From a36f5fea4be5439ada086266f68c2be5c9c8a57d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 11 Jun 2018 12:19:53 +0200
Subject: [PATCH] New upstream release 1.16.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
---
.gitignore | 1 +
0001-IPA-Handle-empty-nisDomainName.patch | 87 ---
0002-intg-enhance-netgroups-test.patch | 85 ---
...db-transaction-from-sss_ldb_modify_p.patch | 94 ---
...-Take-into-consideration-app-domains.patch | 44 --
...ESTS-Move-get_call_output-to-util.py.patch | 66 --
...all_output-more-flexible-about-the-s.patch | 40 -
...d-a-basic-test-of-sssctl-domain-list.patch | 73 --
...adb-when-dealing-with-sss_iobuf-data.patch | 67 --
...-KCM-Remove-mem_ctx-from-kcm_new_req.patch | 50 --
...-Introduce-kcm_input_get_payload_len.patch | 61 --
...e-2048-as-fixed-size-for-the-payload.patch | 243 ------
...st-REPLY_MAX-to-the-one-used-in-krb5.patch | 55 --
...results-returned-as-bytes-to-strings.patch | 48 --
...ix-typo-in-ccdb_sec_delete_list_done.patch | 34 -
...he-number-of-found-items-after-we-ha.patch | 45 --
...ng-an-entry-as-expired-also-set-the-.patch | 120 ---
...-store-rules-without-sudoHost-attrib.patch | 39 -
...pletely-replace-old-object-instead-o.patch | 100 ---
...-shutdown-messages-for-socket-activa.patch | 46 --
...lify-the-externalUser-sudo-attribute.patch | 70 --
...oup-setnetgrent-cache-lifetime-if-mi.patch | 56 --
...passwd_files-and-group_files-options.patch | 165 ----
...-FILES-Handle-files-provider-sources.patch | 721 ------------------
...-test-for-the-multiple-files-feature.patch | 123 ---
0025-AD-Missing-header-in-ad_access.h.patch | 30 -
..._options-to-ad_gpo_process_som_state.patch | 65 --
0027-GPO-Use-AD-site-override-if-set.patch | 79 --
...ze-nss_enum_index-in-nss_setnetgrent.patch | 36 -
...oup-counter-to-struct-nss_enum_index.patch | 116 ---
...g-help-even-when-sssd-not-configured.patch | 101 ---
...k-for-version-error-to-correct-place.patch | 90 ---
...map-man-page-regarding-priority-proc.patch | 35 -
...e-a-DEBUG-message-about-GC-detection.patch | 42 -
...-MAN-Improve-docs-about-GC-detection.patch | 34 -
0035-nss-idmap-do-not-set-a-limit.patch | 34 -
...ght-group-list-pointer-after-sss_get.patch | 69 --
...-NSS-Add-InvalidateGroupById-handler.patch | 177 -----
...dd-dp_sbus_invalidate_group_memcache.patch | 91 ---
0039-ERRORS-Add-ERR_GID_DUPLICATED.patch | 49 --
...-sdap_opts-structure-with-a-data-pro.patch | 380 ---------
...ndle_id_collision_for_incomplete_gro.patch | 95 ---
...ndle-group-id-collision-when-renamin.patch | 129 ----
...out-on-id-collision-when-adding-an-i.patch | 64 --
...egration-test-for-renaming-incomplet.patch | 194 -----
...incomplete_group-now-returns-EEXIST-.patch | 119 ---
...ch-principal-does-the-AD-provider-us.patch | 47 --
0047-GPO-Fix-bug-with-empty-GPO-rules.patch | 77 --
...rwrite-and-actually-remove-files_ctx.patch | 88 ---
0049-FILES-Reduce-code-duplication.patch | 310 --------
...he-domain-status-back-even-on-errors.patch | 75 --
...-Skip-files-that-are-not-created-yet.patch | 145 ----
...the-request-for-update-if-the-files-.patch | 41 -
...CA-to-generate-certificates-for-test.patch | 551 -------------
...TESTS-replace-hardcoded-certificates.patch | 365 ---------
...retry-logic-into-a-separate-function.patch | 63 --
0056-DYNDNS-Retry-also-on-timeouts.patch | 65 --
...DAP-schema-is-overriden-with-the-AD-.patch | 50 --
...k-non-POSIX-groups-for-GID-conflicts.patch | 144 ----
...cating-external-groups-on-a-long-liv.patch | 56 --
...-fail-the-domain-locator-plugin-if-I.patch | 124 ---
...netgroup_hash_table-do-not-free-data.patch | 52 --
...andle-name-gid-override-when-using-d.patch | 218 ------
...est_ca-add-empty-index.txt.attr-file.patch | 42 -
sources | 2 +-
sssd.spec | 91 +--
66 files changed, 26 insertions(+), 7142 deletions(-)
delete mode 100644 0001-IPA-Handle-empty-nisDomainName.patch
delete mode 100644 0002-intg-enhance-netgroups-test.patch
delete mode 100644 0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
delete mode 100644 0004-TOOLS-Take-into-consideration-app-domains.patch
delete mode 100644 0005-TESTS-Move-get_call_output-to-util.py.patch
delete mode 100644 0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
delete mode 100644 0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
delete mode 100644 0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
delete mode 100644 0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
delete mode 100644 0010-KCM-Introduce-kcm_input_get_payload_len.patch
delete mode 100644 0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
delete mode 100644 0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
delete mode 100644 0013-intg-convert-results-returned-as-bytes-to-strings.patch
delete mode 100644 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
delete mode 100644 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
delete mode 100644 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
delete mode 100644 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
delete mode 100644 0018-sysdb-custom-completely-replace-old-object-instead-o.patch
delete mode 100644 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
delete mode 100644 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
delete mode 100644 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
delete mode 100644 0022-CONFDB-Add-passwd_files-and-group_files-options.patch
delete mode 100644 0023-FILES-Handle-files-provider-sources.patch
delete mode 100644 0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
delete mode 100644 0025-AD-Missing-header-in-ad_access.h.patch
delete mode 100644 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
delete mode 100644 0027-GPO-Use-AD-site-override-if-set.patch
delete mode 100644 0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
delete mode 100644 0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
delete mode 100644 0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
delete mode 100644 0031-sssctl-move-check-for-version-error-to-correct-place.patch
delete mode 100644 0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
delete mode 100644 0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
delete mode 100644 0034-MAN-Improve-docs-about-GC-detection.patch
delete mode 100644 0035-nss-idmap-do-not-set-a-limit.patch
delete mode 100644 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
delete mode 100644 0037-NSS-Add-InvalidateGroupById-handler.patch
delete mode 100644 0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
delete mode 100644 0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
delete mode 100644 0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
delete mode 100644 0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch
delete mode 100644 0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
delete mode 100644 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
delete mode 100644 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
delete mode 100644 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
delete mode 100644 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
delete mode 100644 0047-GPO-Fix-bug-with-empty-GPO-rules.patch
delete mode 100644 0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch
delete mode 100644 0049-FILES-Reduce-code-duplication.patch
delete mode 100644 0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
delete mode 100644 0051-FILES-Skip-files-that-are-not-created-yet.patch
delete mode 100644 0052-FILES-Only-send-the-request-for-update-if-the-files-.patch
delete mode 100644 0053-TESTS-simple-CA-to-generate-certificates-for-test.patch
delete mode 100644 0054-TESTS-replace-hardcoded-certificates.patch
delete mode 100644 0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch
delete mode 100644 0056-DYNDNS-Retry-also-on-timeouts.patch
delete mode 100644 0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
delete mode 100644 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
delete mode 100644 0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
delete mode 100644 0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
delete mode 100644 0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
delete mode 100644 0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
delete mode 100644 0063-test_ca-add-empty-index.txt.attr-file.patch
diff --git a/.gitignore b/.gitignore
index ec20057..f225b9b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -79,3 +79,4 @@ sssd-1.2.91.tar.gz
/sssd-1.15.3.tar.gz
/sssd-1.16.0.tar.gz
/sssd-1.16.1.tar.gz
+/sssd-1.16.2.tar.gz
diff --git a/0001-IPA-Handle-empty-nisDomainName.patch b/0001-IPA-Handle-empty-nisDomainName.patch
deleted file mode 100644
index 5bdca99..0000000
--- a/0001-IPA-Handle-empty-nisDomainName.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From f9b7073e5cd057cf961b34f99ea1dff0c86b5b6a Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 17 Nov 2017 20:15:34 +0100
-Subject: [PATCH 01/15] IPA: Handle empty nisDomainName
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3573
-
-If nisdomain=, i.e. a blank NIS domain name, sssd was not processing the
-netgroup at all. This is not in agreement with man innetgr which says "Any of
-the elements in a triple can be empty, which means that anything matches. The
-functions described here allow access to the netgroup databases".
-
-This patch instead returns an empty domain as well, which eventually
-produces the same output as if the netgroup was requested from the
-compat tree.
-
-To reproduce the bug:
-$ ipa netgroup-add
-Netgroup name: emptydom
--------------------------
-Added netgroup "emptydom"
--------------------------
- Netgroup name: emptydom
- NIS domain name: ipa.test
- IPA unique ID: 164bc15a-f4b3-11e7-acdb-525400ca6df3
-$ ipa netgroup-add-member
-Netgroup name: emptydom
-[member user]: admin
-[member group]:
-[member host]:
-[member host group]:
-[member netgroup]:
- Netgroup name: emptydom
- NIS domain name: ipa.test
- Member User: admin
--------------------------
-Number of members added 1
--------------------------
-$ ipa netgroup-mod --nisdomain="" emptydom
-----------------------------
-Modified netgroup "emptydom"
-----------------------------
- Netgroup name: emptydom
- Member User: admin
-
-Then run:
- getent negroup emptydom
-without the patch, the netgroup won't be resolvable. It will resolve to
-a netgroup triple that looks like this after the patch:
- emptydom (-,admin,)
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
----
- src/providers/ipa/ipa_netgroups.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
-index 5c929a485..05ebac758 100644
---- a/src/providers/ipa/ipa_netgroups.c
-+++ b/src/providers/ipa/ipa_netgroups.c
-@@ -953,7 +953,9 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
-
- ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
- &domain);
-- if (ret != EOK) {
-+ if (ret == ENOENT) {
-+ domain = NULL;
-+ } else if (ret != EOK) {
- goto done;
- }
-
-@@ -974,7 +976,7 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
- for (k = 0; k < hosts_count; k++) {
- triple = talloc_asprintf(state, "(%s,%s,%s)",
- hosts[k], uids[j],
-- domain);
-+ domain ? domain : "");
- if (triple == NULL) {
- ret = ENOMEM;
- goto done;
---
-2.14.3
-
diff --git a/0002-intg-enhance-netgroups-test.patch b/0002-intg-enhance-netgroups-test.patch
deleted file mode 100644
index 1a3bfb1..0000000
--- a/0002-intg-enhance-netgroups-test.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 3adc0a2fac5f7f1f30f6b1f75f098d4b50e7cf35 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 5 Mar 2018 12:29:58 +0100
-Subject: [PATCH 02/15] intg: enhance netgroups test
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/tests/intg/sssd_netgroup.py | 9 ++++++---
- src/tests/intg/test_netgroup.py | 26 ++++++++++++++++++++++++++
- 2 files changed, 32 insertions(+), 3 deletions(-)
-
-diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py
-index 3668d2e29..4c34ea61f 100644
---- a/src/tests/intg/sssd_netgroup.py
-+++ b/src/tests/intg/sssd_netgroup.py
-@@ -209,9 +209,12 @@ class NetgroupRetriever(object):
-
- if result_p[0].type == NetgroupType.TRIPLE_VAL:
- triple = result_p[0].val.triple
-- result.append((triple.host.decode('utf-8'),
-- triple.user.decode('utf-8'),
-- triple.domain.decode('utf-8')))
-+ result.append((triple.host and triple.host.decode('utf-8')
-+ or "",
-+ triple.user and triple.user.decode('utf-8')
-+ or "",
-+ triple.domain and triple.domain.decode('utf-8')
-+ or ""))
-
- res, errno, result_p = self._getnetgrent_r(result_p, buff,
- buff_len)
-diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py
-index 3cf5dac2e..06a1cfafd 100644
---- a/src/tests/intg/test_netgroup.py
-+++ b/src/tests/intg/test_netgroup.py
-@@ -106,6 +106,8 @@ def format_basic_conf(ldap_conn, schema):
- services = nss
- disable_netlink = true
-
-+ [nss]
-+
- [domain/LDAP]
- {schema_conf}
- id_provider = ldap
-@@ -222,6 +224,14 @@ def add_tripled_netgroup(request, ldap_conn):
- ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)",
- "(host2,user2,domain2)"])
-
-+ ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"])
-+
-+ ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"])
-+
-+ ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"])
-+
-+ ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"])
-+
- create_ldap_fixture(request, ldap_conn, ent_list)
- conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
- create_conf_fixture(request, conf)
-@@ -243,6 +253,22 @@ def test_add_tripled_netgroup(add_tripled_netgroup):
- assert sorted(netgrps) == sorted([("host1", "user1", "domain1"),
- ("host2", "user2", "domain2")])
-
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_domain")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("host", "user", "")]
-+
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_user")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("host", "", "domain")]
-+
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_no_host")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("", "user", "domain")]
-+
-+ res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup_none")
-+ assert res == sssd_netgroup.NssReturnCode.SUCCESS
-+ assert netgrps == [("", "", "")]
-+
-
- @pytest.fixture
- def add_mixed_netgroup(request, ldap_conn):
---
-2.14.3
-
diff --git a/0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch b/0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
deleted file mode 100644
index e4c2517..0000000
--- a/0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From d38421b5beb91de9213203bee87a3717952f52bc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Wed, 14 Mar 2018 22:55:21 +0100
-Subject: [PATCH 03/15] CONFDB: Start a ldb transaction from
- sss_ldb_modify_permissive()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The reason why confdb_expand_app_domains() always fails is because we
-try to do a ldb_request() without starting a ldb transaction.
-
-When we're dealing with ldb_modify(), ldb_add(), ldb_delete() kind of
-messages, those call ldb_autotransaction_request() which will start a
-new transaction and treat it properly when doing the ldb_request(). In
-our case that we're calling ldb_request() by our own, we must ensure
-that the transaction is started and properly deal with it._
-
-It's never been noticed because in the only place the function is used
-its errors are ignored.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3660
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/db/sysdb_ops.c | 39 ++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 38 insertions(+), 1 deletion(-)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 15915101e..cc86a114e 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -66,7 +66,9 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
- struct ldb_message *msg)
- {
- struct ldb_request *req;
-- int ret = EOK;
-+ int ret;
-+ int cancel_ret;
-+ bool in_transaction = false;
-
- ret = ldb_build_mod_req(&req, ldb, ldb,
- msg,
-@@ -84,9 +86,44 @@ int sss_ldb_modify_permissive(struct ldb_context *ldb,
- return ret;
- }
-
-+ ret = ldb_transaction_start(ldb);
-+ if (ret != LDB_SUCCESS) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to start ldb transaction [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ in_transaction = true;
-+
- ret = ldb_request(ldb, req);
- if (ret == LDB_SUCCESS) {
- ret = ldb_wait(req->handle, LDB_WAIT_ALL);
-+ if (ret != LDB_SUCCESS) {
-+ goto done;
-+ }
-+ }
-+
-+ ret = ldb_transaction_commit(ldb);
-+ if (ret != LDB_SUCCESS) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to commit ldb transaction [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ goto done;
-+ }
-+
-+ in_transaction = false;
-+
-+ ret = LDB_SUCCESS;
-+
-+done:
-+ if (in_transaction) {
-+ cancel_ret = ldb_transaction_cancel(ldb);
-+ if (cancel_ret != LDB_SUCCESS) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to cancel ldb transaction [%d]: %s\n",
-+ cancel_ret, sss_strerror(cancel_ret));
-+ }
- }
-
- talloc_free(req);
---
-2.14.3
-
diff --git a/0004-TOOLS-Take-into-consideration-app-domains.patch b/0004-TOOLS-Take-into-consideration-app-domains.patch
deleted file mode 100644
index 9ba25e3..0000000
--- a/0004-TOOLS-Take-into-consideration-app-domains.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 692780f793f96815aaee0007515838fce30b6097 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Wed, 14 Mar 2018 23:01:39 +0100
-Subject: [PATCH 04/15] TOOLS: Take into consideration app domains
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In order to properly show an app domain when listing domains using
-sssctl domain-list we have to expand the confdb, as already done in the
-monitor code.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/tools/common/sss_tools.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
-index e491a1286..4832db5a0 100644
---- a/src/tools/common/sss_tools.c
-+++ b/src/tools/common/sss_tools.c
-@@ -117,6 +117,14 @@ static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
- struct sss_domain_info *dom;
- errno_t ret;
-
-+ ret = confdb_expand_app_domains(confdb);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unable to expand application domains [%d]: %s\n",
-+ ret, sss_strerror(ret));
-+ return ret;
-+ }
-+
- ret = confdb_get_domains(confdb, &domains);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n",
---
-2.14.3
-
diff --git a/0005-TESTS-Move-get_call_output-to-util.py.patch b/0005-TESTS-Move-get_call_output-to-util.py.patch
deleted file mode 100644
index 4a10fd6..0000000
--- a/0005-TESTS-Move-get_call_output-to-util.py.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From be7e7de999f93f57bfccdeeabcb8682d1e92023a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Fri, 16 Mar 2018 19:00:52 +0100
-Subject: [PATCH 05/15] TESTS: Move get_call_output() to util.py
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This function will be reused outside of test_sssctl.py.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/tests/intg/test_sssctl.py | 9 +--------
- src/tests/intg/util.py | 7 +++++++
- 2 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py
-index 0df5d0bc1..e8861dd86 100644
---- a/src/tests/intg/test_sssctl.py
-+++ b/src/tests/intg/test_sssctl.py
-@@ -28,7 +28,7 @@ import signal
- import ds_openldap
- import ldap_ent
- import config
--from util import unindent
-+from util import unindent, get_call_output
- import sssd_netgroup
-
- LDAP_BASE_DN = "dc=example,dc=com"
-@@ -203,13 +203,6 @@ def fqname_case_insensitive_rfc2307(request, ldap_conn):
- return None
-
-
--def get_call_output(cmd):
-- process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-- stderr=subprocess.PIPE)
-- output, ret = process.communicate()
-- return output.decode('utf-8')
--
--
- def test_user_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL):
- # Fill the cache first
- ent.assert_passwd_by_name(
-diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
-index 2b40311bd..a1c439648 100644
---- a/src/tests/intg/util.py
-+++ b/src/tests/intg/util.py
-@@ -78,3 +78,10 @@ def restore_envvar_file(name):
- path = os.environ[name]
- backup_path = path + ".bak"
- os.rename(backup_path, path)
-+
-+
-+def get_call_output(cmd):
-+ process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-+ stderr=subprocess.PIPE)
-+ output, ret = process.communicate()
-+ return output.decode('utf-8')
---
-2.14.3
-
diff --git a/0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch b/0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
deleted file mode 100644
index 9450f9b..0000000
--- a/0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From e8c0527bf782de166722706db119ccb01258e78b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Fri, 16 Mar 2018 19:23:58 +0100
-Subject: [PATCH 06/15] TESTS: Make get_call_output() more flexible about the
- stderr log
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Future tests that will be added will need the stderr redirected to the
-STDOUT.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/tests/intg/util.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py
-index a1c439648..bfebbfb35 100644
---- a/src/tests/intg/util.py
-+++ b/src/tests/intg/util.py
-@@ -80,8 +80,8 @@ def restore_envvar_file(name):
- os.rename(backup_path, path)
-
-
--def get_call_output(cmd):
-+def get_call_output(cmd, stderr_output=subprocess.PIPE):
- process = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-- stderr=subprocess.PIPE)
-+ stderr=stderr_output)
- output, ret = process.communicate()
- return output.decode('utf-8')
---
-2.14.3
-
diff --git a/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch b/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
deleted file mode 100644
index 3c54b6f..0000000
--- a/0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 15ab42ad5349485c9156234f5a6d1c6635c36de3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Thu, 15 Mar 2018 16:28:41 +0100
-Subject: [PATCH 07/15] TESTS: Add a basic test of `sssctl domain-list`
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's just add a test for `sssctl domain-list` in order to avoid
-regressing https://pagure.io/SSSD/sssd/issue/3658.
-
-The test has been added as part of test_infopipe.py in order to take
-advantage of the machinery already provided there.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3658
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/tests/intg/test_infopipe.py | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py
-index 3a7961403..b851bbd91 100644
---- a/src/tests/intg/test_infopipe.py
-+++ b/src/tests/intg/test_infopipe.py
-@@ -34,7 +34,7 @@ import dbus
- import config
- import ds_openldap
- import ldap_ent
--from util import unindent
-+from util import unindent, get_call_output
-
- LDAP_BASE_DN = "dc=example,dc=com"
- INTERACTIVE_TIMEOUT = 4
-@@ -194,7 +194,7 @@ def format_basic_conf(ldap_conn, schema):
- return unindent("""\
- [sssd]
- debug_level = 0xffff
-- domains = LDAP
-+ domains = LDAP, app
- services = nss, ifp
- enable_files_domain = false
-
-@@ -212,6 +212,9 @@ def format_basic_conf(ldap_conn, schema):
- id_provider = ldap
- ldap_uri = {ldap_conn.ds_inst.ldap_url}
- ldap_search_base = {ldap_conn.ds_inst.base_dn}
-+
-+ [application/app]
-+ inherit_from = LDAP
- """).format(**locals())
-
-
-@@ -532,3 +535,13 @@ def test_get_user_groups(dbus_system_bus, ldap_conn, sanity_rfc2307):
-
- assert len(res) == 2
- assert sorted(res) == ['single_user_group', 'two_user_group']
-+
-+
-+def test_sssctl_domain_list_app_domain(dbus_system_bus,
-+ ldap_conn,
-+ sanity_rfc2307):
-+ output = get_call_output(["sssctl", "domain-list"], subprocess.STDOUT)
-+
-+ assert "Error" not in output
-+ assert output.find("LDAP") != -1
-+ assert output.find("app") != -1
---
-2.14.3
-
diff --git a/0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch b/0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
deleted file mode 100644
index 91ba3e7..0000000
--- a/0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 8a89fce38a2ad76eb4eebd74a0821c80154ac892 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Wed, 21 Mar 2018 16:38:22 +0100
-Subject: [PATCH 08/15] KCM: Use json_loadb() when dealing with sss_iobuf data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As sss_iobuf data is *non* NULL terminated, we have to use json_loadb()
-passing the data's length instead of just using json_loads().
