failed to open %s\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:75 -+#: src/tools/sssctl/sssctl_config.c:117 - #, c-format - msgid "File %1$s does not exist.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:79 -+#: src/tools/sssctl/sssctl_config.c:121 - msgid "" - "File ownership and permissions check failed. 
Expected root:root and 0600.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:85 -+#: src/tools/sssctl/sssctl_config.c:127 - #, c-format - msgid "Failed to load configuration from %s.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:91 -+#: src/tools/sssctl/sssctl_config.c:133 - msgid "Error while reading configuration directory.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:99 -+#: src/tools/sssctl/sssctl_config.c:141 - msgid "" - "There is no configuration. SSSD will use default configuration with files " - "provider.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:111 -+#: src/tools/sssctl/sssctl_config.c:153 - msgid "Failed to run validators" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:115 -+#: src/tools/sssctl/sssctl_config.c:157 - #, c-format - msgid "Issues identified by validators: %zu\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:126 -+#: src/tools/sssctl/sssctl_config.c:168 - #, c-format - msgid "Messages generated during configuration merging: %zu\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:137 -+#: src/tools/sssctl/sssctl_config.c:179 - #, c-format - msgid "Used configuration snippet files: %zu\n" - msgstr "" -diff --git a/po/zh_CN.po b/po/zh_CN.po -index 44579e70f..892f81453 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -4,41 +4,1845 @@ - # - # Translators: - # Christopher Meng , 2012 -+# Ludek Janda , 2020. 
#zanata - msgid "" - msgstr "" - "Project-Id-Version: PACKAGE VERSION\n" - "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" --"POT-Creation-Date: 2020-05-19 12:05+0200\n" --"PO-Revision-Date: 2014-12-14 11:50+0000\n" -+"POT-Creation-Date: 2020-06-17 22:51+0200\n" -+"MIME-Version: 1.0\n" -+"Content-Type: text/plain; charset=UTF-8\n" -+"Content-Transfer-Encoding: 8bit\n" -+"PO-Revision-Date: 2020-06-18 09:05+0000\n" - "Last-Translator: Copied by Zanata \n" - "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/" - "language/zh_CN/)\n" - "Language: zh_CN\n" --"MIME-Version: 1.0\n" --"Content-Type: text/plain; charset=UTF-8\n" --"Content-Transfer-Encoding: 8bit\n" - "Plural-Forms: nplurals=1; plural=0;\n" - "X-Generator: Zanata 4.6.2\n" - -+#: src/config/SSSDConfig/sssdoptions.py:20 -+#: src/config/SSSDConfig/sssdoptions.py:21 -+msgid "Set the verbosity of the debug logging" -+msgstr "设定调试日志记录等级" -+ -+#: src/config/SSSDConfig/sssdoptions.py:22 -+msgid "Include timestamps in debug logs" -+msgstr "在调试日志中包含时间戳" -+ -+#: src/config/SSSDConfig/sssdoptions.py:23 -+msgid "Include microseconds in timestamps in debug logs" -+msgstr "在调试日志中的时间戳中包含微秒" -+ -+#: src/config/SSSDConfig/sssdoptions.py:24 -+msgid "Write debug messages to logfiles" -+msgstr "写入调试信息到日志文件" -+ -+#: src/config/SSSDConfig/sssdoptions.py:25 -+msgid "Watchdog timeout before restarting service" -+msgstr "重新启动服务前 Watchdog 超时" -+ -+#: src/config/SSSDConfig/sssdoptions.py:26 -+msgid "Command to start service" -+msgstr "启动服务命令" -+ -+#: src/config/SSSDConfig/sssdoptions.py:27 -+msgid "Number of times to attempt connection to Data Providers" -+msgstr "试图连接到 Data Providers 的次数" -+ -+#: src/config/SSSDConfig/sssdoptions.py:28 -+msgid "The number of file descriptors that may be opened by this responder" -+msgstr "可能会被该响应者打开的文件描述符的数量" -+ -+#: src/config/SSSDConfig/sssdoptions.py:29 -+msgid "Idle time before automatic disconnection of a client" -+msgstr "客户端自动断开连接之前的空闲时间" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:30 -+msgid "Idle time before automatic shutdown of the responder" -+msgstr "自动关闭响应者之前的空闲时间" -+ -+#: src/config/SSSDConfig/sssdoptions.py:31 -+msgid "Always query all the caches before querying the Data Providers" -+msgstr "在查询 Data Providers 之前,始终查询所有缓存" -+ -+#: src/config/SSSDConfig/sssdoptions.py:32 -+msgid "" -+"When SSSD switches to offline mode the amount of time before it tries to go " -+"back online will increase based upon the time spent disconnected. This value " -+"is in seconds and calculated by the following: offline_timeout + " -+"random_offset." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:38 -+msgid "" -+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " -+"version 2." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:39 -+msgid "SSSD Services to start" -+msgstr "SSSD 服务启动" -+ -+#: src/config/SSSDConfig/sssdoptions.py:40 -+msgid "SSSD Domains to start" -+msgstr "SSSD 域启动" -+ -+#: src/config/SSSDConfig/sssdoptions.py:41 -+msgid "Timeout for messages sent over the SBUS" -+msgstr "通过 SBUS 发送的消息超时" -+ -+#: src/config/SSSDConfig/sssdoptions.py:42 -+msgid "Regex to parse username and domain" -+msgstr "正则表达式解析用户名和域" -+ -+#: src/config/SSSDConfig/sssdoptions.py:43 -+msgid "Printf-compatible format for displaying fully-qualified names" -+msgstr "兼容 Printf 的格式用于显示完全限定名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:44 -+msgid "" -+"Directory on the filesystem where SSSD should store Kerberos replay cache " -+"files." -+msgstr "SSSD 应该在其中存储 Kerberos 重放缓存文件的文件系统上的目录。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:45 -+msgid "Domain to add to names without a domain component." 
-+msgstr "要添加到名称中的域,没有域组件。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:46 -+msgid "The user to drop privileges to" -+msgstr "放弃特权的用户" -+ -+#: src/config/SSSDConfig/sssdoptions.py:47 -+msgid "Tune certificate verification" -+msgstr "调整证书验证" -+ -+#: src/config/SSSDConfig/sssdoptions.py:48 -+msgid "All spaces in group or user names will be replaced with this character" -+msgstr "组或用户名中的所有空格都将替换为该字符" -+ -+#: src/config/SSSDConfig/sssdoptions.py:49 -+msgid "Tune sssd to honor or ignore netlink state changes" -+msgstr "调整 sssd 来接受或忽略 netlink 状态更改" -+ -+#: src/config/SSSDConfig/sssdoptions.py:50 -+msgid "Enable or disable the implicit files domain" -+msgstr "启用或禁用隐式文件域" -+ -+#: src/config/SSSDConfig/sssdoptions.py:51 -+msgid "A specific order of the domains to be looked up" -+msgstr "要查询的域的特定顺序" -+ -+#: src/config/SSSDConfig/sssdoptions.py:52 -+msgid "" -+"Controls if SSSD should monitor the state of resolv.conf to identify when it " -+"needs to update its internal DNS resolver." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:54 -+msgid "" -+"SSSD monitors the state of resolv.conf to identify when it needs to update " -+"its internal DNS resolver. By default, we will attempt to use inotify for " -+"this, and will fall back to polling resolv.conf every five seconds if " -+"inotify cannot be used." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:59 -+msgid "Enumeration cache timeout length (seconds)" -+msgstr "枚举缓存超时时间(秒)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:60 -+msgid "Entry cache background update timeout length (seconds)" -+msgstr "条目缓存后台更新超时时间(秒)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:61 -+#: src/config/SSSDConfig/sssdoptions.py:112 -+msgid "Negative cache timeout length (seconds)" -+msgstr "负缓存超时时间(秒)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:62 -+msgid "Files negative cache timeout length (seconds)" -+msgstr "文件负缓存超时时间(秒)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:63 -+msgid "Users that SSSD should explicitly ignore" -+msgstr "SSSD 应该明确忽略的用户" -+ -+#: src/config/SSSDConfig/sssdoptions.py:64 -+msgid "Groups that SSSD should explicitly ignore" -+msgstr "SSSD 应该明确忽略的组" -+ -+#: src/config/SSSDConfig/sssdoptions.py:65 -+msgid "Should filtered users appear in groups" -+msgstr "出现在组中的应将过滤的用户" -+ -+#: src/config/SSSDConfig/sssdoptions.py:66 -+msgid "The value of the password field the NSS provider should return" -+msgstr "NSS 提供程序应返回的密码字段的值" -+ -+#: src/config/SSSDConfig/sssdoptions.py:67 -+msgid "Override homedir value from the identity provider with this value" -+msgstr "使用此值覆盖来自身份提供者的 homedir 值" -+ -+#: src/config/SSSDConfig/sssdoptions.py:68 -+msgid "" -+"Substitute empty homedir value from the identity provider with this value" -+msgstr "使用此值替换来自身份提供者的空的 homedir 值" -+ -+#: src/config/SSSDConfig/sssdoptions.py:69 -+msgid "Override shell value from the identity provider with this value" -+msgstr "使用此值覆盖来自身份提供者的 shell 值" -+ -+#: src/config/SSSDConfig/sssdoptions.py:70 -+msgid "The list of shells users are allowed to log in with" -+msgstr "允许进行登陆的 shell 用户列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:71 -+msgid "" -+"The list of shells that will be vetoed, and replaced with the fallback shell" -+msgstr "将被否决并替换为后备 shell 的 shell 列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:72 -+msgid "" -+"If a shell stored in central 
directory is allowed but not available, use " -+"this fallback" -+msgstr "如果允许使用存储在中央目录中的 shell 但并不存在,使用这个后备" -+ -+#: src/config/SSSDConfig/sssdoptions.py:73 -+msgid "Shell to use if the provider does not list one" -+msgstr "如果提供程序未列出,则使用这个 shell" -+ -+#: src/config/SSSDConfig/sssdoptions.py:74 -+msgid "How long will be in-memory cache records valid" -+msgstr "内存缓存记录有效期的长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:75 -+msgid "" -+"The value of this option will be used in the expansion of the " -+"override_homedir option if the template contains the format string %H." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:77 -+msgid "" -+"Specifies time in seconds for which the list of subdomains will be " -+"considered valid." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:79 -+msgid "" -+"The entry cache can be set to automatically update entries in the background " -+"if they are requested beyond a percentage of the entry_cache_timeout value " -+"for the domain." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:84 -+msgid "How long to allow cached logins between online logins (days)" -+msgstr "在线登录间隔多长时间内允许使用缓存的登录(以天为单位)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:85 -+msgid "How many failed logins attempts are allowed when offline" -+msgstr "离线时允许多少次失败的登录尝试" -+ -+#: src/config/SSSDConfig/sssdoptions.py:87 -+msgid "" -+"How long (minutes) to deny login after offline_failed_login_attempts has " -+"been reached" -+msgstr "当达到 offline_failed_login_attempts 之后多长时间要拒绝登录(以分钟为单位)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:88 -+msgid "What kind of messages are displayed to the user during authentication" -+msgstr "在身份验证期间向用户显示什么信息" -+ -+#: src/config/SSSDConfig/sssdoptions.py:89 -+msgid "Filter PAM responses sent to the pam_sss" -+msgstr "过滤发送到 pam_sss 的 PAM 响应" -+ -+#: src/config/SSSDConfig/sssdoptions.py:90 -+msgid "How many seconds to keep identity information cached for PAM requests" -+msgstr "为 PAM 请求保留多长时间的身份信息缓存(以秒为单位)" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:91 -+msgid "How many days before password expiration a warning should be displayed" -+msgstr "在密码过期前几天应显示警告信息" -+ -+#: src/config/SSSDConfig/sssdoptions.py:92 -+msgid "List of trusted uids or user's name" -+msgstr "受信任的 uid 或用户名列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:93 -+msgid "List of domains accessible even for untrusted users." -+msgstr "即使不受信任的用户也可以访问的域列表。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:94 -+msgid "Message printed when user account is expired." -+msgstr "当用户帐户过期时显示的消息。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:95 -+msgid "Message printed when user account is locked." -+msgstr "当用户帐户被锁住时显示的消息。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:96 -+msgid "Allow certificate based/Smartcard authentication." -+msgstr "允许基于证书/智能卡的身份验证。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:97 -+msgid "Path to certificate database with PKCS#11 modules." -+msgstr "带有 PKCS#11 模块的证书数据库的路径。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:98 -+msgid "How many seconds will pam_sss wait for p11_child to finish" -+msgstr "pam_sss 等待 p11_child 完成的时间(以秒为单位)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:99 -+msgid "Which PAM services are permitted to contact application domains" -+msgstr "允许哪些 PAM 服务联系应用程序域" -+ -+#: src/config/SSSDConfig/sssdoptions.py:100 -+msgid "Allowed services for using smartcards" -+msgstr "允许服务使用智能卡" -+ -+#: src/config/SSSDConfig/sssdoptions.py:101 -+msgid "Additional timeout to wait for a card if requested" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:102 -+msgid "" -+"PKCS#11 URI to restrict the selection of devices for Smartcard " -+"authentication" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:103 -+msgid "When shall the PAM responder force an initgroups request" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:106 -+msgid "Whether to evaluate the time-based attributes in sudo rules" -+msgstr "是否在 sudo 规则中评估基于时间的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:107 
-+msgid "If true, SSSD will switch back to lower-wins ordering logic" -+msgstr "如果为 true,SSSD 将切换回 lower-wins ordering 逻辑" -+ -+#: src/config/SSSDConfig/sssdoptions.py:108 -+msgid "" -+"Maximum number of rules that can be refreshed at once. If this is exceeded, " -+"full refresh is performed." -+msgstr "一次可以刷新的最大规则数。如果超出此范围,则执行完全刷新。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:115 -+msgid "Whether to hash host names and addresses in the known_hosts file" -+msgstr "在 known_hosts 文件中是否对主机名和地址进行哈希处理" -+ -+#: src/config/SSSDConfig/sssdoptions.py:116 -+msgid "" -+"How many seconds to keep a host in the known_hosts file after its host keys " -+"were requested" -+msgstr "当请求了它的主机密钥后,将主机保留在 known_hosts 文件中的时间(以秒为单位)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:118 -+msgid "Path to storage of trusted CA certificates" -+msgstr "到可信 CA 证书存储的路径" -+ -+#: src/config/SSSDConfig/sssdoptions.py:119 -+msgid "Allow to generate ssh-keys from certificates" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:120 -+msgid "" -+"Use the following matching rules to filter the certificates for ssh-key " -+"generation" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:124 -+msgid "List of UIDs or user names allowed to access the PAC responder" -+msgstr "允许访问 PAC 响应者的 UID 或用户名列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:125 -+msgid "How long the PAC data is considered valid" -+msgstr "PAC 数据被视为有效的时间长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:128 -+msgid "List of user attributes the InfoPipe is allowed to publish" -+msgstr "允许 InfoPipe 发布的用户属性列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:131 -+msgid "The provider where the secrets will be stored in" -+msgstr "存储 secret 的提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:132 -+msgid "The maximum allowed number of nested containers" -+msgstr "允许嵌套的最大容器数量" -+ -+#: src/config/SSSDConfig/sssdoptions.py:133 -+msgid "The maximum number of secrets that can be stored" -+msgstr "可以存储的最大 secret 数量" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:134 -+msgid "The maximum number of secrets that can be stored per UID" -+msgstr "每个 UID 可以存储的最大 secret 数量" -+ -+#: src/config/SSSDConfig/sssdoptions.py:135 -+msgid "The maximum payload size of a secret in kilobytes" -+msgstr "一个 secret 的最大有效负载的大小(以千字节为单位)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:137 -+msgid "The URL Custodia server is listening on" -+msgstr "正在侦听的 URL Custodia 服务器" -+ -+#: src/config/SSSDConfig/sssdoptions.py:138 -+msgid "The method to use when authenticating to a Custodia server" -+msgstr "当向 Custodia 服务器进行身份验证时使用的方法" -+ -+#: src/config/SSSDConfig/sssdoptions.py:139 -+msgid "" -+"The name of the headers that will be added into a HTTP request with the " -+"value defined in auth_header_value" -+msgstr "将使用 auth_header_value 中定义的值添加到 HTTP 请求中的标头名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:141 -+msgid "The value sssd-secrets would use for auth_header_name" -+msgstr "用于 auth_header_name 的 sssd-secrets 值" -+ -+#: src/config/SSSDConfig/sssdoptions.py:142 -+msgid "" -+"The list of the headers to forward to the Custodia server together with the " -+"request" -+msgstr "与请求一起转发到 Custodia 服务器的标头列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:143 -+msgid "" -+"The username to use when authenticating to a Custodia server using " -+"basic_auth" -+msgstr "当向使用 basic_auth 的 Custodia 服务器进行身份验证时使用的用户名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:144 -+msgid "" -+"The password to use when authenticating to a Custodia server using " -+"basic_auth" -+msgstr "当向使用 basic_auth 的 Custodia 服务器进行身份验证时使用的密码" -+ -+#: src/config/SSSDConfig/sssdoptions.py:145 -+msgid "" -+"If true peer's certificate is verified if proxy_url uses https protocol" -+msgstr "如果 proxy_url 使用 https 协议,是否验证真实的对等方的证书" -+ -+#: src/config/SSSDConfig/sssdoptions.py:146 -+msgid "" -+"If false peer's certificate may contain different hostname than proxy_url " -+"when https protocol is used" -+msgstr "使用 https 协议时,错误的对等方证书的主机名可能与 proxy_url 不同" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:148 -+msgid "Path to directory where certificate authority certificates are stored" -+msgstr "证书颁发机构证书存储目录的路径" -+ -+#: src/config/SSSDConfig/sssdoptions.py:149 -+msgid "Path to file containing server's CA certificate" -+msgstr "包含服务器 CA 证书的文件的路径" -+ -+#: src/config/SSSDConfig/sssdoptions.py:150 -+msgid "Path to file containing client's certificate" -+msgstr "包含客户端证书的文件的路径" -+ -+#: src/config/SSSDConfig/sssdoptions.py:151 -+msgid "Path to file containing client's private key" -+msgstr "包含客户端私钥的文件的路径" -+ -+#: src/config/SSSDConfig/sssdoptions.py:154 -+msgid "" -+"One of the following strings specifying the scope of session recording: none " -+"- No users are recorded. some - Users/groups specified by users and groups " -+"options are recorded. all - All users are recorded." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:157 -+msgid "" -+"A comma-separated list of users which should have session recording enabled. " -+"Matches user names as returned by NSS. I.e. after the possible space " -+"replacement, case changes, etc." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:159 -+msgid "" -+"A comma-separated list of groups, members of which should have session " -+"recording enabled. Matches group names as returned by NSS. I.e. after the " -+"possible space replacement, case changes, etc." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:164 -+msgid "Identity provider" -+msgstr "身份提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:165 -+msgid "Authentication provider" -+msgstr "身份验证提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:166 -+msgid "Access control provider" -+msgstr "访问控制提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:167 -+msgid "Password change provider" -+msgstr "密码改变提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:168 -+msgid "SUDO provider" -+msgstr "SUDO 提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:169 -+msgid "Autofs provider" -+msgstr "Autofs 提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:170 -+msgid "Host identity provider" -+msgstr "主机身份提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:171 -+msgid "SELinux provider" -+msgstr "SELinux 提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:172 -+msgid "Session management provider" -+msgstr "会话管理提供者" -+ -+#: src/config/SSSDConfig/sssdoptions.py:173 -+msgid "Resolver provider" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:176 -+msgid "Whether the domain is usable by the OS or by applications" -+msgstr "域是否可以被 OS 或应用程序使用" -+ -+#: src/config/SSSDConfig/sssdoptions.py:177 -+msgid "Minimum user ID" -+msgstr "最小用户 ID" -+ -+#: src/config/SSSDConfig/sssdoptions.py:178 -+msgid "Maximum user ID" -+msgstr "最大用户 ID" -+ -+#: src/config/SSSDConfig/sssdoptions.py:179 -+msgid "Enable enumerating all users/groups" -+msgstr "启用枚举所有用户/组" -+ -+#: src/config/SSSDConfig/sssdoptions.py:180 -+msgid "Cache credentials for offline login" -+msgstr "为脱机登录缓存凭据" -+ -+#: src/config/SSSDConfig/sssdoptions.py:181 -+msgid "Display users/groups in fully-qualified form" -+msgstr "以完全限定的形式显示用户/组" -+ -+#: src/config/SSSDConfig/sssdoptions.py:182 -+msgid "Don't include group members in group lookups" -+msgstr "在组查询中不包括的组成员" -+ -+#: src/config/SSSDConfig/sssdoptions.py:183 -+#: src/config/SSSDConfig/sssdoptions.py:193 -+#: src/config/SSSDConfig/sssdoptions.py:194 -+#: 
src/config/SSSDConfig/sssdoptions.py:195 -+#: src/config/SSSDConfig/sssdoptions.py:196 -+#: src/config/SSSDConfig/sssdoptions.py:197 -+#: src/config/SSSDConfig/sssdoptions.py:198 -+#: src/config/SSSDConfig/sssdoptions.py:199 -+msgid "Entry cache timeout length (seconds)" -+msgstr "输入缓存超时时间(秒)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:184 -+msgid "" -+"Restrict or prefer a specific address family when performing DNS lookups" -+msgstr "执行 DNS 查找时限制或首选使用特定的地址系列" -+ -+#: src/config/SSSDConfig/sssdoptions.py:185 -+msgid "How long to keep cached entries after last successful login (days)" -+msgstr "上次成功登录后保留缓存条目的时间(天)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:186 -+msgid "" -+"How long should SSSD talk to single DNS server before trying next server " -+"(miliseconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:188 -+msgid "How long should keep trying to resolve single DNS query (seconds)" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:189 -+msgid "How long to wait for replies from DNS when resolving servers (seconds)" -+msgstr "解析服务器时等待 DNS 回复的时间(秒)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:190 -+msgid "The domain part of service discovery DNS query" -+msgstr "服务发现 DNS 查询的域部分" -+ -+#: src/config/SSSDConfig/sssdoptions.py:191 -+msgid "Override GID value from the identity provider with this value" -+msgstr "使用此值覆盖来自身份提供者的 GID 值" -+ -+#: src/config/SSSDConfig/sssdoptions.py:192 -+msgid "Treat usernames as case sensitive" -+msgstr "用户名区分大小写" -+ -+#: src/config/SSSDConfig/sssdoptions.py:200 -+msgid "How often should expired entries be refreshed in background" -+msgstr "过期条目应在后台刷新的频率" -+ -+#: src/config/SSSDConfig/sssdoptions.py:201 -+msgid "Whether to automatically update the client's DNS entry" -+msgstr "是否自动更新客户端的 DNS 条目" -+ -+#: src/config/SSSDConfig/sssdoptions.py:202 -+#: src/config/SSSDConfig/sssdoptions.py:232 -+msgid "The TTL to apply to the client's DNS entry after updating it" -+msgstr "更新后应用于客户端 DNS 条目的TTL" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:203 -+#: src/config/SSSDConfig/sssdoptions.py:233 -+msgid "The interface whose IP should be used for dynamic DNS updates" -+msgstr "应该用于动态 DNS 更新的接口的 IP 地址" -+ -+#: src/config/SSSDConfig/sssdoptions.py:204 -+msgid "How often to periodically update the client's DNS entry" -+msgstr "定期更新客户端的 DNS 条目的频率" -+ -+#: src/config/SSSDConfig/sssdoptions.py:205 -+msgid "Whether the provider should explicitly update the PTR record as well" -+msgstr "提供者是否应该明确更新 PTR 记录" -+ -+#: src/config/SSSDConfig/sssdoptions.py:206 -+msgid "Whether the nsupdate utility should default to using TCP" -+msgstr "nsupdate 实用程序是否应默认使用 TCP" -+ -+#: src/config/SSSDConfig/sssdoptions.py:207 -+msgid "What kind of authentication should be used to perform the DNS update" -+msgstr "在执行 DNS 更新时应该使用哪种身份验证" -+ -+#: src/config/SSSDConfig/sssdoptions.py:208 -+msgid "Override the DNS server used to perform the DNS update" -+msgstr "覆盖用于执行 DNS 更新的 DNS 服务器" -+ -+#: src/config/SSSDConfig/sssdoptions.py:209 -+msgid "Control enumeration of trusted domains" -+msgstr "信任域的控制枚举" -+ -+#: src/config/SSSDConfig/sssdoptions.py:210 -+msgid "How often should subdomains list be refreshed" -+msgstr "子域列表应该多久刷新一次" -+ -+#: src/config/SSSDConfig/sssdoptions.py:211 -+msgid "List of options that should be inherited into a subdomain" -+msgstr "应该被继承到子域中的选项列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:212 -+msgid "Default subdomain homedir value" -+msgstr "默认子域 homedir 值" -+ -+#: src/config/SSSDConfig/sssdoptions.py:213 -+msgid "How long can cached credentials be used for cached authentication" -+msgstr "可以使用缓存凭证用于缓存身份验证的时间" -+ -+#: src/config/SSSDConfig/sssdoptions.py:214 -+msgid "Whether to automatically create private groups for users" -+msgstr "是否自动为用户创建私人组" -+ -+#: src/config/SSSDConfig/sssdoptions.py:215 -+msgid "Display a warning N days before the password expires." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:216 -+msgid "" -+"Various tags stored by the realmd configuration service for this domain." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:217 -+msgid "" -+"The provider which should handle fetching of subdomains. This value should " -+"be always the same as id_provider." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:219 -+msgid "" -+"How many seconds to keep a host ssh key after refresh. IE how long to cache " -+"the host key for." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:221 -+msgid "" -+"If 2-Factor-Authentication (2FA) is used and credentials should be saved " -+"this value determines the minimal length the first authentication factor " -+"(long term password) must have to be saved as SHA512 hash into the cache." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:227 -+msgid "IPA domain" -+msgstr "IPA 域" -+ -+#: src/config/SSSDConfig/sssdoptions.py:228 -+msgid "IPA server address" -+msgstr "IPA 服务器地址" -+ -+#: src/config/SSSDConfig/sssdoptions.py:229 -+msgid "Address of backup IPA server" -+msgstr "IPA 备份服务器地址" -+ -+#: src/config/SSSDConfig/sssdoptions.py:230 -+msgid "IPA client hostname" -+msgstr "IPA 客户端主机名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:231 -+msgid "Whether to automatically update the client's DNS entry in FreeIPA" -+msgstr "是否在 FreeIPA 中自动更新客户端的 DNS 条目" -+ -+#: src/config/SSSDConfig/sssdoptions.py:234 -+msgid "Search base for HBAC related objects" -+msgstr "HBAC 相关对象的搜索基础" -+ -+#: src/config/SSSDConfig/sssdoptions.py:235 -+msgid "" -+"The amount of time between lookups of the HBAC rules against the IPA server" -+msgstr "针对 IPA 服务器查找 HBAC 规则之间的时间间隔" -+ -+#: src/config/SSSDConfig/sssdoptions.py:236 -+msgid "" -+"The amount of time in seconds between lookups of the SELinux maps against " -+"the IPA server" -+msgstr "针对 IPA 服务器查找 SELinux 映射之间的时间间隔" -+ -+#: src/config/SSSDConfig/sssdoptions.py:238 -+msgid "If set to false, host argument given by PAM 
will be ignored" -+msgstr "如果设置为 false,PAM 提供的主机参数将被忽略" -+ -+#: src/config/SSSDConfig/sssdoptions.py:239 -+msgid "The automounter location this IPA client is using" -+msgstr "此 IPA 客户端使用的自动挂载器的位置" -+ -+#: src/config/SSSDConfig/sssdoptions.py:240 -+msgid "Search base for object containing info about IPA domain" -+msgstr "搜索包含有关 IPA 域信息的对象的搜索基础" -+ -+#: src/config/SSSDConfig/sssdoptions.py:241 -+msgid "Search base for objects containing info about ID ranges" -+msgstr "搜索包含有关 ID 范围信息的对象的搜索基础" -+ -+#: src/config/SSSDConfig/sssdoptions.py:242 -+#: src/config/SSSDConfig/sssdoptions.py:296 -+msgid "Enable DNS sites - location based service discovery" -+msgstr "启用 DNS 站点 - 基于位置的服务发现" -+ -+#: src/config/SSSDConfig/sssdoptions.py:243 -+msgid "Search base for view containers" -+msgstr "查看容器的搜索基础" -+ -+#: src/config/SSSDConfig/sssdoptions.py:244 -+msgid "Objectclass for view containers" -+msgstr "查看容器的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:245 -+msgid "Attribute with the name of the view" -+msgstr "具有视图名称的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:246 -+msgid "Objectclass for override objects" -+msgstr "覆盖对象的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:247 -+msgid "Attribute with the reference to the original object" -+msgstr "带有到原始对象参考的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:248 -+msgid "Objectclass for user override objects" -+msgstr "用户覆盖对象的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:249 -+msgid "Objectclass for group override objects" -+msgstr "组覆盖对象的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:250 -+msgid "Search base for Desktop Profile related objects" -+msgstr "Desktop Profile 相关对象的搜索基础" -+ -+#: src/config/SSSDConfig/sssdoptions.py:251 -+msgid "" -+"The amount of time in seconds between lookups of the Desktop Profile rules " -+"against the IPA server" -+msgstr "针对 IPA 服务器查找 Desktop Profile 规则之间的时间间隔" -+ -+#: src/config/SSSDConfig/sssdoptions.py:253 -+msgid "" -+"The amount of time in minutes between lookups of Desktop Profiles 
rules " -+"against the IPA server when the last request did not find any rule" -+msgstr "当最后一个请求未找到任何规则时,针对 IPA 服务器的Desktop Profiles 规则查找之间的时间间隔(以分钟为单位)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:256 -+msgid "The LDAP attribute that contains FQDN of the host." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:257 -+#: src/config/SSSDConfig/sssdoptions.py:280 -+msgid "The object class of a host entry in LDAP." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:258 -+msgid "Use the given string as search base for host objects." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:259 -+msgid "The LDAP attribute that contains the host's SSH public keys." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:260 -+msgid "The LDAP attribute that contains NIS domain name of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:261 -+msgid "The LDAP attribute that contains the names of the netgroup's members." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:262 -+msgid "" -+"The LDAP attribute that lists FQDNs of hosts and host groups that are " -+"members of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:264 -+msgid "" -+"The LDAP attribute that lists hosts and host groups that are direct members " -+"of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:266 -+msgid "The LDAP attribute that lists netgroup's memberships." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:267 -+msgid "" -+"The LDAP attribute that lists system users and groups that are direct " -+"members of the netgroup." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:269 -+msgid "The LDAP attribute that corresponds to the netgroup name." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:270 -+msgid "The object class of a netgroup entry in LDAP." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:271 -+msgid "" -+"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:272 -+msgid "" -+"The LDAP attribute that contains whether or not is user map enabled for " -+"usage." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:274 -+msgid "The LDAP attribute that contains host category such as 'all'." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:275 -+msgid "" -+"The LDAP attribute that contains all hosts / hostgroups this rule match " -+"against." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:277 -+msgid "" -+"The LDAP attribute that contains all users / groups this rule match against." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:279 -+msgid "The LDAP attribute that contains the name of SELinux usermap." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:281 -+msgid "" -+"The LDAP attribute that contains DN of HBAC rule which can be used for " -+"matching instead of memberUser and memberHost." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:283 -+msgid "The LDAP attribute that contains SELinux user string itself." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:284 -+msgid "The LDAP attribute that contains user category such as 'all'." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:285 -+msgid "The LDAP attribute that contains unique ID of the user map." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:286 -+msgid "" -+"The option denotes that the SSSD is running on IPA server and should perform " -+"lookups of users and groups from trusted domains differently." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:288 -+msgid "Use the given string as search base for trusted domains." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:291 -+msgid "Active Directory domain" -+msgstr "活动目录域" -+ -+#: src/config/SSSDConfig/sssdoptions.py:292 -+msgid "Enabled Active Directory domains" -+msgstr "启用活动目录域" -+ -+#: src/config/SSSDConfig/sssdoptions.py:293 -+msgid "Active Directory server address" -+msgstr "没动目录服务器地址" -+ -+#: src/config/SSSDConfig/sssdoptions.py:294 -+msgid "Active Directory backup server address" -+msgstr "没动目录备份服务器地址" -+ -+#: src/config/SSSDConfig/sssdoptions.py:295 -+msgid "Active Directory client hostname" -+msgstr "活动目录客户端主机名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:297 -+#: src/config/SSSDConfig/sssdoptions.py:488 -+msgid "LDAP filter to determine access privileges" -+msgstr "用于决定访问权限 的 LDAP 过滤器" -+ -+#: src/config/SSSDConfig/sssdoptions.py:298 -+msgid "Whether to use the Global Catalog for lookups" -+msgstr "是否使用 Global Catalog 进行查找" -+ -+#: src/config/SSSDConfig/sssdoptions.py:299 -+msgid "Operation mode for GPO-based access control" -+msgstr "基于 GPO 的访问控制的操作模式" -+ -+#: src/config/SSSDConfig/sssdoptions.py:300 -+msgid "" -+"The amount of time between lookups of the GPO policy files against the AD " -+"server" -+msgstr "针对 IPA 服务器查找 GPO 策略文件之间的时间间隔" -+ -+#: src/config/SSSDConfig/sssdoptions.py:301 -+msgid "" -+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " -+"settings" -+msgstr "映射到 GPO (Deny)InteractiveLogonRight 策略设置的 PAM 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:303 -+msgid "" -+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " -+"policy settings" -+msgstr "映射到 GPO (Deny)RemoteInteractiveLogonRight 策略设置的 PAM 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:305 -+msgid "" -+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy " -+"settings" -+msgstr "映射到 GPO (Deny)NetworkLogonRight 策略设置的 PAM 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:306 -+msgid "" -+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" 
-+msgstr "映射到 GPO (Deny)BatchLogonRight 策略设置的 PAM 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:307 -+msgid "" -+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy " -+"settings" -+msgstr "映射到 GPO (Deny)ServiceLogonRight 策略设置的 PAM 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:308 -+msgid "PAM service names for which GPO-based access is always granted" -+msgstr "基于 GPO 的访问始终会被授予的 PAM 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:309 -+msgid "PAM service names for which GPO-based access is always denied" -+msgstr "基于 GPO 的访问始终会被拒绝的 PAM 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:310 -+msgid "" -+"Default logon right (or permit/deny) to use for unmapped PAM service names" -+msgstr "用于未映射的 PAM 服务名称的默认登录权(或允许/拒绝)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:311 -+msgid "a particular site to be used by the client" -+msgstr "客户要使用的特定站点" -+ -+#: src/config/SSSDConfig/sssdoptions.py:312 -+msgid "" -+"Maximum age in days before the machine account password should be renewed" -+msgstr "机器帐户密码需要续订的最长期限(天)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:314 -+msgid "Option for tuning the machine account renewal task" -+msgstr "用于调整机器帐户续订任务的选项" -+ -+#: src/config/SSSDConfig/sssdoptions.py:315 -+msgid "Whether to update the machine account password in the Samba database" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:317 -+msgid "Use LDAPS port for LDAP and Global Catalog requests" -+msgstr "将 LDAPS 端口用于 LDAP 和 Global Catalog 请求" -+ -+#: src/config/SSSDConfig/sssdoptions.py:320 -+#: src/config/SSSDConfig/sssdoptions.py:321 -+msgid "Kerberos server address" -+msgstr "Kerberos 服务器地址" -+ -+#: src/config/SSSDConfig/sssdoptions.py:322 -+msgid "Kerberos backup server address" -+msgstr "Kerberos 备份服务器地址" -+ -+#: src/config/SSSDConfig/sssdoptions.py:323 -+msgid "Kerberos realm" -+msgstr "Kerberos realm" -+ -+#: src/config/SSSDConfig/sssdoptions.py:324 -+msgid "Authentication timeout" -+msgstr "验证超时" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:325 -+msgid "Whether to create kdcinfo files" -+msgstr "是否创建 kdcinfo 文件" -+ -+#: src/config/SSSDConfig/sssdoptions.py:326 -+msgid "Where to drop krb5 config snippets" -+msgstr "在哪里放置 krb5 配置片段" -+ -+#: src/config/SSSDConfig/sssdoptions.py:329 -+msgid "Directory to store credential caches" -+msgstr "存储凭证缓存的目录" -+ -+#: src/config/SSSDConfig/sssdoptions.py:330 -+msgid "Location of the user's credential cache" -+msgstr "用户凭证缓存的位置" -+ -+#: src/config/SSSDConfig/sssdoptions.py:331 -+msgid "Location of the keytab to validate credentials" -+msgstr "用于验证凭据的密钥表的位置" -+ -+#: src/config/SSSDConfig/sssdoptions.py:332 -+msgid "Enable credential validation" -+msgstr "启用凭证验证" -+ -+#: src/config/SSSDConfig/sssdoptions.py:333 -+msgid "Store password if offline for later online authentication" -+msgstr "离线时存储密码,以便以后进行在线身份验证" -+ -+#: src/config/SSSDConfig/sssdoptions.py:334 -+msgid "Renewable lifetime of the TGT" -+msgstr "TGT 的可更新寿命" -+ -+#: src/config/SSSDConfig/sssdoptions.py:335 -+msgid "Lifetime of the TGT" -+msgstr "TGT 的寿命" -+ -+#: src/config/SSSDConfig/sssdoptions.py:336 -+msgid "Time between two checks for renewal" -+msgstr "两次更新检查之间的间隔时间" -+ -+#: src/config/SSSDConfig/sssdoptions.py:337 -+msgid "Enables FAST" -+msgstr "启用 FAST" -+ -+#: src/config/SSSDConfig/sssdoptions.py:338 -+msgid "Selects the principal to use for FAST" -+msgstr "选择用于 FAST 的主体" -+ -+#: src/config/SSSDConfig/sssdoptions.py:339 -+msgid "Enables principal canonicalization" -+msgstr "启用主体规范化" -+ -+#: src/config/SSSDConfig/sssdoptions.py:340 -+msgid "Enables enterprise principals" -+msgstr "启用企业主体" -+ -+#: src/config/SSSDConfig/sssdoptions.py:341 -+msgid "A mapping from user names to Kerberos principal names" -+msgstr "从用户名到 Kerberos 主体名称的映射" -+ -+#: src/config/SSSDConfig/sssdoptions.py:344 -+#: src/config/SSSDConfig/sssdoptions.py:345 -+msgid "Server where the change password service is running if not on the KDC" -+msgstr "如果不在 KDC 上,运行更改密码服务的服务器" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:348 -+msgid "ldap_uri, The URI of the LDAP server" -+msgstr "ldap_uri,LDAP 服务器的 URI" -+ -+#: src/config/SSSDConfig/sssdoptions.py:349 -+msgid "ldap_backup_uri, The URI of the LDAP server" -+msgstr "ldap_backup_uri,LDAP 服务器的 URI" -+ -+#: src/config/SSSDConfig/sssdoptions.py:350 -+msgid "The default base DN" -+msgstr "默认基本 DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:351 -+msgid "The Schema Type in use on the LDAP server, rfc2307" -+msgstr "LDAP 服务器上使用的 Schema Type,rfc2307" -+ -+#: src/config/SSSDConfig/sssdoptions.py:352 -+msgid "Mode used to change user password" -+msgstr "用来修改用户密码的模式" -+ -+#: src/config/SSSDConfig/sssdoptions.py:353 -+msgid "The default bind DN" -+msgstr "默认绑定 DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:354 -+msgid "The type of the authentication token of the default bind DN" -+msgstr "默认绑定 DN 的身份验证令牌的类型" -+ -+#: src/config/SSSDConfig/sssdoptions.py:355 -+msgid "The authentication token of the default bind DN" -+msgstr "默认绑定 DN 的身份验证令牌" -+ -+#: src/config/SSSDConfig/sssdoptions.py:356 -+msgid "Length of time to attempt connection" -+msgstr "尝试连接的时间长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:357 -+msgid "Length of time to attempt synchronous LDAP operations" -+msgstr "尝试同步 LDAP 操作的时间长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:358 -+msgid "Length of time between attempts to reconnect while offline" -+msgstr "离线时尝试重新连接的时间间隔" -+ -+#: src/config/SSSDConfig/sssdoptions.py:359 -+msgid "Use only the upper case for realm names" -+msgstr "realm 名称仅使用大写字母" -+ -+#: src/config/SSSDConfig/sssdoptions.py:360 -+msgid "File that contains CA certificates" -+msgstr "包含 CA 证书的文件" -+ -+#: src/config/SSSDConfig/sssdoptions.py:361 -+msgid "Path to CA certificate directory" -+msgstr "CA 证书目录的路径" -+ -+#: src/config/SSSDConfig/sssdoptions.py:362 -+msgid "File that contains the client certificate" -+msgstr "包含客户端 CA 证书的文件" -+ -+#: src/config/SSSDConfig/sssdoptions.py:363 -+msgid "File that contains the client key" 
-+msgstr "包含客户端密钥的文件" -+ -+#: src/config/SSSDConfig/sssdoptions.py:364 -+msgid "List of possible ciphers suites" -+msgstr "可能的加密套件列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:365 -+msgid "Require TLS certificate verification" -+msgstr "调整 TLS 证书验证" -+ -+#: src/config/SSSDConfig/sssdoptions.py:366 -+msgid "Specify the sasl mechanism to use" -+msgstr "指定要使用的 sasl 机制" -+ -+#: src/config/SSSDConfig/sssdoptions.py:367 -+msgid "Specify the sasl authorization id to use" -+msgstr "指定要使用的 sasl 授权 ID" -+ -+#: src/config/SSSDConfig/sssdoptions.py:368 -+msgid "Specify the sasl authorization realm to use" -+msgstr "指定要使用的 sasl 授权 realm" -+ -+#: src/config/SSSDConfig/sssdoptions.py:369 -+msgid "Specify the minimal SSF for LDAP sasl authorization" -+msgstr "为 LDAP sasl 授权指定最小的 SSF" -+ -+#: src/config/SSSDConfig/sssdoptions.py:370 -+msgid "Specify the maximal SSF for LDAP sasl authorization" -+msgstr "为 LDAP sasl 授权指定最大的 SSF" -+ -+#: src/config/SSSDConfig/sssdoptions.py:371 -+msgid "Kerberos service keytab" -+msgstr "Kerberos服务密钥表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:372 -+msgid "Use Kerberos auth for LDAP connection" -+msgstr "使用 Kerberos 身份验证进行 LDAP 连接" -+ -+#: src/config/SSSDConfig/sssdoptions.py:373 -+msgid "Follow LDAP referrals" -+msgstr "遵循 LDAP 引用" -+ -+#: src/config/SSSDConfig/sssdoptions.py:374 -+msgid "Lifetime of TGT for LDAP connection" -+msgstr "TGT 的 LDAP 连接生命周期" -+ -+#: src/config/SSSDConfig/sssdoptions.py:375 -+msgid "How to dereference aliases" -+msgstr "如何取消引用别名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:376 -+msgid "Service name for DNS service lookups" -+msgstr "DNS 服务查找的服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:377 -+msgid "The number of records to retrieve in a single LDAP query" -+msgstr "单个 LDAP 查询中要检索的记录数" -+ -+#: src/config/SSSDConfig/sssdoptions.py:378 -+msgid "The number of members that must be missing to trigger a full deref" -+msgstr "触发完全取消引用请最少需要缺少的成员数" -+ -+#: src/config/SSSDConfig/sssdoptions.py:379 -+msgid "" -+"Whether 
the LDAP library should perform a reverse lookup to canonicalize the " -+"host name during a SASL bind" -+msgstr "在 SASL绑定期间,LDAP 库是否应执行反向查找以规范化主机名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:381 -+msgid "" -+"Allows to retain local users as members of an LDAP group for servers that " -+"use the RFC2307 schema." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:384 -+msgid "entryUSN attribute" -+msgstr "entryUSN 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:385 -+msgid "lastUSN attribute" -+msgstr "lastUSN 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:387 -+msgid "" -+"How long to retain a connection to the LDAP server before disconnecting" -+msgstr "断开连接前与 LDAP 服务器保持连接的时间" -+ -+#: src/config/SSSDConfig/sssdoptions.py:390 -+msgid "Disable the LDAP paging control" -+msgstr "禁用 LDAP 分页控制" -+ -+#: src/config/SSSDConfig/sssdoptions.py:391 -+msgid "Disable Active Directory range retrieval" -+msgstr "禁用 Active Directory 范围检索" -+ -+#: src/config/SSSDConfig/sssdoptions.py:394 -+msgid "Length of time to wait for a search request" -+msgstr "等待搜索请求的时间长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:395 -+msgid "Length of time to wait for a enumeration request" -+msgstr "等待枚举请求的时间长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:396 -+msgid "Length of time between enumeration updates" -+msgstr "枚举更新之间的时间长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:397 -+msgid "Length of time between cache cleanups" -+msgstr "两次缓存清除之间的时间长度" -+ -+#: src/config/SSSDConfig/sssdoptions.py:398 -+msgid "Require TLS for ID lookups" -+msgstr "需要 TLS 进行 ID 查找" -+ -+#: src/config/SSSDConfig/sssdoptions.py:399 -+msgid "Use ID-mapping of objectSID instead of pre-set IDs" -+msgstr "使用 objectSID 的 ID 映射而不是预设的 ID" -+ -+#: src/config/SSSDConfig/sssdoptions.py:400 -+msgid "Base DN for user lookups" -+msgstr "用户查找的基本 DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:401 -+msgid "Scope of user lookups" -+msgstr "用户查找范围" -+ -+#: src/config/SSSDConfig/sssdoptions.py:402 -+msgid "Filter for user 
lookups" -+msgstr "用户查找过滤" -+ -+#: src/config/SSSDConfig/sssdoptions.py:403 -+msgid "Objectclass for users" -+msgstr "用户的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:404 -+msgid "Username attribute" -+msgstr "用户名属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:405 -+msgid "UID attribute" -+msgstr "UID 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:406 -+msgid "Primary GID attribute" -+msgstr "主 GID 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:407 -+msgid "GECOS attribute" -+msgstr "GECOS 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:408 -+msgid "Home directory attribute" -+msgstr "家目录属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:409 -+msgid "Shell attribute" -+msgstr "Shell 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:410 -+msgid "UUID attribute" -+msgstr "UUID 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:411 -+#: src/config/SSSDConfig/sssdoptions.py:449 -+msgid "objectSID attribute" -+msgstr "objectSID 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:412 -+msgid "Active Directory primary group attribute for ID-mapping" -+msgstr "用于 ID 映射的活动目录的主组属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:413 -+msgid "User principal attribute (for Kerberos)" -+msgstr "用户主体属性(用于 Kerberos)" -+ -+#: src/config/SSSDConfig/sssdoptions.py:414 -+msgid "Full Name" -+msgstr "全称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:415 -+msgid "memberOf attribute" -+msgstr "memberOf 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:416 -+msgid "Modification time attribute" -+msgstr "修改时间属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:417 -+msgid "shadowLastChange attribute" -+msgstr "shadowLastChange 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:418 -+msgid "shadowMin attribute" -+msgstr "shadowMin 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:419 -+msgid "shadowMax attribute" -+msgstr "shadowMax 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:420 -+msgid "shadowWarning attribute" -+msgstr "shadowWarning 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:421 
-+msgid "shadowInactive attribute" -+msgstr "shadowInactive 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:422 -+msgid "shadowExpire attribute" -+msgstr "shadowExpire 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:423 -+msgid "shadowFlag attribute" -+msgstr "shadowFlag 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:424 -+msgid "Attribute listing authorized PAM services" -+msgstr "列出授权的 PAM 服务的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:425 -+msgid "Attribute listing authorized server hosts" -+msgstr "列出授权的服务器主机的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:426 -+msgid "Attribute listing authorized server rhosts" -+msgstr "列出授权的服务器 rhost 的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:427 -+msgid "krbLastPwdChange attribute" -+msgstr "krbLastPwdChange 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:428 -+msgid "krbPasswordExpiration attribute" -+msgstr "krbPasswordExpiration 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:429 -+msgid "Attribute indicating that server side password policies are active" -+msgstr "用来指示服务器端密码策略处于活动状态的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:430 -+msgid "accountExpires attribute of AD" -+msgstr "AD 的 accountExpires 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:431 -+msgid "userAccountControl attribute of AD" -+msgstr "AD 的 userAccountControl 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:432 -+msgid "nsAccountLock attribute" -+msgstr "nsAccountLock 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:433 -+msgid "loginDisabled attribute of NDS" -+msgstr "NDS 的 loginDisabled 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:434 -+msgid "loginExpirationTime attribute of NDS" -+msgstr "NDS 的 loginExpirationTime 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:435 -+msgid "loginAllowedTimeMap attribute of NDS" -+msgstr "NDS 的 loginAllowedTimeMap 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:436 -+msgid "SSH public key attribute" -+msgstr "SSH 公钥属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:437 -+msgid 
"attribute listing allowed authentication types for a user" -+msgstr "列出用户允许的身份验证类型的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:438 -+msgid "attribute containing the X509 certificate of the user" -+msgstr "包含用户的 X509 证书的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:439 -+msgid "attribute containing the email address of the user" -+msgstr "包含用户电子邮件地址的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:440 -+msgid "A list of extra attributes to download along with the user entry" -+msgstr "要与用户条目一起下载的其他属性的列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:442 -+msgid "Base DN for group lookups" -+msgstr "组查找的基本 DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:443 -+msgid "Objectclass for groups" -+msgstr "组的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:444 -+msgid "Group name" -+msgstr "组名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:445 -+msgid "Group password" -+msgstr "组密码" -+ -+#: src/config/SSSDConfig/sssdoptions.py:446 -+msgid "GID attribute" -+msgstr "GID 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:447 -+msgid "Group member attribute" -+msgstr "组成员属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:448 -+msgid "Group UUID attribute" -+msgstr "组 UUID 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:450 -+msgid "Modification time attribute for groups" -+msgstr "组的修改时间属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:451 -+msgid "Type of the group and other flags" -+msgstr "组的类型和其他标志" -+ -+#: src/config/SSSDConfig/sssdoptions.py:452 -+msgid "The LDAP group external member attribute" -+msgstr "LDAP 组外部成员属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:453 -+msgid "Maximum nesting level SSSD will follow" -+msgstr "将遵循的最大嵌套级别 SSSD" -+ -+#: src/config/SSSDConfig/sssdoptions.py:454 -+msgid "Filter for group lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:455 -+msgid "Scope of group lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:457 -+msgid "Base DN for netgroup lookups" -+msgstr "netgroup 查找的基本 DN" -+ -+#: 
src/config/SSSDConfig/sssdoptions.py:458 -+msgid "Objectclass for netgroups" -+msgstr "netgroup 的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:459 -+msgid "Netgroup name" -+msgstr "Netgroup 名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:460 -+msgid "Netgroups members attribute" -+msgstr "Netgroups 成员属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:461 -+msgid "Netgroup triple attribute" -+msgstr "Netgroup triple 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:462 -+msgid "Modification time attribute for netgroups" -+msgstr "netgroup 的修改时间属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:464 -+msgid "Base DN for service lookups" -+msgstr "服务查找的基本 DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:465 -+msgid "Objectclass for services" -+msgstr "服务的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:466 -+msgid "Service name attribute" -+msgstr "服务名属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:467 -+msgid "Service port attribute" -+msgstr "服务端口属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:468 -+msgid "Service protocol attribute" -+msgstr "服务协议属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:470 -+msgid "Lower bound for ID-mapping" -+msgstr "ID 映射的下限" -+ -+#: src/config/SSSDConfig/sssdoptions.py:471 -+msgid "Upper bound for ID-mapping" -+msgstr "ID 映射的上限" -+ -+#: src/config/SSSDConfig/sssdoptions.py:472 -+msgid "Number of IDs for each slice when ID-mapping" -+msgstr "ID 映射时每个片的 ID 数" -+ -+#: src/config/SSSDConfig/sssdoptions.py:473 -+msgid "Use autorid-compatible algorithm for ID-mapping" -+msgstr "使用与 autorid 兼容的算法进行 ID 映射" -+ -+#: src/config/SSSDConfig/sssdoptions.py:474 -+msgid "Name of the default domain for ID-mapping" -+msgstr "用于 ID 映射的默认域的名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:475 -+msgid "SID of the default domain for ID-mapping" -+msgstr "用于 ID 映射的默认域的 SID" -+ -+#: src/config/SSSDConfig/sssdoptions.py:476 -+msgid "Number of secondary slices" -+msgstr "次要切片数" -+ -+#: src/config/SSSDConfig/sssdoptions.py:478 -+msgid "Whether to use 
Token-Groups" -+msgstr "是否使用令牌组" -+ -+#: src/config/SSSDConfig/sssdoptions.py:479 -+msgid "Set lower boundary for allowed IDs from the LDAP server" -+msgstr "设置 LDAP 服务器允许的 ID 的下边界" -+ -+#: src/config/SSSDConfig/sssdoptions.py:480 -+msgid "Set upper boundary for allowed IDs from the LDAP server" -+msgstr "设置 LDAP 服务器允许的 ID 的上边界" -+ -+#: src/config/SSSDConfig/sssdoptions.py:481 -+msgid "DN for ppolicy queries" -+msgstr "ppolicy 查询的 DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:482 -+msgid "How many maximum entries to fetch during a wildcard request" -+msgstr "在通配符请求期间要提取多少个最大条目" -+ -+#: src/config/SSSDConfig/sssdoptions.py:485 -+msgid "Policy to evaluate the password expiration" -+msgstr "评估密码有效期的策略" -+ -+#: src/config/SSSDConfig/sssdoptions.py:489 -+msgid "Which attributes shall be used to evaluate if an account is expired" -+msgstr "应使用哪些属性来评估帐户是否过期" -+ -+#: src/config/SSSDConfig/sssdoptions.py:490 -+msgid "Which rules should be used to evaluate access control" -+msgstr "应该使用哪些规则来评估访问控制" -+ -+#: src/config/SSSDConfig/sssdoptions.py:493 -+msgid "URI of an LDAP server where password changes are allowed" -+msgstr "允许更改密码的 LDAP 服务器的 URI" -+ -+#: src/config/SSSDConfig/sssdoptions.py:494 -+msgid "URI of a backup LDAP server where password changes are allowed" -+msgstr "允许更改密码的备份 LDAP 服务器的 URI" -+ -+#: src/config/SSSDConfig/sssdoptions.py:495 -+msgid "DNS service name for LDAP password change server" -+msgstr "LDAP 密码更改服务器的 DNS 服务名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:496 -+msgid "" -+"Whether to update the ldap_user_shadow_last_change attribute after a " -+"password change" -+msgstr "更改密码后是否更新 ldap_user_shadow_last_change 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:500 -+msgid "Base DN for sudo rules lookups" -+msgstr "sudo 规则查找的基本DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:501 -+msgid "Automatic full refresh period" -+msgstr "自动完整刷新周期" -+ -+#: src/config/SSSDConfig/sssdoptions.py:502 -+msgid "Automatic smart refresh period" -+msgstr "自动智能刷新周期" -+ 
-+#: src/config/SSSDConfig/sssdoptions.py:503 -+msgid "Whether to filter rules by hostname, IP addresses and network" -+msgstr "是否按主机名,IP地址和网络过滤规则" -+ -+#: src/config/SSSDConfig/sssdoptions.py:504 -+msgid "" -+"Hostnames and/or fully qualified domain names of this machine to filter sudo " -+"rules" -+msgstr "本机的主机名和/或限定域名,用于过滤 sudo 规则" -+ -+#: src/config/SSSDConfig/sssdoptions.py:505 -+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" -+msgstr "IPv4 或 IPv6 地址或本机器的网络,用于过滤 sudo 规则" -+ -+#: src/config/SSSDConfig/sssdoptions.py:506 -+msgid "Whether to include rules that contains netgroup in host attribute" -+msgstr "是否在主机属性中包含带有 netgroup 的规则" -+ -+#: src/config/SSSDConfig/sssdoptions.py:507 -+msgid "" -+"Whether to include rules that contains regular expression in host attribute" -+msgstr "是否在主机属性中包含带有正则表达式的规则" -+ -+#: src/config/SSSDConfig/sssdoptions.py:508 -+msgid "Object class for sudo rules" -+msgstr "sudo 规则的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:509 -+msgid "Name of attribute that is used as object class for sudo rules" -+msgstr "用作 sudo 规则的对象类的属性名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:510 -+msgid "Sudo rule name" -+msgstr "sudo 规则名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:511 -+msgid "Sudo rule command attribute" -+msgstr "sudo 规则命令属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:512 -+msgid "Sudo rule host attribute" -+msgstr "sudo 规则主机属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:513 -+msgid "Sudo rule user attribute" -+msgstr "sudo 规则用户属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:514 -+msgid "Sudo rule option attribute" -+msgstr "sudo 规则选项属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:515 -+msgid "Sudo rule runas attribute" -+msgstr "sudo 规则 runas 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:516 -+msgid "Sudo rule runasuser attribute" -+msgstr "sudo 规则 runasuser 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:517 -+msgid "Sudo rule runasgroup attribute" -+msgstr "sudo 规则 runasgroup 属性" -+ 
-+#: src/config/SSSDConfig/sssdoptions.py:518 -+msgid "Sudo rule notbefore attribute" -+msgstr "sudo 规则 notbefore 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:519 -+msgid "Sudo rule notafter attribute" -+msgstr "sudo 规则 notafter 属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:520 -+msgid "Sudo rule order attribute" -+msgstr "sudo 规则顺序属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:523 -+msgid "Object class for automounter maps" -+msgstr "自动挂载器映射的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:524 -+msgid "Automounter map name attribute" -+msgstr "自动挂载器映射名称属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:525 -+msgid "Object class for automounter map entries" -+msgstr "自动挂载器映射条目的对象类" -+ -+#: src/config/SSSDConfig/sssdoptions.py:526 -+msgid "Automounter map entry key attribute" -+msgstr "自动挂载器映射条目键的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:527 -+msgid "Automounter map entry value attribute" -+msgstr "自动挂载器映射条目值的属性" -+ -+#: src/config/SSSDConfig/sssdoptions.py:528 -+msgid "Base DN for automounter map lookups" -+msgstr "自动挂载程序映射查找的基本 DN" -+ -+#: src/config/SSSDConfig/sssdoptions.py:529 -+msgid "The name of the automount master map in LDAP." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:532 -+msgid "Base DN for IP hosts lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:533 -+msgid "Object class for IP hosts" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:534 -+msgid "IP host name attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:535 -+msgid "IP host number (address) attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:536 -+msgid "IP host entryUSN attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:537 -+msgid "Base DN for IP networks lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:538 -+msgid "Object class for IP networks" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:539 -+msgid "IP network name attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:540 -+msgid "IP network number (address) attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:541 -+msgid "IP network entryUSN attribute" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:544 -+msgid "Comma separated list of allowed users" -+msgstr "以逗号分隔的允许的用户列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:545 -+msgid "Comma separated list of prohibited users" -+msgstr "以逗号分隔的不允许的用户列表" -+ -+#: src/config/SSSDConfig/sssdoptions.py:546 -+msgid "" -+"Comma separated list of groups that are allowed to log in. This applies only " -+"to groups within this SSSD domain. Local groups are not evaluated." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:548 -+msgid "" -+"Comma separated list of groups that are explicitly denied access. This " -+"applies only to groups within this SSSD domain. Local groups are not " -+"evaluated." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:552 -+msgid "Base for home directories" -+msgstr "家目录的基础" -+ -+#: src/config/SSSDConfig/sssdoptions.py:553 -+msgid "Indicate if a home directory should be created for new users." 
-+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:554 -+msgid "Indicate if a home directory should be removed for deleted users." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:555 -+msgid "Specify the default permissions on a newly created home directory." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:556 -+msgid "The skeleton directory." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:557 -+msgid "The mail spool directory." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:558 -+msgid "The command that is run after a user is removed." -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:561 -+msgid "The number of preforked proxy children." -+msgstr "预分支代理子代的数量。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:564 -+msgid "The name of the NSS library to use" -+msgstr "使用的 NSS 库的名称" -+ -+#: src/config/SSSDConfig/sssdoptions.py:565 -+msgid "The name of the NSS library to use for hosts and networks lookups" -+msgstr "" -+ -+#: src/config/SSSDConfig/sssdoptions.py:566 -+msgid "Whether to look up canonical group name from cache if possible" -+msgstr "如果可能,是否从缓存中查找规范的组名" -+ -+#: src/config/SSSDConfig/sssdoptions.py:569 -+msgid "PAM stack to use" -+msgstr "使用的 PAM 堆栈" -+ -+#: src/config/SSSDConfig/sssdoptions.py:572 -+msgid "Path of passwd file sources." -+msgstr "passwd 文件源的路径。" -+ -+#: src/config/SSSDConfig/sssdoptions.py:573 -+msgid "Path of group file sources." 
-+msgstr "group 文件源的路径。" -+ - #: src/monitor/monitor.c:2371 - msgid "Become a daemon (default)" --msgstr "" -+msgstr "成为守护进程(默认)" - - #: src/monitor/monitor.c:2373 - msgid "Run interactive (not a daemon)" --msgstr "" -+msgstr "交互式运行(不是守护程序)" - - #: src/monitor/monitor.c:2376 - msgid "Disable netlink interface" --msgstr "" -+msgstr "禁用 netlink 接口" - --#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_logs.c:310 -+#: src/monitor/monitor.c:2378 src/tools/sssctl/sssctl_config.c:77 -+#: src/tools/sssctl/sssctl_logs.c:310 - msgid "Specify a non-default config file" --msgstr "" -+msgstr "指定一个非默认的配置文件" - - #: src/monitor/monitor.c:2380 - msgid "Refresh the configuration database, then exit" --msgstr "" -+msgstr "刷新配置数据库,然后退出" - - #: src/monitor/monitor.c:2383 - msgid "Similar to --genconf, but only refreshes the given section" -@@ -46,87 +1850,87 @@ msgstr "" - - #: src/monitor/monitor.c:2386 - msgid "Print version number and exit" --msgstr "" -+msgstr "显示版本号并退出" - - #: src/monitor/monitor.c:2532 - msgid "SSSD is already running\n" --msgstr "" -+msgstr "SSSD 已运行\n" - - #: src/providers/krb5/krb5_child.c:3233 src/providers/ldap/ldap_child.c:638 - msgid "Debug level" --msgstr "" -+msgstr "调试级别" - - #: src/providers/krb5/krb5_child.c:3235 src/providers/ldap/ldap_child.c:640 - msgid "Add debug timestamps" --msgstr "" -+msgstr "添加调试时间戳" - - #: src/providers/krb5/krb5_child.c:3237 src/providers/ldap/ldap_child.c:642 - msgid "Show timestamps with microseconds" --msgstr "" -+msgstr "显示时间戳(以微秒为单位)" - - #: src/providers/krb5/krb5_child.c:3239 src/providers/ldap/ldap_child.c:644 - msgid "An open file descriptor for the debug logs" --msgstr "" -+msgstr "调试日志的打开文件描述符" - - #: src/providers/krb5/krb5_child.c:3242 src/providers/ldap/ldap_child.c:646 - msgid "Send the debug output to stderr directly." 
--msgstr "" -+msgstr "将调试直接输出到 stderr。" - - #: src/providers/krb5/krb5_child.c:3245 - msgid "The user to create FAST ccache as" --msgstr "" -+msgstr "用户创建 FAST 缓存为" - - #: src/providers/krb5/krb5_child.c:3247 - msgid "The group to create FAST ccache as" --msgstr "" -+msgstr "组创建 FAST 缓存为" - - #: src/providers/krb5/krb5_child.c:3249 - msgid "Kerberos realm to use" --msgstr "" -+msgstr "使用的 kerberos realm" - - #: src/providers/krb5/krb5_child.c:3251 - msgid "Requested lifetime of the ticket" --msgstr "" -+msgstr "要求的票证寿命" - - #: src/providers/krb5/krb5_child.c:3253 - msgid "Requested renewable lifetime of the ticket" --msgstr "" -+msgstr "要求的可续约票证寿命" - - #: src/providers/krb5/krb5_child.c:3255 - msgid "FAST options ('never', 'try', 'demand')" --msgstr "" -+msgstr "FAST 选项('never'、'try'、'demand')" - - #: src/providers/krb5/krb5_child.c:3258 - msgid "Specifies the server principal to use for FAST" --msgstr "" -+msgstr "指定用于 FAST 的服务器主体" - - #: src/providers/krb5/krb5_child.c:3260 - msgid "Requests canonicalization of the principal name" --msgstr "" -+msgstr "要求规范化主体名称" - - #: src/providers/krb5/krb5_child.c:3262 - msgid "Use custom version of krb5_get_init_creds_password" --msgstr "" -+msgstr "使用自定义版本的 krb5_get_init_creds_password" - - #: src/providers/data_provider_be.c:674 - msgid "Domain of the information provider (mandatory)" --msgstr "" -+msgstr "信息提供者的域(强制)" - - #: src/sss_client/common.c:1079 - msgid "Privileged socket has wrong ownership or permissions." --msgstr "" -+msgstr "特权套接字有错误的所有权或权限。" - - #: src/sss_client/common.c:1082 - msgid "Public socket has wrong ownership or permissions." --msgstr "" -+msgstr "公共套接字有错误的所有权或权限。" - - #: src/sss_client/common.c:1085 - msgid "Unexpected format of the server credential message." --msgstr "" -+msgstr "服务器凭证消息的格式异常。" - - #: src/sss_client/common.c:1088 - msgid "SSSD is not run by root." --msgstr "" -+msgstr "SSSD 没有由 root 运行。" - - #: src/sss_client/common.c:1091 - msgid "SSSD socket does not exist." 
-@@ -138,100 +1942,100 @@ msgstr "" - - #: src/sss_client/common.c:1099 - msgid "An error occurred, but no description can be found." --msgstr "" -+msgstr "发生错误,但找不到描述信息。" - - #: src/sss_client/common.c:1105 - msgid "Unexpected error while looking for an error description" --msgstr "" -+msgstr "查找错误说明时出现意外错误" - - #: src/sss_client/pam_sss.c:68 - msgid "Permission denied. " --msgstr "" -+msgstr "权限被拒绝。" - --#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:779 --#: src/sss_client/pam_sss.c:790 -+#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 -+#: src/sss_client/pam_sss.c:792 - msgid "Server message: " --msgstr "" -+msgstr "服务器消息: " - --#: src/sss_client/pam_sss.c:297 -+#: src/sss_client/pam_sss.c:299 - msgid "Passwords do not match" --msgstr "" -+msgstr "密码不匹配" - --#: src/sss_client/pam_sss.c:485 -+#: src/sss_client/pam_sss.c:487 - msgid "Password reset by root is not supported." --msgstr "" -+msgstr "不支持通过 root 重置密码。" - --#: src/sss_client/pam_sss.c:526 -+#: src/sss_client/pam_sss.c:528 - msgid "Authenticated with cached credentials" --msgstr "" -+msgstr "通过缓存的凭据进行身份验证" - --#: src/sss_client/pam_sss.c:527 -+#: src/sss_client/pam_sss.c:529 - msgid ", your cached password will expire at: " --msgstr "" -+msgstr ",您缓存的密码将过期于: " - --#: src/sss_client/pam_sss.c:557 -+#: src/sss_client/pam_sss.c:559 - #, c-format - msgid "Your password has expired. You have %1$d grace login(s) remaining." --msgstr "" -+msgstr "您的密码已过期。您有 %1$d 剩余宽限登陆。" - --#: src/sss_client/pam_sss.c:603 -+#: src/sss_client/pam_sss.c:605 - #, c-format - msgid "Your password will expire in %1$d %2$s." 
--msgstr "" -+msgstr "您的密码将于 %1$d %2$s 过期。" - --#: src/sss_client/pam_sss.c:652 -+#: src/sss_client/pam_sss.c:654 - msgid "Authentication is denied until: " --msgstr "" -+msgstr "身份验证被拒绝,直到: " - --#: src/sss_client/pam_sss.c:673 -+#: src/sss_client/pam_sss.c:675 - msgid "System is offline, password change not possible" --msgstr "" -+msgstr "系统离线,无法更改密码" - --#: src/sss_client/pam_sss.c:688 -+#: src/sss_client/pam_sss.c:690 - msgid "" - "After changing the OTP password, you need to log out and back in order to " - "acquire a ticket" --msgstr "" -+msgstr "更改 OTP 密码后,您需要注销并重新登录以获得票证" - --#: src/sss_client/pam_sss.c:776 src/sss_client/pam_sss.c:789 -+#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 - msgid "Password change failed. " --msgstr "" -+msgstr "更改密码失败。" - --#: src/sss_client/pam_sss.c:2008 -+#: src/sss_client/pam_sss.c:2015 - msgid "New Password: " --msgstr "" -+msgstr "新密码:" - --#: src/sss_client/pam_sss.c:2009 -+#: src/sss_client/pam_sss.c:2016 - msgid "Reenter new Password: " --msgstr "" -+msgstr "重新输入新密码:" - --#: src/sss_client/pam_sss.c:2171 src/sss_client/pam_sss.c:2174 -+#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 - msgid "First Factor: " --msgstr "" -+msgstr "第一因素: " - --#: src/sss_client/pam_sss.c:2172 src/sss_client/pam_sss.c:2343 -+#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 - msgid "Second Factor (optional): " --msgstr "" -+msgstr "第二因素(可选): " - --#: src/sss_client/pam_sss.c:2175 src/sss_client/pam_sss.c:2346 -+#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 - msgid "Second Factor: " --msgstr "" -+msgstr "第二因素: " - --#: src/sss_client/pam_sss.c:2190 -+#: src/sss_client/pam_sss.c:2200 - msgid "Password: " --msgstr "" -+msgstr "密码:" - --#: src/sss_client/pam_sss.c:2342 src/sss_client/pam_sss.c:2345 -+#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 - msgid "First Factor (Current Password): " --msgstr "" -+msgstr "第一因素(当前密码): " - --#: src/sss_client/pam_sss.c:2349 -+#: 
src/sss_client/pam_sss.c:2359 - msgid "Current Password: " --msgstr "" -+msgstr "当前密码:" - --#: src/sss_client/pam_sss.c:2704 -+#: src/sss_client/pam_sss.c:2714 - msgid "Password expired. Change your password now." --msgstr "" -+msgstr "密码已过期。立即更改密码。" - - #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:186 src/tools/sss_useradd.c:48 -@@ -240,12 +2044,12 @@ msgstr "" - #: src/tools/sss_userdel.c:136 src/tools/sss_usermod.c:47 - #: src/tools/sss_cache.c:719 - msgid "The debug level to run with" --msgstr "" -+msgstr "要运行的调试级别" - - #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:190 - msgid "The SSSD domain to use" --msgstr "" -+msgstr "要使用的 SSSD 域" - - #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 - #: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 -@@ -253,27 +2057,27 @@ msgstr "" - #: src/tools/sss_userdel.c:154 src/tools/sss_usermod.c:79 - #: src/tools/sss_cache.c:765 - msgid "Error setting the locale\n" --msgstr "" -+msgstr "地区设置错误\n" - - #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 - msgid "Not enough memory\n" --msgstr "" -+msgstr "内存不足\n" - - #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 - msgid "User not specified\n" --msgstr "" -+msgstr "未指定用户\n" - - #: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 - msgid "Error looking up public keys\n" --msgstr "" -+msgstr "查找公钥时出错\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:188 - msgid "The port to use to connect to the host" --msgstr "" -+msgstr "用于连接主机的端口" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:192 - msgid "Print the host ssh public keys" --msgstr "" -+msgstr "打印主机 ssh 公钥" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:234 - msgid "Invalid port\n" -@@ -281,173 +2085,173 @@ msgstr "无效端口\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:239 - msgid "Host not specified\n" --msgstr "" -+msgstr "未指定主机\n" - - #: 
src/sss_client/ssh/sss_ssh_knownhostsproxy.c:245 - msgid "The path to the proxy command must be absolute\n" --msgstr "" -+msgstr "到 proxy 命令的路径必须是绝对路径\n" - - #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:324 - #, c-format - msgid "sss_ssh_knownhostsproxy: Could not resolve hostname %s\n" --msgstr "" -+msgstr "sss_ssh_knownhostsproxy:无法解析主机名 %s\n" - - #: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 - msgid "The UID of the user" --msgstr "" -+msgstr "用户的 UID" - - #: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 - msgid "The comment string" --msgstr "" -+msgstr "注释字符串" - - #: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 - msgid "Home directory" --msgstr "" -+msgstr "家目录" - - #: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 - msgid "Login shell" --msgstr "" -+msgstr "登陆 shell" - - #: src/tools/sss_useradd.c:53 - msgid "Groups" --msgstr "" -+msgstr "组" - - #: src/tools/sss_useradd.c:54 - msgid "Create user's directory if it does not exist" --msgstr "" -+msgstr "创建用户目录(如果不存在)" - - #: src/tools/sss_useradd.c:55 - msgid "Never create user's directory, overrides config" --msgstr "" -+msgstr "不创建用户目录,覆盖配置" - - #: src/tools/sss_useradd.c:56 - msgid "Specify an alternative skeleton directory" --msgstr "" -+msgstr "指定一个备用的 skeleton 目录" - - #: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 - msgid "The SELinux user for user's login" --msgstr "" -+msgstr "用于用户登录的 SELinux用户" - - #: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 - #: src/tools/sss_usermod.c:92 - msgid "Specify group to add to\n" --msgstr "" -+msgstr "指定添加到的组\n" - - #: src/tools/sss_useradd.c:111 - msgid "Specify user to add\n" --msgstr "" -+msgstr "指定要添加的用户\n" - - #: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 - #: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 - #: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:200 - #: src/tools/sss_usermod.c:162 - msgid "Error initializing the tools - no local domain\n" --msgstr "" -+msgstr "初始化工具时出错 
- 没有本地域\n" - - #: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 - #: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 - #: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:202 - #: src/tools/sss_usermod.c:164 - msgid "Error initializing the tools\n" --msgstr "" -+msgstr "初始化工具出错。\n" - - #: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 - #: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 - #: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:211 - #: src/tools/sss_usermod.c:173 - msgid "Invalid domain specified in FQDN\n" --msgstr "" -+msgstr "FQDN 中指定的域无效\n" - - #: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 - #: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 - #: src/tools/sss_usermod.c:226 - msgid "Internal error while parsing parameters\n" --msgstr "" -+msgstr "解析参数时发生内部错误\n" - - #: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 - #: src/tools/sss_usermod.c:235 - msgid "Groups must be in the same domain as user\n" --msgstr "" -+msgstr "组必须与用户在同一域中\n" - - #: src/tools/sss_useradd.c:159 - #, c-format - msgid "Cannot find group %1$s in local domain\n" --msgstr "" -+msgstr "无法在本的域中找到组 %1$s\n" - - #: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:221 - msgid "Cannot set default values\n" --msgstr "" -+msgstr "无法设置默认值\n" - - #: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 - msgid "The selected UID is outside the allowed range\n" --msgstr "" -+msgstr "所选的 UID 超出了允许范围\n" - - #: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 - msgid "Cannot set SELinux login context\n" --msgstr "" -+msgstr "无法设置 SELinux 登录上下文\n" - - #: src/tools/sss_useradd.c:224 - msgid "Cannot get info about the user\n" --msgstr "" -+msgstr "无法获得用户的信息\n" - - #: src/tools/sss_useradd.c:236 - msgid "User's home directory already exists, not copying data from skeldir\n" --msgstr "" -+msgstr "用户的家目录已存在,无法从 skeldir 复制数据\n" - - #: src/tools/sss_useradd.c:239 - #, c-format - msgid "Cannot create user's home 
directory: %1$s\n" --msgstr "" -+msgstr "无法创建用户的家目录:%1$s\n" - - #: src/tools/sss_useradd.c:250 - #, c-format - msgid "Cannot create user's mail spool: %1$s\n" --msgstr "" -+msgstr "无法创建用户的邮件 spool: %1$s\n" - - #: src/tools/sss_useradd.c:270 - msgid "Could not allocate ID for the user - domain full?\n" --msgstr "" -+msgstr "无法为用户分配 ID - 域已满?\n" - - #: src/tools/sss_useradd.c:274 - msgid "A user or group with the same name or ID already exists\n" --msgstr "" -+msgstr "具有相同名称或 ID 的用户或组已经存在\n" - - #: src/tools/sss_useradd.c:280 - msgid "Transaction error. Could not add user.\n" --msgstr "" -+msgstr "交易错误。无法添加用户。\n" - - #: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 - msgid "The GID of the group" --msgstr "" -+msgstr "组的 GID" - - #: src/tools/sss_groupadd.c:76 - msgid "Specify group to add\n" --msgstr "" -+msgstr "指定添加的组\n" - - #: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 - msgid "The selected GID is outside the allowed range\n" --msgstr "" -+msgstr "所选的 GID 超出了允许范围\n" - - #: src/tools/sss_groupadd.c:143 - msgid "Could not allocate ID for the group - domain full?\n" --msgstr "" -+msgstr "无法为组分配 ID - 域已满?\n" - - #: src/tools/sss_groupadd.c:147 - msgid "A group with the same name or GID already exists\n" --msgstr "" -+msgstr "具有相同名称或 GID 的组已经存在\n" - - #: src/tools/sss_groupadd.c:153 - msgid "Transaction error. Could not add group.\n" --msgstr "" -+msgstr "交易错误。无法添加组。\n" - - #: src/tools/sss_groupdel.c:70 - msgid "Specify group to delete\n" --msgstr "" -+msgstr "指定删除的组\n" - - #: src/tools/sss_groupdel.c:104 - #, c-format - msgid "Group %1$s is outside the defined ID range for domain\n" --msgstr "" -+msgstr "组 %1$s 在域的定义 ID 范围之外\n" - - #: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 - #: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 -@@ -455,43 +2259,43 @@ msgstr "" - #: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 - #, c-format - msgid "NSS request failed (%1$d). 
Entry might remain in memory cache.\n" --msgstr "" -+msgstr "NSS 请求失败(%1$d)。条目可能保留在内存缓存中。\n" - - #: src/tools/sss_groupdel.c:132 - msgid "" --"No such group in local domain. Removing groups only allowed in local " --"domain.\n" --msgstr "" -+"No such group in local domain. Removing groups only allowed in local domain." -+"\n" -+msgstr "本地域中没有这样的组。只在本地域中允许删除组。\n" - - #: src/tools/sss_groupdel.c:137 - msgid "Internal error. Could not remove group.\n" --msgstr "" -+msgstr "内部错误。无法删除组。\n" - - #: src/tools/sss_groupmod.c:44 - msgid "Groups to add this group to" --msgstr "" -+msgstr "把这个组添加到的组" - - #: src/tools/sss_groupmod.c:46 - msgid "Groups to remove this group from" --msgstr "" -+msgstr "要从中删除该组的组" - - #: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 - msgid "Specify group to remove from\n" --msgstr "" -+msgstr "指定要从中删除的组\n" - - #: src/tools/sss_groupmod.c:101 - msgid "Specify group to modify\n" --msgstr "" -+msgstr "指定修改的组\n" - - #: src/tools/sss_groupmod.c:130 - msgid "" - "Cannot find group in local domain, modifying groups is allowed only in local " - "domain\n" --msgstr "" -+msgstr "在本地域中找不到组,仅允许在本地域中修改组\n" - - #: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 - msgid "Member groups must be in the same domain as parent group\n" --msgstr "" -+msgstr "成员组必须与父组在同一域中\n" - - #: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 - #: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 -@@ -499,456 +2303,456 @@ msgstr "" - msgid "" - "Cannot find group %1$s in local domain, only groups in local domain are " - "allowed\n" --msgstr "" -+msgstr "无法在本地域中找到组 %1$s,只允许在本地域中的组\n" - - #: src/tools/sss_groupmod.c:257 - msgid "Could not modify group - check if member group names are correct\n" --msgstr "" -+msgstr "无法修改组 - 检查成员组名称是否正确\n" - - #: src/tools/sss_groupmod.c:261 - msgid "Could not modify group - check if groupname is correct\n" --msgstr "" -+msgstr " 无法修改组 - 检查组名是否正确\n" - - #: src/tools/sss_groupmod.c:265 - msgid "Transaction error. 
Could not modify group.\n" --msgstr "" -+msgstr "交易错误。无法修改组。\n" - - #: src/tools/sss_groupshow.c:616 - msgid "Magic Private " --msgstr "" -+msgstr "Magic Private " - - #: src/tools/sss_groupshow.c:615 - #, c-format - msgid "%1$s%2$sGroup: %3$s\n" --msgstr "" -+msgstr "%1$s%2$sGroup: %3$s\n" - - #: src/tools/sss_groupshow.c:618 - #, c-format - msgid "%1$sGID number: %2$d\n" --msgstr "" -+msgstr "%1$sGID 号:%2$d\n" - - #: src/tools/sss_groupshow.c:620 - #, c-format - msgid "%1$sMember users: " --msgstr "" -+msgstr "%1$sMember 用户:" - - #: src/tools/sss_groupshow.c:627 - #, c-format --msgid "" --"\n" -+msgid "\n" - "%1$sIs a member of: " --msgstr "" -+msgstr "\n" -+"%1$sIs 一个成员:" - - #: src/tools/sss_groupshow.c:634 - #, c-format --msgid "" --"\n" -+msgid "\n" - "%1$sMember groups: " --msgstr "" -+msgstr "\n" -+"%1$sMember 组:" - - #: src/tools/sss_groupshow.c:670 - msgid "Print indirect group members recursively" --msgstr "" -+msgstr "递归打印间接组成员" - - #: src/tools/sss_groupshow.c:704 - msgid "Specify group to show\n" --msgstr "" -+msgstr "指定显示的组\n" - - #: src/tools/sss_groupshow.c:744 - msgid "" --"No such group in local domain. Printing groups only allowed in local " --"domain.\n" --msgstr "" -+"No such group in local domain. Printing groups only allowed in local domain." -+"\n" -+msgstr "本地域中没有这样的组。只在本地域中允许打印组。\n" - - #: src/tools/sss_groupshow.c:749 - msgid "Internal error. 
Could not print group.\n" --msgstr "" -+msgstr "内部错误。无法打印组。\n" - - #: src/tools/sss_userdel.c:138 - msgid "Remove home directory and mail spool" --msgstr "" -+msgstr "删除主目录和邮件假脱机" - - #: src/tools/sss_userdel.c:140 - msgid "Do not remove home directory and mail spool" --msgstr "" -+msgstr "不删除主目录和邮件假脱机" - - #: src/tools/sss_userdel.c:142 - msgid "Force removal of files not owned by the user" --msgstr "" -+msgstr "用户不允许强制删除文件" - - #: src/tools/sss_userdel.c:144 - msgid "Kill users' processes before removing him" --msgstr "" -+msgstr "在删除用户前终止用户的进程" - - #: src/tools/sss_userdel.c:190 - msgid "Specify user to delete\n" --msgstr "" -+msgstr "指定删除的用户\n" - - #: src/tools/sss_userdel.c:236 - #, c-format - msgid "User %1$s is outside the defined ID range for domain\n" --msgstr "" -+msgstr "用户 %1$s 在域的定义 ID 范围之外\n" - - #: src/tools/sss_userdel.c:261 - msgid "Cannot reset SELinux login context\n" --msgstr "" -+msgstr "无法重新设置 SELinux 登录上下文\n" - - #: src/tools/sss_userdel.c:273 - #, c-format - msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" --msgstr "" -+msgstr "警告:用户(uid %1$lu )在删除后仍处于登录状态。\n" - - #: src/tools/sss_userdel.c:278 - msgid "Cannot determine if the user was logged in on this platform" --msgstr "" -+msgstr "无法确定用户是否已在此平台上登录" - - #: src/tools/sss_userdel.c:283 - msgid "Error while checking if the user was logged in\n" --msgstr "" -+msgstr "检查用户是否登录时出错\n" - - #: src/tools/sss_userdel.c:290 - #, c-format - msgid "The post-delete command failed: %1$s\n" --msgstr "" -+msgstr "后删除命令失败: %1$s\n" - - #: src/tools/sss_userdel.c:310 - msgid "Not removing home dir - not owned by user\n" --msgstr "" -+msgstr "没有删除主目录 - 不归用户所有\n" - - #: src/tools/sss_userdel.c:312 - #, c-format - msgid "Cannot remove homedir: %1$s\n" --msgstr "" -+msgstr "无法删除主目录:%1$s\n" - - #: src/tools/sss_userdel.c:326 - msgid "" - "No such user in local domain. 
Removing users only allowed in local domain.\n" --msgstr "" -+msgstr "本地域中没有这样的用户。只在本地域中允许删除用户。\n" - - #: src/tools/sss_userdel.c:331 - msgid "Internal error. Could not remove user.\n" --msgstr "" -+msgstr "内部错误。无法删除用户。\n" - - #: src/tools/sss_usermod.c:49 - msgid "The GID of the user" --msgstr "" -+msgstr "用户的 GID" - - #: src/tools/sss_usermod.c:53 - msgid "Groups to add this user to" --msgstr "" -+msgstr "这个用户加入的组" - - #: src/tools/sss_usermod.c:54 - msgid "Groups to remove this user from" --msgstr "" -+msgstr "要从中删除该用户的组" - - #: src/tools/sss_usermod.c:55 - msgid "Lock the account" --msgstr "" -+msgstr "锁定账户" - - #: src/tools/sss_usermod.c:56 - msgid "Unlock the account" --msgstr "" -+msgstr "解锁账户" - - #: src/tools/sss_usermod.c:57 - msgid "Add an attribute/value pair. The format is attrname=value." --msgstr "" -+msgstr "添加一个属性/值对。格式为 attrname=value。" - - #: src/tools/sss_usermod.c:58 - msgid "Delete an attribute/value pair. The format is attrname=value." --msgstr "" -+msgstr "删除一个属性/值对。格式为 attrname=value。" - - #: src/tools/sss_usermod.c:59 - msgid "" - "Set an attribute to a name/value pair. The format is attrname=value. 
For " - "multi-valued attributes, the command replaces the values already present" --msgstr "" -+msgstr "将属性设置为名称/值对。格式为 attrname=value。对于多值属性,替换值的命令已存在。" - - #: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 - #: src/tools/sss_usermod.c:135 - msgid "Specify the attribute name/value pair(s)\n" --msgstr "" -+msgstr "指定属性名称/值对\n" - - #: src/tools/sss_usermod.c:152 - msgid "Specify user to modify\n" --msgstr "" -+msgstr "指定要修改的用户\n" - - #: src/tools/sss_usermod.c:180 - msgid "" - "Cannot find user in local domain, modifying users is allowed only in local " - "domain\n" --msgstr "" -+msgstr "在本地域中找不到用户,仅允许在本地域中修改用户\n" - - #: src/tools/sss_usermod.c:322 - msgid "Could not modify user - check if group names are correct\n" --msgstr "" -+msgstr "无法修改用户 - 检查组名称是否正确\n" - - #: src/tools/sss_usermod.c:326 - msgid "Could not modify user - user already member of groups?\n" --msgstr "" -+msgstr "无法修改用户 - 用户是否已是组成员?\n" - - #: src/tools/sss_usermod.c:330 - msgid "Transaction error. Could not modify user.\n" --msgstr "" -+msgstr "交易错误。无法修改用户。\n" - - #: src/tools/sss_cache.c:245 - msgid "No cache object matched the specified search\n" --msgstr "" -+msgstr "没有符合指定搜索条件的缓存对象\n" - - #: src/tools/sss_cache.c:536 - #, c-format - msgid "Couldn't invalidate %1$s\n" --msgstr "" -+msgstr "无法使 %1$s 无效\n" - - #: src/tools/sss_cache.c:543 - #, c-format - msgid "Couldn't invalidate %1$s %2$s\n" --msgstr "" -+msgstr "无法使 %1$s %2$s 无效\n" - - #: src/tools/sss_cache.c:721 - msgid "Invalidate all cached entries" --msgstr "" -+msgstr "使所有缓存的条目无效" - - #: src/tools/sss_cache.c:723 - msgid "Invalidate particular user" --msgstr "" -+msgstr "使特定用户无效" - - #: src/tools/sss_cache.c:725 - msgid "Invalidate all users" --msgstr "" -+msgstr "使所有用户无效" - - #: src/tools/sss_cache.c:727 - msgid "Invalidate particular group" --msgstr "" -+msgstr "使特定组无效" - - #: src/tools/sss_cache.c:729 - msgid "Invalidate all groups" --msgstr "" -+msgstr "使所有组无效" - - #: src/tools/sss_cache.c:731 - msgid "Invalidate particular 
netgroup" --msgstr "" -+msgstr "使特定 netgroup 无效" - - #: src/tools/sss_cache.c:733 - msgid "Invalidate all netgroups" --msgstr "" -+msgstr "使所有 netgroup 无效" - - #: src/tools/sss_cache.c:735 - msgid "Invalidate particular service" --msgstr "" -+msgstr "使特定服务无效" - - #: src/tools/sss_cache.c:737 - msgid "Invalidate all services" --msgstr "" -+msgstr "使所有服务无效" - - #: src/tools/sss_cache.c:740 - msgid "Invalidate particular autofs map" --msgstr "" -+msgstr "使特定 autofs 映射无效" - - #: src/tools/sss_cache.c:742 - msgid "Invalidate all autofs maps" --msgstr "" -+msgstr "使所有 autofs 映射无效" - - #: src/tools/sss_cache.c:746 - msgid "Invalidate particular SSH host" --msgstr "" -+msgstr "使特定 SSH 主机无效" - - #: src/tools/sss_cache.c:748 - msgid "Invalidate all SSH hosts" --msgstr "" -+msgstr "使所有 SSH 主机无效" - - #: src/tools/sss_cache.c:752 - msgid "Invalidate particular sudo rule" --msgstr "" -+msgstr "使特定 sudo 规则无效" - - #: src/tools/sss_cache.c:754 - msgid "Invalidate all cached sudo rules" --msgstr "" -+msgstr "使所有缓存的 sudo 规则无效" - - #: src/tools/sss_cache.c:757 - msgid "Only invalidate entries from a particular domain" --msgstr "" -+msgstr "使来自特定域的项无效" - - #: src/tools/sss_cache.c:811 - msgid "" - "Unexpected argument(s) provided, options that invalidate a single object " - "only accept a single provided argument.\n" --msgstr "" -+msgstr "提供了意外的参数,使单个对象无效的选项仅接受单个参数。\n" - - #: src/tools/sss_cache.c:821 - msgid "Please select at least one object to invalidate\n" --msgstr "" -+msgstr "请选择至少一个对象以使其无效\n" - - #: src/tools/sss_cache.c:904 - #, c-format - msgid "" - "Could not open domain %1$s. 
If the domain is a subdomain (trusted domain), " - "use fully qualified name instead of --domain/-d parameter.\n" --msgstr "" -+msgstr "无法打开域 %1$s 。如果域是子域(受信任的域),请使用完全限定名而不是 --domain/-d 参数。\n" - - #: src/tools/sss_cache.c:909 - msgid "Could not open available domains\n" --msgstr "" -+msgstr "无法打开可用域\n" - - #: src/tools/tools_util.c:202 - #, c-format - msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" --msgstr "" -+msgstr "名称 '%1$s' 似乎不是 FQDN(设置了 '%2$s =TRUE‘)\n" - - #: src/tools/tools_util.c:309 - msgid "Out of memory\n" --msgstr "" -+msgstr "无可用内存\n" - - #: src/tools/tools_util.h:40 - #, c-format - msgid "%1$s must be run as root\n" --msgstr "" -+msgstr "%1$s 必须以 root 运行\n" - - #: src/tools/sssctl/sssctl.c:35 - msgid "yes" --msgstr "" -+msgstr "是" - - #: src/tools/sssctl/sssctl.c:37 - msgid "no" --msgstr "" -+msgstr "否" - - #: src/tools/sssctl/sssctl.c:39 - msgid "error" --msgstr "" -+msgstr "错误" - - #: src/tools/sssctl/sssctl.c:42 - msgid "Invalid result." --msgstr "" -+msgstr "结果无效。" - - #: src/tools/sssctl/sssctl.c:78 - msgid "Unable to read user input\n" --msgstr "" -+msgstr "无法读取用户输入\n" - - #: src/tools/sssctl/sssctl.c:91 - #, c-format - msgid "Invalid input, please provide either '%s' or '%s'.\n" --msgstr "" -+msgstr "无效输入,请提供 '%s' 或 '%s'。\n" - - #: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 - msgid "Error while executing external command\n" --msgstr "" -+msgstr "执行外部命令时出错\n" - - #: src/tools/sssctl/sssctl.c:156 - msgid "SSSD needs to be running. Start SSSD now?" --msgstr "" -+msgstr "需要运行 SSSD。现在启动 SSSD?" - - #: src/tools/sssctl/sssctl.c:195 - msgid "SSSD must not be running. Stop SSSD now?" --msgstr "" -+msgstr "SSSD 不能运行。现在停止 SSSD?" - - #: src/tools/sssctl/sssctl.c:231 - msgid "SSSD needs to be restarted. Restart SSSD now?" --msgstr "" -+msgstr "需要重新运行 SSSD。现在重新运行 SSSD?" 
- - #: src/tools/sssctl/sssctl_cache.c:31 - #, c-format - msgid " %s is not present in cache.\n" --msgstr "" -+msgstr " %s 没有存在于缓存中。\n" - - #: src/tools/sssctl/sssctl_cache.c:33 - msgid "Name" --msgstr "" -+msgstr "名称" - - #: src/tools/sssctl/sssctl_cache.c:34 - msgid "Cache entry creation date" --msgstr "" -+msgstr "缓存条目创建日期" - - #: src/tools/sssctl/sssctl_cache.c:35 - msgid "Cache entry last update time" --msgstr "" -+msgstr "缓存条目最新更新的时间" - - #: src/tools/sssctl/sssctl_cache.c:36 - msgid "Cache entry expiration time" --msgstr "" -+msgstr "缓存条目过期的时间" - - #: src/tools/sssctl/sssctl_cache.c:37 - msgid "Cached in InfoPipe" --msgstr "" -+msgstr "在 InfoPipe 中缓存" - - #: src/tools/sssctl/sssctl_cache.c:522 - #, c-format - msgid "Error: Unable to get object [%d]: %s\n" --msgstr "" -+msgstr "错误:无法获得对象 [%d]: %s\n" - - #: src/tools/sssctl/sssctl_cache.c:538 - #, c-format - msgid "%s: Unable to read value [%d]: %s\n" --msgstr "" -+msgstr "%s: 无法读取值 [%d]: %s\n" - - #: src/tools/sssctl/sssctl_cache.c:566 - msgid "Specify name." 
--msgstr "" -+msgstr "指定名称。" - - #: src/tools/sssctl/sssctl_cache.c:576 - #, c-format - msgid "Unable to parse name %s.\n" --msgstr "" -+msgstr "无法解析名称 %s 。\n" - - #: src/tools/sssctl/sssctl_cache.c:602 src/tools/sssctl/sssctl_cache.c:649 - msgid "Search by SID" --msgstr "" -+msgstr "使用 SID 搜索" - - #: src/tools/sssctl/sssctl_cache.c:603 - msgid "Search by user ID" --msgstr "" -+msgstr "使用用户 ID 搜索" - - #: src/tools/sssctl/sssctl_cache.c:612 - msgid "Initgroups expiration time" --msgstr "" -+msgstr "Initgroups 过期时间" - - #: src/tools/sssctl/sssctl_cache.c:650 - msgid "Search by group ID" --msgstr "" -+msgstr "使用组 ID 搜索" - --#: src/tools/sssctl/sssctl_config.c:70 -+#: src/tools/sssctl/sssctl_config.c:112 - #, c-format - msgid "Failed to open %s\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:75 -+#: src/tools/sssctl/sssctl_config.c:117 - #, c-format - msgid "File %1$s does not exist.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:79 -+#: src/tools/sssctl/sssctl_config.c:121 - msgid "" - "File ownership and permissions check failed. Expected root:root and 0600.\n" --msgstr "" -+msgstr "文件所有权和权限检查失败。预期的是 root:root 和 0600。\n" - --#: src/tools/sssctl/sssctl_config.c:85 -+#: src/tools/sssctl/sssctl_config.c:127 - #, c-format - msgid "Failed to load configuration from %s.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:91 -+#: src/tools/sssctl/sssctl_config.c:133 - msgid "Error while reading configuration directory.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:99 -+#: src/tools/sssctl/sssctl_config.c:141 - msgid "" - "There is no configuration. 
SSSD will use default configuration with files " - "provider.\n" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:111 -+#: src/tools/sssctl/sssctl_config.c:153 - msgid "Failed to run validators" - msgstr "" - --#: src/tools/sssctl/sssctl_config.c:115 -+#: src/tools/sssctl/sssctl_config.c:157 - #, c-format - msgid "Issues identified by validators: %zu\n" --msgstr "" -+msgstr "验证者发现了问题: %zu\n" - --#: src/tools/sssctl/sssctl_config.c:126 -+#: src/tools/sssctl/sssctl_config.c:168 - #, c-format - msgid "Messages generated during configuration merging: %zu\n" --msgstr "" -+msgstr "配置合并期间生成的消息: %zu\n" - --#: src/tools/sssctl/sssctl_config.c:137 -+#: src/tools/sssctl/sssctl_config.c:179 - #, c-format - msgid "Used configuration snippet files: %zu\n" - msgstr "" -@@ -956,76 +2760,76 @@ msgstr "" - #: src/tools/sssctl/sssctl_data.c:89 - #, c-format - msgid "Unable to create backup directory [%d]: %s" --msgstr "" -+msgstr "无法创建备份目录 [%d]: %s" - - #: src/tools/sssctl/sssctl_data.c:95 - msgid "SSSD backup of local data already exists, override?" --msgstr "" -+msgstr "SSSD 本地数据备份已经存在,可以覆盖吗?" 
- - #: src/tools/sssctl/sssctl_data.c:111 - msgid "Unable to export user overrides\n" --msgstr "" -+msgstr "无法导出用户覆盖\n" - - #: src/tools/sssctl/sssctl_data.c:118 - msgid "Unable to export group overrides\n" --msgstr "" -+msgstr "无法导出组覆盖\n" - - #: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 - msgid "Override existing backup" --msgstr "" -+msgstr "覆盖现有的备份" - - #: src/tools/sssctl/sssctl_data.c:164 - msgid "Unable to import user overrides\n" --msgstr "" -+msgstr "无法导入用户覆盖\n" - - #: src/tools/sssctl/sssctl_data.c:173 - msgid "Unable to import group overrides\n" --msgstr "" -+msgstr "无法导入组覆盖\n" - - #: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:82 - #: src/tools/sssctl/sssctl_domains.c:328 - msgid "Start SSSD if it is not running" --msgstr "" -+msgstr "如果未运行,启动 SSSD" - - #: src/tools/sssctl/sssctl_data.c:195 - msgid "Restart SSSD after data import" --msgstr "" -+msgstr "数据导入后重新启动 SSSD" - - #: src/tools/sssctl/sssctl_data.c:218 - msgid "Create clean cache files and import local data" --msgstr "" -+msgstr "创建干净的缓存文件并导入本地数据" - - #: src/tools/sssctl/sssctl_data.c:219 - msgid "Stop SSSD before removing the cache" --msgstr "" -+msgstr "在删除缓存之前停止 SSSD" - - #: src/tools/sssctl/sssctl_data.c:220 - msgid "Start SSSD when the cache is removed" --msgstr "" -+msgstr "删除缓存后启动 SSSD" - - #: src/tools/sssctl/sssctl_data.c:235 - msgid "Creating backup of local data...\n" --msgstr "" -+msgstr "正在创建本地数据备份...\n" - - #: src/tools/sssctl/sssctl_data.c:238 - msgid "Unable to create backup of local data, can not remove the cache.\n" --msgstr "" -+msgstr "无法创建本地数据备份,无法删除缓存。\n" - - #: src/tools/sssctl/sssctl_data.c:243 - msgid "Removing cache files...\n" --msgstr "" -+msgstr "删除缓存文件...\n" - - #: src/tools/sssctl/sssctl_data.c:246 - msgid "Unable to remove cache files\n" --msgstr "" -+msgstr "无法删除缓存文件\n" - - #: src/tools/sssctl/sssctl_data.c:251 - msgid "Restoring local data...\n" --msgstr "" -+msgstr "恢复本地数据...\n" - - #: 
src/tools/sssctl/sssctl_domains.c:83 - msgid "Show domain list including primary or trusted domain type" --msgstr "" -+msgstr "显示域列表,包括主要或受信任的域类型" - - #: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 - #: src/tools/sssctl/sssctl_user_checks.c:95 -@@ -1034,16 +2838,16 @@ msgstr "" - - #: src/tools/sssctl/sssctl_domains.c:167 - msgid "Online" --msgstr "" -+msgstr "在线" - - #: src/tools/sssctl/sssctl_domains.c:167 - msgid "Offline" --msgstr "" -+msgstr "离线" - - #: src/tools/sssctl/sssctl_domains.c:167 - #, c-format - msgid "Online status: %s\n" --msgstr "" -+msgstr "在线状态: %s\n" - - #: src/tools/sssctl/sssctl_domains.c:213 - msgid "This domain has no active servers.\n" -@@ -1051,11 +2855,11 @@ msgstr "" - - #: src/tools/sssctl/sssctl_domains.c:218 - msgid "Active servers:\n" --msgstr "" -+msgstr "活动服务器:\n" - - #: src/tools/sssctl/sssctl_domains.c:230 - msgid "not connected" --msgstr "" -+msgstr "未连接" - - #: src/tools/sssctl/sssctl_domains.c:267 - msgid "No servers discovered.\n" -@@ -1064,307 +2868,285 @@ msgstr "" - #: src/tools/sssctl/sssctl_domains.c:273 - #, c-format - msgid "Discovered %s servers:\n" --msgstr "" -+msgstr "发现的 %s 服务器:\n" - - #: src/tools/sssctl/sssctl_domains.c:285 - msgid "None so far.\n" --msgstr "" -+msgstr "到目前为止没有。\n" - - #: src/tools/sssctl/sssctl_domains.c:325 - msgid "Show online status" --msgstr "" -+msgstr "显示在线状态" - - #: src/tools/sssctl/sssctl_domains.c:326 - msgid "Show information about active server" --msgstr "" -+msgstr "显示有关活动服务器的信息" - - #: src/tools/sssctl/sssctl_domains.c:327 - msgid "Show list of discovered servers" --msgstr "" -+msgstr "显示发现的服务器列表" - - #: src/tools/sssctl/sssctl_domains.c:333 - msgid "Specify domain name." 
--msgstr "" -+msgstr "指定域名。" - - #: src/tools/sssctl/sssctl_domains.c:355 - msgid "Out of memory!\n" --msgstr "" -+msgstr "无可用的内存!\n" - - #: src/tools/sssctl/sssctl_domains.c:375 src/tools/sssctl/sssctl_domains.c:385 - msgid "Unable to get online status\n" --msgstr "" -+msgstr "无法获得在线状态\n" - - #: src/tools/sssctl/sssctl_domains.c:395 - msgid "Unable to get server list\n" --msgstr "" -+msgstr "无法获取服务器列表\n" - - #: src/tools/sssctl/sssctl_logs.c:46 - msgid "\n" --msgstr "" -+msgstr "\n" - - #: src/tools/sssctl/sssctl_logs.c:236 - msgid "Delete log files instead of truncating" --msgstr "" -+msgstr "删除日志文件而不是截断" - - #: src/tools/sssctl/sssctl_logs.c:247 - msgid "Deleting log files...\n" --msgstr "" -+msgstr "删除日志文件...\n" - - #: src/tools/sssctl/sssctl_logs.c:250 - msgid "Unable to remove log files\n" --msgstr "" -+msgstr "无法删除日志文件\n" - - #: src/tools/sssctl/sssctl_logs.c:256 - msgid "Truncating log files...\n" --msgstr "" -+msgstr "截断日志文件...\n" - - #: src/tools/sssctl/sssctl_logs.c:259 - msgid "Unable to truncate log files\n" --msgstr "" -+msgstr "无法截断日志文件\n" - - #: src/tools/sssctl/sssctl_logs.c:285 - msgid "Out of memory!" --msgstr "" -+msgstr "无可用的内存!" 
- - #: src/tools/sssctl/sssctl_logs.c:288 - #, c-format - msgid "Archiving log files into %s...\n" --msgstr "" -+msgstr "将日志文件归档到 %s ...\n" - - #: src/tools/sssctl/sssctl_logs.c:291 - msgid "Unable to archive log files\n" --msgstr "" -+msgstr "无法归档日志文件\n" - - #: src/tools/sssctl/sssctl_logs.c:316 - msgid "Specify debug level you want to set" --msgstr "" -+msgstr "指定要设置的调试级别" - - #: src/tools/sssctl/sssctl_user_checks.c:117 - msgid "SSSD InfoPipe user lookup result:\n" --msgstr "" -+msgstr "SSSD InfoPipe 用户查找结果:\n" - - #: src/tools/sssctl/sssctl_user_checks.c:167 - #, c-format - msgid "dlopen failed with [%s].\n" --msgstr "" -+msgstr "dlopen 失败 [%s]。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:174 - #, c-format - msgid "dlsym failed with [%s].\n" --msgstr "" -+msgstr "dlsym 失败 [%s]。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:182 - msgid "malloc failed.\n" --msgstr "" -+msgstr "malloc 失败。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:189 - #, c-format - msgid "sss_getpwnam_r failed with [%d].\n" --msgstr "" -+msgstr "sss_getpwnam_r 失败 [%d]。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:194 - msgid "SSSD nss user lookup result:\n" --msgstr "" -+msgstr "SSSD nss 用户查找结果:\n" - - #: src/tools/sssctl/sssctl_user_checks.c:195 - #, c-format - msgid " - user name: %s\n" --msgstr "" -+msgstr " - 用户名 : %s\n" - - #: src/tools/sssctl/sssctl_user_checks.c:196 - #, c-format - msgid " - user id: %d\n" --msgstr "" -+msgstr " - 用户 id: %d\n" - - #: src/tools/sssctl/sssctl_user_checks.c:197 - #, c-format - msgid " - group id: %d\n" --msgstr "" -+msgstr " - 组 id: %d\n" - - #: src/tools/sssctl/sssctl_user_checks.c:198 - #, c-format - msgid " - gecos: %s\n" --msgstr "" -+msgstr " - gecos: %s\n" - - #: src/tools/sssctl/sssctl_user_checks.c:199 - #, c-format - msgid " - home directory: %s\n" --msgstr "" -+msgstr " - 家目录 : %s\n" - - #: src/tools/sssctl/sssctl_user_checks.c:200 - #, c-format --msgid "" --" - shell: %s\n" -+msgid " - shell: %s\n" -+"\n" -+msgstr " - shell: %s\n" - 
"\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:232 - msgid "PAM action [auth|acct|setc|chau|open|clos], default: " --msgstr "" -+msgstr "PAM 操作 [auth|acct|setc|chau|open|clos],默认:" - - #: src/tools/sssctl/sssctl_user_checks.c:235 - msgid "PAM service, default: " --msgstr "" -+msgstr "PAM 服务,默认:" - - #: src/tools/sssctl/sssctl_user_checks.c:240 - msgid "Specify user name." --msgstr "" -+msgstr "指定用户名。" - - #: src/tools/sssctl/sssctl_user_checks.c:247 - #, c-format --msgid "" --"user: %s\n" -+msgid "user: %s\n" - "action: %s\n" - "service: %s\n" - "\n" --msgstr "" -+msgstr "用户:%s\n" -+"操作:%s\n" -+"服务:%s\n" -+"\n" - - #: src/tools/sssctl/sssctl_user_checks.c:252 - #, c-format - msgid "User name lookup with [%s] failed.\n" --msgstr "" -+msgstr "使用 [%s] 进行用户名查找失败。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:257 - #, c-format - msgid "InfoPipe User lookup with [%s] failed.\n" --msgstr "" -+msgstr "使用 [%s] 进行 InfoPipe 用户查找失败。\n" - - #: src/tools/sssctl/sssctl_user_checks.c:263 - #, c-format - msgid "pam_start failed: %s\n" --msgstr "" -+msgstr "pam_start 失败:%s\n" - - #: src/tools/sssctl/sssctl_user_checks.c:268 --msgid "" --"testing pam_authenticate\n" -+msgid "testing pam_authenticate\n" -+"\n" -+msgstr "testing pam_authenticate\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:272 - #, c-format - msgid "pam_get_item failed: %s\n" --msgstr "" -+msgstr "pam_get_item 失败:%s\n" - - #: src/tools/sssctl/sssctl_user_checks.c:275 - #, c-format --msgid "" --"pam_authenticate for user [%s]: %s\n" -+msgid "pam_authenticate for user [%s]: %s\n" -+"\n" -+msgstr "pam_authenticate 用户 [%s]: %s\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:278 --msgid "" --"testing pam_chauthtok\n" -+msgid "testing pam_chauthtok\n" -+"\n" -+msgstr "testing pam_chauthtok\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:280 - #, c-format --msgid "" --"pam_chauthtok: %s\n" -+msgid "pam_chauthtok: %s\n" -+"\n" -+msgstr "pam_chauthtok: 
%s\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:282 --msgid "" --"testing pam_acct_mgmt\n" -+msgid "testing pam_acct_mgmt\n" -+"\n" -+msgstr "测试 pam_acct_mgmt\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:284 - #, c-format --msgid "" --"pam_acct_mgmt: %s\n" -+msgid "pam_acct_mgmt: %s\n" -+"\n" -+msgstr "pam_acct_mgmt: %s\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:286 --msgid "" --"testing pam_setcred\n" -+msgid "testing pam_setcred\n" -+"\n" -+msgstr "测试 pam_setcred\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:288 - #, c-format --msgid "" --"pam_setcred: [%s]\n" -+msgid "pam_setcred: [%s]\n" -+"\n" -+msgstr "pam_setcred: [%s]\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:290 --msgid "" --"testing pam_open_session\n" -+msgid "testing pam_open_session\n" -+"\n" -+msgstr "测试 pam_open_session\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:292 - #, c-format --msgid "" --"pam_open_session: %s\n" -+msgid "pam_open_session: %s\n" -+"\n" -+msgstr "pam_open_session: %s\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:294 --msgid "" --"testing pam_close_session\n" -+msgid "testing pam_close_session\n" -+"\n" -+msgstr "testing pam_close_session\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:296 - #, c-format --msgid "" --"pam_close_session: %s\n" -+msgid "pam_close_session: %s\n" -+"\n" -+msgstr "pam_close_session: %s\n" - "\n" --msgstr "" - - #: src/tools/sssctl/sssctl_user_checks.c:298 - msgid "unknown action\n" --msgstr "" -+msgstr "未知操作\n" - - #: src/tools/sssctl/sssctl_user_checks.c:301 - msgid "PAM Environment:\n" --msgstr "" -+msgstr "PAM 环境:\n" - - #: src/tools/sssctl/sssctl_user_checks.c:309 - msgid " - no env -\n" --msgstr "" -+msgstr " -没有环境-\n" - - #: src/util/util.h:82 - msgid "The user ID to run the server as" --msgstr "" -+msgstr "运行服务器的用户 ID" - - #: src/util/util.h:84 - msgid "The group ID to run 
the server as" --msgstr "" -+msgstr "运行服务器的组 ID" - - #: src/util/util.h:92 - msgid "Informs that the responder has been socket-activated" --msgstr "" -+msgstr "通知响应者已被套接字激活" - - #: src/util/util.h:94 - msgid "Informs that the responder has been dbus-activated" --msgstr "" -- --#~ msgid "Set the verbosity of the debug logging" --#~ msgstr "设定调试日志记录等级" -- --#~ msgid "Include timestamps in debug logs" --#~ msgstr "在调试日志中包含时间戳" -- --#~ msgid "Write debug messages to logfiles" --#~ msgstr "写入调试信息到日志文件" -- --#~ msgid "Command to start service" --#~ msgstr "启动服务命令" -- --#~ msgid "IPA server address" --#~ msgstr "IPA 服务器地址" -- --#~ msgid "Address of backup IPA server" --#~ msgstr "IPA 备份服务器地址" -- --#~ msgid "Kerberos server address" --#~ msgstr "Kerberos 服务器地址" -- --#~ msgid "Authentication timeout" --#~ msgstr "验证超时" -+msgstr "通知响应者已被 dbus 激活" --- -2.21.3 - diff --git a/SOURCES/0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch b/SOURCES/0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch deleted file mode 100644 index 81d4709..0000000 --- a/SOURCES/0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch +++ /dev/null 
@@ -1,1537 +0,0 @@ -From 7de6754738f61080b3520c4c7add6d627877eb27 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 24 Jul 2020 12:13:39 +0200 -Subject: [PATCH] Updated translation files: Japanese, Chinese (China), French - ---- - po/fr.po | 152 +++++++++++++++++++++++++++++++++++----------- - po/ja.po | 124 +++++++++++++++++++++----------------- - po/zh_CN.po | 170 +++++++++++++++++++++++++++------------------------- - 3 files changed, 277 insertions(+), 169 deletions(-) - -diff --git a/po/fr.po b/po/fr.po -index 198c757e8..6119909e9 100644 ---- a/po/fr.po -+++ b/po/fr.po -@@ -1,13 +1,12 @@ - # SOME DESCRIPTIVE TITLE. - # Copyright (C) YEAR Red Hat, Inc. - # This file is distributed under the same license as the PACKAGE package. --# -+# - # Translators: - # Fabien Archambault , 2012 - # Jérôme Fenal , 2012-2014 - # Fabien Archambault , 2012 - # Mariko Vincent , 2012 --# Jérôme Fenal , 2015. #zanata - # Jérôme Fenal , 2016. #zanata - # Ludek Janda , 2020. #zanata - # Pavel Brezina , 2020. #zanata -@@ -19,8 +18,8 @@ msgstr "" - "MIME-Version: 1.0\n" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" --"PO-Revision-Date: 2020-05-19 10:07+0000\n" --"Last-Translator: Pavel Brezina \n" -+"PO-Revision-Date: 2020-07-22 07:46-0400\n" -+"Last-Translator: Copied by Zanata \n" - "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/fr/" - ")\n" - "Language: fr\n" -@@ -84,12 +83,18 @@ msgid "" - "is in seconds and calculated by the following: offline_timeout + " - "random_offset." - msgstr "" -+"Lorsque le SSSD passe en mode hors ligne, le temps qui s’écoule avant qu'il " -+"ne tente de se reconnecter augmente en fonction du temps passé hors ligne. " -+"Cette valeur est exprimée en secondes et calculée comme suit : " -+"offline_timeout + random_offset." - - #: src/config/SSSDConfig/sssdoptions.py:38 - msgid "" - "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " - "version 2." 
- msgstr "" -+"Indique la syntaxe du fichier de configuration. Pour SSSD 0.6.0 ou " -+"supérieure utiliser la version 2." - - #: src/config/SSSDConfig/sssdoptions.py:39 - msgid "SSSD Services to start" -@@ -154,6 +159,8 @@ msgid "" - "Controls if SSSD should monitor the state of resolv.conf to identify when it " - "needs to update its internal DNS resolver." - msgstr "" -+"Contrôle si le SSSD doit surveiller l'état de resolv.conf pour identifier " -+"quand il doit mettre à jour son résolveur DNS interne." - - #: src/config/SSSDConfig/sssdoptions.py:54 - msgid "" -@@ -162,6 +169,10 @@ msgid "" - "this, and will fall back to polling resolv.conf every five seconds if " - "inotify cannot be used." - msgstr "" -+"Le SSSD surveille l'état de resolv.conf afin d'identifier quand il doit " -+"mettre à jour son résolveur DNS interne. Par défaut, nous essaierons " -+"d'utiliser inotify pour cela, et par défaut, resolv.conf sera interrogé " -+"toutes les cinq secondes si inotify ne peut pas être utilisé." - - #: src/config/SSSDConfig/sssdoptions.py:59 - msgid "Enumeration cache timeout length (seconds)" -@@ -250,12 +261,16 @@ msgid "" - "The value of this option will be used in the expansion of the " - "override_homedir option if the template contains the format string %H." - msgstr "" -+"La valeur de cette option sera utilisée dans l'extension de l'option " -+"override_homedir si le modèle contient la chaîne de format %H." - - #: src/config/SSSDConfig/sssdoptions.py:77 - msgid "" - "Specifies time in seconds for which the list of subdomains will be " - "considered valid." - msgstr "" -+"Spécifie la durée en secondes pendant laquelle la liste de sous-domaines est " -+"jugée valide." - - #: src/config/SSSDConfig/sssdoptions.py:79 - msgid "" -@@ -263,6 +278,9 @@ msgid "" - "if they are requested beyond a percentage of the entry_cache_timeout value " - "for the domain." 
- msgstr "" -+"La valeur du cache peut être définie pour mettre à jour automatiquement les " -+"entrées en arrière plan si la requête ne dépasse pas un pourcentage de la " -+"valeur de entry_cache_timeout pour le domaine." - - #: src/config/SSSDConfig/sssdoptions.py:84 - msgid "How long to allow cached logins between online logins (days)" -@@ -359,7 +377,7 @@ msgstr "" - - #: src/config/SSSDConfig/sssdoptions.py:103 - msgid "When shall the PAM responder force an initgroups request" --msgstr "" -+msgstr "Quand le répondeur de PAM doit-il forcer une demande d'initgroupes" - - #: src/config/SSSDConfig/sssdoptions.py:106 - msgid "Whether to evaluate the time-based attributes in sudo rules" -@@ -520,6 +538,10 @@ msgid "" - "- No users are recorded. some - Users/groups specified by users and groups " - "options are recorded. all - All users are recorded." - msgstr "" -+"Une des chaînes suivantes spécifiant l'étendue de l'enregistrement de la " -+"session : none - Aucun utilisateur n'est enregistré. some - Les utilisateurs/" -+"groupes spécifiés par les options des utilisateurs et des groupes sont " -+"enregistrés. all - Tous les utilisateurs sont enregistrés." - - #: src/config/SSSDConfig/sssdoptions.py:157 - msgid "" -@@ -527,6 +549,10 @@ msgid "" - "Matches user names as returned by NSS. I.e. after the possible space " - "replacement, case changes, etc." - msgstr "" -+"Une liste d'utilisateurs, séparés par des virgules, dont l'enregistrement de " -+"session devrait être activé. Correspond aux noms d'utilisateurs renvoyés par " -+"le NSS. C'est-à-dire après le remplacement éventuel de l'espace, les " -+"changements de casse, etc." - - #: src/config/SSSDConfig/sssdoptions.py:159 - msgid "" -@@ -534,6 +560,10 @@ msgid "" - "recording enabled. Matches group names as returned by NSS. I.e. after the " - "possible space replacement, case changes, etc." 
- msgstr "" -+"Une liste de groupes séparés par des virgules, dont les membres doivent " -+"avoir l'enregistrement de session activé. Correspond aux noms des groupes " -+"renvoyés par le NSS, c-à-d après le remplacement éventuel de l'espace, les " -+"changements de cas, etc." - - #: src/config/SSSDConfig/sssdoptions.py:164 - msgid "Identity provider" -@@ -573,7 +603,7 @@ msgstr "Fournisseur de gestion de session" - - #: src/config/SSSDConfig/sssdoptions.py:173 - msgid "Resolver provider" --msgstr "" -+msgstr "Fournisseur de résolveurs" - - #: src/config/SSSDConfig/sssdoptions.py:176 - msgid "Whether the domain is usable by the OS or by applications" -@@ -733,24 +763,30 @@ msgstr "" - - #: src/config/SSSDConfig/sssdoptions.py:215 - msgid "Display a warning N days before the password expires." --msgstr "" -+msgstr "Afficher une alerte N jours avant l'expiration du mot de passe." - - #: src/config/SSSDConfig/sssdoptions.py:216 - msgid "" - "Various tags stored by the realmd configuration service for this domain." - msgstr "" -+"Étiquettes diverses stockées par le service de configuration de realmd pour " -+"ce domaine." - - #: src/config/SSSDConfig/sssdoptions.py:217 - msgid "" - "The provider which should handle fetching of subdomains. This value should " - "be always the same as id_provider." - msgstr "" -+"Le fournisseur doit être capable de gérer la récupération des sous-domaines. " -+"Cette valeur doit être toujours identique à id_provider." - - #: src/config/SSSDConfig/sssdoptions.py:219 - msgid "" - "How many seconds to keep a host ssh key after refresh. IE how long to cache " - "the host key for." - msgstr "" -+"La durée en secondes pendant laquelle conserver une clé ssh d'hôte après " -+"rafraichissement. I.e. combien de temps mettre la clé en cache." 
- - #: src/config/SSSDConfig/sssdoptions.py:221 - msgid "" -@@ -758,6 +794,11 @@ msgid "" - "this value determines the minimal length the first authentication factor " - "(long term password) must have to be saved as SHA512 hash into the cache." - msgstr "" -+"Si l'authentification à 2 facteurs (2FA) est utilisée et que les " -+"informations d'identification sont sauvegardées, cette valeur détermine la " -+"longueur minimale à laquelle le premier facteur d'authentification (mot de " -+"passe à long terme) doit être sauvegardé en tant que hachage SHA512 dans le " -+"cache." - - #: src/config/SSSDConfig/sssdoptions.py:227 - msgid "IPA domain" -@@ -871,116 +912,140 @@ msgstr "" - - #: src/config/SSSDConfig/sssdoptions.py:256 - msgid "The LDAP attribute that contains FQDN of the host." --msgstr "" -+msgstr "L'attribut LDAP qui contient le FQDN de l'hôte." - - #: src/config/SSSDConfig/sssdoptions.py:257 - #: src/config/SSSDConfig/sssdoptions.py:280 - msgid "The object class of a host entry in LDAP." --msgstr "" -+msgstr "La classe d'objet d'une entrée utilisateur dans LDAP." - - #: src/config/SSSDConfig/sssdoptions.py:258 - msgid "Use the given string as search base for host objects." - msgstr "" -+"Utiliser la chaîne donnée comme base de recherche pour héberger des objets." - - #: src/config/SSSDConfig/sssdoptions.py:259 - msgid "The LDAP attribute that contains the host's SSH public keys." --msgstr "" -+msgstr "L'attribut LDAP qui contient les clés publiques SSH de l'hôte." - - #: src/config/SSSDConfig/sssdoptions.py:260 - msgid "The LDAP attribute that contains NIS domain name of the netgroup." --msgstr "" -+msgstr "L'attribut LDAP qui contient le nom de domaine NIS du netgroup." - - #: src/config/SSSDConfig/sssdoptions.py:261 - msgid "The LDAP attribute that contains the names of the netgroup's members." --msgstr "" -+msgstr "L'attribut LDAP contenant les noms des membres du netgroup." 
- - #: src/config/SSSDConfig/sssdoptions.py:262 - msgid "" - "The LDAP attribute that lists FQDNs of hosts and host groups that are " - "members of the netgroup." - msgstr "" -+"L'attribut LDAP qui répertorie les FQDN des hôtes et des groupes d'hôtes qui " -+"sont membres du netgroup." - - #: src/config/SSSDConfig/sssdoptions.py:264 - msgid "" - "The LDAP attribute that lists hosts and host groups that are direct members " - "of the netgroup." - msgstr "" -+"L'attribut LDAP qui répertorie les hôtes et les groupes d'hôtes qui sont des " -+"membres directs du netgroup." - - #: src/config/SSSDConfig/sssdoptions.py:266 - msgid "The LDAP attribute that lists netgroup's memberships." --msgstr "" -+msgstr "L'attribut LDAP qui répertorie les adhésions au netgroup." - - #: src/config/SSSDConfig/sssdoptions.py:267 - msgid "" - "The LDAP attribute that lists system users and groups that are direct " - "members of the netgroup." - msgstr "" -+"L'attribut LDAP qui répertorie les utilisateurs du système et les groupes " -+"qui sont des membres directs du netgroup." - - #: src/config/SSSDConfig/sssdoptions.py:269 - msgid "The LDAP attribute that corresponds to the netgroup name." --msgstr "" -+msgstr "L'attribut LDAP correspondant au nom du netgroup." - - #: src/config/SSSDConfig/sssdoptions.py:270 - msgid "The object class of a netgroup entry in LDAP." --msgstr "" -+msgstr "La classe d'objet d'une entrée de netgroup dans LDAP." - - #: src/config/SSSDConfig/sssdoptions.py:271 - msgid "" - "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." --msgstr "" -+msgstr "L'attribut LDAP qui contient l'UUID/GUID d'un objet de netgroup LDAP." - - #: src/config/SSSDConfig/sssdoptions.py:272 - msgid "" - "The LDAP attribute that contains whether or not is user map enabled for " - "usage." - msgstr "" -+"L'attribut LDAP qui contient l’information de savoir si la carte " -+"d'utilisateur est activée ou non pour l'utilisation." 
- - #: src/config/SSSDConfig/sssdoptions.py:274 - msgid "The LDAP attribute that contains host category such as 'all'." --msgstr "" -+msgstr "L'attribut LDAP qui contient la catégorie d'hôte telle que \"all\"." - - #: src/config/SSSDConfig/sssdoptions.py:275 - msgid "" - "The LDAP attribute that contains all hosts / hostgroups this rule match " - "against." - msgstr "" -+"L'attribut LDAP qui contient tous les hôtes / groupes d'hôtes auxquels cette " -+"règle correspond." - - #: src/config/SSSDConfig/sssdoptions.py:277 - msgid "" - "The LDAP attribute that contains all users / groups this rule match against." - msgstr "" -+"L'attribut LDAP qui contient tous les utilisateurs / groupes auxquels cette " -+"règle correspond." - - #: src/config/SSSDConfig/sssdoptions.py:279 - msgid "The LDAP attribute that contains the name of SELinux usermap." - msgstr "" -+"L'attribut LDAP qui contient le nom de la carte d'utilisateur SELinux." - - #: src/config/SSSDConfig/sssdoptions.py:281 - msgid "" - "The LDAP attribute that contains DN of HBAC rule which can be used for " - "matching instead of memberUser and memberHost." - msgstr "" -+"L'attribut LDAP qui contient le DN de la règle HBAC qui peut être utilisé " -+"pour la correspondance au lieu de memberUser et memberHost." - - #: src/config/SSSDConfig/sssdoptions.py:283 - msgid "The LDAP attribute that contains SELinux user string itself." - msgstr "" -+"L'attribut LDAP qui contient la chaîne d'utilisateur SELinux elle-même." - - #: src/config/SSSDConfig/sssdoptions.py:284 - msgid "The LDAP attribute that contains user category such as 'all'." - msgstr "" -+"L'attribut LDAP qui contient la catégorie d'utilisateur telle que \"all\"." - - #: src/config/SSSDConfig/sssdoptions.py:285 - msgid "The LDAP attribute that contains unique ID of the user map." - msgstr "" -+"L'attribut LDAP qui contient l'ID unique de la carte de l'utilisateur." 
- - #: src/config/SSSDConfig/sssdoptions.py:286 - msgid "" - "The option denotes that the SSSD is running on IPA server and should perform " - "lookups of users and groups from trusted domains differently." - msgstr "" -+"L'option indique que le SSSD fonctionne sur le serveur IPA et qu’il doit " -+"effectuer différemment les recherches des utilisateurs et des groupes des " -+"domaines approuvés." - - #: src/config/SSSDConfig/sssdoptions.py:288 - msgid "Use the given string as search base for trusted domains." - msgstr "" -+"Utiliser la chaîne donnée comme base de recherche pour les domaines " -+"approuvés." - - #: src/config/SSSDConfig/sssdoptions.py:291 - msgid "Active Directory domain" -@@ -1099,6 +1164,8 @@ msgstr "Option de réglage de la tâche de renouvellement du compte machine" - #: src/config/SSSDConfig/sssdoptions.py:315 - msgid "Whether to update the machine account password in the Samba database" - msgstr "" -+"Indique s'il faut mettre à jour le mot de passe du compte de la machine dans " -+"la base de données Samba" - - #: src/config/SSSDConfig/sssdoptions.py:317 - msgid "Use LDAPS port for LDAP and Global Catalog requests" -@@ -1330,6 +1397,8 @@ msgid "" - "Allows to retain local users as members of an LDAP group for servers that " - "use the RFC2307 schema." - msgstr "" -+"Permet de conserver les utilisateurs locaux en tant que membres d'un groupe " -+"LDAP pour les serveurs qui utilisent le schéma RFC2307." 
- - #: src/config/SSSDConfig/sssdoptions.py:384 - msgid "entryUSN attribute" -@@ -1596,11 +1665,11 @@ msgstr "Le niveau d'imbrication maximal du SSSD suivra" - - #: src/config/SSSDConfig/sssdoptions.py:454 - msgid "Filter for group lookups" --msgstr "" -+msgstr "Filtre pour les recherches de groupes" - - #: src/config/SSSDConfig/sssdoptions.py:455 - msgid "Scope of group lookups" --msgstr "" -+msgstr "Portée des recherches de groupe" - - #: src/config/SSSDConfig/sssdoptions.py:457 - msgid "Base DN for netgroup lookups" -@@ -1853,47 +1922,47 @@ msgstr "Base DN pour les requêtes de carte de montage automatique" - - #: src/config/SSSDConfig/sssdoptions.py:529 - msgid "The name of the automount master map in LDAP." --msgstr "" -+msgstr "Le nom de la table de montage automatique maîtresse dans LDAP." - - #: src/config/SSSDConfig/sssdoptions.py:532 - msgid "Base DN for IP hosts lookups" --msgstr "" -+msgstr "DN de base pour la recherche d'hôtes IP" - - #: src/config/SSSDConfig/sssdoptions.py:533 - msgid "Object class for IP hosts" --msgstr "" -+msgstr "Classe d'objet pour les hôtes IP" - - #: src/config/SSSDConfig/sssdoptions.py:534 - msgid "IP host name attribute" --msgstr "" -+msgstr "Attribut du nom d'hôte IP" - - #: src/config/SSSDConfig/sssdoptions.py:535 - msgid "IP host number (address) attribute" --msgstr "" -+msgstr "Attribut (adresse) du numéro d'hôte IP" - - #: src/config/SSSDConfig/sssdoptions.py:536 - msgid "IP host entryUSN attribute" --msgstr "" -+msgstr "Attribut entryUSN d’hôte IP" - - #: src/config/SSSDConfig/sssdoptions.py:537 - msgid "Base DN for IP networks lookups" --msgstr "" -+msgstr "DN de base pour la recherche de réseaux IP" - - #: src/config/SSSDConfig/sssdoptions.py:538 - msgid "Object class for IP networks" --msgstr "" -+msgstr "Classe d'objets pour les réseaux IP" - - #: src/config/SSSDConfig/sssdoptions.py:539 - msgid "IP network name attribute" --msgstr "" -+msgstr "Attribut du nom du réseau IP" - - #: 
src/config/SSSDConfig/sssdoptions.py:540 - msgid "IP network number (address) attribute" --msgstr "" -+msgstr "Attribut (adresse) du numéro de réseau IP" - - #: src/config/SSSDConfig/sssdoptions.py:541 - msgid "IP network entryUSN attribute" --msgstr "" -+msgstr "Attribut entryUSN de réseau IP" - - #: src/config/SSSDConfig/sssdoptions.py:544 - msgid "Comma separated list of allowed users" -@@ -1908,6 +1977,9 @@ msgid "" - "Comma separated list of groups that are allowed to log in. This applies only " - "to groups within this SSSD domain. Local groups are not evaluated." - msgstr "" -+"Liste séparée par des virgules de groupes autorisés à se connecter. Ceci ne " -+"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont " -+"pas pris en compte." - - #: src/config/SSSDConfig/sssdoptions.py:548 - msgid "" -@@ -1915,6 +1987,9 @@ msgid "" - "applies only to groups within this SSSD domain. Local groups are not " - "evaluated." - msgstr "" -+"Liste séparée par des virgules de groupes dont l'accès sera refusé. Ceci ne " -+"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont " -+"pas pris en compte." - - #: src/config/SSSDConfig/sssdoptions.py:552 - msgid "Base for home directories" -@@ -1923,26 +1998,32 @@ msgstr "Base pour les répertoires utilisateur" - #: src/config/SSSDConfig/sssdoptions.py:553 - msgid "Indicate if a home directory should be created for new users." - msgstr "" -+"Indiquez si un répertoire d'accueil doit être créé pour les nouveaux " -+"utilisateurs." - - #: src/config/SSSDConfig/sssdoptions.py:554 - msgid "Indicate if a home directory should be removed for deleted users." - msgstr "" -+"Indiquez si un répertoire d’accueil doit être supprimé pour les utilisateurs " -+"supprimés." - - #: src/config/SSSDConfig/sssdoptions.py:555 - msgid "Specify the default permissions on a newly created home directory." - msgstr "" -+"Indiquez les autorisations par défaut sur un répertoire d'accueil " -+"nouvellement créé." 
- - #: src/config/SSSDConfig/sssdoptions.py:556 - msgid "The skeleton directory." --msgstr "" -+msgstr "Le répertoire skeleton." - - #: src/config/SSSDConfig/sssdoptions.py:557 - msgid "The mail spool directory." --msgstr "" -+msgstr "Le répertoire mail spool." - - #: src/config/SSSDConfig/sssdoptions.py:558 - msgid "The command that is run after a user is removed." --msgstr "" -+msgstr "La commande qui est exécutée après la suppression d'un utilisateur." - - #: src/config/SSSDConfig/sssdoptions.py:561 - msgid "The number of preforked proxy children." -@@ -1955,6 +2036,8 @@ msgstr "Nom de la bibliothèque NSS à utiliser" - #: src/config/SSSDConfig/sssdoptions.py:565 - msgid "The name of the NSS library to use for hosts and networks lookups" - msgstr "" -+"Le nom de la bibliothèque du NSS à utiliser pour les recherches réseaux et " -+"hôtes" - - #: src/config/SSSDConfig/sssdoptions.py:566 - msgid "Whether to look up canonical group name from cache if possible" -@@ -2934,7 +3017,7 @@ msgstr "" - #: src/tools/sssctl/sssctl_config.c:127 - #, c-format - msgid "Failed to load configuration from %s.\n" --msgstr "" -+msgstr "Impossible de charger la configuration à partir de %s.\n" - - #: src/tools/sssctl/sssctl_config.c:133 - msgid "Error while reading configuration directory.\n" -@@ -3363,3 +3446,4 @@ msgstr "Informe que le répondeur a été activé par un socket" - #: src/util/util.h:94 - msgid "Informs that the responder has been dbus-activated" - msgstr "Informe que le répondeur a été activé par un dbus" -+ -diff --git a/po/ja.po b/po/ja.po -index a5156184c..7dc9157d3 100644 ---- a/po/ja.po -+++ b/po/ja.po -@@ -1,7 +1,7 @@ - # SOME DESCRIPTIVE TITLE. - # Copyright (C) YEAR Red Hat, Inc. - # This file is distributed under the same license as the PACKAGE package. --# -+# - # Translators: - # Tomoyuki KATO , 2012-2013 - # Noriko Mizumoto , 2016. 
#zanata -@@ -16,8 +16,8 @@ msgstr "" - "MIME-Version: 1.0\n" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" --"PO-Revision-Date: 2020-06-18 09:13+0000\n" --"Last-Translator: Ludek Janda \n" -+"PO-Revision-Date: 2020-07-22 07:46-0400\n" -+"Last-Translator: Copied by Zanata \n" - "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/" - "ja/)\n" - "Language: ja\n" -@@ -76,6 +76,9 @@ msgid "" - "is in seconds and calculated by the following: offline_timeout + " - "random_offset." - msgstr "" -+"SSSD " -+"がオフラインモードに切り替わると、オンラインに戻ろうとするまでの時間が、切断の時間に基づいて長くなります。この値は秒単位で、offline_timeout " -+"+ random_offset で計算されます。" - - #: src/config/SSSDConfig/sssdoptions.py:38 - msgid "" -@@ -144,6 +147,7 @@ msgid "" - "Controls if SSSD should monitor the state of resolv.conf to identify when it " - "needs to update its internal DNS resolver." - msgstr "" -+"内部 DNS リゾルバーを更新する必要があるときを判断するために SSSD が resolv.conf の状態を監視するかどうかを制御します。" - - #: src/config/SSSDConfig/sssdoptions.py:54 - msgid "" -@@ -231,12 +235,13 @@ msgid "" - "The value of this option will be used in the expansion of the " - "override_homedir option if the template contains the format string %H." - msgstr "" -+"このオプションの値は、テンプレートに書式文字列 %H を含んでいる場合に override_homedir オプションの拡張で使用されます。" - - #: src/config/SSSDConfig/sssdoptions.py:77 - msgid "" - "Specifies time in seconds for which the list of subdomains will be " - "considered valid." --msgstr "" -+msgstr "サブドメインのリストが有効とみなされる時間を秒単位で指定します。" - - #: src/config/SSSDConfig/sssdoptions.py:79 - msgid "" -@@ -326,7 +331,7 @@ msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI - - #: src/config/SSSDConfig/sssdoptions.py:103 - msgid "When shall the PAM responder force an initgroups request" --msgstr "" -+msgstr "PAM レスポンダーが initgroups リクエストを強制するとき" - - #: src/config/SSSDConfig/sssdoptions.py:106 - msgid "Whether to evaluate the time-based attributes in sudo rules" -@@ -467,6 +472,8 @@ msgid "" - "- No users are recorded. 
some - Users/groups specified by users and groups " - "options are recorded. all - All users are recorded." - msgstr "" -+"セッション記録の範囲を指定する以下の文字列の 1 つ: none: 記録されたユーザーはいません。some: " -+"ユーザーとグループオプションによって指定されているユーザー/グループが記録されています。all: すべてのユーザーが記録されます。" - - #: src/config/SSSDConfig/sssdoptions.py:157 - msgid "" -@@ -474,6 +481,8 @@ msgid "" - "Matches user names as returned by NSS. I.e. after the possible space " - "replacement, case changes, etc." - msgstr "" -+"セッション記録を有効にしておくべきユーザーのカンマ区切りのリストです。NSS " -+"が返すユーザー名にマッチします。つまり、スペースの置換、大文字小文字の変更などの可能性がある場合には、その後になります。" - - #: src/config/SSSDConfig/sssdoptions.py:159 - msgid "" -@@ -481,6 +490,8 @@ msgid "" - "recording enabled. Matches group names as returned by NSS. I.e. after the " - "possible space replacement, case changes, etc." - msgstr "" -+"セッション記録を有効にしておくべきユーザーのグループごとのカンマ区切りのリストです。NSS " -+"が返すグループ名にマッチします。つまり、スペースの置換、大文字小文字の変更などの可能性がある場合には、その後になります。" - - #: src/config/SSSDConfig/sssdoptions.py:164 - msgid "Identity provider" -@@ -520,7 +531,7 @@ msgstr "セッションマネージャーのプロバイダー" - - #: src/config/SSSDConfig/sssdoptions.py:173 - msgid "Resolver provider" --msgstr "" -+msgstr "リゾルバープロバイダ" - - #: src/config/SSSDConfig/sssdoptions.py:176 - msgid "Whether the domain is usable by the OS or by applications" -@@ -665,19 +676,19 @@ msgstr "Display a warning N days before the password expires." - #: src/config/SSSDConfig/sssdoptions.py:216 - msgid "" - "Various tags stored by the realmd configuration service for this domain." --msgstr "" -+msgstr "このドメインのための realmd 設定サービスによって格納された様々なタグ。" - - #: src/config/SSSDConfig/sssdoptions.py:217 - msgid "" - "The provider which should handle fetching of subdomains. This value should " - "be always the same as id_provider." --msgstr "" -+msgstr "サブドメインの取得を処理する必要のあるプロバイダー。この値は常に id_provider と同じでなければなりません。" - - #: src/config/SSSDConfig/sssdoptions.py:219 - msgid "" - "How many seconds to keep a host ssh key after refresh. IE how long to cache " - "the host key for." 
--msgstr "" -+msgstr "リフレッシュ後にホストの ssh 鍵を保持するには何秒かかるか。IE ホストキーを何秒キャッシュするか。" - - #: src/config/SSSDConfig/sssdoptions.py:221 - msgid "" -@@ -685,6 +696,8 @@ msgid "" - "this value determines the minimal length the first authentication factor " - "(long term password) must have to be saved as SHA512 hash into the cache." - msgstr "" -+"2-Factor-Authentication (2FA) が使用され、認証情報を保存する必要がある場合、この値は、最初の認証要素 (長期パスワード) " -+"を SHA512 ハッシュとしてキャッシュに保存する必要がある最小の長さを決定します。" - - #: src/config/SSSDConfig/sssdoptions.py:227 - msgid "IPA domain" -@@ -788,24 +801,24 @@ msgstr "最後の要求がルールを何も見つけなかった場合の IPA - - #: src/config/SSSDConfig/sssdoptions.py:256 - msgid "The LDAP attribute that contains FQDN of the host." --msgstr "" -+msgstr "ホストの FQDN を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:257 - #: src/config/SSSDConfig/sssdoptions.py:280 - msgid "The object class of a host entry in LDAP." --msgstr "" -+msgstr "LDAP にあるホストエントリーのオブジェクトクラスです。" - - #: src/config/SSSDConfig/sssdoptions.py:258 - msgid "Use the given string as search base for host objects." --msgstr "" -+msgstr "ホストオブジェクトの検索ベースとして与えられた文字列を使用します。" - - #: src/config/SSSDConfig/sssdoptions.py:259 - msgid "The LDAP attribute that contains the host's SSH public keys." --msgstr "" -+msgstr "ホストの SSH 公開鍵を含む LDAP 属性です。" - - #: src/config/SSSDConfig/sssdoptions.py:260 - msgid "The LDAP attribute that contains NIS domain name of the netgroup." --msgstr "" -+msgstr "ネットグループの NIS ドメイン名を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:261 - msgid "The LDAP attribute that contains the names of the netgroup's members." -@@ -815,89 +828,91 @@ msgstr "The LDAP attribute that contains the names of the netgroup's members." - msgid "" - "The LDAP attribute that lists FQDNs of hosts and host groups that are " - "members of the netgroup." 
--msgstr "" -+msgstr "ネットグループのメンバーであるホストとホストグループの FQDN を一覧表示する LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:264 - msgid "" - "The LDAP attribute that lists hosts and host groups that are direct members " - "of the netgroup." --msgstr "" -+msgstr "ネットグループの直接のメンバーであるホストとホストグループを一覧表示する LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:266 - msgid "The LDAP attribute that lists netgroup's memberships." --msgstr "" -+msgstr "ネットグループのメンバーシップを一覧表示する LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:267 - msgid "" - "The LDAP attribute that lists system users and groups that are direct " - "members of the netgroup." --msgstr "" -+msgstr "ネットグループの直接のメンバーであるシステムユーザーとグループを一覧表示する LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:269 - msgid "The LDAP attribute that corresponds to the netgroup name." --msgstr "" -+msgstr "ネットワークグループ名に対応する LDAP 属性です。" - - #: src/config/SSSDConfig/sssdoptions.py:270 - msgid "The object class of a netgroup entry in LDAP." --msgstr "" -+msgstr "LDAP にあるネットワークグループエントリーのオブジェクトクラスです。" - - #: src/config/SSSDConfig/sssdoptions.py:271 - msgid "" - "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." --msgstr "" -+msgstr "LDAP ネットグループオブジェクトの UUID/GUID を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:272 - msgid "" - "The LDAP attribute that contains whether or not is user map enabled for " - "usage." --msgstr "" -+msgstr "使用のためにユーザーマップが有効になっているかどうかを含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:274 - msgid "The LDAP attribute that contains host category such as 'all'." --msgstr "" -+msgstr "'all' などのホストカテゴリを含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:275 - msgid "" - "The LDAP attribute that contains all hosts / hostgroups this rule match " - "against." --msgstr "" -+msgstr "このルールがマッチするすべてのホスト/ホストグループを含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:277 - msgid "" - "The LDAP attribute that contains all users / groups this rule match against." 
--msgstr "" -+msgstr "このルールがマッチするすべてのユーザー/グループを含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:279 - msgid "The LDAP attribute that contains the name of SELinux usermap." --msgstr "" -+msgstr "SELinux usermap の名前を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:281 - msgid "" - "The LDAP attribute that contains DN of HBAC rule which can be used for " - "matching instead of memberUser and memberHost." --msgstr "" -+msgstr "memberUser および memberHost の代わりにマッチングに使用できる HBAC ルールの DN を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:283 - msgid "The LDAP attribute that contains SELinux user string itself." --msgstr "" -+msgstr "SELinuxのユーザー文字列そのものを含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:284 - msgid "The LDAP attribute that contains user category such as 'all'." --msgstr "" -+msgstr "'all' などのユーザーカテゴリーを含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:285 - msgid "The LDAP attribute that contains unique ID of the user map." --msgstr "" -+msgstr "ユーザーマップの一意の ID を含む LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:286 - msgid "" - "The option denotes that the SSSD is running on IPA server and should perform " - "lookups of users and groups from trusted domains differently." - msgstr "" -+"このオプションは、SSSD が IPA " -+"サーバー上で実行されており、信頼されたドメインからのユーザーとグループの検索を異なる方法で実行する必要があることを示します。" - - #: src/config/SSSDConfig/sssdoptions.py:288 - msgid "Use the given string as search base for trusted domains." 
--msgstr "" -+msgstr "信頼されたドメインに対する検索ベースとして、与えられた文字列を使用します。" - - #: src/config/SSSDConfig/sssdoptions.py:291 - msgid "Active Directory domain" -@@ -995,7 +1010,7 @@ msgstr "マシンアカウントの更新タスクをチューニングするオ - - #: src/config/SSSDConfig/sssdoptions.py:315 - msgid "Whether to update the machine account password in the Samba database" --msgstr "" -+msgstr "Samba データベースのマシンアカウントパスワードを更新するかどうか" - - #: src/config/SSSDConfig/sssdoptions.py:317 - msgid "Use LDAPS port for LDAP and Global Catalog requests" -@@ -1217,7 +1232,7 @@ msgstr "LDAP ライブラリーが SASL バインド中にホスト名を正規 - msgid "" - "Allows to retain local users as members of an LDAP group for servers that " - "use the RFC2307 schema." --msgstr "" -+msgstr "RFC2307 スキーマを使用するサーバーの LDAP グループのメンバーとしてローカルユーザーを保持することができます。" - - #: src/config/SSSDConfig/sssdoptions.py:384 - msgid "entryUSN attribute" -@@ -1475,11 +1490,11 @@ msgstr "SSSD が従う最大ネストレベル" - - #: src/config/SSSDConfig/sssdoptions.py:454 - msgid "Filter for group lookups" --msgstr "" -+msgstr "グループ検索のフィルター" - - #: src/config/SSSDConfig/sssdoptions.py:455 - msgid "Scope of group lookups" --msgstr "" -+msgstr "グループ検索の範囲" - - #: src/config/SSSDConfig/sssdoptions.py:457 - msgid "Base DN for netgroup lookups" -@@ -1716,47 +1731,47 @@ msgstr "automonter のマップ検索のベース DN" - - #: src/config/SSSDConfig/sssdoptions.py:529 - msgid "The name of the automount master map in LDAP." 
--msgstr "" -+msgstr "LDAP のオートマウントマスターマップの名前。" - - #: src/config/SSSDConfig/sssdoptions.py:532 - msgid "Base DN for IP hosts lookups" --msgstr "" -+msgstr "IP ホストのルックアップのためのベース DN" - - #: src/config/SSSDConfig/sssdoptions.py:533 - msgid "Object class for IP hosts" --msgstr "" -+msgstr "IP ホストのオブジェクトクラス" - - #: src/config/SSSDConfig/sssdoptions.py:534 - msgid "IP host name attribute" --msgstr "" -+msgstr "IP ホスト名属性" - - #: src/config/SSSDConfig/sssdoptions.py:535 - msgid "IP host number (address) attribute" --msgstr "" -+msgstr "IP ホスト番号 (アドレス) 属性" - - #: src/config/SSSDConfig/sssdoptions.py:536 - msgid "IP host entryUSN attribute" --msgstr "" -+msgstr "IP ホストエントリー USN 属性" - - #: src/config/SSSDConfig/sssdoptions.py:537 - msgid "Base DN for IP networks lookups" --msgstr "" -+msgstr "IP ネットワーク検索のためのベース DN" - - #: src/config/SSSDConfig/sssdoptions.py:538 - msgid "Object class for IP networks" --msgstr "" -+msgstr "IP ネットワークのオブジェクトクラス" - - #: src/config/SSSDConfig/sssdoptions.py:539 - msgid "IP network name attribute" --msgstr "" -+msgstr "IP ネットワーク名属性" - - #: src/config/SSSDConfig/sssdoptions.py:540 - msgid "IP network number (address) attribute" --msgstr "" -+msgstr "IP ネットワーク番号 (アドレス) 属性" - - #: src/config/SSSDConfig/sssdoptions.py:541 - msgid "IP network entryUSN attribute" --msgstr "" -+msgstr "IP ネットワークエントリー USN 属性" - - #: src/config/SSSDConfig/sssdoptions.py:544 - msgid "Comma separated list of allowed users" -@@ -1790,27 +1805,27 @@ msgstr "ホームディレクトリーのベース" - - #: src/config/SSSDConfig/sssdoptions.py:553 - msgid "Indicate if a home directory should be created for new users." --msgstr "" -+msgstr "新しいユーザーのためにホームディレクトリーを作成するかどうかを示します。" - - #: src/config/SSSDConfig/sssdoptions.py:554 - msgid "Indicate if a home directory should be removed for deleted users." --msgstr "" -+msgstr "削除されたユーザーのホームディレクトリーを削除するかどうかを示します。" - - #: src/config/SSSDConfig/sssdoptions.py:555 - msgid "Specify the default permissions on a newly created home directory." 
--msgstr "" -+msgstr "新しく作成したホームディレクトリーのデフォルトのパーミッションを指定します。" - - #: src/config/SSSDConfig/sssdoptions.py:556 - msgid "The skeleton directory." --msgstr "" -+msgstr "スケルトンディレクトリー。" - - #: src/config/SSSDConfig/sssdoptions.py:557 - msgid "The mail spool directory." --msgstr "" -+msgstr "メールスプールディレクトリー。" - - #: src/config/SSSDConfig/sssdoptions.py:558 - msgid "The command that is run after a user is removed." --msgstr "" -+msgstr "ユーザーが削除された後に実行されるコマンド。" - - #: src/config/SSSDConfig/sssdoptions.py:561 - msgid "The number of preforked proxy children." -@@ -1822,7 +1837,7 @@ msgstr "使用する NSS ライブラリーの名前" - - #: src/config/SSSDConfig/sssdoptions.py:565 - msgid "The name of the NSS library to use for hosts and networks lookups" --msgstr "" -+msgstr "ホストやネットワークの検索に使用する NSS ライブラリの名前" - - #: src/config/SSSDConfig/sssdoptions.py:566 - msgid "Whether to look up canonical group name from cache if possible" -@@ -2746,7 +2761,7 @@ msgstr "ファイルの所有権とパーミッションの確認に失敗しま - #: src/tools/sssctl/sssctl_config.c:127 - #, c-format - msgid "Failed to load configuration from %s.\n" --msgstr "" -+msgstr "%s からの設定の読み込みに失敗しました。\n" - - #: src/tools/sssctl/sssctl_config.c:133 - msgid "Error while reading configuration directory.\n" -@@ -3170,3 +3185,4 @@ msgstr "レスポンダーがソケットでアクティベートされたと知 - #: src/util/util.h:94 - msgid "Informs that the responder has been dbus-activated" - msgstr "レスポンダーが dbus でアクティベートされたと知らせます" -+ -diff --git a/po/zh_CN.po b/po/zh_CN.po -index 892f81453..f33aef494 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -13,7 +13,7 @@ msgstr "" - "MIME-Version: 1.0\n" - "Content-Type: text/plain; charset=UTF-8\n" - "Content-Transfer-Encoding: 8bit\n" --"PO-Revision-Date: 2020-06-18 09:05+0000\n" -+"PO-Revision-Date: 2020-07-22 07:46-0400\n" - "Last-Translator: Copied by Zanata \n" - "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/" - "language/zh_CN/)\n" -@@ -73,12 +73,14 @@ msgid "" - "is in seconds and calculated by the following: offline_timeout + " - 
"random_offset." - msgstr "" -+"当 SSSD 切换到脱机模式时,它尝试重新上线前的时间会根据断开连接的时间而增加。这个值以秒为单位,并使用以下公式计算:offline_timeout " -+"+ random_offset。" - - #: src/config/SSSDConfig/sssdoptions.py:38 - msgid "" - "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " - "version 2." --msgstr "" -+msgstr "表示配置文件的语法是什么。SSSD 0.6.0 及以后的版本使用版本 2。" - - #: src/config/SSSDConfig/sssdoptions.py:39 - msgid "SSSD Services to start" -@@ -138,7 +140,7 @@ msgstr "要查询的域的特定顺序" - msgid "" - "Controls if SSSD should monitor the state of resolv.conf to identify when it " - "needs to update its internal DNS resolver." --msgstr "" -+msgstr "控制 SSSD 是否应监控 resolv.conf 的状态,以确定何时需要更新其内部 DNS 解析器。" - - #: src/config/SSSDConfig/sssdoptions.py:54 - msgid "" -@@ -147,6 +149,8 @@ msgid "" - "this, and will fall back to polling resolv.conf every five seconds if " - "inotify cannot be used." - msgstr "" -+"SSSD 监视 resolv.conf 的状态,以确定何时需要更新其内部的 DNS 解析器。默认情况下,我们会尝试使用 inotify " -+"进行。如果不能使用 inotify,则会回到每五秒轮询一次 resolv.conf 的状态。" - - #: src/config/SSSDConfig/sssdoptions.py:59 - msgid "Enumeration cache timeout length (seconds)" -@@ -221,20 +225,20 @@ msgstr "内存缓存记录有效期的长度" - msgid "" - "The value of this option will be used in the expansion of the " - "override_homedir option if the template contains the format string %H." --msgstr "" -+msgstr "如果模板中包含格式字符串%H,那么这个选项的值将被用于 override_homedir 选项的扩展。" - - #: src/config/SSSDConfig/sssdoptions.py:77 - msgid "" - "Specifies time in seconds for which the list of subdomains will be " - "considered valid." --msgstr "" -+msgstr "指定子域列表被视为有效的时间,以秒为单位。" - - #: src/config/SSSDConfig/sssdoptions.py:79 - msgid "" - "The entry cache can be set to automatically update entries in the background " - "if they are requested beyond a percentage of the entry_cache_timeout value " - "for the domain." 
--msgstr "" -+msgstr "条目缓存可以设置为在后台自动更新条目,如果被请求的时间超过域名的 entry_cache_timeout 值的一个百分比。" - - #: src/config/SSSDConfig/sssdoptions.py:84 - msgid "How long to allow cached logins between online logins (days)" -@@ -304,17 +308,17 @@ msgstr "允许服务使用智能卡" - - #: src/config/SSSDConfig/sssdoptions.py:101 - msgid "Additional timeout to wait for a card if requested" --msgstr "" -+msgstr "等待卡的额外超时,如果请求。" - - #: src/config/SSSDConfig/sssdoptions.py:102 - msgid "" - "PKCS#11 URI to restrict the selection of devices for Smartcard " - "authentication" --msgstr "" -+msgstr "PKCS#11 URI,用于限制智能卡认证设备的选择。" - - #: src/config/SSSDConfig/sssdoptions.py:103 - msgid "When shall the PAM responder force an initgroups request" --msgstr "" -+msgstr "什么时候 PAM 响应者要强制发起 initgroups 请求?" - - #: src/config/SSSDConfig/sssdoptions.py:106 - msgid "Whether to evaluate the time-based attributes in sudo rules" -@@ -346,13 +350,13 @@ msgstr "到可信 CA 证书存储的路径" - - #: src/config/SSSDConfig/sssdoptions.py:119 - msgid "Allow to generate ssh-keys from certificates" --msgstr "" -+msgstr "允许从证书中生成 ssh-keys。" - - #: src/config/SSSDConfig/sssdoptions.py:120 - msgid "" - "Use the following matching rules to filter the certificates for ssh-key " - "generation" --msgstr "" -+msgstr "使用以下匹配规则来过滤生成 ssh-key 的证书。" - - #: src/config/SSSDConfig/sssdoptions.py:124 - msgid "List of UIDs or user names allowed to access the PAC responder" -@@ -455,20 +459,21 @@ msgid "" - "- No users are recorded. some - Users/groups specified by users and groups " - "options are recorded. all - All users are recorded." - msgstr "" -+"使用以下字符串之一指定会话记录范围: none - 不记录用户。 some - 记录由用户和组选项指定的用户和组。 all - 记录所有用户。" - - #: src/config/SSSDConfig/sssdoptions.py:157 - msgid "" - "A comma-separated list of users which should have session recording enabled. " - "Matches user names as returned by NSS. I.e. after the possible space " - "replacement, case changes, etc." 
--msgstr "" -+msgstr "以逗号分隔的用户列表,这些用户应该启用会话记录。匹配 NSS 返回的用户名。在可能的空格替换、大小写更改等之后。" - - #: src/config/SSSDConfig/sssdoptions.py:159 - msgid "" - "A comma-separated list of groups, members of which should have session " - "recording enabled. Matches group names as returned by NSS. I.e. after the " - "possible space replacement, case changes, etc." --msgstr "" -+msgstr "以逗号分隔的组列表,其成员应已启用会话记录。匹配NSS 返回的组名。在可能的空格替换、大小写改变等之后。" - - #: src/config/SSSDConfig/sssdoptions.py:164 - msgid "Identity provider" -@@ -508,7 +513,7 @@ msgstr "会话管理提供者" - - #: src/config/SSSDConfig/sssdoptions.py:173 - msgid "Resolver provider" --msgstr "" -+msgstr "解析器提供者" - - #: src/config/SSSDConfig/sssdoptions.py:176 - msgid "Whether the domain is usable by the OS or by applications" -@@ -562,11 +567,11 @@ msgstr "上次成功登录后保留缓存条目的时间(天)" - msgid "" - "How long should SSSD talk to single DNS server before trying next server " - "(miliseconds)" --msgstr "" -+msgstr "在尝试下一个服务器之前,SSSD 应该与一个 DNS 服务器联系多久(毫秒)?" - - #: src/config/SSSDConfig/sssdoptions.py:188 - msgid "How long should keep trying to resolve single DNS query (seconds)" --msgstr "" -+msgstr "尝试解析单个 DNS 查询需要多长时间(秒)?" - - #: src/config/SSSDConfig/sssdoptions.py:189 - msgid "How long to wait for replies from DNS when resolving servers (seconds)" -@@ -648,24 +653,24 @@ msgstr "是否自动为用户创建私人组" - - #: src/config/SSSDConfig/sssdoptions.py:215 - msgid "Display a warning N days before the password expires." --msgstr "" -+msgstr "在密码过期前 N 天显示一个警告。" - - #: src/config/SSSDConfig/sssdoptions.py:216 - msgid "" - "Various tags stored by the realmd configuration service for this domain." --msgstr "" -+msgstr "realmd 配置服务为这个域存储的各种标签。" - - #: src/config/SSSDConfig/sssdoptions.py:217 - msgid "" - "The provider which should handle fetching of subdomains. This value should " - "be always the same as id_provider." 
--msgstr "" -+msgstr "应该处理子域获取的提供者,这个值应始终和 id_provider 相同。" - - #: src/config/SSSDConfig/sssdoptions.py:219 - msgid "" - "How many seconds to keep a host ssh key after refresh. IE how long to cache " - "the host key for." --msgstr "" -+msgstr "刷新后主机 ssh 密钥要保留多少秒。IE 缓存主机密钥多长时间。" - - #: src/config/SSSDConfig/sssdoptions.py:221 - msgid "" -@@ -673,6 +678,8 @@ msgid "" - "this value determines the minimal length the first authentication factor " - "(long term password) must have to be saved as SHA512 hash into the cache." - msgstr "" -+"如果使用 2-Factor-Authentication (2FA),应该保存凭证,这个值决定了第一个认证因素((期密码)必须以SHA512 " -+"哈希值的形式保存到缓存中的最小长度。" - - #: src/config/SSSDConfig/sssdoptions.py:227 - msgid "IPA domain" -@@ -776,116 +783,116 @@ msgstr "当最后一个请求未找到任何规则时,针对 IPA 服务器的D - - #: src/config/SSSDConfig/sssdoptions.py:256 - msgid "The LDAP attribute that contains FQDN of the host." --msgstr "" -+msgstr "包含主机 FQDN 的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:257 - #: src/config/SSSDConfig/sssdoptions.py:280 - msgid "The object class of a host entry in LDAP." --msgstr "" -+msgstr "LDAP 中主机条目的对象类。" - - #: src/config/SSSDConfig/sssdoptions.py:258 - msgid "Use the given string as search base for host objects." --msgstr "" -+msgstr "使用给定的字符串作为主机对象的搜索基础。" - - #: src/config/SSSDConfig/sssdoptions.py:259 - msgid "The LDAP attribute that contains the host's SSH public keys." --msgstr "" -+msgstr "包含主机 SSH 公钥的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:260 - msgid "The LDAP attribute that contains NIS domain name of the netgroup." --msgstr "" -+msgstr "包含 netgroup 的 NIS 域名的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:261 - msgid "The LDAP attribute that contains the names of the netgroup's members." --msgstr "" -+msgstr "包含 netgroup 成员名称的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:262 - msgid "" - "The LDAP attribute that lists FQDNs of hosts and host groups that are " - "members of the netgroup." 
--msgstr "" -+msgstr "列出属于 netgroup 成员的主机和主机组的 FQDN 的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:264 - msgid "" - "The LDAP attribute that lists hosts and host groups that are direct members " - "of the netgroup." --msgstr "" -+msgstr "LDAP属性,列出作为 netgroup 直接成员的主机和主机组。" - - #: src/config/SSSDConfig/sssdoptions.py:266 - msgid "The LDAP attribute that lists netgroup's memberships." --msgstr "" -+msgstr "列出 netgroup 成员资格的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:267 - msgid "" - "The LDAP attribute that lists system users and groups that are direct " - "members of the netgroup." --msgstr "" -+msgstr "LDAP 属性,列出作为 netgroup 直接成员的系统用户和组。" - - #: src/config/SSSDConfig/sssdoptions.py:269 - msgid "The LDAP attribute that corresponds to the netgroup name." --msgstr "" -+msgstr "与 netgroup 名称相对应的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:270 - msgid "The object class of a netgroup entry in LDAP." --msgstr "" -+msgstr "LDAP 中 netgroup 条目的对象类。" - - #: src/config/SSSDConfig/sssdoptions.py:271 - msgid "" - "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." --msgstr "" -+msgstr "包含 LDAP netgroup 对象的 UUID/GUID 的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:272 - msgid "" - "The LDAP attribute that contains whether or not is user map enabled for " - "usage." --msgstr "" -+msgstr "包含是否启用用户映射的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:274 - msgid "The LDAP attribute that contains host category such as 'all'." --msgstr "" -+msgstr "包含主机类别的 LDAP 属性,如'all'。" - - #: src/config/SSSDConfig/sssdoptions.py:275 - msgid "" - "The LDAP attribute that contains all hosts / hostgroups this rule match " - "against." --msgstr "" -+msgstr "包含此规则所匹配的所有主机/主机组的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:277 - msgid "" - "The LDAP attribute that contains all users / groups this rule match against." 
--msgstr "" -+msgstr "包含该规则所匹配的所有用户/组的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:279 - msgid "The LDAP attribute that contains the name of SELinux usermap." --msgstr "" -+msgstr "包含 SELinux usermap 名称的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:281 - msgid "" - "The LDAP attribute that contains DN of HBAC rule which can be used for " - "matching instead of memberUser and memberHost." --msgstr "" -+msgstr "包含 HBAC 规则的 DN 的 LDAP 属性,可以用来代替 memberUser 和 memberHost 进行匹配。" - - #: src/config/SSSDConfig/sssdoptions.py:283 - msgid "The LDAP attribute that contains SELinux user string itself." --msgstr "" -+msgstr "包含 SELinux 用户字符串的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:284 - msgid "The LDAP attribute that contains user category such as 'all'." --msgstr "" -+msgstr "包含用户类别的 LDAP 属性,如'all'。" - - #: src/config/SSSDConfig/sssdoptions.py:285 - msgid "The LDAP attribute that contains unique ID of the user map." --msgstr "" -+msgstr "包含用户映射的唯一 ID 的 LDAP 属性。" - - #: src/config/SSSDConfig/sssdoptions.py:286 - msgid "" - "The option denotes that the SSSD is running on IPA server and should perform " - "lookups of users and groups from trusted domains differently." --msgstr "" -+msgstr "该选项表示 SSSD 在 IPA 服务器上运行,应该以不同的方式执行来自受信任域的用户和组的查找。" - - #: src/config/SSSDConfig/sssdoptions.py:288 - msgid "Use the given string as search base for trusted domains." --msgstr "" -+msgstr "使用给定的字符串作为可信域的搜索基础。" - - #: src/config/SSSDConfig/sssdoptions.py:291 - msgid "Active Directory domain" -@@ -983,7 +990,7 @@ msgstr "用于调整机器帐户续订任务的选项" - - #: src/config/SSSDConfig/sssdoptions.py:315 - msgid "Whether to update the machine account password in the Samba database" --msgstr "" -+msgstr "是否要更新 Samba 数据库中的机器账户密码?" 
- - #: src/config/SSSDConfig/sssdoptions.py:317 - msgid "Use LDAPS port for LDAP and Global Catalog requests" -@@ -1205,7 +1212,7 @@ msgstr "在 SASL绑定期间,LDAP 库是否应执行反向查找以规范化 - msgid "" - "Allows to retain local users as members of an LDAP group for servers that " - "use the RFC2307 schema." --msgstr "" -+msgstr "允许保留本地用户作为使用 RFC2307 模式的服务器的 LDAP 组成员。" - - #: src/config/SSSDConfig/sssdoptions.py:384 - msgid "entryUSN attribute" -@@ -1463,11 +1470,11 @@ msgstr "将遵循的最大嵌套级别 SSSD" - - #: src/config/SSSDConfig/sssdoptions.py:454 - msgid "Filter for group lookups" --msgstr "" -+msgstr "组查询的过滤器" - - #: src/config/SSSDConfig/sssdoptions.py:455 - msgid "Scope of group lookups" --msgstr "" -+msgstr "组查询的范围" - - #: src/config/SSSDConfig/sssdoptions.py:457 - msgid "Base DN for netgroup lookups" -@@ -1704,47 +1711,47 @@ msgstr "自动挂载程序映射查找的基本 DN" - - #: src/config/SSSDConfig/sssdoptions.py:529 - msgid "The name of the automount master map in LDAP." --msgstr "" -+msgstr "LDAP 中自动挂载主映射的名称。" - - #: src/config/SSSDConfig/sssdoptions.py:532 - msgid "Base DN for IP hosts lookups" --msgstr "" -+msgstr "IP 主机查询的基础 DN" - - #: src/config/SSSDConfig/sssdoptions.py:533 - msgid "Object class for IP hosts" --msgstr "" -+msgstr "IP 主机的对象类" - - #: src/config/SSSDConfig/sssdoptions.py:534 - msgid "IP host name attribute" --msgstr "" -+msgstr "IP 主机名属性" - - #: src/config/SSSDConfig/sssdoptions.py:535 - msgid "IP host number (address) attribute" --msgstr "" -+msgstr "IP 主机号(地址)属性" - - #: src/config/SSSDConfig/sssdoptions.py:536 - msgid "IP host entryUSN attribute" --msgstr "" -+msgstr "IP 主机 entryUSN 属性" - - #: src/config/SSSDConfig/sssdoptions.py:537 - msgid "Base DN for IP networks lookups" --msgstr "" -+msgstr "IP 网络查询的基础 DN" - - #: src/config/SSSDConfig/sssdoptions.py:538 - msgid "Object class for IP networks" --msgstr "" -+msgstr "IP 网络的对象类" - - #: src/config/SSSDConfig/sssdoptions.py:539 - msgid "IP network name attribute" --msgstr "" -+msgstr "IP 网络名称属性" - - #: 
src/config/SSSDConfig/sssdoptions.py:540 - msgid "IP network number (address) attribute" --msgstr "" -+msgstr "I P网号(地址)属性" - - #: src/config/SSSDConfig/sssdoptions.py:541 - msgid "IP network entryUSN attribute" --msgstr "" -+msgstr "IP 网络 entryUSN 属性" - - #: src/config/SSSDConfig/sssdoptions.py:544 - msgid "Comma separated list of allowed users" -@@ -1758,14 +1765,14 @@ msgstr "以逗号分隔的不允许的用户列表" - msgid "" - "Comma separated list of groups that are allowed to log in. This applies only " - "to groups within this SSSD domain. Local groups are not evaluated." --msgstr "" -+msgstr "以逗号分隔的允许登录的组的列表。这只适用于此 SSSD 域内的组。本地组不被评估。" - - #: src/config/SSSDConfig/sssdoptions.py:548 - msgid "" - "Comma separated list of groups that are explicitly denied access. This " - "applies only to groups within this SSSD domain. Local groups are not " - "evaluated." --msgstr "" -+msgstr "以逗号分隔的明确拒绝访问的组的列表。这只适用于此 SSSD 域内的组。本地组不被评估。" - - #: src/config/SSSDConfig/sssdoptions.py:552 - msgid "Base for home directories" -@@ -1773,27 +1780,27 @@ msgstr "家目录的基础" - - #: src/config/SSSDConfig/sssdoptions.py:553 - msgid "Indicate if a home directory should be created for new users." --msgstr "" -+msgstr "指定是否应该为新用户创建主目录。" - - #: src/config/SSSDConfig/sssdoptions.py:554 - msgid "Indicate if a home directory should be removed for deleted users." --msgstr "" -+msgstr "指定是否要删除已删除用户的主目录。" - - #: src/config/SSSDConfig/sssdoptions.py:555 - msgid "Specify the default permissions on a newly created home directory." --msgstr "" -+msgstr "指定新创建的主目录的默认权限。" - - #: src/config/SSSDConfig/sssdoptions.py:556 - msgid "The skeleton directory." --msgstr "" -+msgstr "skeleton 目录。" - - #: src/config/SSSDConfig/sssdoptions.py:557 - msgid "The mail spool directory." --msgstr "" -+msgstr "邮件 spool 目录。" - - #: src/config/SSSDConfig/sssdoptions.py:558 - msgid "The command that is run after a user is removed." 
--msgstr "" -+msgstr "用户被删除后运行的命令。" - - #: src/config/SSSDConfig/sssdoptions.py:561 - msgid "The number of preforked proxy children." -@@ -1805,7 +1812,7 @@ msgstr "使用的 NSS 库的名称" - - #: src/config/SSSDConfig/sssdoptions.py:565 - msgid "The name of the NSS library to use for hosts and networks lookups" --msgstr "" -+msgstr "用于查询主机和网络的 NSS 库名称。" - - #: src/config/SSSDConfig/sssdoptions.py:566 - msgid "Whether to look up canonical group name from cache if possible" -@@ -1846,7 +1853,7 @@ msgstr "刷新配置数据库,然后退出" - - #: src/monitor/monitor.c:2383 - msgid "Similar to --genconf, but only refreshes the given section" --msgstr "" -+msgstr "类似于 --genconf,但只刷新指定的部分。" - - #: src/monitor/monitor.c:2386 - msgid "Print version number and exit" -@@ -1934,11 +1941,11 @@ msgstr "SSSD 没有由 root 运行。" - - #: src/sss_client/common.c:1091 - msgid "SSSD socket does not exist." --msgstr "" -+msgstr "SSSD socket 不存在。" - - #: src/sss_client/common.c:1094 - msgid "Cannot get stat of SSSD socket." --msgstr "" -+msgstr "无法获取 SSSD socket 的统计数据。" - - #: src/sss_client/common.c:1099 - msgid "An error occurred, but no description can be found." -@@ -2711,12 +2718,12 @@ msgstr "使用组 ID 搜索" - #: src/tools/sssctl/sssctl_config.c:112 - #, c-format - msgid "Failed to open %s\n" --msgstr "" -+msgstr "打开失败:%s\n" - - #: src/tools/sssctl/sssctl_config.c:117 - #, c-format - msgid "File %1$s does not exist.\n" --msgstr "" -+msgstr "文件 %1$s 不存在\n" - - #: src/tools/sssctl/sssctl_config.c:121 - msgid "" -@@ -2726,21 +2733,21 @@ msgstr "文件所有权和权限检查失败。预期的是 root:root 和 0600 - #: src/tools/sssctl/sssctl_config.c:127 - #, c-format - msgid "Failed to load configuration from %s.\n" --msgstr "" -+msgstr "从 %s 加载配置失败。\n" - - #: src/tools/sssctl/sssctl_config.c:133 - msgid "Error while reading configuration directory.\n" --msgstr "" -+msgstr "读取配置目录时出错。\n" - - #: src/tools/sssctl/sssctl_config.c:141 - msgid "" - "There is no configuration. 
SSSD will use default configuration with files " - "provider.\n" --msgstr "" -+msgstr "没有配置。SSSD 将使用默认配置与文件提供者。\n" - - #: src/tools/sssctl/sssctl_config.c:153 - msgid "Failed to run validators" --msgstr "" -+msgstr "运行验证器失败" - - #: src/tools/sssctl/sssctl_config.c:157 - #, c-format -@@ -2755,7 +2762,7 @@ msgstr "配置合并期间生成的消息: %zu\n" - #: src/tools/sssctl/sssctl_config.c:179 - #, c-format - msgid "Used configuration snippet files: %zu\n" --msgstr "" -+msgstr "所使用的配置摘要文件: %zu\n" - - #: src/tools/sssctl/sssctl_data.c:89 - #, c-format -@@ -2834,7 +2841,7 @@ msgstr "显示域列表,包括主要或受信任的域类型" - #: src/tools/sssctl/sssctl_domains.c:105 src/tools/sssctl/sssctl_domains.c:367 - #: src/tools/sssctl/sssctl_user_checks.c:95 - msgid "Unable to connect to system bus!\n" --msgstr "" -+msgstr "无法连接到系统总线!\n" - - #: src/tools/sssctl/sssctl_domains.c:167 - msgid "Online" -@@ -2851,7 +2858,7 @@ msgstr "在线状态: %s\n" - - #: src/tools/sssctl/sssctl_domains.c:213 - msgid "This domain has no active servers.\n" --msgstr "" -+msgstr "这个域没有活跃的服务器。\n" - - #: src/tools/sssctl/sssctl_domains.c:218 - msgid "Active servers:\n" -@@ -2863,7 +2870,7 @@ msgstr "未连接" - - #: src/tools/sssctl/sssctl_domains.c:267 - msgid "No servers discovered.\n" --msgstr "" -+msgstr "没有发现服务器。\n" - - #: src/tools/sssctl/sssctl_domains.c:273 - #, c-format -@@ -3150,3 +3157,4 @@ msgstr "通知响应者已被套接字激活" - #: src/util/util.h:94 - msgid "Informs that the responder has been dbus-activated" - msgstr "通知响应者已被 dbus 激活" -+ --- -2.21.3 - diff --git a/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch b/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch new file mode 100644 index 0000000..cb06e15 --- /dev/null +++ b/SOURCES/0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch 
@@ -0,0 +1,34 @@
+From c0ae6d34ff7c170ca0e6d0faa8a2daf9a77becb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Fri, 8 Jan 2021 14:00:47 +0100
+Subject: [PATCH] pamsrv_gssapi: fix implicit conversion warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+src/responder/pam/pamsrv_gssapi.c: In function ‘pam_cmd_gssapi_sec_ctx’:
+src/responder/pam/pamsrv_gssapi.c:716:64: error: implicit conversion from ‘enum sss_domain_type’ to ‘enum cache_req_dom_type’ [-Werror=enum-conversion]
+ 716 | cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
+
+Reviewed-by: Alexey Tikhonov
+---
+ src/responder/pam/pamsrv_gssapi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c
+index 099675e1c..2d05c7888 100644
+--- a/src/responder/pam/pamsrv_gssapi.c
++++ b/src/responder/pam/pamsrv_gssapi.c
+@@ -713,7 +713,8 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx)
+ DEBUG(SSSDBG_TRACE_FUNC, "Checking that target user matches UPN\n");
+
+ req = cache_req_user_by_upn_send(cli_ctx, cli_ctx->ev, cli_ctx->rctx,
+- cli_ctx->rctx->ncache, 0, DOM_TYPE_POSIX,
++ cli_ctx->rctx->ncache, 0,
++ CACHE_REQ_POSIX_DOM,
+ domain->name, state->authenticated_upn);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
+--
+2.21.3
+
diff --git a/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch b/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
new file mode 100644
index 0000000..d4ea08c
--- /dev/null
+++ b/SOURCES/0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch
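Review bot: The description of the `cache_req_user_by_upn_send()` change in `pam_cmd_gssapi_sec_ctx` quotes only the compiler error and does not say whether `CACHE_REQ_POSIX_DOM` selects the same domains as the `DOM_TYPE_POSIX` value it replaces. This call is the lookup behind "Checking that target user matches UPN", so the reader should be told that the set of domains searched during GSSAPI authentication is unchanged; both enum definitions are outside the hunk, so that cannot be confirmed from here. Once checked against the headers, I would add one sentence to the description, for example `No functional change: both enumerators restrict the lookup to POSIX domains.` The function body starts and ends outside the hunk.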
@@ -0,0 +1,34 @@
+From cc173629f30fbc885ee90e52a205554b118e0ee6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Mon, 11 Jan 2021 13:11:39 +0100
+Subject: [PATCH 38/39] gssapi: default pam_gssapi_services to NULL in domain
+ section
+
+We need to distinguish when the option is not set in domain section and when
+it is is explicitly disabled. Now if it is not set, domain->gssapi_services
+is NULL and we'll use value from the pam section.
+
+Without this change, the value in the pam section is ignored.
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Sumit Bose
+---
+ src/confdb/confdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index 2881ce5da..befcfff2d 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1582,7 +1582,7 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
+- "-");
++ NULL);
+ if (tmp != NULL) {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->gssapi_services, NULL);
+--
+2.21.3
+
diff --git a/SOURCES/0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch b/SOURCES/0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch
deleted file mode 100644
index c4aa6ad..0000000
--- a/SOURCES/0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch
+++ /dev/null
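Review bot: With the default changed to `NULL`, `domain->gssapi_services` is left untouched when `pam_gssapi_services` is absent from the domain section, and nothing at this read in `confdb_get_domain_internal` records what that state means. The option decides which PAM services may authenticate with GSSAPI, so the states should be written down where the value is parsed, e.g. `/* unset: gssapi_services stays NULL and the [pam] section value applies; "-": GSSAPI explicitly disabled for this domain */`. The fallback to the pam section and the initial value of `domain->gssapi_services` are outside the hunk, so it is worth confirming that the field starts as NULL and that every reader checks for NULL before iterating the list. The function continues outside the hunk.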
@@ -1,63 +0,0 @@ -From 72b8e02c77f0b0b7e36663fa3bd3fd6987ea1b80 Mon Sep 17 00:00:00 2001 -From: Tomas Halman -Date: Mon, 13 Jul 2020 18:11:40 +0200 -Subject: [PATCH] sssctl: sssctl config-check alternative snippet dir - -The sssctl config-check now allows to specify not only alternative -config file but also snippet dir. - - sssctl config-check -c ./sssd.conf -s /etc/sssd/conf.d - -Configuration snippets are still looked up in the same place under -conf.d directory by default. It would be in ./conf.d/ for the example -above. - -Resolves: -https://github.com/SSSD/sssd/issues/5142 - -Reviewed-by: Pawel Polawski ---- - src/tools/sssctl/sssctl_config.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c -index de9f3de6e..db4aeeae4 100644 ---- a/src/tools/sssctl/sssctl_config.c -+++ b/src/tools/sssctl/sssctl_config.c -@@ -75,6 +75,11 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, - struct poptOption long_options[] = { - {"config", 'c', POPT_ARG_STRING, &config_path, - 0, _("Specify a non-default config file"), NULL}, -+ {"snippet", 's', POPT_ARG_STRING, &config_snippet_path, -+ 0, _("Specify a non-default snippet dir (The default is to look in " -+ "the same place where the main config file is located. 
For " -+ "example if the config is set to \"/my/path/sssd.conf\", " -+ "the snippet dir \"/my/path/conf.d\" is used)"), NULL}, - POPT_TABLEEND - }; - -@@ -92,16 +97,17 @@ errno_t sssctl_config_check(struct sss_cmdline *cmdline, - goto done; - } - -- if (config_path != NULL) { -+ if (config_path == NULL) { -+ config_path = SSSD_CONFIG_FILE; -+ } -+ -+ if (config_snippet_path == NULL) { - config_snippet_path = sssctl_config_snippet_path(tmp_ctx, config_path); - if (config_snippet_path == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create snippet path\n"); - ret = ENOMEM; - goto done; - } -- } else { -- config_path = SSSD_CONFIG_FILE; -- config_snippet_path = CONFDB_DEFAULT_CONFIG_DIR; - } - - ret = sss_ini_read_sssd_conf(init_data, --- -2.21.3 - diff --git a/SOURCES/0039-certmap-sanitize-LDAP-search-filter.patch b/SOURCES/0039-certmap-sanitize-LDAP-search-filter.patch deleted file mode 100644 index 909222b..0000000 --- a/SOURCES/0039-certmap-sanitize-LDAP-search-filter.patch +++ /dev/null 
@@ -1,651 +0,0 @@ -From a2b9a84460429181f2a4fa7e2bb5ab49fd561274 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Mon, 9 Dec 2019 11:31:14 +0100 -Subject: [PATCH] certmap: sanitize LDAP search filter - -The sss_certmap_get_search_filter() will now sanitize the values read -from the certificates before adding them to a search filter. To be able -to get the plain values as well sss_certmap_expand_mapping_rule() is -added. - -Resolves: -https://github.com/SSSD/sssd/issues/5135 - -Reviewed-by: Alexey Tikhonov ---- - Makefile.am | 2 +- - src/lib/certmap/sss_certmap.c | 42 ++++++++++-- - src/lib/certmap/sss_certmap.exports | 5 ++ - src/lib/certmap/sss_certmap.h | 35 ++++++++-- - src/responder/pam/pamsrv_p11.c | 5 +- - src/tests/cmocka/test_certmap.c | 98 +++++++++++++++++++++++++++- - src/util/util.c | 94 --------------------------- - src/util/util_ext.c | 99 +++++++++++++++++++++++++++++ - 8 files changed, 272 insertions(+), 108 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 059e1eaf6..4bacabdda 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -2163,7 +2163,7 @@ libsss_certmap_la_LIBADD = \ - $(NULL) - libsss_certmap_la_LDFLAGS = \ - -Wl,--version-script,$(srcdir)/src/lib/certmap/sss_certmap.exports \ -- -version-info 1:0:1 -+ -version-info 2:0:2 - - if HAVE_NSS - libsss_certmap_la_SOURCES += \ -diff --git a/src/lib/certmap/sss_certmap.c b/src/lib/certmap/sss_certmap.c -index 703782b53..f19e57732 100644 ---- a/src/lib/certmap/sss_certmap.c -+++ b/src/lib/certmap/sss_certmap.c -@@ -441,10 +441,12 @@ static int expand_san(struct sss_certmap_ctx *ctx, - static int expand_template(struct sss_certmap_ctx *ctx, - struct parsed_template *parsed_template, - struct sss_cert_content *cert_content, -+ bool sanitize, - char **expanded) - { - int ret; - char *exp = NULL; -+ char *exp_sanitized = NULL; - - if (strcmp("issuer_dn", parsed_template->name) == 0) { - ret = rdn_list_2_dn_str(ctx, parsed_template->conversion, -@@ -455,6 +457,8 @@ static int 
expand_template(struct sss_certmap_ctx *ctx, - } else if (strncmp("subject_", parsed_template->name, 8) == 0) { - ret = expand_san(ctx, parsed_template, cert_content->san_list, &exp); - } else if (strcmp("cert", parsed_template->name) == 0) { -+ /* cert blob is already sanitized */ -+ sanitize = false; - ret = expand_cert(ctx, parsed_template, cert_content, &exp); - } else { - CM_DEBUG(ctx, "Unsupported template name."); -@@ -471,6 +475,16 @@ static int expand_template(struct sss_certmap_ctx *ctx, - goto done; - } - -+ if (sanitize) { -+ ret = sss_filter_sanitize(ctx, exp, &exp_sanitized); -+ if (ret != EOK) { -+ CM_DEBUG(ctx, "Failed to sanitize expanded template."); -+ goto done; -+ } -+ talloc_free(exp); -+ exp = exp_sanitized; -+ } -+ - ret = 0; - - done: -@@ -485,7 +499,7 @@ done: - - static int get_filter(struct sss_certmap_ctx *ctx, - struct ldap_mapping_rule *parsed_mapping_rule, -- struct sss_cert_content *cert_content, -+ struct sss_cert_content *cert_content, bool sanitize, - char **filter) - { - struct ldap_mapping_rule_comp *comp; -@@ -503,7 +517,7 @@ static int get_filter(struct sss_certmap_ctx *ctx, - result = talloc_strdup_append(result, comp->val); - } else if (comp->type == comp_template) { - ret = expand_template(ctx, comp->parsed_template, cert_content, -- &expanded); -+ sanitize, &expanded); - if (ret != 0) { - CM_DEBUG(ctx, "Failed to expanded template."); - goto done; -@@ -791,8 +805,9 @@ done: - return ret; - } - --int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx, -+static int expand_mapping_rule_ex(struct sss_certmap_ctx *ctx, - const uint8_t *der_cert, size_t der_size, -+ bool sanitize, - char **_filter, char ***_domains) - { - int ret; -@@ -819,7 +834,8 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx, - return EINVAL; - } - -- ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, &filter); -+ ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, sanitize, -+ &filter); - goto done; - } - -@@ 
-829,7 +845,7 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx, - if (ret == 0) { - /* match */ - ret = get_filter(ctx, r->parsed_mapping_rule, cert_content, -- &filter); -+ sanitize, &filter); - if (ret != 0) { - CM_DEBUG(ctx, "Failed to get filter"); - goto done; -@@ -873,6 +889,22 @@ done: - return ret; - } - -+int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx, -+ const uint8_t *der_cert, size_t der_size, -+ char **_filter, char ***_domains) -+{ -+ return expand_mapping_rule_ex(ctx, der_cert, der_size, true, -+ _filter, _domains); -+} -+ -+int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx, -+ const uint8_t *der_cert, size_t der_size, -+ char **_expanded, char ***_domains) -+{ -+ return expand_mapping_rule_ex(ctx, der_cert, der_size, false, -+ _expanded, _domains); -+} -+ - int sss_certmap_init(TALLOC_CTX *mem_ctx, - sss_certmap_ext_debug *debug, void *debug_priv, - struct sss_certmap_ctx **ctx) -diff --git a/src/lib/certmap/sss_certmap.exports b/src/lib/certmap/sss_certmap.exports -index a9e48d6d0..7d7667738 100644 ---- a/src/lib/certmap/sss_certmap.exports -+++ b/src/lib/certmap/sss_certmap.exports -@@ -16,3 +16,8 @@ SSS_CERTMAP_0.1 { - global: - sss_certmap_display_cert_content; - } SSS_CERTMAP_0.0; -+ -+SSS_CERTMAP_0.2 { -+ global: -+ sss_certmap_expand_mapping_rule; -+} SSS_CERTMAP_0.1; -diff --git a/src/lib/certmap/sss_certmap.h b/src/lib/certmap/sss_certmap.h -index 7da2d1c58..058d4f9e4 100644 ---- a/src/lib/certmap/sss_certmap.h -+++ b/src/lib/certmap/sss_certmap.h -@@ -103,7 +103,7 @@ int sss_certmap_add_rule(struct sss_certmap_ctx *ctx, - * - * @param[in] ctx certmap context previously initialized with - * @ref sss_certmap_init -- * @param[in] der_cert binary blog with the DER encoded certificate -+ * @param[in] der_cert binary blob with the DER encoded certificate - * @param[in] der_size size of the certificate blob - * - * @return -@@ -119,10 +119,11 @@ int sss_certmap_match_cert(struct sss_certmap_ctx *ctx, - 
* - * @param[in] ctx certmap context previously initialized with - * @ref sss_certmap_init -- * @param[in] der_cert binary blog with the DER encoded certificate -+ * @param[in] der_cert binary blob with the DER encoded certificate - * @param[in] der_size size of the certificate blob -- * @param[out] filter LDAP filter string, caller should free the data by -- * calling sss_certmap_free_filter_and_domains -+ * @param[out] filter LDAP filter string, expanded templates are sanitized, -+ * caller should free the data by calling -+ * sss_certmap_free_filter_and_domains - * @param[out] domains NULL-terminated array of strings with the domains the - * rule applies, caller should free the data by calling - * sss_certmap_free_filter_and_domains -@@ -136,8 +137,32 @@ int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx, - const uint8_t *der_cert, size_t der_size, - char **filter, char ***domains); - -+/** -+ * @brief Expand the mapping rule by replacing the templates -+ * -+ * @param[in] ctx certmap context previously initialized with -+ * @ref sss_certmap_init -+ * @param[in] der_cert binary blob with the DER encoded certificate -+ * @param[in] der_size size of the certificate blob -+ * @param[out] expanded expanded mapping rule, templates are filled in -+ * verbatim in contrast to sss_certmap_get_search_filter, -+ * caller should free the data by -+ * calling sss_certmap_free_filter_and_domains -+ * @param[out] domains NULL-terminated array of strings with the domains the -+ * rule applies, caller should free the data by calling -+ * sss_certmap_free_filter_and_domains -+ * -+ * @return -+ * - 0: certificate matches a rule -+ * - ENOENT: certificate does not match -+ * - EINVAL: internal error -+ */ -+int sss_certmap_expand_mapping_rule(struct sss_certmap_ctx *ctx, -+ const uint8_t *der_cert, size_t der_size, -+ char **_expanded, char ***_domains); - /** - * @brief Free data returned by @ref sss_certmap_get_search_filter -+ * and @ref 
sss_certmap_expand_mapping_rule - * - * @param[in] filter LDAP filter strings returned by - * sss_certmap_get_search_filter -@@ -150,7 +175,7 @@ void sss_certmap_free_filter_and_domains(char *filter, char **domains); - * @brief Get a string with the content of the certificate used by the library - * - * @param[in] mem_ctx Talloc memory context, may be NULL -- * @param[in] der_cert binary blog with the DER encoded certificate -+ * @param[in] der_cert binary blob with the DER encoded certificate - * @param[in] der_size size of the certificate blob - * @param[out] desc Multiline string showing the certificate content - * which is used by libsss_certmap -diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c -index 3f0afaeff..cdf239e07 100644 ---- a/src/responder/pam/pamsrv_p11.c -+++ b/src/responder/pam/pamsrv_p11.c -@@ -1049,9 +1049,10 @@ static char *get_cert_prompt(TALLOC_CTX *mem_ctx, - goto done; - } - -- ret = sss_certmap_get_search_filter(ctx, der, der_size, &filter, &domains); -+ ret = sss_certmap_expand_mapping_rule(ctx, der, der_size, -+ &filter, &domains); - if (ret != 0) { -- DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_get_search_filter failed.\n"); -+ DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_expand_mapping_rule failed.\n"); - goto done; - } - -diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c -index c882202a0..232ff7878 100644 ---- a/src/tests/cmocka/test_certmap.c -+++ b/src/tests/cmocka/test_certmap.c -@@ -1431,6 +1431,15 @@ static void test_sss_certmap_get_search_filter(void **state) - &filter, &domains); - assert_int_equal(ret, 0); - assert_non_null(filter); -+ assert_string_equal(filter, "rule100=CN=Certificate\\20Authority,O=IPA.DEVEL" -+ "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); -+ assert_null(domains); -+ -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der), -+ sizeof(test_cert_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); - 
assert_string_equal(filter, "rule100=CN=Certificate Authority,O=IPA.DEVEL" - "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); - assert_null(domains); -@@ -1445,6 +1454,17 @@ static void test_sss_certmap_get_search_filter(void **state) - &filter, &domains); - assert_int_equal(ret, 0); - assert_non_null(filter); -+ assert_string_equal(filter, "rule99=CN=Certificate\\20Authority,O=IPA.DEVEL" -+ "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); -+ assert_non_null(domains); -+ assert_string_equal(domains[0], "test.dom"); -+ assert_null(domains[1]); -+ -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der), -+ sizeof(test_cert_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); - assert_string_equal(filter, "rule99=CN=Certificate Authority,O=IPA.DEVEL" - "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); - assert_non_null(domains); -@@ -1466,6 +1486,16 @@ static void test_sss_certmap_get_search_filter(void **state) - assert_string_equal(domains[0], "test.dom"); - assert_null(domains[1]); - -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der), -+ sizeof(test_cert_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); -+ assert_string_equal(filter, "rule98=userCertificate;binary=" TEST_CERT_BIN); -+ assert_non_null(domains); -+ assert_string_equal(domains[0], "test.dom"); -+ assert_null(domains[1]); -+ - ret = sss_certmap_add_rule(ctx, 97, - "KRB5:CN=Certificate Authority,O=IPA.DEVEL", - "LDAP:rule97={issuer_dn!nss_x500}{subject_dn}", -@@ -1476,6 +1506,17 @@ static void test_sss_certmap_get_search_filter(void **state) - &filter, &domains); - assert_int_equal(ret, 0); - assert_non_null(filter); -+ assert_string_equal(filter, "rule97=O=IPA.DEVEL,CN=Certificate\\20Authority" -+ "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); -+ assert_non_null(domains); -+ assert_string_equal(domains[0], "test.dom"); -+ assert_null(domains[1]); -+ -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der), -+ 
sizeof(test_cert_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); - assert_string_equal(filter, "rule97=O=IPA.DEVEL,CN=Certificate Authority" - "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); - assert_non_null(domains); -@@ -1492,6 +1533,17 @@ static void test_sss_certmap_get_search_filter(void **state) - &filter, &domains); - assert_int_equal(ret, 0); - assert_non_null(filter); -+ assert_string_equal(filter, "rule96=O=IPA.DEVEL,CN=Certificate\\20Authority" -+ "O=IPA.DEVEL,CN=ipa-devel.ipa.devel"); -+ assert_non_null(domains); -+ assert_string_equal(domains[0], "test.dom"); -+ assert_null(domains[1]); -+ -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der), -+ sizeof(test_cert_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); - assert_string_equal(filter, "rule96=O=IPA.DEVEL,CN=Certificate Authority" - "O=IPA.DEVEL,CN=ipa-devel.ipa.devel"); - assert_non_null(domains); -@@ -1510,6 +1562,14 @@ static void test_sss_certmap_get_search_filter(void **state) - assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")"); - assert_null(domains); - -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der), -+ sizeof(test_cert_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); -+ assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")"); -+ assert_null(domains); -+ - ret = sss_certmap_add_rule(ctx, 94, - "KRB5:CN=Certificate Authority,O=IPA.DEVEL", - "LDAP:rule94={issuer_dn!ad_x500}{subject_dn!ad_x500}", -@@ -1520,12 +1580,22 @@ static void test_sss_certmap_get_search_filter(void **state) - &filter, &domains); - assert_int_equal(ret, 0); - assert_non_null(filter); -- assert_string_equal(filter, "rule94=O=IPA.DEVEL,CN=Certificate Authority" -+ assert_string_equal(filter, "rule94=O=IPA.DEVEL,CN=Certificate\\20Authority" - "O=IPA.DEVEL,CN=ipa-devel.ipa.devel"); - assert_non_null(domains); - 
assert_string_equal(domains[0], "test.dom"); - assert_null(domains[1]); - -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert_der), -+ sizeof(test_cert_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); -+ assert_string_equal(filter, "rule94=O=IPA.DEVEL,CN=Certificate Authority" -+ "O=IPA.DEVEL,CN=ipa-devel.ipa.devel"); -+ assert_non_null(domains); -+ assert_string_equal(domains[0], "test.dom"); -+ assert_null(domains[1]); - - ret = sss_certmap_add_rule(ctx, 89, NULL, - "(rule89={subject_nt_principal})", -@@ -1539,6 +1609,14 @@ static void test_sss_certmap_get_search_filter(void **state) - assert_string_equal(filter, "(rule89=tu1@ad.devel)"); - assert_null(domains); - -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der), -+ sizeof(test_cert2_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); -+ assert_string_equal(filter, "(rule89=tu1@ad.devel)"); -+ assert_null(domains); -+ - ret = sss_certmap_add_rule(ctx, 88, NULL, - "(rule88={subject_nt_principal.short_name})", - NULL); -@@ -1560,6 +1638,15 @@ static void test_sss_certmap_get_search_filter(void **state) - &filter, &domains); - assert_int_equal(ret, 0); - assert_non_null(filter); -+ assert_string_equal(filter, "rule87=DC=devel,DC=ad,CN=ad-AD-SERVER-CA" -+ "DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain"); -+ assert_null(domains); -+ -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der), -+ sizeof(test_cert2_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); - assert_string_equal(filter, "rule87=DC=devel,DC=ad,CN=ad-AD-SERVER-CA" - "DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain"); - assert_null(domains); -@@ -1573,6 +1660,15 @@ static void test_sss_certmap_get_search_filter(void **state) - &filter, &domains); - assert_int_equal(ret, 0); - assert_non_null(filter); -+ assert_string_equal(filter, 
"rule86=DC=devel,DC=ad,CN=ad-AD-SERVER-CA" -+ "DC=devel,DC=ad,CN=Users,CN=t\\20u,E=test.user@email.domain"); -+ assert_null(domains); -+ -+ ret = sss_certmap_expand_mapping_rule(ctx, discard_const(test_cert2_der), -+ sizeof(test_cert2_der), -+ &filter, &domains); -+ assert_int_equal(ret, 0); -+ assert_non_null(filter); - assert_string_equal(filter, "rule86=DC=devel,DC=ad,CN=ad-AD-SERVER-CA" - "DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain"); - assert_null(domains); -diff --git a/src/util/util.c b/src/util/util.c -index d9bd3cb59..19d447328 100644 ---- a/src/util/util.c -+++ b/src/util/util.c -@@ -436,100 +436,6 @@ errno_t sss_hash_create(TALLOC_CTX *mem_ctx, unsigned long count, - return sss_hash_create_ex(mem_ctx, count, tbl, 0, 0, 0, 0, NULL, NULL); - } - --errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx, -- const char *input, -- char **sanitized, -- const char *ignore) --{ -- char *output; -- size_t i = 0; -- size_t j = 0; -- char *allowed; -- -- /* Assume the worst-case. 
We'll resize it later, once */ -- output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1); -- if (!output) { -- return ENOMEM; -- } -- -- while (input[i]) { -- /* Even though this character might have a special meaning, if it's -- * explicitly allowed, just copy it and move on -- */ -- if (ignore == NULL) { -- allowed = NULL; -- } else { -- allowed = strchr(ignore, input[i]); -- } -- if (allowed) { -- output[j++] = input[i++]; -- continue; -- } -- -- switch(input[i]) { -- case '\t': -- output[j++] = '\\'; -- output[j++] = '0'; -- output[j++] = '9'; -- break; -- case ' ': -- output[j++] = '\\'; -- output[j++] = '2'; -- output[j++] = '0'; -- break; -- case '*': -- output[j++] = '\\'; -- output[j++] = '2'; -- output[j++] = 'a'; -- break; -- case '(': -- output[j++] = '\\'; -- output[j++] = '2'; -- output[j++] = '8'; -- break; -- case ')': -- output[j++] = '\\'; -- output[j++] = '2'; -- output[j++] = '9'; -- break; -- case '\\': -- output[j++] = '\\'; -- output[j++] = '5'; -- output[j++] = 'c'; -- break; -- case '\r': -- output[j++] = '\\'; -- output[j++] = '0'; -- output[j++] = 'd'; -- break; -- case '\n': -- output[j++] = '\\'; -- output[j++] = '0'; -- output[j++] = 'a'; -- break; -- default: -- output[j++] = input[i]; -- } -- -- i++; -- } -- output[j] = '\0'; -- *sanitized = talloc_realloc(mem_ctx, output, char, j+1); -- if (!*sanitized) { -- talloc_free(output); -- return ENOMEM; -- } -- -- return EOK; --} -- --errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx, -- const char *input, -- char **sanitized) --{ -- return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL); --} -- - char * - sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr) - { -diff --git a/src/util/util_ext.c b/src/util/util_ext.c -index 04dc02a8a..a89b60f76 100644 ---- a/src/util/util_ext.c -+++ b/src/util/util_ext.c -@@ -29,6 +29,11 @@ - - #define EOK 0 - -+#ifndef HAVE_ERRNO_T -+#define HAVE_ERRNO_T -+typedef int errno_t; -+#endif -+ - int split_on_separator(TALLOC_CTX 
*mem_ctx, const char *str, - const char sep, bool trim, bool skip_empty, - char ***_list, int *size) -@@ -141,3 +146,97 @@ bool string_in_list(const char *string, char **list, bool case_sensitive) - - return false; - } -+ -+errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx, -+ const char *input, -+ char **sanitized, -+ const char *ignore) -+{ -+ char *output; -+ size_t i = 0; -+ size_t j = 0; -+ char *allowed; -+ -+ /* Assume the worst-case. We'll resize it later, once */ -+ output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1); -+ if (!output) { -+ return ENOMEM; -+ } -+ -+ while (input[i]) { -+ /* Even though this character might have a special meaning, if it's -+ * explicitly allowed, just copy it and move on -+ */ -+ if (ignore == NULL) { -+ allowed = NULL; -+ } else { -+ allowed = strchr(ignore, input[i]); -+ } -+ if (allowed) { -+ output[j++] = input[i++]; -+ continue; -+ } -+ -+ switch(input[i]) { -+ case '\t': -+ output[j++] = '\\'; -+ output[j++] = '0'; -+ output[j++] = '9'; -+ break; -+ case ' ': -+ output[j++] = '\\'; -+ output[j++] = '2'; -+ output[j++] = '0'; -+ break; -+ case '*': -+ output[j++] = '\\'; -+ output[j++] = '2'; -+ output[j++] = 'a'; -+ break; -+ case '(': -+ output[j++] = '\\'; -+ output[j++] = '2'; -+ output[j++] = '8'; -+ break; -+ case ')': -+ output[j++] = '\\'; -+ output[j++] = '2'; -+ output[j++] = '9'; -+ break; -+ case '\\': -+ output[j++] = '\\'; -+ output[j++] = '5'; -+ output[j++] = 'c'; -+ break; -+ case '\r': -+ output[j++] = '\\'; -+ output[j++] = '0'; -+ output[j++] = 'd'; -+ break; -+ case '\n': -+ output[j++] = '\\'; -+ output[j++] = '0'; -+ output[j++] = 'a'; -+ break; -+ default: -+ output[j++] = input[i]; -+ } -+ -+ i++; -+ } -+ output[j] = '\0'; -+ *sanitized = talloc_realloc(mem_ctx, output, char, j+1); -+ if (!*sanitized) { -+ talloc_free(output); -+ return ENOMEM; -+ } -+ -+ return EOK; -+} -+ -+errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx, -+ const char *input, -+ char **sanitized) -+{ -+ return 
sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL); -+} --- -2.21.3 - diff --git a/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch b/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch new file mode 100644 index 0000000..cd37baf --- /dev/null +++ b/SOURCES/0039-pam_sss_gssapi-fix-coverity-issues.patch 
@@ -0,0 +1,133 @@
+From 111b8b4d62a4fe192c075e6f6bfacb408e6074b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
+Date: Tue, 12 Jan 2021 13:50:11 +0100
+Subject: [PATCH 39/39] pam_sss_gssapi: fix coverity issues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+```
+1. Defect type: RESOURCE_LEAK
+7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
+Expand
+2. Defect type: RESOURCE_LEAK
+3. sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
+Expand
+3. Defect type: RESOURCE_LEAK
+7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
+Expand
+4. Defect type: RESOURCE_LEAK
+6. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
+Expand
+5. Defect type: RESOURCE_LEAK
+7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
+Expand
+6. Defect type: RESOURCE_LEAK
+7. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.
+
+1. Defect type: CLANG_WARNING
+1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
+Expand
+2. Defect type: CLANG_WARNING
+1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
+Expand
+3. Defect type: CLANG_WARNING
+1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
+Expand
+4. Defect type: CLANG_WARNING
+1. sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'
+```
+
+Also fix compilation warning
+```
+../src/sss_client/pam_sss_gss.c:339:5: warning: ‘reply’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 339 | free(reply);
+ | ^~~~~~~~~~~
+../src/sss_client/pam_sss_gss.c:328:14: note: ‘reply’ was declared here
+ 328 | uint8_t *reply;
+ | ^~~~~
+../src/sss_client/pam_sss_gss.c:270:11: warning: ‘reply_len’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 270 | upn = malloc(reply_len * sizeof(char));
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../src/sss_client/pam_sss_gss.c:327:12: note: ‘reply_len’ was declared here
+ 327 | size_t reply_len;
+ | ^~~~~~~~~
+```
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Sumit Bose
+---
+ src/sss_client/pam_sss_gss.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c
+index cd38db7da..51be36ece 100644
+--- a/src/sss_client/pam_sss_gss.c
++++ b/src/sss_client/pam_sss_gss.c
+@@ -195,6 +195,8 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
+ struct sss_cli_req_data req_data;
+ size_t service_len;
+ size_t user_len;
++ size_t reply_len;
++ uint8_t *reply = NULL;
+ uint8_t *data;
+ errno_t ret;
+ int ret_errno;
+@@ -217,7 +219,7 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
+
+ req_data.data = data;
+
+- ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, _reply, _reply_len,
++ ret = sss_pam_make_request(SSS_GSSAPI_INIT, &req_data, &reply, &reply_len,
+ &ret_errno);
+ free(data);
+ if (ret != PAM_SUCCESS) {
+@@ -233,6 +235,16 @@ static errno_t sssd_gssapi_init_send(pam_handle_t *pamh,
+ return (ret_errno != EOK) ? ret_errno : EIO;
+ }
+
++ if (ret_errno == EOK) {
++ *_reply = reply;
++ *_reply_len = reply_len;
++ } else {
++ /* We got PAM_SUCCESS therefore the communication with SSSD was
++ * successful and we have received a reply buffer. We just don't care
++ * about it, we are only interested in the error code. */
++ free(reply);
++ }
++
+ return ret_errno;
+ }
+
+@@ -257,7 +269,8 @@ static errno_t sssd_gssapi_init_recv(uint8_t *reply,
+ target = malloc(reply_len * sizeof(char));
+ upn = malloc(reply_len * sizeof(char));
+ if (username == NULL || domain == NULL || target == NULL || upn == NULL) {
+- return ENOMEM;
++ ret = ENOMEM;
++ goto done;
+ }
+
+ buf = (const char*)reply;
+@@ -311,8 +324,8 @@ static errno_t sssd_gssapi_init(pam_handle_t *pamh,
+ char **_target,
+ char **_upn)
+ {
+- size_t reply_len;
+- uint8_t *reply;
++ size_t reply_len = 0;
++ uint8_t *reply = NULL;
+ errno_t ret;
+
+ ret = sssd_gssapi_init_send(pamh, pam_service, pam_user, &reply,
+@@ -549,6 +562,7 @@ int pam_sm_authenticate(pam_handle_t *pamh,
+
+ done:
+ sss_pam_close_fd();
++ free(username);
+ free(domain);
+ free(target);
+ free(upn);
+--
+2.21.3
+
diff --git a/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch b/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch
deleted file mode 100644
index 527067e..0000000
--- a/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch
+++ /dev/null
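Review bot: In sssd_gssapi_init_send the new local is declared as `size_t reply_len;` with no initialiser, although the same patch initialises both variables in sssd_gssapi_init to silence -Wmaybe-uninitialized; the value is copied to `*_reply_len` on the EOK path and then appears to size the `malloc(reply_len * sizeof(char))` calls in sssd_gssapi_init_recv. Declaring it as `size_t reply_len = 0;` keeps the two functions consistent and gives a defined value should sss_pam_make_request() report success without writing the length (whether it can is not visible here). Relatedly, sssd_gssapi_init_recv could reject `reply == NULL || reply_len == 0` before allocating, since malloc(0) may return NULL and would then be reported as ENOMEM. All three function bodies continue outside the inner hunks.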
@@ -1,42 +0,0 @@
-From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?=
-Date: Thu, 28 May 2020 12:12:58 +0200
-Subject: [PATCH] AD: Enforcing GPO rule restriction on user
-
-This fixes bug related to ad_gpo_implicit_deny option set to True.
-gpo_implict_denay was checked only for dacl_filtered_gpos,
-but not for cse_filtered_gpos.
-
-Resolves:
-https://github.com/SSSD/sssd/issues/5181
-
-Reviewed-by: Sumit Bose
----
- src/providers/ad/ad_gpo.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index 53560a754..2c6aa7fa6 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
- /* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
- DEBUG(SSSDBG_TRACE_FUNC,
- "no applicable gpos found after cse_guid filtering\n");
-- ret = EOK;
-+
-+ if (state->gpo_implicit_deny == true) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
-+ " is set to 'true'. The user will be denied access.\n");
-+ ret = ERR_ACCESS_DENIED;
-+ } else {
-+ ret = EOK;
-+ }
-+
- goto done;
- }
-
---
-2.21.3
-
diff --git a/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch b/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
new file mode 100644
index 0000000..ca3d905
--- /dev/null
+++ b/SOURCES/0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch
@@ -0,0 +1,40 @@
+From cd48ef5071741443e3b84e100a4d4d28e3578e4f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 25 Jan 2021 15:14:05 +0200
+Subject: [PATCH] sudo runas: do not add '%' to external groups in IPA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When IPA allows to add AD users and groups directly to sudo rules
+(FreeIPA 4.9.1 or later), external groups will already have '%' prefix.
+Thus, we don't need to add additional '%'.
+
+Resolves: https://github.com/SSSD/sssd/issues/5475
+Signed-off-by: Alexander Bokovoy
+
+Reviewed-by: Pavel Březina
+---
+ src/providers/ipa/ipa_sudo_conversion.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
+index cfb41d8b0..1bfee096d 100644
+--- a/src/providers/ipa/ipa_sudo_conversion.c
++++ b/src/providers/ipa/ipa_sudo_conversion.c
+@@ -939,6 +939,12 @@ convert_runasextusergroup(TALLOC_CTX *mem_ctx,
+ const char *value,
+ bool *skip_entry)
+ {
++ if (value == NULL)
++ return NULL;
++
++ if (value[0] == '%')
++ return talloc_strdup(mem_ctx, value);
++
+ return talloc_asprintf(mem_ctx, "%%%s", value);
+ }
+
+--
+2.21.3
+
diff --git a/SOURCES/0041-man-clarify-AD-certificate-rule.patch b/SOURCES/0041-man-clarify-AD-certificate-rule.patch
deleted file mode 100644
index a54281a..0000000
--- a/SOURCES/0041-man-clarify-AD-certificate-rule.patch
+++ /dev/null
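Review bot: The new `if (value == NULL) return NULL;` guard in convert_runasextusergroup makes a missing attribute value indistinguishable from a talloc allocation failure, and it leaves `*skip_entry` untouched on that path. If the caller treats a NULL return as ENOMEM (the call site is outside the hunk), a malformed directory entry would be reported as out-of-memory; consider either setting `*skip_entry = true;` before returning or adding a comment that states which outcome is intended. The two new `if` statements are also unbraced; bracing them, e.g. `if (value[0] == '%') { return talloc_strdup(mem_ctx, value); }`, makes later edits to this sudo-rule conversion less error-prone.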
@@ -1,33 +0,0 @@ -From 3bb910503bb7cbc20105f0a302db400f04436d2a Mon Sep 17 00:00:00 2001 -From: ikerexxe -Date: Tue, 18 Aug 2020 11:45:18 +0200 -Subject: [PATCH] man: clarify AD certificate rule - -Clarify AD specific certificate rule example by changing userPrincipal to -userPrincipalName. Moreover, match the subject principal name in the -example with the rule name. - -Resolves: -https://github.com/SSSD/sssd/issues/5278 - -Reviewed-by: Sumit Bose ---- - src/man/sss-certmap.5.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml -index 10343625e..09aec997c 100644 ---- a/src/man/sss-certmap.5.xml -+++ b/src/man/sss-certmap.5.xml -@@ -487,7 +487,7 @@ - sign. - - -- Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) -+ Example: (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name})) - - - --- -2.21.3 - diff --git a/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch b/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch new file mode 100644 index 0000000..e61ec25 --- /dev/null +++ b/SOURCES/0041-responders-add-callback-to-schedule_get_domains_task.patch 
@@ -0,0 +1,199 @@ +From e07eeea7df55ede36ac0978ac904c1bb11188265 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 20 Jan 2021 17:48:44 +0100 +Subject: [PATCH 41/42] responders: add callback to schedule_get_domains_task() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To allow responders to run dedicated code at the end of the initial +getDomains request a callback is added. + +Resolves: https://github.com/SSSD/sssd/issues/5469 + +Reviewed-by: Tomáš Halman +--- + src/responder/autofs/autofssrv.c | 2 +- + src/responder/common/responder.h | 5 ++++- + src/responder/common/responder_get_domains.c | 12 +++++++++++- + src/responder/ifp/ifpsrv.c | 2 +- + src/responder/nss/nsssrv.c | 3 ++- + src/responder/pac/pacsrv.c | 2 +- + src/responder/pam/pamsrv.c | 3 ++- + src/responder/ssh/sshsrv.c | 2 +- + src/responder/sudo/sudosrv.c | 2 +- + src/tests/cmocka/test_responder_common.c | 2 +- + 10 files changed, 25 insertions(+), 10 deletions(-) + +diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c +index 27de1b44a..130eaf775 100644 +--- a/src/responder/autofs/autofssrv.c ++++ b/src/responder/autofs/autofssrv.c +@@ -142,7 +142,7 @@ autofs_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h +index f83ba1bc0..ff0559c08 100644 +--- a/src/responder/common/responder.h ++++ b/src/responder/common/responder.h +@@ -366,10 +366,13 @@ errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_domain); + ++typedef void (get_domains_callback_fn_t)(void *); + errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct 
resp_ctx *rctx, +- struct sss_nc_ctx *optional_ncache); ++ struct sss_nc_ctx *optional_ncache, ++ get_domains_callback_fn_t *callback, ++ void *callback_pvt); + + errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string, + bool allow_sss_loop, +diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c +index e551b0fff..12b6e9028 100644 +--- a/src/responder/common/responder_get_domains.c ++++ b/src/responder/common/responder_get_domains.c +@@ -430,6 +430,8 @@ static errno_t check_last_request(struct resp_ctx *rctx, const char *hint) + struct get_domains_state { + struct resp_ctx *rctx; + struct sss_nc_ctx *optional_ncache; ++ get_domains_callback_fn_t *callback; ++ void *callback_pvt; + }; + + static void get_domains_at_startup_done(struct tevent_req *req) +@@ -462,6 +464,10 @@ static void get_domains_at_startup_done(struct tevent_req *req) + } + } + ++ if (state->callback != NULL) { ++ state->callback(state->callback_pvt); ++ } ++ + talloc_free(state); + return; + } +@@ -489,7 +495,9 @@ static void get_domains_at_startup(struct tevent_context *ev, + errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, +- struct sss_nc_ctx *optional_ncache) ++ struct sss_nc_ctx *optional_ncache, ++ get_domains_callback_fn_t *callback, ++ void *callback_pvt) + { + struct tevent_immediate *imm; + struct get_domains_state *state; +@@ -500,6 +508,8 @@ errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx, + } + state->rctx = rctx; + state->optional_ncache = optional_ncache; ++ state->callback = callback; ++ state->callback_pvt = callback_pvt; + + imm = tevent_create_immediate(mem_ctx); + if (imm == NULL) { +diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c +index 7407ee07b..ee1452728 100644 +--- a/src/responder/ifp/ifpsrv.c ++++ b/src/responder/ifp/ifpsrv.c +@@ -266,7 +266,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx, + return EIO; + } + +- ret = 
schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "schedule_get_domains_tasks failed.\n"); +diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c +index e80104e3d..2b7958e80 100644 +--- a/src/responder/nss/nsssrv.c ++++ b/src/responder/nss/nsssrv.c +@@ -557,7 +557,8 @@ int nss_process_init(TALLOC_CTX *mem_ctx, + } + responder_set_fd_limit(fd_limit); + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache, ++ NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c +index 217f83c26..96935150b 100644 +--- a/src/responder/pac/pacsrv.c ++++ b/src/responder/pac/pacsrv.c +@@ -129,7 +129,7 @@ int pac_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index de1620e82..8b1ce2e92 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -246,7 +246,8 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, + } + responder_set_fd_limit(fd_limit); + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache, ++ NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto done; +diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c +index 6072a702c..e79a0438c 100644 +--- a/src/responder/ssh/sshsrv.c ++++ 
b/src/responder/ssh/sshsrv.c +@@ -126,7 +126,7 @@ int ssh_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c +index 5951b17b1..dc4a44b2f 100644 +--- a/src/responder/sudo/sudosrv.c ++++ b/src/responder/sudo/sudosrv.c +@@ -102,7 +102,7 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, + goto fail; + } + +- ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); ++ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; +diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c +index 5fc0d712d..29356253b 100644 +--- a/src/tests/cmocka/test_responder_common.c ++++ b/src/tests/cmocka/test_responder_common.c +@@ -265,7 +265,7 @@ void test_schedule_get_domains_task(void **state) + ret = schedule_get_domains_task(dummy_ncache_ptr, + parse_inp_ctx->rctx->ev, + parse_inp_ctx->rctx, +- dummy_ncache_ptr); ++ dummy_ncache_ptr, NULL, NULL); + assert_int_equal(ret, EOK); + + ret = test_ev_loop(parse_inp_ctx->tctx); +-- +2.21.3 + diff --git a/SOURCES/0042-config-allow-prompting-options-in-configuration.patch b/SOURCES/0042-config-allow-prompting-options-in-configuration.patch deleted file mode 100644 index 20e4c7e..0000000 --- a/SOURCES/0042-config-allow-prompting-options-in-configuration.patch +++ /dev/null 
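Review bot: The `get_domains_callback_fn_t` typedef in responder.h is added without any statement of when the callback runs or who owns `callback_pvt`, and the callback receives no status from the getDomains request. In get_domains_at_startup_done() the call sits just before `talloc_free(state)`, so from the visible lines it appears to run whether or not the refresh succeeded; that function's body starts outside the inner hunk, so this is an inference. `callback_pvt` is stored as a raw pointer in `struct get_domains_state`, so it has to stay valid until the scheduled task has run. I would add above the typedef: `/* Called once when the initial getDomains request has finished; callback_pvt is borrowed and must stay valid until then. */`.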
@@ -1,72 +0,0 @@ -From 4526858adb58736066a0b2cf2dc793ddfe671b2b Mon Sep 17 00:00:00 2001 -From: ikerexxe -Date: Tue, 4 Aug 2020 15:39:51 +0200 -Subject: [PATCH] config: allow prompting options in configuration - -False warnings were logged after enabling prompting options in -configuration file. This change modifies the configuration rules to -allow prompting options. - -Resolves: -https://github.com/SSSD/sssd/issues/5259 - -Reviewed-by: Sumit Bose ---- - src/config/cfg_rules.ini | 34 ++++++++++++++++++++++++++++++++++ - 1 file changed, 34 insertions(+) - -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index 2874ea048..2d4e7b51d 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -14,6 +14,10 @@ section = session_recording - section_re = ^secrets/users/[0-9]\+$ - section_re = ^secrets/secrets$ - section_re = ^secrets/kcm$ -+section_re = ^prompting/password$ -+section_re = ^prompting/password/[^/\@]\+$ -+section_re = ^prompting/2fa$ -+section_re = ^prompting/2fa/[^/\@]\+$ - section_re = ^domain/[^/\@]\+$ - section_re = ^domain/[^/\@]\+/[^/\@]\+$ - section_re = ^application/[^/\@]\+$ -@@ -332,6 +336,36 @@ option = scope - option = users - option = groups - -+# Prompting during authentication -+[rule/allowed_prompting_password_options] -+validator = ini_allowed_options -+section_re = ^prompting/password$ -+ -+option = password_prompt -+ -+[rule/allowed_prompting_2fa_options] -+validator = ini_allowed_options -+section_re = ^prompting/2fa$ -+ -+option = single_prompt -+option = first_prompt -+option = second_prompt -+ -+[rule/allowed_prompting_password_subsec_options] -+validator = ini_allowed_options -+section_re = ^prompting/password/[^/\@]\+$ -+ -+option = password_prompt -+ -+[rule/allowed_prompting_2fa_subsec_options] -+validator = ini_allowed_options -+section_re = ^prompting/2fa/[^/\@]\+$ -+ -+option = single_prompt -+option = first_prompt -+option = second_prompt -+ -+ - [rule/allowed_domain_options] - validator = 
ini_allowed_options - section_re = ^\(domain\|application\)/[^/]\+$ --- -2.21.3 - diff --git a/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch b/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch new file mode 100644 index 0000000..882f567 --- /dev/null +++ b/SOURCES/0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch 
@@ -0,0 +1,64 @@ +From cb936e92041d63f79a74c30bae8140c74a18dbc0 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 20 Jan 2021 18:25:04 +0100 +Subject: [PATCH 42/42] pam: refresh certificate maps at the end of initial + domains lookup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During startup SSSD's responders send a getDomains request to all +backends to refresh some domain related needed by the responders. + +The PAM responder specifically needs the certificate mapping and +matching rules when Smartcard authentication is enable. Currently the +rules are not refreshed at the end of the initial request but the code +assumed that the related structures are initialized after the request +finished. + +To avoid a race condition this patch adds a callback to the end of the +request to make sure the rules are properly refreshed even if they are +already initialized before. + +Resolves: https://github.com/SSSD/sssd/issues/5469 + +Reviewed-by: Tomáš Halman +--- + src/responder/pam/pamsrv.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index 8b1ce2e92..65370662d 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -154,6 +154,18 @@ static errno_t get_app_services(struct pam_ctx *pctx) + return EOK; + } + ++static void pam_get_domains_callback(void *pvt) ++{ ++ struct pam_ctx *pctx; ++ int ret; ++ ++ pctx = talloc_get_type(pvt, struct pam_ctx); ++ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n"); ++ } ++} ++ + static int pam_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb, +@@ -247,7 +259,7 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, + responder_set_fd_limit(fd_limit); + + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache, +- NULL, 
NULL); ++ pam_get_domains_callback, pctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto done; +-- +2.21.3 + diff --git a/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch b/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch new file mode 100644 index 0000000..eb99c88 --- /dev/null +++ b/SOURCES/0043-SBUS-set-sbus_name-before-dp_init_send.patch 
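Review bot: pam_get_domains_callback() dereferences `pctx` directly after `talloc_get_type(pvt, struct pam_ctx)`, which returns NULL when the pointer does not carry that talloc type, so `pctx->rctx->domains` would fault inside the PAM responder. Using `pctx = talloc_get_type_abort(pvt, struct pam_ctx);`, or an explicit NULL check with a log line and early return, makes that failure explicit. A failed p11_refresh_certmap_ctx() is only logged at SSSDBG_OP_FAILURE, so the certificate mapping and matching rules used for Smartcard authentication presumably stay in whatever state they had before the refresh; a comment saying that this is the intended fallback would help the next reader.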
@@ -0,0 +1,134 @@ +From 0c6924b8d474daf35ee30d74e5496957e503b206 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 20 Jan 2021 15:40:34 +0100 +Subject: [PATCH] SBUS: set sbus_name before dp_init_send() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some async task might access sbus_name before dp_initialized() was executed + +Resolves: https://github.com/SSSD/sssd/issues/5466 + +Reviewed-by: Pavel Březina +--- + src/providers/data_provider/dp.c | 21 ++++----------------- + src/providers/data_provider/dp.h | 6 +++--- + src/providers/data_provider_be.c | 12 ++++++++++-- + 3 files changed, 17 insertions(+), 22 deletions(-) + +diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c +index 90324d74d..64fe847b2 100644 +--- a/src/providers/data_provider/dp.c ++++ b/src/providers/data_provider/dp.c +@@ -134,7 +134,6 @@ static int dp_destructor(struct data_provider *provider) + struct dp_init_state { + struct be_ctx *be_ctx; + struct data_provider *provider; +- char *sbus_name; + }; + + static void dp_init_done(struct tevent_req *subreq); +@@ -144,7 +143,8 @@ dp_init_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + uid_t uid, +- gid_t gid) ++ gid_t gid, ++ const char *sbus_name) + { + struct dp_init_state *state; + struct tevent_req *subreq; +@@ -177,13 +177,6 @@ dp_init_send(TALLOC_CTX *mem_ctx, + state->provider->gid = gid; + state->provider->be_ctx = be_ctx; + +- state->sbus_name = sss_iface_domain_bus(state, be_ctx->domain); +- if (state->sbus_name == NULL) { +- DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend name.\n"); +- ret = ENOMEM; +- goto done; +- } +- + /* Initialize data provider bus. Data provider can receive client + * registration and other D-Bus methods. 
However no data provider + * request will be executed as long as the modules and targets +@@ -192,7 +185,7 @@ dp_init_send(TALLOC_CTX *mem_ctx, + talloc_set_destructor(state->provider, dp_destructor); + + subreq = sbus_server_create_and_connect_send(state->provider, ev, +- state->sbus_name, NULL, sbus_address, true, 1000, uid, gid, ++ sbus_name, NULL, sbus_address, true, 1000, uid, gid, + (sbus_server_on_connection_cb)dp_client_init, + (sbus_server_on_connection_data)state->provider); + if (subreq == NULL) { +@@ -270,16 +263,10 @@ done: + } + + errno_t dp_init_recv(TALLOC_CTX *mem_ctx, +- struct tevent_req *req, +- const char **_sbus_name) ++ struct tevent_req *req) + { +- struct dp_init_state *state; +- state = tevent_req_data(req, struct dp_init_state); +- + TEVENT_REQ_RETURN_ON_ERROR(req); + +- *_sbus_name = talloc_steal(mem_ctx, state->sbus_name); +- + return EOK; + } + +diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h +index a8b6e9f3a..95c6588ad 100644 +--- a/src/providers/data_provider/dp.h ++++ b/src/providers/data_provider/dp.h +@@ -122,11 +122,11 @@ dp_init_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + uid_t uid, +- gid_t gid); ++ gid_t gid, ++ const char *sbus_name); + + errno_t dp_init_recv(TALLOC_CTX *mem_ctx, +- struct tevent_req *req, +- const char **_sbus_name); ++ struct tevent_req *req); + + bool _dp_target_enabled(struct data_provider *provider, + const char *module_name, +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index f059a3f96..8458146ea 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -565,7 +565,15 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx, + goto done; + } + +- req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid); ++ be_ctx->sbus_name = sss_iface_domain_bus(be_ctx, be_ctx->domain); ++ if (be_ctx->sbus_name == NULL) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus 
backend name.\n"); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ req = dp_init_send(be_ctx, be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid, ++ be_ctx->sbus_name); + if (req == NULL) { + ret = ENOMEM; + goto done; +@@ -612,7 +620,7 @@ static void dp_initialized(struct tevent_req *req) + + be_ctx = tevent_req_callback_data(req, struct be_ctx); + +- ret = dp_init_recv(be_ctx, req, &be_ctx->sbus_name); ++ ret = dp_init_recv(be_ctx, req); + talloc_zfree(req); + if (ret != EOK) { + goto done; +-- +2.21.3 + diff --git a/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch b/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch deleted file mode 100644 index 95cac65..0000000 --- a/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch +++ /dev/null 
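Review bot: dp_init_recv() keeps its `mem_ctx` parameter although, with the `talloc_steal()` removed, the body shown only runs `TEVENT_REQ_RETURN_ON_ERROR(req)` and returns EOK, so the argument is now unused. dp_init_send() forwards the caller's `sbus_name` to sbus_server_create_and_connect_send() without checking it; be_process_init() does test for NULL before the call, but that contract is not written down anywhere in the hunk. I would document it at the prototype in dp.h: `/* sbus_name must not be NULL; it stays owned by the caller and is expected to remain valid while the request runs. */`. dp_init_send()'s body is only partly visible here.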
@@ -1,77 +0,0 @@ -From 10366b4ee8c01ea20d908102e92d52fdeda168c3 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Tue, 18 Aug 2020 14:37:04 +0200 -Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1 - -For details please see discussion at -https://github.com/SSSD/sssd/pull/837#issuecomment-672831519 - -:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1 - -Resolves: -https://github.com/SSSD/sssd/issues/5002 - -Reviewed-by: Iker Pedrosa -Reviewed-by: Sumit Bose ---- - src/man/sssd.conf.5.xml | 3 ++- - src/p11_child/p11_child_common_utils.c | 6 +++--- - src/p11_child/p11_child_openssl.c | 4 ++-- - 3 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index 874a09c49..50692dfdd 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -507,7 +507,8 @@ - sha512 - - -- Default: sha256 -+ Default: sha1 (to allow compatibility with -+ RFC5019-compliant responder) - - (NSS Version) This option is - ignored, because NSS uses sha1 -diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c -index 6798752c7..95791b1f0 100644 ---- a/src/p11_child/p11_child_common_utils.c -+++ b/src/p11_child/p11_child_common_utils.c -@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx) - cert_verify_opts->ocsp_default_responder = NULL; - cert_verify_opts->ocsp_default_responder_signing_cert = NULL; - cert_verify_opts->crl_file = NULL; -- cert_verify_opts->ocsp_dgst = CKM_SHA256; -+ cert_verify_opts->ocsp_dgst = CKM_SHA_1; - cert_verify_opts->soft_ocsp = false; - cert_verify_opts->soft_crl = false; - -@@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, - } else { - DEBUG(SSSDBG_CRIT_FAILURE, - "Unsupported digest for OCSP [%s], " -- "using default sha256.\n", &opts[c][OCSP_DGST_LEN]); -- cert_verify_opts->ocsp_dgst = CKM_SHA256; -+ "using default sha1.\n", 
&opts[c][OCSP_DGST_LEN]); -+ cert_verify_opts->ocsp_dgst = CKM_SHA_1; - } - #endif - } else if (strcasecmp(opts[c], "soft_ocsp") == 0) { -diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c -index 321cf162e..04b3e1467 100644 ---- a/src/p11_child/p11_child_openssl.c -+++ b/src/p11_child/p11_child_openssl.c -@@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert) - ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst); - if (ocsp_dgst == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function " -- "for OCSP, using default sha256.\n"); -- ocsp_dgst = EVP_sha256(); -+ "for OCSP, using default sha1.\n"); -+ ocsp_dgst = EVP_sha1(); - } - cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer); - if (cid == NULL) { --- -2.21.3 - diff --git a/SOURCES/0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch b/SOURCES/0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch deleted file mode 100644 index d00fb18..0000000 --- a/SOURCES/0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch +++ /dev/null 
@@ -1,181 +0,0 @@ -From 69e1f5fe79806a530e90c8af09bedd3b9e6b4dac Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 10 Jul 2020 15:30:29 +0200 -Subject: [PATCH] GPO: respect ad_gpo_implicit_deny when evaluation rules -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently if setting ad_gpo_implicit_deny to 'True' is rejected access -if no GPOs applied to the host since in this case there are obvious not -allow rules available. - -But according to the man page we have to be more strict "When this -option is set to True users will be allowed access only when explicitly -allowed by a GPO rule". So if GPOs apply and no allow rules are present -we have to reject access as well. - -Resolves: https://github.com/SSSD/sssd/issues/5061 - -Reviewed-by: Pavel Březina ---- - src/man/sssd-ad.5.xml | 59 +++++++++++++++++++++++++++++++++++++++ - src/providers/ad/ad_gpo.c | 13 +++++++-- - 2 files changed, 69 insertions(+), 3 deletions(-) - -diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml -index 5c2f46546..fbd4985d7 100644 ---- a/src/man/sssd-ad.5.xml -+++ b/src/man/sssd-ad.5.xml -@@ -477,9 +477,68 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example, - built-in Administrators group if no GPO rules - apply to them. - -+ - - Default: False - -+ -+ -+ The following 2 tables should illustrate when a user -+ is allowed or rejected based on the allow and deny -+ login rights defined on the server-side and the -+ setting of ad_gpo_implicit_deny. 
-+ -+ -+ -+ -+ -+ -+ -+ -+ ad_gpo_implicit_deny = False (default) -+ allow-rulesdeny-rules -+ results -+ -+ -+ missingmissing -+ all users are allowed -+ -+ missingpresent -+ only users not in deny-rules are -+ allowed -+ presentmissing -+ only users in allow-rules are -+ allowed -+ presentpresent -+ only users in allow-rules and not in -+ deny-rules are allowed -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ad_gpo_implicit_deny = True -+ allow-rulesdeny-rules -+ results -+ -+ -+ missingmissing -+ no users are allowed -+ -+ missingpresent -+ no users are allowed -+ -+ presentmissing -+ only users in allow-rules are -+ allowed -+ presentpresent -+ only users in allow-rules and not in -+ deny-rules are allowed -+ - - - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 2c6aa7fa6..0cf5da2a1 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -1531,6 +1531,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, - enum gpo_access_control_mode gpo_mode, - enum gpo_map_type gpo_map_type, - const char *user, -+ bool gpo_implicit_deny, - struct sss_domain_info *domain, - char **allowed_sids, - int allowed_size, -@@ -1575,7 +1576,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx, - group_sids[j]); - } - -- if (allowed_size == 0) { -+ if (allowed_size == 0 && !gpo_implicit_deny) { - access_granted = true; - } else { - access_granted = check_rights(allowed_sids, allowed_size, user_sid, -@@ -1694,6 +1695,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, - enum gpo_access_control_mode gpo_mode, - enum gpo_map_type gpo_map_type, - const char *user, -+ bool gpo_implicit_deny, - struct sss_domain_info *user_domain, - struct sss_domain_info *host_domain) - { -@@ -1732,8 +1734,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, - - /* perform access check with the final resultant allow_sids and deny_sids */ - ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user, -- user_domain, allow_sids, allow_size, deny_sids, -- deny_size); -+ 
gpo_implicit_deny, user_domain, -+ allow_sids, allow_size, deny_sids, deny_size); - - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -1918,6 +1920,7 @@ immediately: - static errno_t - process_offline_gpos(TALLOC_CTX *mem_ctx, - const char *user, -+ bool gpo_implicit_deny, - enum gpo_access_control_mode gpo_mode, - struct sss_domain_info *user_domain, - struct sss_domain_info *host_domain, -@@ -1930,6 +1933,7 @@ process_offline_gpos(TALLOC_CTX *mem_ctx, - gpo_mode, - gpo_map_type, - user, -+ gpo_implicit_deny, - user_domain, - host_domain); - if (ret != EOK) { -@@ -1976,6 +1980,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) - DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n"); - ret = process_offline_gpos(state, - state->user, -+ state->gpo_implicit_deny, - state->gpo_mode, - state->user_domain, - state->host_domain, -@@ -2102,6 +2107,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) - DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n"); - ret = process_offline_gpos(state, - state->user, -+ state->gpo_implicit_deny, - state->gpo_mode, - state->user_domain, - state->host_domain, -@@ -2766,6 +2772,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) - state->gpo_mode, - state->gpo_map_type, - state->user, -+ state->gpo_implicit_deny, - state->user_domain, - state->host_domain); - if (ret != EOK) { --- -2.21.3 - diff --git a/SOURCES/0044-pam_sss_gss-support-authentication-indicators.patch b/SOURCES/0044-pam_sss_gss-support-authentication-indicators.patch new file mode 100644 index 0000000..91d15c4 --- /dev/null +++ b/SOURCES/0044-pam_sss_gss-support-authentication-indicators.patch 
@@ -0,0 +1,655 @@ +From c2e8879189ecbbdfdd4b42395319a4cd91cb569f Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 12 Feb 2021 20:02:52 +0100 +Subject: [PATCH] pam_sss_gss: support authentication indicators (upstream +patch 5ce7ced269c7b3dd8f75122a50f539083b5697ae by Alexander Bokovoy) + +MIT Kerberos allows to associate authentication indicators with the +issued ticket based on the way how the TGT was obtained. The indicators +present in the TGT then copied to service tickets. There are two ways to +check the authentication indicators: + + - when KDC issues a service ticket, a policy at KDC side can reject the + ticket issuance based on a lack of certain indicator + + - when a server application presented with a service ticket from a + client, it can verify that this ticket contains intended + authentication indicators before authorizing access from the client. + +Add support to validate presence of a specific (set of) authentication +indicator(s) in pam_sss_gss when validating a user's TGT. + +This concept can be used to only allow access to a PAM service when user +is in possession of a ticket obtained using some of pre-authentication +mechanisms that require multiple factors: smart-cards (PKINIT), 2FA +tokens (otp/radius), etc. 
+ +Patch by: Alexander Bokovoy + +Reviewed by: Sumit Bose + +Adapted to 8.4 branch by: Alexey Tikhonov +--- + src/confdb/confdb.c | 13 ++ + src/confdb/confdb.h | 3 + + src/config/SSSDConfig/sssdoptions.py | 2 + + src/config/SSSDConfigTest.py | 6 +- + src/config/cfg_rules.ini | 3 + + src/config/etc/sssd.api.conf | 2 + + src/db/sysdb_subdomains.c | 12 ++ + src/man/pam_sss_gss.8.xml | 13 ++ + src/man/sssd.conf.5.xml | 64 +++++++ + src/responder/pam/pamsrv.c | 21 +++ + src/responder/pam/pamsrv.h | 2 + + src/responder/pam/pamsrv_gssapi.c | 250 +++++++++++++++++++++++++++ + 12 files changed, 389 insertions(+), 2 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index befcfff..cca7615 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1603,6 +1603,19 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + } + } + ++ tmp = ldb_msg_find_attr_as_string(res->msgs[0], ++ CONFDB_PAM_GSSAPI_INDICATORS_MAP, ++ NULL); ++ if (tmp != NULL && tmp[0] != '\0') { ++ ret = split_on_separator(domain, tmp, ',', true, true, ++ &domain->gssapi_indicators_map, NULL); ++ if (ret != 0) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Cannot parse %s\n", CONFDB_PAM_GSSAPI_INDICATORS_MAP); ++ goto done; ++ } ++ } ++ + domain->has_views = false; + domain->view_name = NULL; + +diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h +index 036f9ec..a2be227 100644 +--- a/src/confdb/confdb.h ++++ b/src/confdb/confdb.h +@@ -146,6 +146,7 @@ + #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" + #define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" + #define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn" ++#define CONFDB_PAM_GSSAPI_INDICATORS_MAP "pam_gssapi_indicators_map" + + /* SUDO */ + #define CONFDB_SUDO_CONF_ENTRY "config/sudo" +@@ -437,6 +438,8 @@ struct sss_domain_info { + /* List of PAM services that are allowed to authenticate with GSSAPI. 
*/ + char **gssapi_services; + char *gssapi_check_upn; /* true | false | NULL */ ++ /* List of indicators associated with the specific PAM service */ ++ char **gssapi_indicators_map; + }; + + /** +diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py +index 5da52a9..0d849bc 100644 +--- a/src/config/SSSDConfig/sssdoptions.py ++++ b/src/config/SSSDConfig/sssdoptions.py +@@ -106,6 +106,8 @@ class SSSDOptions(object): + 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), + 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), + 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'), ++ 'pam_gssapi_indicators_map' : _('List of pairs : that ' ++ 'must be enforced for PAM access with GSSAPI authentication'), + + # [sudo] + 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), +diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py +index ea4e4f6..d0422df 100755 +--- a/src/config/SSSDConfigTest.py ++++ b/src/config/SSSDConfigTest.py +@@ -655,7 +655,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'cached_auth_timeout', + 'auto_private_groups', + 'pam_gssapi_services', +- 'pam_gssapi_check_upn'] ++ 'pam_gssapi_check_upn', ++ 'pam_gssapi_indicators_map'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +@@ -1034,7 +1035,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): + 'cached_auth_timeout', + 'auto_private_groups', + 'pam_gssapi_services', +- 'pam_gssapi_check_upn'] ++ 'pam_gssapi_check_upn', ++ 'pam_gssapi_indicators_map'] + + self.assertTrue(type(options) == dict, + "Options should be a dictionary") +diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini +index 6642c63..872ceba 100644 +--- a/src/config/cfg_rules.ini ++++ b/src/config/cfg_rules.ini +@@ -141,6 +141,7 @@ option = p11_uri + option = pam_initgroups_scheme + option = 
pam_gssapi_services + option = pam_gssapi_check_upn ++option = pam_gssapi_indicators_map + + [rule/allowed_sudo_options] + validator = ini_allowed_options +@@ -441,6 +442,7 @@ option = re_expression + option = auto_private_groups + option = pam_gssapi_services + option = pam_gssapi_check_upn ++option = pam_gssapi_indicators_map + + #Entry cache timeouts + option = entry_cache_user_timeout +@@ -837,6 +839,7 @@ option = use_fully_qualified_names + option = auto_private_groups + option = pam_gssapi_services + option = pam_gssapi_check_upn ++option = pam_gssapi_indicators_map + + [rule/sssd_checks] + validator = sssd_checks +diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf +index d3cad73..49ced63 100644 +--- a/src/config/etc/sssd.api.conf ++++ b/src/config/etc/sssd.api.conf +@@ -82,6 +82,7 @@ p11_uri = str, None, false + pam_initgroups_scheme = str, None, false + pam_gssapi_services = str, None, false + pam_gssapi_check_upn = bool, None, false ++pam_gssapi_indicators_map = str, None, false + + [sudo] + # sudo service +@@ -203,6 +204,7 @@ re_expression = str, None, false + auto_private_groups = str, None, false + pam_gssapi_services = str, None, false + pam_gssapi_check_upn = bool, None, false ++pam_gssapi_indicators_map = str, None, false + + #Entry cache timeouts + entry_cache_user_timeout = int, None, false +diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c +index 03ba121..2243872 100644 +--- a/src/db/sysdb_subdomains.c ++++ b/src/db/sysdb_subdomains.c +@@ -185,6 +185,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, + dom->override_gid = parent->override_gid; + + dom->gssapi_services = parent->gssapi_services; ++ dom->gssapi_indicators_map = parent->gssapi_indicators_map; + + if (parent->sysdb == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n"); +@@ -266,6 +267,17 @@ check_subdom_config_file(struct confdb_ctx *confdb, + goto done; + } + ++ /* allow to set pam_gssapi_indicators_map 
*/ ++ ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path, ++ CONFDB_PAM_GSSAPI_INDICATORS_MAP, ++ &subdomain->gssapi_indicators_map); ++ if (ret != EOK && ret != ENOENT) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Failed to get %s option for the subdomain: %s\n", ++ CONFDB_PAM_GSSAPI_INDICATORS_MAP, subdomain->name); ++ goto done; ++ } ++ + ret = EOK; + done: + talloc_free(tmp_ctx); +diff --git a/src/man/pam_sss_gss.8.xml b/src/man/pam_sss_gss.8.xml +index ce5b11b..a83369d 100644 +--- a/src/man/pam_sss_gss.8.xml ++++ b/src/man/pam_sss_gss.8.xml +@@ -70,6 +70,19 @@ + 5 + for more details on these options. + ++ ++ Some Kerberos deployments allow to assocate authentication ++ indicators with a particular pre-authentication method used to ++ obtain the ticket granting ticket by the user. ++ pam_sss_gss.so allows to enforce presence of ++ authentication indicators in the service tickets before a particular ++ PAM service can be accessed. ++ ++ ++ If is set in the [pam] or ++ domain section of sssd.conf, then SSSD will perform a check of the ++ presence of any configured indicators in the service ticket. ++ + + + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index 8b330de..3a9955b 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -1770,6 +1770,70 @@ pam_gssapi_services = sudo, sudo-i + + + ++ ++ pam_gssapi_indicators_map ++ ++ ++ Comma separated list of authentication indicators required ++ to be present in a Kerberos ticket to access a PAM service ++ that is allowed to try GSSAPI authentication using ++ pam_sss_gss.so module. ++ ++ ++ Each element of the list can be either an authentication indicator ++ name or a pair service:indicator. Indicators not ++ prefixed with the PAM service name will be required to access any ++ PAM service configured to be used with ++ . A resulting list of indicators ++ per PAM service is then checked against indicators in the Kerberos ++ ticket during authentication by pam_sss_gss.so. 
Any indicator from the ++ ticket that matches the resulting list of indicators for the PAM service ++ would grant access. If none of the indicators in the list match, access ++ will be denied. If the resulting list of indicators for the PAM service ++ is empty, the check will not prevent the access. ++ ++ ++ To disable GSSAPI authentication indicator check, set this option ++ to - (dash). To disable the check for a specific PAM ++ service, add service:-. ++ ++ ++ Note: This option can also be set per-domain which ++ overwrites the value in [pam] section. It can also ++ be set for trusted domain which overwrites the value ++ in the domain section. ++ ++ ++ Following authentication indicators are supported by IPA Kerberos deployments: ++ ++ ++ pkinit -- pre-authentication using X.509 certificates -- whether stored in files or on smart cards. ++ ++ ++ hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a FAST channel. ++ ++ ++ radius -- pre-authentication with the help of a RADIUS server. ++ ++ ++ otp -- pre-authentication using integrated two-factor authentication (2FA or one-time password, OTP) in IPA. 
++ ++ ++ ++ ++ Example: to require access to SUDO services only ++ for users which obtained their Kerberos tickets ++ with a X.509 certificate pre-authentication ++ (PKINIT), set ++ ++pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit ++ ++ ++ ++ Default: not set (use of authentication indicators is not required) ++ ++ ++ + + + +diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c +index 3904c09..9b4d6c1 100644 +--- a/src/responder/pam/pamsrv.c ++++ b/src/responder/pam/pamsrv.c +@@ -370,6 +370,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, + goto done; + } + ++ ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY, ++ CONFDB_PAM_GSSAPI_INDICATORS_MAP, "-", &tmpstr); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Failed to determine gssapi services.\n"); ++ goto done; ++ } ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr, ++ CONFDB_PAM_GSSAPI_INDICATORS_MAP); ++ ++ if (tmpstr != NULL) { ++ ret = split_on_separator(pctx, tmpstr, ',', true, true, ++ &pctx->gssapi_indicators_map, NULL); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "split_on_separator() failed [%d]: [%s].\n", ret, ++ sss_strerror(ret)); ++ goto done; ++ } ++ } ++ + /* The responder is initialized. Now tell it to the monitor. */ + ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM, + SSS_PAM_SBUS_SERVICE_NAME, +diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h +index 3553296..383c7be 100644 +--- a/src/responder/pam/pamsrv.h ++++ b/src/responder/pam/pamsrv.h +@@ -65,6 +65,8 @@ struct pam_ctx { + + /* List of PAM services that are allowed to authenticate with GSSAPI. 
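Review bot: The error branch after the new `confdb_get_string()` call in pam_process_init logs `"Failed to determine gssapi services.\n"`, which names a different option than the one being read, so a failure to load pam_gssapi_indicators_map would be reported misleadingly. The message should name the option, for example `"Failed to determine gssapi indicators map.\n"`. The `split_on_separator()` failure just below aborts responder initialisation through `goto done` but is logged at `SSSDBG_MINOR_FAILURE`, and a level matching the fatal outcome would make it easier to find. The trace line prints `tmpstr` with `%s` before the `if (tmpstr != NULL)` test; with the `"-"` default it is probably never NULL, but the check would read more naturally ahead of the log call. pam_process_init starts and ends outside this hunk.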
*/ + char **gssapi_services; ++ /* List of authentication indicators associated with a PAM service */ ++ char **gssapi_indicators_map; + bool gssapi_check_upn; + }; + +diff --git a/src/responder/pam/pamsrv_gssapi.c b/src/responder/pam/pamsrv_gssapi.c +index 2d05c78..e4da4c4 100644 +--- a/src/responder/pam/pamsrv_gssapi.c ++++ b/src/responder/pam/pamsrv_gssapi.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -83,6 +84,117 @@ static bool pam_gssapi_should_check_upn(struct pam_ctx *pam_ctx, + return pam_ctx->gssapi_check_upn; + } + ++static int pam_gssapi_check_indicators(TALLOC_CTX *mem_ctx, ++ const char *pam_service, ++ char **gssapi_indicators_map, ++ char **indicators) ++{ ++ char *authind = NULL; ++ size_t pam_len = strlen(pam_service); ++ char **map = gssapi_indicators_map; ++ char **result = NULL; ++ int res; ++ ++ authind = talloc_strdup(mem_ctx, ""); ++ if (authind == NULL) { ++ return ENOMEM; ++ } ++ ++ for (int i = 0; map[i]; i++) { ++ if (map[i][0] == '-') { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "Indicators aren't used for [%s]\n", ++ pam_service); ++ talloc_free(authind); ++ return EOK; ++ } ++ if (!strchr(map[i], ':')) { ++ authind = talloc_asprintf_append(authind, "%s ", map[i]); ++ if (authind == NULL) { ++ /* Since we allocate on pam_ctx, caller will free it */ ++ return ENOMEM; ++ } ++ continue; ++ } ++ ++ res = strncmp(map[i], pam_service, pam_len); ++ if (res == 0) { ++ if (strlen(map[i]) > pam_len) { ++ if (map[i][pam_len] != ':') { ++ /* different PAM service, skip it */ ++ continue; ++ } ++ ++ if (map[i][pam_len + 1] == '-') { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "Indicators aren't used for [%s]\n", ++ pam_service); ++ talloc_free(authind); ++ return EOK; ++ } ++ ++ authind = talloc_asprintf_append(authind, "%s ", ++ map[i] + (pam_len + 1)); ++ if (authind == NULL) { ++ /* Since we allocate on pam_ctx, caller will free it */ ++ return ENOMEM; ++ } ++ } else { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid value for %s: 
[%s]\n", ++ CONFDB_PAM_GSSAPI_INDICATORS_MAP, map[i]); ++ talloc_free(authind); ++ return EINVAL; ++ } ++ } ++ } ++ ++ res = ENOENT; ++ map = NULL; ++ ++ if (authind[0] == '\0') { ++ /* empty list of per-service indicators -> skip */ ++ goto done; ++ } ++ ++ /* trim a space after the final indicator ++ * to prevent split_on_separator() to fail */ ++ authind[strlen(authind) - 1] = '\0'; ++ ++ res = split_on_separator(mem_ctx, authind, ' ', true, true, ++ &map, NULL); ++ if (res != 0) { ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Cannot parse list of indicators: [%s]\n", authind); ++ res = EINVAL; ++ goto done; ++ } ++ ++ res = diff_string_lists(mem_ctx, indicators, map, NULL, NULL, &result); ++ if (res != 0) { ++ DEBUG(SSSDBG_FATAL_FAILURE,"Cannot diff lists of indicators\n"); ++ res = EINVAL; ++ goto done; ++ } ++ ++ if (result && result[0] != NULL) { ++ for (int i = 0; result[i]; i++) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "indicator [%s] is allowed for PAM service [%s]\n", ++ result[i], pam_service); ++ } ++ res = EOK; ++ goto done; ++ } ++ ++ res = EPERM; ++ ++done: ++ talloc_free(result); ++ talloc_free(authind); ++ talloc_free(map); ++ return res; ++} ++ + static bool pam_gssapi_allowed(struct pam_ctx *pam_ctx, + struct sss_domain_info *domain, + const char *service) +@@ -385,12 +497,126 @@ static char *gssapi_get_name(TALLOC_CTX *mem_ctx, gss_name_t gss_name) + return exported; + } + ++#define AUTH_INDICATORS_TAG "auth-indicators" ++ ++static char **gssapi_get_indicators(TALLOC_CTX *mem_ctx, gss_name_t gss_name) ++{ ++ gss_buffer_set_t attrs = GSS_C_NO_BUFFER_SET; ++ int is_mechname; ++ OM_uint32 major; ++ OM_uint32 minor; ++ gss_buffer_desc value = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc display_value = GSS_C_EMPTY_BUFFER; ++ char *exported = NULL; ++ char **map = NULL; ++ int res; ++ ++ major = gss_inquire_name(&minor, gss_name, &is_mechname, NULL, &attrs); ++ if (major != GSS_S_COMPLETE) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to inquire name\n"); ++ return NULL; ++ } ++ 
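Review bot: Both opt-out tests in pam_gssapi_check_indicators look only at the first character (`map[i][0] == '-'` and `map[i][pam_len + 1] == '-'`), so any entry that merely begins with a dash switches the indicator check off for the service instead of being rejected. The man page text in this same patch defines the opt-out token as exactly `-` or `service:-`, so a mistyped value fails open. Comparing the whole token keeps the documented behaviour and lets anything else fall through to the normal path: `if (strcmp(map[i], "-") == 0) {` and `if (strcmp(map[i] + pam_len + 1, "-") == 0) {`. The two comments saying the buffer is allocated "on pam_ctx" do not match the visible caller, which passes `state` as `mem_ctx`. `indicators` can be NULL when the ticket carried none, so it is worth confirming that `diff_string_lists()` accepts a NULL first list.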
++ if (attrs == GSS_C_NO_BUFFER_SET) { ++ DEBUG(SSSDBG_TRACE_FUNC, "No krb5 attributes in the ticket\n"); ++ return NULL; ++ } ++ ++ exported = talloc_strdup(mem_ctx, ""); ++ if (exported == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unable to pre-allocate indicators\n"); ++ goto done; ++ } ++ ++ for (int i = 0; i < attrs->count; i++) { ++ int authenticated = 0; ++ int complete = 0; ++ int more = -1; ++ ++ /* skip anything but auth-indicators */ ++ if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value, ++ sizeof(AUTH_INDICATORS_TAG) - 1) != 0) ++ continue; ++ ++ /* retrieve all indicators */ ++ while (more != 0) { ++ value.value = NULL; ++ display_value.value = NULL; ++ ++ major = gss_get_name_attribute(&minor, gss_name, ++ &attrs->elements[i], ++ &authenticated, ++ &complete, &value, ++ &display_value, ++ &more); ++ if (major != GSS_S_COMPLETE) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unable to retrieve an attribute\n"); ++ goto done; ++ } ++ ++ if ((value.value != NULL) && authenticated) { ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "attribute's [%.*s] value [%.*s] authenticated\n", ++ (int) attrs->elements[i].length, ++ (char*) attrs->elements[i].value, ++ (int) value.length, ++ (char*) value.value); ++ exported = talloc_asprintf_append(exported, "%.*s ", ++ (int) value.length, ++ (char*) value.value); ++ } ++ ++ if (exported == NULL) { ++ /* Since we allocate on mem_ctx, caller will free ++ * the previous version of 'exported' */ ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unable to collect an attribute value\n"); ++ goto done; ++ } ++ (void) gss_release_buffer(&minor, &value); ++ (void) gss_release_buffer(&minor, &display_value); ++ } ++ } ++ ++ if (exported[0] != '\0') { ++ /* trim a space after the final indicator ++ * to prevent split_on_separator() to fail */ ++ exported[strlen(exported) - 1] = '\0'; ++ } else { ++ /* empty list */ ++ goto done; ++ } ++ ++ res = split_on_separator(mem_ctx, exported, ' ', true, true, ++ &map, NULL); ++ if (res != 0) { ++ DEBUG(SSSDBG_FATAL_FAILURE, 
++ "Cannot parse list of indicators: [%s]\n", exported); ++ goto done; ++ } else { ++ DEBUG(SSSDBG_TRACE_FUNC, "authentication indicators: [%s]\n", ++ exported); ++ } ++ ++done: ++ (void) gss_release_buffer(&minor, &value); ++ (void) gss_release_buffer(&minor, &display_value); ++ (void) gss_release_buffer_set(&minor, &attrs); ++ ++ talloc_free(exported); ++ return map; ++} ++ ++ + struct gssapi_state { + struct cli_ctx *cli_ctx; + struct sss_domain_info *domain; + const char *username; + + char *authenticated_upn; ++ char **auth_indicators; + bool established; + gss_ctx_id_t ctx; + }; +@@ -568,6 +794,8 @@ gssapi_handshake(struct gssapi_state *state, + DEBUG(SSSDBG_TRACE_FUNC, "Security context established with [%s]\n", + state->authenticated_upn); + ++ state->auth_indicators = gssapi_get_indicators(state, client_name); ++ + state->established = true; + ret = EOK; + +@@ -632,6 +860,7 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx) + const char *domain_name; + const char *username; + char *target; ++ char **indicators_map = NULL; + size_t gss_data_len; + uint8_t *gss_data; + errno_t ret; +@@ -699,6 +928,27 @@ pam_cmd_gssapi_sec_ctx(struct cli_ctx *cli_ctx) + goto done; + } + ++ /* Use map for auth-indicators from the domain, if defined and ++ * fallback to the [pam] section otherwise */ ++ indicators_map = domain->gssapi_indicators_map ? ++ domain->gssapi_indicators_map : ++ (pam_ctx->gssapi_indicators_map ? ++ pam_ctx->gssapi_indicators_map : NULL); ++ if (indicators_map != NULL) { ++ ret = pam_gssapi_check_indicators(state, ++ pam_service, ++ indicators_map, ++ state->auth_indicators); ++ DEBUG(SSSDBG_TRACE_FUNC, ++ "Check if acquired service ticket has req. indicators: %d\n", ++ ret); ++ if ((ret == EPERM) || (ret == ENOMEM) || (ret == EINVAL)) { ++ /* skip further checks if denied or no memory, ++ * ENOENT means the check is not applicable */ ++ goto done; ++ } ++ } ++ + if (!pam_gssapi_should_check_upn(pam_ctx, domain)) { + /* We are done. 
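Review bot: In gssapi_get_indicators the attribute name is compared with `strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value, sizeof(AUTH_INDICATORS_TAG) - 1)` without consulting `attrs->elements[i].length`. A `gss_buffer_desc` is a length/pointer pair that is not guaranteed to be NUL-terminated, so a shorter attribute name can be read past its end. Adding `if (attrs->elements[i].length < sizeof(AUTH_INDICATORS_TAG) - 1) continue;` before the comparison bounds the read. The comparison is also a prefix match, so it is worth deciding whether longer names that start with the tag should be accepted. The function returns NULL both for "no indicators" and for every failure path; the `state->auth_indicators = gssapi_get_indicators(state, client_name);` assignment in the next hunk cannot tell these apart, which deserves a comment at the call site.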
*/ + goto done; +-- +2.21.3 + diff --git a/SOURCES/0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch b/SOURCES/0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch new file mode 100644 index 0000000..af99e4f --- /dev/null +++ b/SOURCES/0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch 
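Review bot: The result filter in pam_cmd_gssapi_sec_ctx, `if ((ret == EPERM) || (ret == ENOMEM) || (ret == EINVAL))`, lists the codes that deny. Any other non-success value that `pam_gssapi_check_indicators()` returns now or later would therefore continue as if the check had passed. Listing the accepted outcomes fails closed: `if (ret != EOK && ret != ENOENT) { goto done; }`. When the check returns ENOENT ("not applicable") and the UPN check is disabled, the following `goto done` is reached with `ret` still ENOENT. The `done:` label is outside this hunk, so please confirm this does not turn into a denial, or add `ret = EOK;` after the filter. The inner `pam_ctx->gssapi_indicators_map ? pam_ctx->gssapi_indicators_map : NULL` is redundant and can be the bare pointer.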
@@ -0,0 +1,121 @@ +From b100efbfabd96dcfb2825777b75b9a9dfaacb937 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 29 Jan 2021 12:41:28 +0100 +Subject: [PATCH] sudo: do not search by low usn value to improve performance + +This is a follow up on these two commits. + +- 819d70ef6e6fa0e736ebd60a7f8a26f672927d57 +- 6815844daa7701c76e31addbbdff74656cd30bea + +The first one improved the search filter little bit to achieve better +performance, however it also changed the behavior: we started to search +for `usn >= 1` in the filter if no usn number was known. + +This caused issues on OpenLDAP server which was fixed by the second patch. +However, the fix was wrong and searching by this meaningfully low number +can cause performance issues depending on how the filter is optimized and +evaluated on the server. + +Now we omit the usn attribute from the filter if there is no meaningful value. + +How to test: +1. Setup LDAP with no sudo rules defined +2. Make sure that the LDAP server does not support USN or use the following diff + to enforce modifyTimestamp (last USN is always available from rootDSE) +```diff + +Reviewed-by: Alexey Tikhonov +--- + src/providers/ldap/sdap.c | 4 ++-- + src/providers/ldap/sdap_sudo_refresh.c | 6 ++++-- + src/providers/ldap/sdap_sudo_shared.c | 21 ++++++--------------- + 3 files changed, 12 insertions(+), 19 deletions(-) + +diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c +index 32c0144b9..c853e4dc1 100644 +--- a/src/providers/ldap/sdap.c ++++ b/src/providers/ldap/sdap.c +@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, + last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name; + entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name; + if (rootdse) { +- if (last_usn_name) { ++ if (false) { + ret = sysdb_attrs_get_string(rootdse, + last_usn_name, &last_usn_value); + if (ret != EOK) { +@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, + } + } + 
+- if (!last_usn_name) { ++ if (true) { + DEBUG(SSSDBG_FUNC_DATA, + "No known USN scheme is supported by this server!\n"); + if (!entry_usn_name) { +diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c +index ddcb23781..83f944ccf 100644 +--- a/src/providers/ldap/sdap_sudo_refresh.c ++++ b/src/providers/ldap/sdap_sudo_refresh.c +@@ -181,8 +181,10 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx, + state->sysdb = id_ctx->be->domain->sysdb; + + /* Download all rules from LDAP that are newer than usn */ +- if (srv_opts == NULL || srv_opts->max_sudo_value == 0) { +- DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n"); ++ if (srv_opts == NULL || srv_opts->max_sudo_value == NULL ++ || strcmp(srv_opts->max_sudo_value, "0") == 0) { ++ DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero and " ++ "omitting it from the filter.\n"); + usn = "0"; + search_filter = talloc_asprintf(state, "(%s=%s)", + map[SDAP_AT_SUDO_OC].name, +diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c +index 4f09957ea..75d1bc3d8 100644 +--- a/src/providers/ldap/sdap_sudo_shared.c ++++ b/src/providers/ldap/sdap_sudo_shared.c +@@ -129,25 +129,17 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx, + static char * + sdap_sudo_new_usn(TALLOC_CTX *mem_ctx, + unsigned long usn, +- const char *leftover, +- bool supports_usn) ++ const char *leftover) + { + const char *str = leftover == NULL ? "" : leftover; + char *newusn; + +- /* This is a fresh start and server uses modifyTimestamp. We need to +- * provide proper datetime value. */ +- if (!supports_usn && usn == 0) { +- newusn = talloc_strdup(mem_ctx, "00000101000000Z"); +- if (newusn == NULL) { +- DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n"); +- return NULL; +- } +- +- return newusn; ++ /* Current largest USN is unknown so we keep "0" to indicate it. 
*/ ++ if (usn == 0) { ++ return talloc_strdup(mem_ctx, "0"); + } + +- /* We increment USN number so that we can later use simplify filter ++ /* We increment USN number so that we can later use simplified filter + * (just usn >= last+1 instead of usn >= last && usn != last). + */ + usn++; +@@ -219,8 +211,7 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, + srv_opts->last_usn = usn_number; + } + +- newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone, +- srv_opts->supports_usn); ++ newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, timezone); + if (newusn == NULL) { + return; + } +-- +2.21.3 + diff --git a/SOURCES/0046-ldap-fix-modifytimestamp-debugging-leftovers.patch b/SOURCES/0046-ldap-fix-modifytimestamp-debugging-leftovers.patch new file mode 100644 index 0000000..ae6dfb7 --- /dev/null +++ b/SOURCES/0046-ldap-fix-modifytimestamp-debugging-leftovers.patch @@ -0,0 +1,34 @@ +From fff02bbf7967d291ccb019fae741e6591ed8fd41 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 12 Feb 2021 15:30:59 +0100 +Subject: [PATCH] ldap: fix modifytimestamp debugging leftovers + +--- + src/providers/ldap/sdap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c +index c853e4dc1..32c0144b9 100644 +--- a/src/providers/ldap/sdap.c ++++ b/src/providers/ldap/sdap.c +@@ -1391,7 +1391,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, + last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name; + entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name; + if (rootdse) { +- if (false) { ++ if (last_usn_name) { + ret = sysdb_attrs_get_string(rootdse, + last_usn_name, &last_usn_value); + if (ret != EOK) { +@@ -1500,7 +1500,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, + } + } + +- if (true) { ++ if (!last_usn_name) { + DEBUG(SSSDBG_FUNC_DATA, + "No known USN scheme is supported by this server!\n"); + if (!entry_usn_name) { +-- +2.21.3 + 
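Review bot: The literal `"0"` is now the "largest USN unknown" sentinel in two files that must stay in agreement. sdap_sudo_new_usn returns `talloc_strdup(mem_ctx, "0")` here, and sdap_sudo_smart_refresh_send tests `strcmp(srv_opts->max_sudo_value, "0") == 0` in sdap_sudo_refresh.c. A shared named constant for the sentinel (the name is left to the maintainers) would keep a later change to one site from silently re-adding the USN term to the filter. The new early return also drops the out-of-memory debug message that the removed branch logged. The caller shown in the following hunk returns without logging when `newusn == NULL`, so an allocation failure on this path is now silent.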
diff --git a/SOURCES/0047-ssh-restore-default-debug-level.patch b/SOURCES/0047-ssh-restore-default-debug-level.patch new file mode 100644 index 0000000..7b29783 --- /dev/null +++ b/SOURCES/0047-ssh-restore-default-debug-level.patch 
@@ -0,0 +1,49 @@ +From 2d26c95d78cf43798b54ac8c478b8a9ee41cab39 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 3 Feb 2021 18:28:29 +0100 +Subject: [PATCH] ssh: restore default debug level + +The recent change of the default debug level for the main SSSD +components affected the ssh helpers sss_ssh_authorizedkeys and +sss_ssh_knownhostsproxy as well. + +To avoid any confusion about unexpected debug messages this patch +restores to original value for the two helpers. + +Resolves: https://github.com/SSSD/sssd/issues/5488 + +Reviewed-by: Alexey Tikhonov +--- + src/sss_client/ssh/sss_ssh_authorizedkeys.c | 2 +- + src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c +index 8e80f9663..877c00299 100644 +--- a/src/sss_client/ssh/sss_ssh_authorizedkeys.c ++++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c +@@ -32,7 +32,7 @@ + int main(int argc, const char **argv) + { + TALLOC_CTX *mem_ctx = NULL; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_FATAL_FAILURE; + const char *pc_domain = NULL; + const char *pc_user = NULL; + struct poptOption long_options[] = { +diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +index ad6af81d8..1102fd4ab 100644 +--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c ++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@@ -174,7 +174,7 @@ connect_proxy_command(char **args) + int main(int argc, const char **argv) + { + TALLOC_CTX *mem_ctx = NULL; +- int pc_debug = SSSDBG_DEFAULT; ++ int pc_debug = SSSDBG_FATAL_FAILURE; + int pc_port = 22; + const char *pc_domain = NULL; + const char *pc_host = NULL; +-- +2.21.3 + diff --git a/SOURCES/0048-pot-update-pot-files.patch b/SOURCES/0048-pot-update-pot-files.patch new file mode 100644 index 0000000..8e1141a --- /dev/null +++ b/SOURCES/0048-pot-update-pot-files.patch 
@@ -0,0 +1,2230 @@ +From 6add2ef311815a25598e1ec90d28119636976e21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 5 Feb 2021 11:59:35 +0100 +Subject: [PATCH] pot: update pot files + +--- + po/sssd.pot | 860 ++++++++++++++++++++++++++-------------------------- + 1 file changed, 436 insertions(+), 424 deletions(-) + +diff --git a/po/sssd.pot b/po/sssd.pot +index 669c22846..19f6994ff 100644 +--- a/po/sssd.pot ++++ b/po/sssd.pot +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +-"POT-Creation-Date: 2020-10-12 12:21+0200\n" ++"POT-Creation-Date: 2021-02-05 11:58+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + "Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +@@ -153,7 +153,7 @@ msgid "Entry cache background update timeout length (seconds)" + msgstr "" + + #: src/config/SSSDConfig/sssdoptions.py:61 +-#: src/config/SSSDConfig/sssdoptions.py:115 ++#: src/config/SSSDConfig/sssdoptions.py:117 + msgid "Negative cache timeout length (seconds)" + msgstr "" + +@@ -329,1653 +329,1665 @@ msgstr "" + msgid "When shall the PAM responder force an initgroups request" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:109 ++#: src/config/SSSDConfig/sssdoptions.py:107 ++msgid "List of PAM services that are allowed to authenticate with GSSAPI." ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:108 ++msgid "Whether to match authenticated UPN with target user" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:111 + msgid "Whether to evaluate the time-based attributes in sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:110 ++#: src/config/SSSDConfig/sssdoptions.py:112 + msgid "If true, SSSD will switch back to lower-wins ordering logic" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:111 ++#: src/config/SSSDConfig/sssdoptions.py:113 + msgid "" + "Maximum number of rules that can be refreshed at once. 
If this is exceeded, " + "full refresh is performed." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:118 ++#: src/config/SSSDConfig/sssdoptions.py:120 + msgid "Whether to hash host names and addresses in the known_hosts file" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:119 ++#: src/config/SSSDConfig/sssdoptions.py:121 + msgid "" + "How many seconds to keep a host in the known_hosts file after its host keys " + "were requested" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:121 ++#: src/config/SSSDConfig/sssdoptions.py:123 + msgid "Path to storage of trusted CA certificates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:122 ++#: src/config/SSSDConfig/sssdoptions.py:124 + msgid "Allow to generate ssh-keys from certificates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:123 ++#: src/config/SSSDConfig/sssdoptions.py:125 + msgid "" + "Use the following matching rules to filter the certificates for ssh-key " + "generation" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:127 ++#: src/config/SSSDConfig/sssdoptions.py:129 + msgid "List of UIDs or user names allowed to access the PAC responder" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:128 ++#: src/config/SSSDConfig/sssdoptions.py:130 + msgid "How long the PAC data is considered valid" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:131 ++#: src/config/SSSDConfig/sssdoptions.py:133 + msgid "List of user attributes the InfoPipe is allowed to publish" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:134 ++#: src/config/SSSDConfig/sssdoptions.py:136 + msgid "The provider where the secrets will be stored in" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:135 ++#: src/config/SSSDConfig/sssdoptions.py:137 + msgid "The maximum allowed number of nested containers" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:136 ++#: src/config/SSSDConfig/sssdoptions.py:138 + msgid "The maximum number of secrets that can be stored" + msgstr "" 
+ +-#: src/config/SSSDConfig/sssdoptions.py:137 ++#: src/config/SSSDConfig/sssdoptions.py:139 + msgid "The maximum number of secrets that can be stored per UID" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:138 ++#: src/config/SSSDConfig/sssdoptions.py:140 + msgid "The maximum payload size of a secret in kilobytes" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:140 ++#: src/config/SSSDConfig/sssdoptions.py:142 + msgid "The URL Custodia server is listening on" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:141 ++#: src/config/SSSDConfig/sssdoptions.py:143 + msgid "The method to use when authenticating to a Custodia server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:142 ++#: src/config/SSSDConfig/sssdoptions.py:144 + msgid "" + "The name of the headers that will be added into a HTTP request with the " + "value defined in auth_header_value" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:144 ++#: src/config/SSSDConfig/sssdoptions.py:146 + msgid "The value sssd-secrets would use for auth_header_name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:145 ++#: src/config/SSSDConfig/sssdoptions.py:147 + msgid "" + "The list of the headers to forward to the Custodia server together with the " + "request" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:146 ++#: src/config/SSSDConfig/sssdoptions.py:148 + msgid "" + "The username to use when authenticating to a Custodia server using basic_auth" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:147 ++#: src/config/SSSDConfig/sssdoptions.py:149 + msgid "" + "The password to use when authenticating to a Custodia server using basic_auth" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:148 ++#: src/config/SSSDConfig/sssdoptions.py:150 + msgid "If true peer's certificate is verified if proxy_url uses https protocol" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:149 ++#: src/config/SSSDConfig/sssdoptions.py:151 + msgid "" + "If false peer's 
certificate may contain different hostname than proxy_url " + "when https protocol is used" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:151 ++#: src/config/SSSDConfig/sssdoptions.py:153 + msgid "Path to directory where certificate authority certificates are stored" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:152 ++#: src/config/SSSDConfig/sssdoptions.py:154 + msgid "Path to file containing server's CA certificate" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:153 ++#: src/config/SSSDConfig/sssdoptions.py:155 + msgid "Path to file containing client's certificate" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:154 ++#: src/config/SSSDConfig/sssdoptions.py:156 + msgid "Path to file containing client's private key" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:157 ++#: src/config/SSSDConfig/sssdoptions.py:159 + msgid "" + "One of the following strings specifying the scope of session recording: none " + "- No users are recorded. some - Users/groups specified by users and groups " + "options are recorded. all - All users are recorded." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:160 ++#: src/config/SSSDConfig/sssdoptions.py:162 + msgid "" + "A comma-separated list of users which should have session recording enabled. " + "Matches user names as returned by NSS. I.e. after the possible space " + "replacement, case changes, etc." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:162 ++#: src/config/SSSDConfig/sssdoptions.py:164 + msgid "" + "A comma-separated list of groups, members of which should have session " + "recording enabled. Matches group names as returned by NSS. I.e. after the " + "possible space replacement, case changes, etc." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:165 ++#: src/config/SSSDConfig/sssdoptions.py:167 + msgid "" + "A comma-separated list of users to be excluded from recording, only when " + "scope=all" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:166 ++#: src/config/SSSDConfig/sssdoptions.py:168 + msgid "" + "A comma-separated list of groups, members of which should be excluded from " + "recording, only when scope=all. " + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:170 ++#: src/config/SSSDConfig/sssdoptions.py:172 + msgid "Identity provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:171 ++#: src/config/SSSDConfig/sssdoptions.py:173 + msgid "Authentication provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:172 ++#: src/config/SSSDConfig/sssdoptions.py:174 + msgid "Access control provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:173 ++#: src/config/SSSDConfig/sssdoptions.py:175 + msgid "Password change provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:174 ++#: src/config/SSSDConfig/sssdoptions.py:176 + msgid "SUDO provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:175 ++#: src/config/SSSDConfig/sssdoptions.py:177 + msgid "Autofs provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:176 ++#: src/config/SSSDConfig/sssdoptions.py:178 + msgid "Host identity provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:177 ++#: src/config/SSSDConfig/sssdoptions.py:179 + msgid "SELinux provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:178 ++#: src/config/SSSDConfig/sssdoptions.py:180 + msgid "Session management provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:179 ++#: src/config/SSSDConfig/sssdoptions.py:181 + msgid "Resolver provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:182 ++#: src/config/SSSDConfig/sssdoptions.py:184 + msgid "Whether the domain is usable by the OS or by applications" + msgstr "" + 
+-#: src/config/SSSDConfig/sssdoptions.py:183 ++#: src/config/SSSDConfig/sssdoptions.py:185 + msgid "Enable or disable the domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:184 ++#: src/config/SSSDConfig/sssdoptions.py:186 + msgid "Minimum user ID" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:185 ++#: src/config/SSSDConfig/sssdoptions.py:187 + msgid "Maximum user ID" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:186 ++#: src/config/SSSDConfig/sssdoptions.py:188 + msgid "Enable enumerating all users/groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:187 ++#: src/config/SSSDConfig/sssdoptions.py:189 + msgid "Cache credentials for offline login" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:188 ++#: src/config/SSSDConfig/sssdoptions.py:190 + msgid "Display users/groups in fully-qualified form" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:189 ++#: src/config/SSSDConfig/sssdoptions.py:191 + msgid "Don't include group members in group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:190 +-#: src/config/SSSDConfig/sssdoptions.py:200 +-#: src/config/SSSDConfig/sssdoptions.py:201 ++#: src/config/SSSDConfig/sssdoptions.py:192 + #: src/config/SSSDConfig/sssdoptions.py:202 + #: src/config/SSSDConfig/sssdoptions.py:203 + #: src/config/SSSDConfig/sssdoptions.py:204 + #: src/config/SSSDConfig/sssdoptions.py:205 + #: src/config/SSSDConfig/sssdoptions.py:206 ++#: src/config/SSSDConfig/sssdoptions.py:207 ++#: src/config/SSSDConfig/sssdoptions.py:208 + msgid "Entry cache timeout length (seconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:191 ++#: src/config/SSSDConfig/sssdoptions.py:193 + msgid "" + "Restrict or prefer a specific address family when performing DNS lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:192 ++#: src/config/SSSDConfig/sssdoptions.py:194 + msgid "How long to keep cached entries after last successful login (days)" + msgstr "" + +-#: 
src/config/SSSDConfig/sssdoptions.py:193 ++#: src/config/SSSDConfig/sssdoptions.py:195 + msgid "" + "How long should SSSD talk to single DNS server before trying next server " + "(miliseconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:195 ++#: src/config/SSSDConfig/sssdoptions.py:197 + msgid "How long should keep trying to resolve single DNS query (seconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:196 ++#: src/config/SSSDConfig/sssdoptions.py:198 + msgid "How long to wait for replies from DNS when resolving servers (seconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:197 ++#: src/config/SSSDConfig/sssdoptions.py:199 + msgid "The domain part of service discovery DNS query" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:198 ++#: src/config/SSSDConfig/sssdoptions.py:200 + msgid "Override GID value from the identity provider with this value" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:199 ++#: src/config/SSSDConfig/sssdoptions.py:201 + msgid "Treat usernames as case sensitive" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:207 ++#: src/config/SSSDConfig/sssdoptions.py:209 + msgid "How often should expired entries be refreshed in background" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:208 ++#: src/config/SSSDConfig/sssdoptions.py:210 + msgid "Whether to automatically update the client's DNS entry" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:209 +-#: src/config/SSSDConfig/sssdoptions.py:239 ++#: src/config/SSSDConfig/sssdoptions.py:211 ++#: src/config/SSSDConfig/sssdoptions.py:241 + msgid "The TTL to apply to the client's DNS entry after updating it" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:210 +-#: src/config/SSSDConfig/sssdoptions.py:240 ++#: src/config/SSSDConfig/sssdoptions.py:212 ++#: src/config/SSSDConfig/sssdoptions.py:242 + msgid "The interface whose IP should be used for dynamic DNS updates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:211 
++#: src/config/SSSDConfig/sssdoptions.py:213 + msgid "How often to periodically update the client's DNS entry" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:212 ++#: src/config/SSSDConfig/sssdoptions.py:214 + msgid "Whether the provider should explicitly update the PTR record as well" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:213 ++#: src/config/SSSDConfig/sssdoptions.py:215 + msgid "Whether the nsupdate utility should default to using TCP" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:214 ++#: src/config/SSSDConfig/sssdoptions.py:216 + msgid "What kind of authentication should be used to perform the DNS update" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:215 ++#: src/config/SSSDConfig/sssdoptions.py:217 + msgid "Override the DNS server used to perform the DNS update" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:216 ++#: src/config/SSSDConfig/sssdoptions.py:218 + msgid "Control enumeration of trusted domains" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:217 ++#: src/config/SSSDConfig/sssdoptions.py:219 + msgid "How often should subdomains list be refreshed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:218 ++#: src/config/SSSDConfig/sssdoptions.py:220 + msgid "List of options that should be inherited into a subdomain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:219 ++#: src/config/SSSDConfig/sssdoptions.py:221 + msgid "Default subdomain homedir value" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:220 ++#: src/config/SSSDConfig/sssdoptions.py:222 + msgid "How long can cached credentials be used for cached authentication" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:221 ++#: src/config/SSSDConfig/sssdoptions.py:223 + msgid "Whether to automatically create private groups for users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:222 ++#: src/config/SSSDConfig/sssdoptions.py:224 + msgid "Display a warning N days before the password expires." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:223 ++#: src/config/SSSDConfig/sssdoptions.py:225 + msgid "" + "Various tags stored by the realmd configuration service for this domain." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:224 ++#: src/config/SSSDConfig/sssdoptions.py:226 + msgid "" + "The provider which should handle fetching of subdomains. This value should " + "be always the same as id_provider." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:226 ++#: src/config/SSSDConfig/sssdoptions.py:228 + msgid "" + "How many seconds to keep a host ssh key after refresh. IE how long to cache " + "the host key for." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:228 ++#: src/config/SSSDConfig/sssdoptions.py:230 + msgid "" + "If 2-Factor-Authentication (2FA) is used and credentials should be saved " + "this value determines the minimal length the first authentication factor " + "(long term password) must have to be saved as SHA512 hash into the cache." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:234 ++#: src/config/SSSDConfig/sssdoptions.py:236 + msgid "IPA domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:235 ++#: src/config/SSSDConfig/sssdoptions.py:237 + msgid "IPA server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:236 ++#: src/config/SSSDConfig/sssdoptions.py:238 + msgid "Address of backup IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:237 ++#: src/config/SSSDConfig/sssdoptions.py:239 + msgid "IPA client hostname" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:238 ++#: src/config/SSSDConfig/sssdoptions.py:240 + msgid "Whether to automatically update the client's DNS entry in FreeIPA" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:241 ++#: src/config/SSSDConfig/sssdoptions.py:243 + msgid "Search base for HBAC related objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:242 ++#: src/config/SSSDConfig/sssdoptions.py:244 + msgid "" + 
"The amount of time between lookups of the HBAC rules against the IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:243 ++#: src/config/SSSDConfig/sssdoptions.py:245 + msgid "" + "The amount of time in seconds between lookups of the SELinux maps against " + "the IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:245 ++#: src/config/SSSDConfig/sssdoptions.py:247 + msgid "If set to false, host argument given by PAM will be ignored" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:246 ++#: src/config/SSSDConfig/sssdoptions.py:248 + msgid "The automounter location this IPA client is using" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:247 ++#: src/config/SSSDConfig/sssdoptions.py:249 + msgid "Search base for object containing info about IPA domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:248 ++#: src/config/SSSDConfig/sssdoptions.py:250 + msgid "Search base for objects containing info about ID ranges" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:249 +-#: src/config/SSSDConfig/sssdoptions.py:303 ++#: src/config/SSSDConfig/sssdoptions.py:251 ++#: src/config/SSSDConfig/sssdoptions.py:305 + msgid "Enable DNS sites - location based service discovery" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:250 ++#: src/config/SSSDConfig/sssdoptions.py:252 + msgid "Search base for view containers" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:251 ++#: src/config/SSSDConfig/sssdoptions.py:253 + msgid "Objectclass for view containers" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:252 ++#: src/config/SSSDConfig/sssdoptions.py:254 + msgid "Attribute with the name of the view" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:253 ++#: src/config/SSSDConfig/sssdoptions.py:255 + msgid "Objectclass for override objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:254 ++#: src/config/SSSDConfig/sssdoptions.py:256 + msgid "Attribute with the reference to the original 
object" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:255 ++#: src/config/SSSDConfig/sssdoptions.py:257 + msgid "Objectclass for user override objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:256 ++#: src/config/SSSDConfig/sssdoptions.py:258 + msgid "Objectclass for group override objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:257 ++#: src/config/SSSDConfig/sssdoptions.py:259 + msgid "Search base for Desktop Profile related objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:258 ++#: src/config/SSSDConfig/sssdoptions.py:260 + msgid "" + "The amount of time in seconds between lookups of the Desktop Profile rules " + "against the IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:260 ++#: src/config/SSSDConfig/sssdoptions.py:262 + msgid "" + "The amount of time in minutes between lookups of Desktop Profiles rules " + "against the IPA server when the last request did not find any rule" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:263 ++#: src/config/SSSDConfig/sssdoptions.py:265 + msgid "The LDAP attribute that contains FQDN of the host." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:264 +-#: src/config/SSSDConfig/sssdoptions.py:287 ++#: src/config/SSSDConfig/sssdoptions.py:266 ++#: src/config/SSSDConfig/sssdoptions.py:289 + msgid "The object class of a host entry in LDAP." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:265 ++#: src/config/SSSDConfig/sssdoptions.py:267 + msgid "Use the given string as search base for host objects." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:266 ++#: src/config/SSSDConfig/sssdoptions.py:268 + msgid "The LDAP attribute that contains the host's SSH public keys." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:267 ++#: src/config/SSSDConfig/sssdoptions.py:269 + msgid "The LDAP attribute that contains NIS domain name of the netgroup." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:268 ++#: src/config/SSSDConfig/sssdoptions.py:270 + msgid "The LDAP attribute that contains the names of the netgroup's members." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:269 ++#: src/config/SSSDConfig/sssdoptions.py:271 + msgid "" + "The LDAP attribute that lists FQDNs of hosts and host groups that are " + "members of the netgroup." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:271 ++#: src/config/SSSDConfig/sssdoptions.py:273 + msgid "" + "The LDAP attribute that lists hosts and host groups that are direct members " + "of the netgroup." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:273 ++#: src/config/SSSDConfig/sssdoptions.py:275 + msgid "The LDAP attribute that lists netgroup's memberships." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:274 ++#: src/config/SSSDConfig/sssdoptions.py:276 + msgid "" + "The LDAP attribute that lists system users and groups that are direct " + "members of the netgroup." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:276 ++#: src/config/SSSDConfig/sssdoptions.py:278 + msgid "The LDAP attribute that corresponds to the netgroup name." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:277 ++#: src/config/SSSDConfig/sssdoptions.py:279 + msgid "The object class of a netgroup entry in LDAP." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:278 ++#: src/config/SSSDConfig/sssdoptions.py:280 + msgid "" + "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:279 ++#: src/config/SSSDConfig/sssdoptions.py:281 + msgid "" + "The LDAP attribute that contains whether or not is user map enabled for " + "usage." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:281 ++#: src/config/SSSDConfig/sssdoptions.py:283 + msgid "The LDAP attribute that contains host category such as 'all'." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:282 ++#: src/config/SSSDConfig/sssdoptions.py:284 + msgid "" + "The LDAP attribute that contains all hosts / hostgroups this rule match " + "against." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:284 ++#: src/config/SSSDConfig/sssdoptions.py:286 + msgid "" + "The LDAP attribute that contains all users / groups this rule match against." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:286 ++#: src/config/SSSDConfig/sssdoptions.py:288 + msgid "The LDAP attribute that contains the name of SELinux usermap." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:288 ++#: src/config/SSSDConfig/sssdoptions.py:290 + msgid "" + "The LDAP attribute that contains DN of HBAC rule which can be used for " + "matching instead of memberUser and memberHost." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:290 ++#: src/config/SSSDConfig/sssdoptions.py:292 + msgid "The LDAP attribute that contains SELinux user string itself." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:291 ++#: src/config/SSSDConfig/sssdoptions.py:293 + msgid "The LDAP attribute that contains user category such as 'all'." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:292 ++#: src/config/SSSDConfig/sssdoptions.py:294 + msgid "The LDAP attribute that contains unique ID of the user map." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:293 ++#: src/config/SSSDConfig/sssdoptions.py:295 + msgid "" + "The option denotes that the SSSD is running on IPA server and should perform " + "lookups of users and groups from trusted domains differently." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:295 ++#: src/config/SSSDConfig/sssdoptions.py:297 + msgid "Use the given string as search base for trusted domains." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:298 ++#: src/config/SSSDConfig/sssdoptions.py:300 + msgid "Active Directory domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:299 ++#: src/config/SSSDConfig/sssdoptions.py:301 + msgid "Enabled Active Directory domains" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:300 ++#: src/config/SSSDConfig/sssdoptions.py:302 + msgid "Active Directory server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:301 ++#: src/config/SSSDConfig/sssdoptions.py:303 + msgid "Active Directory backup server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:302 ++#: src/config/SSSDConfig/sssdoptions.py:304 + msgid "Active Directory client hostname" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:304 +-#: src/config/SSSDConfig/sssdoptions.py:497 ++#: src/config/SSSDConfig/sssdoptions.py:306 ++#: src/config/SSSDConfig/sssdoptions.py:500 + msgid "LDAP filter to determine access privileges" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:305 ++#: src/config/SSSDConfig/sssdoptions.py:307 + msgid "Whether to use the Global Catalog for lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:306 ++#: src/config/SSSDConfig/sssdoptions.py:308 + msgid "Operation mode for GPO-based access control" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:307 ++#: src/config/SSSDConfig/sssdoptions.py:309 + msgid "" + "The amount of time between lookups of the GPO policy files against the AD " + "server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:308 ++#: src/config/SSSDConfig/sssdoptions.py:310 + msgid "" + "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " + "settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:310 ++#: src/config/SSSDConfig/sssdoptions.py:312 + msgid "" + "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " + "policy settings" + msgstr "" + +-#: 
src/config/SSSDConfig/sssdoptions.py:312 ++#: src/config/SSSDConfig/sssdoptions.py:314 + msgid "" + "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:313 ++#: src/config/SSSDConfig/sssdoptions.py:315 + msgid "" + "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:314 ++#: src/config/SSSDConfig/sssdoptions.py:316 + msgid "" + "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:315 ++#: src/config/SSSDConfig/sssdoptions.py:317 + msgid "PAM service names for which GPO-based access is always granted" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:316 ++#: src/config/SSSDConfig/sssdoptions.py:318 + msgid "PAM service names for which GPO-based access is always denied" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:317 ++#: src/config/SSSDConfig/sssdoptions.py:319 + msgid "" + "Default logon right (or permit/deny) to use for unmapped PAM service names" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:318 ++#: src/config/SSSDConfig/sssdoptions.py:320 + msgid "a particular site to be used by the client" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:319 ++#: src/config/SSSDConfig/sssdoptions.py:321 + msgid "" + "Maximum age in days before the machine account password should be renewed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:321 ++#: src/config/SSSDConfig/sssdoptions.py:323 + msgid "Option for tuning the machine account renewal task" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:322 ++#: src/config/SSSDConfig/sssdoptions.py:324 + msgid "Whether to update the machine account password in the Samba database" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:324 ++#: src/config/SSSDConfig/sssdoptions.py:326 + msgid "Use LDAPS port for LDAP and Global Catalog 
requests" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:325 ++#: src/config/SSSDConfig/sssdoptions.py:327 + msgid "Do not filter domain local groups from other domains" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:328 +-#: src/config/SSSDConfig/sssdoptions.py:329 ++#: src/config/SSSDConfig/sssdoptions.py:330 ++#: src/config/SSSDConfig/sssdoptions.py:331 + msgid "Kerberos server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:330 ++#: src/config/SSSDConfig/sssdoptions.py:332 + msgid "Kerberos backup server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:331 ++#: src/config/SSSDConfig/sssdoptions.py:333 + msgid "Kerberos realm" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:332 ++#: src/config/SSSDConfig/sssdoptions.py:334 + msgid "Authentication timeout" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:333 ++#: src/config/SSSDConfig/sssdoptions.py:335 + msgid "Whether to create kdcinfo files" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:334 ++#: src/config/SSSDConfig/sssdoptions.py:336 + msgid "Where to drop krb5 config snippets" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:337 ++#: src/config/SSSDConfig/sssdoptions.py:339 + msgid "Directory to store credential caches" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:338 ++#: src/config/SSSDConfig/sssdoptions.py:340 + msgid "Location of the user's credential cache" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:339 ++#: src/config/SSSDConfig/sssdoptions.py:341 + msgid "Location of the keytab to validate credentials" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:340 ++#: src/config/SSSDConfig/sssdoptions.py:342 + msgid "Enable credential validation" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:341 ++#: src/config/SSSDConfig/sssdoptions.py:343 + msgid "Store password if offline for later online authentication" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:342 ++#: 
src/config/SSSDConfig/sssdoptions.py:344 + msgid "Renewable lifetime of the TGT" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:343 ++#: src/config/SSSDConfig/sssdoptions.py:345 + msgid "Lifetime of the TGT" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:344 ++#: src/config/SSSDConfig/sssdoptions.py:346 + msgid "Time between two checks for renewal" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:345 ++#: src/config/SSSDConfig/sssdoptions.py:347 + msgid "Enables FAST" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:346 ++#: src/config/SSSDConfig/sssdoptions.py:348 + msgid "Selects the principal to use for FAST" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:347 ++#: src/config/SSSDConfig/sssdoptions.py:349 + msgid "Enables principal canonicalization" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:348 ++#: src/config/SSSDConfig/sssdoptions.py:350 + msgid "Enables enterprise principals" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:349 +-msgid "A mapping from user names to Kerberos principal names" ++#: src/config/SSSDConfig/sssdoptions.py:351 ++msgid "Enables using of subdomains realms for authentication" + msgstr "" + + #: src/config/SSSDConfig/sssdoptions.py:352 +-#: src/config/SSSDConfig/sssdoptions.py:353 +-msgid "Server where the change password service is running if not on the KDC" ++msgid "A mapping from user names to Kerberos principal names" + msgstr "" + ++#: src/config/SSSDConfig/sssdoptions.py:355 + #: src/config/SSSDConfig/sssdoptions.py:356 ++msgid "Server where the change password service is running if not on the KDC" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:359 + msgid "ldap_uri, The URI of the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:357 ++#: src/config/SSSDConfig/sssdoptions.py:360 + msgid "ldap_backup_uri, The URI of the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:358 ++#: src/config/SSSDConfig/sssdoptions.py:361 + 
msgid "The default base DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:359 ++#: src/config/SSSDConfig/sssdoptions.py:362 + msgid "The Schema Type in use on the LDAP server, rfc2307" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:360 ++#: src/config/SSSDConfig/sssdoptions.py:363 + msgid "Mode used to change user password" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:361 ++#: src/config/SSSDConfig/sssdoptions.py:364 + msgid "The default bind DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:362 ++#: src/config/SSSDConfig/sssdoptions.py:365 + msgid "The type of the authentication token of the default bind DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:363 ++#: src/config/SSSDConfig/sssdoptions.py:366 + msgid "The authentication token of the default bind DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:364 ++#: src/config/SSSDConfig/sssdoptions.py:367 + msgid "Length of time to attempt connection" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:365 ++#: src/config/SSSDConfig/sssdoptions.py:368 + msgid "Length of time to attempt synchronous LDAP operations" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:366 ++#: src/config/SSSDConfig/sssdoptions.py:369 + msgid "Length of time between attempts to reconnect while offline" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:367 ++#: src/config/SSSDConfig/sssdoptions.py:370 + msgid "Use only the upper case for realm names" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:368 ++#: src/config/SSSDConfig/sssdoptions.py:371 + msgid "File that contains CA certificates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:369 ++#: src/config/SSSDConfig/sssdoptions.py:372 + msgid "Path to CA certificate directory" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:370 ++#: src/config/SSSDConfig/sssdoptions.py:373 + msgid "File that contains the client certificate" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:371 ++#: 
src/config/SSSDConfig/sssdoptions.py:374 + msgid "File that contains the client key" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:372 ++#: src/config/SSSDConfig/sssdoptions.py:375 + msgid "List of possible ciphers suites" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:373 ++#: src/config/SSSDConfig/sssdoptions.py:376 + msgid "Require TLS certificate verification" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:374 ++#: src/config/SSSDConfig/sssdoptions.py:377 + msgid "Specify the sasl mechanism to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:375 ++#: src/config/SSSDConfig/sssdoptions.py:378 + msgid "Specify the sasl authorization id to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:376 ++#: src/config/SSSDConfig/sssdoptions.py:379 + msgid "Specify the sasl authorization realm to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:377 ++#: src/config/SSSDConfig/sssdoptions.py:380 + msgid "Specify the minimal SSF for LDAP sasl authorization" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:378 ++#: src/config/SSSDConfig/sssdoptions.py:381 + msgid "Specify the maximal SSF for LDAP sasl authorization" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:379 ++#: src/config/SSSDConfig/sssdoptions.py:382 + msgid "Kerberos service keytab" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:380 ++#: src/config/SSSDConfig/sssdoptions.py:383 + msgid "Use Kerberos auth for LDAP connection" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:381 ++#: src/config/SSSDConfig/sssdoptions.py:384 + msgid "Follow LDAP referrals" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:382 ++#: src/config/SSSDConfig/sssdoptions.py:385 + msgid "Lifetime of TGT for LDAP connection" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:383 ++#: src/config/SSSDConfig/sssdoptions.py:386 + msgid "How to dereference aliases" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:384 ++#: 
src/config/SSSDConfig/sssdoptions.py:387 + msgid "Service name for DNS service lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:385 ++#: src/config/SSSDConfig/sssdoptions.py:388 + msgid "The number of records to retrieve in a single LDAP query" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:386 ++#: src/config/SSSDConfig/sssdoptions.py:389 + msgid "The number of members that must be missing to trigger a full deref" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:387 ++#: src/config/SSSDConfig/sssdoptions.py:390 + msgid "" + "Whether the LDAP library should perform a reverse lookup to canonicalize the " + "host name during a SASL bind" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:389 ++#: src/config/SSSDConfig/sssdoptions.py:392 + msgid "" + "Allows to retain local users as members of an LDAP group for servers that " + "use the RFC2307 schema." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:392 ++#: src/config/SSSDConfig/sssdoptions.py:395 + msgid "entryUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:393 ++#: src/config/SSSDConfig/sssdoptions.py:396 + msgid "lastUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:395 ++#: src/config/SSSDConfig/sssdoptions.py:398 + msgid "How long to retain a connection to the LDAP server before disconnecting" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:398 ++#: src/config/SSSDConfig/sssdoptions.py:401 + msgid "Disable the LDAP paging control" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:399 ++#: src/config/SSSDConfig/sssdoptions.py:402 + msgid "Disable Active Directory range retrieval" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:402 ++#: src/config/SSSDConfig/sssdoptions.py:405 + msgid "Length of time to wait for a search request" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:403 ++#: src/config/SSSDConfig/sssdoptions.py:406 + msgid "Length of time to wait for a enumeration request" + msgstr "" 
+ +-#: src/config/SSSDConfig/sssdoptions.py:404 ++#: src/config/SSSDConfig/sssdoptions.py:407 + msgid "Length of time between enumeration updates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:405 ++#: src/config/SSSDConfig/sssdoptions.py:408 + msgid "Length of time between cache cleanups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:406 ++#: src/config/SSSDConfig/sssdoptions.py:409 + msgid "Require TLS for ID lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:407 ++#: src/config/SSSDConfig/sssdoptions.py:410 + msgid "Use ID-mapping of objectSID instead of pre-set IDs" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:408 ++#: src/config/SSSDConfig/sssdoptions.py:411 + msgid "Base DN for user lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:409 ++#: src/config/SSSDConfig/sssdoptions.py:412 + msgid "Scope of user lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:410 ++#: src/config/SSSDConfig/sssdoptions.py:413 + msgid "Filter for user lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:411 ++#: src/config/SSSDConfig/sssdoptions.py:414 + msgid "Objectclass for users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:412 ++#: src/config/SSSDConfig/sssdoptions.py:415 + msgid "Username attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:413 ++#: src/config/SSSDConfig/sssdoptions.py:416 + msgid "UID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:414 ++#: src/config/SSSDConfig/sssdoptions.py:417 + msgid "Primary GID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:415 ++#: src/config/SSSDConfig/sssdoptions.py:418 + msgid "GECOS attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:416 ++#: src/config/SSSDConfig/sssdoptions.py:419 + msgid "Home directory attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:417 ++#: src/config/SSSDConfig/sssdoptions.py:420 + msgid "Shell attribute" + msgstr "" + +-#: 
src/config/SSSDConfig/sssdoptions.py:418 ++#: src/config/SSSDConfig/sssdoptions.py:421 + msgid "UUID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:419 +-#: src/config/SSSDConfig/sssdoptions.py:457 ++#: src/config/SSSDConfig/sssdoptions.py:422 ++#: src/config/SSSDConfig/sssdoptions.py:460 + msgid "objectSID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:420 ++#: src/config/SSSDConfig/sssdoptions.py:423 + msgid "Active Directory primary group attribute for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:421 ++#: src/config/SSSDConfig/sssdoptions.py:424 + msgid "User principal attribute (for Kerberos)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:422 ++#: src/config/SSSDConfig/sssdoptions.py:425 + msgid "Full Name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:423 ++#: src/config/SSSDConfig/sssdoptions.py:426 + msgid "memberOf attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:424 ++#: src/config/SSSDConfig/sssdoptions.py:427 + msgid "Modification time attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:425 ++#: src/config/SSSDConfig/sssdoptions.py:428 + msgid "shadowLastChange attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:426 ++#: src/config/SSSDConfig/sssdoptions.py:429 + msgid "shadowMin attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:427 ++#: src/config/SSSDConfig/sssdoptions.py:430 + msgid "shadowMax attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:428 ++#: src/config/SSSDConfig/sssdoptions.py:431 + msgid "shadowWarning attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:429 ++#: src/config/SSSDConfig/sssdoptions.py:432 + msgid "shadowInactive attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:430 ++#: src/config/SSSDConfig/sssdoptions.py:433 + msgid "shadowExpire attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:431 ++#: 
src/config/SSSDConfig/sssdoptions.py:434 + msgid "shadowFlag attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:432 ++#: src/config/SSSDConfig/sssdoptions.py:435 + msgid "Attribute listing authorized PAM services" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:433 ++#: src/config/SSSDConfig/sssdoptions.py:436 + msgid "Attribute listing authorized server hosts" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:434 ++#: src/config/SSSDConfig/sssdoptions.py:437 + msgid "Attribute listing authorized server rhosts" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:435 ++#: src/config/SSSDConfig/sssdoptions.py:438 + msgid "krbLastPwdChange attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:436 ++#: src/config/SSSDConfig/sssdoptions.py:439 + msgid "krbPasswordExpiration attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:437 ++#: src/config/SSSDConfig/sssdoptions.py:440 + msgid "Attribute indicating that server side password policies are active" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:438 ++#: src/config/SSSDConfig/sssdoptions.py:441 + msgid "accountExpires attribute of AD" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:439 ++#: src/config/SSSDConfig/sssdoptions.py:442 + msgid "userAccountControl attribute of AD" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:440 ++#: src/config/SSSDConfig/sssdoptions.py:443 + msgid "nsAccountLock attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:441 ++#: src/config/SSSDConfig/sssdoptions.py:444 + msgid "loginDisabled attribute of NDS" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:442 ++#: src/config/SSSDConfig/sssdoptions.py:445 + msgid "loginExpirationTime attribute of NDS" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:443 ++#: src/config/SSSDConfig/sssdoptions.py:446 + msgid "loginAllowedTimeMap attribute of NDS" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:444 ++#: 
src/config/SSSDConfig/sssdoptions.py:447 + msgid "SSH public key attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:445 ++#: src/config/SSSDConfig/sssdoptions.py:448 + msgid "attribute listing allowed authentication types for a user" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:446 ++#: src/config/SSSDConfig/sssdoptions.py:449 + msgid "attribute containing the X509 certificate of the user" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:447 ++#: src/config/SSSDConfig/sssdoptions.py:450 + msgid "attribute containing the email address of the user" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:448 ++#: src/config/SSSDConfig/sssdoptions.py:451 + msgid "A list of extra attributes to download along with the user entry" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:450 ++#: src/config/SSSDConfig/sssdoptions.py:453 + msgid "Base DN for group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:451 ++#: src/config/SSSDConfig/sssdoptions.py:454 + msgid "Objectclass for groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:452 ++#: src/config/SSSDConfig/sssdoptions.py:455 + msgid "Group name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:453 ++#: src/config/SSSDConfig/sssdoptions.py:456 + msgid "Group password" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:454 ++#: src/config/SSSDConfig/sssdoptions.py:457 + msgid "GID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:455 ++#: src/config/SSSDConfig/sssdoptions.py:458 + msgid "Group member attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:456 ++#: src/config/SSSDConfig/sssdoptions.py:459 + msgid "Group UUID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:458 ++#: src/config/SSSDConfig/sssdoptions.py:461 + msgid "Modification time attribute for groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:459 ++#: src/config/SSSDConfig/sssdoptions.py:462 + msgid "Type of the 
group and other flags" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:460 ++#: src/config/SSSDConfig/sssdoptions.py:463 + msgid "The LDAP group external member attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:461 ++#: src/config/SSSDConfig/sssdoptions.py:464 + msgid "Maximum nesting level SSSD will follow" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:462 ++#: src/config/SSSDConfig/sssdoptions.py:465 + msgid "Filter for group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:463 ++#: src/config/SSSDConfig/sssdoptions.py:466 + msgid "Scope of group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:465 ++#: src/config/SSSDConfig/sssdoptions.py:468 + msgid "Base DN for netgroup lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:466 ++#: src/config/SSSDConfig/sssdoptions.py:469 + msgid "Objectclass for netgroups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:467 ++#: src/config/SSSDConfig/sssdoptions.py:470 + msgid "Netgroup name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:468 ++#: src/config/SSSDConfig/sssdoptions.py:471 + msgid "Netgroups members attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:469 ++#: src/config/SSSDConfig/sssdoptions.py:472 + msgid "Netgroup triple attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:470 ++#: src/config/SSSDConfig/sssdoptions.py:473 + msgid "Modification time attribute for netgroups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:472 ++#: src/config/SSSDConfig/sssdoptions.py:475 + msgid "Base DN for service lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:473 ++#: src/config/SSSDConfig/sssdoptions.py:476 + msgid "Objectclass for services" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:474 ++#: src/config/SSSDConfig/sssdoptions.py:477 + msgid "Service name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:475 ++#: 
src/config/SSSDConfig/sssdoptions.py:478 + msgid "Service port attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:476 ++#: src/config/SSSDConfig/sssdoptions.py:479 + msgid "Service protocol attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:478 ++#: src/config/SSSDConfig/sssdoptions.py:481 + msgid "Lower bound for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:479 ++#: src/config/SSSDConfig/sssdoptions.py:482 + msgid "Upper bound for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:480 ++#: src/config/SSSDConfig/sssdoptions.py:483 + msgid "Number of IDs for each slice when ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:481 ++#: src/config/SSSDConfig/sssdoptions.py:484 + msgid "Use autorid-compatible algorithm for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:482 ++#: src/config/SSSDConfig/sssdoptions.py:485 + msgid "Name of the default domain for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:483 ++#: src/config/SSSDConfig/sssdoptions.py:486 + msgid "SID of the default domain for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:484 ++#: src/config/SSSDConfig/sssdoptions.py:487 + msgid "Number of secondary slices" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:486 ++#: src/config/SSSDConfig/sssdoptions.py:489 + msgid "Whether to use Token-Groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:487 ++#: src/config/SSSDConfig/sssdoptions.py:490 + msgid "Set lower boundary for allowed IDs from the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:488 ++#: src/config/SSSDConfig/sssdoptions.py:491 + msgid "Set upper boundary for allowed IDs from the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:489 ++#: src/config/SSSDConfig/sssdoptions.py:492 + msgid "DN for ppolicy queries" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:490 ++#: 
src/config/SSSDConfig/sssdoptions.py:493 + msgid "How many maximum entries to fetch during a wildcard request" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:491 ++#: src/config/SSSDConfig/sssdoptions.py:494 + msgid "Set libldap debug level" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:494 ++#: src/config/SSSDConfig/sssdoptions.py:497 + msgid "Policy to evaluate the password expiration" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:498 ++#: src/config/SSSDConfig/sssdoptions.py:501 + msgid "Which attributes shall be used to evaluate if an account is expired" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:499 ++#: src/config/SSSDConfig/sssdoptions.py:502 + msgid "Which rules should be used to evaluate access control" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:502 ++#: src/config/SSSDConfig/sssdoptions.py:505 + msgid "URI of an LDAP server where password changes are allowed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:503 ++#: src/config/SSSDConfig/sssdoptions.py:506 + msgid "URI of a backup LDAP server where password changes are allowed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:504 ++#: src/config/SSSDConfig/sssdoptions.py:507 + msgid "DNS service name for LDAP password change server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:505 ++#: src/config/SSSDConfig/sssdoptions.py:508 + msgid "" + "Whether to update the ldap_user_shadow_last_change attribute after a " + "password change" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:509 ++#: src/config/SSSDConfig/sssdoptions.py:512 + msgid "Base DN for sudo rules lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:510 ++#: src/config/SSSDConfig/sssdoptions.py:513 + msgid "Automatic full refresh period" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:511 ++#: src/config/SSSDConfig/sssdoptions.py:514 + msgid "Automatic smart refresh period" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:512 ++#: 
src/config/SSSDConfig/sssdoptions.py:515 + msgid "Whether to filter rules by hostname, IP addresses and network" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:513 ++#: src/config/SSSDConfig/sssdoptions.py:516 + msgid "" + "Hostnames and/or fully qualified domain names of this machine to filter sudo " + "rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:514 ++#: src/config/SSSDConfig/sssdoptions.py:517 + msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:515 ++#: src/config/SSSDConfig/sssdoptions.py:518 + msgid "Whether to include rules that contains netgroup in host attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:516 ++#: src/config/SSSDConfig/sssdoptions.py:519 + msgid "" + "Whether to include rules that contains regular expression in host attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:517 ++#: src/config/SSSDConfig/sssdoptions.py:520 + msgid "Object class for sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:518 ++#: src/config/SSSDConfig/sssdoptions.py:521 + msgid "Name of attribute that is used as object class for sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:519 ++#: src/config/SSSDConfig/sssdoptions.py:522 + msgid "Sudo rule name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:520 ++#: src/config/SSSDConfig/sssdoptions.py:523 + msgid "Sudo rule command attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:521 ++#: src/config/SSSDConfig/sssdoptions.py:524 + msgid "Sudo rule host attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:522 ++#: src/config/SSSDConfig/sssdoptions.py:525 + msgid "Sudo rule user attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:523 ++#: src/config/SSSDConfig/sssdoptions.py:526 + msgid "Sudo rule option attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:524 ++#: 
src/config/SSSDConfig/sssdoptions.py:527 + msgid "Sudo rule runas attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:525 ++#: src/config/SSSDConfig/sssdoptions.py:528 + msgid "Sudo rule runasuser attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:526 ++#: src/config/SSSDConfig/sssdoptions.py:529 + msgid "Sudo rule runasgroup attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:527 ++#: src/config/SSSDConfig/sssdoptions.py:530 + msgid "Sudo rule notbefore attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:528 ++#: src/config/SSSDConfig/sssdoptions.py:531 + msgid "Sudo rule notafter attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:529 ++#: src/config/SSSDConfig/sssdoptions.py:532 + msgid "Sudo rule order attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:532 ++#: src/config/SSSDConfig/sssdoptions.py:535 + msgid "Object class for automounter maps" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:533 ++#: src/config/SSSDConfig/sssdoptions.py:536 + msgid "Automounter map name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:534 ++#: src/config/SSSDConfig/sssdoptions.py:537 + msgid "Object class for automounter map entries" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:535 ++#: src/config/SSSDConfig/sssdoptions.py:538 + msgid "Automounter map entry key attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:536 ++#: src/config/SSSDConfig/sssdoptions.py:539 + msgid "Automounter map entry value attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:537 ++#: src/config/SSSDConfig/sssdoptions.py:540 + msgid "Base DN for automounter map lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:538 ++#: src/config/SSSDConfig/sssdoptions.py:541 + msgid "The name of the automount master map in LDAP." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:541 ++#: src/config/SSSDConfig/sssdoptions.py:544 + msgid "Base DN for IP hosts lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:542 ++#: src/config/SSSDConfig/sssdoptions.py:545 + msgid "Object class for IP hosts" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:543 ++#: src/config/SSSDConfig/sssdoptions.py:546 + msgid "IP host name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:544 ++#: src/config/SSSDConfig/sssdoptions.py:547 + msgid "IP host number (address) attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:545 ++#: src/config/SSSDConfig/sssdoptions.py:548 + msgid "IP host entryUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:546 ++#: src/config/SSSDConfig/sssdoptions.py:549 + msgid "Base DN for IP networks lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:547 ++#: src/config/SSSDConfig/sssdoptions.py:550 + msgid "Object class for IP networks" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:548 ++#: src/config/SSSDConfig/sssdoptions.py:551 + msgid "IP network name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:549 ++#: src/config/SSSDConfig/sssdoptions.py:552 + msgid "IP network number (address) attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:550 ++#: src/config/SSSDConfig/sssdoptions.py:553 + msgid "IP network entryUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:553 ++#: src/config/SSSDConfig/sssdoptions.py:556 + msgid "Comma separated list of allowed users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:554 ++#: src/config/SSSDConfig/sssdoptions.py:557 + msgid "Comma separated list of prohibited users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:555 ++#: src/config/SSSDConfig/sssdoptions.py:558 + msgid "" + "Comma separated list of groups that are allowed to log in. 
This applies only " + "to groups within this SSSD domain. Local groups are not evaluated." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:557 ++#: src/config/SSSDConfig/sssdoptions.py:560 + msgid "" + "Comma separated list of groups that are explicitly denied access. This " + "applies only to groups within this SSSD domain. Local groups are not " + "evaluated." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:561 ++#: src/config/SSSDConfig/sssdoptions.py:564 + msgid "Base for home directories" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:562 ++#: src/config/SSSDConfig/sssdoptions.py:565 + msgid "Indicate if a home directory should be created for new users." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:563 ++#: src/config/SSSDConfig/sssdoptions.py:566 + msgid "Indicate if a home directory should be removed for deleted users." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:564 ++#: src/config/SSSDConfig/sssdoptions.py:567 + msgid "Specify the default permissions on a newly created home directory." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:565 ++#: src/config/SSSDConfig/sssdoptions.py:568 + msgid "The skeleton directory." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:566 ++#: src/config/SSSDConfig/sssdoptions.py:569 + msgid "The mail spool directory." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:567 ++#: src/config/SSSDConfig/sssdoptions.py:570 + msgid "The command that is run after a user is removed." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:570 ++#: src/config/SSSDConfig/sssdoptions.py:573 + msgid "The number of preforked proxy children." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:573 ++#: src/config/SSSDConfig/sssdoptions.py:576 + msgid "The name of the NSS library to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:574 ++#: src/config/SSSDConfig/sssdoptions.py:577 + msgid "The name of the NSS library to use for hosts and networks lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:575 ++#: src/config/SSSDConfig/sssdoptions.py:578 + msgid "Whether to look up canonical group name from cache if possible" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:578 ++#: src/config/SSSDConfig/sssdoptions.py:581 + msgid "PAM stack to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:581 ++#: src/config/SSSDConfig/sssdoptions.py:584 + msgid "Path of passwd file sources." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:582 ++#: src/config/SSSDConfig/sssdoptions.py:585 + msgid "Path of group file sources." + msgstr "" + +-#: src/monitor/monitor.c:2376 ++#: src/monitor/monitor.c:2381 + msgid "Become a daemon (default)" + msgstr "" + +-#: src/monitor/monitor.c:2378 ++#: src/monitor/monitor.c:2383 + msgid "Run interactive (not a daemon)" + msgstr "" + +-#: src/monitor/monitor.c:2381 ++#: src/monitor/monitor.c:2386 + msgid "Disable netlink interface" + msgstr "" + +-#: src/monitor/monitor.c:2383 src/tools/sssctl/sssctl_config.c:77 ++#: src/monitor/monitor.c:2388 src/tools/sssctl/sssctl_config.c:77 + #: src/tools/sssctl/sssctl_logs.c:310 + msgid "Specify a non-default config file" + msgstr "" + +-#: src/monitor/monitor.c:2385 ++#: src/monitor/monitor.c:2390 + msgid "Refresh the configuration database, then exit" + msgstr "" + +-#: src/monitor/monitor.c:2388 ++#: src/monitor/monitor.c:2393 + msgid "Similar to --genconf, but only refreshes the given section" + msgstr "" + +-#: src/monitor/monitor.c:2391 ++#: src/monitor/monitor.c:2396 + msgid "Print version number and exit" + msgstr "" + +-#: src/monitor/monitor.c:2537 ++#: src/monitor/monitor.c:2542 + msgid 
"SSSD is already running\n" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3260 src/providers/ldap/ldap_child.c:638 ++#: src/providers/krb5/krb5_child.c:3274 src/providers/ldap/ldap_child.c:638 + msgid "Debug level" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3262 src/providers/ldap/ldap_child.c:640 ++#: src/providers/krb5/krb5_child.c:3276 src/providers/ldap/ldap_child.c:640 + msgid "Add debug timestamps" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3264 src/providers/ldap/ldap_child.c:642 ++#: src/providers/krb5/krb5_child.c:3278 src/providers/ldap/ldap_child.c:642 + msgid "Show timestamps with microseconds" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3266 src/providers/ldap/ldap_child.c:644 ++#: src/providers/krb5/krb5_child.c:3280 src/providers/ldap/ldap_child.c:644 + msgid "An open file descriptor for the debug logs" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3269 src/providers/ldap/ldap_child.c:646 ++#: src/providers/krb5/krb5_child.c:3283 src/providers/ldap/ldap_child.c:646 + msgid "Send the debug output to stderr directly." 
+ msgstr "" + +-#: src/providers/krb5/krb5_child.c:3272 ++#: src/providers/krb5/krb5_child.c:3286 + msgid "The user to create FAST ccache as" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3274 ++#: src/providers/krb5/krb5_child.c:3288 + msgid "The group to create FAST ccache as" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3276 ++#: src/providers/krb5/krb5_child.c:3290 + msgid "Kerberos realm to use" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3278 ++#: src/providers/krb5/krb5_child.c:3292 + msgid "Requested lifetime of the ticket" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3280 ++#: src/providers/krb5/krb5_child.c:3294 + msgid "Requested renewable lifetime of the ticket" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3282 ++#: src/providers/krb5/krb5_child.c:3296 + msgid "FAST options ('never', 'try', 'demand')" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3285 ++#: src/providers/krb5/krb5_child.c:3299 + msgid "Specifies the server principal to use for FAST" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3287 ++#: src/providers/krb5/krb5_child.c:3301 + msgid "Requests canonicalization of the principal name" + msgstr "" + +-#: src/providers/krb5/krb5_child.c:3289 ++#: src/providers/krb5/krb5_child.c:3303 + msgid "Use custom version of krb5_get_init_creds_password" + msgstr "" + +-#: src/providers/data_provider_be.c:699 ++#: src/providers/data_provider_be.c:711 + msgid "Domain of the information provider (mandatory)" + msgstr "" + +-#: src/sss_client/common.c:1079 ++#: src/sss_client/common.c:1088 + msgid "Privileged socket has wrong ownership or permissions." + msgstr "" + +-#: src/sss_client/common.c:1082 ++#: src/sss_client/common.c:1091 + msgid "Public socket has wrong ownership or permissions." + msgstr "" + +-#: src/sss_client/common.c:1085 ++#: src/sss_client/common.c:1094 + msgid "Unexpected format of the server credential message." 
+ msgstr "" + +-#: src/sss_client/common.c:1088 ++#: src/sss_client/common.c:1097 + msgid "SSSD is not run by root." + msgstr "" + +-#: src/sss_client/common.c:1091 ++#: src/sss_client/common.c:1100 + msgid "SSSD socket does not exist." + msgstr "" + +-#: src/sss_client/common.c:1094 ++#: src/sss_client/common.c:1103 + msgid "Cannot get stat of SSSD socket." + msgstr "" + +-#: src/sss_client/common.c:1099 ++#: src/sss_client/common.c:1108 + msgid "An error occurred, but no description can be found." + msgstr "" + +-#: src/sss_client/common.c:1105 ++#: src/sss_client/common.c:1114 + msgid "Unexpected error while looking for an error description" + msgstr "" + +@@ -1983,88 +1995,88 @@ msgstr "" + msgid "Permission denied. " + msgstr "" + +-#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 +-#: src/sss_client/pam_sss.c:792 ++#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 ++#: src/sss_client/pam_sss.c:796 + msgid "Server message: " + msgstr "" + +-#: src/sss_client/pam_sss.c:299 ++#: src/sss_client/pam_sss.c:303 + msgid "Passwords do not match" + msgstr "" + +-#: src/sss_client/pam_sss.c:487 ++#: src/sss_client/pam_sss.c:491 + msgid "Password reset by root is not supported." + msgstr "" + +-#: src/sss_client/pam_sss.c:528 ++#: src/sss_client/pam_sss.c:532 + msgid "Authenticated with cached credentials" + msgstr "" + +-#: src/sss_client/pam_sss.c:529 ++#: src/sss_client/pam_sss.c:533 + msgid ", your cached password will expire at: " + msgstr "" + +-#: src/sss_client/pam_sss.c:559 ++#: src/sss_client/pam_sss.c:563 + #, c-format + msgid "Your password has expired. You have %1$d grace login(s) remaining." + msgstr "" + +-#: src/sss_client/pam_sss.c:605 ++#: src/sss_client/pam_sss.c:609 + #, c-format + msgid "Your password will expire in %1$d %2$s." 
+ msgstr "" + +-#: src/sss_client/pam_sss.c:654 ++#: src/sss_client/pam_sss.c:658 + msgid "Authentication is denied until: " + msgstr "" + +-#: src/sss_client/pam_sss.c:675 ++#: src/sss_client/pam_sss.c:679 + msgid "System is offline, password change not possible" + msgstr "" + +-#: src/sss_client/pam_sss.c:690 ++#: src/sss_client/pam_sss.c:694 + msgid "" + "After changing the OTP password, you need to log out and back in order to " + "acquire a ticket" + msgstr "" + +-#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 ++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 + msgid "Password change failed. " + msgstr "" + +-#: src/sss_client/pam_sss.c:2015 ++#: src/sss_client/pam_sss.c:2044 + msgid "New Password: " + msgstr "" + +-#: src/sss_client/pam_sss.c:2016 ++#: src/sss_client/pam_sss.c:2045 + msgid "Reenter new Password: " + msgstr "" + +-#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 ++#: src/sss_client/pam_sss.c:2207 src/sss_client/pam_sss.c:2210 + msgid "First Factor: " + msgstr "" + +-#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 ++#: src/sss_client/pam_sss.c:2208 src/sss_client/pam_sss.c:2382 + msgid "Second Factor (optional): " + msgstr "" + +-#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 ++#: src/sss_client/pam_sss.c:2211 src/sss_client/pam_sss.c:2385 + msgid "Second Factor: " + msgstr "" + +-#: src/sss_client/pam_sss.c:2200 ++#: src/sss_client/pam_sss.c:2229 + msgid "Password: " + msgstr "" + +-#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 ++#: src/sss_client/pam_sss.c:2381 src/sss_client/pam_sss.c:2384 + msgid "First Factor (Current Password): " + msgstr "" + +-#: src/sss_client/pam_sss.c:2359 ++#: src/sss_client/pam_sss.c:2388 + msgid "Current Password: " + msgstr "" + +-#: src/sss_client/pam_sss.c:2716 ++#: src/sss_client/pam_sss.c:2745 + msgid "Password expired. Change your password now." 
+ msgstr "" + +@@ -3181,18 +3193,18 @@ msgstr "" + msgid " - no env -\n" + msgstr "" + +-#: src/util/util.h:82 ++#: src/util/util.h:86 + msgid "The user ID to run the server as" + msgstr "" + +-#: src/util/util.h:84 ++#: src/util/util.h:88 + msgid "The group ID to run the server as" + msgstr "" + +-#: src/util/util.h:92 ++#: src/util/util.h:96 + msgid "Informs that the responder has been socket-activated" + msgstr "" + +-#: src/util/util.h:94 ++#: src/util/util.h:98 + msgid "Informs that the responder has been dbus-activated" + msgstr "" +-- +2.21.3 + diff --git a/SOURCES/0049-Update-the-translations-for-the-2.4.1-release.patch b/SOURCES/0049-Update-the-translations-for-the-2.4.1-release.patch new file mode 100644 index 0000000..8e6c364 --- /dev/null +++ b/SOURCES/0049-Update-the-translations-for-the-2.4.1-release.patch 
@@ -0,0 +1,6893 @@ +From b38701b9ebdfe1291e0d9f7aa6ff814f9b42b51a Mon Sep 17 00:00:00 2001 +From: Weblate +Date: Fri, 5 Feb 2021 12:01:46 +0100 +Subject: [PATCH] Update the translations for the 2.4.1 release + +--- + po/fr.po | 860 ++++++++++++++++++++++++++-------------------------- + po/ja.po | 860 ++++++++++++++++++++++++++-------------------------- + po/zh_CN.po | 860 ++++++++++++++++++++++++++-------------------------- + 3 files changed, 1308 insertions(+), 1272 deletions(-) + +diff --git a/po/fr.po b/po/fr.po +index eded3659c..e2e906d35 100644 +--- a/po/fr.po ++++ b/po/fr.po +@@ -15,7 +15,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +-"POT-Creation-Date: 2020-10-12 12:21+0200\n" ++"POT-Creation-Date: 2021-02-05 11:58+0100\n" + "PO-Revision-Date: 2020-08-04 05:55+0000\n" + "Last-Translator: Jean-Baptiste Holcroft \n" + "Language-Team: French \n" + "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/" +@@ -175,7 +175,7 @@ msgid "Entry cache background update timeout length (seconds)" + msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)" + + #: src/config/SSSDConfig/sssdoptions.py:61 +-#: src/config/SSSDConfig/sssdoptions.py:115 ++#: src/config/SSSDConfig/sssdoptions.py:117 + msgid "Negative cache timeout length (seconds)" + msgstr "ネガティブキャッシュのタイムアウト(秒)" + +@@ -360,15 +360,23 @@ msgstr "スマートカード認証向けのデバイスの選択を PKCS#11 URI + msgid "When shall the PAM responder force an initgroups request" + msgstr "PAM レスポンダーが initgroups リクエストを強制するとき" + +-#: src/config/SSSDConfig/sssdoptions.py:109 ++#: src/config/SSSDConfig/sssdoptions.py:107 ++msgid "List of PAM services that are allowed to authenticate with GSSAPI." 
++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:108 ++msgid "Whether to match authenticated UPN with target user" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:111 + msgid "Whether to evaluate the time-based attributes in sudo rules" + msgstr "sudo ルールにおいて時間による属性を評価するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:110 ++#: src/config/SSSDConfig/sssdoptions.py:112 + msgid "If true, SSSD will switch back to lower-wins ordering logic" + msgstr "正しい場合、SSSD は小さい番号が優先される順位付けのロジックへ戻ります" + +-#: src/config/SSSDConfig/sssdoptions.py:111 ++#: src/config/SSSDConfig/sssdoptions.py:113 + msgid "" + "Maximum number of rules that can be refreshed at once. If this is exceeded, " + "full refresh is performed." +@@ -376,105 +384,105 @@ msgstr "" + "一度にリフレッシュ可能なルールの最大数。最大数を超えると、フルリフレッシュが" + "実行されます。" + +-#: src/config/SSSDConfig/sssdoptions.py:118 ++#: src/config/SSSDConfig/sssdoptions.py:120 + msgid "Whether to hash host names and addresses in the known_hosts file" + msgstr "known_hosts ファイルにおいてホスト名とアドレスをハッシュ化するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:119 ++#: src/config/SSSDConfig/sssdoptions.py:121 + msgid "" + "How many seconds to keep a host in the known_hosts file after its host keys " + "were requested" + msgstr "ホスト鍵が要求された後 known_hosts ファイルにホストを保持する秒数" + +-#: src/config/SSSDConfig/sssdoptions.py:121 ++#: src/config/SSSDConfig/sssdoptions.py:123 + msgid "Path to storage of trusted CA certificates" + msgstr "信頼された CA 証明書のストレージへのパス" + +-#: src/config/SSSDConfig/sssdoptions.py:122 ++#: src/config/SSSDConfig/sssdoptions.py:124 + msgid "Allow to generate ssh-keys from certificates" + msgstr "証明書からの ssh-key の生成を許可します" + +-#: src/config/SSSDConfig/sssdoptions.py:123 ++#: src/config/SSSDConfig/sssdoptions.py:125 + msgid "" + "Use the following matching rules to filter the certificates for ssh-key " + "generation" + msgstr "" + "以下の一致するルールを使用して、ssh-key 生成用の証明書をフィルタリングします" + +-#: src/config/SSSDConfig/sssdoptions.py:127 ++#: 
src/config/SSSDConfig/sssdoptions.py:129 + msgid "List of UIDs or user names allowed to access the PAC responder" + msgstr "PAC レスポンダーへのアクセスが許可された UID またはユーザー名の一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:128 ++#: src/config/SSSDConfig/sssdoptions.py:130 + msgid "How long the PAC data is considered valid" + msgstr "PAC データが有効とされる期間" + +-#: src/config/SSSDConfig/sssdoptions.py:131 ++#: src/config/SSSDConfig/sssdoptions.py:133 + msgid "List of user attributes the InfoPipe is allowed to publish" + msgstr "InfoPipe がパブリッシュを許可されたユーザー属性の一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:134 ++#: src/config/SSSDConfig/sssdoptions.py:136 + msgid "The provider where the secrets will be stored in" + msgstr "シークレットが保存されるプロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:135 ++#: src/config/SSSDConfig/sssdoptions.py:137 + msgid "The maximum allowed number of nested containers" + msgstr "ネストされたコンテナーの最大許可数" + +-#: src/config/SSSDConfig/sssdoptions.py:136 ++#: src/config/SSSDConfig/sssdoptions.py:138 + msgid "The maximum number of secrets that can be stored" + msgstr "保存可能なシークレットの最大数" + +-#: src/config/SSSDConfig/sssdoptions.py:137 ++#: src/config/SSSDConfig/sssdoptions.py:139 + msgid "The maximum number of secrets that can be stored per UID" + msgstr "UID ごとに保存可能なシークレットの最大数" + +-#: src/config/SSSDConfig/sssdoptions.py:138 ++#: src/config/SSSDConfig/sssdoptions.py:140 + msgid "The maximum payload size of a secret in kilobytes" + msgstr "キロバイトでのシークレットの最大ペイロードサイズ" + +-#: src/config/SSSDConfig/sssdoptions.py:140 ++#: src/config/SSSDConfig/sssdoptions.py:142 + msgid "The URL Custodia server is listening on" + msgstr "URL Custodia サーバーはリッスンしています" + +-#: src/config/SSSDConfig/sssdoptions.py:141 ++#: src/config/SSSDConfig/sssdoptions.py:143 + msgid "The method to use when authenticating to a Custodia server" + msgstr "Custodia サーバーへの認証時に使用する方法" + +-#: src/config/SSSDConfig/sssdoptions.py:142 ++#: src/config/SSSDConfig/sssdoptions.py:144 + msgid "" + "The name of the headers that will 
be added into a HTTP request with the " + "value defined in auth_header_value" + msgstr "" + "auth_header_value で値が定義され、HTTP リクエストに追加されるヘッダーの名前" + +-#: src/config/SSSDConfig/sssdoptions.py:144 ++#: src/config/SSSDConfig/sssdoptions.py:146 + msgid "The value sssd-secrets would use for auth_header_name" + msgstr "sssd-secrets の値は、auth_header_name で使用します" + +-#: src/config/SSSDConfig/sssdoptions.py:145 ++#: src/config/SSSDConfig/sssdoptions.py:147 + msgid "" + "The list of the headers to forward to the Custodia server together with the " + "request" + msgstr "要求と共に Custodia サーバーへ転送するヘッダーの一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:146 ++#: src/config/SSSDConfig/sssdoptions.py:148 + msgid "" + "The username to use when authenticating to a Custodia server using basic_auth" + msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するユーザー名" + +-#: src/config/SSSDConfig/sssdoptions.py:147 ++#: src/config/SSSDConfig/sssdoptions.py:149 + msgid "" + "The password to use when authenticating to a Custodia server using basic_auth" + msgstr "basic_auth を使った Custodia サーバーへの認証時に使用するパスワード" + +-#: src/config/SSSDConfig/sssdoptions.py:148 ++#: src/config/SSSDConfig/sssdoptions.py:150 + msgid "If true peer's certificate is verified if proxy_url uses https protocol" + msgstr "" + "proxy_url が https protocol を使用する場合に、正しいピアの証明書が検証される" + "かどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:149 ++#: src/config/SSSDConfig/sssdoptions.py:151 + msgid "" + "If false peer's certificate may contain different hostname than proxy_url " + "when https protocol is used" +@@ -482,23 +490,23 @@ msgstr "" + "https プロトコルが使用される場合に、間違ったピアの証明書が proxy_url 以外の異" + "なるホスト名を含むかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:151 ++#: src/config/SSSDConfig/sssdoptions.py:153 + msgid "Path to directory where certificate authority certificates are stored" + msgstr "CA 証明書が保存されているディレクトリーへのパス" + +-#: src/config/SSSDConfig/sssdoptions.py:152 ++#: src/config/SSSDConfig/sssdoptions.py:154 + msgid "Path to file containing 
server's CA certificate" + msgstr "サーバーの CA 証明書を含むファイルへのパス" + +-#: src/config/SSSDConfig/sssdoptions.py:153 ++#: src/config/SSSDConfig/sssdoptions.py:155 + msgid "Path to file containing client's certificate" + msgstr "クライアントの証明書を含むファイルへのパス" + +-#: src/config/SSSDConfig/sssdoptions.py:154 ++#: src/config/SSSDConfig/sssdoptions.py:156 + msgid "Path to file containing client's private key" + msgstr "クライアントの秘密鍵を含むファイルへのパス" + +-#: src/config/SSSDConfig/sssdoptions.py:157 ++#: src/config/SSSDConfig/sssdoptions.py:159 + msgid "" + "One of the following strings specifying the scope of session recording: none " + "- No users are recorded. some - Users/groups specified by users and groups " +@@ -508,7 +516,7 @@ msgstr "" + "いません。some: ユーザーとグループオプションによって指定されているユーザー/グ" + "ループが記録されています。all: すべてのユーザーが記録されます。" + +-#: src/config/SSSDConfig/sssdoptions.py:160 ++#: src/config/SSSDConfig/sssdoptions.py:162 + msgid "" + "A comma-separated list of users which should have session recording enabled. " + "Matches user names as returned by NSS. I.e. after the possible space " +@@ -518,7 +526,7 @@ msgstr "" + "返すユーザー名にマッチします。つまり、スペースの置換、大文字小文字の変更など" + "の可能性がある場合には、その後になります。" + +-#: src/config/SSSDConfig/sssdoptions.py:162 ++#: src/config/SSSDConfig/sssdoptions.py:164 + msgid "" + "A comma-separated list of groups, members of which should have session " + "recording enabled. Matches group names as returned by NSS. I.e. after the " +@@ -528,112 +536,112 @@ msgstr "" + "トです。NSS が返すグループ名にマッチします。つまり、スペースの置換、大文字小" + "文字の変更などの可能性がある場合には、その後になります。" + +-#: src/config/SSSDConfig/sssdoptions.py:165 ++#: src/config/SSSDConfig/sssdoptions.py:167 + msgid "" + "A comma-separated list of users to be excluded from recording, only when " + "scope=all" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:166 ++#: src/config/SSSDConfig/sssdoptions.py:168 + msgid "" + "A comma-separated list of groups, members of which should be excluded from " + "recording, only when scope=all. 
" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:170 ++#: src/config/SSSDConfig/sssdoptions.py:172 + msgid "Identity provider" + msgstr "アイデンティティープロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:171 ++#: src/config/SSSDConfig/sssdoptions.py:173 + msgid "Authentication provider" + msgstr "認証プロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:172 ++#: src/config/SSSDConfig/sssdoptions.py:174 + msgid "Access control provider" + msgstr "アクセス制御プロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:173 ++#: src/config/SSSDConfig/sssdoptions.py:175 + msgid "Password change provider" + msgstr "パスワード変更プロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:174 ++#: src/config/SSSDConfig/sssdoptions.py:176 + msgid "SUDO provider" + msgstr "SUDO プロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:175 ++#: src/config/SSSDConfig/sssdoptions.py:177 + msgid "Autofs provider" + msgstr "Autofs プロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:176 ++#: src/config/SSSDConfig/sssdoptions.py:178 + msgid "Host identity provider" + msgstr "ホスト識別プロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:177 ++#: src/config/SSSDConfig/sssdoptions.py:179 + msgid "SELinux provider" + msgstr "SELinux プロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:178 ++#: src/config/SSSDConfig/sssdoptions.py:180 + msgid "Session management provider" + msgstr "セッションマネージャーのプロバイダー" + +-#: src/config/SSSDConfig/sssdoptions.py:179 ++#: src/config/SSSDConfig/sssdoptions.py:181 + msgid "Resolver provider" + msgstr "リゾルバープロバイダ" + +-#: src/config/SSSDConfig/sssdoptions.py:182 ++#: src/config/SSSDConfig/sssdoptions.py:184 + msgid "Whether the domain is usable by the OS or by applications" + msgstr "OS またはアプリケーションがドメインを使用できるかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:183 ++#: src/config/SSSDConfig/sssdoptions.py:185 + #, fuzzy + msgid "Enable or disable the domain" + msgstr "暗黙のファイルドメインを有効化または無効化する" + +-#: src/config/SSSDConfig/sssdoptions.py:184 ++#: src/config/SSSDConfig/sssdoptions.py:186 + msgid "Minimum 
user ID" + msgstr "最小ユーザー ID" + +-#: src/config/SSSDConfig/sssdoptions.py:185 ++#: src/config/SSSDConfig/sssdoptions.py:187 + msgid "Maximum user ID" + msgstr "最大ユーザー ID" + +-#: src/config/SSSDConfig/sssdoptions.py:186 ++#: src/config/SSSDConfig/sssdoptions.py:188 + msgid "Enable enumerating all users/groups" + msgstr "すべてのユーザー・グループの列挙を有効にする" + +-#: src/config/SSSDConfig/sssdoptions.py:187 ++#: src/config/SSSDConfig/sssdoptions.py:189 + msgid "Cache credentials for offline login" + msgstr "オフラインログインのためにクレデンシャルをキャッシュする" + +-#: src/config/SSSDConfig/sssdoptions.py:188 ++#: src/config/SSSDConfig/sssdoptions.py:190 + msgid "Display users/groups in fully-qualified form" + msgstr "ユーザー・グループを完全修飾形式で表示する" + +-#: src/config/SSSDConfig/sssdoptions.py:189 ++#: src/config/SSSDConfig/sssdoptions.py:191 + msgid "Don't include group members in group lookups" + msgstr "グループ検索にグループメンバーを含めない" + +-#: src/config/SSSDConfig/sssdoptions.py:190 +-#: src/config/SSSDConfig/sssdoptions.py:200 +-#: src/config/SSSDConfig/sssdoptions.py:201 ++#: src/config/SSSDConfig/sssdoptions.py:192 + #: src/config/SSSDConfig/sssdoptions.py:202 + #: src/config/SSSDConfig/sssdoptions.py:203 + #: src/config/SSSDConfig/sssdoptions.py:204 + #: src/config/SSSDConfig/sssdoptions.py:205 + #: src/config/SSSDConfig/sssdoptions.py:206 ++#: src/config/SSSDConfig/sssdoptions.py:207 ++#: src/config/SSSDConfig/sssdoptions.py:208 + msgid "Entry cache timeout length (seconds)" + msgstr "エントリーキャッシュのタイムアウト長(秒)" + +-#: src/config/SSSDConfig/sssdoptions.py:191 ++#: src/config/SSSDConfig/sssdoptions.py:193 + msgid "" + "Restrict or prefer a specific address family when performing DNS lookups" + msgstr "DNS 検索を実行する時に特定のアドレスファミリーを制限または優先します" + +-#: src/config/SSSDConfig/sssdoptions.py:192 ++#: src/config/SSSDConfig/sssdoptions.py:194 + msgid "How long to keep cached entries after last successful login (days)" + msgstr "最終ログイン成功時からキャッシュエントリーを保持する日数" + +-#: src/config/SSSDConfig/sssdoptions.py:193 ++#: 
src/config/SSSDConfig/sssdoptions.py:195 + msgid "" + "How long should SSSD talk to single DNS server before trying next server " + "(miliseconds)" +@@ -641,99 +649,99 @@ msgstr "" + "次のサーバーを試行するまでに SSSD が単一の DNS サーバーと通信する時間 (ミリ" + "秒)" + +-#: src/config/SSSDConfig/sssdoptions.py:195 ++#: src/config/SSSDConfig/sssdoptions.py:197 + msgid "How long should keep trying to resolve single DNS query (seconds)" + msgstr "単一の DNS クエリーの解決を試行する時間 (秒)" + +-#: src/config/SSSDConfig/sssdoptions.py:196 ++#: src/config/SSSDConfig/sssdoptions.py:198 + msgid "How long to wait for replies from DNS when resolving servers (seconds)" + msgstr "サーバーを名前解決する時に DNS から応答を待つ時間(秒)" + +-#: src/config/SSSDConfig/sssdoptions.py:197 ++#: src/config/SSSDConfig/sssdoptions.py:199 + msgid "The domain part of service discovery DNS query" + msgstr "サービス検索 DNS クエリーのドメイン部分" + +-#: src/config/SSSDConfig/sssdoptions.py:198 ++#: src/config/SSSDConfig/sssdoptions.py:200 + msgid "Override GID value from the identity provider with this value" + msgstr "識別プロバイダーからの GID 値をこの値で上書きする" + +-#: src/config/SSSDConfig/sssdoptions.py:199 ++#: src/config/SSSDConfig/sssdoptions.py:201 + msgid "Treat usernames as case sensitive" + msgstr "ユーザー名が大文字小文字を区別するよう取り扱う" + +-#: src/config/SSSDConfig/sssdoptions.py:207 ++#: src/config/SSSDConfig/sssdoptions.py:209 + msgid "How often should expired entries be refreshed in background" + msgstr "期限切れのエントリーがバックグラウンドで更新される頻度" + +-#: src/config/SSSDConfig/sssdoptions.py:208 ++#: src/config/SSSDConfig/sssdoptions.py:210 + msgid "Whether to automatically update the client's DNS entry" + msgstr "自動的にクライアントの DNS エントリーを更新するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:209 +-#: src/config/SSSDConfig/sssdoptions.py:239 ++#: src/config/SSSDConfig/sssdoptions.py:211 ++#: src/config/SSSDConfig/sssdoptions.py:241 + msgid "The TTL to apply to the client's DNS entry after updating it" + msgstr "クライアントの DNS 項目を更新後、適用する TTL" + +-#: src/config/SSSDConfig/sssdoptions.py:210 +-#: 
src/config/SSSDConfig/sssdoptions.py:240 ++#: src/config/SSSDConfig/sssdoptions.py:212 ++#: src/config/SSSDConfig/sssdoptions.py:242 + msgid "The interface whose IP should be used for dynamic DNS updates" + msgstr "動的 DNS 更新のために使用される IP のインターフェース" + +-#: src/config/SSSDConfig/sssdoptions.py:211 ++#: src/config/SSSDConfig/sssdoptions.py:213 + msgid "How often to periodically update the client's DNS entry" + msgstr "どのくらい定期的にクライアントの DNS エントリーを更新するか" + +-#: src/config/SSSDConfig/sssdoptions.py:212 ++#: src/config/SSSDConfig/sssdoptions.py:214 + msgid "Whether the provider should explicitly update the PTR record as well" + msgstr "" + "プロバイダーが同じように PTR レコードを明示的に更新する必要があるかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:213 ++#: src/config/SSSDConfig/sssdoptions.py:215 + msgid "Whether the nsupdate utility should default to using TCP" + msgstr "nsupdate ユーティリティーが標準で TCP を使用するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:214 ++#: src/config/SSSDConfig/sssdoptions.py:216 + msgid "What kind of authentication should be used to perform the DNS update" + msgstr "DNS 更新を実行するために使用すべき認証の種類" + +-#: src/config/SSSDConfig/sssdoptions.py:215 ++#: src/config/SSSDConfig/sssdoptions.py:217 + msgid "Override the DNS server used to perform the DNS update" + msgstr "DNS の更新を実行する際に使用する DNS サーバーを上書き" + +-#: src/config/SSSDConfig/sssdoptions.py:216 ++#: src/config/SSSDConfig/sssdoptions.py:218 + msgid "Control enumeration of trusted domains" + msgstr "信頼されたドメインの列挙を制御" + +-#: src/config/SSSDConfig/sssdoptions.py:217 ++#: src/config/SSSDConfig/sssdoptions.py:219 + msgid "How often should subdomains list be refreshed" + msgstr "サブドメインの一覧のリフレッシュ回数" + +-#: src/config/SSSDConfig/sssdoptions.py:218 ++#: src/config/SSSDConfig/sssdoptions.py:220 + msgid "List of options that should be inherited into a subdomain" + msgstr "サブドメインに継承すべきオプションの一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:219 ++#: src/config/SSSDConfig/sssdoptions.py:221 + msgid "Default subdomain homedir value" + msgstr 
"デフォルトのサブドメインホームディレクトリーの値" + +-#: src/config/SSSDConfig/sssdoptions.py:220 ++#: src/config/SSSDConfig/sssdoptions.py:222 + msgid "How long can cached credentials be used for cached authentication" + msgstr "証明書キャッシュを認証キャッシュに使用できる期間" + +-#: src/config/SSSDConfig/sssdoptions.py:221 ++#: src/config/SSSDConfig/sssdoptions.py:223 + msgid "Whether to automatically create private groups for users" + msgstr "ユーザーにプライベートグループを自動的に作成するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:222 ++#: src/config/SSSDConfig/sssdoptions.py:224 + msgid "Display a warning N days before the password expires." + msgstr "Display a warning N days before the password expires." + +-#: src/config/SSSDConfig/sssdoptions.py:223 ++#: src/config/SSSDConfig/sssdoptions.py:225 + msgid "" + "Various tags stored by the realmd configuration service for this domain." + msgstr "このドメインのための realmd 設定サービスによって格納された様々なタグ。" + +-#: src/config/SSSDConfig/sssdoptions.py:224 ++#: src/config/SSSDConfig/sssdoptions.py:226 + msgid "" + "The provider which should handle fetching of subdomains. This value should " + "be always the same as id_provider." +@@ -741,7 +749,7 @@ msgstr "" + "サブドメインの取得を処理する必要のあるプロバイダー。この値は常に id_provider " + "と同じでなければなりません。" + +-#: src/config/SSSDConfig/sssdoptions.py:226 ++#: src/config/SSSDConfig/sssdoptions.py:228 + msgid "" + "How many seconds to keep a host ssh key after refresh. IE how long to cache " + "the host key for." 
+@@ -749,7 +757,7 @@ msgstr "" + "リフレッシュ後にホストの ssh 鍵を保持するには何秒かかるか。IE ホストキーを何" + "秒キャッシュするか。" + +-#: src/config/SSSDConfig/sssdoptions.py:228 ++#: src/config/SSSDConfig/sssdoptions.py:230 + msgid "" + "If 2-Factor-Authentication (2FA) is used and credentials should be saved " + "this value determines the minimal length the first authentication factor " +@@ -759,95 +767,95 @@ msgstr "" + "この値は、最初の認証要素 (長期パスワード) を SHA512 ハッシュとしてキャッシュ" + "に保存する必要がある最小の長さを決定します。" + +-#: src/config/SSSDConfig/sssdoptions.py:234 ++#: src/config/SSSDConfig/sssdoptions.py:236 + msgid "IPA domain" + msgstr "IPA ドメイン" + +-#: src/config/SSSDConfig/sssdoptions.py:235 ++#: src/config/SSSDConfig/sssdoptions.py:237 + msgid "IPA server address" + msgstr "IPA サーバーのアドレス" + +-#: src/config/SSSDConfig/sssdoptions.py:236 ++#: src/config/SSSDConfig/sssdoptions.py:238 + msgid "Address of backup IPA server" + msgstr "バックアップ IPA サーバーのアドレス" + +-#: src/config/SSSDConfig/sssdoptions.py:237 ++#: src/config/SSSDConfig/sssdoptions.py:239 + msgid "IPA client hostname" + msgstr "IPA クライアントのホスト名" + +-#: src/config/SSSDConfig/sssdoptions.py:238 ++#: src/config/SSSDConfig/sssdoptions.py:240 + msgid "Whether to automatically update the client's DNS entry in FreeIPA" + msgstr "FreeIPA にあるクライアントの DNS エントリーを自動的に更新するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:241 ++#: src/config/SSSDConfig/sssdoptions.py:243 + msgid "Search base for HBAC related objects" + msgstr "HBAC 関連オブジェクトの検索ベース" + +-#: src/config/SSSDConfig/sssdoptions.py:242 ++#: src/config/SSSDConfig/sssdoptions.py:244 + msgid "" + "The amount of time between lookups of the HBAC rules against the IPA server" + msgstr "IPA サーバーに対する HBAC ルールを検索している間の合計時間" + +-#: src/config/SSSDConfig/sssdoptions.py:243 ++#: src/config/SSSDConfig/sssdoptions.py:245 + msgid "" + "The amount of time in seconds between lookups of the SELinux maps against " + "the IPA server" + msgstr "IPA サーバーに対する SELinux マップの検索の間の秒単位の合計時間" + +-#: src/config/SSSDConfig/sssdoptions.py:245 ++#: 
src/config/SSSDConfig/sssdoptions.py:247 + msgid "If set to false, host argument given by PAM will be ignored" + msgstr "もし偽に設定されていると、PAM により渡されたホスト引数は無視されます" + +-#: src/config/SSSDConfig/sssdoptions.py:246 ++#: src/config/SSSDConfig/sssdoptions.py:248 + msgid "The automounter location this IPA client is using" + msgstr "この IPA クライアントが使用している automounter の場所" + +-#: src/config/SSSDConfig/sssdoptions.py:247 ++#: src/config/SSSDConfig/sssdoptions.py:249 + msgid "Search base for object containing info about IPA domain" + msgstr "IPA ドメインに関する情報を含むオブジェクトに対する検索ベース" + +-#: src/config/SSSDConfig/sssdoptions.py:248 ++#: src/config/SSSDConfig/sssdoptions.py:250 + msgid "Search base for objects containing info about ID ranges" + msgstr "ID 範囲に関する情報を含むオブジェクトに対する検索ベース" + +-#: src/config/SSSDConfig/sssdoptions.py:249 +-#: src/config/SSSDConfig/sssdoptions.py:303 ++#: src/config/SSSDConfig/sssdoptions.py:251 ++#: src/config/SSSDConfig/sssdoptions.py:305 + msgid "Enable DNS sites - location based service discovery" + msgstr "DNS サイトの有効化 - 位置ベースのサービス検索" + +-#: src/config/SSSDConfig/sssdoptions.py:250 ++#: src/config/SSSDConfig/sssdoptions.py:252 + msgid "Search base for view containers" + msgstr "ビューコンテナーの検索ベース" + +-#: src/config/SSSDConfig/sssdoptions.py:251 ++#: src/config/SSSDConfig/sssdoptions.py:253 + msgid "Objectclass for view containers" + msgstr "ビューコンテナーのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:252 ++#: src/config/SSSDConfig/sssdoptions.py:254 + msgid "Attribute with the name of the view" + msgstr "ビューの名前の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:253 ++#: src/config/SSSDConfig/sssdoptions.py:255 + msgid "Objectclass for override objects" + msgstr "上書きされたオブジェクトのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:254 ++#: src/config/SSSDConfig/sssdoptions.py:256 + msgid "Attribute with the reference to the original object" + msgstr "オリジナルオブジェクトを参照する属性" + +-#: src/config/SSSDConfig/sssdoptions.py:255 ++#: src/config/SSSDConfig/sssdoptions.py:257 + msgid 
"Objectclass for user override objects" + msgstr "ユーザーが上書きするオブジェクトのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:256 ++#: src/config/SSSDConfig/sssdoptions.py:258 + msgid "Objectclass for group override objects" + msgstr "グループが上書きするオブジェクトのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:257 ++#: src/config/SSSDConfig/sssdoptions.py:259 + msgid "Search base for Desktop Profile related objects" + msgstr "デスクトッププロファイルに関連するオブジェクトの検索ベース" + +-#: src/config/SSSDConfig/sssdoptions.py:258 ++#: src/config/SSSDConfig/sssdoptions.py:260 + msgid "" + "The amount of time in seconds between lookups of the Desktop Profile rules " + "against the IPA server" +@@ -855,7 +863,7 @@ msgstr "" + "IPA サーバーに対するデスクトッププロファイルルールを検索している間の秒単位の" + "合計時間" + +-#: src/config/SSSDConfig/sssdoptions.py:260 ++#: src/config/SSSDConfig/sssdoptions.py:262 + msgid "" + "The amount of time in minutes between lookups of Desktop Profiles rules " + "against the IPA server when the last request did not find any rule" +@@ -863,32 +871,32 @@ msgstr "" + "最後の要求がルールを何も見つけなかった場合の IPA サーバーに対するデスクトップ" + "プロファイルル ールを検索している間の分単位の合計時間" + +-#: src/config/SSSDConfig/sssdoptions.py:263 ++#: src/config/SSSDConfig/sssdoptions.py:265 + msgid "The LDAP attribute that contains FQDN of the host." + msgstr "ホストの FQDN を含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:264 +-#: src/config/SSSDConfig/sssdoptions.py:287 ++#: src/config/SSSDConfig/sssdoptions.py:266 ++#: src/config/SSSDConfig/sssdoptions.py:289 + msgid "The object class of a host entry in LDAP." + msgstr "LDAP にあるホストエントリーのオブジェクトクラスです。" + +-#: src/config/SSSDConfig/sssdoptions.py:265 ++#: src/config/SSSDConfig/sssdoptions.py:267 + msgid "Use the given string as search base for host objects." + msgstr "ホストオブジェクトの検索ベースとして与えられた文字列を使用します。" + +-#: src/config/SSSDConfig/sssdoptions.py:266 ++#: src/config/SSSDConfig/sssdoptions.py:268 + msgid "The LDAP attribute that contains the host's SSH public keys." 
+ msgstr "ホストの SSH 公開鍵を含む LDAP 属性です。" + +-#: src/config/SSSDConfig/sssdoptions.py:267 ++#: src/config/SSSDConfig/sssdoptions.py:269 + msgid "The LDAP attribute that contains NIS domain name of the netgroup." + msgstr "ネットグループの NIS ドメイン名を含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:268 ++#: src/config/SSSDConfig/sssdoptions.py:270 + msgid "The LDAP attribute that contains the names of the netgroup's members." + msgstr "The LDAP attribute that contains the names of the netgroup's members." + +-#: src/config/SSSDConfig/sssdoptions.py:269 ++#: src/config/SSSDConfig/sssdoptions.py:271 + msgid "" + "The LDAP attribute that lists FQDNs of hosts and host groups that are " + "members of the netgroup." +@@ -896,7 +904,7 @@ msgstr "" + "ネットグループのメンバーであるホストとホストグループの FQDN を一覧表示する " + "LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:271 ++#: src/config/SSSDConfig/sssdoptions.py:273 + msgid "" + "The LDAP attribute that lists hosts and host groups that are direct members " + "of the netgroup." +@@ -904,11 +912,11 @@ msgstr "" + "ネットグループの直接のメンバーであるホストとホストグループを一覧表示する " + "LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:273 ++#: src/config/SSSDConfig/sssdoptions.py:275 + msgid "The LDAP attribute that lists netgroup's memberships." + msgstr "ネットグループのメンバーシップを一覧表示する LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:274 ++#: src/config/SSSDConfig/sssdoptions.py:276 + msgid "" + "The LDAP attribute that lists system users and groups that are direct " + "members of the netgroup." +@@ -916,45 +924,45 @@ msgstr "" + "ネットグループの直接のメンバーであるシステムユーザーとグループを一覧表示する " + "LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:276 ++#: src/config/SSSDConfig/sssdoptions.py:278 + msgid "The LDAP attribute that corresponds to the netgroup name." + msgstr "ネットワークグループ名に対応する LDAP 属性です。" + +-#: src/config/SSSDConfig/sssdoptions.py:277 ++#: src/config/SSSDConfig/sssdoptions.py:279 + msgid "The object class of a netgroup entry in LDAP." 
+ msgstr "LDAP にあるネットワークグループエントリーのオブジェクトクラスです。" + +-#: src/config/SSSDConfig/sssdoptions.py:278 ++#: src/config/SSSDConfig/sssdoptions.py:280 + msgid "" + "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." + msgstr "LDAP ネットグループオブジェクトの UUID/GUID を含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:279 ++#: src/config/SSSDConfig/sssdoptions.py:281 + msgid "" + "The LDAP attribute that contains whether or not is user map enabled for " + "usage." + msgstr "使用のためにユーザーマップが有効になっているかどうかを含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:281 ++#: src/config/SSSDConfig/sssdoptions.py:283 + msgid "The LDAP attribute that contains host category such as 'all'." + msgstr "'all' などのホストカテゴリを含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:282 ++#: src/config/SSSDConfig/sssdoptions.py:284 + msgid "" + "The LDAP attribute that contains all hosts / hostgroups this rule match " + "against." + msgstr "このルールがマッチするすべてのホスト/ホストグループを含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:284 ++#: src/config/SSSDConfig/sssdoptions.py:286 + msgid "" + "The LDAP attribute that contains all users / groups this rule match against." + msgstr "このルールがマッチするすべてのユーザー/グループを含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:286 ++#: src/config/SSSDConfig/sssdoptions.py:288 + msgid "The LDAP attribute that contains the name of SELinux usermap." + msgstr "SELinux usermap の名前を含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:288 ++#: src/config/SSSDConfig/sssdoptions.py:290 + msgid "" + "The LDAP attribute that contains DN of HBAC rule which can be used for " + "matching instead of memberUser and memberHost." +@@ -962,19 +970,19 @@ msgstr "" + "memberUser および memberHost の代わりにマッチングに使用できる HBAC ルールの " + "DN を含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:290 ++#: src/config/SSSDConfig/sssdoptions.py:292 + msgid "The LDAP attribute that contains SELinux user string itself." 
+ msgstr "SELinuxのユーザー文字列そのものを含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:291 ++#: src/config/SSSDConfig/sssdoptions.py:293 + msgid "The LDAP attribute that contains user category such as 'all'." + msgstr "'all' などのユーザーカテゴリーを含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:292 ++#: src/config/SSSDConfig/sssdoptions.py:294 + msgid "The LDAP attribute that contains unique ID of the user map." + msgstr "ユーザーマップの一意の ID を含む LDAP 属性。" + +-#: src/config/SSSDConfig/sssdoptions.py:293 ++#: src/config/SSSDConfig/sssdoptions.py:295 + msgid "" + "The option denotes that the SSSD is running on IPA server and should perform " + "lookups of users and groups from trusted domains differently." +@@ -983,58 +991,58 @@ msgstr "" + "からのユーザーとグループの検索を異なる方法で実行する必要があることを示しま" + "す。" + +-#: src/config/SSSDConfig/sssdoptions.py:295 ++#: src/config/SSSDConfig/sssdoptions.py:297 + msgid "Use the given string as search base for trusted domains." + msgstr "" + "信頼されたドメインに対する検索ベースとして、与えられた文字列を使用します。" + +-#: src/config/SSSDConfig/sssdoptions.py:298 ++#: src/config/SSSDConfig/sssdoptions.py:300 + msgid "Active Directory domain" + msgstr "Active Directory ドメイン" + +-#: src/config/SSSDConfig/sssdoptions.py:299 ++#: src/config/SSSDConfig/sssdoptions.py:301 + msgid "Enabled Active Directory domains" + msgstr "有効化された Active Directory ドメイン" + +-#: src/config/SSSDConfig/sssdoptions.py:300 ++#: src/config/SSSDConfig/sssdoptions.py:302 + msgid "Active Directory server address" + msgstr "Active Directory サーバーアドレス" + +-#: src/config/SSSDConfig/sssdoptions.py:301 ++#: src/config/SSSDConfig/sssdoptions.py:303 + msgid "Active Directory backup server address" + msgstr "Active Directory バックアップサーバーのアドレス" + +-#: src/config/SSSDConfig/sssdoptions.py:302 ++#: src/config/SSSDConfig/sssdoptions.py:304 + msgid "Active Directory client hostname" + msgstr "Active Directory クライアントホスト名" + +-#: src/config/SSSDConfig/sssdoptions.py:304 +-#: src/config/SSSDConfig/sssdoptions.py:497 ++#: 
src/config/SSSDConfig/sssdoptions.py:306 ++#: src/config/SSSDConfig/sssdoptions.py:500 + msgid "LDAP filter to determine access privileges" + msgstr "アクセス権限を決めるための LDAP フィルター" + +-#: src/config/SSSDConfig/sssdoptions.py:305 ++#: src/config/SSSDConfig/sssdoptions.py:307 + msgid "Whether to use the Global Catalog for lookups" + msgstr "検索にグローバルカタログを使用するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:306 ++#: src/config/SSSDConfig/sssdoptions.py:308 + msgid "Operation mode for GPO-based access control" + msgstr "グローバルカタログベースのアクセス制御に対するオペレーションモード" + +-#: src/config/SSSDConfig/sssdoptions.py:307 ++#: src/config/SSSDConfig/sssdoptions.py:309 + msgid "" + "The amount of time between lookups of the GPO policy files against the AD " + "server" + msgstr "AD サーバーに対する GPO ポリシーファイルを検索している間の合計時間" + +-#: src/config/SSSDConfig/sssdoptions.py:308 ++#: src/config/SSSDConfig/sssdoptions.py:310 + msgid "" + "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " + "settings" + msgstr "" + "GPO (Deny)InteractiveLogonRight のポリシー設定にマッピングした PAM サービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:310 ++#: src/config/SSSDConfig/sssdoptions.py:312 + msgid "" + "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " + "policy settings" +@@ -1042,270 +1050,274 @@ msgstr "" + "GPO (Deny)RemoteInteractiveLogonRight のポリシー設定にマッピングした PAM サー" + "ビス名" + +-#: src/config/SSSDConfig/sssdoptions.py:312 ++#: src/config/SSSDConfig/sssdoptions.py:314 + msgid "" + "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" + msgstr "" + "GPO (Deny)NetworkLogonRight のポリシー設定にマッピングした PAM サービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:313 ++#: src/config/SSSDConfig/sssdoptions.py:315 + msgid "" + "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" + msgstr "" + "GPO (Deny)BatchLogonRight のポリシー設定にマッピングした PAM サービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:314 ++#: src/config/SSSDConfig/sssdoptions.py:316 + msgid "" + "PAM 
service names that map to the GPO (Deny)ServiceLogonRight policy settings" + msgstr "(Deny)ServiceLogonRight のポリシー設定にマッピングした PAM サービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:315 ++#: src/config/SSSDConfig/sssdoptions.py:317 + msgid "PAM service names for which GPO-based access is always granted" + msgstr "GPO ベースのアクセスが常に許可される PAM サービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:316 ++#: src/config/SSSDConfig/sssdoptions.py:318 + msgid "PAM service names for which GPO-based access is always denied" + msgstr "GPO ベースのアクセスが常に拒否される PAM サービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:317 ++#: src/config/SSSDConfig/sssdoptions.py:319 + msgid "" + "Default logon right (or permit/deny) to use for unmapped PAM service names" + msgstr "" + "マッピングされていない PAM サービス名に使用するデフォルトのログオン権利 (また" + "は許可/拒否)" + +-#: src/config/SSSDConfig/sssdoptions.py:318 ++#: src/config/SSSDConfig/sssdoptions.py:320 + msgid "a particular site to be used by the client" + msgstr "クライアントが使用する特定のサイト" + +-#: src/config/SSSDConfig/sssdoptions.py:319 ++#: src/config/SSSDConfig/sssdoptions.py:321 + msgid "" + "Maximum age in days before the machine account password should be renewed" + msgstr "マシンアカウントのパスワードの更新が必要となるまでの最大日数" + +-#: src/config/SSSDConfig/sssdoptions.py:321 ++#: src/config/SSSDConfig/sssdoptions.py:323 + msgid "Option for tuning the machine account renewal task" + msgstr "マシンアカウントの更新タスクをチューニングするオプション" + +-#: src/config/SSSDConfig/sssdoptions.py:322 ++#: src/config/SSSDConfig/sssdoptions.py:324 + msgid "Whether to update the machine account password in the Samba database" + msgstr "Samba データベースのマシンアカウントパスワードを更新するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:324 ++#: src/config/SSSDConfig/sssdoptions.py:326 + msgid "Use LDAPS port for LDAP and Global Catalog requests" + msgstr "LDAP およびグローバルカタログのリクエストに LDAPS ポートを使用する" + +-#: src/config/SSSDConfig/sssdoptions.py:325 ++#: src/config/SSSDConfig/sssdoptions.py:327 + msgid "Do not filter domain local groups from other domains" + msgstr "" 
+ +-#: src/config/SSSDConfig/sssdoptions.py:328 +-#: src/config/SSSDConfig/sssdoptions.py:329 ++#: src/config/SSSDConfig/sssdoptions.py:330 ++#: src/config/SSSDConfig/sssdoptions.py:331 + msgid "Kerberos server address" + msgstr "Kerberos サーバーのアドレス" + +-#: src/config/SSSDConfig/sssdoptions.py:330 ++#: src/config/SSSDConfig/sssdoptions.py:332 + msgid "Kerberos backup server address" + msgstr "Kerberos バックアップサーバーのアドレス" + +-#: src/config/SSSDConfig/sssdoptions.py:331 ++#: src/config/SSSDConfig/sssdoptions.py:333 + msgid "Kerberos realm" + msgstr "Kerberos レルム" + +-#: src/config/SSSDConfig/sssdoptions.py:332 ++#: src/config/SSSDConfig/sssdoptions.py:334 + msgid "Authentication timeout" + msgstr "認証のタイムアウト" + +-#: src/config/SSSDConfig/sssdoptions.py:333 ++#: src/config/SSSDConfig/sssdoptions.py:335 + msgid "Whether to create kdcinfo files" + msgstr "kdcinfo ファイルを作成するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:334 ++#: src/config/SSSDConfig/sssdoptions.py:336 + msgid "Where to drop krb5 config snippets" + msgstr "krb5 設定スニペットを削除する場所" + +-#: src/config/SSSDConfig/sssdoptions.py:337 ++#: src/config/SSSDConfig/sssdoptions.py:339 + msgid "Directory to store credential caches" + msgstr "クレデンシャルのキャッシュを保存するディレクトリー" + +-#: src/config/SSSDConfig/sssdoptions.py:338 ++#: src/config/SSSDConfig/sssdoptions.py:340 + msgid "Location of the user's credential cache" + msgstr "ユーザーのクレデンシャルキャッシュの位置" + +-#: src/config/SSSDConfig/sssdoptions.py:339 ++#: src/config/SSSDConfig/sssdoptions.py:341 + msgid "Location of the keytab to validate credentials" + msgstr "クレデンシャルを検証するキーテーブルの場所" + +-#: src/config/SSSDConfig/sssdoptions.py:340 ++#: src/config/SSSDConfig/sssdoptions.py:342 + msgid "Enable credential validation" + msgstr "クレデンシャルの検証を有効にする" + +-#: src/config/SSSDConfig/sssdoptions.py:341 ++#: src/config/SSSDConfig/sssdoptions.py:343 + msgid "Store password if offline for later online authentication" + msgstr "後からオンライン認証するためにオフラインの場合にパスワードを保存します" + +-#: 
src/config/SSSDConfig/sssdoptions.py:342 ++#: src/config/SSSDConfig/sssdoptions.py:344 + msgid "Renewable lifetime of the TGT" + msgstr "更新可能な TGT の有効期間" + +-#: src/config/SSSDConfig/sssdoptions.py:343 ++#: src/config/SSSDConfig/sssdoptions.py:345 + msgid "Lifetime of the TGT" + msgstr "TGT の有効期間" + +-#: src/config/SSSDConfig/sssdoptions.py:344 ++#: src/config/SSSDConfig/sssdoptions.py:346 + msgid "Time between two checks for renewal" + msgstr "更新を確認する間隔" + +-#: src/config/SSSDConfig/sssdoptions.py:345 ++#: src/config/SSSDConfig/sssdoptions.py:347 + msgid "Enables FAST" + msgstr "FAST を有効にする" + +-#: src/config/SSSDConfig/sssdoptions.py:346 ++#: src/config/SSSDConfig/sssdoptions.py:348 + msgid "Selects the principal to use for FAST" + msgstr "FAST に使用するプリンシパルを選択する" + +-#: src/config/SSSDConfig/sssdoptions.py:347 ++#: src/config/SSSDConfig/sssdoptions.py:349 + msgid "Enables principal canonicalization" + msgstr "プリンシパル正規化を有効にする" + +-#: src/config/SSSDConfig/sssdoptions.py:348 ++#: src/config/SSSDConfig/sssdoptions.py:350 + msgid "Enables enterprise principals" + msgstr "エンタープライズ・プリンシパルの有効化" + +-#: src/config/SSSDConfig/sssdoptions.py:349 ++#: src/config/SSSDConfig/sssdoptions.py:351 ++msgid "Enables using of subdomains realms for authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:352 + msgid "A mapping from user names to Kerberos principal names" + msgstr "ユーザー名から Kerberos プリンシパル名までのマッピング" + +-#: src/config/SSSDConfig/sssdoptions.py:352 +-#: src/config/SSSDConfig/sssdoptions.py:353 ++#: src/config/SSSDConfig/sssdoptions.py:355 ++#: src/config/SSSDConfig/sssdoptions.py:356 + msgid "Server where the change password service is running if not on the KDC" + msgstr "KDC になければ、パスワード変更サービスが実行されているサーバー" + +-#: src/config/SSSDConfig/sssdoptions.py:356 ++#: src/config/SSSDConfig/sssdoptions.py:359 + msgid "ldap_uri, The URI of the LDAP server" + msgstr "ldap_uri, LDAP サーバーの URI" + +-#: src/config/SSSDConfig/sssdoptions.py:357 ++#: 
src/config/SSSDConfig/sssdoptions.py:360 + msgid "ldap_backup_uri, The URI of the LDAP server" + msgstr "ldap_backup_uri, LDAP サーバーの URI" + +-#: src/config/SSSDConfig/sssdoptions.py:358 ++#: src/config/SSSDConfig/sssdoptions.py:361 + msgid "The default base DN" + msgstr "デフォルトのベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:359 ++#: src/config/SSSDConfig/sssdoptions.py:362 + msgid "The Schema Type in use on the LDAP server, rfc2307" + msgstr "LDAP サーバーにおいて使用中のスキーマ形式、rfc2307" + +-#: src/config/SSSDConfig/sssdoptions.py:360 ++#: src/config/SSSDConfig/sssdoptions.py:363 + msgid "Mode used to change user password" + msgstr "ユーザーのパスワードの変更にモードを使用しました" + +-#: src/config/SSSDConfig/sssdoptions.py:361 ++#: src/config/SSSDConfig/sssdoptions.py:364 + msgid "The default bind DN" + msgstr "デフォルトのバインド DN" + +-#: src/config/SSSDConfig/sssdoptions.py:362 ++#: src/config/SSSDConfig/sssdoptions.py:365 + msgid "The type of the authentication token of the default bind DN" + msgstr "デフォルトのバインド DN の認証トークンの種類" + +-#: src/config/SSSDConfig/sssdoptions.py:363 ++#: src/config/SSSDConfig/sssdoptions.py:366 + msgid "The authentication token of the default bind DN" + msgstr "デフォルトのバインド DN の認証トークン" + +-#: src/config/SSSDConfig/sssdoptions.py:364 ++#: src/config/SSSDConfig/sssdoptions.py:367 + msgid "Length of time to attempt connection" + msgstr "接続を試行する時間" + +-#: src/config/SSSDConfig/sssdoptions.py:365 ++#: src/config/SSSDConfig/sssdoptions.py:368 + msgid "Length of time to attempt synchronous LDAP operations" + msgstr "LDAP 同期操作を試行する時間" + +-#: src/config/SSSDConfig/sssdoptions.py:366 ++#: src/config/SSSDConfig/sssdoptions.py:369 + msgid "Length of time between attempts to reconnect while offline" + msgstr "オフラインの間に再接続を試行する時間" + +-#: src/config/SSSDConfig/sssdoptions.py:367 ++#: src/config/SSSDConfig/sssdoptions.py:370 + msgid "Use only the upper case for realm names" + msgstr "レルム名に対して大文字のみを使用する" + +-#: src/config/SSSDConfig/sssdoptions.py:368 ++#: 
src/config/SSSDConfig/sssdoptions.py:371 + msgid "File that contains CA certificates" + msgstr "CA 証明書を含むファイル" + +-#: src/config/SSSDConfig/sssdoptions.py:369 ++#: src/config/SSSDConfig/sssdoptions.py:372 + msgid "Path to CA certificate directory" + msgstr "CA 証明書のディレクトリーのパス" + +-#: src/config/SSSDConfig/sssdoptions.py:370 ++#: src/config/SSSDConfig/sssdoptions.py:373 + msgid "File that contains the client certificate" + msgstr "クライアント証明書を含むファイル" + +-#: src/config/SSSDConfig/sssdoptions.py:371 ++#: src/config/SSSDConfig/sssdoptions.py:374 + msgid "File that contains the client key" + msgstr "クライアントの鍵を含むファイル" + +-#: src/config/SSSDConfig/sssdoptions.py:372 ++#: src/config/SSSDConfig/sssdoptions.py:375 + msgid "List of possible ciphers suites" + msgstr "利用可能な暗号の一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:373 ++#: src/config/SSSDConfig/sssdoptions.py:376 + msgid "Require TLS certificate verification" + msgstr "TLS 証明書の検証を要求する" + +-#: src/config/SSSDConfig/sssdoptions.py:374 ++#: src/config/SSSDConfig/sssdoptions.py:377 + msgid "Specify the sasl mechanism to use" + msgstr "使用する SASL メカニズムを指定する" + +-#: src/config/SSSDConfig/sssdoptions.py:375 ++#: src/config/SSSDConfig/sssdoptions.py:378 + msgid "Specify the sasl authorization id to use" + msgstr "使用する SASL 認可 ID を指定する" + +-#: src/config/SSSDConfig/sssdoptions.py:376 ++#: src/config/SSSDConfig/sssdoptions.py:379 + msgid "Specify the sasl authorization realm to use" + msgstr "使用する SASL 認可レルムを指定する" + +-#: src/config/SSSDConfig/sssdoptions.py:377 ++#: src/config/SSSDConfig/sssdoptions.py:380 + msgid "Specify the minimal SSF for LDAP sasl authorization" + msgstr "LDAP SASL 認可の最小 SSF を指定する" + +-#: src/config/SSSDConfig/sssdoptions.py:378 ++#: src/config/SSSDConfig/sssdoptions.py:381 + msgid "Specify the maximal SSF for LDAP sasl authorization" + msgstr "LDAP SASL 認可の最大 SSF を指定する" + +-#: src/config/SSSDConfig/sssdoptions.py:379 ++#: src/config/SSSDConfig/sssdoptions.py:382 + msgid "Kerberos service keytab" + msgstr 
"Kerberos サービスのキーテーブル" + +-#: src/config/SSSDConfig/sssdoptions.py:380 ++#: src/config/SSSDConfig/sssdoptions.py:383 + msgid "Use Kerberos auth for LDAP connection" + msgstr "LDAP 接続に対して Kerberos 認証を使用する" + +-#: src/config/SSSDConfig/sssdoptions.py:381 ++#: src/config/SSSDConfig/sssdoptions.py:384 + msgid "Follow LDAP referrals" + msgstr "LDAP リフェラルにしたがう" + +-#: src/config/SSSDConfig/sssdoptions.py:382 ++#: src/config/SSSDConfig/sssdoptions.py:385 + msgid "Lifetime of TGT for LDAP connection" + msgstr "LDAP 接続の TGT の有効期間" + +-#: src/config/SSSDConfig/sssdoptions.py:383 ++#: src/config/SSSDConfig/sssdoptions.py:386 + msgid "How to dereference aliases" + msgstr "エイリアスを参照解決する方法" + +-#: src/config/SSSDConfig/sssdoptions.py:384 ++#: src/config/SSSDConfig/sssdoptions.py:387 + msgid "Service name for DNS service lookups" + msgstr "DNS サービス検索のサービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:385 ++#: src/config/SSSDConfig/sssdoptions.py:388 + msgid "The number of records to retrieve in a single LDAP query" + msgstr "単一の LDAP クエリーにおいて取得するレコード数" + +-#: src/config/SSSDConfig/sssdoptions.py:386 ++#: src/config/SSSDConfig/sssdoptions.py:389 + msgid "The number of members that must be missing to trigger a full deref" + msgstr "完全な参照解決を引き起こすために欠けている必要があるメンバーの数" + +-#: src/config/SSSDConfig/sssdoptions.py:387 ++#: src/config/SSSDConfig/sssdoptions.py:390 + msgid "" + "Whether the LDAP library should perform a reverse lookup to canonicalize the " + "host name during a SASL bind" +@@ -1313,7 +1325,7 @@ msgstr "" + "LDAP ライブラリーが SASL バインド中にホスト名を正規化するために逆引きを実行す" + "るかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:389 ++#: src/config/SSSDConfig/sssdoptions.py:392 + msgid "" + "Allows to retain local users as members of an LDAP group for servers that " + "use the RFC2307 schema." 
+@@ -1321,412 +1333,412 @@ msgstr "" + "RFC2307 スキーマを使用するサーバーの LDAP グループのメンバーとしてローカル" + "ユーザーを保持することができます。" + +-#: src/config/SSSDConfig/sssdoptions.py:392 ++#: src/config/SSSDConfig/sssdoptions.py:395 + msgid "entryUSN attribute" + msgstr "entryUSN 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:393 ++#: src/config/SSSDConfig/sssdoptions.py:396 + msgid "lastUSN attribute" + msgstr "lastUSN 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:395 ++#: src/config/SSSDConfig/sssdoptions.py:398 + msgid "How long to retain a connection to the LDAP server before disconnecting" + msgstr "LDAP サーバーを切断する前に接続を保持する時間" + +-#: src/config/SSSDConfig/sssdoptions.py:398 ++#: src/config/SSSDConfig/sssdoptions.py:401 + msgid "Disable the LDAP paging control" + msgstr "LDAP ページング制御を無効化する" + +-#: src/config/SSSDConfig/sssdoptions.py:399 ++#: src/config/SSSDConfig/sssdoptions.py:402 + msgid "Disable Active Directory range retrieval" + msgstr "Active Directory 範囲の取得の無効化" + +-#: src/config/SSSDConfig/sssdoptions.py:402 ++#: src/config/SSSDConfig/sssdoptions.py:405 + msgid "Length of time to wait for a search request" + msgstr "検索要求を待つ時間" + +-#: src/config/SSSDConfig/sssdoptions.py:403 ++#: src/config/SSSDConfig/sssdoptions.py:406 + msgid "Length of time to wait for a enumeration request" + msgstr "列挙の要求を待つ時間" + +-#: src/config/SSSDConfig/sssdoptions.py:404 ++#: src/config/SSSDConfig/sssdoptions.py:407 + msgid "Length of time between enumeration updates" + msgstr "列挙の更新間隔" + +-#: src/config/SSSDConfig/sssdoptions.py:405 ++#: src/config/SSSDConfig/sssdoptions.py:408 + msgid "Length of time between cache cleanups" + msgstr "キャッシュをクリーンアップする間隔" + +-#: src/config/SSSDConfig/sssdoptions.py:406 ++#: src/config/SSSDConfig/sssdoptions.py:409 + msgid "Require TLS for ID lookups" + msgstr "ID 検索に TLS を要求する" + +-#: src/config/SSSDConfig/sssdoptions.py:407 ++#: src/config/SSSDConfig/sssdoptions.py:410 + msgid "Use ID-mapping of objectSID instead of pre-set IDs" + msgstr "事前設定済み ID の代わりに objectSID の ID 
マッピングを使用します" + +-#: src/config/SSSDConfig/sssdoptions.py:408 ++#: src/config/SSSDConfig/sssdoptions.py:411 + msgid "Base DN for user lookups" + msgstr "ユーザー検索のベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:409 ++#: src/config/SSSDConfig/sssdoptions.py:412 + msgid "Scope of user lookups" + msgstr "ユーザー検索の範囲" + +-#: src/config/SSSDConfig/sssdoptions.py:410 ++#: src/config/SSSDConfig/sssdoptions.py:413 + msgid "Filter for user lookups" + msgstr "ユーザー検索のフィルター" + +-#: src/config/SSSDConfig/sssdoptions.py:411 ++#: src/config/SSSDConfig/sssdoptions.py:414 + msgid "Objectclass for users" + msgstr "ユーザーのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:412 ++#: src/config/SSSDConfig/sssdoptions.py:415 + msgid "Username attribute" + msgstr "ユーザー名の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:413 ++#: src/config/SSSDConfig/sssdoptions.py:416 + msgid "UID attribute" + msgstr "UID の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:414 ++#: src/config/SSSDConfig/sssdoptions.py:417 + msgid "Primary GID attribute" + msgstr "プライマリー GID の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:415 ++#: src/config/SSSDConfig/sssdoptions.py:418 + msgid "GECOS attribute" + msgstr "GECOS の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:416 ++#: src/config/SSSDConfig/sssdoptions.py:419 + msgid "Home directory attribute" + msgstr "ホームディレクトリーの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:417 ++#: src/config/SSSDConfig/sssdoptions.py:420 + msgid "Shell attribute" + msgstr "シェルの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:418 ++#: src/config/SSSDConfig/sssdoptions.py:421 + msgid "UUID attribute" + msgstr "UUID 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:419 +-#: src/config/SSSDConfig/sssdoptions.py:457 ++#: src/config/SSSDConfig/sssdoptions.py:422 ++#: src/config/SSSDConfig/sssdoptions.py:460 + msgid "objectSID attribute" + msgstr "objectSID 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:420 ++#: src/config/SSSDConfig/sssdoptions.py:423 + msgid "Active Directory primary group 
attribute for ID-mapping" + msgstr "ID マッピングの Active Directory プライマリーグループ属性" + +-#: src/config/SSSDConfig/sssdoptions.py:421 ++#: src/config/SSSDConfig/sssdoptions.py:424 + msgid "User principal attribute (for Kerberos)" + msgstr "ユーザープリンシパルの属性(Kerberos 用)" + +-#: src/config/SSSDConfig/sssdoptions.py:422 ++#: src/config/SSSDConfig/sssdoptions.py:425 + msgid "Full Name" + msgstr "氏名" + +-#: src/config/SSSDConfig/sssdoptions.py:423 ++#: src/config/SSSDConfig/sssdoptions.py:426 + msgid "memberOf attribute" + msgstr "memberOf 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:424 ++#: src/config/SSSDConfig/sssdoptions.py:427 + msgid "Modification time attribute" + msgstr "変更日時の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:425 ++#: src/config/SSSDConfig/sssdoptions.py:428 + msgid "shadowLastChange attribute" + msgstr "shadowLastChange 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:426 ++#: src/config/SSSDConfig/sssdoptions.py:429 + msgid "shadowMin attribute" + msgstr "shadowMin 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:427 ++#: src/config/SSSDConfig/sssdoptions.py:430 + msgid "shadowMax attribute" + msgstr "shadowMax 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:428 ++#: src/config/SSSDConfig/sssdoptions.py:431 + msgid "shadowWarning attribute" + msgstr "shadowWarning 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:429 ++#: src/config/SSSDConfig/sssdoptions.py:432 + msgid "shadowInactive attribute" + msgstr "shadowInactive 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:430 ++#: src/config/SSSDConfig/sssdoptions.py:433 + msgid "shadowExpire attribute" + msgstr "shadowExpire 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:431 ++#: src/config/SSSDConfig/sssdoptions.py:434 + msgid "shadowFlag attribute" + msgstr "shadowFlag 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:432 ++#: src/config/SSSDConfig/sssdoptions.py:435 + msgid "Attribute listing authorized PAM services" + msgstr "認可された PAM サービスを一覧化する属性" + +-#: src/config/SSSDConfig/sssdoptions.py:433 ++#: 
src/config/SSSDConfig/sssdoptions.py:436 + msgid "Attribute listing authorized server hosts" + msgstr "認可されたサーバーホストを一覧化する属性" + +-#: src/config/SSSDConfig/sssdoptions.py:434 ++#: src/config/SSSDConfig/sssdoptions.py:437 + msgid "Attribute listing authorized server rhosts" + msgstr "認可されたサーバー rhosts を一覧化する属性" + +-#: src/config/SSSDConfig/sssdoptions.py:435 ++#: src/config/SSSDConfig/sssdoptions.py:438 + msgid "krbLastPwdChange attribute" + msgstr "krbLastPwdChange 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:436 ++#: src/config/SSSDConfig/sssdoptions.py:439 + msgid "krbPasswordExpiration attribute" + msgstr "krbPasswordExpiration 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:437 ++#: src/config/SSSDConfig/sssdoptions.py:440 + msgid "Attribute indicating that server side password policies are active" + msgstr "サーバー側パスワードポリシーが有効であることを意味する属性" + +-#: src/config/SSSDConfig/sssdoptions.py:438 ++#: src/config/SSSDConfig/sssdoptions.py:441 + msgid "accountExpires attribute of AD" + msgstr "AD の accountExpires 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:439 ++#: src/config/SSSDConfig/sssdoptions.py:442 + msgid "userAccountControl attribute of AD" + msgstr "AD の userAccountControl 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:440 ++#: src/config/SSSDConfig/sssdoptions.py:443 + msgid "nsAccountLock attribute" + msgstr "nsAccountLock 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:441 ++#: src/config/SSSDConfig/sssdoptions.py:444 + msgid "loginDisabled attribute of NDS" + msgstr "NDS の loginDisabled 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:442 ++#: src/config/SSSDConfig/sssdoptions.py:445 + msgid "loginExpirationTime attribute of NDS" + msgstr "NDS の loginExpirationTime 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:443 ++#: src/config/SSSDConfig/sssdoptions.py:446 + msgid "loginAllowedTimeMap attribute of NDS" + msgstr "NDS の loginAllowedTimeMap 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:444 ++#: src/config/SSSDConfig/sssdoptions.py:447 + msgid "SSH 
public key attribute" + msgstr "SSH 公開鍵の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:445 ++#: src/config/SSSDConfig/sssdoptions.py:448 + msgid "attribute listing allowed authentication types for a user" + msgstr "ユーザー用に許可された認証タイプを一覧化する属性" + +-#: src/config/SSSDConfig/sssdoptions.py:446 ++#: src/config/SSSDConfig/sssdoptions.py:449 + msgid "attribute containing the X509 certificate of the user" + msgstr "ユーザーの X509 証明書を含む属性" + +-#: src/config/SSSDConfig/sssdoptions.py:447 ++#: src/config/SSSDConfig/sssdoptions.py:450 + msgid "attribute containing the email address of the user" + msgstr "ユーザーの電子メールアドレスを含む属性" + +-#: src/config/SSSDConfig/sssdoptions.py:448 ++#: src/config/SSSDConfig/sssdoptions.py:451 + msgid "A list of extra attributes to download along with the user entry" + msgstr "ユーザーエントリーと共にダウンロードする追加的な属性の一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:450 ++#: src/config/SSSDConfig/sssdoptions.py:453 + msgid "Base DN for group lookups" + msgstr "グループ検索のベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:451 ++#: src/config/SSSDConfig/sssdoptions.py:454 + msgid "Objectclass for groups" + msgstr "グループのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:452 ++#: src/config/SSSDConfig/sssdoptions.py:455 + msgid "Group name" + msgstr "グループ名" + +-#: src/config/SSSDConfig/sssdoptions.py:453 ++#: src/config/SSSDConfig/sssdoptions.py:456 + msgid "Group password" + msgstr "グループのパスワード" + +-#: src/config/SSSDConfig/sssdoptions.py:454 ++#: src/config/SSSDConfig/sssdoptions.py:457 + msgid "GID attribute" + msgstr "GID 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:455 ++#: src/config/SSSDConfig/sssdoptions.py:458 + msgid "Group member attribute" + msgstr "グループメンバー属性" + +-#: src/config/SSSDConfig/sssdoptions.py:456 ++#: src/config/SSSDConfig/sssdoptions.py:459 + msgid "Group UUID attribute" + msgstr "グループ UUID 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:458 ++#: src/config/SSSDConfig/sssdoptions.py:461 + msgid "Modification time attribute for groups" + msgstr 
"グループの変更日時の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:459 ++#: src/config/SSSDConfig/sssdoptions.py:462 + msgid "Type of the group and other flags" + msgstr "グループおよび他のフラグのタイプ" + +-#: src/config/SSSDConfig/sssdoptions.py:460 ++#: src/config/SSSDConfig/sssdoptions.py:463 + msgid "The LDAP group external member attribute" + msgstr "LDAP グループの外部メンバーの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:461 ++#: src/config/SSSDConfig/sssdoptions.py:464 + msgid "Maximum nesting level SSSD will follow" + msgstr "SSSD が従う最大ネストレベル" + +-#: src/config/SSSDConfig/sssdoptions.py:462 ++#: src/config/SSSDConfig/sssdoptions.py:465 + msgid "Filter for group lookups" + msgstr "グループ検索のフィルター" + +-#: src/config/SSSDConfig/sssdoptions.py:463 ++#: src/config/SSSDConfig/sssdoptions.py:466 + msgid "Scope of group lookups" + msgstr "グループ検索の範囲" + +-#: src/config/SSSDConfig/sssdoptions.py:465 ++#: src/config/SSSDConfig/sssdoptions.py:468 + msgid "Base DN for netgroup lookups" + msgstr "ネットグループ検索のベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:466 ++#: src/config/SSSDConfig/sssdoptions.py:469 + msgid "Objectclass for netgroups" + msgstr "ネットグループのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:467 ++#: src/config/SSSDConfig/sssdoptions.py:470 + msgid "Netgroup name" + msgstr "ネットグループ名" + +-#: src/config/SSSDConfig/sssdoptions.py:468 ++#: src/config/SSSDConfig/sssdoptions.py:471 + msgid "Netgroups members attribute" + msgstr "ネットグループメンバーの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:469 ++#: src/config/SSSDConfig/sssdoptions.py:472 + msgid "Netgroup triple attribute" + msgstr "ネットグループの三つ組の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:470 ++#: src/config/SSSDConfig/sssdoptions.py:473 + msgid "Modification time attribute for netgroups" + msgstr "ネットグループの変更日時の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:472 ++#: src/config/SSSDConfig/sssdoptions.py:475 + msgid "Base DN for service lookups" + msgstr "サービス検索のベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:473 ++#: 
src/config/SSSDConfig/sssdoptions.py:476 + msgid "Objectclass for services" + msgstr "サービスのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:474 ++#: src/config/SSSDConfig/sssdoptions.py:477 + msgid "Service name attribute" + msgstr "サービス名の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:475 ++#: src/config/SSSDConfig/sssdoptions.py:478 + msgid "Service port attribute" + msgstr "サービスポートの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:476 ++#: src/config/SSSDConfig/sssdoptions.py:479 + msgid "Service protocol attribute" + msgstr "サービスプロトコルの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:478 ++#: src/config/SSSDConfig/sssdoptions.py:481 + msgid "Lower bound for ID-mapping" + msgstr "ID マッピングの下限" + +-#: src/config/SSSDConfig/sssdoptions.py:479 ++#: src/config/SSSDConfig/sssdoptions.py:482 + msgid "Upper bound for ID-mapping" + msgstr "ID マッピングの上限" + +-#: src/config/SSSDConfig/sssdoptions.py:480 ++#: src/config/SSSDConfig/sssdoptions.py:483 + msgid "Number of IDs for each slice when ID-mapping" + msgstr "ID マッピングするとき、各スライスに対する ID の数" + +-#: src/config/SSSDConfig/sssdoptions.py:481 ++#: src/config/SSSDConfig/sssdoptions.py:484 + msgid "Use autorid-compatible algorithm for ID-mapping" + msgstr "ID マッピングに対する autorid 互換アルゴリズムを使用します" + +-#: src/config/SSSDConfig/sssdoptions.py:482 ++#: src/config/SSSDConfig/sssdoptions.py:485 + msgid "Name of the default domain for ID-mapping" + msgstr "ID マッピングに対するデフォルトドメインの名前" + +-#: src/config/SSSDConfig/sssdoptions.py:483 ++#: src/config/SSSDConfig/sssdoptions.py:486 + msgid "SID of the default domain for ID-mapping" + msgstr "ID マッピングに対するデフォルトドメインの SID" + +-#: src/config/SSSDConfig/sssdoptions.py:484 ++#: src/config/SSSDConfig/sssdoptions.py:487 + msgid "Number of secondary slices" + msgstr "セカンダリースライスの数" + +-#: src/config/SSSDConfig/sssdoptions.py:486 ++#: src/config/SSSDConfig/sssdoptions.py:489 + msgid "Whether to use Token-Groups" + msgstr "Token-Group を使うかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:487 ++#: 
src/config/SSSDConfig/sssdoptions.py:490 + msgid "Set lower boundary for allowed IDs from the LDAP server" + msgstr "LDAP サーバーから許可される ID の下限の設定" + +-#: src/config/SSSDConfig/sssdoptions.py:488 ++#: src/config/SSSDConfig/sssdoptions.py:491 + msgid "Set upper boundary for allowed IDs from the LDAP server" + msgstr "LDAP サーバーから許可される ID の上限の設定" + +-#: src/config/SSSDConfig/sssdoptions.py:489 ++#: src/config/SSSDConfig/sssdoptions.py:492 + msgid "DN for ppolicy queries" + msgstr "ppolicy クエリーの DN" + +-#: src/config/SSSDConfig/sssdoptions.py:490 ++#: src/config/SSSDConfig/sssdoptions.py:493 + msgid "How many maximum entries to fetch during a wildcard request" + msgstr "ワイルドカードの要求の間に取得する最大エントリーの数" + +-#: src/config/SSSDConfig/sssdoptions.py:491 ++#: src/config/SSSDConfig/sssdoptions.py:494 + msgid "Set libldap debug level" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:494 ++#: src/config/SSSDConfig/sssdoptions.py:497 + msgid "Policy to evaluate the password expiration" + msgstr "パスワード失効の評価のポリシー" + +-#: src/config/SSSDConfig/sssdoptions.py:498 ++#: src/config/SSSDConfig/sssdoptions.py:501 + msgid "Which attributes shall be used to evaluate if an account is expired" + msgstr "どの属性がアカウントが失効しているかを評価するために使用されるか" + +-#: src/config/SSSDConfig/sssdoptions.py:499 ++#: src/config/SSSDConfig/sssdoptions.py:502 + msgid "Which rules should be used to evaluate access control" + msgstr "どのルールがアクセス制御を評価するために使用されるか" + +-#: src/config/SSSDConfig/sssdoptions.py:502 ++#: src/config/SSSDConfig/sssdoptions.py:505 + msgid "URI of an LDAP server where password changes are allowed" + msgstr "パスワードの変更が許可される LDAP サーバーの URI" + +-#: src/config/SSSDConfig/sssdoptions.py:503 ++#: src/config/SSSDConfig/sssdoptions.py:506 + msgid "URI of a backup LDAP server where password changes are allowed" + msgstr "パスワードの変更が許可されるバックアップ LDAP サーバーの URI" + +-#: src/config/SSSDConfig/sssdoptions.py:504 ++#: src/config/SSSDConfig/sssdoptions.py:507 + msgid "DNS service name for LDAP password change server" + 
msgstr "LDAP パスワードの変更サーバーの DNS サービス名" + +-#: src/config/SSSDConfig/sssdoptions.py:505 ++#: src/config/SSSDConfig/sssdoptions.py:508 + msgid "" + "Whether to update the ldap_user_shadow_last_change attribute after a " + "password change" + msgstr "パスワード変更後 ldap_user_shadow_last_change 属性を更新するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:509 ++#: src/config/SSSDConfig/sssdoptions.py:512 + msgid "Base DN for sudo rules lookups" + msgstr "sudo ルール検索のベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:510 ++#: src/config/SSSDConfig/sssdoptions.py:513 + msgid "Automatic full refresh period" + msgstr "自動的な完全更新間隔" + +-#: src/config/SSSDConfig/sssdoptions.py:511 ++#: src/config/SSSDConfig/sssdoptions.py:514 + msgid "Automatic smart refresh period" + msgstr "自動的なスマート更新間隔" + +-#: src/config/SSSDConfig/sssdoptions.py:512 ++#: src/config/SSSDConfig/sssdoptions.py:515 + msgid "Whether to filter rules by hostname, IP addresses and network" + msgstr "" + "ホスト名、IP アドレスおよびネットワークによるフィルタールールを使用するかどう" + "か" + +-#: src/config/SSSDConfig/sssdoptions.py:513 ++#: src/config/SSSDConfig/sssdoptions.py:516 + msgid "" + "Hostnames and/or fully qualified domain names of this machine to filter sudo " + "rules" +@@ -1734,150 +1746,150 @@ msgstr "" + "sudo ルールをフィルターするこのマシンのホスト名および/または完全修飾ドメイン" + "名" + +-#: src/config/SSSDConfig/sssdoptions.py:514 ++#: src/config/SSSDConfig/sssdoptions.py:517 + msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" + msgstr "" + "sudo ルールをフィルターするこのマシンの IPv4 または IPv6 アドレスまたはネット" + "ワーク" + +-#: src/config/SSSDConfig/sssdoptions.py:515 ++#: src/config/SSSDConfig/sssdoptions.py:518 + msgid "Whether to include rules that contains netgroup in host attribute" + msgstr "ホスト属性にネットワークグループを含むルールを含めるかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:516 ++#: src/config/SSSDConfig/sssdoptions.py:519 + msgid "" + "Whether to include rules that contains regular expression in host attribute" + msgstr "ホスト属性に正規表現を含むルールを含めるかどうか" + +-#: 
src/config/SSSDConfig/sssdoptions.py:517 ++#: src/config/SSSDConfig/sssdoptions.py:520 + msgid "Object class for sudo rules" + msgstr "sudo ルールのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:518 ++#: src/config/SSSDConfig/sssdoptions.py:521 + msgid "Name of attribute that is used as object class for sudo rules" + msgstr "sudo ルールのオブジェクトクラスとして使用される属性の名前" + +-#: src/config/SSSDConfig/sssdoptions.py:519 ++#: src/config/SSSDConfig/sssdoptions.py:522 + msgid "Sudo rule name" + msgstr "sudo ルール名" + +-#: src/config/SSSDConfig/sssdoptions.py:520 ++#: src/config/SSSDConfig/sssdoptions.py:523 + msgid "Sudo rule command attribute" + msgstr "sudo ルールのコマンドの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:521 ++#: src/config/SSSDConfig/sssdoptions.py:524 + msgid "Sudo rule host attribute" + msgstr "sudo ルールのホストの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:522 ++#: src/config/SSSDConfig/sssdoptions.py:525 + msgid "Sudo rule user attribute" + msgstr "sudo ルールのユーザーの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:523 ++#: src/config/SSSDConfig/sssdoptions.py:526 + msgid "Sudo rule option attribute" + msgstr "sudo ルールのオプションの属性" + +-#: src/config/SSSDConfig/sssdoptions.py:524 ++#: src/config/SSSDConfig/sssdoptions.py:527 + msgid "Sudo rule runas attribute" + msgstr "sudo ルールの runas の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:525 ++#: src/config/SSSDConfig/sssdoptions.py:528 + msgid "Sudo rule runasuser attribute" + msgstr "sudo ルールの runasuser の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:526 ++#: src/config/SSSDConfig/sssdoptions.py:529 + msgid "Sudo rule runasgroup attribute" + msgstr "sudo ルールの runasgroup の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:527 ++#: src/config/SSSDConfig/sssdoptions.py:530 + msgid "Sudo rule notbefore attribute" + msgstr "sudo ルールの notbefore の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:528 ++#: src/config/SSSDConfig/sssdoptions.py:531 + msgid "Sudo rule notafter attribute" + msgstr "sudo ルールの notafter の属性" + +-#: 
src/config/SSSDConfig/sssdoptions.py:529 ++#: src/config/SSSDConfig/sssdoptions.py:532 + msgid "Sudo rule order attribute" + msgstr "sudo ルールの order の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:532 ++#: src/config/SSSDConfig/sssdoptions.py:535 + msgid "Object class for automounter maps" + msgstr "automounter マップのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:533 ++#: src/config/SSSDConfig/sssdoptions.py:536 + msgid "Automounter map name attribute" + msgstr "オートマウントのマップ名の属性" + +-#: src/config/SSSDConfig/sssdoptions.py:534 ++#: src/config/SSSDConfig/sssdoptions.py:537 + msgid "Object class for automounter map entries" + msgstr "automounter マップエントリーのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:535 ++#: src/config/SSSDConfig/sssdoptions.py:538 + msgid "Automounter map entry key attribute" + msgstr "automounter マップエントリーの鍵属性" + +-#: src/config/SSSDConfig/sssdoptions.py:536 ++#: src/config/SSSDConfig/sssdoptions.py:539 + msgid "Automounter map entry value attribute" + msgstr "automounter マップエントリーの値属性" + +-#: src/config/SSSDConfig/sssdoptions.py:537 ++#: src/config/SSSDConfig/sssdoptions.py:540 + msgid "Base DN for automounter map lookups" + msgstr "automonter のマップ検索のベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:538 ++#: src/config/SSSDConfig/sssdoptions.py:541 + msgid "The name of the automount master map in LDAP." 
+ msgstr "LDAP のオートマウントマスターマップの名前。" + +-#: src/config/SSSDConfig/sssdoptions.py:541 ++#: src/config/SSSDConfig/sssdoptions.py:544 + msgid "Base DN for IP hosts lookups" + msgstr "IP ホストのルックアップのためのベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:542 ++#: src/config/SSSDConfig/sssdoptions.py:545 + msgid "Object class for IP hosts" + msgstr "IP ホストのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:543 ++#: src/config/SSSDConfig/sssdoptions.py:546 + msgid "IP host name attribute" + msgstr "IP ホスト名属性" + +-#: src/config/SSSDConfig/sssdoptions.py:544 ++#: src/config/SSSDConfig/sssdoptions.py:547 + msgid "IP host number (address) attribute" + msgstr "IP ホスト番号 (アドレス) 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:545 ++#: src/config/SSSDConfig/sssdoptions.py:548 + msgid "IP host entryUSN attribute" + msgstr "IP ホストエントリー USN 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:546 ++#: src/config/SSSDConfig/sssdoptions.py:549 + msgid "Base DN for IP networks lookups" + msgstr "IP ネットワーク検索のためのベース DN" + +-#: src/config/SSSDConfig/sssdoptions.py:547 ++#: src/config/SSSDConfig/sssdoptions.py:550 + msgid "Object class for IP networks" + msgstr "IP ネットワークのオブジェクトクラス" + +-#: src/config/SSSDConfig/sssdoptions.py:548 ++#: src/config/SSSDConfig/sssdoptions.py:551 + msgid "IP network name attribute" + msgstr "IP ネットワーク名属性" + +-#: src/config/SSSDConfig/sssdoptions.py:549 ++#: src/config/SSSDConfig/sssdoptions.py:552 + msgid "IP network number (address) attribute" + msgstr "IP ネットワーク番号 (アドレス) 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:550 ++#: src/config/SSSDConfig/sssdoptions.py:553 + msgid "IP network entryUSN attribute" + msgstr "IP ネットワークエントリー USN 属性" + +-#: src/config/SSSDConfig/sssdoptions.py:553 ++#: src/config/SSSDConfig/sssdoptions.py:556 + msgid "Comma separated list of allowed users" + msgstr "許可ユーザーのカンマ区切り一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:554 ++#: src/config/SSSDConfig/sssdoptions.py:557 + msgid "Comma separated list of prohibited users" + msgstr 
"禁止ユーザーのカンマ区切り一覧" + +-#: src/config/SSSDConfig/sssdoptions.py:555 ++#: src/config/SSSDConfig/sssdoptions.py:558 + msgid "" + "Comma separated list of groups that are allowed to log in. This applies only " + "to groups within this SSSD domain. Local groups are not evaluated." +@@ -1885,7 +1897,7 @@ msgstr "" + "Comma separated list of groups that are allowed to log in. This applies only " + "to groups within this SSSD domain. Local groups are not evaluated." + +-#: src/config/SSSDConfig/sssdoptions.py:557 ++#: src/config/SSSDConfig/sssdoptions.py:560 + msgid "" + "Comma separated list of groups that are explicitly denied access. This " + "applies only to groups within this SSSD domain. Local groups are not " +@@ -1895,186 +1907,186 @@ msgstr "" + "applies only to groups within this SSSD domain. Local groups are not " + "evaluated." + +-#: src/config/SSSDConfig/sssdoptions.py:561 ++#: src/config/SSSDConfig/sssdoptions.py:564 + msgid "Base for home directories" + msgstr "ホームディレクトリーのベース" + +-#: src/config/SSSDConfig/sssdoptions.py:562 ++#: src/config/SSSDConfig/sssdoptions.py:565 + msgid "Indicate if a home directory should be created for new users." + msgstr "" + "新しいユーザーのためにホームディレクトリーを作成するかどうかを示します。" + +-#: src/config/SSSDConfig/sssdoptions.py:563 ++#: src/config/SSSDConfig/sssdoptions.py:566 + msgid "Indicate if a home directory should be removed for deleted users." + msgstr "削除されたユーザーのホームディレクトリーを削除するかどうかを示します。" + +-#: src/config/SSSDConfig/sssdoptions.py:564 ++#: src/config/SSSDConfig/sssdoptions.py:567 + msgid "Specify the default permissions on a newly created home directory." + msgstr "" + "新しく作成したホームディレクトリーのデフォルトのパーミッションを指定します。" + +-#: src/config/SSSDConfig/sssdoptions.py:565 ++#: src/config/SSSDConfig/sssdoptions.py:568 + msgid "The skeleton directory." + msgstr "スケルトンディレクトリー。" + +-#: src/config/SSSDConfig/sssdoptions.py:566 ++#: src/config/SSSDConfig/sssdoptions.py:569 + msgid "The mail spool directory." 
+ msgstr "メールスプールディレクトリー。" + +-#: src/config/SSSDConfig/sssdoptions.py:567 ++#: src/config/SSSDConfig/sssdoptions.py:570 + msgid "The command that is run after a user is removed." + msgstr "ユーザーが削除された後に実行されるコマンド。" + +-#: src/config/SSSDConfig/sssdoptions.py:570 ++#: src/config/SSSDConfig/sssdoptions.py:573 + msgid "The number of preforked proxy children." + msgstr "事前にフォークされた子プロキシーの数。" + +-#: src/config/SSSDConfig/sssdoptions.py:573 ++#: src/config/SSSDConfig/sssdoptions.py:576 + msgid "The name of the NSS library to use" + msgstr "使用する NSS ライブラリーの名前" + +-#: src/config/SSSDConfig/sssdoptions.py:574 ++#: src/config/SSSDConfig/sssdoptions.py:577 + msgid "The name of the NSS library to use for hosts and networks lookups" + msgstr "ホストやネットワークの検索に使用する NSS ライブラリの名前" + +-#: src/config/SSSDConfig/sssdoptions.py:575 ++#: src/config/SSSDConfig/sssdoptions.py:578 + msgid "Whether to look up canonical group name from cache if possible" + msgstr "可能ならばキャッシュから正規化されたグループ名を検索するかどうか" + +-#: src/config/SSSDConfig/sssdoptions.py:578 ++#: src/config/SSSDConfig/sssdoptions.py:581 + msgid "PAM stack to use" + msgstr "使用する PAM スタック" + +-#: src/config/SSSDConfig/sssdoptions.py:581 ++#: src/config/SSSDConfig/sssdoptions.py:584 + msgid "Path of passwd file sources." + msgstr "passwd ファイルソースへのパス" + +-#: src/config/SSSDConfig/sssdoptions.py:582 ++#: src/config/SSSDConfig/sssdoptions.py:585 + msgid "Path of group file sources." 
+ msgstr "グループファイルソースへのパス" + +-#: src/monitor/monitor.c:2376 ++#: src/monitor/monitor.c:2381 + msgid "Become a daemon (default)" + msgstr "デーモンとして実行(デフォルト)" + +-#: src/monitor/monitor.c:2378 ++#: src/monitor/monitor.c:2383 + msgid "Run interactive (not a daemon)" + msgstr "対話的に実行(デーモンではない)" + +-#: src/monitor/monitor.c:2381 ++#: src/monitor/monitor.c:2386 + msgid "Disable netlink interface" + msgstr "netlink インターフェースを無効にする" + +-#: src/monitor/monitor.c:2383 src/tools/sssctl/sssctl_config.c:77 ++#: src/monitor/monitor.c:2388 src/tools/sssctl/sssctl_config.c:77 + #: src/tools/sssctl/sssctl_logs.c:310 + msgid "Specify a non-default config file" + msgstr "非標準の設定ファイルの指定" + +-#: src/monitor/monitor.c:2385 ++#: src/monitor/monitor.c:2390 + msgid "Refresh the configuration database, then exit" + msgstr "設定データベースをリフレッシュし、その後終了します" + +-#: src/monitor/monitor.c:2388 ++#: src/monitor/monitor.c:2393 + msgid "Similar to --genconf, but only refreshes the given section" + msgstr "--genconf と似ていますが、任意のセクションのみをリフレッシュします" + +-#: src/monitor/monitor.c:2391 ++#: src/monitor/monitor.c:2396 + msgid "Print version number and exit" + msgstr "バージョン番号を表示して終了する" + +-#: src/monitor/monitor.c:2537 ++#: src/monitor/monitor.c:2542 + msgid "SSSD is already running\n" + msgstr "SSSD はすでに実行中です\n" + +-#: src/providers/krb5/krb5_child.c:3260 src/providers/ldap/ldap_child.c:638 ++#: src/providers/krb5/krb5_child.c:3274 src/providers/ldap/ldap_child.c:638 + msgid "Debug level" + msgstr "デバッグレベル" + +-#: src/providers/krb5/krb5_child.c:3262 src/providers/ldap/ldap_child.c:640 ++#: src/providers/krb5/krb5_child.c:3276 src/providers/ldap/ldap_child.c:640 + msgid "Add debug timestamps" + msgstr "デバッグのタイムスタンプを追加する" + +-#: src/providers/krb5/krb5_child.c:3264 src/providers/ldap/ldap_child.c:642 ++#: src/providers/krb5/krb5_child.c:3278 src/providers/ldap/ldap_child.c:642 + msgid "Show timestamps with microseconds" + msgstr "タイムスタンプをミリ秒単位で表示する" + +-#: src/providers/krb5/krb5_child.c:3266 
src/providers/ldap/ldap_child.c:644 ++#: src/providers/krb5/krb5_child.c:3280 src/providers/ldap/ldap_child.c:644 + msgid "An open file descriptor for the debug logs" + msgstr "デバッグログのオープンファイルディスクリプター" + +-#: src/providers/krb5/krb5_child.c:3269 src/providers/ldap/ldap_child.c:646 ++#: src/providers/krb5/krb5_child.c:3283 src/providers/ldap/ldap_child.c:646 + msgid "Send the debug output to stderr directly." + msgstr "デバッグ出力を stderr に直接送信します。" + +-#: src/providers/krb5/krb5_child.c:3272 ++#: src/providers/krb5/krb5_child.c:3286 + msgid "The user to create FAST ccache as" + msgstr "次のように FAST ccache を作成するユーザー" + +-#: src/providers/krb5/krb5_child.c:3274 ++#: src/providers/krb5/krb5_child.c:3288 + msgid "The group to create FAST ccache as" + msgstr "次のように FAST ccache を作成するグループ" + +-#: src/providers/krb5/krb5_child.c:3276 ++#: src/providers/krb5/krb5_child.c:3290 + msgid "Kerberos realm to use" + msgstr "使用する Kerberos レルム" + +-#: src/providers/krb5/krb5_child.c:3278 ++#: src/providers/krb5/krb5_child.c:3292 + msgid "Requested lifetime of the ticket" + msgstr "チケットの要求された有効期間" + +-#: src/providers/krb5/krb5_child.c:3280 ++#: src/providers/krb5/krb5_child.c:3294 + msgid "Requested renewable lifetime of the ticket" + msgstr "チケットの要求された更新可能な有効期間" + +-#: src/providers/krb5/krb5_child.c:3282 ++#: src/providers/krb5/krb5_child.c:3296 + msgid "FAST options ('never', 'try', 'demand')" + msgstr "FAST のオプション ('never'、'try'、'demand')" + +-#: src/providers/krb5/krb5_child.c:3285 ++#: src/providers/krb5/krb5_child.c:3299 + msgid "Specifies the server principal to use for FAST" + msgstr "FAST で使用するサーバープリンシパルを指定します" + +-#: src/providers/krb5/krb5_child.c:3287 ++#: src/providers/krb5/krb5_child.c:3301 + msgid "Requests canonicalization of the principal name" + msgstr "プリンシパル名の正規化を要求します" + +-#: src/providers/krb5/krb5_child.c:3289 ++#: src/providers/krb5/krb5_child.c:3303 + msgid "Use custom version of krb5_get_init_creds_password" + msgstr "krb5_get_init_creds_password 
のカスタムバージョンを使用します" + +-#: src/providers/data_provider_be.c:699 ++#: src/providers/data_provider_be.c:711 + msgid "Domain of the information provider (mandatory)" + msgstr "情報プロバイダーのドメイン (必須)" + +-#: src/sss_client/common.c:1079 ++#: src/sss_client/common.c:1088 + msgid "Privileged socket has wrong ownership or permissions." + msgstr "特権ソケットの所有者またはパーミッションが誤っています。" + +-#: src/sss_client/common.c:1082 ++#: src/sss_client/common.c:1091 + msgid "Public socket has wrong ownership or permissions." + msgstr "公開ソケットの所有者またはパーミッションが誤っています。" + +-#: src/sss_client/common.c:1085 ++#: src/sss_client/common.c:1094 + msgid "Unexpected format of the server credential message." + msgstr "サーバーのクレデンシャルメッセージの予期しない形式です。" + +-#: src/sss_client/common.c:1088 ++#: src/sss_client/common.c:1097 + msgid "SSSD is not run by root." + msgstr "SSSD は root により実行されません。" + +-#: src/sss_client/common.c:1091 ++#: src/sss_client/common.c:1100 + msgid "SSSD socket does not exist." + msgstr "SSSD ソケットは存在しません。" + +-#: src/sss_client/common.c:1094 ++#: src/sss_client/common.c:1103 + msgid "Cannot get stat of SSSD socket." + msgstr "SSSD ソケットの統計を取得できません。" + +-#: src/sss_client/common.c:1099 ++#: src/sss_client/common.c:1108 + msgid "An error occurred, but no description can be found." + msgstr "エラーが発生しましたが、説明がありませんでした。" + +-#: src/sss_client/common.c:1105 ++#: src/sss_client/common.c:1114 + msgid "Unexpected error while looking for an error description" + msgstr "エラーの説明を検索中に予期しないエラーが発生しました" + +@@ -2082,46 +2094,46 @@ msgstr "エラーの説明を検索中に予期しないエラーが発生しま + msgid "Permission denied. 
" + msgstr "パーミッションが拒否されました。" + +-#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:781 +-#: src/sss_client/pam_sss.c:792 ++#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 ++#: src/sss_client/pam_sss.c:796 + msgid "Server message: " + msgstr "サーバーのメッセージ: " + +-#: src/sss_client/pam_sss.c:299 ++#: src/sss_client/pam_sss.c:303 + msgid "Passwords do not match" + msgstr "パスワードが一致しません" + +-#: src/sss_client/pam_sss.c:487 ++#: src/sss_client/pam_sss.c:491 + msgid "Password reset by root is not supported." + msgstr "root によるパスワードのリセットはサポートされません。" + +-#: src/sss_client/pam_sss.c:528 ++#: src/sss_client/pam_sss.c:532 + msgid "Authenticated with cached credentials" + msgstr "キャッシュされているクレデンシャルを用いて認証されました" + +-#: src/sss_client/pam_sss.c:529 ++#: src/sss_client/pam_sss.c:533 + msgid ", your cached password will expire at: " + msgstr "、キャッシュされたパスワードが失効します: " + +-#: src/sss_client/pam_sss.c:559 ++#: src/sss_client/pam_sss.c:563 + #, c-format + msgid "Your password has expired. You have %1$d grace login(s) remaining." + msgstr "パスワードの期限が切れています。あと %1$d 回ログインできます。" + +-#: src/sss_client/pam_sss.c:605 ++#: src/sss_client/pam_sss.c:609 + #, c-format + msgid "Your password will expire in %1$d %2$s." 
+ msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。" + +-#: src/sss_client/pam_sss.c:654 ++#: src/sss_client/pam_sss.c:658 + msgid "Authentication is denied until: " + msgstr "次まで認証が拒否されます: " + +-#: src/sss_client/pam_sss.c:675 ++#: src/sss_client/pam_sss.c:679 + msgid "System is offline, password change not possible" + msgstr "システムがオフラインです、パスワード変更ができません" + +-#: src/sss_client/pam_sss.c:690 ++#: src/sss_client/pam_sss.c:694 + msgid "" + "After changing the OTP password, you need to log out and back in order to " + "acquire a ticket" +@@ -2129,43 +2141,43 @@ msgstr "" + "OTP パスワードの変更後、チケットを取得するためにログアウト後に再びログインす" + "る必要があります" + +-#: src/sss_client/pam_sss.c:778 src/sss_client/pam_sss.c:791 ++#: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 + msgid "Password change failed. " + msgstr "パスワードの変更に失敗しました。" + +-#: src/sss_client/pam_sss.c:2015 ++#: src/sss_client/pam_sss.c:2044 + msgid "New Password: " + msgstr "新しいパスワード: " + +-#: src/sss_client/pam_sss.c:2016 ++#: src/sss_client/pam_sss.c:2045 + msgid "Reenter new Password: " + msgstr "新しいパスワードの再入力: " + +-#: src/sss_client/pam_sss.c:2178 src/sss_client/pam_sss.c:2181 ++#: src/sss_client/pam_sss.c:2207 src/sss_client/pam_sss.c:2210 + msgid "First Factor: " + msgstr "1 番目の要素: " + +-#: src/sss_client/pam_sss.c:2179 src/sss_client/pam_sss.c:2353 ++#: src/sss_client/pam_sss.c:2208 src/sss_client/pam_sss.c:2382 + msgid "Second Factor (optional): " + msgstr "2 番目の要素 (オプション): " + +-#: src/sss_client/pam_sss.c:2182 src/sss_client/pam_sss.c:2356 ++#: src/sss_client/pam_sss.c:2211 src/sss_client/pam_sss.c:2385 + msgid "Second Factor: " + msgstr "2 番目の要素: " + +-#: src/sss_client/pam_sss.c:2200 ++#: src/sss_client/pam_sss.c:2229 + msgid "Password: " + msgstr "パスワード: " + +-#: src/sss_client/pam_sss.c:2352 src/sss_client/pam_sss.c:2355 ++#: src/sss_client/pam_sss.c:2381 src/sss_client/pam_sss.c:2384 + msgid "First Factor (Current Password): " + msgstr "1 番目の要素 (現在のパスワード): " + +-#: src/sss_client/pam_sss.c:2359 ++#: 
src/sss_client/pam_sss.c:2388 + msgid "Current Password: " + msgstr "現在のパスワード: " + +-#: src/sss_client/pam_sss.c:2716 ++#: src/sss_client/pam_sss.c:2745 + msgid "Password expired. Change your password now." + msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。" + +@@ -3356,18 +3368,18 @@ msgstr "PAM 環境:\n" + msgid " - no env -\n" + msgstr " - no env -\n" + +-#: src/util/util.h:82 ++#: src/util/util.h:86 + msgid "The user ID to run the server as" + msgstr "次のようにサーバーを実行するユーザー ID" + +-#: src/util/util.h:84 ++#: src/util/util.h:88 + msgid "The group ID to run the server as" + msgstr "次のようにサーバーを実行するグループ ID" + +-#: src/util/util.h:92 ++#: src/util/util.h:96 + msgid "Informs that the responder has been socket-activated" + msgstr "レスポンダーがソケットでアクティベートされたと知らせます" + +-#: src/util/util.h:94 ++#: src/util/util.h:98 + msgid "Informs that the responder has been dbus-activated" + msgstr "レスポンダーが dbus でアクティベートされたと知らせます" +diff --git a/po/zh_CN.po b/po/zh_CN.po +index 1d195436a..ee38f25e3 100644 +--- a/po/zh_CN.po ++++ b/po/zh_CN.po +@@ -11,7 +11,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +-"POT-Creation-Date: 2020-10-12 12:21+0200\n" ++"POT-Creation-Date: 2021-02-05 11:58+0100\n" + "PO-Revision-Date: 2020-08-20 14:29+0000\n" + "Last-Translator: Charles Lee \n" + "Language-Team: Chinese (Simplified) +Date: Fri, 19 Feb 2021 16:57:31 +0100 +Subject: [PATCH] pot: update pot files + +--- + po/sssd.pot | 744 ++++++++++++++++++++++++++-------------------------- + 1 file changed, 375 insertions(+), 369 deletions(-) + +diff --git a/po/sssd.pot b/po/sssd.pot +index 19f6994ff..075f908a8 100644 +--- a/po/sssd.pot ++++ b/po/sssd.pot +@@ -8,7 +8,7 @@ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +-"POT-Creation-Date: 2021-02-05 11:58+0100\n" ++"POT-Creation-Date: 2021-02-19 16:47+0100\n" + "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" + 
"Last-Translator: FULL NAME \n" + "Language-Team: LANGUAGE \n" +@@ -153,7 +153,7 @@ msgid "Entry cache background update timeout length (seconds)" + msgstr "" + + #: src/config/SSSDConfig/sssdoptions.py:61 +-#: src/config/SSSDConfig/sssdoptions.py:117 ++#: src/config/SSSDConfig/sssdoptions.py:119 + msgid "Negative cache timeout length (seconds)" + msgstr "" + +@@ -337,1532 +337,1538 @@ msgstr "" + msgid "Whether to match authenticated UPN with target user" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:111 ++#: src/config/SSSDConfig/sssdoptions.py:109 ++msgid "" ++"List of pairs : that must be enforced " ++"for PAM access with GSSAPI authentication" ++msgstr "" ++ ++#: src/config/SSSDConfig/sssdoptions.py:113 + msgid "Whether to evaluate the time-based attributes in sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:112 ++#: src/config/SSSDConfig/sssdoptions.py:114 + msgid "If true, SSSD will switch back to lower-wins ordering logic" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:113 ++#: src/config/SSSDConfig/sssdoptions.py:115 + msgid "" + "Maximum number of rules that can be refreshed at once. If this is exceeded, " + "full refresh is performed." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:120 ++#: src/config/SSSDConfig/sssdoptions.py:122 + msgid "Whether to hash host names and addresses in the known_hosts file" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:121 ++#: src/config/SSSDConfig/sssdoptions.py:123 + msgid "" + "How many seconds to keep a host in the known_hosts file after its host keys " + "were requested" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:123 ++#: src/config/SSSDConfig/sssdoptions.py:125 + msgid "Path to storage of trusted CA certificates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:124 ++#: src/config/SSSDConfig/sssdoptions.py:126 + msgid "Allow to generate ssh-keys from certificates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:125 ++#: src/config/SSSDConfig/sssdoptions.py:127 + msgid "" + "Use the following matching rules to filter the certificates for ssh-key " + "generation" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:129 ++#: src/config/SSSDConfig/sssdoptions.py:131 + msgid "List of UIDs or user names allowed to access the PAC responder" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:130 ++#: src/config/SSSDConfig/sssdoptions.py:132 + msgid "How long the PAC data is considered valid" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:133 ++#: src/config/SSSDConfig/sssdoptions.py:135 + msgid "List of user attributes the InfoPipe is allowed to publish" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:136 ++#: src/config/SSSDConfig/sssdoptions.py:138 + msgid "The provider where the secrets will be stored in" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:137 ++#: src/config/SSSDConfig/sssdoptions.py:139 + msgid "The maximum allowed number of nested containers" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:138 ++#: src/config/SSSDConfig/sssdoptions.py:140 + msgid "The maximum number of secrets that can be stored" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:139 ++#: 
src/config/SSSDConfig/sssdoptions.py:141 + msgid "The maximum number of secrets that can be stored per UID" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:140 ++#: src/config/SSSDConfig/sssdoptions.py:142 + msgid "The maximum payload size of a secret in kilobytes" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:142 ++#: src/config/SSSDConfig/sssdoptions.py:144 + msgid "The URL Custodia server is listening on" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:143 ++#: src/config/SSSDConfig/sssdoptions.py:145 + msgid "The method to use when authenticating to a Custodia server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:144 ++#: src/config/SSSDConfig/sssdoptions.py:146 + msgid "" + "The name of the headers that will be added into a HTTP request with the " + "value defined in auth_header_value" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:146 ++#: src/config/SSSDConfig/sssdoptions.py:148 + msgid "The value sssd-secrets would use for auth_header_name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:147 ++#: src/config/SSSDConfig/sssdoptions.py:149 + msgid "" + "The list of the headers to forward to the Custodia server together with the " + "request" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:148 ++#: src/config/SSSDConfig/sssdoptions.py:150 + msgid "" + "The username to use when authenticating to a Custodia server using basic_auth" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:149 ++#: src/config/SSSDConfig/sssdoptions.py:151 + msgid "" + "The password to use when authenticating to a Custodia server using basic_auth" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:150 ++#: src/config/SSSDConfig/sssdoptions.py:152 + msgid "If true peer's certificate is verified if proxy_url uses https protocol" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:151 ++#: src/config/SSSDConfig/sssdoptions.py:153 + msgid "" + "If false peer's certificate may contain different hostname than proxy_url " 
+ "when https protocol is used" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:153 ++#: src/config/SSSDConfig/sssdoptions.py:155 + msgid "Path to directory where certificate authority certificates are stored" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:154 ++#: src/config/SSSDConfig/sssdoptions.py:156 + msgid "Path to file containing server's CA certificate" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:155 ++#: src/config/SSSDConfig/sssdoptions.py:157 + msgid "Path to file containing client's certificate" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:156 ++#: src/config/SSSDConfig/sssdoptions.py:158 + msgid "Path to file containing client's private key" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:159 ++#: src/config/SSSDConfig/sssdoptions.py:161 + msgid "" + "One of the following strings specifying the scope of session recording: none " + "- No users are recorded. some - Users/groups specified by users and groups " + "options are recorded. all - All users are recorded." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:162 ++#: src/config/SSSDConfig/sssdoptions.py:164 + msgid "" + "A comma-separated list of users which should have session recording enabled. " + "Matches user names as returned by NSS. I.e. after the possible space " + "replacement, case changes, etc." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:164 ++#: src/config/SSSDConfig/sssdoptions.py:166 + msgid "" + "A comma-separated list of groups, members of which should have session " + "recording enabled. Matches group names as returned by NSS. I.e. after the " + "possible space replacement, case changes, etc." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:167 ++#: src/config/SSSDConfig/sssdoptions.py:169 + msgid "" + "A comma-separated list of users to be excluded from recording, only when " + "scope=all" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:168 ++#: src/config/SSSDConfig/sssdoptions.py:170 + msgid "" + "A comma-separated list of groups, members of which should be excluded from " + "recording, only when scope=all. " + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:172 ++#: src/config/SSSDConfig/sssdoptions.py:174 + msgid "Identity provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:173 ++#: src/config/SSSDConfig/sssdoptions.py:175 + msgid "Authentication provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:174 ++#: src/config/SSSDConfig/sssdoptions.py:176 + msgid "Access control provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:175 ++#: src/config/SSSDConfig/sssdoptions.py:177 + msgid "Password change provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:176 ++#: src/config/SSSDConfig/sssdoptions.py:178 + msgid "SUDO provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:177 ++#: src/config/SSSDConfig/sssdoptions.py:179 + msgid "Autofs provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:178 ++#: src/config/SSSDConfig/sssdoptions.py:180 + msgid "Host identity provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:179 ++#: src/config/SSSDConfig/sssdoptions.py:181 + msgid "SELinux provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:180 ++#: src/config/SSSDConfig/sssdoptions.py:182 + msgid "Session management provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:181 ++#: src/config/SSSDConfig/sssdoptions.py:183 + msgid "Resolver provider" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:184 ++#: src/config/SSSDConfig/sssdoptions.py:186 + msgid "Whether the domain is usable by the OS or by applications" + msgstr "" + 
+-#: src/config/SSSDConfig/sssdoptions.py:185 ++#: src/config/SSSDConfig/sssdoptions.py:187 + msgid "Enable or disable the domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:186 ++#: src/config/SSSDConfig/sssdoptions.py:188 + msgid "Minimum user ID" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:187 ++#: src/config/SSSDConfig/sssdoptions.py:189 + msgid "Maximum user ID" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:188 ++#: src/config/SSSDConfig/sssdoptions.py:190 + msgid "Enable enumerating all users/groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:189 ++#: src/config/SSSDConfig/sssdoptions.py:191 + msgid "Cache credentials for offline login" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:190 ++#: src/config/SSSDConfig/sssdoptions.py:192 + msgid "Display users/groups in fully-qualified form" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:191 ++#: src/config/SSSDConfig/sssdoptions.py:193 + msgid "Don't include group members in group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:192 +-#: src/config/SSSDConfig/sssdoptions.py:202 +-#: src/config/SSSDConfig/sssdoptions.py:203 ++#: src/config/SSSDConfig/sssdoptions.py:194 + #: src/config/SSSDConfig/sssdoptions.py:204 + #: src/config/SSSDConfig/sssdoptions.py:205 + #: src/config/SSSDConfig/sssdoptions.py:206 + #: src/config/SSSDConfig/sssdoptions.py:207 + #: src/config/SSSDConfig/sssdoptions.py:208 ++#: src/config/SSSDConfig/sssdoptions.py:209 ++#: src/config/SSSDConfig/sssdoptions.py:210 + msgid "Entry cache timeout length (seconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:193 ++#: src/config/SSSDConfig/sssdoptions.py:195 + msgid "" + "Restrict or prefer a specific address family when performing DNS lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:194 ++#: src/config/SSSDConfig/sssdoptions.py:196 + msgid "How long to keep cached entries after last successful login (days)" + msgstr "" + +-#: 
src/config/SSSDConfig/sssdoptions.py:195 ++#: src/config/SSSDConfig/sssdoptions.py:197 + msgid "" + "How long should SSSD talk to single DNS server before trying next server " + "(miliseconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:197 ++#: src/config/SSSDConfig/sssdoptions.py:199 + msgid "How long should keep trying to resolve single DNS query (seconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:198 ++#: src/config/SSSDConfig/sssdoptions.py:200 + msgid "How long to wait for replies from DNS when resolving servers (seconds)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:199 ++#: src/config/SSSDConfig/sssdoptions.py:201 + msgid "The domain part of service discovery DNS query" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:200 ++#: src/config/SSSDConfig/sssdoptions.py:202 + msgid "Override GID value from the identity provider with this value" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:201 ++#: src/config/SSSDConfig/sssdoptions.py:203 + msgid "Treat usernames as case sensitive" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:209 ++#: src/config/SSSDConfig/sssdoptions.py:211 + msgid "How often should expired entries be refreshed in background" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:210 ++#: src/config/SSSDConfig/sssdoptions.py:212 + msgid "Whether to automatically update the client's DNS entry" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:211 +-#: src/config/SSSDConfig/sssdoptions.py:241 ++#: src/config/SSSDConfig/sssdoptions.py:213 ++#: src/config/SSSDConfig/sssdoptions.py:243 + msgid "The TTL to apply to the client's DNS entry after updating it" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:212 +-#: src/config/SSSDConfig/sssdoptions.py:242 ++#: src/config/SSSDConfig/sssdoptions.py:214 ++#: src/config/SSSDConfig/sssdoptions.py:244 + msgid "The interface whose IP should be used for dynamic DNS updates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:213 
++#: src/config/SSSDConfig/sssdoptions.py:215 + msgid "How often to periodically update the client's DNS entry" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:214 ++#: src/config/SSSDConfig/sssdoptions.py:216 + msgid "Whether the provider should explicitly update the PTR record as well" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:215 ++#: src/config/SSSDConfig/sssdoptions.py:217 + msgid "Whether the nsupdate utility should default to using TCP" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:216 ++#: src/config/SSSDConfig/sssdoptions.py:218 + msgid "What kind of authentication should be used to perform the DNS update" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:217 ++#: src/config/SSSDConfig/sssdoptions.py:219 + msgid "Override the DNS server used to perform the DNS update" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:218 ++#: src/config/SSSDConfig/sssdoptions.py:220 + msgid "Control enumeration of trusted domains" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:219 ++#: src/config/SSSDConfig/sssdoptions.py:221 + msgid "How often should subdomains list be refreshed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:220 ++#: src/config/SSSDConfig/sssdoptions.py:222 + msgid "List of options that should be inherited into a subdomain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:221 ++#: src/config/SSSDConfig/sssdoptions.py:223 + msgid "Default subdomain homedir value" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:222 ++#: src/config/SSSDConfig/sssdoptions.py:224 + msgid "How long can cached credentials be used for cached authentication" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:223 ++#: src/config/SSSDConfig/sssdoptions.py:225 + msgid "Whether to automatically create private groups for users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:224 ++#: src/config/SSSDConfig/sssdoptions.py:226 + msgid "Display a warning N days before the password expires." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:225 ++#: src/config/SSSDConfig/sssdoptions.py:227 + msgid "" + "Various tags stored by the realmd configuration service for this domain." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:226 ++#: src/config/SSSDConfig/sssdoptions.py:228 + msgid "" + "The provider which should handle fetching of subdomains. This value should " + "be always the same as id_provider." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:228 ++#: src/config/SSSDConfig/sssdoptions.py:230 + msgid "" + "How many seconds to keep a host ssh key after refresh. IE how long to cache " + "the host key for." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:230 ++#: src/config/SSSDConfig/sssdoptions.py:232 + msgid "" + "If 2-Factor-Authentication (2FA) is used and credentials should be saved " + "this value determines the minimal length the first authentication factor " + "(long term password) must have to be saved as SHA512 hash into the cache." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:236 ++#: src/config/SSSDConfig/sssdoptions.py:238 + msgid "IPA domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:237 ++#: src/config/SSSDConfig/sssdoptions.py:239 + msgid "IPA server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:238 ++#: src/config/SSSDConfig/sssdoptions.py:240 + msgid "Address of backup IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:239 ++#: src/config/SSSDConfig/sssdoptions.py:241 + msgid "IPA client hostname" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:240 ++#: src/config/SSSDConfig/sssdoptions.py:242 + msgid "Whether to automatically update the client's DNS entry in FreeIPA" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:243 ++#: src/config/SSSDConfig/sssdoptions.py:245 + msgid "Search base for HBAC related objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:244 ++#: src/config/SSSDConfig/sssdoptions.py:246 + msgid "" + 
"The amount of time between lookups of the HBAC rules against the IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:245 ++#: src/config/SSSDConfig/sssdoptions.py:247 + msgid "" + "The amount of time in seconds between lookups of the SELinux maps against " + "the IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:247 ++#: src/config/SSSDConfig/sssdoptions.py:249 + msgid "If set to false, host argument given by PAM will be ignored" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:248 ++#: src/config/SSSDConfig/sssdoptions.py:250 + msgid "The automounter location this IPA client is using" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:249 ++#: src/config/SSSDConfig/sssdoptions.py:251 + msgid "Search base for object containing info about IPA domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:250 ++#: src/config/SSSDConfig/sssdoptions.py:252 + msgid "Search base for objects containing info about ID ranges" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:251 +-#: src/config/SSSDConfig/sssdoptions.py:305 ++#: src/config/SSSDConfig/sssdoptions.py:253 ++#: src/config/SSSDConfig/sssdoptions.py:307 + msgid "Enable DNS sites - location based service discovery" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:252 ++#: src/config/SSSDConfig/sssdoptions.py:254 + msgid "Search base for view containers" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:253 ++#: src/config/SSSDConfig/sssdoptions.py:255 + msgid "Objectclass for view containers" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:254 ++#: src/config/SSSDConfig/sssdoptions.py:256 + msgid "Attribute with the name of the view" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:255 ++#: src/config/SSSDConfig/sssdoptions.py:257 + msgid "Objectclass for override objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:256 ++#: src/config/SSSDConfig/sssdoptions.py:258 + msgid "Attribute with the reference to the original 
object" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:257 ++#: src/config/SSSDConfig/sssdoptions.py:259 + msgid "Objectclass for user override objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:258 ++#: src/config/SSSDConfig/sssdoptions.py:260 + msgid "Objectclass for group override objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:259 ++#: src/config/SSSDConfig/sssdoptions.py:261 + msgid "Search base for Desktop Profile related objects" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:260 ++#: src/config/SSSDConfig/sssdoptions.py:262 + msgid "" + "The amount of time in seconds between lookups of the Desktop Profile rules " + "against the IPA server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:262 ++#: src/config/SSSDConfig/sssdoptions.py:264 + msgid "" + "The amount of time in minutes between lookups of Desktop Profiles rules " + "against the IPA server when the last request did not find any rule" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:265 ++#: src/config/SSSDConfig/sssdoptions.py:267 + msgid "The LDAP attribute that contains FQDN of the host." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:266 +-#: src/config/SSSDConfig/sssdoptions.py:289 ++#: src/config/SSSDConfig/sssdoptions.py:268 ++#: src/config/SSSDConfig/sssdoptions.py:291 + msgid "The object class of a host entry in LDAP." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:267 ++#: src/config/SSSDConfig/sssdoptions.py:269 + msgid "Use the given string as search base for host objects." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:268 ++#: src/config/SSSDConfig/sssdoptions.py:270 + msgid "The LDAP attribute that contains the host's SSH public keys." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:269 ++#: src/config/SSSDConfig/sssdoptions.py:271 + msgid "The LDAP attribute that contains NIS domain name of the netgroup." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:270 ++#: src/config/SSSDConfig/sssdoptions.py:272 + msgid "The LDAP attribute that contains the names of the netgroup's members." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:271 ++#: src/config/SSSDConfig/sssdoptions.py:273 + msgid "" + "The LDAP attribute that lists FQDNs of hosts and host groups that are " + "members of the netgroup." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:273 ++#: src/config/SSSDConfig/sssdoptions.py:275 + msgid "" + "The LDAP attribute that lists hosts and host groups that are direct members " + "of the netgroup." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:275 ++#: src/config/SSSDConfig/sssdoptions.py:277 + msgid "The LDAP attribute that lists netgroup's memberships." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:276 ++#: src/config/SSSDConfig/sssdoptions.py:278 + msgid "" + "The LDAP attribute that lists system users and groups that are direct " + "members of the netgroup." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:278 ++#: src/config/SSSDConfig/sssdoptions.py:280 + msgid "The LDAP attribute that corresponds to the netgroup name." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:279 ++#: src/config/SSSDConfig/sssdoptions.py:281 + msgid "The object class of a netgroup entry in LDAP." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:280 ++#: src/config/SSSDConfig/sssdoptions.py:282 + msgid "" + "The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:281 ++#: src/config/SSSDConfig/sssdoptions.py:283 + msgid "" + "The LDAP attribute that contains whether or not is user map enabled for " + "usage." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:283 ++#: src/config/SSSDConfig/sssdoptions.py:285 + msgid "The LDAP attribute that contains host category such as 'all'." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:284 ++#: src/config/SSSDConfig/sssdoptions.py:286 + msgid "" + "The LDAP attribute that contains all hosts / hostgroups this rule match " + "against." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:286 ++#: src/config/SSSDConfig/sssdoptions.py:288 + msgid "" + "The LDAP attribute that contains all users / groups this rule match against." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:288 ++#: src/config/SSSDConfig/sssdoptions.py:290 + msgid "The LDAP attribute that contains the name of SELinux usermap." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:290 ++#: src/config/SSSDConfig/sssdoptions.py:292 + msgid "" + "The LDAP attribute that contains DN of HBAC rule which can be used for " + "matching instead of memberUser and memberHost." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:292 ++#: src/config/SSSDConfig/sssdoptions.py:294 + msgid "The LDAP attribute that contains SELinux user string itself." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:293 ++#: src/config/SSSDConfig/sssdoptions.py:295 + msgid "The LDAP attribute that contains user category such as 'all'." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:294 ++#: src/config/SSSDConfig/sssdoptions.py:296 + msgid "The LDAP attribute that contains unique ID of the user map." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:295 ++#: src/config/SSSDConfig/sssdoptions.py:297 + msgid "" + "The option denotes that the SSSD is running on IPA server and should perform " + "lookups of users and groups from trusted domains differently." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:297 ++#: src/config/SSSDConfig/sssdoptions.py:299 + msgid "Use the given string as search base for trusted domains." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:300 ++#: src/config/SSSDConfig/sssdoptions.py:302 + msgid "Active Directory domain" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:301 ++#: src/config/SSSDConfig/sssdoptions.py:303 + msgid "Enabled Active Directory domains" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:302 ++#: src/config/SSSDConfig/sssdoptions.py:304 + msgid "Active Directory server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:303 ++#: src/config/SSSDConfig/sssdoptions.py:305 + msgid "Active Directory backup server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:304 ++#: src/config/SSSDConfig/sssdoptions.py:306 + msgid "Active Directory client hostname" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:306 +-#: src/config/SSSDConfig/sssdoptions.py:500 ++#: src/config/SSSDConfig/sssdoptions.py:308 ++#: src/config/SSSDConfig/sssdoptions.py:502 + msgid "LDAP filter to determine access privileges" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:307 ++#: src/config/SSSDConfig/sssdoptions.py:309 + msgid "Whether to use the Global Catalog for lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:308 ++#: src/config/SSSDConfig/sssdoptions.py:310 + msgid "Operation mode for GPO-based access control" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:309 ++#: src/config/SSSDConfig/sssdoptions.py:311 + msgid "" + "The amount of time between lookups of the GPO policy files against the AD " + "server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:310 ++#: src/config/SSSDConfig/sssdoptions.py:312 + msgid "" + "PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " + "settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:312 ++#: src/config/SSSDConfig/sssdoptions.py:314 + msgid "" + "PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " + "policy settings" + msgstr "" + +-#: 
src/config/SSSDConfig/sssdoptions.py:314 ++#: src/config/SSSDConfig/sssdoptions.py:316 + msgid "" + "PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:315 ++#: src/config/SSSDConfig/sssdoptions.py:317 + msgid "" + "PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:316 ++#: src/config/SSSDConfig/sssdoptions.py:318 + msgid "" + "PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:317 ++#: src/config/SSSDConfig/sssdoptions.py:319 + msgid "PAM service names for which GPO-based access is always granted" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:318 ++#: src/config/SSSDConfig/sssdoptions.py:320 + msgid "PAM service names for which GPO-based access is always denied" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:319 ++#: src/config/SSSDConfig/sssdoptions.py:321 + msgid "" + "Default logon right (or permit/deny) to use for unmapped PAM service names" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:320 ++#: src/config/SSSDConfig/sssdoptions.py:322 + msgid "a particular site to be used by the client" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:321 ++#: src/config/SSSDConfig/sssdoptions.py:323 + msgid "" + "Maximum age in days before the machine account password should be renewed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:323 ++#: src/config/SSSDConfig/sssdoptions.py:325 + msgid "Option for tuning the machine account renewal task" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:324 ++#: src/config/SSSDConfig/sssdoptions.py:326 + msgid "Whether to update the machine account password in the Samba database" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:326 ++#: src/config/SSSDConfig/sssdoptions.py:328 + msgid "Use LDAPS port for LDAP and Global Catalog 
requests" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:327 ++#: src/config/SSSDConfig/sssdoptions.py:329 + msgid "Do not filter domain local groups from other domains" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:330 +-#: src/config/SSSDConfig/sssdoptions.py:331 ++#: src/config/SSSDConfig/sssdoptions.py:332 ++#: src/config/SSSDConfig/sssdoptions.py:333 + msgid "Kerberos server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:332 ++#: src/config/SSSDConfig/sssdoptions.py:334 + msgid "Kerberos backup server address" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:333 ++#: src/config/SSSDConfig/sssdoptions.py:335 + msgid "Kerberos realm" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:334 ++#: src/config/SSSDConfig/sssdoptions.py:336 + msgid "Authentication timeout" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:335 ++#: src/config/SSSDConfig/sssdoptions.py:337 + msgid "Whether to create kdcinfo files" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:336 ++#: src/config/SSSDConfig/sssdoptions.py:338 + msgid "Where to drop krb5 config snippets" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:339 ++#: src/config/SSSDConfig/sssdoptions.py:341 + msgid "Directory to store credential caches" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:340 ++#: src/config/SSSDConfig/sssdoptions.py:342 + msgid "Location of the user's credential cache" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:341 ++#: src/config/SSSDConfig/sssdoptions.py:343 + msgid "Location of the keytab to validate credentials" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:342 ++#: src/config/SSSDConfig/sssdoptions.py:344 + msgid "Enable credential validation" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:343 ++#: src/config/SSSDConfig/sssdoptions.py:345 + msgid "Store password if offline for later online authentication" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:344 ++#: 
src/config/SSSDConfig/sssdoptions.py:346 + msgid "Renewable lifetime of the TGT" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:345 ++#: src/config/SSSDConfig/sssdoptions.py:347 + msgid "Lifetime of the TGT" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:346 ++#: src/config/SSSDConfig/sssdoptions.py:348 + msgid "Time between two checks for renewal" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:347 ++#: src/config/SSSDConfig/sssdoptions.py:349 + msgid "Enables FAST" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:348 ++#: src/config/SSSDConfig/sssdoptions.py:350 + msgid "Selects the principal to use for FAST" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:349 ++#: src/config/SSSDConfig/sssdoptions.py:351 + msgid "Enables principal canonicalization" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:350 ++#: src/config/SSSDConfig/sssdoptions.py:352 + msgid "Enables enterprise principals" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:351 ++#: src/config/SSSDConfig/sssdoptions.py:353 + msgid "Enables using of subdomains realms for authentication" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:352 ++#: src/config/SSSDConfig/sssdoptions.py:354 + msgid "A mapping from user names to Kerberos principal names" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:355 +-#: src/config/SSSDConfig/sssdoptions.py:356 ++#: src/config/SSSDConfig/sssdoptions.py:357 ++#: src/config/SSSDConfig/sssdoptions.py:358 + msgid "Server where the change password service is running if not on the KDC" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:359 ++#: src/config/SSSDConfig/sssdoptions.py:361 + msgid "ldap_uri, The URI of the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:360 ++#: src/config/SSSDConfig/sssdoptions.py:362 + msgid "ldap_backup_uri, The URI of the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:361 ++#: src/config/SSSDConfig/sssdoptions.py:363 + msgid "The 
default base DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:362 ++#: src/config/SSSDConfig/sssdoptions.py:364 + msgid "The Schema Type in use on the LDAP server, rfc2307" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:363 ++#: src/config/SSSDConfig/sssdoptions.py:365 + msgid "Mode used to change user password" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:364 ++#: src/config/SSSDConfig/sssdoptions.py:366 + msgid "The default bind DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:365 ++#: src/config/SSSDConfig/sssdoptions.py:367 + msgid "The type of the authentication token of the default bind DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:366 ++#: src/config/SSSDConfig/sssdoptions.py:368 + msgid "The authentication token of the default bind DN" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:367 ++#: src/config/SSSDConfig/sssdoptions.py:369 + msgid "Length of time to attempt connection" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:368 ++#: src/config/SSSDConfig/sssdoptions.py:370 + msgid "Length of time to attempt synchronous LDAP operations" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:369 ++#: src/config/SSSDConfig/sssdoptions.py:371 + msgid "Length of time between attempts to reconnect while offline" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:370 ++#: src/config/SSSDConfig/sssdoptions.py:372 + msgid "Use only the upper case for realm names" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:371 ++#: src/config/SSSDConfig/sssdoptions.py:373 + msgid "File that contains CA certificates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:372 ++#: src/config/SSSDConfig/sssdoptions.py:374 + msgid "Path to CA certificate directory" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:373 ++#: src/config/SSSDConfig/sssdoptions.py:375 + msgid "File that contains the client certificate" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:374 ++#: 
src/config/SSSDConfig/sssdoptions.py:376 + msgid "File that contains the client key" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:375 ++#: src/config/SSSDConfig/sssdoptions.py:377 + msgid "List of possible ciphers suites" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:376 ++#: src/config/SSSDConfig/sssdoptions.py:378 + msgid "Require TLS certificate verification" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:377 ++#: src/config/SSSDConfig/sssdoptions.py:379 + msgid "Specify the sasl mechanism to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:378 ++#: src/config/SSSDConfig/sssdoptions.py:380 + msgid "Specify the sasl authorization id to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:379 ++#: src/config/SSSDConfig/sssdoptions.py:381 + msgid "Specify the sasl authorization realm to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:380 ++#: src/config/SSSDConfig/sssdoptions.py:382 + msgid "Specify the minimal SSF for LDAP sasl authorization" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:381 ++#: src/config/SSSDConfig/sssdoptions.py:383 + msgid "Specify the maximal SSF for LDAP sasl authorization" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:382 ++#: src/config/SSSDConfig/sssdoptions.py:384 + msgid "Kerberos service keytab" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:383 ++#: src/config/SSSDConfig/sssdoptions.py:385 + msgid "Use Kerberos auth for LDAP connection" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:384 ++#: src/config/SSSDConfig/sssdoptions.py:386 + msgid "Follow LDAP referrals" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:385 ++#: src/config/SSSDConfig/sssdoptions.py:387 + msgid "Lifetime of TGT for LDAP connection" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:386 ++#: src/config/SSSDConfig/sssdoptions.py:388 + msgid "How to dereference aliases" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:387 ++#: 
src/config/SSSDConfig/sssdoptions.py:389 + msgid "Service name for DNS service lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:388 ++#: src/config/SSSDConfig/sssdoptions.py:390 + msgid "The number of records to retrieve in a single LDAP query" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:389 ++#: src/config/SSSDConfig/sssdoptions.py:391 + msgid "The number of members that must be missing to trigger a full deref" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:390 ++#: src/config/SSSDConfig/sssdoptions.py:392 + msgid "" + "Whether the LDAP library should perform a reverse lookup to canonicalize the " + "host name during a SASL bind" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:392 ++#: src/config/SSSDConfig/sssdoptions.py:394 + msgid "" + "Allows to retain local users as members of an LDAP group for servers that " + "use the RFC2307 schema." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:395 ++#: src/config/SSSDConfig/sssdoptions.py:397 + msgid "entryUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:396 ++#: src/config/SSSDConfig/sssdoptions.py:398 + msgid "lastUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:398 ++#: src/config/SSSDConfig/sssdoptions.py:400 + msgid "How long to retain a connection to the LDAP server before disconnecting" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:401 ++#: src/config/SSSDConfig/sssdoptions.py:403 + msgid "Disable the LDAP paging control" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:402 ++#: src/config/SSSDConfig/sssdoptions.py:404 + msgid "Disable Active Directory range retrieval" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:405 ++#: src/config/SSSDConfig/sssdoptions.py:407 + msgid "Length of time to wait for a search request" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:406 ++#: src/config/SSSDConfig/sssdoptions.py:408 + msgid "Length of time to wait for a enumeration request" + msgstr "" 
+ +-#: src/config/SSSDConfig/sssdoptions.py:407 ++#: src/config/SSSDConfig/sssdoptions.py:409 + msgid "Length of time between enumeration updates" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:408 ++#: src/config/SSSDConfig/sssdoptions.py:410 + msgid "Length of time between cache cleanups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:409 ++#: src/config/SSSDConfig/sssdoptions.py:411 + msgid "Require TLS for ID lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:410 ++#: src/config/SSSDConfig/sssdoptions.py:412 + msgid "Use ID-mapping of objectSID instead of pre-set IDs" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:411 ++#: src/config/SSSDConfig/sssdoptions.py:413 + msgid "Base DN for user lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:412 ++#: src/config/SSSDConfig/sssdoptions.py:414 + msgid "Scope of user lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:413 ++#: src/config/SSSDConfig/sssdoptions.py:415 + msgid "Filter for user lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:414 ++#: src/config/SSSDConfig/sssdoptions.py:416 + msgid "Objectclass for users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:415 ++#: src/config/SSSDConfig/sssdoptions.py:417 + msgid "Username attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:416 ++#: src/config/SSSDConfig/sssdoptions.py:418 + msgid "UID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:417 ++#: src/config/SSSDConfig/sssdoptions.py:419 + msgid "Primary GID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:418 ++#: src/config/SSSDConfig/sssdoptions.py:420 + msgid "GECOS attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:419 ++#: src/config/SSSDConfig/sssdoptions.py:421 + msgid "Home directory attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:420 ++#: src/config/SSSDConfig/sssdoptions.py:422 + msgid "Shell attribute" + msgstr "" + +-#: 
src/config/SSSDConfig/sssdoptions.py:421 ++#: src/config/SSSDConfig/sssdoptions.py:423 + msgid "UUID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:422 +-#: src/config/SSSDConfig/sssdoptions.py:460 ++#: src/config/SSSDConfig/sssdoptions.py:424 ++#: src/config/SSSDConfig/sssdoptions.py:462 + msgid "objectSID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:423 ++#: src/config/SSSDConfig/sssdoptions.py:425 + msgid "Active Directory primary group attribute for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:424 ++#: src/config/SSSDConfig/sssdoptions.py:426 + msgid "User principal attribute (for Kerberos)" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:425 ++#: src/config/SSSDConfig/sssdoptions.py:427 + msgid "Full Name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:426 ++#: src/config/SSSDConfig/sssdoptions.py:428 + msgid "memberOf attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:427 ++#: src/config/SSSDConfig/sssdoptions.py:429 + msgid "Modification time attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:428 ++#: src/config/SSSDConfig/sssdoptions.py:430 + msgid "shadowLastChange attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:429 ++#: src/config/SSSDConfig/sssdoptions.py:431 + msgid "shadowMin attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:430 ++#: src/config/SSSDConfig/sssdoptions.py:432 + msgid "shadowMax attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:431 ++#: src/config/SSSDConfig/sssdoptions.py:433 + msgid "shadowWarning attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:432 ++#: src/config/SSSDConfig/sssdoptions.py:434 + msgid "shadowInactive attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:433 ++#: src/config/SSSDConfig/sssdoptions.py:435 + msgid "shadowExpire attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:434 ++#: 
src/config/SSSDConfig/sssdoptions.py:436 + msgid "shadowFlag attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:435 ++#: src/config/SSSDConfig/sssdoptions.py:437 + msgid "Attribute listing authorized PAM services" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:436 ++#: src/config/SSSDConfig/sssdoptions.py:438 + msgid "Attribute listing authorized server hosts" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:437 ++#: src/config/SSSDConfig/sssdoptions.py:439 + msgid "Attribute listing authorized server rhosts" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:438 ++#: src/config/SSSDConfig/sssdoptions.py:440 + msgid "krbLastPwdChange attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:439 ++#: src/config/SSSDConfig/sssdoptions.py:441 + msgid "krbPasswordExpiration attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:440 ++#: src/config/SSSDConfig/sssdoptions.py:442 + msgid "Attribute indicating that server side password policies are active" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:441 ++#: src/config/SSSDConfig/sssdoptions.py:443 + msgid "accountExpires attribute of AD" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:442 ++#: src/config/SSSDConfig/sssdoptions.py:444 + msgid "userAccountControl attribute of AD" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:443 ++#: src/config/SSSDConfig/sssdoptions.py:445 + msgid "nsAccountLock attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:444 ++#: src/config/SSSDConfig/sssdoptions.py:446 + msgid "loginDisabled attribute of NDS" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:445 ++#: src/config/SSSDConfig/sssdoptions.py:447 + msgid "loginExpirationTime attribute of NDS" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:446 ++#: src/config/SSSDConfig/sssdoptions.py:448 + msgid "loginAllowedTimeMap attribute of NDS" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:447 ++#: 
src/config/SSSDConfig/sssdoptions.py:449 + msgid "SSH public key attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:448 ++#: src/config/SSSDConfig/sssdoptions.py:450 + msgid "attribute listing allowed authentication types for a user" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:449 ++#: src/config/SSSDConfig/sssdoptions.py:451 + msgid "attribute containing the X509 certificate of the user" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:450 ++#: src/config/SSSDConfig/sssdoptions.py:452 + msgid "attribute containing the email address of the user" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:451 ++#: src/config/SSSDConfig/sssdoptions.py:453 + msgid "A list of extra attributes to download along with the user entry" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:453 ++#: src/config/SSSDConfig/sssdoptions.py:455 + msgid "Base DN for group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:454 ++#: src/config/SSSDConfig/sssdoptions.py:456 + msgid "Objectclass for groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:455 ++#: src/config/SSSDConfig/sssdoptions.py:457 + msgid "Group name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:456 ++#: src/config/SSSDConfig/sssdoptions.py:458 + msgid "Group password" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:457 ++#: src/config/SSSDConfig/sssdoptions.py:459 + msgid "GID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:458 ++#: src/config/SSSDConfig/sssdoptions.py:460 + msgid "Group member attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:459 ++#: src/config/SSSDConfig/sssdoptions.py:461 + msgid "Group UUID attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:461 ++#: src/config/SSSDConfig/sssdoptions.py:463 + msgid "Modification time attribute for groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:462 ++#: src/config/SSSDConfig/sssdoptions.py:464 + msgid "Type of the 
group and other flags" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:463 ++#: src/config/SSSDConfig/sssdoptions.py:465 + msgid "The LDAP group external member attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:464 ++#: src/config/SSSDConfig/sssdoptions.py:466 + msgid "Maximum nesting level SSSD will follow" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:465 ++#: src/config/SSSDConfig/sssdoptions.py:467 + msgid "Filter for group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:466 ++#: src/config/SSSDConfig/sssdoptions.py:468 + msgid "Scope of group lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:468 ++#: src/config/SSSDConfig/sssdoptions.py:470 + msgid "Base DN for netgroup lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:469 ++#: src/config/SSSDConfig/sssdoptions.py:471 + msgid "Objectclass for netgroups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:470 ++#: src/config/SSSDConfig/sssdoptions.py:472 + msgid "Netgroup name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:471 ++#: src/config/SSSDConfig/sssdoptions.py:473 + msgid "Netgroups members attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:472 ++#: src/config/SSSDConfig/sssdoptions.py:474 + msgid "Netgroup triple attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:473 ++#: src/config/SSSDConfig/sssdoptions.py:475 + msgid "Modification time attribute for netgroups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:475 ++#: src/config/SSSDConfig/sssdoptions.py:477 + msgid "Base DN for service lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:476 ++#: src/config/SSSDConfig/sssdoptions.py:478 + msgid "Objectclass for services" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:477 ++#: src/config/SSSDConfig/sssdoptions.py:479 + msgid "Service name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:478 ++#: 
src/config/SSSDConfig/sssdoptions.py:480 + msgid "Service port attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:479 ++#: src/config/SSSDConfig/sssdoptions.py:481 + msgid "Service protocol attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:481 ++#: src/config/SSSDConfig/sssdoptions.py:483 + msgid "Lower bound for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:482 ++#: src/config/SSSDConfig/sssdoptions.py:484 + msgid "Upper bound for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:483 ++#: src/config/SSSDConfig/sssdoptions.py:485 + msgid "Number of IDs for each slice when ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:484 ++#: src/config/SSSDConfig/sssdoptions.py:486 + msgid "Use autorid-compatible algorithm for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:485 ++#: src/config/SSSDConfig/sssdoptions.py:487 + msgid "Name of the default domain for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:486 ++#: src/config/SSSDConfig/sssdoptions.py:488 + msgid "SID of the default domain for ID-mapping" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:487 ++#: src/config/SSSDConfig/sssdoptions.py:489 + msgid "Number of secondary slices" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:489 ++#: src/config/SSSDConfig/sssdoptions.py:491 + msgid "Whether to use Token-Groups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:490 ++#: src/config/SSSDConfig/sssdoptions.py:492 + msgid "Set lower boundary for allowed IDs from the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:491 ++#: src/config/SSSDConfig/sssdoptions.py:493 + msgid "Set upper boundary for allowed IDs from the LDAP server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:492 ++#: src/config/SSSDConfig/sssdoptions.py:494 + msgid "DN for ppolicy queries" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:493 ++#: 
src/config/SSSDConfig/sssdoptions.py:495 + msgid "How many maximum entries to fetch during a wildcard request" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:494 ++#: src/config/SSSDConfig/sssdoptions.py:496 + msgid "Set libldap debug level" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:497 ++#: src/config/SSSDConfig/sssdoptions.py:499 + msgid "Policy to evaluate the password expiration" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:501 ++#: src/config/SSSDConfig/sssdoptions.py:503 + msgid "Which attributes shall be used to evaluate if an account is expired" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:502 ++#: src/config/SSSDConfig/sssdoptions.py:504 + msgid "Which rules should be used to evaluate access control" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:505 ++#: src/config/SSSDConfig/sssdoptions.py:507 + msgid "URI of an LDAP server where password changes are allowed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:506 ++#: src/config/SSSDConfig/sssdoptions.py:508 + msgid "URI of a backup LDAP server where password changes are allowed" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:507 ++#: src/config/SSSDConfig/sssdoptions.py:509 + msgid "DNS service name for LDAP password change server" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:508 ++#: src/config/SSSDConfig/sssdoptions.py:510 + msgid "" + "Whether to update the ldap_user_shadow_last_change attribute after a " + "password change" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:512 ++#: src/config/SSSDConfig/sssdoptions.py:514 + msgid "Base DN for sudo rules lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:513 ++#: src/config/SSSDConfig/sssdoptions.py:515 + msgid "Automatic full refresh period" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:514 ++#: src/config/SSSDConfig/sssdoptions.py:516 + msgid "Automatic smart refresh period" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:515 ++#: 
src/config/SSSDConfig/sssdoptions.py:517 + msgid "Whether to filter rules by hostname, IP addresses and network" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:516 ++#: src/config/SSSDConfig/sssdoptions.py:518 + msgid "" + "Hostnames and/or fully qualified domain names of this machine to filter sudo " + "rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:517 ++#: src/config/SSSDConfig/sssdoptions.py:519 + msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:518 ++#: src/config/SSSDConfig/sssdoptions.py:520 + msgid "Whether to include rules that contains netgroup in host attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:519 ++#: src/config/SSSDConfig/sssdoptions.py:521 + msgid "" + "Whether to include rules that contains regular expression in host attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:520 ++#: src/config/SSSDConfig/sssdoptions.py:522 + msgid "Object class for sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:521 ++#: src/config/SSSDConfig/sssdoptions.py:523 + msgid "Name of attribute that is used as object class for sudo rules" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:522 ++#: src/config/SSSDConfig/sssdoptions.py:524 + msgid "Sudo rule name" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:523 ++#: src/config/SSSDConfig/sssdoptions.py:525 + msgid "Sudo rule command attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:524 ++#: src/config/SSSDConfig/sssdoptions.py:526 + msgid "Sudo rule host attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:525 ++#: src/config/SSSDConfig/sssdoptions.py:527 + msgid "Sudo rule user attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:526 ++#: src/config/SSSDConfig/sssdoptions.py:528 + msgid "Sudo rule option attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:527 ++#: 
src/config/SSSDConfig/sssdoptions.py:529 + msgid "Sudo rule runas attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:528 ++#: src/config/SSSDConfig/sssdoptions.py:530 + msgid "Sudo rule runasuser attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:529 ++#: src/config/SSSDConfig/sssdoptions.py:531 + msgid "Sudo rule runasgroup attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:530 ++#: src/config/SSSDConfig/sssdoptions.py:532 + msgid "Sudo rule notbefore attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:531 ++#: src/config/SSSDConfig/sssdoptions.py:533 + msgid "Sudo rule notafter attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:532 ++#: src/config/SSSDConfig/sssdoptions.py:534 + msgid "Sudo rule order attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:535 ++#: src/config/SSSDConfig/sssdoptions.py:537 + msgid "Object class for automounter maps" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:536 ++#: src/config/SSSDConfig/sssdoptions.py:538 + msgid "Automounter map name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:537 ++#: src/config/SSSDConfig/sssdoptions.py:539 + msgid "Object class for automounter map entries" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:538 ++#: src/config/SSSDConfig/sssdoptions.py:540 + msgid "Automounter map entry key attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:539 ++#: src/config/SSSDConfig/sssdoptions.py:541 + msgid "Automounter map entry value attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:540 ++#: src/config/SSSDConfig/sssdoptions.py:542 + msgid "Base DN for automounter map lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:541 ++#: src/config/SSSDConfig/sssdoptions.py:543 + msgid "The name of the automount master map in LDAP." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:544 ++#: src/config/SSSDConfig/sssdoptions.py:546 + msgid "Base DN for IP hosts lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:545 ++#: src/config/SSSDConfig/sssdoptions.py:547 + msgid "Object class for IP hosts" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:546 ++#: src/config/SSSDConfig/sssdoptions.py:548 + msgid "IP host name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:547 ++#: src/config/SSSDConfig/sssdoptions.py:549 + msgid "IP host number (address) attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:548 ++#: src/config/SSSDConfig/sssdoptions.py:550 + msgid "IP host entryUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:549 ++#: src/config/SSSDConfig/sssdoptions.py:551 + msgid "Base DN for IP networks lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:550 ++#: src/config/SSSDConfig/sssdoptions.py:552 + msgid "Object class for IP networks" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:551 ++#: src/config/SSSDConfig/sssdoptions.py:553 + msgid "IP network name attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:552 ++#: src/config/SSSDConfig/sssdoptions.py:554 + msgid "IP network number (address) attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:553 ++#: src/config/SSSDConfig/sssdoptions.py:555 + msgid "IP network entryUSN attribute" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:556 ++#: src/config/SSSDConfig/sssdoptions.py:558 + msgid "Comma separated list of allowed users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:557 ++#: src/config/SSSDConfig/sssdoptions.py:559 + msgid "Comma separated list of prohibited users" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:558 ++#: src/config/SSSDConfig/sssdoptions.py:560 + msgid "" + "Comma separated list of groups that are allowed to log in. 
This applies only " + "to groups within this SSSD domain. Local groups are not evaluated." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:560 ++#: src/config/SSSDConfig/sssdoptions.py:562 + msgid "" + "Comma separated list of groups that are explicitly denied access. This " + "applies only to groups within this SSSD domain. Local groups are not " + "evaluated." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:564 ++#: src/config/SSSDConfig/sssdoptions.py:566 + msgid "Base for home directories" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:565 ++#: src/config/SSSDConfig/sssdoptions.py:567 + msgid "Indicate if a home directory should be created for new users." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:566 ++#: src/config/SSSDConfig/sssdoptions.py:568 + msgid "Indicate if a home directory should be removed for deleted users." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:567 ++#: src/config/SSSDConfig/sssdoptions.py:569 + msgid "Specify the default permissions on a newly created home directory." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:568 ++#: src/config/SSSDConfig/sssdoptions.py:570 + msgid "The skeleton directory." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:569 ++#: src/config/SSSDConfig/sssdoptions.py:571 + msgid "The mail spool directory." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:570 ++#: src/config/SSSDConfig/sssdoptions.py:572 + msgid "The command that is run after a user is removed." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:573 ++#: src/config/SSSDConfig/sssdoptions.py:575 + msgid "The number of preforked proxy children." 
+ msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:576 ++#: src/config/SSSDConfig/sssdoptions.py:578 + msgid "The name of the NSS library to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:577 ++#: src/config/SSSDConfig/sssdoptions.py:579 + msgid "The name of the NSS library to use for hosts and networks lookups" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:578 ++#: src/config/SSSDConfig/sssdoptions.py:580 + msgid "Whether to look up canonical group name from cache if possible" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:581 ++#: src/config/SSSDConfig/sssdoptions.py:583 + msgid "PAM stack to use" + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:584 ++#: src/config/SSSDConfig/sssdoptions.py:586 + msgid "Path of passwd file sources." + msgstr "" + +-#: src/config/SSSDConfig/sssdoptions.py:585 ++#: src/config/SSSDConfig/sssdoptions.py:587 + msgid "Path of group file sources." + msgstr "" + +-- +2.21.3 + diff --git a/SOURCES/0051-po-update-translations.patch b/SOURCES/0051-po-update-translations.patch new file mode 100644 index 0000000..b9a1f3f --- /dev/null +++ b/SOURCES/0051-po-update-translations.patch 
@@ -0,0 +1,729 @@ +From 341c5e358180d8297276a38f3cf6eb9dbbbc6c62 Mon Sep 17 00:00:00 2001 +From: Weblate +Date: Thu, 18 Mar 2021 11:39:24 +0100 +Subject: [PATCH] po: update translations + +Currently translated at 2.8% (21 of 726 strings) + +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fi/ + +Translated using Weblate (Finnish) + +Currently translated at 2.5% (68 of 2643 strings) + +Translation: SSSD/sssd-manpage +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/fi/ + +Translated using Weblate (Chinese (Simplified) (zh_CN)) + +Currently translated at 100.0% (726 of 726 strings) + +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/zh_CN/ + +Translated using Weblate (Japanese) + +Currently translated at 100.0% (726 of 726 strings) + +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ja/ + +Translated using Weblate (French) + +Currently translated at 100.0% (726 of 726 strings) + +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/fr/ + +Translated using Weblate (Ukrainian) + +Currently translated at 100.0% (726 of 726 strings) + +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/uk/ + +Translated using Weblate (Polish) + +Currently translated at 100.0% (726 of 726 strings) + +Translation: SSSD/sssd +Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/pl/ +--- + po/fr.po | 45 ++++++++++++++------- + po/ja.po | 111 ++++++++++++++++++++++++---------------------------- + po/zh_CN.po | 38 +++++++++--------- + 3 files changed, 102 insertions(+), 92 deletions(-) + +diff --git a/po/fr.po b/po/fr.po +index e2e906d35..5edfcfd16 100644 +--- a/po/fr.po ++++ b/po/fr.po +@@ -11,21 +11,22 @@ + # Ludek Janda , 2020. #zanata + # Pavel Brezina , 2020. 
#zanata + # Jean-Baptiste Holcroft , 2020. ++# Sundeep Anand , 2021. + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" + "POT-Creation-Date: 2021-02-05 11:58+0100\n" +-"PO-Revision-Date: 2020-08-04 05:55+0000\n" +-"Last-Translator: Jean-Baptiste Holcroft \n" ++"PO-Revision-Date: 2021-03-18 10:39+0000\n" ++"Last-Translator: Sundeep Anand \n" + "Language-Team: French \n" ++"sssd-master/fr/>\n" + "Language: fr\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=2; plural=n > 1;\n" +-"X-Generator: Weblate 4.1.1\n" ++"X-Generator: Weblate 4.5.1\n" + + #: src/config/SSSDConfig/sssdoptions.py:20 + #: src/config/SSSDConfig/sssdoptions.py:21 +@@ -259,18 +260,24 @@ msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for passwd requests" + msgstr "" ++"Taille (en mégaoctets) de la table de données allouée dans le cache en " ++"mémoire rapide pour les demandes de mots de passe" + + #: src/config/SSSDConfig/sssdoptions.py:76 + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for group requests" + msgstr "" ++"Taille (en mégaoctets) de la table de données allouée dans le cache en " ++"mémoire rapide pour les requêtes de groupe" + + #: src/config/SSSDConfig/sssdoptions.py:77 + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for initgroups requests" + msgstr "" ++"Taille (en mégaoctets) de la table de données allouée dans le cache en " ++"mémoire rapide pour les demandes d'initgroups" + + #: src/config/SSSDConfig/sssdoptions.py:78 + msgid "" +@@ -395,11 +402,11 @@ msgstr "Quand le répondeur de PAM doit-il forcer une demande d'initgroupes" + + #: src/config/SSSDConfig/sssdoptions.py:107 + msgid "List of PAM services that are allowed to authenticate with GSSAPI." 
+-msgstr "" ++msgstr "Liste des services PAM qui sont autorisés à s'authentifier avec GSSAPI." + + #: src/config/SSSDConfig/sssdoptions.py:108 + msgid "Whether to match authenticated UPN with target user" +-msgstr "" ++msgstr "S'il faut faire correspondre l'UPN authentifié avec l'utilisateur cible" + + #: src/config/SSSDConfig/sssdoptions.py:111 + msgid "Whether to evaluate the time-based attributes in sudo rules" +@@ -588,12 +595,16 @@ msgid "" + "A comma-separated list of users to be excluded from recording, only when " + "scope=all" + msgstr "" ++"Une liste d'utilisateurs à exclure de l'enregistrement, séparés par des " ++"virgules, uniquement lorsque scope=all" + + #: src/config/SSSDConfig/sssdoptions.py:168 + msgid "" + "A comma-separated list of groups, members of which should be excluded from " + "recording, only when scope=all. " + msgstr "" ++"Une liste de groupes séparés par des virgules, dont les membres doivent être " ++"exclus de l'enregistrement, uniquement lorsque scope=all. 
" + + #: src/config/SSSDConfig/sssdoptions.py:172 + msgid "Identity provider" +@@ -640,9 +651,8 @@ msgid "Whether the domain is usable by the OS or by applications" + msgstr "Si le domaine est utilisable par l'OS ou par des applications" + + #: src/config/SSSDConfig/sssdoptions.py:185 +-#, fuzzy + msgid "Enable or disable the domain" +-msgstr "Activer ou désactiver le domaine des fichiers implicites" ++msgstr "Activer ou désactiver le domaine" + + #: src/config/SSSDConfig/sssdoptions.py:186 + msgid "Minimum user ID" +@@ -1202,6 +1212,7 @@ msgstr "Utiliser le port LDAPS pour les requêtes LDAP et Catalogue global" + #: src/config/SSSDConfig/sssdoptions.py:327 + msgid "Do not filter domain local groups from other domains" + msgstr "" ++"Ne pas filtrer les groupes locaux d'un domaine à partir d'autres domaines" + + #: src/config/SSSDConfig/sssdoptions.py:330 + #: src/config/SSSDConfig/sssdoptions.py:331 +@@ -1280,7 +1291,7 @@ msgstr "Active les principals d'entreprise" + + #: src/config/SSSDConfig/sssdoptions.py:351 + msgid "Enables using of subdomains realms for authentication" +-msgstr "" ++msgstr "Permet d'utiliser les domaines de sous-domaines pour l'authentification" + + #: src/config/SSSDConfig/sssdoptions.py:352 + msgid "A mapping from user names to Kerberos principal names" +@@ -1802,7 +1813,7 @@ msgstr "Combien d'entrées maximum à récupérer lors d'une demande de wildcard + + #: src/config/SSSDConfig/sssdoptions.py:494 + msgid "Set libldap debug level" +-msgstr "" ++msgstr "Définir le niveau de débogage de libldap" + + #: src/config/SSSDConfig/sssdoptions.py:497 + msgid "Policy to evaluate the password expiration" +@@ -2368,14 +2379,16 @@ msgid "The path to the proxy command must be absolute\n" + msgstr "Le chemin vers la commande de proxy doit être absolue\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326 +-#, fuzzy, c-format ++#, c-format + msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n" +-msgstr "sss_ssh_knownhostsproxy : Impossible de 
résoudre le nom d'hôte %s\n" ++msgstr "" ++"sss_ssh_knownhostsproxy : impossible de transmettre des données par proxy : %" ++"s\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330 +-#, fuzzy, c-format ++#, c-format + msgid "sss_ssh_knownhostsproxy: connect to host %s port %d: %s\n" +-msgstr "sss_ssh_knownhostsproxy : Impossible de résoudre le nom d'hôte %s\n" ++msgstr "sss_ssh_knownhostsproxy : se connecter à l'hôte %s port %d: %s\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:334 + #, c-format +@@ -3052,6 +3065,10 @@ msgid "" + "where the main config file is located. For example if the config is set to " + "\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)" + msgstr "" ++"Spécifiez un répertoire (dir) de snippet non par défaut (par défaut, il doit " ++"se trouver au même endroit que le fichier de configuration principal. Par " ++"exemple, si la configuration est définie sur \"/my/path/sssd.conf\", le " ++"répertoire d'extrait \"/my/path/conf.d\" sera utilisé)" + + #: src/tools/sssctl/sssctl_config.c:118 + #, c-format +diff --git a/po/ja.po b/po/ja.po +index 25b456e8d..1a5341757 100644 +--- a/po/ja.po ++++ b/po/ja.po +@@ -8,21 +8,22 @@ + # Keiko Moriguchi , 2019. #zanata + # Ludek Janda , 2020. #zanata + # Pavel Brezina , 2020. #zanata ++# Sundeep Anand , 2021. 
+ msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" + "POT-Creation-Date: 2021-02-05 11:58+0100\n" +-"PO-Revision-Date: 2020-07-22 07:46-0400\n" +-"Last-Translator: Copied by Zanata \n" +-"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/" +-"ja/)\n" ++"PO-Revision-Date: 2021-03-18 10:39+0000\n" ++"Last-Translator: Sundeep Anand \n" ++"Language-Team: Japanese \n" + "Language: ja\n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=1; plural=0;\n" +-"X-Generator: Zanata 4.6.2\n" ++"X-Generator: Weblate 4.5.1\n" + + #: src/config/SSSDConfig/sssdoptions.py:20 + #: src/config/SSSDConfig/sssdoptions.py:21 +@@ -85,9 +86,7 @@ msgstr "" + msgid "" + "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " + "version 2." +-msgstr "" +-"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +-"version 2." ++msgstr "設定ファイルの構文を示します。SSSD 0.6.0 以降はバージョン 2 を使用します。" + + #: src/config/SSSDConfig/sssdoptions.py:39 + msgid "SSSD Services to start" +@@ -161,27 +160,25 @@ msgid "" + "this, and will fall back to polling resolv.conf every five seconds if " + "inotify cannot be used." + msgstr "" +-"SSSD monitors the state of resolv.conf to identify when it needs to update " +-"its internal DNS resolver. By default, we will attempt to use inotify for " +-"this, and will fall back to polling resolv.conf every five seconds if " +-"inotify cannot be used." 
++"SSSD は、内部 DNSリゾルバーを更新する必要があるときを識別するために resolv.conf の状態を監視します。デフォルトでは、inotify " ++"の使用を試行します。また、inotify が使用できない場合は、5 秒ごとに resolv.conf のポーリングにフォールバックします。" + + #: src/config/SSSDConfig/sssdoptions.py:59 + msgid "Enumeration cache timeout length (seconds)" +-msgstr "列挙キャッシュのタイムアウト(秒)" ++msgstr "列挙キャッシュのタイムアウト (秒)" + + #: src/config/SSSDConfig/sssdoptions.py:60 + msgid "Entry cache background update timeout length (seconds)" +-msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)" ++msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間 (秒)" + + #: src/config/SSSDConfig/sssdoptions.py:61 + #: src/config/SSSDConfig/sssdoptions.py:117 + msgid "Negative cache timeout length (seconds)" +-msgstr "ネガティブキャッシュのタイムアウト(秒)" ++msgstr "ネガティブキャッシュのタイムアウト (秒)" + + #: src/config/SSSDConfig/sssdoptions.py:62 + msgid "Files negative cache timeout length (seconds)" +-msgstr "ファイルネガティブキャッシュのタイムアウト時間(秒)" ++msgstr "ファイルネガティブキャッシュのタイムアウト時間 (秒)" + + #: src/config/SSSDConfig/sssdoptions.py:63 + msgid "Users that SSSD should explicitly ignore" +@@ -243,19 +240,19 @@ msgstr "メモリー内のキャッシュレコードが有効な期間" + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for passwd requests" +-msgstr "" ++msgstr "パスワード要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)" + + #: src/config/SSSDConfig/sssdoptions.py:76 + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for group requests" +-msgstr "" ++msgstr "グループ要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)" + + #: src/config/SSSDConfig/sssdoptions.py:77 + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for initgroups requests" +-msgstr "" ++msgstr "initgroups 要求の高速インメモリーキャッシュ内で割り当てられるデータテーブルのサイズ (メガバイト)" + + #: src/config/SSSDConfig/sssdoptions.py:78 + msgid "" +@@ -277,13 +274,12 @@ msgid "" + "if they are requested beyond a percentage of the entry_cache_timeout value " + "for the domain." 
+ msgstr "" +-"The entry cache can be set to automatically update entries in the background " +-"if they are requested beyond a percentage of the entry_cache_timeout value " +-"for the domain." ++"エントリーキャッシュは、ドメインの entry_cache_timeout " ++"値のパーセントを超えるリクエストが行われた場合に、バックグラウンドでエントリーを自動的に更新するように設定できます。" + + #: src/config/SSSDConfig/sssdoptions.py:87 + msgid "How long to allow cached logins between online logins (days)" +-msgstr "オンラインログイン中にキャッシュによるログインが許容される期間(日数)" ++msgstr "オンラインログイン中にキャッシュによるログインが許容される期間 (日数)" + + #: src/config/SSSDConfig/sssdoptions.py:88 + msgid "How many failed logins attempts are allowed when offline" +@@ -293,7 +289,7 @@ msgstr "オフラインの時に許容されるログイン試行失敗回数" + msgid "" + "How long (minutes) to deny login after offline_failed_login_attempts has " + "been reached" +-msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間(分)" ++msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間 (分)" + + #: src/config/SSSDConfig/sssdoptions.py:91 + msgid "What kind of messages are displayed to the user during authentication" +@@ -362,11 +358,11 @@ msgstr "PAM レスポンダーが initgroups リクエストを強制すると + + #: src/config/SSSDConfig/sssdoptions.py:107 + msgid "List of PAM services that are allowed to authenticate with GSSAPI." +-msgstr "" ++msgstr "GSSAPI での認証が許可される PAM サービスの一覧。" + + #: src/config/SSSDConfig/sssdoptions.py:108 + msgid "Whether to match authenticated UPN with target user" +-msgstr "" ++msgstr "ターゲットユーザーと認証された UPN に一致するかどうか" + + #: src/config/SSSDConfig/sssdoptions.py:111 + msgid "Whether to evaluate the time-based attributes in sudo rules" +@@ -540,13 +536,13 @@ msgstr "" + msgid "" + "A comma-separated list of users to be excluded from recording, only when " + "scope=all" +-msgstr "" ++msgstr "録画から除外されるユーザーのコンマ区切りリスト。scope=all の場合のみ" + + #: src/config/SSSDConfig/sssdoptions.py:168 + msgid "" + "A comma-separated list of groups, members of which should be excluded from " + "recording, only when scope=all. 
" +-msgstr "" ++msgstr "scope=all の場合にのみ記録から除外されるべきメンバーから成るグループのコンマ区切りリスト。 " + + #: src/config/SSSDConfig/sssdoptions.py:172 + msgid "Identity provider" +@@ -593,9 +589,8 @@ msgid "Whether the domain is usable by the OS or by applications" + msgstr "OS またはアプリケーションがドメインを使用できるかどうか" + + #: src/config/SSSDConfig/sssdoptions.py:185 +-#, fuzzy + msgid "Enable or disable the domain" +-msgstr "暗黙のファイルドメインを有効化または無効化する" ++msgstr "ドメインを有効または無効にする" + + #: src/config/SSSDConfig/sssdoptions.py:186 + msgid "Minimum user ID" +@@ -630,7 +625,7 @@ msgstr "グループ検索にグループメンバーを含めない" + #: src/config/SSSDConfig/sssdoptions.py:207 + #: src/config/SSSDConfig/sssdoptions.py:208 + msgid "Entry cache timeout length (seconds)" +-msgstr "エントリーキャッシュのタイムアウト長(秒)" ++msgstr "エントリーキャッシュのタイムアウト長 (秒)" + + #: src/config/SSSDConfig/sssdoptions.py:193 + msgid "" +@@ -655,7 +650,7 @@ msgstr "単一の DNS クエリーの解決を試行する時間 (秒)" + + #: src/config/SSSDConfig/sssdoptions.py:198 + msgid "How long to wait for replies from DNS when resolving servers (seconds)" +-msgstr "サーバーを名前解決する時に DNS から応答を待つ時間(秒)" ++msgstr "サーバーを名前解決する時に DNS から応答を待つ時間 (秒)" + + #: src/config/SSSDConfig/sssdoptions.py:199 + msgid "The domain part of service discovery DNS query" +@@ -734,7 +729,7 @@ msgstr "ユーザーにプライベートグループを自動的に作成する + + #: src/config/SSSDConfig/sssdoptions.py:224 + msgid "Display a warning N days before the password expires." +-msgstr "Display a warning N days before the password expires." ++msgstr "パスワードの期限が切れる N 日前の警告を表示します。" + + #: src/config/SSSDConfig/sssdoptions.py:225 + msgid "" +@@ -894,7 +889,7 @@ msgstr "ネットグループの NIS ドメイン名を含む LDAP 属性。" + + #: src/config/SSSDConfig/sssdoptions.py:270 + msgid "The LDAP attribute that contains the names of the netgroup's members." +-msgstr "The LDAP attribute that contains the names of the netgroup's members." 
++msgstr "ネットグループのメンバーの名前を含む LDAP 属性。" + + #: src/config/SSSDConfig/sssdoptions.py:271 + msgid "" +@@ -1105,7 +1100,7 @@ msgstr "LDAP およびグローバルカタログのリクエストに LDAPS ポ + + #: src/config/SSSDConfig/sssdoptions.py:327 + msgid "Do not filter domain local groups from other domains" +-msgstr "" ++msgstr "他のドメインからのドメインローカルグループをフィルターしない" + + #: src/config/SSSDConfig/sssdoptions.py:330 + #: src/config/SSSDConfig/sssdoptions.py:331 +@@ -1182,7 +1177,7 @@ msgstr "エンタープライズ・プリンシパルの有効化" + + #: src/config/SSSDConfig/sssdoptions.py:351 + msgid "Enables using of subdomains realms for authentication" +-msgstr "" ++msgstr "認証にサブドメインレルムの使用を有効化" + + #: src/config/SSSDConfig/sssdoptions.py:352 + msgid "A mapping from user names to Kerberos principal names" +@@ -1432,7 +1427,7 @@ msgstr "ID マッピングの Active Directory プライマリーグループ属 + + #: src/config/SSSDConfig/sssdoptions.py:424 + msgid "User principal attribute (for Kerberos)" +-msgstr "ユーザープリンシパルの属性(Kerberos 用)" ++msgstr "ユーザープリンシパルの属性 (Kerberos 用)" + + #: src/config/SSSDConfig/sssdoptions.py:425 + msgid "Full Name" +@@ -1688,7 +1683,7 @@ msgstr "ワイルドカードの要求の間に取得する最大エントリー + + #: src/config/SSSDConfig/sssdoptions.py:494 + msgid "Set libldap debug level" +-msgstr "" ++msgstr "libldap デバッグレベルの設定" + + #: src/config/SSSDConfig/sssdoptions.py:497 + msgid "Policy to evaluate the password expiration" +@@ -1893,9 +1888,7 @@ msgstr "禁止ユーザーのカンマ区切り一覧" + msgid "" + "Comma separated list of groups that are allowed to log in. This applies only " + "to groups within this SSSD domain. Local groups are not evaluated." +-msgstr "" +-"Comma separated list of groups that are allowed to log in. This applies only " +-"to groups within this SSSD domain. Local groups are not evaluated." ++msgstr "ログインが許可されるグループのカンマ区切りの一覧。これは、SSSDドメイン内のグループにのみ適用されます。ローカルグループは評価されません。" + + #: src/config/SSSDConfig/sssdoptions.py:560 + msgid "" +@@ -1903,9 +1896,8 @@ msgid "" + "applies only to groups within this SSSD domain. Local groups are not " + "evaluated." 
+ msgstr "" +-"Comma separated list of groups that are explicitly denied access. This " +-"applies only to groups within this SSSD domain. Local groups are not " +-"evaluated." ++"排他的にアクセスが拒否されたグループのカンマ区切りの一覧。これは、この SSSD " ++"ドメイン内のグループにのみ適用されます。ローカルグループは評価されません。" + + #: src/config/SSSDConfig/sssdoptions.py:564 + msgid "Base for home directories" +@@ -1959,19 +1951,19 @@ msgstr "使用する PAM スタック" + + #: src/config/SSSDConfig/sssdoptions.py:584 + msgid "Path of passwd file sources." +-msgstr "passwd ファイルソースへのパス" ++msgstr "passwd ファイルソースへのパス。" + + #: src/config/SSSDConfig/sssdoptions.py:585 + msgid "Path of group file sources." +-msgstr "グループファイルソースへのパス" ++msgstr "グループファイルソースへのパス。" + + #: src/monitor/monitor.c:2381 + msgid "Become a daemon (default)" +-msgstr "デーモンとして実行(デフォルト)" ++msgstr "デーモンとして実行 (デフォルト)" + + #: src/monitor/monitor.c:2383 + msgid "Run interactive (not a daemon)" +-msgstr "対話的に実行(デーモンではない)" ++msgstr "対話的に実行 (デーモンではない)" + + #: src/monitor/monitor.c:2386 + msgid "Disable netlink interface" +@@ -2092,7 +2084,7 @@ msgstr "エラーの説明を検索中に予期しないエラーが発生しま + + #: src/sss_client/pam_sss.c:68 + msgid "Permission denied. " +-msgstr "パーミッションが拒否されました。" ++msgstr "パーミッションが拒否されました。 " + + #: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:785 + #: src/sss_client/pam_sss.c:796 +@@ -2143,7 +2135,7 @@ msgstr "" + + #: src/sss_client/pam_sss.c:782 src/sss_client/pam_sss.c:795 + msgid "Password change failed. 
" +-msgstr "パスワードの変更に失敗しました。" ++msgstr "パスワードの変更に失敗しました。 " + + #: src/sss_client/pam_sss.c:2044 + msgid "New Password: " +@@ -2236,14 +2228,14 @@ msgid "The path to the proxy command must be absolute\n" + msgstr "プロキシコマンドへのパスは絶対パスにする必要があります\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326 +-#, fuzzy, c-format ++#, c-format + msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n" +-msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n" ++msgstr "sss_ssh_knownhostsproxy: データをプロキシーできません: %s\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330 +-#, fuzzy, c-format ++#, c-format + msgid "sss_ssh_knownhostsproxy: connect to host %s port %d: %s\n" +-msgstr "sss_ssh_knownhostsproxy: ホスト名 %s を解決できませんでした\n" ++msgstr "sss_ssh_knownhostsproxy: ホスト %s ポート %d に接続: %s\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:334 + #, c-format +@@ -2644,8 +2636,7 @@ msgid "" + "Set an attribute to a name/value pair. The format is attrname=value. For " + "multi-valued attributes, the command replaces the values already present" + msgstr "" +-"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属" +-"性の場合、コマンドがすでに存在する値に置き換えられます。" ++"名前/値のペアに属性を指定します。形式は attrname=value です。複数の値を持つ属性の場合、コマンドがすでに存在する値に置き換えられます" + + #: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 + #: src/tools/sss_usermod.c:135 +@@ -2660,9 +2651,7 @@ msgstr "変更するユーザーを指定してください\n" + msgid "" + "Cannot find user in local domain, modifying users is allowed only in local " + "domain\n" +-msgstr "" +-"ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメイ" +-"ンにおいてのみ許可されます。\n" ++msgstr "ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメインにおいてのみ許可されます\n" + + #: src/tools/sss_usermod.c:322 + msgid "Could not modify user - check if group names are correct\n" +@@ -2841,7 +2830,7 @@ msgstr "SSSD は再起動が必要です。SSSD を今、再起動しますか?" 
+ #: src/tools/sssctl/sssctl_cache.c:31 + #, c-format + msgid " %s is not present in cache.\n" +-msgstr " %s はキャッシュにありません\n" ++msgstr " %s はキャッシュにありません。\n" + + #: src/tools/sssctl/sssctl_cache.c:33 + msgid "Name" +@@ -2904,6 +2893,8 @@ msgid "" + "where the main config file is located. For example if the config is set to " + "\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)" + msgstr "" ++"デフォルト以外のスニペットディレクトリーを指定します (デフォルトでは、メインの設定ファイルが存在する場所と同じ場所を検索します)。たとえば、設定が \"" ++"/my/path/sssd.conf\" に設定されている場合は、スニペット dir \"/my/path/conf.d\" が使用されます" + + #: src/tools/sssctl/sssctl_config.c:118 + #, c-format +diff --git a/po/zh_CN.po b/po/zh_CN.po +index ee38f25e3..e3f018d97 100644 +--- a/po/zh_CN.po ++++ b/po/zh_CN.po +@@ -7,13 +7,14 @@ + # Ludek Janda , 2020. #zanata + # Pavel Brezina , 2020. #zanata + # Charles Lee , 2020. ++# Sundeep Anand , 2021. + msgid "" + msgstr "" + "Project-Id-Version: PACKAGE VERSION\n" + "Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" + "POT-Creation-Date: 2021-02-05 11:58+0100\n" +-"PO-Revision-Date: 2020-08-20 14:29+0000\n" +-"Last-Translator: Charles Lee \n" ++"PO-Revision-Date: 2021-03-18 10:39+0000\n" ++"Last-Translator: Sundeep Anand \n" + "Language-Team: Chinese (Simplified) \n" + "Language: zh_CN\n" +@@ -21,7 +22,7 @@ msgstr "" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" + "Plural-Forms: nplurals=1; plural=0;\n" +-"X-Generator: Weblate 4.1.1\n" ++"X-Generator: Weblate 4.5.1\n" + + #: src/config/SSSDConfig/sssdoptions.py:20 + #: src/config/SSSDConfig/sssdoptions.py:21 +@@ -230,19 +231,19 @@ msgstr "内存缓存记录有效期的长度" + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for passwd requests" +-msgstr "" ++msgstr "为 passwd 请求在快速内存缓存(in-memory cache)中分配的数据表的大小(以 MB 为单位)" + + #: src/config/SSSDConfig/sssdoptions.py:76 + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for group requests" 
+-msgstr "" ++msgstr "为组请求在快速内存缓存(in-memory cache)中分配的数据表的大小(以 MB 为单位)" + + #: src/config/SSSDConfig/sssdoptions.py:77 + msgid "" + "Size (in megabytes) of the data table allocated inside fast in-memory cache " + "for initgroups requests" +-msgstr "" ++msgstr "为 initgroups 请求在快速内存缓存(in-memory cache)中分配的数据表的大小(以 MB 为单位)" + + #: src/config/SSSDConfig/sssdoptions.py:78 + msgid "" +@@ -349,11 +350,11 @@ msgstr "什么时候 PAM 响应者要强制发起 initgroups 请求?" + + #: src/config/SSSDConfig/sssdoptions.py:107 + msgid "List of PAM services that are allowed to authenticate with GSSAPI." +-msgstr "" ++msgstr "允许使用 GSSAPI 验证的 PAM 服务列表。" + + #: src/config/SSSDConfig/sssdoptions.py:108 + msgid "Whether to match authenticated UPN with target user" +-msgstr "" ++msgstr "是否与目标用户匹配认证的 UPN" + + #: src/config/SSSDConfig/sssdoptions.py:111 + msgid "Whether to evaluate the time-based attributes in sudo rules" +@@ -517,13 +518,13 @@ msgstr "" + msgid "" + "A comma-separated list of users to be excluded from recording, only when " + "scope=all" +-msgstr "" ++msgstr "要从记录中排除的用逗号分开的用户列表,仅当 scope=all 时" + + #: src/config/SSSDConfig/sssdoptions.py:168 + msgid "" + "A comma-separated list of groups, members of which should be excluded from " + "recording, only when scope=all. 
" +-msgstr "" ++msgstr "用逗号分隔的组列表,其中的成员应不记录中排除,仅在 scope=all 时。 " + + #: src/config/SSSDConfig/sssdoptions.py:172 + msgid "Identity provider" +@@ -570,9 +571,8 @@ msgid "Whether the domain is usable by the OS or by applications" + msgstr "域是否可以被 OS 或应用程序使用" + + #: src/config/SSSDConfig/sssdoptions.py:185 +-#, fuzzy + msgid "Enable or disable the domain" +-msgstr "启用或禁用隐式文件域" ++msgstr "启用或禁用域" + + #: src/config/SSSDConfig/sssdoptions.py:186 + msgid "Minimum user ID" +@@ -1057,7 +1057,7 @@ msgstr "将 LDAPS 端口用于 LDAP 和 Global Catalog 请求" + + #: src/config/SSSDConfig/sssdoptions.py:327 + msgid "Do not filter domain local groups from other domains" +-msgstr "" ++msgstr "不要从其它域过滤域本地组" + + #: src/config/SSSDConfig/sssdoptions.py:330 + #: src/config/SSSDConfig/sssdoptions.py:331 +@@ -1134,7 +1134,7 @@ msgstr "启用企业主体" + + #: src/config/SSSDConfig/sssdoptions.py:351 + msgid "Enables using of subdomains realms for authentication" +-msgstr "" ++msgstr "启用使用子域域进行验证" + + #: src/config/SSSDConfig/sssdoptions.py:352 + msgid "A mapping from user names to Kerberos principal names" +@@ -1636,7 +1636,7 @@ msgstr "在通配符请求期间要提取多少个最大条目" + + #: src/config/SSSDConfig/sssdoptions.py:494 + msgid "Set libldap debug level" +-msgstr "" ++msgstr "设置 libldap debug 级别" + + #: src/config/SSSDConfig/sssdoptions.py:497 + msgid "Policy to evaluate the password expiration" +@@ -2172,9 +2172,9 @@ msgid "The path to the proxy command must be absolute\n" + msgstr "到 proxy 命令的路径必须是绝对路径\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:326 +-#, fuzzy, c-format ++#, c-format + msgid "sss_ssh_knownhostsproxy: unable to proxy data: %s\n" +-msgstr "sss_ssh_knownhostsproxy:无法解析主机名 %s\n" ++msgstr "sss_ssh_knownhostsproxy:无法到代理数据:%s\n" + + #: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:330 + #, c-format +@@ -2812,6 +2812,8 @@ msgid "" + "where the main config file is located. 
For example if the config is set to " + "\"/my/path/sssd.conf\", the snippet dir \"/my/path/conf.d\" is used)" + msgstr "" ++"指定非默认 snippet dir(默认为在主配置文件所在的相同位置查找)。例如,如果配置被设置为 \"/my/path/sssd.conf\", " ++"snippet dir 为 \"/my/path/conf.d\" )" + + #: src/tools/sssctl/sssctl_config.c:118 + #, c-format +@@ -3009,7 +3011,7 @@ msgstr "无法获取服务器列表\n" + + #: src/tools/sssctl/sssctl_logs.c:46 + msgid "\n" +-msgstr "" ++msgstr "\n" + + #: src/tools/sssctl/sssctl_logs.c:236 + msgid "Delete log files instead of truncating" +-- +2.21.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index c74441a..15e684b 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -25,7 +25,7 @@ %endif Name: sssd -Version: 2.3.0 +Version: 2.4.0 Release: 9%{?dist} Group: Applications/System Summary: System Security Services Daemon 
@@ -34,50 +34,57 @@ URL: https://pagure.io/SSSD/sssd/ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz ### Patches ### -Patch0001: 0001-ad_gpo_ndr.c-more-ndr-updates.patch -Patch0002: 0002-test-avoid-endian-issues-in-network-tests.patch -Patch0003: 0003-sssctl-sssctl-config-check-alternative-config-file.patch -Patch0004: 0004-DEBUG-only-open-child-process-log-files-when-require.patch -Patch0005: 0005-DEBUG-use-new-exec_child-_ex-interface-in-tests.patch -Patch0006: 0006-NEGCACHE-skip-permanent-entries-in-users-groups-rese.patch -Patch0007: 0007-util-inotify-fixed-CLANG_WARNING.patch -Patch0008: 0008-util-inotify-fixed-bug-in-inotify-event-processing.patch -Patch0009: 0009-Replaced-enter-with-insert.patch -Patch0010: 0010-NSS-client-preserve-errno-during-_nss_sss_end-calls.patch -Patch0011: 0011-ipa-add-failover-to-subdomain-override-lookups.patch -Patch0012: 0012-GPO-fix-link-order-in-a-SOM.patch -Patch0013: 0013-sysdb-make-sysdb_update_subdomains-more-robust.patch -Patch0014: 0014-ad-rename-ad_master_domain_-to-ad_domain_info_.patch -Patch0015: 0015-sysdb-make-new_subdomain-public.patch -Patch0016: 0016-ad-rename-ads_get_root_id_ctx-to-ads_get_dom_id_ctx.patch -Patch0017: 0017-ad-remove-unused-trust_type-from-ad_subdom_store.patch -Patch0018: 0018-ad-add-ad_check_domain_-send-recv.patch -Patch0019: 0019-ad-check-forest-root-directly-if-not-present-on-loca.patch -Patch0020: 0020-man-Document-invalid-selinux-context-for-homedirs.patch -Patch0021: 0021-pam_sss-add-SERVICE_IS_GDM_SMARTCARD.patch -Patch0022: 0022-pam_sss-special-handling-for-gdm-smartcard.patch -Patch0023: 0023-pam_sss-make-sure-old-certificate-data-is-removed-be.patch -Patch0024: 0024-systemtap-Missing-a-comma.patch -Patch0025: 0025-proxy-use-x-as-default-pwfield-only-for-sssd-shadowu.patch -Patch0026: 0026-files-allow-root-membership.patch -Patch0027: 0027-PAM-do-not-treat-error-for-cache-only-lookups-as-fat.patch -Patch0028: 
0028-mem-cache-sizes-of-free-and-data-tables-were-made-co.patch -Patch0029: 0029-NSS-make-memcache-size-configurable.patch -Patch0030: 0030-NSS-avoid-excessive-log-messages.patch -Patch0031: 0031-NSS-enhanced-debug-during-mem-cache-initialization.patch -Patch0032: 0032-mem-cache-added-log-message-in-case-cache-is-full.patch -Patch0033: 0033-NSS-make-memcache-size-configurable-in-megabytes.patch -Patch0034: 0034-mem-cache-comment-added.patch -Patch0035: 0035-mem-cache-always-cleanup-old-content.patch -Patch0036: 0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch -Patch0037: 0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch -Patch0038: 0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch -Patch0039: 0039-certmap-sanitize-LDAP-search-filter.patch -Patch0040: 0040-AD-Enforcing-GPO-rule-restriction-on-user.patch -Patch0041: 0041-man-clarify-AD-certificate-rule.patch -Patch0042: 0042-config-allow-prompting-options-in-configuration.patch -Patch0043: 0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch -Patch0044: 0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch +Patch0001: 0001-SYSDB-merge_res_sysdb_attrs-fixed-to-avoid-NULL-ptr-.patch +Patch0002: 0002-KCM-perf-improvements.patch +Patch0003: 0003-DEBUG-journal_send-was-made-static.patch +Patch0004: 0004-DEBUG-fixes-program-identifier-as-seen-in-syslog.patch +Patch0005: 0005-negcache-make-sure-domain-config-does-not-leak-into-.patch +Patch0006: 0006-utils-add-SSS_GND_SUBDOMAINS-flag-for-get_next_domai.patch +Patch0007: 0007-negcache-make-sure-short-names-are-added-to-sub-doma.patch +Patch0008: 0008-negcache-do-not-use-default_domain_suffix.patch +Patch0009: 0009-kcm-decode-base64-encoded-secret-on-upgrade-path.patch +Patch0010: 0010-nss-check-if-groups-are-filtered-during-initgroups.patch +Patch0011: 0011-ifp-fix-use-after-free.patch +Patch0012: 0012-ifp-fix-original-fix-use-after-free.patch +Patch0013: 0013-pam_sss-use-unique-id-for-gdm-choice-list.patch +Patch0014: 
0014-authtok-add-label-to-Smartcard-token.patch +Patch0015: 0015-pam_sss-add-certificate-label-to-reply-to-pam_sss.patch +Patch0016: 0016-add-tests-multiple-certs-same-id.patch +Patch0017: 0017-data_provider_be-Add-random-offset-default.patch +Patch0018: 0018-data_provider_be-MAN-page-update.patch +Patch0019: 0019-logs-review.patch +Patch0020: 0020-sss_format.h-include-config.h.patch +Patch0021: 0021-packet-add-sss_packet_set_body.patch +Patch0022: 0022-domain-store-hostname-and-keytab-path.patch +Patch0023: 0023-cache_req-add-helper-to-call-user-by-upn-search.patch +Patch0024: 0024-pam-fix-typo-in-debug-message.patch +Patch0025: 0025-pam-add-pam_gssapi_services-option.patch +Patch0026: 0026-pam-add-pam_gssapi_check_upn-option.patch +Patch0027: 0027-pam-add-pam_sss_gss-module-for-gssapi-authentication.patch +Patch0028: 0028-cache_req-allow-cache_req-to-return-ERR_OFFLINE-if-a.patch +Patch0029: 0029-autofs-return-ERR_OFFLINE-if-we-fail-to-get-informat.patch +Patch0030: 0030-autofs-translate-ERR_OFFLINE-to-EHOSTDOWN.patch +Patch0031: 0031-autofs-disable-fast-reply.patch +Patch0032: 0032-autofs-correlate-errors-for-different-protocol-versi.patch +Patch0033: 0033-configure-check-for-stdatomic.h.patch +Patch0034: 0034-cache_req-ignore-autofs-not-configured-error.patch +Patch0035: 0035-simple-fix-memory-leak-while-reloading-lists.patch +Patch0036: 0036-SBUS-do-not-try-to-del-non-existing-sender.patch +Patch0037: 0037-pamsrv_gssapi-fix-implicit-conversion-warning.patch +Patch0038: 0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain.patch +Patch0039: 0039-pam_sss_gssapi-fix-coverity-issues.patch +Patch0040: 0040-sudo-runas-do-not-add-to-external-groups-in-IPA.patch +Patch0041: 0041-responders-add-callback-to-schedule_get_domains_task.patch +Patch0042: 0042-pam-refresh-certificate-maps-at-the-end-of-initial-d.patch +Patch0043: 0043-SBUS-set-sbus_name-before-dp_init_send.patch +Patch0044: 0044-pam_sss_gss-support-authentication-indicators.patch +Patch0045: 
0045-sudo-do-not-search-by-low-usn-value-to-improve-perfo.patch +Patch0046: 0046-ldap-fix-modifytimestamp-debugging-leftovers.patch +Patch0047: 0047-ssh-restore-default-debug-level.patch +Patch0048: 0048-pot-update-pot-files.patch +Patch0049: 0049-Update-the-translations-for-the-2.4.1-release.patch +Patch0050: 0050-pot-update-pot-files.patch +Patch0051: 0051-po-update-translations.patch ### Downstream Patches ### @@ -169,6 +176,7 @@ BuildRequires: systemtap-sdt-devel BuildRequires: libuuid-devel BuildRequires: jansson-devel BuildRequires: gdm-pam-extensions-devel +BuildRequires: po4a %description Provides a set of daemons to manage access to remote directories and @@ -202,6 +210,7 @@ Recommends: libsss_sudo = %{version}-%{release} Recommends: libsss_autofs%{?_isa} = %{version}-%{release} Recommends: sssd-nfs-idmap = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Requires(pre): shadow-utils %{?systemd_requires} @@ -258,6 +267,7 @@ Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: sssd-dbus %description tools @@ -312,6 +322,7 @@ Conflicts: sssd < 1.10.0-8.beta2 Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} %description ldap Provides the LDAP back end that the SSSD can utilize to fetch identity data 
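Review bot: The rewritten `### Patches ###` list drops every 2.3.0-era patch, including `0039-certmap-sanitize-LDAP-search-filter.patch`, `0040-AD-Enforcing-GPO-rule-restriction-on-user.patch` and `0044-GPO-respect-ad_gpo_implicit_deny-when-evaluation-rul.patch`, and nothing in the hunk records that the 2.4.0 tarball already contains those fixes. That is presumably the case for a rebase, but it cannot be checked from the spec alone, so it is worth confirming against the 2.4.0 sources before the build ships. Once confirmed, a line such as `# 2.3.0-9 patches 0001-0044 are contained in the 2.4.0 tarball` above `Patch0001` would keep the next reader from having to repeat the check.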
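Review bot: The `Requires: libsss_certmap = %{version}-%{release}` line added in the `@@ -202,6 +210,7 @@` hunk is not architecture-qualified, while other library dependencies in the same file are (`libsss_autofs%{?_isa}`, `libipa_hbac%{?_isa}`). On a multilib system an unqualified requirement can be satisfied by the other architecture's build, which would leave the certificate-mapping code without the library it needs; rhbz#1918433 in the changelog is presumably what these lines address. I would write `Requires: libsss_certmap%{?_isa} = %{version}-%{release}` here and in the identical additions in the `-258`, `-312`, `-362` and `-381` hunks. The existing `libsss_idmap` lines have the same gap, and the package sections these lines belong to start outside the hunks.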
@@ -362,6 +373,7 @@ Requires: samba-client-libs >= %{samba_package_version} Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: libipa_hbac%{?_isa} = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Requires: sssd-common-pac = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} @@ -381,6 +393,7 @@ Requires: sssd-common = %{version}-%{release} Requires: sssd-krb5-common = %{version}-%{release} Requires: sssd-common-pac = %{version}-%{release} Requires: libsss_idmap = %{version}-%{release} +Requires: libsss_certmap = %{version}-%{release} Recommends: bind-utils Recommends: adcli Suggests: sssd-libwbclient = %{version}-%{release} @@ -641,6 +654,7 @@ autoreconf -ivf --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ --disable-static \ --with-crypto=libcrypto \ + --with-libwbclient \ --disable-rpath \ --with-initscript=systemd \ --with-syslog=journald \ @@ -655,7 +669,7 @@ autoreconf -ivf make %{?_smp_mflags} all docs make -C po ja.gmo make -C po fr.gmo -make -C po zh_CN.po +make -C po zh_CN.gmo %check export CK_TIMEOUT_MULTIPLIER=10 @@ -975,6 +989,7 @@ done %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libnss_sss.so.2 %{_libdir}/security/pam_sss.so +%{_libdir}/security/pam_sss_gss.so %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so %dir %{_libdir}/cifs-utils @@ -985,6 +1000,7 @@ done %dir %{_libdir}/%{name}/modules %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so %{_mandir}/man8/pam_sss.8* +%{_mandir}/man8/pam_sss_gss.8* %{_mandir}/man8/sssd_krb5_locator_plugin.8* %files -n libsss_sudo 
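Review bot: The new `%{_libdir}/security/pam_sss_gss.so` entry in the `@@ -975,6 +989,7 @@` hunk installs a second authentication module next to `pam_sss.so`, and the spec says nothing about how it becomes active. Judging by the patch names in this update (`0025-pam-add-pam_gssapi_services-option`, `0038-gssapi-default-pam_gssapi_services-to-NULL-in-domain`) it should do nothing until a PAM stack references it and `pam_gssapi_services` is set, but that is inferred rather than shown here. A comment above the entry, for example `# GSSAPI PAM module; only used when added to a PAM stack and allowed via pam_gssapi_services`, would give anyone auditing installed PAM modules the pointer they need. The `%files` header for this entry and for the man page added in the following hunk is outside both hunks.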
@@ -1250,6 +1266,65 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Fri Mar 19 2021 Alexey Tikhonov - 2.4.0-9 +- Resolves: rhbz#1899712 - [sssd] RHEL 8.4 Tier 0 Localization + +* Fri Feb 12 2021 Alexey Tikhonov - 2.4.0-8 +- Resolves: rhbz#1926622 - Add support to verify authentication indicators in pam_sss_gss +- Resolves: rhbz#1926454 - First smart refresh query contains modifyTimestamp even if the modifyTimestamp is 0. +- Resolves: rhbz#1893159 - Default debug level should report all errors / failures (additional patch) + +* Tue Jan 26 2021 Alexey Tikhonov - 2.4.0-7 +- Resolves: rhbz#1920001 - Do not add '%' to group names already prefixed with '%' in IPA sudo rules +- Resolves: rhbz#1918433 - sssd unable to lookup certmap rules +- Resolves: rhbz#1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11 + +* Mon Jan 18 2021 Alexey Tikhonov - 2.4.0-6 +- Resolves: rhbz#1113639 - autofs: return a connection failure until maps have been fetched +- Resolves: rhbz#1915395 - Memory leak in the simple access provider +- Resolves: rhbz#1915319 - SSSD: SBUS: failures during servers startup +- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication (additional patches) + +* Mon Dec 28 2020 Alexey Tikhonov - 2.4.0-5 +- Resolves: rhbz#1631410 - Can't login with smartcard with multiple certs having same ID value +- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff (additional patches) +- Resolves: rhbz#1893159 - Default debug level should report all errors / failures +- Resolves: rhbz#1893698 - [RFE] sudo kerberos authentication + +* Mon Dec 21 2020 Alexey Tikhonov - 2.4.0-4 +- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process +- Resolves: rhbz#1876658 - filter_groups option partially filters the group from 'id' output of the user because gidNumber still appears in 'id' output [RHEL 8] +- Resolves: rhbz#1895001 - User lookups over the InfoPipe 
responder fail intermittently + +* Mon Dec 07 2020 Alexey Tikhonov - 2.4.0-3 +- Resolves: rhbz#1900733 - sssd_be segfaults at be_refresh_get_values_ex() due to NULL ptrs in results of sysdb_search_with_ts_attr() +- Resolves: rhbz#1876514 - High CPU utilization by the sssd_kcm process +- Resolves: rhbz#1894540 - sssd component logging is now too generic in syslog/journal +- Resolves: rhbz#1828483 - filtered ID is appearing due to strange negative cache behavior + +* Thu Nov 12 2020 Alexey Tikhonov - 2.4.0-2 +- This is to bump version to allow rebuild against rebased libldb. + +* Fri Oct 23 2020 Alexey Tikhonov - 2.4.0-1 +- Resolves: rhbz#1881992 - Rebase SSSD for RHEL 8.4 +- Resolves: rhbz#1722842 - sssd-kcm does not store TGT with ssh login using GSSAPI +- Resolves: rhbz#1734040 - sssd crash in ad_get_account_domain_search() +- Resolves: rhbz#1784459 - [RFE] tlog does not allow to exclude some users from session recording +- Resolves: rhbz#1791300 - sporadic sssd_be crash on s390x +- Resolves: rhbz#1817122 - 'getent group ldapgroupname' doesn't show any LDAP users or some LDAP users when 'rfc2307bis' schema is used with SSSD. 
+- Resolves: rhbz#1819012 - [RFE] Improve AD site discovery process +- Resolves: rhbz#1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL +- Resolves: rhbz#1873715 - automount sssd issue when 2 automount maps have the same key (one un uppercase, one in lowercase) +- Resolves: rhbz#1879860 - correction in sssd.conf:pam_response_filter man page +- Resolves: rhbz#1881336 - [RFE] sssd-ldap man page modification for parameter "ldap_referrals" +- Resolves: rhbz#1883488 - [RfE] Implement a new sssd.conf option to disable the filter for AD domain local groups from trusted domains +- Resolves: rhbz#1884196 - [RFE] Add "enabled" option to domain section in config file +- Resolves: rhbz#1884205 - KCM: Increase client idle timeout to 5 minutes +- Resolves: rhbz#1884207 - [RFE] ldap: add new option ldap_library_debug_level +- Resolves: rhbz#1884213 - [RFE] add offline_timeout_max config option to control offline interval backoff +- Resolves: rhbz#1884281 - Secondary LDAP group go missing from 'id' command +- Resolves: rhbz#1884301 - [RFE] dyndns: suport asymmetric auth for nsupdate + * Mon Sep 14 2020 Alexey Tikhonov - 2.3.0-9 - Resolves: rhbz#1855323 - When ad_gpo_implicit_deny is True, it is permitting users to login when no gpo is applied