-
-Due to this issue, when running sssd-kcm under valgrind and performing a
-`kinit foo` a bunch of erros like the following one could be seen:
-==2638== Conditional jump or move depends on uninitialised value(s)
-==2638== at 0x57DB678: stream_get.part.3 (load.c:172)
-==2638== by 0x57DB9CA: stream_get (load.c:643)
-==2638== by 0x57DB9CA: lex_get (load.c:246)
-==2638== by 0x57DB9CA: lex_scan (load.c:601)
-==2638== by 0x57DC56A: parse_json.constprop.7 (load.c:904)
-==2638== by 0x57DC6AB: json_loads (load.c:959)
-==2638== by 0x11ABEA: ??? (in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x11AEF0: ??? (in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x125D4A: ??? (in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x12623B: ??? (in /usr/libexec/sssd/sssd_kcm)
-==2638== by 0x9BCD71F: epoll_event_loop (tevent_epoll.c:728)
-==2638== by 0x9BCD71F: epoll_event_loop_once (tevent_epoll.c:930)
-==2638== by 0x9BCBBA6: std_event_loop_once (tevent_standard.c:114)
-==2638== by 0x9BC7FEC: _tevent_loop_once (tevent.c:725)
-==2638== by 0x9BC820A: tevent_common_loop_wait (tevent.c:848)
-
-Related to:
-https://pagure.io/SSSD/sssd/issue/3687
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/responder/kcm/kcmsrv_ccache_secrets.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
-index 8be7daea5..04dad9596 100644
---- a/src/responder/kcm/kcmsrv_ccache_secrets.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
-@@ -231,6 +231,7 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
- {
- json_t *root;
- uint8_t *sec_http_list;
-+ size_t sec_http_list_len;
- json_error_t error;
- json_t *element;
- errno_t ret;
-@@ -244,8 +245,10 @@ static errno_t sec_list_parse(struct sss_iobuf *outbuf,
- DEBUG(SSSDBG_CRIT_FAILURE, "No data in output buffer?\n");
- return EINVAL;
- }
-+ sec_http_list_len = sss_iobuf_get_len(outbuf);
-
-- root = json_loads((const char *) sec_http_list, 0, &error);
-+ root = json_loadb((const char *) sec_http_list,
-+ sec_http_list_len, 0, &error);
- if (root == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to parse JSON payload on line %d: %s\n",
---
-2.14.3
-
diff --git a/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch b/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
deleted file mode 100644
index fab80a1..0000000
--- a/0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 48cff40315cfbfcfae3582935efda961757ceec6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 13 Mar 2018 21:11:16 +0100
-Subject: [PATCH 09/15] KCM: Remove mem_ctx from kcm_new_req()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's remove the mem_ctx argument as we really want cctx to be the
-memory context here, so that if the client disconnects the request goes
-away.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/responder/kcm/kcmsrv_cmd.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index 0b933f0b4..d4ebb79bf 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -423,8 +423,10 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
- return EOK;
- }
-
--static struct kcm_req_ctx *kcm_new_req(TALLOC_CTX *mem_ctx,
-- struct cli_ctx *cctx,
-+/* Mind that kcm_new_req() does not take a mem_ctx argument on purpose as we
-+ * really want the cctx to be the memory context here so that if the client
-+ * disconnects, the request goes away. */
-+static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
- struct kcm_ctx *kctx)
- {
- struct kcm_req_ctx *req;
-@@ -467,8 +469,8 @@ static void kcm_recv(struct cli_ctx *cctx)
- kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx);
- req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
- if (req == NULL) {
-- /* A new request comes in, setup data structures */
-- req = kcm_new_req(cctx, cctx, kctx);
-+ /* A new request comes in, setup data structures. */
-+ req = kcm_new_req(cctx, kctx);
- if (req == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot set up client connection\n");
---
-2.14.3
-
diff --git a/0010-KCM-Introduce-kcm_input_get_payload_len.patch b/0010-KCM-Introduce-kcm_input_get_payload_len.patch
deleted file mode 100644
index e0ea83e..0000000
--- a/0010-KCM-Introduce-kcm_input_get_payload_len.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 7fa69ab8152392b11490950ff8aeeef7e0ad14de Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 13 Mar 2018 23:13:35 +0100
-Subject: [PATCH 10/15] KCM: Introduce kcm_input_get_payload_len()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As this piece of code will be useful for us in the future patches of
-this series, let's move it to a new function.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/responder/kcm/kcmsrv_cmd.c | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index d4ebb79bf..3ecba9df2 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -129,23 +129,27 @@ struct kcm_reqbuf {
- struct kcm_iovec v_msg;
- };
-
-+static uint32_t kcm_input_get_payload_len(struct kcm_iovec *v)
-+{
-+ size_t lc = 0;
-+ uint32_t len_be = 0;
-+
-+ /* The first 4 bytes before the payload is message length */
-+ SAFEALIGN_COPY_UINT32_CHECK(&len_be, v->kiov_base, v->kiov_len, &lc);
-+
-+ return be32toh(len_be);
-+}
-+
- static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
- struct kcm_op_io *op_io)
- {
-- size_t lc = 0;
- size_t mc = 0;
- uint16_t opcode_be = 0;
-- uint32_t len_be = 0;
- uint32_t msglen;
- uint8_t proto_maj = 0;
- uint8_t proto_min = 0;
-
-- /* The first 4 bytes before the payload is message length */
-- SAFEALIGN_COPY_UINT32_CHECK(&len_be,
-- reqbuf->v_len.kiov_base,
-- reqbuf->v_len.kiov_len,
-- &lc);
-- msglen = be32toh(len_be);
-+ msglen = kcm_input_get_payload_len(&reqbuf->v_len);
- DEBUG(SSSDBG_TRACE_LIBS,
- "Received message with length %"PRIu32"\n", msglen);
-
---
-2.14.3
-
diff --git a/0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch b/0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
deleted file mode 100644
index 964bddb..0000000
--- a/0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
+++ /dev/null
@@ -1,243 +0,0 @@
-From 9f078d2e9ec7e1803b6c7e2f8a51e0e185723e76 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Wed, 14 Mar 2018 00:57:39 +0100
-Subject: [PATCH 11/15] KCM: Do not use 2048 as fixed size for the payload
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The KCM code has the limit set as 2048 only inside #ifdef __APPLE__,
-while it should be normally set as 10 * 1024 * 1024, as seen in:
-https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
-
-Last but not least, doesn't make much sense to use a fixed value as the
-first 4 bytes received are the payload size ... so let's just allocate
-the needed size instead of having a fixed value.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3671
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/responder/kcm/kcmsrv_cmd.c | 103 +++++++++++++++++++++++++----------------
- 1 file changed, 62 insertions(+), 41 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
-index 3ecba9df2..728979da9 100644
---- a/src/responder/kcm/kcmsrv_cmd.c
-+++ b/src/responder/kcm/kcmsrv_cmd.c
-@@ -38,7 +38,7 @@
- /* The maximum length of a request or reply as defined by the RPC
- * protocol. This is the same constant size as MIT KRB5 uses
- */
--#define KCM_PACKET_MAX_SIZE 2048
-+#define KCM_PACKET_MAX_SIZE 10*1024*1024
-
- /* KCM operation, its raw input and raw output and result */
- struct kcm_op_io {
-@@ -125,7 +125,6 @@ struct kcm_reqbuf {
- struct kcm_iovec v_len;
-
- /* Includes the major, minor versions etc */
-- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
- struct kcm_iovec v_msg;
- };
-
-@@ -238,7 +237,6 @@ struct kcm_repbuf {
- uint8_t rcbuf[KCM_RETCODE_SIZE];
- struct kcm_iovec v_rc;
-
-- uint8_t msgbuf[KCM_PACKET_MAX_SIZE];
- struct kcm_iovec v_msg;
- };
-
-@@ -259,11 +257,13 @@ static errno_t kcm_failbuf_construct(errno_t ret,
- /* retcode is 0 if the operation at least ran, non-zero if there
- * was some kind of internal KCM error, like input couldn't be parsed
- */
--static errno_t kcm_output_construct(struct kcm_op_io *op_io,
-+static errno_t kcm_output_construct(TALLOC_CTX *mem_ctx,
-+ struct kcm_op_io *op_io,
- struct kcm_repbuf *repbuf)
- {
-- size_t c;
-+ uint8_t *rep;
- size_t replen;
-+ size_t c;
-
- replen = sss_iobuf_get_len(op_io->reply);
- if (replen > KCM_PACKET_MAX_SIZE) {
-@@ -281,14 +281,22 @@ static errno_t kcm_output_construct(struct kcm_op_io *op_io,
- SAFEALIGN_SETMEM_UINT32(repbuf->rcbuf, 0, &c);
-
- if (replen > 0) {
-+ rep = talloc_zero_array(mem_ctx, uint8_t, replen);
-+ if (rep == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to allocate memory for the message\n");
-+ return ENOMEM;
-+ }
-+
- c = 0;
-- SAFEALIGN_MEMCPY_CHECK(repbuf->msgbuf,
-+ SAFEALIGN_MEMCPY_CHECK(rep,
- sss_iobuf_get_data(op_io->reply),
- replen,
-- repbuf->v_msg.kiov_len,
-+ replen,
- &c);
-
-- /* Length of the buffer to send to KCM client */
-+ /* Set the buffer and its length to send to KCM client */
-+ repbuf->v_msg.kiov_base = rep;
- repbuf->v_msg.kiov_len = replen;
- }
-
-@@ -321,24 +329,6 @@ static void kcm_reply_error(struct cli_ctx *cctx,
- TEVENT_FD_WRITEABLE(cctx->cfde);
- }
-
--static void kcm_send_reply(struct cli_ctx *cctx,
-- struct kcm_op_io *op_io,
-- struct kcm_repbuf *repbuf)
--{
-- errno_t ret;
--
-- DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
-- ret = kcm_output_construct(op_io, repbuf);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot construct the reply buffer, terminating client\n");
-- kcm_reply_error(cctx, ret, repbuf);
-- return;
-- }
--
-- TEVENT_FD_WRITEABLE(cctx->cfde);
--}
--
- /**
- * Request-reply dispatcher
- */
-@@ -356,6 +346,26 @@ struct kcm_req_ctx {
- struct kcm_op_io op_io;
- };
-
-+static void kcm_send_reply(struct kcm_req_ctx *req_ctx)
-+{
-+ struct cli_ctx *cctx;
-+ errno_t ret;
-+
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n");
-+
-+ cctx = req_ctx->cctx;
-+
-+ ret = kcm_output_construct(cctx, &req_ctx->op_io, &req_ctx->repbuf);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot construct the reply buffer, terminating client\n");
-+ kcm_reply_error(cctx, ret, &req_ctx->repbuf);
-+ return;
-+ }
-+
-+ TEVENT_FD_WRITEABLE(cctx->cfde);
-+}
-+
- static void kcm_cmd_request_done(struct tevent_req *req);
-
- static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
-@@ -385,11 +395,9 @@ static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx,
- static void kcm_cmd_request_done(struct tevent_req *req)
- {
- struct kcm_req_ctx *req_ctx;
-- struct cli_ctx *cctx;
- errno_t ret;
-
- req_ctx = tevent_req_callback_data(req, struct kcm_req_ctx);
-- cctx = req_ctx->cctx;
-
- ret = kcm_cmd_recv(req_ctx, req,
- &req_ctx->op_io.reply);
-@@ -397,15 +405,19 @@ static void kcm_cmd_request_done(struct tevent_req *req)
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret));
-- kcm_reply_error(cctx, ret, &req_ctx->repbuf);
-+ kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf);
- return;
- }
-
-- kcm_send_reply(cctx, &req_ctx->op_io, &req_ctx->repbuf);
-+ kcm_send_reply(req_ctx);
- }
-
--static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
-+static errno_t kcm_recv_data(TALLOC_CTX *mem_ctx,
-+ int fd,
-+ struct kcm_reqbuf *reqbuf)
- {
-+ uint8_t *msg;
-+ uint32_t msglen;
- errno_t ret;
-
- ret = kcm_read_iovec(fd, &reqbuf->v_len);
-@@ -416,6 +428,24 @@ static errno_t kcm_recv_data(int fd, struct kcm_reqbuf *reqbuf)
- return ret;
- }
-
-+ msglen = kcm_input_get_payload_len(&reqbuf->v_len);
-+ if (msglen > KCM_PACKET_MAX_SIZE) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Request exceeds the KCM protocol limit, aborting\n");
-+ return E2BIG;
-+ }
-+
-+ msg = talloc_zero_array(mem_ctx, uint8_t, msglen);
-+ if (msg == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to allocate memory for the message\n");
-+ return ENOMEM;
-+ }
-+
-+ /* Set the buffer and its expected len to receive the data */
-+ reqbuf->v_msg.kiov_base = msg;
-+ reqbuf->v_msg.kiov_len = msglen;
-+
- ret = kcm_read_iovec(fd, &reqbuf->v_msg);
- if (ret != EOK) {
- /* Not all errors are fatal, hence we don't print DEBUG messages
-@@ -443,21 +473,12 @@ static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
- req->reqbuf.v_len.kiov_base = req->reqbuf.lenbuf;
- req->reqbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
-
-- req->reqbuf.v_msg.kiov_base = req->reqbuf.msgbuf;
-- req->reqbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE;
--
- req->repbuf.v_len.kiov_base = req->repbuf.lenbuf;
- req->repbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
-
- req->repbuf.v_rc.kiov_base = req->repbuf.rcbuf;
- req->repbuf.v_rc.kiov_len = KCM_RETCODE_SIZE;
-
-- req->repbuf.v_msg.kiov_base = req->repbuf.msgbuf;
-- /* Length of the msg iobuf will be adjusted later, so far use the full
-- * length so that constructing the reply can use that capacity
-- */
-- req->repbuf.v_msg.kiov_len = KCM_PACKET_MAX_SIZE;
--
- req->cctx = cctx;
- req->kctx = kctx;
-
-@@ -485,7 +506,7 @@ static void kcm_recv(struct cli_ctx *cctx)
- cctx->state_ctx = req;
- }
-
-- ret = kcm_recv_data(cctx->cfd, &req->reqbuf);
-+ ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf);
- switch (ret) {
- case ENODATA:
- DEBUG(SSSDBG_TRACE_ALL, "Client closed connection.\n");
---
-2.14.3
-
diff --git a/0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch b/0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
deleted file mode 100644
index 7df0643..0000000
--- a/0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From d910ef0667a902b4ac0551f3e8d11121bb02214c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Wed, 14 Mar 2018 09:21:45 +0100
-Subject: [PATCH 12/15] KCM: Adjust REPLY_MAX to the one used in krb5
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-krb5 has its MAX_REPLY_SIZE set as 10*1024*1024, as seen in:
-https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3386
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/responder/kcm/kcmsrv_ops.c | 5 ++++-
- src/util/tev_curl.c | 3 ++-
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
-index 7a78e9d6b..1e229adc4 100644
---- a/src/responder/kcm/kcmsrv_ops.c
-+++ b/src/responder/kcm/kcmsrv_ops.c
-@@ -31,7 +31,10 @@
- #include "responder/kcm/kcmsrv_ops.h"
- #include "responder/kcm/kcmsrv_ccache.h"
-
--#define KCM_REPLY_MAX 16384
-+/* This limit comes from:
-+ * https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
-+ */
-+#define KCM_REPLY_MAX 10*1024*1024
-
- struct kcm_op_ctx {
- struct kcm_resp_ctx *kcm_data;
-diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c
-index 4c2f1ec9f..f8bede6c5 100644
---- a/src/util/tev_curl.c
-+++ b/src/util/tev_curl.c
-@@ -35,7 +35,8 @@
- #include "util/tev_curl.h"
-
- #define TCURL_IOBUF_CHUNK 1024
--#define TCURL_IOBUF_MAX 16384
-+/* This limit in the same one as KCM_REPLY_MAX */
-+#define TCURL_IOBUF_MAX 10*1024*1024
-
- static bool global_is_curl_initialized;
-
---
-2.14.3
-
diff --git a/0013-intg-convert-results-returned-as-bytes-to-strings.patch b/0013-intg-convert-results-returned-as-bytes-to-strings.patch
deleted file mode 100644
index 0174103..0000000
--- a/0013-intg-convert-results-returned-as-bytes-to-strings.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 414ce6438a5450e5f1c1b03994f59d37f0ff8a36 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Fri, 16 Mar 2018 13:43:17 +0100
-Subject: [PATCH 13/15] intg: convert results returned as bytes to strings
-
-With python3 comparisons between byte literals and strings will fail. To
-make sure assertions will pass the search results must be converted to
-(utf-8) strings first.
-
-Resolves https://pagure.io/SSSD/sssd/issue/3666
-
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/tests/intg/test_ts_cache.py | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py
-index 703e3b255..c3819e21a 100644
---- a/src/tests/intg/test_ts_cache.py
-+++ b/src/tests/intg/test_ts_cache.py
-@@ -212,12 +212,17 @@ def get_attrs(ldb_conn, type, name, domain, attr_list):
- ts_attrs = dict()
-
- for attr in attr_list:
-- sysdb_attrs[attr] = ldb_conn.get_entry_attr(
-- sssd_ldb.CacheType.sysdb,
-- type, name, domain, attr)
-- ts_attrs[attr] = ldb_conn.get_entry_attr(
-- sssd_ldb.CacheType.timestamps,
-- type, name, domain, attr)
-+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.sysdb,
-+ type, name, domain, attr)
-+ if val:
-+ val = val.decode('utf-8')
-+ sysdb_attrs[attr] = val
-+
-+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.timestamps,
-+ type, name, domain, attr)
-+ if val:
-+ val = val.decode('utf-8')
-+ ts_attrs[attr] = val
- return (sysdb_attrs, ts_attrs)
-
-
---
-2.14.3
-
diff --git a/0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch b/0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
deleted file mode 100644
index 5edf89d..0000000
--- a/0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1c03afc703fb6e398915e2b2b200b7db19b4e6b8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Mon, 26 Mar 2018 15:40:15 +0200
-Subject: [PATCH 14/15] KCM: Fix typo in ccdb_sec_delete_list_done()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When deleting the ccache we want to check if sec_key_list_len is equal 0
-and not if sec_key_list is 0.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
-index 04dad9596..8a7a577d8 100644
---- a/src/responder/kcm/kcmsrv_ccache_secrets.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
-@@ -2007,7 +2007,7 @@ static void ccdb_sec_delete_list_done(struct tevent_req *subreq)
- return;
- }
-
-- if (sec_key_list == 0) {
-+ if (state->sec_key_list_len == 0) {
- DEBUG(SSSDBG_MINOR_FAILURE, "No ccaches to delete\n");
- tevent_req_done(req);
- return;
---
-2.14.3
-
diff --git a/0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch b/0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
deleted file mode 100644
index 2a85141..0000000
--- a/0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 94897e5c82967528dae2a79e42cd1eb3c3be68f3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 27 Mar 2018 15:02:09 +0200
-Subject: [PATCH 15/15] KCM: Only print the number of found items after we have
- it
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-With the current code we've been always printing "Found 0 items" as
-state->sec_key_list_len is only set by sec_list_parse().
-
-In order to solve this, let's just print it *after* we have
-state->sec_key_list_len set.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
----
- src/responder/kcm/kcmsrv_ccache_secrets.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
-index 8a7a577d8..f2b46460e 100644
---- a/src/responder/kcm/kcmsrv_ccache_secrets.c
-+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
-@@ -207,7 +207,6 @@ static void sec_list_done(struct tevent_req *subreq)
- return;
- }
- } else if (http_code == 200) {
-- DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
- ret = sec_list_parse(outbuf, state,
- &state->sec_key_list,
- &state->sec_key_list_len);
-@@ -215,6 +214,7 @@ static void sec_list_done(struct tevent_req *subreq)
- tevent_req_error(req, ret);
- return;
- }
-+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
- } else {
- tevent_req_error(req, http2errno(http_code));
- return;
---
-2.14.3
-
diff --git a/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch b/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
deleted file mode 100644
index 7fef666..0000000
--- a/0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 68b14b6f94cf23fe2f66ee592e2e1fa5abfe3b9c Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 23 Mar 2018 13:40:34 +0100
-Subject: [PATCH] SYSDB: When marking an entry as expired, also set the
- originalModifyTimestamp to 1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3684
-
-If the cleanup task removes a user who was a fully resolved member (not a
-ghost), but then the group the user was a member of is requested, unless
-the group had changed, the user doesn't appear as a member of the group
-again. This is because the modify timestamp would prevent the group from
-updating and therefore the ghost attribute is not readded.
-
-To mitigate this, let's also set the originalModifyTimestamp attribute
-to 1, so that we never take the optimized path while updating the group.
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 250751bf8b0532d6175e762b7f2f008cc1c39a78)
----
- src/db/sysdb_ops.c | 13 +++++++++++
- src/tests/intg/test_ldap.py | 54 +++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 67 insertions(+)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index cc86a114e..09aa04a29 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -5410,6 +5410,19 @@ errno_t sysdb_mark_entry_as_expired_ldb_dn(struct sss_domain_info *dom,
- goto done;
- }
-
-+ ret = ldb_msg_add_empty(msg, SYSDB_ORIG_MODSTAMP,
-+ LDB_FLAG_MOD_REPLACE, NULL);
-+ if (ret != LDB_SUCCESS) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
-+
-+ ret = ldb_msg_add_string(msg, SYSDB_ORIG_MODSTAMP, "1");
-+ if (ret != LDB_SUCCESS) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
-+
- ret = ldb_modify(dom->sysdb->ldb, msg);
- if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
-diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
-index a6659b1b7..db3253858 100644
---- a/src/tests/intg/test_ldap.py
-+++ b/src/tests/intg/test_ldap.py
-@@ -434,6 +434,60 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
- dict(mem=ent.contains_only("user1")))
-
-
-+@pytest.fixture
-+def update_ts_after_cleanup_task(request, ldap_conn):
-+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
-+ ent_list.add_user("user1", 1001, 2001)
-+ ent_list.add_user("user2", 1002, 2001)
-+
-+ ent_list.add_group_bis("group1", 2001, ["user1", "user2"])
-+
-+ create_ldap_fixture(request, ldap_conn, ent_list)
-+
-+ conf = \
-+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
-+ unindent("""
-+ [domain/LDAP]
-+ ldap_purge_cache_timeout = 3
-+ """).format(**locals())
-+ create_conf_fixture(request, conf)
-+ create_sssd_fixture(request)
-+ return None
-+
-+
-+def test_update_ts_cache_after_cleanup_task(ldap_conn,
-+ update_ts_after_cleanup_task):
-+ """
-+ Regression test for ticket:
-+ https://fedorahosted.org/sssd/ticket/2676
-+ """
-+ ent.assert_group_by_name(
-+ "group1",
-+ dict(mem=ent.contains_only("user1", "user2")))
-+
-+ ent.assert_passwd_by_name(
-+ 'user1',
-+ dict(name='user1', passwd='*', uid=1001, gid=2001,
-+ gecos='1001', shell='/bin/bash'))
-+
-+ ent.assert_passwd_by_name(
-+ 'user2',
-+ dict(name='user2', passwd='*', uid=1002, gid=2001,
-+ gecos='1002', shell='/bin/bash'))
-+
-+ if subprocess.call(["sss_cache", "-u", "user1"]) != 0:
-+ raise Exception("sssd_cache failed")
-+
-+ # The cleanup task runs every 3 seconds, so sleep for 6
-+ # so that we know the cleanup task ran at least once
-+ # even if we start sleeping during the first one
-+ time.sleep(6)
-+
-+ ent.assert_group_by_name(
-+ "group1",
-+ dict(mem=ent.contains_only("user1", "user2")))
-+
-+
- @pytest.fixture
- def blank_rfc2307(request, ldap_conn):
- """Create blank RFC2307 directory fixture with interactive SSSD conf"""
---
-2.14.3
-
diff --git a/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch b/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
deleted file mode 100644
index fa51604..0000000
--- a/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Tue, 31 Oct 2017 15:14:52 +0100
-Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Unless it is cn=defaults.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3558
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)
----
- src/providers/ldap/sdap_async_sudo.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
-index 5dc580128..3da76256e 100644
---- a/src/providers/ldap/sdap_async_sudo.c
-+++ b/src/providers/ldap/sdap_async_sudo.c
-@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- /* sudoHost is not specified */
-- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
-+ /* sudoHost is not specified and it is a cn=defaults rule */
-+ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",
-+ map[SDAP_AT_SUDO_HOST].name,
- map[SDAP_AT_SUDO_HOST].name);
- if (filter == NULL) {
- goto done;
---
-2.14.3
-
diff --git a/0018-sysdb-custom-completely-replace-old-object-instead-o.patch b/0018-sysdb-custom-completely-replace-old-object-instead-o.patch
deleted file mode 100644
index 0da0d09..0000000
--- a/0018-sysdb-custom-completely-replace-old-object-instead-o.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 547aebfde6fda8088682c9d12a3b5bcfa87c52a2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Tue, 31 Oct 2017 15:16:35 +0100
-Subject: [PATCH] sysdb custom: completely replace old object instead of
- merging it
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This patch is written primary for sudo use case, but it makes sure the we do
-not merge two record in other parts of the code that uses sysdb_store_custom.
-
-1) If there are two rules with the same cn (possible with multiple search bases
-or organizational units) we would end up merging those two rules instead of
-choosing one of them.
-
-2) Also smart refresh would merge the diff insteand of removing the attributes
-that are no longer present in ldap.
-
-Since 1) is a rare use case and it is a misconfiguration we completely replace
-the old rule with new one. It is simpler to implement and it solves both issues.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3558
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63)
----
- src/db/sysdb_ops.c | 33 +++++----------------------------
- 1 file changed, 5 insertions(+), 28 deletions(-)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 09aa04a29..5d3cf643d 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -3399,12 +3399,7 @@ int sysdb_store_custom(struct sss_domain_info *domain,
- struct sysdb_attrs *attrs)
- {
- TALLOC_CTX *tmp_ctx;
-- const char *search_attrs[] = { "*", NULL };
-- size_t resp_count = 0;
-- struct ldb_message **resp;
- struct ldb_message *msg;
-- struct ldb_message_element *el;
-- bool add_object = false;
- int ret;
- int i;
-
-@@ -3423,17 +3418,12 @@ int sysdb_store_custom(struct sss_domain_info *domain,
- goto done;
- }
-
-- ret = sysdb_search_custom_by_name(tmp_ctx, domain,
-- object_name, subtree_name,
-- search_attrs, &resp_count, &resp);
-- if (ret != EOK && ret != ENOENT) {
-+ /* Always add a new object. */
-+ ret = sysdb_delete_custom(domain, object_name, subtree_name);
-+ if (ret != EOK) {
- goto done;
- }
-
-- if (ret == ENOENT) {
-- add_object = true;
-- }
--
- msg = ldb_msg_new(tmp_ctx);
- if (msg == NULL) {
- ret = ENOMEM;
-@@ -3455,24 +3445,11 @@ int sysdb_store_custom(struct sss_domain_info *domain,
-
- for (i = 0; i < attrs->num; i++) {
- msg->elements[i] = attrs->a[i];
-- if (add_object) {
-- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
-- } else {
-- el = ldb_msg_find_element(resp[0], attrs->a[i].name);
-- if (el == NULL) {
-- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
-- } else {
-- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
-- }
-- }
-+ msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- }
- msg->num_elements = attrs->num;
-
-- if (add_object) {
-- ret = ldb_add(domain->sysdb->ldb, msg);
-- } else {
-- ret = ldb_modify(domain->sysdb->ldb, msg);
-- }
-+ ret = ldb_add(domain->sysdb->ldb, msg);
- if (ret != LDB_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store custom entry: %s(%d)[%s]\n",
- ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb));
---
-2.14.3
-
diff --git a/0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch b/0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
deleted file mode 100644
index 26d15ca..0000000
--- a/0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 778f7c61b8d55e0b8d8eccd2cf8649d730e7d4a5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 3 Apr 2018 21:43:28 +0200
-Subject: [PATCH] SERVER: Tone down shutdown messages for socket-activated
- responders
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When dealing with socket-activated responders, those may be shut
-themselves down after some inactivy period. And that's completely normal
-and expected, thus should not be logged as an fatal error.
-
-For the case when the responder is started by the monitor, however, it
-still makes sense to keep the code as it is as the responders won't shut
-themselves down in any normal scenario.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 519354d079731e673244a8e3851e5c5522d1b45e)
----
- src/util/server.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/util/server.c b/src/util/server.c
-index 62e09314c..f34bf49f6 100644
---- a/src/util/server.c
-+++ b/src/util/server.c
-@@ -248,8 +248,12 @@ void orderly_shutdown(int status)
- {
- #if HAVE_GETPGRP
- static int sent_sigterm;
-+ int debug;
-+
- if (sent_sigterm == 0 && getpgrp() == getpid()) {
-- DEBUG(SSSDBG_FATAL_FAILURE, "SIGTERM: killing children\n");
-+ debug = is_socket_activated() ? SSSDBG_TRACE_INTERNAL
-+ : SSSDBG_FATAL_FAILURE;
-+ DEBUG(debug, "SIGTERM: killing children\n");
- sent_sigterm = 1;
- kill(-getpgrp(), SIGTERM);
- }
---
-2.14.3
-
diff --git a/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch b/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
deleted file mode 100644
index dd7e1a0..0000000
--- a/0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 999420ed67439bb662e92b47792a06310d173c53 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 26 Mar 2018 11:36:00 +0200
-Subject: [PATCH] IPA: Qualify the externalUser sudo attribute
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We broke the externalUser support with the introduction of the fully
-qualified attributes, because the provider was saving the data verbatim,
-but the sudo responder expects a fully qualified name.
-
-Reproducer:
- on the server:
- ipa sudocmd-add --desc='For reading log files' /usr/bin/less
- ipa sudorule-add readfiles
- ipa sudorule-add-user --users=lcluser
- ipa sudorule-mod --hostcat=all readfiles
-
- then on the client:
- configure sssd with:
- id_provider = files
- sudo_provider = ipa
- ipa_domain = ipa.test
-
- run:
- sudo useradd lcluser
- sudo passwd lcluser
- su - lcluser
- sudo -l
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 0f6b5b02afb35caae774ff4d52854a844d49f52e)
----
- src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
-index a96ae3447..bfa66b2c6 100644
---- a/src/providers/ipa/ipa_sudo_conversion.c
-+++ b/src/providers/ipa/ipa_sudo_conversion.c
-@@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
- return fqdn;
- }
-
-+static const char *
-+convert_ext_user(TALLOC_CTX *mem_ctx,
-+ struct ipa_sudo_conv *conv,
-+ const char *value,
-+ bool *skip_entry)
-+{
-+ return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
-+}
-+
- static const char *
- convert_group(TALLOC_CTX *mem_ctx,
- struct ipa_sudo_conv *conv,
-@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv,
- {SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL},
- {SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
- {SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup},
-- {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , NULL},
-+ {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user},
- {SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
- {SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
- {NULL, NULL, NULL}};
---
-2.14.3
-
diff --git a/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch b/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
deleted file mode 100644
index d24d232..0000000
--- a/0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From d0801ecbac1300978fc864ae394e6ff43dda2781 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 5 Mar 2018 21:00:30 +0100
-Subject: [PATCH] NSS: Adjust netgroup setnetgrent cache lifetime if midpoint
- refresh is used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a minor regression compared to the state of the code before we
-converted the responders to cache_req. The NSS responder keeps a has
-table of netgroup objects in memory for either the lifetime of the
-netgroup, or, in case midpoint refresh is used, up to the midpoint
-refresh time. The case with the midpoint refresh was removed in the
-cache_req enabled code, which means that even if the netgroup was
-updated in the cache with the background refresh task, the object was
-never read from cache, but always still returned from the in-memory
-enumeration hash.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3550
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit f22528922c065f37ca928f95fd86ed2ea79e0d51)
----
- src/responder/nss/nss_enum.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
-index da844fbce..031db9f2e 100644
---- a/src/responder/nss/nss_enum.c
-+++ b/src/responder/nss/nss_enum.c
-@@ -280,7 +280,18 @@ nss_setnetgrent_set_timeout(struct tevent_context *ev,
- struct timeval tv;
- uint32_t timeout;
-
-- timeout = enum_ctx->result[0]->domain->netgroup_timeout;
-+ if (nss_ctx->cache_refresh_percent) {
-+ timeout = enum_ctx->result[0]->domain->netgroup_timeout *
-+ (nss_ctx->cache_refresh_percent / 100.0);
-+ } else {
-+ timeout = enum_ctx->result[0]->domain->netgroup_timeout;
-+ }
-+
-+ /* In order to not trash the cache between setnetgrent()/getnetgrent()
-+ * calls with too low timeout values, we only allow 10 seconds as
-+ * the minimal timeout
-+ */
-+ if (timeout < 10) timeout = 10;
-
- tv = tevent_timeval_current_ofs(timeout, 0);
- te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx);
---
-2.14.3
-
diff --git a/0022-CONFDB-Add-passwd_files-and-group_files-options.patch b/0022-CONFDB-Add-passwd_files-and-group_files-options.patch
deleted file mode 100644
index 70694a2..0000000
--- a/0022-CONFDB-Add-passwd_files-and-group_files-options.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From a40215878688cf10e35e6ba27893201c686395b3 Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Fri, 14 Jul 2017 16:08:37 -0400
-Subject: [PATCH] CONFDB: Add passwd_files and group_files options
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add new options to the files provider allowing an administrator to
-configure the files provider to read and monitor multiple or
-non-standard passwd and group file sources. These options default to
-/etc/passwd and /etc/group when unset.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit c1208b485924964a7a4fcf19562964acb47fc214)
----
- Makefile.am | 3 ++-
- src/confdb/confdb.h | 4 ++++
- src/config/SSSDConfig/__init__.py.in | 6 +++++-
- src/config/cfg_rules.ini | 4 ++++
- src/config/etc/sssd.api.d/sssd-files.conf | 3 +++
- src/man/sssd-files.5.xml | 36 +++++++++++++++++++++++++++++--
- src/providers/files/files_init.c | 1 +
- 7 files changed, 53 insertions(+), 4 deletions(-)
- create mode 100644 src/config/etc/sssd.api.d/sssd-files.conf
-
-diff --git a/Makefile.am b/Makefile.am
-index 25e996d2d..d52fe0670 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -4577,7 +4577,8 @@ dist_sssdapiplugin_DATA = \
- src/config/etc/sssd.api.d/sssd-ldap.conf \
- src/config/etc/sssd.api.d/sssd-local.conf \
- src/config/etc/sssd.api.d/sssd-proxy.conf \
-- src/config/etc/sssd.api.d/sssd-simple.conf
-+ src/config/etc/sssd.api.d/sssd-simple.conf \
-+ src/config/etc/sssd.api.d/sssd-files.conf
-
- edit_cmd = $(SED) \
- -e 's|@sbindir[@]|$(sbindir)|g' \
-diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
-index c97a9b804..1d322aaac 100644
---- a/src/confdb/confdb.h
-+++ b/src/confdb/confdb.h
-@@ -242,6 +242,10 @@
- #define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
- #define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
-
-+/* Files Provider */
-+#define CONFDB_FILES_PASSWD "passwd_files"
-+#define CONFDB_FILES_GROUP "group_files"
-+
- /* Secrets Service */
- #define CONFDB_SEC_CONF_ENTRY "config/secrets"
- #define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
-diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
-index 857d56cb5..32b74e4c7 100644
---- a/src/config/SSSDConfig/__init__.py.in
-+++ b/src/config/SSSDConfig/__init__.py.in
-@@ -473,7 +473,11 @@ option_strings = {
- 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
-
- # [provider/proxy/auth]
-- 'proxy_pam_target' : _('PAM stack to use')
-+ 'proxy_pam_target' : _('PAM stack to use'),
-+
-+ # [provider/files]
-+ 'passwd_files' : _('Path of passwd file sources.'),
-+ 'group_files' : _('Path of group file sources.')
- }
-
- def striplist(l):
-diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
-index 4e70bf7b6..551322780 100644
---- a/src/config/cfg_rules.ini
-+++ b/src/config/cfg_rules.ini
-@@ -404,6 +404,10 @@ option = dyndns_force_tcp
- option = dyndns_auth
- option = dyndns_server
-
-+# files provider specific options
-+option = passwd_files
-+option = group_files
-+
- # local provider specific options
- option = create_homedir
- option = remove_homedir
-diff --git a/src/config/etc/sssd.api.d/sssd-files.conf b/src/config/etc/sssd.api.d/sssd-files.conf
-new file mode 100644
-index 000000000..2444d4924
---- /dev/null
-+++ b/src/config/etc/sssd.api.d/sssd-files.conf
-@@ -0,0 +1,3 @@
-+[provider/files]
-+passwd_files = str, None, false
-+group_files = str, None, false
-diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml
-index d44fffc03..59e1b6523 100644
---- a/src/man/sssd-files.5.xml
-+++ b/src/man/sssd-files.5.xml
-@@ -56,14 +56,46 @@
- <refsect1 id='configuration-options'>
- <title>CONFIGURATION OPTIONS</title>
- <para>
-- The files provider has no specific options of its own, however,
-- generic SSSD domain options can be set where applicable.
-+ In addition to the options listed below, generic SSSD domain options
-+ can be set where applicable.
- Refer to the section <quote>DOMAIN SECTIONS</quote> of the
- <citerefentry>
- <refentrytitle>sssd.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry> manual page for details on the configuration
- of an SSSD domain.
-+ <variablelist>
-+ <varlistentry>
-+ <term>passwd_files (string)</term>
-+ <listitem>
-+ <para>
-+ Comma-separated list of one or multiple password
-+ filenames to be read and enumerated by the files
-+ provider, inotify monitor watches will be set on
-+ each file to detect changes dynamically.
-+ </para>
-+ <para>
-+ Default: /etc/passwd
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>group_files (string)</term>
-+ <listitem>
-+ <para>
-+ Comma-separated list of one or multiple group
-+ filenames to be read and enumerated by the files
-+ provider, inotify monitor watches will be set on
-+ each file to detect changes dynamically.
-+ </para>
-+ <para>
-+ Default: /etc/group
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+
-+ </variablelist>
- </para>
- </refsect1>
-
-diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
-index 8e5cd4cf9..b8a051c34 100644
---- a/src/providers/files/files_init.c
-+++ b/src/providers/files/files_init.c
-@@ -21,6 +21,7 @@
-
- #include "providers/data_provider/dp.h"
- #include "providers/files/files_private.h"
-+#include "util/util.h"
-
- int sssm_files_init(TALLOC_CTX *mem_ctx,
- struct be_ctx *be_ctx,
---
-2.14.3
-
diff --git a/0023-FILES-Handle-files-provider-sources.patch b/0023-FILES-Handle-files-provider-sources.patch
deleted file mode 100644
index 6565fb7..0000000
--- a/0023-FILES-Handle-files-provider-sources.patch
+++ /dev/null
@@ -1,721 +0,0 @@
-From 2eb09d21d486e83a3a844fda0a504bbc479c9b3a Mon Sep 17 00:00:00 2001
-From: Justin Stephenson <jstephen@redhat.com>
-Date: Mon, 17 Jul 2017 15:01:36 -0400
-Subject: [PATCH] FILES: Handle files provider sources
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Setup watches on passwd and group files provided with the files provider
-options passwd_files and group_files lists
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3402
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 0d6d493f68bb83a046d351cb3035b08ef5456b50)
----
- src/providers/files/files_init.c | 161 +++++++++++++++++---
- src/providers/files/files_ops.c | 285 ++++++++++++++++++++++--------------
- src/providers/files/files_private.h | 8 +-
- 3 files changed, 327 insertions(+), 127 deletions(-)
-
-diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
-index b8a051c34..746c04af1 100644
---- a/src/providers/files/files_init.c
-+++ b/src/providers/files/files_init.c
-@@ -23,6 +23,138 @@
- #include "providers/files/files_private.h"
- #include "util/util.h"
-
-+#define DEFAULT_PASSWD_FILE "/etc/passwd"
-+#define DEFAULT_GROUP_FILE "/etc/group"
-+
-+static errno_t files_init_file_sources(TALLOC_CTX *mem_ctx,
-+ struct be_ctx *be_ctx,
-+ const char ***_passwd_files,
-+ const char ***_group_files)
-+{
-+ TALLOC_CTX *tmp_ctx = NULL;
-+ char *conf_passwd_files;
-+ char *conf_group_files;
-+ char **passwd_list = NULL;
-+ char **group_list = NULL;
-+ int num_passwd_files = 0;
-+ int num_group_files = 0;
-+ const char **passwd_files = NULL;
-+ const char **group_files = NULL;
-+ const char *dfl_passwd_files = NULL;
-+ const char *env_group_files = NULL;
-+ int i;
-+ errno_t ret;
-+
-+ tmp_ctx = talloc_new(NULL);
-+ if (tmp_ctx == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ dfl_passwd_files = getenv("SSS_FILES_PASSWD");
-+ if (dfl_passwd_files) {
-+ sss_log(SSS_LOG_ALERT,
-+ "Defaulting to %s for the passwd file, "
-+ "this should only be used for testing!\n",
-+ dfl_passwd_files);
-+ } else {
-+ dfl_passwd_files = DEFAULT_PASSWD_FILE;
-+ }
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Using default passwd file: [%s].\n", dfl_passwd_files);
-+
-+ env_group_files = getenv("SSS_FILES_GROUP");
-+ if (env_group_files) {
-+ sss_log(SSS_LOG_ALERT,
-+ "Defaulting to %s for the group file, "
-+ "this should only be used for testing!\n",
-+ env_group_files);
-+ } else {
-+ env_group_files = DEFAULT_GROUP_FILE;
-+ }
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Using default group file: [%s].\n", DEFAULT_GROUP_FILE);
-+
-+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
-+ CONFDB_FILES_PASSWD, dfl_passwd_files,
-+ &conf_passwd_files);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb passwd files!\n");
-+ goto done;
-+ }
-+
-+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
-+ CONFDB_FILES_GROUP, env_group_files,
-+ &conf_group_files);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb group files!\n");
-+ goto done;
-+ }
-+
-+ ret = split_on_separator(tmp_ctx, conf_passwd_files, ',', true, true,
-+ &passwd_list, &num_passwd_files);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to parse passwd list!\n");
-+ goto done;
-+ }
-+
-+ passwd_files = talloc_zero_array(tmp_ctx, const char *,
-+ num_passwd_files + 1);
-+ if (passwd_files == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ for (i = 0; i < num_passwd_files; i++) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Using passwd file: [%s].\n", passwd_list[i]);
-+
-+ passwd_files[i] = talloc_strdup(passwd_files, passwd_list[i]);
-+ if (passwd_files[i] == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+ }
-+
-+ /* Retrieve list of group files */
-+ ret = split_on_separator(tmp_ctx, conf_group_files, ',', true, true,
-+ &group_list, &num_group_files);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Failed to parse group files!\n");
-+ goto done;
-+ }
-+
-+ group_files = talloc_zero_array(tmp_ctx, const char *,
-+ num_group_files + 1);
-+ if (group_files == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ for (i = 0; i < num_group_files; i++) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Using group file: [%s].\n", group_list[i]);
-+ group_files[i] = talloc_strdup(group_files, group_list[i]);
-+ if (group_files[i] == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+ }
-+
-+ *_passwd_files = talloc_steal(mem_ctx, passwd_files);
-+ *_group_files = talloc_steal(mem_ctx, group_files);
-+
-+ ret = EOK;
-+
-+done:
-+ talloc_free(tmp_ctx);
-+ return ret;
-+}
-+
- int sssm_files_init(TALLOC_CTX *mem_ctx,
- struct be_ctx *be_ctx,
- struct data_provider *provider,
-@@ -30,32 +162,27 @@ int sssm_files_init(TALLOC_CTX *mem_ctx,
- void **_module_data)
- {
- struct files_id_ctx *ctx;
-- int ret;
-- const char *passwd_file = NULL;
-- const char *group_file = NULL;
--
-- /* So far this is mostly useful for tests */
-- passwd_file = getenv("SSS_FILES_PASSWD");
-- if (passwd_file == NULL) {
-- passwd_file = "/etc/passwd";
-- }
--
-- group_file = getenv("SSS_FILES_GROUP");
-- if (group_file == NULL) {
-- group_file = "/etc/group";
-- }
-+ errno_t ret;
-
- ctx = talloc_zero(mem_ctx, struct files_id_ctx);
- if (ctx == NULL) {
- return ENOMEM;
- }
-+
- ctx->be = be_ctx;
- ctx->domain = be_ctx->domain;
-- ctx->passwd_file = passwd_file;
-- ctx->group_file = group_file;
-+
-+ ret = files_init_file_sources(ctx, be_ctx,
-+ &ctx->passwd_files,
-+ &ctx->group_files);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize the passwd/group source files\n");
-+ goto done;
-+ }
-
- ctx->fctx = sf_init(ctx, be_ctx->ev,
-- ctx->passwd_file, ctx->group_file,
-+ ctx->passwd_files,
-+ ctx->group_files,
- ctx);
- if (ctx->fctx == NULL) {
- ret = ENOMEM;
-diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
-index b59a94252..a2a2798d3 100644
---- a/src/providers/files/files_ops.c
-+++ b/src/providers/files/files_ops.c
-@@ -44,6 +44,7 @@ struct files_ctx {
-
- static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
- struct files_id_ctx *id_ctx,
-+ const char *passwd_file,
- struct passwd ***_users)
- {
- errno_t ret, close_ret;
-@@ -53,12 +54,12 @@ static errno_t enum_files_users(TALLOC_CTX *mem_ctx,
- FILE *pwd_handle = NULL;
- size_t n_users = 0;
-
-- pwd_handle = fopen(id_ctx->passwd_file, "r");
-+ pwd_handle = fopen(passwd_file, "r");
- if (pwd_handle == NULL) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot open passwd file %s [%d]\n",
-- id_ctx->passwd_file, ret);
-+ passwd_file, ret);
- goto done;
- }
-
-@@ -133,7 +134,7 @@ done:
- close_ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot close passwd file %s [%d]\n",
-- id_ctx->passwd_file, close_ret);
-+ passwd_file, close_ret);
- }
- }
- return ret;
-@@ -141,6 +142,7 @@ done:
-
- static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
- struct files_id_ctx *id_ctx,
-+ const char *group_file,
- struct group ***_groups)
- {
- errno_t ret, close_ret;
-@@ -150,12 +152,12 @@ static errno_t enum_files_groups(TALLOC_CTX *mem_ctx,
- size_t n_groups = 0;
- FILE *grp_handle = NULL;
-
-- grp_handle = fopen(id_ctx->group_file, "r");
-+ grp_handle = fopen(group_file, "r");
- if (grp_handle == NULL) {
- ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot open group file %s [%d]\n",
-- id_ctx->group_file, ret);
-+ group_file, ret);
- goto done;
- }
-
-@@ -237,7 +239,7 @@ done:
- close_ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot close group file %s [%d]\n",
-- id_ctx->group_file, close_ret);
-+ group_file, close_ret);
- }
- }
- return ret;
-@@ -446,35 +448,23 @@ done:
- return ret;
- }
-
--static errno_t sf_enum_groups(struct files_id_ctx *id_ctx);
-+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx,
-+ const char *group_file);
-
--errno_t sf_enum_users(struct files_id_ctx *id_ctx)
-+errno_t sf_enum_users(struct files_id_ctx *id_ctx,
-+ const char *passwd_file)
- {
- errno_t ret;
-- errno_t tret;
- TALLOC_CTX *tmp_ctx = NULL;
- struct passwd **users = NULL;
-- bool in_transaction = false;
-
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- return ENOMEM;
- }
-
-- ret = enum_files_users(tmp_ctx, id_ctx, &users);
-- if (ret != EOK) {
-- goto done;
-- }
--
-- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = true;
--
-- /* remove previous cache contents */
-- /* FIXME - this is terribly inefficient */
-- ret = delete_all_users(id_ctx->domain);
-+ ret = enum_files_users(tmp_ctx, id_ctx, passwd_file,
-+ &users);
- if (ret != EOK) {
- goto done;
- }
-@@ -496,31 +486,8 @@ errno_t sf_enum_users(struct files_id_ctx *id_ctx)
- "override values might not be available.\n");
- }
-
-- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = false;
--
-- /* Covers the case when someone edits /etc/group, adds a group member and
-- * only then edits passwd and adds the user. The reverse is not needed,
-- * because member/memberof links are established when groups are saved.
-- */
-- ret = sf_enum_groups(id_ctx);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot refresh groups\n");
-- goto done;
-- }
--
- ret = EOK;
- done:
-- if (in_transaction) {
-- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-- if (tret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot cancel transaction: %d\n", ret);
-- }
-- }
- talloc_free(tmp_ctx);
- return ret;
- }
-@@ -698,13 +665,12 @@ done:
- return ret;
- }
-
--static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
-+static errno_t sf_enum_groups(struct files_id_ctx *id_ctx,
-+ const char *group_file)
- {
- errno_t ret;
-- errno_t tret;
- TALLOC_CTX *tmp_ctx = NULL;
- struct group **groups = NULL;
-- bool in_transaction = false;
- const char **cached_users = NULL;
-
- tmp_ctx = talloc_new(NULL);
-@@ -712,7 +678,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
- return ENOMEM;
- }
-
-- ret = enum_files_groups(tmp_ctx, id_ctx, &groups);
-+ ret = enum_files_groups(tmp_ctx, id_ctx, group_file,
-+ &groups);
- if (ret != EOK) {
- goto done;
- }
-@@ -722,18 +689,6 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
- goto done;
- }
-
-- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = true;
--
-- /* remove previous cache contents */
-- ret = delete_all_groups(id_ctx->domain);
-- if (ret != EOK) {
-- goto done;
-- }
--
- for (size_t i = 0; groups[i]; i++) {
- ret = save_file_group(id_ctx, groups[i], cached_users);
- if (ret != EOK) {
-@@ -750,21 +705,8 @@ static errno_t sf_enum_groups(struct files_id_ctx *id_ctx)
- "override values might not be available.\n");
- }
-
-- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = false;
--
- ret = EOK;
- done:
-- if (in_transaction) {
-- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-- if (tret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot cancel transaction: %d\n", ret);
-- }
-- }
- talloc_free(tmp_ctx);
- return ret;
- }
-@@ -783,21 +725,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
- {
- struct files_id_ctx *id_ctx;
- errno_t ret;
-+ errno_t tret;
-+ bool in_transaction = false;
-
- id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- if (id_ctx == NULL) {
-- return EINVAL;
-+ ret = EINVAL;
-+ goto done;
- }
-
- DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n");
-
-- if (strcmp(filename, id_ctx->passwd_file) != 0) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Wrong file, expected %s, got %s\n",
-- id_ctx->passwd_file, filename);
-- return EINVAL;
-- }
--
- id_ctx->updating_passwd = true;
- dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain);
-
-@@ -805,11 +743,64 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
- dp_sbus_reset_users_memcache(id_ctx->be->provider);
- dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
-
-- ret = sf_enum_users(id_ctx);
-+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ in_transaction = true;
-+
-+ ret = delete_all_users(id_ctx->domain);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ /* All users were deleted, therefore we need to enumerate each file again */
-+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
-+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
-+ goto done;
-+ }
-+ }
-+
-+ /* Covers the case when someone edits /etc/group, adds a group member and
-+ * only then edits passwd and adds the user. The reverse is not needed,
-+ * because member/memberof links are established when groups are saved.
-+ */
-+ ret = delete_all_groups(id_ctx->domain);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ /* All groups were deleted, therefore we need to enumerate each file again */
-+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
-+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
-+ goto done;
-+ }
-+ }
-+
-+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ in_transaction = false;
-
- id_ctx->updating_passwd = false;
- sf_cb_done(id_ctx);
- files_account_info_finished(id_ctx, BE_REQ_USER, ret);
-+
-+ ret = EOK;
-+done:
-+ if (in_transaction) {
-+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-+ if (tret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot cancel transaction: %d\n", ret);
-+ }
-+ }
-+
- return ret;
- }
-
-@@ -817,21 +808,17 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
- {
- struct files_id_ctx *id_ctx;
- errno_t ret;
-+ errno_t tret;
-+ bool in_transaction = false;
-
- id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- if (id_ctx == NULL) {
-- return EINVAL;
-+ ret = EINVAL;
-+ goto done;
- }
-
- DEBUG(SSSDBG_TRACE_FUNC, "group notification\n");
-
-- if (strcmp(filename, id_ctx->group_file) != 0) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Wrong file, expected %s, got %s\n",
-- id_ctx->group_file, filename);
-- return EINVAL;
-- }
--
- id_ctx->updating_groups = true;
- dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain);
-
-@@ -839,11 +826,47 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
- dp_sbus_reset_groups_memcache(id_ctx->be->provider);
- dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
-
-- ret = sf_enum_groups(id_ctx);
-+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ in_transaction = true;
-+
-+ ret = delete_all_groups(id_ctx->domain);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ /* All groups were deleted, therefore we need to enumerate each file again */
-+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
-+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
-+ goto done;
-+ }
-+ }
-+
-+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ in_transaction = false;
-
- id_ctx->updating_groups = false;
- sf_cb_done(id_ctx);
- files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
-+
-+ ret = EOK;
-+
-+done:
-+ if (in_transaction) {
-+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-+ if (tret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot cancel transaction: %d\n", ret);
-+ }
-+ }
-+
- return ret;
- }
-
-@@ -853,19 +876,62 @@ static void startup_enum_files(struct tevent_context *ev,
- {
- struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- errno_t ret;
-+ errno_t tret;
-+ bool in_transaction = false;
-
- talloc_zfree(imm);
-
-- ret = sf_enum_users(id_ctx);
-+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Enumerating users failed, data might be inconsistent!\n");
-+ goto done;
- }
-+ in_transaction = true;
-
-- ret = sf_enum_groups(id_ctx);
-+ ret = delete_all_users(id_ctx->domain);
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Enumerating groups failed, data might be inconsistent!\n");
-+ goto done;
-+ }
-+
-+ ret = delete_all_groups(id_ctx->domain);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]);
-+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Enumerating users failed, data might be inconsistent!\n");
-+ goto done;
-+ }
-+ }
-+
-+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Startup group enumeration of [%s]\n", id_ctx->group_files[i]);
-+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Enumerating groups failed, data might be inconsistent!\n");
-+ goto done;
-+ }
-+ }
-+
-+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ in_transaction = false;
-+
-+done:
-+ if (in_transaction) {
-+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-+ if (tret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot cancel transaction: %d\n", ret);
-+ }
- }
- }
-
-@@ -884,22 +950,29 @@ static struct snotify_ctx *sf_setup_watch(TALLOC_CTX *mem_ctx,
-
- struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
-- const char *passwd_file,
-- const char *group_file,
-+ const char **passwd_files,
-+ const char **group_files,
- struct files_id_ctx *id_ctx)
- {
- struct files_ctx *fctx;
- struct tevent_immediate *imm;
-+ int i;
-
- fctx = talloc(mem_ctx, struct files_ctx);
- if (fctx == NULL) {
- return NULL;
- }
-
-- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_file,
-- sf_passwd_cb, id_ctx);
-- fctx->grp_watch = sf_setup_watch(fctx, ev, group_file,
-- sf_group_cb, id_ctx);
-+ for (i = 0; passwd_files[i]; i++) {
-+ fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i],
-+ sf_passwd_cb, id_ctx);
-+ }
-+
-+ for (i = 0; group_files[i]; i++) {
-+ fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i],
-+ sf_group_cb, id_ctx);
-+ }
-+
- if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) {
- talloc_free(fctx);
- return NULL;
-diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h
-index a7d195c90..f44e6d458 100644
---- a/src/providers/files/files_private.h
-+++ b/src/providers/files/files_private.h
-@@ -39,8 +39,8 @@ struct files_id_ctx {
- struct sss_domain_info *domain;
- struct files_ctx *fctx;
-
-- const char *passwd_file;
-- const char *group_file;
-+ const char **passwd_files;
-+ const char **group_files;
-
- bool updating_passwd;
- bool updating_groups;
-@@ -53,8 +53,8 @@ struct files_id_ctx {
- /* files_ops.c */
- struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
-- const char *passwd_file,
-- const char *group_file,
-+ const char **passwd_files,
-+ const char **group_files,
- struct files_id_ctx *id_ctx);
-
- /* files_id.c */
---
-2.14.3
-
diff --git a/0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch b/0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
deleted file mode 100644
index a21c0b3..0000000
--- a/0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From bb1455ce8d45d026f173f402bce29bf97af8c44d Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 26 Mar 2018 17:30:14 +0200
-Subject: [PATCH] TESTS: Add a test for the multiple files feature
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Adds an integration test for the new feature.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 4a9100a588ade253cecb2224b95bd8caa8136109)
----
- src/tests/intg/test_files_provider.py | 61 ++++++++++++++++++++++++++++++++++-
- 1 file changed, 60 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
-index 41bfd8844..ce5c7b774 100644
---- a/src/tests/intg/test_files_provider.py
-+++ b/src/tests/intg/test_files_provider.py
-@@ -25,6 +25,7 @@ import subprocess
- import pwd
- import grp
- import pytest
-+import tempfile
-
- import ent
- import sssd_id
-@@ -33,7 +34,7 @@ from sssd_passwd import (call_sssd_getpwnam,
- call_sssd_enumeration,
- call_sssd_getpwuid)
- from sssd_group import call_sssd_getgrnam, call_sssd_getgrgid
--from files_ops import passwd_ops_setup, group_ops_setup
-+from files_ops import passwd_ops_setup, group_ops_setup, PasswdOps, GroupOps
- from util import unindent
-
- # Sync this with files_ops.c
-@@ -59,6 +60,11 @@ OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010,
- dir='/home/ov/user1',
- shell='/bin/ov_user1_shell')
-
-+ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001,
-+ gecos='User for tests from alt files',
-+ dir='/home/altuser1',
-+ shell='/bin/bash')
-+
- CANARY_GR = dict(name='canary',
- gid=300001,
- mem=[])
-@@ -79,6 +85,10 @@ GROUP_NOMEM = dict(name='group_nomem',
- gid=40000,
- mem=[])
-
-+ALT_GROUP1 = dict(name='alt_group1',
-+ gid=80001,
-+ mem=['alt_user1'])
-+
-
- def start_sssd():
- """Start sssd and add teardown for stopping it and removing state"""
-@@ -145,6 +155,38 @@ def files_domain_only(request):
- return None
-
-
-+@pytest.fixture
-+def files_multiple_sources(request):
-+ _, alt_passwd_path = tempfile.mkstemp(prefix='altpasswd')
-+ request.addfinalizer(lambda: os.unlink(alt_passwd_path))
-+ alt_pwops = PasswdOps(alt_passwd_path)
-+
-+ _, alt_group_path = tempfile.mkstemp(prefix='altgroup')
-+ request.addfinalizer(lambda: os.unlink(alt_group_path))
-+ alt_grops = GroupOps(alt_group_path)
-+
-+ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path])
-+ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path])
-+
-+ conf = unindent("""\
-+ [sssd]
-+ domains = files
-+ services = nss
-+
-+ [nss]
-+ debug_level = 10
-+
-+ [domain/files]
-+ id_provider = files
-+ passwd_files = {passwd_list}
-+ group_files = {group_list}
-+ debug_level = 10
-+ """).format(**locals())
-+ create_conf_fixture(request, conf)
-+ create_sssd_fixture(request)
-+ return alt_pwops, alt_grops
-+
-+
- @pytest.fixture
- def proxy_to_files_domain_only(request):
- conf = unindent("""\
-@@ -1054,3 +1096,20 @@ def test_no_sssd_conf(add_user_with_canary, no_sssd_conf):
- res, user = sssd_getpwnam_sync(USER1["name"])
- assert res == NssReturnCode.SUCCESS
- assert user == USER1
-+
-+
-+def test_multiple_passwd_group_files(add_user_with_canary,
-+ add_group_with_canary,
-+ files_multiple_sources):
-+ """
-+ Test that users and groups can be mirrored from multiple files
-+ """
-+ alt_pwops, alt_grops = files_multiple_sources
-+ alt_pwops.useradd(**ALT_USER1)
-+ alt_grops.groupadd(**ALT_GROUP1)
-+
-+ check_user(USER1)
-+ check_user(ALT_USER1)
-+
-+ check_group(GROUP1)
-+ check_group(ALT_GROUP1)
---
-2.14.3
-
diff --git a/0025-AD-Missing-header-in-ad_access.h.patch b/0025-AD-Missing-header-in-ad_access.h.patch
deleted file mode 100644
index b00bb67..0000000
--- a/0025-AD-Missing-header-in-ad_access.h.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d81931454a0846fe503d090595fa5b0d4ffd93a5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Wed, 4 Apr 2018 12:10:13 +0200
-Subject: [PATCH] AD: Missing header in ad_access.h
-
-ad_access.h depends on data_provider.h header but
-does not include it.
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit abf377672e0011da817b5105fe581b27f2f855b7)
----
- src/providers/ad/ad_access.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h
-index cc565a8e6..34d5597da 100644
---- a/src/providers/ad/ad_access.h
-+++ b/src/providers/ad/ad_access.h
-@@ -23,6 +23,8 @@
- #ifndef AD_ACCESS_H_
- #define AD_ACCESS_H_
-
-+#include "providers/data_provider.h"
-+
- struct ad_access_ctx {
- struct dp_option *ad_options;
- struct sdap_access_ctx *sdap_access_ctx;
---
-2.14.3
-
diff --git a/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch b/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
deleted file mode 100644
index 34ef7ce..0000000
--- a/0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 5e47ae51f5cf11decdfec483ab1adef07ec2b7ef Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Wed, 4 Apr 2018 12:17:37 +0200
-Subject: [PATCH] GPO: Add ad_options to ad_gpo_process_som_state
-
-We will need at least ad_site option from this
-context available to get the AD site override
-value.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3646
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 7a42831b208ed8d2fcb9d8beaa12bd2214bb7dce)
----
- src/providers/ad/ad_gpo.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index d9ea31141..028f6a2e7 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -146,6 +146,7 @@ struct tevent_req *ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
- struct ldb_context *ldb_ctx,
- struct sdap_id_op *sdap_op,
- struct sdap_options *opts,
-+ struct dp_option *ad_options,
- int timeout,
- const char *target_dn,
- const char *domain_name);
-@@ -1975,6 +1976,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
- state->ldb_ctx,
- state->sdap_op,
- state->opts,
-+ state->access_ctx->ad_options,
- state->timeout,
- state->target_dn,
- state->host_domain->name);
-@@ -2701,6 +2703,7 @@ struct ad_gpo_process_som_state {
- struct tevent_context *ev;
- struct sdap_id_op *sdap_op;
- struct sdap_options *opts;
-+ struct dp_option *ad_options;
- int timeout;
- bool allow_enforced_only;
- char *site_name;
-@@ -2734,6 +2737,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
- struct ldb_context *ldb_ctx,
- struct sdap_id_op *sdap_op,
- struct sdap_options *opts,
-+ struct dp_option *ad_options,
- int timeout,
- const char *target_dn,
- const char *domain_name)
-@@ -2752,6 +2756,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
- state->ev = ev;
- state->sdap_op = sdap_op;
- state->opts = opts;
-+ state->ad_options = ad_options;
- state->timeout = timeout;
- state->som_index = 0;
- state->allow_enforced_only = 0;
---
-2.14.3
-
diff --git a/0027-GPO-Use-AD-site-override-if-set.patch b/0027-GPO-Use-AD-site-override-if-set.patch
deleted file mode 100644
index 59066dd..0000000
--- a/0027-GPO-Use-AD-site-override-if-set.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 82096e7e4a6ccaf8a2828ddfc77a04c930a14148 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Wed, 4 Apr 2018 13:24:21 +0200
-Subject: [PATCH] GPO: Use AD site override if set
-
-Use AD site override if it was set in SSSD configuration.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3646
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 744e2b4d0710c1dc850bfadbd75ae1ae7faf1148)
----
- src/providers/ad/ad_gpo.c | 33 ++++++++++++++++++++++++++++++---
- 1 file changed, 30 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index 028f6a2e7..a48f264c7 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -2806,7 +2806,8 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
- struct tevent_req *req;
- struct ad_gpo_process_som_state *state;
- int ret;
-- char *site;
-+ char *site = NULL;
-+ char *site_override = NULL;
- const char *attrs[] = {AD_AT_CONFIG_NC, NULL};
-
- req = tevent_req_callback_data(subreq, struct tevent_req);
-@@ -2817,17 +2818,43 @@ ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
- talloc_zfree(subreq);
-
- if (ret != EOK || site == NULL) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve master domain info\n");
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Could not autodiscover AD site. This is not fatal if "
-+ "ad_site option was set.\n");
-+ }
-+
-+ site_override = dp_opt_get_string(state->ad_options, AD_SITE);
-+ if (site_override != NULL) {
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Overriding autodiscovered AD site value '%s' with '%s' from "
-+ "configuration.\n", site ? site : "none", site_override);
-+ }
-+
-+ if (site == NULL && site_override == NULL) {
-+ sss_log(SSS_LOG_WARNING,
-+ "Could not autodiscover AD site value using DNS and ad_site "
-+ "option was not set in configuration. GPO will not work. "
-+ "To work around this issue you can use ad_site option in SSSD "
-+ "configuration.");
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Could not autodiscover AD site value using DNS and ad_site "
-+ "option was not set in configuration. GPO will not work. "
-+ "To work around this issue you can use ad_site option in SSSD "
-+ "configuration.\n");
- tevent_req_error(req, ENOENT);
- return;
- }
-
-- state->site_name = talloc_asprintf(state, "cn=%s", site);
-+ state->site_name = talloc_asprintf(state, "cn=%s",
-+ site_override ? site_override
-+ : site);
- if (state->site_name == NULL) {
- tevent_req_error(req, ENOMEM);
- return;
- }
-
-+ DEBUG(SSSDBG_TRACE_FUNC, "Using AD site '%s'.\n", state->site_name);
-+
- /*
- * note: the configNC attribute is being retrieved here from the rootDSE
- * entry. In future, since we already make an LDAP query for the rootDSE
---
-2.14.3
-
diff --git a/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch b/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
deleted file mode 100644
index ea41680..0000000
--- a/0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 29f9df0162096d0e3ec4e85c1f1b5ce87062aa64 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 15 Mar 2018 12:43:34 +0100
-Subject: [PATCH] nss: initialize nss_enum_index in nss_setnetgrent()
-
-setnetgrent() is the first call when looking up a netgroup and sets the
-netgroup name for upcoming getnetgrent() and endnetgrent() calls.
-Currently the state is reset by calling endnetgrent() but it would be
-more robust to unconditionally reset the state in setnetgrent() as well
-in case calling endnetgrent() was forgotten.
-
-Related to https://pagure.io/SSSD/sssd/issue/3679
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 37a84285aeb497ed4909d16916bbf934af3f68b3)
----
- src/responder/nss/nss_cmd.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
-index 956ee53cb..9f8479b7b 100644
---- a/src/responder/nss/nss_cmd.c
-+++ b/src/responder/nss/nss_cmd.c
-@@ -756,6 +756,9 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
- goto done;
- }
-
-+ state_ctx->netgrent.domain = 0;
-+ state_ctx->netgrent.result = 0;
-+
- talloc_zfree(state_ctx->netgroup);
- state_ctx->netgroup = talloc_strdup(state_ctx, netgroup);
- if (state_ctx->netgroup == NULL) {
---
-2.14.3
-
diff --git a/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch b/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
deleted file mode 100644
index 5af0f87..0000000
--- a/0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 9f85ab4d8eba042b43a9346ed6dfbf3fc60ea488 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 15 Mar 2018 12:50:20 +0100
-Subject: [PATCH] nss: add a netgroup counter to struct nss_enum_index
-
-Netgroups are not looked up with the help of a single request but by
-calling setnetgrent(), getnetgrent() and endnetgrent() where
-getnetgrent() might be called multiple times depending on the number of
-netgroup elements. Since the caller does not provide a state the state
-has to be maintained by the SSSD nss responder. Besides the netgroup
-name this is mainly the number of elements already returned.
-
-This number is used to select the next element to return and currently
-it is assumed that there are not changes to the netgroup while the
-client is requesting the individual elements. But if e.g. the 3 nss
-calls are not used correctly or the netgroup is modified while the
-client is sending getnetgrent() calls the stored number might be out of
-range. To be on the safe side the stored number should be always
-compared with the current number of netgroup elements.
-
-Related to https://pagure.io/SSSD/sssd/issue/3679
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 08db22b1b1a2e742edbca92e35087294d963adda)
----
- src/db/sysdb.h | 3 ++-
- src/db/sysdb_search.c | 5 ++++-
- src/responder/nss/nss_enum.c | 3 ++-
- src/responder/nss/nss_private.h | 1 +
- src/responder/nss/nss_protocol_netgr.c | 7 +++++++
- 5 files changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/src/db/sysdb.h b/src/db/sysdb.h
-index fd18ecefe..2660314a7 100644
---- a/src/db/sysdb.h
-+++ b/src/db/sysdb.h
-@@ -1219,7 +1219,8 @@ errno_t sysdb_attrs_to_list(TALLOC_CTX *mem_ctx,
-
- errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
- struct ldb_result *res,
-- struct sysdb_netgroup_ctx ***entries);
-+ struct sysdb_netgroup_ctx ***entries,
-+ size_t *netgroup_count);
-
- errno_t sysdb_dn_sanitize(TALLOC_CTX *mem_ctx, const char *input,
- char **sanitized);
-diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
-index dc0bd4f2c..b7ceb6e59 100644
---- a/src/db/sysdb_search.c
-+++ b/src/db/sysdb_search.c
-@@ -1831,7 +1831,8 @@ done:
-
- errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
- struct ldb_result *res,
-- struct sysdb_netgroup_ctx ***entries)
-+ struct sysdb_netgroup_ctx ***entries,
-+ size_t *netgroup_count)
- {
- errno_t ret;
- size_t size = 0;
-@@ -1935,6 +1936,8 @@ errno_t sysdb_netgr_to_entries(TALLOC_CTX *mem_ctx,
- tmp_entry[c] = NULL;
-
- *entries = talloc_steal(mem_ctx, tmp_entry);
-+ *netgroup_count = c;
-+
- ret = EOK;
-
- done:
-diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c
-index 031db9f2e..a45b65233 100644
---- a/src/responder/nss/nss_enum.c
-+++ b/src/responder/nss/nss_enum.c
-@@ -144,7 +144,8 @@ static void nss_setent_internal_done(struct tevent_req *subreq)
- /* We need to expand the netgroup into triples and members. */
- ret = sysdb_netgr_to_entries(state->enum_ctx,
- result[0]->ldb_result,
-- &state->enum_ctx->netgroup);
-+ &state->enum_ctx->netgroup,
-+ &state->enum_ctx->netgroup_count);
- if (ret != EOK) {
- goto done;
- }
-diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
-index 5fc19d26b..aa8d8e9cd 100644
---- a/src/responder/nss/nss_private.h
-+++ b/src/responder/nss/nss_private.h
-@@ -41,6 +41,7 @@ struct nss_enum_index {
- struct nss_enum_ctx {
- struct cache_req_result **result;
- struct sysdb_netgroup_ctx **netgroup;
-+ size_t netgroup_count;
-
- /* Ongoing cache request that is constructing enumeration result. */
- struct tevent_req *ongoing;
-diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c
-index ed04fd258..9f27c6b78 100644
---- a/src/responder/nss/nss_protocol_netgr.c
-+++ b/src/responder/nss/nss_protocol_netgr.c
-@@ -126,6 +126,13 @@ nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
- idx = cmd_ctx->enum_index;
- entries = cmd_ctx->enum_ctx->netgroup;
-
-+ if (idx->result > cmd_ctx->enum_ctx->netgroup_count) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Unconsistent state while processing netgroups.\n");
-+ ret = EINVAL;
-+ goto done;
-+ }
-+
- /* First two fields (length and reserved), filled up later. */
- ret = sss_packet_grow(packet, 2 * sizeof(uint32_t));
- if (ret != EOK) {
---
-2.14.3
-
diff --git a/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch b/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
deleted file mode 100644
index 949cb9a..0000000
--- a/0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 3d0fd106754c7614f5d9fb3875d0b40092d200f3 Mon Sep 17 00:00:00 2001
-From: amitkuma <amitkuma@redhat.com>
-Date: Thu, 15 Feb 2018 18:21:10 +0530
-Subject: [PATCH] sssctl: Showing help even when sssd not configured
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-On a clean and unconfigured system, it's not possible
-to use --help.
-1) dnf install sssd-tools
-2) sssctl cache-remove --help
-Shows:
-[confdb_get_domains] (0x0010): No domains configured, fatal error!
-
-Solution: Donot check for confdb initialization when sssctl 3rd
-command line argument passed is '--help'.
-
-Please note when we run 'sssctl --help' on unconfigured system
-confdb check is not done and proper o/p is seen.
-
-Resolves: https://pagure.io/SSSD/sssd/issue/3634
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit b8db8c2d83d1d75c42c1e17145d3907211b3a146)
----
- src/tools/common/sss_tools.c | 19 ++++++++++++-------
- src/tools/common/sss_tools.h | 1 +
- 2 files changed, 13 insertions(+), 7 deletions(-)
-
-diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
-index 4832db5a0..d45584ce1 100644
---- a/src/tools/common/sss_tools.c
-+++ b/src/tools/common/sss_tools.c
-@@ -58,11 +58,14 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
- poptContext pc;
- int debug = SSSDBG_DEFAULT;
- int orig_argc = *argc;
-+ int help = 0;
- int opt;
-
- struct poptOption options[] = {
- {"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, &debug,
- 0, _("The debug level to run with"), NULL },
-+ {"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, &help,
-+ 1, NULL, NULL },
- POPT_TABLEEND
- };
-
-@@ -74,6 +77,7 @@ static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
- /* Strip common options from arguments. We will discard_const here,
- * since it is not worth the trouble to convert it back and forth. */
- *argc = poptStrippedArgv(pc, orig_argc, discard_const_p(char *, argv));
-+ tool_ctx->print_help = help;
-
- DEBUG_CLI_INIT(debug);
-
-@@ -187,7 +191,6 @@ errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
- }
-
- sss_tool_common_opts(tool_ctx, argc, argv);
--
- *_tool_ctx = tool_ctx;
-
- return EOK;
-@@ -341,12 +344,14 @@ errno_t sss_tool_route(int argc, const char **argv,
- return tool_ctx->init_err;
- }
-
-- ret = tool_cmd_init(tool_ctx, &commands[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_FATAL_FAILURE,
-- "Command initialization failed [%d] %s\n",
-- ret, sss_strerror(ret));
-- return ret;
-+ if (!tool_ctx->print_help) {
-+ ret = tool_cmd_init(tool_ctx, &commands[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_FATAL_FAILURE,
-+ "Command initialization failed [%d] %s\n",
-+ ret, sss_strerror(ret));
-+ return ret;
-+ }
- }
-
- return commands[i].fn(&cmdline, tool_ctx, pvt);
-diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
-index 848009365..0e4308ee6 100644
---- a/src/tools/common/sss_tools.h
-+++ b/src/tools/common/sss_tools.h
-@@ -29,6 +29,7 @@
- struct sss_tool_ctx {
- struct confdb_ctx *confdb;
-
-+ bool print_help;
- errno_t init_err;
- char *default_domain;
- struct sss_domain_info *domains;
---
-2.14.3
-
diff --git a/0031-sssctl-move-check-for-version-error-to-correct-place.patch b/0031-sssctl-move-check-for-version-error-to-correct-place.patch
deleted file mode 100644
index 2ee637f..0000000
--- a/0031-sssctl-move-check-for-version-error-to-correct-place.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 08fced82ad1a8bc03c69f84bcfdb495a5f473165 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Tue, 3 Apr 2018 10:20:29 +0200
-Subject: [PATCH] sssctl: move check for version error to correct place
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This check was added here:
-
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 490) int sss_tool_main(int argc, const char **argv,
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 491) struct sss_route_cmd *commands,
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 492) void *pvt)
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 493) {
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 494) struct sss_tool_ctx *tool_ctx;
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 495) uid_t uid;
-e98ccef2 (Pavel Březina 2016-06-09 16:13:34 +0200 496) errno_t ret;
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 497)
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 498) uid = getuid();
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 499) if (uid != 0) {
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 500) DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 501) ERROR("%1$s must be run as root\n", argv[0]);
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 502) return EXIT_FAILURE;
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 503) }
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 504)
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 505) ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 506) if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 507) tool_ctx->init_err = ret;
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 508) } else if (ret != EOK) {
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 509) DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 510) return EXIT_FAILURE;
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 511) }
-
-But then the initialization code was moved from sss_tool_init to tool_cmd_init which is called from sss_tool_route.
-
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 328) if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 329) DEBUG(SSSDBG_FATAL_FAILURE,
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 330) "Command %s does not handle initialization error [%d] %s\n",
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 331) cmdline.command, tool_ctx->init_err,
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 332) sss_strerror(tool_ctx->init_err));
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 333) return tool_ctx->init_err;
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 334) }
-a0b824ac (Jakub Hrozek 2016-07-01 13:26:38 +0200 335)
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 336) ret = tool_cmd_init(tool_ctx, &commands[i]);
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 337) if (ret != EOK) {
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 338) DEBUG(SSSDBG_FATAL_FAILURE,
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 339) "Command initialization failed [%d] %s\n",
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 340) ret, sss_strerror(ret));
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 341) return ret;
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 342) }
-cbee11e9 (Michal Židek 2016-10-12 13:09:37 +0200 343)
-284937e6 (Pavel Březina 2015-07-22 10:02:02 +0200 344) return commands[i].fn(&cmdline, tool_ctx, pvt);
-
-This rendered the original change a dead code, because sss_tool_init only returns ENOMEM or EOK.
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit fe58f0fbf34de5931ce3305396e5e4467796a325)
----
- src/tools/common/sss_tools.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
-index d45584ce1..701db2d93 100644
---- a/src/tools/common/sss_tools.c
-+++ b/src/tools/common/sss_tools.c
-@@ -346,7 +346,9 @@ errno_t sss_tool_route(int argc, const char **argv,
-
- if (!tool_ctx->print_help) {
- ret = tool_cmd_init(tool_ctx, &commands[i]);
-- if (ret != EOK) {
-+ if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
-+ tool_ctx->init_err = ret;
-+ } else if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Command initialization failed [%d] %s\n",
- ret, sss_strerror(ret));
-@@ -516,9 +518,7 @@ int sss_tool_main(int argc, const char **argv,
- }
-
- ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
-- if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
-- tool_ctx->init_err = ret;
-- } else if (ret != EOK) {
-+ if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
- return EXIT_FAILURE;
- }
---
-2.14.3
-
diff --git a/0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch b/0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
deleted file mode 100644
index 9fac092..0000000
--- a/0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 39539d7b882722336bb4bfad99ef3ebadfc9b276 Mon Sep 17 00:00:00 2001
-From: amitkumar50 <amitkuma@redhat.com>
-Date: Tue, 10 Apr 2018 15:29:01 +0530
-Subject: [PATCH] MAN: Add sss-certmap man page regarding priority processing
-
-PR adds following text in PRIORITY section of man sss-certmap:
-The processing is stopped when a matched rule is found and no
-further rules are checked.
-
-Resolves: https://pagure.io/SSSD/sssd/issue/3469
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-(cherry picked from commit 56839605d139573319b7df24774b56ea78ec742b)
----
- src/man/sss-certmap.5.xml | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
-index 593cd4666..db258d14a 100644
---- a/src/man/sss-certmap.5.xml
-+++ b/src/man/sss-certmap.5.xml
-@@ -44,7 +44,9 @@
- <para>
- The rules are processed by priority while the number '0' (zero)
- indicates the highest priority. The higher the number the lower is
-- the priority. A missing value indicates the lowest priority.
-+ the priority. A missing value indicates the lowest priority. The
-+ rules processing is stopped when a matched rule is found and no
-+ further rules are checked.
- </para>
- <para>
- Internally the priority is treated as unsigned 32bit integer, using
---
-2.14.3
-
diff --git a/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch b/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
deleted file mode 100644
index df640fd..0000000
--- a/0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From ac1636acadcf8e799a93d799140e8ff2d533f313 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 23 Jan 2018 11:23:37 +0100
-Subject: [PATCH] SDAP: Improve a DEBUG message about GC detection
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It was not entirely clear what the message means. We should improve the
-debug message to make it clear that all or none attributes should be
-replicated to the Global Catalog.
-
-This patch can be reverted once we fix
-https://pagure.io/SSSD/sssd/issue/3538 and only use the GC to look up
-the entry DN, not the entry itself.
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 2d43eaf43540c375d39c5e1c2482595e919fb4df)
----
- src/providers/ldap/sdap_async.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
-index 76cfce207..1e77b1c3c 100644
---- a/src/providers/ldap/sdap_async.c
-+++ b/src/providers/ldap/sdap_async.c
-@@ -2720,7 +2720,11 @@ static void sdap_gc_posix_check_done(struct tevent_req *subreq)
-
- /* Positive hit is definitive, no need to search other bases */
- if (state->has_posix == true) {
-- DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes\n");
-+ DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will "
-+ "be used for user and group lookups. Note that if "
-+ "only a subset of POSIX attributes is present "
-+ "in GC, the non-replicated attributes are "
-+ "currently not read from the LDAP port\n");
- tevent_req_done(req);
- return;
- }
---
-2.14.3
-
diff --git a/0034-MAN-Improve-docs-about-GC-detection.patch b/0034-MAN-Improve-docs-about-GC-detection.patch
deleted file mode 100644
index d9fe8d4..0000000
--- a/0034-MAN-Improve-docs-about-GC-detection.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1438765a294161b9b636e01ed86bc52c540183d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Thu, 12 Apr 2018 10:38:42 +0200
-Subject: [PATCH] MAN: Improve docs about GC detection
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add the same note we have as part of our debug to the sssd-ad manual.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 4ab8734cc45fab2d1a0e690b566da1bda63df76c)
----
- src/man/sssd-ad.5.xml | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
-index be2593dca..f43c7fcf4 100644
---- a/src/man/sssd-ad.5.xml
-+++ b/src/man/sssd-ad.5.xml
-@@ -100,6 +100,9 @@ ldap_id_mapping = False
- domains in the forest sequentially. Please note that the
- <quote>cache_first</quote> option might be also helpful in
- speeding up domainless searches.
-+ Note that if only a subset of POSIX attributes is present in
-+ the Global Catalog, the non-replicated attributes are currently
-+ not read from the LDAP port.
- </para>
- <para>
- Users, groups and other entities served by SSSD are always treated as
---
-2.14.3
-
diff --git a/0035-nss-idmap-do-not-set-a-limit.patch b/0035-nss-idmap-do-not-set-a-limit.patch
deleted file mode 100644
index 7975f19..0000000
--- a/0035-nss-idmap-do-not-set-a-limit.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From b489dcc998fc305f3a0a43b6484c042065320001 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 18 Apr 2018 10:20:06 +0200
-Subject: [PATCH] nss-idmap: do not set a limit
-
-If the limit is set the needed size to return all groups cannot be
-returned.
-
-Related to https://pagure.io/SSSD/sssd/issue/3715
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85)
----
- src/sss_client/idmap/sss_nss_ex.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
-index c00e64cc4..b87b5e3b2 100644
---- a/src/sss_client/idmap/sss_nss_ex.c
-+++ b/src/sss_client/idmap/sss_nss_ex.c
-@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp)
- inp->result.initgrrep.start,
- inp->result.initgrrep.ngroups,
- &(inp->result.initgrrep.groups),
-- *(inp->result.initgrrep.ngroups));
-+ /* no limit so that needed size can
-+ * be returned properly */
-+ -1);
- break;
- default:
- return EINVAL;
---
-2.14.3
-
diff --git a/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch b/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
deleted file mode 100644
index 012a426..0000000
--- a/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From b24ef81656fc3d0dce49b1756ba53c46b5881a14 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 18 Apr 2018 10:23:22 +0200
-Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex()
-
-If the initial array is too small it will be reallocated during
-sss_get_ex() and the pointer might change and the initial memory area
-should not be used anymore.
-
-Related to https://pagure.io/SSSD/sssd/issue/3715
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b)
----
- src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++---------
- 1 file changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
-index b87b5e3b2..971422063 100644
---- a/src/sss_client/idmap/sss_nss_ex.c
-+++ b/src/sss_client/idmap/sss_nss_ex.c
-@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
- uint32_t flags, unsigned int timeout)
- {
- int ret;
-- gid_t *new_groups;
- long int new_ngroups;
- long int start = 1;
- struct nss_input inp = {
-@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
- }
-
- new_ngroups = MAX(1, *ngroups);
-- new_groups = malloc(new_ngroups * sizeof(gid_t));
-- if (new_groups == NULL) {
-+ inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t));
-+ if (inp.result.initgrrep.groups == NULL) {
- free(discard_const(inp.rd.data));
- return ENOMEM;
- }
-- new_groups[0] = group;
-+ inp.result.initgrrep.groups[0] = group;
-
-- inp.result.initgrrep.groups = new_groups,
- inp.result.initgrrep.ngroups = &new_ngroups;
- inp.result.initgrrep.start = &start;
-
--
-+ /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and
-+ * inp.result.initgrrep.start might be modified by sss_get_ex() */
- ret = sss_get_ex(&inp, flags, timeout);
- free(discard_const(inp.rd.data));
- if (ret != 0) {
-- free(new_groups);
-+ free(inp.result.initgrrep.groups);
- return ret;
- }
-
-- memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
-- free(new_groups);
-+ memcpy(groups, inp.result.initgrrep.groups,
-+ MIN(*ngroups, start) * sizeof(gid_t));
-+ free(inp.result.initgrrep.groups);
-
- if (start > *ngroups) {
- ret = ERANGE;
---
-2.14.3
-
diff --git a/0037-NSS-Add-InvalidateGroupById-handler.patch b/0037-NSS-Add-InvalidateGroupById-handler.patch
deleted file mode 100644
index 7cb604e..0000000
--- a/0037-NSS-Add-InvalidateGroupById-handler.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-From d1f38315fa7f8c9d3392af0feb32afc56a0f6c4e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Fri, 16 Feb 2018 13:55:53 +0100
-Subject: [PATCH] NSS: Add InvalidateGroupById handler
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There are some situations where, from the backend, the NSS responder
-will have to be notified to invalidate a group.
-
-In order to achieve this in a clean way, let's add the
-InvalidateGroupById handler and make use of it later in this very same
-series.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 851d31264c826d7e1bca38bb6d49e66b446707e7)
----
- src/responder/nss/nss_iface.c | 16 ++++++++++++++
- src/responder/nss/nss_iface.xml | 3 +++
- src/responder/nss/nss_iface_generated.c | 38 +++++++++++++++++++++++++++++++++
- src/responder/nss/nss_iface_generated.h | 5 +++++
- 4 files changed, 62 insertions(+)
-
-diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c
-index 415af9550..805e4fcdf 100644
---- a/src/responder/nss/nss_iface.c
-+++ b/src/responder/nss/nss_iface.c
-@@ -199,12 +199,28 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req,
- return iface_nss_memorycache_UpdateInitgroups_finish(sbus_req);
- }
-
-+int nss_memorycache_invalidate_group_by_id(struct sbus_request *sbus_req,
-+ void *data,
-+ gid_t gid)
-+{
-+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
-+ struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx);
-+
-+ DEBUG(SSSDBG_TRACE_LIBS,
-+ "Invalidating group %"PRIu32" from memory cache\n", gid);
-+
-+ sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid);
-+
-+ return iface_nss_memorycache_InvalidateGroupById_finish(sbus_req);
-+}
-+
- struct iface_nss_memorycache iface_nss_memorycache = {
- { &iface_nss_memorycache_meta, 0 },
- .UpdateInitgroups = nss_memorycache_update_initgroups,
- .InvalidateAllUsers = nss_memorycache_invalidate_users,
- .InvalidateAllGroups = nss_memorycache_invalidate_groups,
- .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups,
-+ .InvalidateGroupById = nss_memorycache_invalidate_group_by_id,
- };
-
- static struct sbus_iface_map iface_map[] = {
-diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml
-index 27aae0197..4d8cf14f9 100644
---- a/src/responder/nss/nss_iface.xml
-+++ b/src/responder/nss/nss_iface.xml
-@@ -14,5 +14,8 @@
- </method>
- <method name="InvalidateAllInitgroups">
- </method>
-+ <method name="InvalidateGroupById">
-+ <arg name="gid" type="u" direction="in" />
-+ </method>
- </interface>
- </node>
-diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c
-index 4a8b704da..8d5a4584b 100644
---- a/src/responder/nss/nss_iface_generated.c
-+++ b/src/responder/nss/nss_iface_generated.c
-@@ -12,6 +12,9 @@
- /* invokes a handler with a 'ssau' DBus signature */
- static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr);
-
-+/* invokes a handler with a 'u' DBus signature */
-+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr);
-+
- /* arguments for org.freedesktop.sssd.nss.MemoryCache.UpdateInitgroups */
- const struct sbus_arg_meta iface_nss_memorycache_UpdateInitgroups__in[] = {
- { "user", "s" },
-@@ -44,6 +47,18 @@ int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *re
- DBUS_TYPE_INVALID);
- }
-
-+/* arguments for org.freedesktop.sssd.nss.MemoryCache.InvalidateGroupById */
-+const struct sbus_arg_meta iface_nss_memorycache_InvalidateGroupById__in[] = {
-+ { "gid", "u" },
-+ { NULL, }
-+};
-+
-+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req)
-+{
-+ return sbus_request_return_and_finish(req,
-+ DBUS_TYPE_INVALID);
-+}
-+
- /* methods for org.freedesktop.sssd.nss.MemoryCache */
- const struct sbus_method_meta iface_nss_memorycache__methods[] = {
- {
-@@ -74,6 +89,13 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = {
- offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups),
- NULL, /* no invoker */
- },
-+ {
-+ "InvalidateGroupById", /* name */
-+ iface_nss_memorycache_InvalidateGroupById__in,
-+ NULL, /* no out_args */
-+ offsetof(struct iface_nss_memorycache, InvalidateGroupById),
-+ invoke_u_method,
-+ },
- { NULL, }
- };
-
-@@ -86,6 +108,22 @@ const struct sbus_interface_meta iface_nss_memorycache_meta = {
- sbus_invoke_get_all, /* GetAll invoker */
- };
-
-+/* invokes a handler with a 'u' DBus signature */
-+static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr)
-+{
-+ uint32_t arg_0;
-+ int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr;
-+
-+ if (!sbus_request_parse_or_finish(dbus_req,
-+ DBUS_TYPE_UINT32, &arg_0,
-+ DBUS_TYPE_INVALID)) {
-+ return EOK; /* request handled */
-+ }
-+
-+ return (handler)(dbus_req, dbus_req->intf->handler_data,
-+ arg_0);
-+}
-+
- /* invokes a handler with a 'ssau' DBus signature */
- static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr)
- {
-diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h
-index 11fac7916..27a6d0853 100644
---- a/src/responder/nss/nss_iface_generated.h
-+++ b/src/responder/nss/nss_iface_generated.h
-@@ -18,6 +18,7 @@
- #define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers"
- #define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups"
- #define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups"
-+#define IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID "InvalidateGroupById"
-
- /* ------------------------------------------------------------------------
- * DBus handlers
-@@ -44,6 +45,7 @@ struct iface_nss_memorycache {
- int (*InvalidateAllUsers)(struct sbus_request *req, void *data);
- int (*InvalidateAllGroups)(struct sbus_request *req, void *data);
- int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data);
-+ int (*InvalidateGroupById)(struct sbus_request *req, void *data, uint32_t arg_gid);
- };
-
- /* finish function for UpdateInitgroups */
-@@ -58,6 +60,9 @@ int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req);
- /* finish function for InvalidateAllInitgroups */
- int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req);
-
-+/* finish function for InvalidateGroupById */
-+int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req);
-+
- /* ------------------------------------------------------------------------
- * DBus Interface Metadata
- *
---
-2.14.3
-
diff --git a/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch b/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
deleted file mode 100644
index 7f738c6..0000000
--- a/0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From efaabeae96f76036bbe06122f7fbf70a66d26c56 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Mon, 19 Feb 2018 08:42:10 +0100
-Subject: [PATCH] DP: Add dp_sbus_invalidate_group_memcache()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This function will be called from the data provider to the NSS
-responder, which will invalidate a group in the memcache.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 709c42f0cabc96d0e0edf72753a0967593206ff4)
----
- src/providers/data_provider/dp.h | 2 ++
- src/providers/data_provider/dp_resp_client.c | 45 ++++++++++++++++++++++++++++
- 2 files changed, 47 insertions(+)
-
-diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h
-index ceb49da53..e8b2f9c8f 100644
---- a/src/providers/data_provider/dp.h
-+++ b/src/providers/data_provider/dp.h
-@@ -179,6 +179,8 @@ void dp_sbus_reset_groups_ncache(struct data_provider *provider,
- void dp_sbus_reset_users_memcache(struct data_provider *provider);
- void dp_sbus_reset_groups_memcache(struct data_provider *provider);
- void dp_sbus_reset_initgr_memcache(struct data_provider *provider);
-+void dp_sbus_invalidate_group_memcache(struct data_provider *provider,
-+ gid_t gid);
-
- /*
- * A dummy handler for DPM_ACCT_DOMAIN_HANDLER.
-diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c
-index 5735188a6..a61f7c59d 100644
---- a/src/providers/data_provider/dp_resp_client.c
-+++ b/src/providers/data_provider/dp_resp_client.c
-@@ -189,3 +189,48 @@ void dp_sbus_reset_initgr_memcache(struct data_provider *provider)
- return dp_sbus_reset_memcache(provider,
- IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS);
- }
-+
-+void dp_sbus_invalidate_group_memcache(struct data_provider *provider,
-+ gid_t gid)
-+{
-+ struct dp_client *dp_cli;
-+ DBusMessage *msg;
-+ dbus_bool_t dbret;
-+
-+ if (provider == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "No provider pointer\n");
-+ return;
-+ }
-+
-+ dp_cli = provider->clients[DPC_NSS];
-+ if (dp_cli == NULL) {
-+ return;
-+ }
-+
-+ msg = dbus_message_new_method_call(NULL,
-+ NSS_MEMORYCACHE_PATH,
-+ IFACE_NSS_MEMORYCACHE,
-+ IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID);
-+ if (msg == NULL) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
-+ return;
-+ }
-+
-+ dbret = dbus_message_append_args(msg,
-+ DBUS_TYPE_UINT32, &gid,
-+ DBUS_TYPE_INVALID);
-+ if (!dbret) {
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
-+ dbus_message_unref(msg);
-+ return;
-+ }
-+
-+ DEBUG(SSSDBG_TRACE_FUNC,
-+ "Ordering NSS responder to invalidate the group %"PRIu32" \n",
-+ gid);
-+
-+ sbus_conn_send_reply(dp_client_conn(dp_cli), msg);
-+ dbus_message_unref(msg);
-+
-+ return;
-+}
---
-2.14.3
-
diff --git a/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch b/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
deleted file mode 100644
index 8dbcc78..0000000
--- a/0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 454f493664bf117c27634e6efe33ebe7d5a85c56 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Mon, 19 Feb 2018 08:29:36 +0100
-Subject: [PATCH] ERRORS: Add ERR_GID_DUPLICATED
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This new error will be returned from sysdb_add_incomplete_group()
-when renaming a group which will case gid collision.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit ccd349f0274217e1f0cc118e3a6045e2235ce420)
----
- src/util/util_errors.c | 1 +
- src/util/util_errors.h | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/src/util/util_errors.c b/src/util/util_errors.c
-index 39ce3d7dc..e2bb2a014 100644
---- a/src/util/util_errors.c
-+++ b/src/util/util_errors.c
-@@ -118,6 +118,7 @@ struct err_string error_to_str[] = {
- { "GetAccountDomain() not supported" }, /* ERR_GET_ACCT_DOM_NOT_SUPPORTED */
- { "The last GetAccountDomain() result is still valid" }, /* ERR_GET_ACCT_DOM_CACHED */
- { "ID is outside the allowed range" }, /* ERR_ID_OUTSIDE_RANGE */
-+ { "Group ID is duplicated" }, /* ERR_GID_DUPLICATED */
- { "ERR_LAST" } /* ERR_LAST */
- };
-
-diff --git a/src/util/util_errors.h b/src/util/util_errors.h
-index ad4dad5f8..49501727d 100644
---- a/src/util/util_errors.h
-+++ b/src/util/util_errors.h
-@@ -140,6 +140,7 @@ enum sssd_errors {
- ERR_GET_ACCT_DOM_NOT_SUPPORTED,
- ERR_GET_ACCT_DOM_CACHED,
- ERR_ID_OUTSIDE_RANGE,
-+ ERR_GID_DUPLICATED,
- ERR_LAST /* ALWAYS LAST */
- };
-
---
-2.14.3
-
diff --git a/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch b/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
deleted file mode 100644
index d2df4bf..0000000
--- a/0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
+++ /dev/null
@@ -1,380 +0,0 @@
-From f60c77df9b7162f46d8639f940d5df31f64f5815 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 9 Apr 2018 12:36:45 +0200
-Subject: [PATCH] LDAP: Augment the sdap_opts structure with a data provider
- pointer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In order to be able to use the Data Provider methods from the SDAP code
-to e.g. invalidate memcache when needed, add a new field to the
-sdap_options structure with the data_provider structure pointer.
-
-Fill the pointer value for all LDAP-based providers.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit d2633d922eeed68f92be4248b9172b928c189920)
----
- src/providers/ad/ad_common.c | 18 +++++++++++++-----
- src/providers/ad/ad_common.h | 4 ++++
- src/providers/ad/ad_init.c | 5 ++++-
- src/providers/ad/ad_subdomains.c | 8 ++++++--
- src/providers/ipa/ipa_common.c | 2 ++
- src/providers/ipa/ipa_common.h | 1 +
- src/providers/ipa/ipa_init.c | 5 ++++-
- src/providers/ipa/ipa_subdomains_server.c | 2 ++
- src/providers/ldap/ldap_common.h | 1 +
- src/providers/ldap/ldap_init.c | 3 ++-
- src/providers/ldap/ldap_options.c | 2 ++
- src/providers/ldap/sdap.h | 1 +
- src/tests/cmocka/common_mock_sdap.c | 2 +-
- src/tests/cmocka/test_ad_common.c | 3 +++
- 14 files changed, 46 insertions(+), 11 deletions(-)
-
-diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
-index 2a1647173..d92c68e6f 100644
---- a/src/providers/ad/ad_common.c
-+++ b/src/providers/ad/ad_common.c
-@@ -35,7 +35,8 @@ static errno_t ad_set_sdap_options(struct ad_options *ad_opts,
- struct sdap_options *id_opts);
-
- static struct sdap_options *
--ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
-+ad_create_default_sdap_options(TALLOC_CTX *mem_ctx,
-+ struct data_provider *dp)
- {
- struct sdap_options *id_opts;
- errno_t ret;
-@@ -44,6 +45,7 @@ ad_create_default_sdap_options(TALLOC_CTX *mem_ctx)
- if (!id_opts) {
- return NULL;
- }
-+ id_opts->dp = dp;
-
- ret = dp_copy_defaults(id_opts,
- ad_def_ldap_opts,
-@@ -112,6 +114,7 @@ static errno_t
- ad_create_sdap_options(TALLOC_CTX *mem_ctx,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sdap_options **_id_opts)
- {
- struct sdap_options *id_opts;
-@@ -119,7 +122,7 @@ ad_create_sdap_options(TALLOC_CTX *mem_ctx,
-
- if (cdb == NULL || conf_path == NULL) {
- /* Fallback to defaults if there is no confdb */
-- id_opts = ad_create_default_sdap_options(mem_ctx);
-+ id_opts = ad_create_default_sdap_options(mem_ctx, dp);
- if (id_opts == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Failed to initialize default sdap options\n");
-@@ -220,6 +223,7 @@ struct ad_options *
- ad_create_options(TALLOC_CTX *mem_ctx,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sss_domain_info *subdom)
- {
- struct ad_options *ad_options;
-@@ -252,6 +256,7 @@ ad_create_options(TALLOC_CTX *mem_ctx,
- ret = ad_create_sdap_options(ad_options,
- cdb,
- conf_path,
-+ dp,
- &ad_options->id);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD LDAP options\n");
-@@ -304,6 +309,7 @@ struct ad_options *
- ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- const char *realm,
- struct sss_domain_info *subdom,
- const char *hostname,
-@@ -315,7 +321,7 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
- DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n",
- subdom->name);
-
-- ad_options = ad_create_options(mem_ctx, cdb, conf_path, subdom);
-+ ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom);
- if (ad_options == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
- return NULL;
-@@ -343,6 +349,7 @@ struct ad_options *
- ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
- struct confdb_ctx *cdb,
- const char *subdom_conf_path,
-+ struct data_provider *dp,
- struct sss_domain_info *subdom,
- const char *hostname,
- const char *keytab,
-@@ -355,7 +362,7 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
- DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n",
- subdom->name);
-
-- ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, subdom);
-+ ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom);
- if (ad_options == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
- return NULL;
-@@ -1056,12 +1063,13 @@ errno_t
- ad_get_id_options(struct ad_options *ad_opts,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sdap_options **_opts)
- {
- struct sdap_options *id_opts;
- errno_t ret;
-
-- ret = ad_create_sdap_options(ad_opts, cdb, conf_path, &id_opts);
-+ ret = ad_create_sdap_options(ad_opts, cdb, conf_path, dp, &id_opts);
- if (ret != EOK) {
- return ENOMEM;
- }
-diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
-index 931aafc6c..6eb2ba7e9 100644
---- a/src/providers/ad/ad_common.h
-+++ b/src/providers/ad/ad_common.h
-@@ -112,11 +112,13 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
- struct ad_options *ad_create_options(TALLOC_CTX *mem_ctx,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sss_domain_info *subdom);
-
- struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- const char *realm,
- struct sss_domain_info *subdom,
- const char *hostname,
-@@ -125,6 +127,7 @@ struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
- struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sss_domain_info *subdom,
- const char *hostname,
- const char *keytab,
-@@ -147,6 +150,7 @@ errno_t
- ad_get_id_options(struct ad_options *ad_opts,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sdap_options **_opts);
- errno_t
- ad_get_autofs_options(struct ad_options *ad_opts,
-diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
-index 8c485a7c2..b19624782 100644
---- a/src/providers/ad/ad_init.c
-+++ b/src/providers/ad/ad_init.c
-@@ -453,7 +453,10 @@ errno_t sssm_ad_init(TALLOC_CTX *mem_ctx,
-
- init_ctx->options->id_ctx = init_ctx->id_ctx;
-
-- ret = ad_get_id_options(init_ctx->options, be_ctx->cdb, be_ctx->conf_path,
-+ ret = ad_get_id_options(init_ctx->options,
-+ be_ctx->cdb,
-+ be_ctx->conf_path,
-+ be_ctx->provider,
- &init_ctx->id_ctx->sdap_id_ctx->opts);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n");
-diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
-index bd94ba8ea..74b9f0751 100644
---- a/src/providers/ad/ad_subdomains.c
-+++ b/src/providers/ad/ad_subdomains.c
-@@ -265,8 +265,12 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
- return ENOMEM;
- }
-
-- ad_options = ad_create_2way_trust_options(id_ctx, be_ctx->cdb,
-- subdom_conf_path, realm, subdom,
-+ ad_options = ad_create_2way_trust_options(id_ctx,
-+ be_ctx->cdb,
-+ subdom_conf_path,
-+ be_ctx->provider,
-+ realm,
-+ subdom,
- hostname, keytab);
- talloc_free(subdom_conf_path);
- if (ad_options == NULL) {
-diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
-index 2b81d7f3f..87ed96767 100644
---- a/src/providers/ipa/ipa_common.c
-+++ b/src/providers/ipa/ipa_common.c
-@@ -171,6 +171,7 @@ static errno_t ipa_parse_search_base(TALLOC_CTX *mem_ctx,
- int ipa_get_id_options(struct ipa_options *ipa_opts,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sdap_options **_opts)
- {
- TALLOC_CTX *tmpctx;
-@@ -190,6 +191,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
- ret = ENOMEM;
- goto done;
- }
-+ ipa_opts->id->dp = dp;
-
- ret = sdap_domain_add(ipa_opts->id,
- ipa_opts->id_ctx->sdap_id_ctx->be->domain,
-diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
-index 3a1259ccd..725e0e937 100644
---- a/src/providers/ipa/ipa_common.h
-+++ b/src/providers/ipa/ipa_common.h
-@@ -235,6 +235,7 @@ int ipa_get_options(TALLOC_CTX *memctx,
- int ipa_get_id_options(struct ipa_options *ipa_opts,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sdap_options **_opts);
-
- int ipa_get_auth_options(struct ipa_options *ipa_opts,
-diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
-index cd2227896..931145985 100644
---- a/src/providers/ipa/ipa_init.c
-+++ b/src/providers/ipa/ipa_init.c
-@@ -161,7 +161,10 @@ static errno_t ipa_init_id_ctx(TALLOC_CTX *mem_ctx,
- ipa_id_ctx->sdap_id_ctx = sdap_id_ctx;
- ipa_options->id_ctx = ipa_id_ctx;
-
-- ret = ipa_get_id_options(ipa_options, be_ctx->cdb, be_ctx->conf_path,
-+ ret = ipa_get_id_options(ipa_options,
-+ be_ctx->cdb,
-+ be_ctx->conf_path,
-+ be_ctx->provider,
- &sdap_id_ctx->opts);
- if (ret != EOK) {
- goto done;
-diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
-index d670a156b..1e53e7a95 100644
---- a/src/providers/ipa/ipa_subdomains_server.c
-+++ b/src/providers/ipa/ipa_subdomains_server.c
-@@ -148,6 +148,7 @@ ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
- ad_options = ad_create_1way_trust_options(id_ctx,
- be_ctx->cdb,
- subdom_conf_path,
-+ be_ctx->provider,
- subdom,
- id_ctx->server_mode->hostname,
- keytab,
-@@ -186,6 +187,7 @@ static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx,
- ad_options = ad_create_2way_trust_options(id_ctx,
- be_ctx->cdb,
- subdom_conf_path,
-+ be_ctx->provider,
- id_ctx->server_mode->realm,
- subdom,
- id_ctx->server_mode->hostname,
-diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
-index 44dbc3fb0..548f0f985 100644
---- a/src/providers/ldap/ldap_common.h
-+++ b/src/providers/ldap/ldap_common.h
-@@ -193,6 +193,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
- struct sss_domain_info *dom,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sdap_options **_opts);
-
- int ldap_get_sudo_options(struct confdb_ctx *cdb,
-diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
-index 83075b5d3..44b3e9ab3 100644
---- a/src/providers/ldap/ldap_init.c
-+++ b/src/providers/ldap/ldap_init.c
-@@ -458,7 +458,8 @@ errno_t sssm_ldap_init(TALLOC_CTX *mem_ctx,
-
- /* Always initialize options since it is needed everywhere. */
- ret = ldap_get_options(init_ctx, be_ctx->domain, be_ctx->cdb,
-- be_ctx->conf_path, &init_ctx->options);
-+ be_ctx->conf_path, be_ctx->provider,
-+ &init_ctx->options);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP options "
- "[%d]: %s\n", ret, sss_strerror(ret));
-diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c
-index ccc1a2c5b..0b79715d2 100644
---- a/src/providers/ldap/ldap_options.c
-+++ b/src/providers/ldap/ldap_options.c
-@@ -27,6 +27,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
- struct sss_domain_info *dom,
- struct confdb_ctx *cdb,
- const char *conf_path,
-+ struct data_provider *dp,
- struct sdap_options **_opts)
- {
- struct sdap_attr_map *default_attr_map;
-@@ -57,6 +58,7 @@ int ldap_get_options(TALLOC_CTX *memctx,
-
- opts = talloc_zero(memctx, struct sdap_options);
- if (!opts) return ENOMEM;
-+ opts->dp = dp;
-
- ret = sdap_domain_add(opts, dom, NULL);
- if (ret != EOK) {
-diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
-index ecf9c4d2e..e892c4071 100644
---- a/src/providers/ldap/sdap.h
-+++ b/src/providers/ldap/sdap.h
-@@ -465,6 +465,7 @@ struct sdap_certmap_ctx;
-
- struct sdap_options {
- struct dp_option *basic;
-+ struct data_provider *dp;
- struct sdap_attr_map *gen_map;
- struct sdap_attr_map *user_map;
- size_t user_map_cnt;
-diff --git a/src/tests/cmocka/common_mock_sdap.c b/src/tests/cmocka/common_mock_sdap.c
-index cef321613..fa4787c4b 100644
---- a/src/tests/cmocka/common_mock_sdap.c
-+++ b/src/tests/cmocka/common_mock_sdap.c
-@@ -48,7 +48,7 @@ struct sdap_options *mock_sdap_options_ldap(TALLOC_CTX *mem_ctx,
- struct sdap_options *opts = NULL;
- errno_t ret;
-
-- ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, &opts);
-+ ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, NULL, &opts);
- if (ret != EOK) {
- return NULL;
- }
-diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
-index 94f351e19..39ebbc633 100644
---- a/src/tests/cmocka/test_ad_common.c
-+++ b/src/tests/cmocka/test_ad_common.c
-@@ -449,6 +449,7 @@ static void test_ad_create_1way_trust_options(void **state)
- test_ctx->ad_ctx,
- NULL,
- NULL,
-+ NULL,
- test_ctx->subdom,
- ONEWAY_HOST_NAME,
- ONEWAY_KEYTAB_PATH,
-@@ -515,6 +516,7 @@ static void test_ad_create_2way_trust_options(void **state)
- test_ctx->ad_ctx,
- NULL,
- NULL,
-+ NULL,
- REALMNAME,
- test_ctx->subdom,
- HOST_NAME,
-@@ -585,6 +587,7 @@ test_ldap_conn_setup(void **state)
- ad_ctx,
- NULL,
- NULL,
-+ NULL,
- REALMNAME,
- test_ctx->subdom,
- HOST_NAME,
---
-2.14.3
-
diff --git a/0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch b/0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch
deleted file mode 100644
index bcba007..0000000
--- a/0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 87a0027c7dbc54422ac519ef8eef0323baff4b60 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Mon, 19 Feb 2018 12:43:06 +0100
-Subject: [PATCH] SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This newly added function is a helper to properly hadle group
-id-collisions when renaming incomplete groups and it does:
-- Deletes the group from sysdb
-- Adds the new incomplete group
-- Notifies the NSS responder that the entry also has to be deleted from
- the memory cache
-
-This function will be called from
-sdap_ad_save_group_membership_with_idmapping() and from
-sdap_add_incomplete_groups().
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit a537df2ea99acb0181dc360ddf9a60b69c16faf0)
----
- src/providers/ldap/sdap_async.h | 11 ++++++++++
- src/providers/ldap/sdap_async_initgroups.c | 34 ++++++++++++++++++++++++++++++
- 2 files changed, 45 insertions(+)
-
-diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
-index 40da81fb9..6ca3ed8d8 100644
---- a/src/providers/ldap/sdap_async.h
-+++ b/src/providers/ldap/sdap_async.h
-@@ -412,4 +412,15 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
- errno_t
- sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req);
-
-+errno_t
-+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
-+ struct sss_domain_info *domain,
-+ const char *name,
-+ gid_t gid,
-+ const char *original_dn,
-+ const char *sid_str,
-+ const char *uuid,
-+ bool posix,
-+ time_t now);
-+
- #endif /* _SDAP_ASYNC_H_ */
-diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
-index 326294a1c..34747be59 100644
---- a/src/providers/ldap/sdap_async_initgroups.c
-+++ b/src/providers/ldap/sdap_async_initgroups.c
-@@ -3543,3 +3543,37 @@ errno_t get_sysdb_grouplist_dn(TALLOC_CTX *mem_ctx,
- return get_sysdb_grouplist_ex(mem_ctx, sysdb, domain,
- name, grouplist, true);
- }
-+
-+errno_t
-+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
-+ struct sss_domain_info *domain,
-+ const char *name,
-+ gid_t gid,
-+ const char *original_dn,
-+ const char *sid_str,
-+ const char *uuid,
-+ bool posix,
-+ time_t now)
-+{
-+ errno_t ret;
-+
-+ ret = sysdb_delete_group(domain, NULL, gid);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_MINOR_FAILURE,
-+ "Due to an id collision, the new group with gid [\"%"PRIu32"\"] "
-+ "will not be added as the old group (with the same gid) could "
-+ "not be removed from the sysdb!",
-+ gid);
-+ return ret;
-+ }
-+
-+ ret = sysdb_add_incomplete_group(domain, name, gid, original_dn, sid_str,
-+ uuid, posix, now);
-+ if (ret != EOK) {
-+ return ret;
-+ }
-+
-+ dp_sbus_invalidate_group_memcache(dp, gid);
-+
-+ return EOK;
-+}
---
-2.14.3
-
diff --git a/0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch b/0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
deleted file mode 100644
index 71cdc20..0000000
--- a/0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From de891b231464f10ce029593d7ee2ebb401e8a0b3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Mon, 19 Feb 2018 12:51:57 +0100
-Subject: [PATCH] SDAP: Properly handle group id-collision when renaming
- incomplete groups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit a2e743cd23e8e2033340612c77a8dbb8ef48c1e1)
----
- src/providers/ad/ad_pac.c | 3 +++
- src/providers/ldap/sdap_async_ad.h | 1 +
- src/providers/ldap/sdap_async_initgroups.c | 13 +++++++++++++
- src/providers/ldap/sdap_async_initgroups_ad.c | 15 +++++++++++++++
- 4 files changed, 32 insertions(+)
-
-diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c
-index 6b47462cf..1a344725f 100644
---- a/src/providers/ad/ad_pac.c
-+++ b/src/providers/ad/ad_pac.c
-@@ -434,6 +434,7 @@ struct ad_handle_pac_initgr_state {
- const char *err;
- int dp_error;
- int sdap_ret;
-+ struct sdap_options *opts;
-
- size_t num_missing_sids;
- char **missing_sids;
-@@ -471,6 +472,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
- return NULL;
- }
- state->user_dom = sdom->dom;
-+ state->opts = id_ctx->opts;
-
- /* The following variables are currently unused because no sub-request
- * returns any of them. But they are needed to allow the same signature as
-@@ -514,6 +516,7 @@ struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
- DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n");
-
- ret = sdap_ad_save_group_membership_with_idmapping(state->username,
-+ state->opts,
- sdom->dom,
- id_ctx->opts->idmap_ctx,
- num_sids, group_sids);
-diff --git a/src/providers/ldap/sdap_async_ad.h b/src/providers/ldap/sdap_async_ad.h
-index 950f5a030..a5f47a1a9 100644
---- a/src/providers/ldap/sdap_async_ad.h
-+++ b/src/providers/ldap/sdap_async_ad.h
-@@ -25,6 +25,7 @@
- #define SDAP_ASYNC_AD_H_
-
- errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
-+ struct sdap_options *opts,
- struct sss_domain_info *user_dom,
- struct sdap_idmap_ctx *idmap_ctx,
- size_t num_sids,
-diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
-index 34747be59..03f6de01a 100644
---- a/src/providers/ldap/sdap_async_initgroups.c
-+++ b/src/providers/ldap/sdap_async_initgroups.c
-@@ -225,6 +225,19 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
- ret = sysdb_add_incomplete_group(domain, groupname, gid,
- original_dn, sid_str,
- uuid, posix, now);
-+ if (ret == ERR_GID_DUPLICATED) {
-+ /* In case o group id-collision, do:
-+ * - Delete the group from sysdb
-+ * - Add the new incomplete group
-+ * - Notify the NSS responder that the entry has also to be
-+ * removed from the memory cache
-+ */
-+ ret = sdap_handle_id_collision_for_incomplete_groups(
-+ opts->dp, domain, groupname, gid,
-+ original_dn, sid_str, uuid, posix,
-+ now);
-+ }
-+
- if (ret != EOK) {
- goto done;
- }
-diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
-index 30f1d3db2..eab103652 100644
---- a/src/providers/ldap/sdap_async_initgroups_ad.c
-+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
-@@ -836,6 +836,7 @@ sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq)
- }
-
- errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
-+ struct sdap_options *opts,
- struct sss_domain_info *user_dom,
- struct sdap_idmap_ctx *idmap_ctx,
- size_t num_sids,
-@@ -921,6 +922,19 @@ errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
-
- ret = sysdb_add_incomplete_group(domain, name, gid,
- NULL, sid, NULL, false, now);
-+ if (ret == ERR_GID_DUPLICATED) {
-+ /* In case o group id-collision, do:
-+ * - Delete the group from sysdb
-+ * - Add the new incomplete group
-+ * - Notify the NSS responder that the entry has also to be
-+ * removed from the memory cache
-+ */
-+ ret = sdap_handle_id_collision_for_incomplete_groups(
-+ idmap_ctx->id_ctx->be->provider,
-+ domain, name, gid, NULL, sid, NULL,
-+ false, now);
-+ }
-+
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Could not create incomplete "
- "group: [%s]\n", strerror(ret));
-@@ -992,6 +1006,7 @@ static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
- }
-
- ret = sdap_ad_save_group_membership_with_idmapping(state->username,
-+ state->opts,
- state->domain,
- state->idmap_ctx,
- num_sids,
---
-2.14.3
-
diff --git a/0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch b/0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
deleted file mode 100644
index 04c20b7..0000000
--- a/0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 5da97dcfb8499348080b5c7a3980c704294f22fa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Mon, 19 Feb 2018 08:53:56 +0100
-Subject: [PATCH] SYSDB_OPS: Error out on id-collision when adding an
- incomplete group
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This situation can be hit when renaming a group. For now, let's just
-error this out so the caller can handle it properly on its own layer.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit 514b2be089bfd0e2702d7e9ab883ab071a61b719)
----
- src/db/sysdb_ops.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 5d3cf643d..de4fdb592 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -2377,12 +2377,34 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
- TALLOC_CTX *tmp_ctx;
- int ret;
- struct sysdb_attrs *attrs;
-+ struct ldb_message *msg;
-+ const char *previous = NULL;
-+ const char *group_attrs[] = { SYSDB_SID_STR, SYSDB_UUID, SYSDB_ORIG_DN, NULL };
-+ const char *values[] = { sid_str, uuid, original_dn, NULL };
-+ bool same = false;
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
- return ENOMEM;
- }
-
-+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
-+ if (ret == EOK) {
-+ for (int i = 0; !same && group_attrs[i] != NULL; i++) {
-+ previous = ldb_msg_find_attr_as_string(msg,
-+ group_attrs[i],
-+ NULL);
-+ if (previous != NULL && values[i] != NULL) {
-+ same = strcmp(previous, values[i]) == 0;
-+ }
-+ }
-+ }
-+
-+ if (same) {
-+ ret = ERR_GID_DUPLICATED;
-+ goto done;
-+ }
-+
- /* try to add the group */
- ret = sysdb_add_basic_group(domain, name, gid);
- if (ret) goto done;
---
-2.14.3
-
diff --git a/0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch b/0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
deleted file mode 100644
index ef547d4..0000000
--- a/0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From ead866b198034c0b3101732e09a5524d0182d1cb Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 19 Feb 2018 18:26:05 +0100
-Subject: [PATCH] TESTS: Add an integration test for renaming incomplete groups
- during initgroups
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As we implemented the group renaming heuristics to rename only if we can
-use another "hint" like the original DN or the SID to know the group is
-the same, this patch adds two tests (positive and negative) to make sure
-a group with a totally different RDN and hence different originalDN
-cannot be renamed but a group whose name changed but the RDN stays the
-same can be renamed.
-
-Related:
-https://pagure.io/SSSD/sssd/issue/3282
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 35d6fb7cabd6183252fd29b29aaf66264dca9135)
----
- src/tests/intg/test_ldap.py | 149 +++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 147 insertions(+), 2 deletions(-)
-
-diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
-index db3253858..98b6349a8 100644
---- a/src/tests/intg/test_ldap.py
-+++ b/src/tests/intg/test_ldap.py
-@@ -94,10 +94,11 @@ def create_ldap_cleanup(request, ldap_conn, ent_list=None):
- request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
-
-
--def create_ldap_fixture(request, ldap_conn, ent_list=None):
-+def create_ldap_fixture(request, ldap_conn, ent_list=None, cleanup=True):
- """Add LDAP entries and add teardown for removing them"""
- create_ldap_entries(ldap_conn, ent_list)
-- create_ldap_cleanup(request, ldap_conn, ent_list)
-+ if cleanup:
-+ create_ldap_cleanup(request, ldap_conn, ent_list)
-
-
- SCHEMA_RFC2307 = "rfc2307"
-@@ -1437,3 +1438,147 @@ def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid):
- ", ".join(["%s" % s for s in sorted(gids)]),
- ", ".join(["%s" % s for s in sorted(user1_expected_gids)])
- )
-+
-+
-+def rename_setup_no_cleanup(request, ldap_conn, cleanup_ent=None):
-+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
-+ ent_list.add_user("user1", 1001, 2001)
-+ ent_list.add_group_bis("user1_private", 2001)
-+
-+ ent_list.add_user("user2", 1002, 2002)
-+ ent_list.add_group_bis("user2_private", 2002)
-+
-+ ent_list.add_group_bis("group1", 2015, ["user1", "user2"])
-+
-+ if cleanup_ent is None:
-+ create_ldap_fixture(request, ldap_conn, ent_list)
-+ else:
-+ # Since the entries were renamed, we need to clean up
-+ # the renamed entries..
-+ create_ldap_fixture(request, ldap_conn, ent_list, cleanup=False)
-+ create_ldap_cleanup(request, ldap_conn, None)
-+
-+
-+@pytest.fixture
-+def rename_setup_cleanup(request, ldap_conn):
-+ cleanup_ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
-+ cleanup_ent_list.add_user("user1", 1001, 2001)
-+ cleanup_ent_list.add_group_bis("new_user1_private", 2001)
-+
-+ cleanup_ent_list.add_user("user2", 1002, 2002)
-+ cleanup_ent_list.add_group_bis("new_user2_private", 2002)
-+
-+ cleanup_ent_list.add_group_bis("new_group1", 2015, ["user1", "user2"])
-+
-+ rename_setup_no_cleanup(request, ldap_conn, cleanup_ent_list)
-+
-+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
-+ create_conf_fixture(request, conf)
-+ create_sssd_fixture(request)
-+ return None
-+
-+
-+@pytest.fixture
-+def rename_setup_with_name(request, ldap_conn):
-+ rename_setup_no_cleanup(request, ldap_conn)
-+
-+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
-+ unindent("""
-+ [nss]
-+ [domain/LDAP]
-+ ldap_group_name = name
-+ timeout = 3000
-+ """).format(**locals())
-+ create_conf_fixture(request, conf)
-+ create_sssd_fixture(request)
-+ return None
-+
-+
-+def test_rename_incomplete_group_same_dn(ldap_conn, rename_setup_with_name):
-+ """
-+ Test that if a group's name attribute changes, but the DN stays the same,
-+ the incomplete group object will be renamed.
-+
-+ Because the RDN attribute must be present in the entry, we add another
-+ attribute "name" that is purposefully different from the CN and make
-+ sure the group names are reflected in name
-+
-+ Regression test for https://pagure.io/SSSD/sssd/issue/3282
-+ """
-+ pvt_dn1 = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
-+ pvt_dn2 = 'cn=user2_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
-+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
-+
-+ # Add the name we want for both private and secondary group
-+ old = {'name': []}
-+ new = {'name': [b"user1_group1"]}
-+ ldif = ldap.modlist.modifyModlist(old, new)
-+ ldap_conn.modify_s(group1_dn, ldif)
-+
-+ new = {'name': [b"pvt_user1"]}
-+ ldif = ldap.modlist.modifyModlist(old, new)
-+ ldap_conn.modify_s(pvt_dn1, ldif)
-+
-+ new = {'name': [b"pvt_user2"]}
-+ ldif = ldap.modlist.modifyModlist(old, new)
-+ ldap_conn.modify_s(pvt_dn2, ldif)
-+
-+ # Make sure the old name shows up in the id output
-+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
-+ assert res == sssd_id.NssReturnCode.SUCCESS, \
-+ "Could not find groups for user1, %d" % errno
-+
-+ assert sorted(grp_list) == sorted(["pvt_user1", "user1_group1"])
-+
-+ # Rename the group by changing the cn attribute, but keep the DN the same
-+ old = {'name': [b"user1_group1"]}
-+ new = {'name': [b"new_user1_group1"]}
-+ ldif = ldap.modlist.modifyModlist(old, new)
-+ ldap_conn.modify_s(group1_dn, ldif)
-+
-+ (res, errno, grp_list) = sssd_id.get_user_groups("user2")
-+ assert res == sssd_id.NssReturnCode.SUCCESS, \
-+ "Could not find groups for user2, %d" % errno
-+
-+ assert sorted(grp_list) == sorted(["pvt_user2", "new_user1_group1"])
-+
-+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
-+ assert res == sssd_id.NssReturnCode.SUCCESS, \
-+ "Could not find groups for user1, %d" % errno
-+
-+ assert sorted(grp_list) == sorted(["pvt_user1", "new_user1_group1"])
-+
-+
-+def test_rename_incomplete_group_rdn_changed(ldap_conn, rename_setup_cleanup):
-+ """
-+ Test that if a group's name attribute changes, and the DN changes with
-+ the RDN. Then adding the second group will fail because we can't tell if
-+ there are two duplicate groups in LDAP when saving the group or if the
-+ group was renamed.
-+
-+ Please note that with many directories (AD, IPA), the code can rely on
-+ other heuristics (SID, UUID) to find out the group is in fact the same.
-+
-+ Regression test for https://pagure.io/SSSD/sssd/issue/3282
-+ """
-+ pvt_dn = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn
-+ group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
-+
-+ # Make sure the old name shows up in the id output
-+ (res, errno, grp_list) = sssd_id.get_user_groups("user1")
-+ assert res == sssd_id.NssReturnCode.SUCCESS, \
-+ "Could not find groups for user1, %d" % errno
-+
-+ assert sorted(grp_list) == sorted(["user1_private", "group1"])
-+
-+ # Rename the groups, changing the RDN
-+ ldap_conn.rename_s(group1_dn, "cn=new_group1")
-+ ldap_conn.rename_s(pvt_dn, "cn=new_user1_private")
-+
-+ (res, errno, grp_list) = sssd_id.get_user_groups("user2")
-+ assert res == sssd_id.NssReturnCode.SUCCESS, \
-+ "Could not find groups for user2, %d" % errno
-+
-+ # The initgroups succeeds, but because saving the new group fails,
-+ # SSSD will revert to the cache contents and return what's in the cache
-+ assert sorted(grp_list) == sorted(["user2_private", "group1"])
---
-2.14.3
-
diff --git a/0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch b/0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
deleted file mode 100644
index b314815..0000000
--- a/0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 0a367914b87ef56dd4d5d56778e5770d1201f255 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 16 Apr 2018 20:29:28 +0200
-Subject: [PATCH] SYSDB: sysdb_add_incomplete_group now returns EEXIST with a
- duplicate GID
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Related:
-https://pagure.io/SSSD/sssd/issue/2653
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit ba2d5f7a0adefb017d3f85203d715b725ca8810f)
----
- src/db/sysdb_ops.c | 13 ++++++++++---
- src/tests/sysdb-tests.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
- 2 files changed, 56 insertions(+), 4 deletions(-)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index de4fdb592..93b967e75 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -2398,10 +2398,17 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
- same = strcmp(previous, values[i]) == 0;
- }
- }
-- }
-
-- if (same) {
-- ret = ERR_GID_DUPLICATED;
-+ if (same == true) {
-+ DEBUG(SSSDBG_TRACE_LIBS,
-+ "The group with GID [%"SPRIgid"] was renamed\n", gid);
-+ ret = ERR_GID_DUPLICATED;
-+ goto done;
-+ }
-+
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Another group with GID [%"SPRIgid"] already exists\n", gid);
-+ ret = EEXIST;
- goto done;
- }
-
-diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
-index 32b8ca856..416dedb5e 100644
---- a/src/tests/sysdb-tests.c
-+++ b/src/tests/sysdb-tests.c
-@@ -989,6 +989,50 @@ START_TEST (test_sysdb_add_incomplete_group)
- }
- END_TEST
-
-+START_TEST (test_sysdb_incomplete_group_rename)
-+{
-+ struct sysdb_test_ctx *test_ctx;
-+ int ret;
-+
-+ ret = setup_sysdb_tests(&test_ctx);
-+ if (ret != EOK) {
-+ fail("Could not set up the test");
-+ return;
-+ }
-+
-+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group",
-+ 20000, NULL,
-+ "S-1-5-21-123-456-789-111",
-+ NULL, true, 0);
-+ fail_unless(ret == EOK,
-+ "sysdb_add_incomplete_group error [%d][%s]",
-+ ret, strerror(ret));
-+
-+ /* Adding a group with the same GID and all the other characteristics uknown should fail */
-+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
-+ 20000, NULL, NULL, NULL, true, 0);
-+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
-+
-+ /* A different SID should also trigger a failure */
-+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
-+ 20000, NULL,
-+ "S-1-5-21-123-456-789-222",
-+ NULL, true, 0);
-+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
-+
-+ /* But if we know based on a SID that the group is in fact the same,
-+ * let's just change its name
-+ */
-+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
-+ 20000, NULL,
-+ "S-1-5-21-123-456-789-111",
-+ NULL, true, 0);
-+ fail_unless(ret == ERR_GID_DUPLICATED,
-+ "Did not catch a legitimate rename",
-+ ret, strerror(ret));
-+}
-+END_TEST
-+
- START_TEST (test_sysdb_getpwnam)
- {
- struct sysdb_test_ctx *test_ctx;
-@@ -5526,7 +5570,7 @@ START_TEST(test_sysdb_search_sid_str)
- ret = setup_sysdb_tests(&test_ctx);
- fail_if(ret != EOK, "Could not set up the test");
-
-- data = test_data_new_group(test_ctx, 2900);
-+ data = test_data_new_group(test_ctx, 2902);
- fail_if(data == NULL);
- data->sid_str = "S-1-2-3-4";
-
-@@ -7166,6 +7210,7 @@ Suite *create_sysdb_suite(void)
- tcase_add_loop_test(tc_sysdb,
- test_sysdb_remove_local_group_by_gid,
- 28000, 28010);
-+ tcase_add_test(tc_sysdb, test_sysdb_incomplete_group_rename);
-
- /* test custom operations */
- tcase_add_loop_test(tc_sysdb, test_sysdb_store_custom, 29010, 29020);
---
-2.14.3
-
diff --git a/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch b/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
deleted file mode 100644
index 028814b..0000000
--- a/0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 549a960554f44e79d74c65d9f889ccaef497b11d Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Thu, 19 Apr 2018 09:38:47 +0200
-Subject: [PATCH] MAN: Document which principal does the AD provider use
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Administrators are often confused by the difference between what
-principal is used to authenticate to AD. Let's document that.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 91d1e4c134b7c90abd2ff86b313175c542cd834c)
----
- src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
-index c41b454f8..818a2bf78 100644
---- a/src/man/include/ad_modified_defaults.xml
-+++ b/src/man/include/ad_modified_defaults.xml
-@@ -58,6 +58,22 @@
- ldap_use_tokengroups = true
- </para>
- </listitem>
-+ <listitem>
-+ <para>
-+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
-+ </para>
-+ <para>
-+ The AD provider looks for a different principal than the
-+ LDAP provider by default, because in an Active Directory
-+ environment the principals are divided into two groups
-+ - User Principals and Service Principals. Only User
-+ Principal can be used to obtain a TGT and by default,
-+ computer object's principal is constructed from
-+ its sAMAccountName and the AD realm. The well-known
-+ host/hostname@REALM principal is a Service Principal
-+ and thus cannot be used to get a TGT with.
-+ </para>
-+ </listitem>
- </itemizedlist>
- </refsect2>
- </refsect1>
---
-2.14.3
-
diff --git a/0047-GPO-Fix-bug-with-empty-GPO-rules.patch b/0047-GPO-Fix-bug-with-empty-GPO-rules.patch
deleted file mode 100644
index 331cf5a..0000000
--- a/0047-GPO-Fix-bug-with-empty-GPO-rules.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
-Date: Wed, 11 Apr 2018 18:56:53 +0200
-Subject: [PATCH] GPO: Fix bug with empty GPO rules
-
-When two or more GPO rules were defined on the server
-and one of them contained no SIDs (no users or groups
-were specified), then SSSD failed to store such rule
-and users were denied access (system error).
-
-This patch changes the behavior so that in case
-there are no SIDs in the rule a special value is
-stored with the rule to indicate that the rule
-was actually specified, but this value will not
-match any real SID (because the rule should be
-empty).
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3680
-
-Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450)
----
- src/providers/ad/ad_gpo.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index a48f264c7..ae3329b90 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
- int i;
- char *allow_value = NULL;
- char *deny_value = NULL;
-+ const char *empty_val = "NO_SID";
- const char *allow_key = NULL;
- const char *deny_key = NULL;
- TALLOC_CTX *tmp_ctx = NULL;
-@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
- }
-
- for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
--
-+ /* The NO_SID val is used as special SID value for the case when
-+ * no SIDs are found in the rule, but we need to store some
-+ * value (SID) with the key (rule name) so that it is clear
-+ * that the rule is defined on the server. */
- struct gpo_map_option_entry entry = gpo_map_option_entries[i];
-
- allow_key = entry.allow_key;
-@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
- allow_key, ret, sss_strerror(ret));
- goto done;
- } else if (ret != ENOENT) {
-+ const char *value = allow_value ? allow_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- allow_key,
-- allow_value);
-+ value);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
-@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
- deny_key, ret, sss_strerror(ret));
- goto done;
- } else if (ret != ENOENT) {
-+ const char *value = deny_value ? deny_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- deny_key,
-- deny_value);
-+ value);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
---
-2.14.3
-
diff --git a/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch b/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch
deleted file mode 100644
index 797bfa8..0000000
--- a/0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 8c86f78e41bdb0fa4d77ffaffd13e602b77cdf2f Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Wed, 4 Apr 2018 14:18:10 +0200
-Subject: [PATCH] FILES: Do not overwrite and actually remove
- files_ctx.{pwd,grp}_watch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The snotify_ctx structures were unused, are completely opaque (their
-only value is that if they are freed, the watches disappear which
-the files provider never does).
-
-And moreover, since the patches to support multiple files, the watches
-were overwritten with subsequent assignments.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit d69e1da370fa33c5085b31eb6302a30d81817534)
----
- src/providers/files/files_ops.c | 35 +++++++++++++++++++++++------------
- 1 file changed, 23 insertions(+), 12 deletions(-)
-
-diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
-index a2a2798d3..95c4d2a06 100644
---- a/src/providers/files/files_ops.c
-+++ b/src/providers/files/files_ops.c
-@@ -36,9 +36,6 @@
- #define GRP_MAXSIZE 2048
-
- struct files_ctx {
-- struct snotify_ctx *pwd_watch;
-- struct snotify_ctx *grp_watch;
--
- struct files_ops_ctx *ops;
- };
-
-@@ -957,6 +954,7 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
- struct files_ctx *fctx;
- struct tevent_immediate *imm;
- int i;
-+ struct snotify_ctx *snctx;
-
- fctx = talloc(mem_ctx, struct files_ctx);
- if (fctx == NULL) {
-@@ -964,18 +962,31 @@ struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
- }
-
- for (i = 0; passwd_files[i]; i++) {
-- fctx->pwd_watch = sf_setup_watch(fctx, ev, passwd_files[i],
-- sf_passwd_cb, id_ctx);
-+ snctx = sf_setup_watch(fctx, ev, passwd_files[i],
-+ sf_passwd_cb, id_ctx);
-+ if (snctx == NULL) {
-+ DEBUG(SSSDBG_FATAL_FAILURE,
-+ "Cannot set watch for passwd file %s\n", passwd_files[i]);
-+ /* Rather than reporting incomplete or inconsistent information
-+ * in case e.g. group memberships span multiple files, just abort
-+ */
-+ talloc_free(fctx);
-+ return NULL;
- }
--
-- for (i = 0; group_files[i]; i++) {
-- fctx->grp_watch = sf_setup_watch(fctx, ev, group_files[i],
-- sf_group_cb, id_ctx);
- }
-
-- if (fctx->pwd_watch == NULL || fctx->grp_watch == NULL) {
-- talloc_free(fctx);
-- return NULL;
-+ for (i = 0; group_files[i]; i++) {
-+ snctx = sf_setup_watch(fctx, ev, group_files[i],
-+ sf_group_cb, id_ctx);
-+ if (snctx == NULL) {
-+ DEBUG(SSSDBG_FATAL_FAILURE,
-+ "Cannot set watch for group file %s\n", group_files[i]);
-+ /* Rather than reporting incomplete or inconsistent information
-+ * in case e.g. group memberships span multiple files, just abort
-+ */
-+ talloc_free(fctx);
-+ return NULL;
-+ }
- }
-
- /* Enumerate users and groups on startup to process any changes when
---
-2.14.3
-
diff --git a/0049-FILES-Reduce-code-duplication.patch b/0049-FILES-Reduce-code-duplication.patch
deleted file mode 100644
index ef0a2e8..0000000
--- a/0049-FILES-Reduce-code-duplication.patch
+++ /dev/null
@@ -1,310 +0,0 @@
-From 601e30e9d6e7c0da2e1648dc2d9bc37bddf512d8 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 17 Apr 2018 14:22:39 +0200
-Subject: [PATCH] FILES: Reduce code duplication
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 1f8bfb6975becda07ff29f557f82b6ac1eaa0be9)
----
- src/providers/files/files_ops.c | 213 +++++++++++++++-------------------------
- 1 file changed, 81 insertions(+), 132 deletions(-)
-
-diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
-index 95c4d2a06..370af1274 100644
---- a/src/providers/files/files_ops.c
-+++ b/src/providers/files/files_ops.c
-@@ -35,6 +35,10 @@
- #define PWD_MAXSIZE 1024
- #define GRP_MAXSIZE 2048
-
-+#define SF_UPDATE_PASSWD 1<<0
-+#define SF_UPDATE_GROUP 1<<1
-+#define SF_UPDATE_BOTH (SF_UPDATE_PASSWD | SF_UPDATE_GROUP)
-+
- struct files_ctx {
- struct files_ops_ctx *ops;
- };
-@@ -708,6 +712,70 @@ done:
- return ret;
- }
-
-+static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
-+ uint8_t flags)
-+{
-+ errno_t ret;
-+ errno_t tret;
-+ bool in_transaction = false;
-+
-+ ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ in_transaction = true;
-+
-+ if (flags & SF_UPDATE_PASSWD) {
-+ ret = delete_all_users(id_ctx->domain);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ /* All users were deleted, therefore we need to enumerate each file again */
-+ for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
-+ ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
-+ goto done;
-+ }
-+ }
-+ }
-+
-+ if (flags & SF_UPDATE_GROUP) {
-+ ret = delete_all_groups(id_ctx->domain);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
-+ /* All groups were deleted, therefore we need to enumerate each file again */
-+ for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
-+ ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
-+ goto done;
-+ }
-+ }
-+ }
-+
-+ ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+ in_transaction = false;
-+
-+ ret = EOK;
-+done:
-+ if (in_transaction) {
-+ tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-+ if (tret != EOK) {
-+ DEBUG(SSSDBG_CRIT_FAILURE,
-+ "Cannot cancel transaction: %d\n", ret);
-+ }
-+ }
-+
-+ return ret;
-+}
-+
- static void sf_cb_done(struct files_id_ctx *id_ctx)
- {
- /* Only activate a domain when both callbacks are done */
-@@ -722,8 +790,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
- {
- struct files_id_ctx *id_ctx;
- errno_t ret;
-- errno_t tret;
-- bool in_transaction = false;
-
- id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- if (id_ctx == NULL) {
-@@ -740,49 +806,17 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
- dp_sbus_reset_users_memcache(id_ctx->be->provider);
- dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
-
-- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = true;
--
-- ret = delete_all_users(id_ctx->domain);
-- if (ret != EOK) {
-- goto done;
-- }
--
-- /* All users were deleted, therefore we need to enumerate each file again */
-- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
-- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
-- goto done;
-- }
-- }
--
-- /* Covers the case when someone edits /etc/group, adds a group member and
-+ /* Using SF_UDPATE_BOTH here the case when someone edits /etc/group, adds a group member and
- * only then edits passwd and adds the user. The reverse is not needed,
- * because member/memberof links are established when groups are saved.
- */
-- ret = delete_all_groups(id_ctx->domain);
-- if (ret != EOK) {
-- goto done;
-- }
--
-- /* All groups were deleted, therefore we need to enumerate each file again */
-- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
-- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
-- goto done;
-- }
-- }
--
-- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH);
- if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Could not update files: [%d]: %s\n",
-+ ret, sss_strerror(ret));
- goto done;
- }
-- in_transaction = false;
-
- id_ctx->updating_passwd = false;
- sf_cb_done(id_ctx);
-@@ -790,14 +824,6 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
-
- ret = EOK;
- done:
-- if (in_transaction) {
-- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-- if (tret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot cancel transaction: %d\n", ret);
-- }
-- }
--
- return ret;
- }
-
-@@ -805,8 +831,6 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
- {
- struct files_id_ctx *id_ctx;
- errno_t ret;
-- errno_t tret;
-- bool in_transaction = false;
-
- id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- if (id_ctx == NULL) {
-@@ -823,47 +847,20 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
- dp_sbus_reset_groups_memcache(id_ctx->be->provider);
- dp_sbus_reset_initgr_memcache(id_ctx->be->provider);
-
-- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = true;
--
-- ret = delete_all_groups(id_ctx->domain);
-- if (ret != EOK) {
-- goto done;
-- }
--
-- /* All groups were deleted, therefore we need to enumerate each file again */
-- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
-- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
-- goto done;
-- }
-- }
--
-- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-+ ret = sf_enum_files(id_ctx, SF_UPDATE_GROUP);
- if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Could not update files: [%d]: %s\n",
-+ ret, sss_strerror(ret));
- goto done;
- }
-- in_transaction = false;
-
- id_ctx->updating_groups = false;
- sf_cb_done(id_ctx);
- files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
-
- ret = EOK;
--
- done:
-- if (in_transaction) {
-- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-- if (tret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot cancel transaction: %d\n", ret);
-- }
-- }
--
- return ret;
- }
-
-@@ -873,62 +870,14 @@ static void startup_enum_files(struct tevent_context *ev,
- {
- struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- errno_t ret;
-- errno_t tret;
-- bool in_transaction = false;
-
- talloc_zfree(imm);
-
-- ret = sysdb_transaction_start(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = true;
--
-- ret = delete_all_users(id_ctx->domain);
-- if (ret != EOK) {
-- goto done;
-- }
--
-- ret = delete_all_groups(id_ctx->domain);
-+ ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH);
- if (ret != EOK) {
-- goto done;
-- }
--
-- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
-- DEBUG(SSSDBG_TRACE_FUNC,
-- "Startup user enumeration of [%s]\n", id_ctx->passwd_files[i]);
-- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Enumerating users failed, data might be inconsistent!\n");
-- goto done;
-- }
-- }
--
-- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
-- DEBUG(SSSDBG_TRACE_FUNC,
-- "Startup group enumeration of [%s]\n", id_ctx->group_files[i]);
-- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Enumerating groups failed, data might be inconsistent!\n");
-- goto done;
-- }
-- }
--
-- ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
-- if (ret != EOK) {
-- goto done;
-- }
-- in_transaction = false;
--
--done:
-- if (in_transaction) {
-- tret = sysdb_transaction_cancel(id_ctx->domain->sysdb);
-- if (tret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Cannot cancel transaction: %d\n", ret);
-- }
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Could not update files after startup: [%d]: %s\n",
-+ ret, sss_strerror(ret));
- }
- }
-
---
-2.14.3
-
diff --git a/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch b/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
deleted file mode 100644
index acf6488..0000000
--- a/0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 12876995fe664ac05149fa5d843836aed5ce33e9 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 17 Apr 2018 14:38:03 +0200
-Subject: [PATCH] FILES: Reset the domain status back even on errors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The block that resets the domain status was only called on success, so
-on error, the domain would have been permanently stuck in an
-inconsistent state.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 81f16996c980a75e98538c7dd91baf9e0e635f58)
----
- src/providers/files/files_ops.c | 16 ++++++----------
- 1 file changed, 6 insertions(+), 10 deletions(-)
-
-diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
-index 370af1274..b91078417 100644
---- a/src/providers/files/files_ops.c
-+++ b/src/providers/files/files_ops.c
-@@ -793,8 +793,7 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
-
- id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- if (id_ctx == NULL) {
-- ret = EINVAL;
-- goto done;
-+ return EINVAL;
- }
-
- DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n");
-@@ -818,12 +817,11 @@ static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt)
- goto done;
- }
-
-+ ret = EOK;
-+done:
- id_ctx->updating_passwd = false;
- sf_cb_done(id_ctx);
- files_account_info_finished(id_ctx, BE_REQ_USER, ret);
--
-- ret = EOK;
--done:
- return ret;
- }
-
-@@ -834,8 +832,7 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
-
- id_ctx = talloc_get_type(pvt, struct files_id_ctx);
- if (id_ctx == NULL) {
-- ret = EINVAL;
-- goto done;
-+ return EINVAL;
- }
-
- DEBUG(SSSDBG_TRACE_FUNC, "group notification\n");
-@@ -855,12 +852,11 @@ static int sf_group_cb(const char *filename, uint32_t flags, void *pvt)
- goto done;
- }
-
-+ ret = EOK;
-+done:
- id_ctx->updating_groups = false;
- sf_cb_done(id_ctx);
- files_account_info_finished(id_ctx, BE_REQ_GROUP, ret);
--
-- ret = EOK;
--done:
- return ret;
- }
-
---
-2.14.3
-
diff --git a/0051-FILES-Skip-files-that-are-not-created-yet.patch b/0051-FILES-Skip-files-that-are-not-created-yet.patch
deleted file mode 100644
index 5cfa708..0000000
--- a/0051-FILES-Skip-files-that-are-not-created-yet.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 7703a7efe1ed4800a7676cfaac9bd00fec7de1c4 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Wed, 4 Apr 2018 14:13:56 +0200
-Subject: [PATCH] FILES: Skip files that are not created yet
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In order to avoid complex ordering logic, even if one file is updated,
-we flush all the entries. In theory, we could only flush the individual
-file and all the files preceding it, but it's safer to just create a
-complete mirror every time.
-
-And this can be problematic if one of the files we try to update is not
-created yet during the update. This can happen e.g. when a file is not
-created during early boot.
-
-To solve this, try to be very defensive and always flush the whole
-database, ignore ENOENT errors, but abort on all other errors.
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit c1bce7da6c33b352dc708a5dd9712a4d96c63057)
----
- src/providers/files/files_ops.c | 22 ++++++++++---
- src/tests/intg/test_files_provider.py | 60 +++++++++++++++++++++++++++++++++++
- 2 files changed, 78 insertions(+), 4 deletions(-)
-
-diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
-index b91078417..f5a40297a 100644
---- a/src/providers/files/files_ops.c
-+++ b/src/providers/files/files_ops.c
-@@ -734,8 +734,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
- /* All users were deleted, therefore we need to enumerate each file again */
- for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) {
- ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate users\n");
-+ if (ret == ENOENT) {
-+ DEBUG(SSSDBG_MINOR_FAILURE,
-+ "The file %s does not exist (yet), skipping\n",
-+ id_ctx->passwd_files[i]);
-+ continue;
-+ } else if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Cannot enumerate users from %s, aborting\n",
-+ id_ctx->passwd_files[i]);
- goto done;
- }
- }
-@@ -750,8 +757,15 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
- /* All groups were deleted, therefore we need to enumerate each file again */
- for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) {
- ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]);
-- if (ret != EOK) {
-- DEBUG(SSSDBG_OP_FAILURE, "Cannot enumerate groups\n");
-+ if (ret == ENOENT) {
-+ DEBUG(SSSDBG_MINOR_FAILURE,
-+ "The file %s does not exist (yet), skipping\n",
-+ id_ctx->group_files[i]);
-+ continue;
-+ } else if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Cannot enumerate groups from %s, aborting\n",
-+ id_ctx->group_files[i]);
- goto done;
- }
- }
-diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
-index ce5c7b774..cc9c1f1c7 100644
---- a/src/tests/intg/test_files_provider.py
-+++ b/src/tests/intg/test_files_provider.py
-@@ -187,6 +187,40 @@ def files_multiple_sources(request):
- return alt_pwops, alt_grops
-
-
-+@pytest.fixture
-+def files_multiple_sources_nocreate(request):
-+ """
-+ Sets up SSSD with multiple sources, but does not actually create
-+ the files.
-+ """
-+ alt_passwd_path = tempfile.mktemp(prefix='altpasswd')
-+ request.addfinalizer(lambda: os.unlink(alt_passwd_path))
-+
-+ alt_group_path = tempfile.mktemp(prefix='altgroup')
-+ request.addfinalizer(lambda: os.unlink(alt_group_path))
-+
-+ passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path])
-+ group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path])
-+
-+ conf = unindent("""\
-+ [sssd]
-+ domains = files
-+ services = nss
-+
-+ [nss]
-+ debug_level = 10
-+
-+ [domain/files]
-+ id_provider = files
-+ passwd_files = {passwd_list}
-+ group_files = {group_list}
-+ debug_level = 10
-+ """).format(**locals())
-+ create_conf_fixture(request, conf)
-+ create_sssd_fixture(request)
-+ return alt_passwd_path, alt_group_path
-+
-+
- @pytest.fixture
- def proxy_to_files_domain_only(request):
- conf = unindent("""\
-@@ -1113,3 +1147,29 @@ def test_multiple_passwd_group_files(add_user_with_canary,
-
- check_group(GROUP1)
- check_group(ALT_GROUP1)
-+
-+
-+def test_multiple_files_created_after_startup(add_user_with_canary,
-+ add_group_with_canary,
-+ files_multiple_sources_nocreate):
-+ """
-+ Test that users and groups can be mirrored from multiple files,
-+ but those files are not created when SSSD starts, only afterwards.
-+ """
-+ alt_passwd_path, alt_group_path = files_multiple_sources_nocreate
-+
-+ check_user(USER1)
-+ check_group(GROUP1)
-+
-+ # touch the files
-+ for fpath in (alt_passwd_path, alt_group_path):
-+ with open(fpath, "w") as f:
-+ pass
-+
-+ alt_pwops = PasswdOps(alt_passwd_path)
-+ alt_grops = GroupOps(alt_group_path)
-+ alt_pwops.useradd(**ALT_USER1)
-+ alt_grops.groupadd(**ALT_GROUP1)
-+
-+ check_user(ALT_USER1)
-+ check_group(ALT_GROUP1)
---
-2.14.3
-
diff --git a/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch b/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch
deleted file mode 100644
index e99d8a6..0000000
--- a/0052-FILES-Only-send-the-request-for-update-if-the-files-.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From faba3074869b069a64a66844385cf170f149be4f Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 17 Apr 2018 12:32:11 +0200
-Subject: [PATCH] FILES: Only send the request for update if the files domain
- is inconsistent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3520
-
-The code was probably commented out as a mistake..
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit 77d63f561830c15341b2ffe915a4c86b3c0f88a3)
----
- src/responder/common/responder_dp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
-index 8cc734813..9669b5fee 100644
---- a/src/responder/common/responder_dp.c
-+++ b/src/responder/common/responder_dp.c
-@@ -598,11 +598,11 @@ static int sss_dp_account_files_params(struct sss_domain_info *dom,
- enum sss_dp_acct_type *_type_out,
- const char **_opt_name_out)
- {
--#if 0
- if (sss_domain_get_state(dom) != DOM_INCONSISTENT) {
-+ DEBUG(SSSDBG_TRACE_INTERNAL,
-+ "The entries in the files domain are up-to-date\n");
- return EOK;
- }
--#endif
-
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Domain files is not consistent, issuing update\n");
---
-2.14.3
-
diff --git a/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch b/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch
deleted file mode 100644
index d49546b..0000000
--- a/0053-TESTS-simple-CA-to-generate-certificates-for-test.patch
+++ /dev/null
@@ -1,551 +0,0 @@
-From 0e53e397599da4b5d86121f6ee3de50c0389783e Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 14 Feb 2019 18:35:40 +0100
-Subject: [PATCH] TESTS: simple CA to generate certificates for test
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-To avoid issue with certificate lifetimes a simple OpenSSL based CA is
-used to generate certificates for tests.
-
-To make management easy all related data is kept in
-src/tests/test_CA. Since some header files will be generated the
-generation of the needed files is added to BUILT_SOURCES as other
-generated code.
-
-Related to https://pagure.io/SSSD/sssd/issue/3436
-
-Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-(cherry picked from commit 19f5dd0b8dc4eff3373a0ac9ea17c2440628fd4c)
----
- Makefile.am | 15 ++-
- configure.ac | 4 +-
- contrib/sssd.spec.in | 8 ++
- src/external/test_ca.m4 | 42 +++++++++
- src/tests/test_CA/Makefile.am | 93 +++++++++++++++++++
- src/tests/test_CA/README | 26 ++++++
- src/tests/test_CA/SSSD_test_CA.config | 47 ++++++++++
- src/tests/test_CA/SSSD_test_CA_key.pem | 52 +++++++++++
- src/tests/test_CA/SSSD_test_cert_0001.config | 20 ++++
- src/tests/test_CA/SSSD_test_cert_0002.config | 19 ++++
- src/tests/test_CA/SSSD_test_cert_key_0001.pem | 28 ++++++
- src/tests/test_CA/SSSD_test_cert_key_0002.pem | 28 ++++++
- 12 files changed, 380 insertions(+), 2 deletions(-)
- create mode 100644 src/external/test_ca.m4
- create mode 100644 src/tests/test_CA/Makefile.am
- create mode 100644 src/tests/test_CA/README
- create mode 100644 src/tests/test_CA/SSSD_test_CA.config
- create mode 100644 src/tests/test_CA/SSSD_test_CA_key.pem
- create mode 100644 src/tests/test_CA/SSSD_test_cert_0001.config
- create mode 100644 src/tests/test_CA/SSSD_test_cert_0002.config
- create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0001.pem
- create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0002.pem
-
-diff --git a/Makefile.am b/Makefile.am
-index d52fe0670..d9477cb64 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -21,7 +21,7 @@ if HAVE_MANPAGES
- SUBDIRS += src/man
- endif
-
--SUBDIRS += . src/tests/cwrap src/tests/intg
-+SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA
-
- # Some old versions of automake don't define builddir
- builddir ?= .
-@@ -2411,6 +2411,7 @@ pam_srv_tests_SOURCES = \
- $(NULL)
- pam_srv_tests_CFLAGS = \
- -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
-+ -I$(abs_builddir)/src \
- $(AM_CFLAGS) \
- $(NULL)
- pam_srv_tests_LDFLAGS = \
-@@ -3286,6 +3287,7 @@ test_cert_utils_SOURCES = \
- $(NULL)
- test_cert_utils_CFLAGS = \
- $(AM_CFLAGS) \
-+ -I$(abs_builddir)/src \
- $(CRYPTO_CFLAGS) \
- $(NULL)
- test_cert_utils_LDADD = \
-@@ -4975,6 +4977,17 @@ endif
-
- CLEANFILES += *.X */*.X */*/*.X
-
-+test_CA: test_CA.stamp
-+
-+test_CA.stamp: $(srcdir)/src/tests/test_CA/*
-+ $(MAKE) -C src/tests/test_CA ca_all
-+ touch $@
-+
-+if BUILD_TEST_CA
-+BUILT_SOURCES += test_CA
-+endif
-+CLEANFILES += test_CA.stamp
-+
- tests: all $(check_PROGRAMS)
- (cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1;
-
-diff --git a/configure.ac b/configure.ac
-index 69deb811e..725c28f52 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -208,6 +208,7 @@ m4_include([src/external/libresolv.m4])
- m4_include([src/external/intgcheck.m4])
- m4_include([src/external/systemtap.m4])
- m4_include([src/external/service.m4])
-+m4_include([src/external/test_ca.m4])
-
- if test x$with_secrets = xyes; then
- m4_include([src/external/libhttp_parser.m4])
-@@ -483,6 +484,7 @@ AM_CONDITIONAL([HAVE_CHECK], [test x$have_check != x])
- AM_CHECK_CMOCKA
- AM_CHECK_UID_WRAPPER
- AM_CHECK_NSS_WRAPPER
-+AM_CHECK_TEST_CA
-
- # Check if the user wants SSSD to be compiled with systemtap probes
- AM_CHECK_SYSTEMTAP
-@@ -506,7 +508,7 @@ AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config
- contrib/sssd-pcsc.rules
- src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd
- po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile
-- src/tests/intg/Makefile
-+ src/tests/intg/Makefile src/tests/test_CA/Makefile
- src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy
- src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy
- src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy
-diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
-index f69f192fe..25314596b 100644
---- a/contrib/sssd.spec.in
-+++ b/contrib/sssd.spec.in
-@@ -209,6 +209,14 @@ BuildRequires: selinux-policy-targeted
- BuildRequires: libcmocka-devel >= 1.0.0
- BuildRequires: uid_wrapper
- BuildRequires: nss_wrapper
-+
-+# Test CA requires openssl independent if SSSD is build with NSS or openssl,
-+# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
-+# Currently only cmocka based tests use the test CA. If it is used elsewhere
-+# you might want to move the following requires out of the if-block.
-+BuildRequires: openssl
-+BuildRequires: openssh
-+BuildRequires: nss-tools
- %endif
- BuildRequires: libnl3-devel
- %if (0%{?use_systemd} == 1)
-diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
-new file mode 100644
-index 000000000..eb624acf3
---- /dev/null
-+++ b/src/external/test_ca.m4
-@@ -0,0 +1,42 @@
-+dnl Check for tools needed to run the test CA
-+AC_DEFUN([AM_CHECK_TEST_CA],
-+[
-+ AC_PATH_PROG([OPENSSL], [openssl])
-+ if test ! -x "$OPENSSL"; then
-+ AC_MSG_NOTICE([Could not find openssl])
-+ fi
-+
-+ AC_PATH_PROG([SSH_KEYGEN], [ssh-keygen])
-+ if test ! -x "$SSH_KEYGEN"; then
-+ AC_MSG_NOTICE([Could not find ssh-keygen])
-+ else
-+ AC_MSG_CHECKING([for -m option of ssh-keygen])
-+ if AC_RUN_LOG([$SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null]); then
-+ AC_MSG_RESULT([yes])
-+ else
-+ SSH_KEYGEN=""
-+ AC_MSG_RESULT([no])
-+ fi
-+ fi
-+
-+ if test x$cryptolib = xnss; then
-+ AC_PATH_PROG([CERTUTIL], [certutil])
-+ if test ! -x "$CERTUTIL"; then
-+ AC_MSG_NOTICE([Could not find certutil])
-+ fi
-+
-+ AC_PATH_PROG([PK12UTIL], [pk12util])
-+ if test ! -x "$PK12UTIL"; then
-+ AC_MSG_NOTICE([Could not find pk12util])
-+ fi
-+
-+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"])
-+ else
-+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN"])
-+ fi
-+
-+ AM_COND_IF([BUILD_TEST_CA],
-+ [AC_DEFINE_UNQUOTED(HAVE_TEST_CA, 1,
-+ [Build with certificates from test CA])],
-+ [AC_MSG_WARN([Test CA cannot be build, skiping some tests])])
-+])
-diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
-new file mode 100644
-index 000000000..a23a3feef
---- /dev/null
-+++ b/src/tests/test_CA/Makefile.am
-@@ -0,0 +1,93 @@
-+dist_noinst_DATA = \
-+ SSSD_test_CA.config \
-+ SSSD_test_CA_key.pem \
-+ SSSD_test_cert_0001.config \
-+ SSSD_test_cert_0002.config \
-+ SSSD_test_cert_key_0001.pem \
-+ SSSD_test_cert_key_0002.pem \
-+ $(NULL)
-+
-+openssl_ca_config = $(srcdir)/SSSD_test_CA.config
-+openssl_ca_key = $(srcdir)/SSSD_test_CA_key.pem
-+pwdfile = pwdfile
-+
-+configs := $(notdir $(wildcard $(srcdir)/SSSD_test_cert_*.config))
-+ids := $(subst SSSD_test_cert_,,$(basename $(configs)))
-+certs = $(addprefix SSSD_test_cert_x509_,$(addsuffix .pem,$(ids)))
-+certs_h = $(addprefix SSSD_test_cert_x509_,$(addsuffix .h,$(ids)))
-+pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids)))
-+pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids)))
-+pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids)))
-+
-+if HAVE_NSS
-+nssdb = p11_nssdb p11_nssdb_2certs
-+endif
-+
-+# If openssl is run in parallel there might be conflicts with the serial
-+.NOTPARALLEL:
-+
-+ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(nssdb)
-+
-+$(pwdfile):
-+ @echo "12345678" > $@
-+
-+SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial
-+ $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@
-+
-+
-+SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config
-+ $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_$*.config -out $@
-+
-+SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem
-+ $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@
-+
-+SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile)
-+ $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@
-+
-+SSSD_test_cert_pubkey_%.pem: SSSD_test_cert_x509_%.pem
-+ $(OPENSSL) x509 -in $< -pubkey -noout > $@
-+
-+SSSD_test_cert_pubsshkey_%.pub: SSSD_test_cert_pubkey_%.pem
-+ $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@
-+
-+SSSD_test_cert_x509_%.h: SSSD_test_cert_x509_%.pem
-+ @echo "#define SSSD_TEST_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@
-+
-+SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub
-+ @echo "#define SSSD_TEST_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@
-+
-+# This nss db is used in
-+# - src/tests/cmocka/test_cert_utils.c (validation only)
-+# - src/tests/cmocka/test_pam_srv.c
-+p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile)
-+ mkdir $@
-+ $(CERTUTIL) -d sql:./$@ -N --empty-password
-+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
-+ $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
-+
-+# This nss db is used in
-+# - src/tests/cmocka/test_pam_srv.c
-+p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile)
-+ mkdir $@
-+ $(CERTUTIL) -d sql:./$@ -N --empty-password
-+ $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem
-+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)
-+ $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile)
-+
-+CLEANFILES = \
-+ index.txt index.txt.attr \
-+ index.txt.attr.old index.txt.old \
-+ serial serial.old \
-+ SSSD_test_CA.pem $(pwdfile) \
-+ $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \
-+ $(NULL)
-+
-+clean-local:
-+ rm -rf newcerts
-+ rm -rf p11_nssdb
-+ rm -rf p11_nssdb_2certs
-+
-+serial: clean
-+ touch index.txt
-+ mkdir newcerts
-+ echo -n 01 > serial
-diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README
-new file mode 100644
-index 000000000..342fd5890
---- /dev/null
-+++ b/src/tests/test_CA/README
-@@ -0,0 +1,26 @@
-+Simple CA for SSSD tests
-+
-+To avoid issues with certificate lifetimes during tests certificates can be
-+generated with a simple OpenSSL based CA.
-+
-+To create a new certificate add a suitable and valid OpenSSL config file with a
-+[req] section for a certificate signing request (CSR) which must use the name
-+pattern SSSD_test_cert_*.config. Additionally a matching key file
-+SSSD_test_cert_key_%.pem should be added e.g. with
-+
-+ openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048
-+
-+It would be possible to generate the keys automatically as well but
-+pre-created keys will safe some resources on the hosts running the tests,
-+allow more flexibility with algorithms and key lengths and make the tests
-+more reproducible.
-+
-+The Makefile will pick up the config and the keys and generate a X.509
-+certificate. For usage in C-code it will generate a header file
-+SSSD_test_cert_x509_*.h where the base64 encoded binary certificate is made
-+available in a macro called SSSD_TEST_CERT_*. To run test with derived ssh-keys
-+the ssh key is available in SSSD_test_cert_pubsshkey_*.h as
-+SSSD_TEST_CERT_SSH_KEY_*.
-+
-+Other targets for other types of tests can be added to the Makefile and should
-+be documented here.
-diff --git a/src/tests/test_CA/SSSD_test_CA.config b/src/tests/test_CA/SSSD_test_CA.config
-new file mode 100644
-index 000000000..90ae2233c
---- /dev/null
-+++ b/src/tests/test_CA/SSSD_test_CA.config
-@@ -0,0 +1,47 @@
-+[ ca ]
-+default_ca = CA_default
-+
-+[ CA_default ]
-+dir = .
-+database = $dir/index.txt
-+new_certs_dir = $dir/newcerts
-+
-+certificate = $dir/SSSD_test_CA.pem
-+serial = $dir/serial
-+private_key = $dir/SSSD_test_CA_key.pem
-+RANDFILE = $dir/rand
-+
-+default_days = 365
-+default_crl_days = 30
-+default_md = sha256
-+
-+policy = policy_any
-+email_in_dn = no
-+
-+name_opt = ca_default
-+cert_opt = ca_default
-+copy_extensions = copy
-+
-+[ usr_cert ]
-+authorityKeyIdentifier = keyid, issuer
-+
-+[ v3_ca ]
-+subjectKeyIdentifier = hash
-+authorityKeyIdentifier = keyid:always,issuer:always
-+basicConstraints = CA:true
-+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-+
-+[ policy_any ]
-+organizationName = supplied
-+organizationalUnitName = supplied
-+commonName = supplied
-+emailAddress = optional
-+
-+[ req ]
-+distinguished_name = req_distinguished_name
-+prompt = no
-+
-+[ req_distinguished_name ]
-+O = SSSD
-+OU = SSSD test
-+CN = SSSD test CA
-diff --git a/src/tests/test_CA/SSSD_test_CA_key.pem b/src/tests/test_CA/SSSD_test_CA_key.pem
-new file mode 100644
-index 000000000..4838d0379
---- /dev/null
-+++ b/src/tests/test_CA/SSSD_test_CA_key.pem
-@@ -0,0 +1,52 @@
-+-----BEGIN PRIVATE KEY-----
-+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkKj9R0/ato8Qq
-+8iww/4BZc14oTk4e94pGssERG2b8wkcnq9gjn7rDaW0j7sqcEnEtR4nbn4dtjZz5
-+pObXDRPebsZKf+jPac+PiIKwGMdEQFcrt/hZGlpxDrJKUt144ZmMH69CkBC1MREx
-+8GHl3oQ9hnLCE82j4D6i+iVRAFhD6dsmL8YWvzMtjklAiyF6yboD1Vjkxwv06wcZ
-+xgJptyFOcIM4RfRu212SQUmOZvfxIl9zmu6h4Vaz4Vm/e9qmRHJZ5cOJPC6wyhLn
-+iPyEiuRg7DAI226GO04Kl/Frus5fFrih/hq/GyqYVLHQHBdOZ0MgY/zcwD+eEVOX
-+KDFYKAbOwN9rDZC6UW3fPLHMnc0f/6q75s4Qvs3MyP0jtJaqjEe+DpW14u9kivUm
-+f6L/nFHgDMoYHavsUOXKHZu0NRAKAxj+IvAnHRlInPQktIzZQ2abYWix//bb7aDx
-+WhtOFN/rUXA1mqPahRxSgEst4QnSMxU0hPVET0TQO0A/XwozpkrM80NXOoq8m4kH
-+83vknwVurg3VaupctX5fsSZvSYunK4bJ/8+Om7c3pyrxqbV0Y/nwGzjMYIU/iQSM
-+XkDzs5MQfdWTmzQMsFUY7huQo0VA4s2mY96LmbABVCFnZTFSf+li3dNMadPpuTO+
-+w5jhoR1tcYiWtIDPBuwIFMCwdN1N6QIDAQABAoICAC7SgKYBMokVp2cMxYbUl/lD
-+VJo+34c5U1YIztf84JiUIdgBStycpc3+L5iFI2z9193r5V19kmQoAIO2lGyjUWV/
-+JBAbyaHu29pfsDoFC7d04K6nFT7ryo2S74GTGcH5wfHgeq3VNKiKRjYSV3S9wjOC
-+CMDNIZE0roXxgYDq6jIdpoxil2sJl64Mmfm104wII7Uvrgtc0ZZUOOPQH6SkISCg
-+tDzzFiM9vykJXtfrR4xjemUV8UylGo7Vev5xo0AlobXTEdpy0D4VaeW71d45Rn6h
-+WYYnybmgJ/bCkZeDAWDAH+mWZNS89XPHRaooaZv8Uuktu7FtfmCou5e0dtPZevPF
-+qSCExRRnEvBHxqR71e7NDZt8mHR5H9S+4Io6OMFEfTwFC13TNBEiNspg9XovAjfX
-+4u6wSYPKKLH88R5LAuLoBiD6dO+3SiimbaTeD/a+URCfIWUNycExS/3SnWCS2oxW
-+h8uS18DwbCbW0b5N8VYldfZ8QK3+GH2B4vV7ZGOFtUW43HUUPlxqL9lpakbAgPba
-+enrO2+YqzAIM5NWCvL1+fnaPVGc9deDi63sgq75VkJwBMoiBqIpwSUMUwOmL3RiC
-+NdixXJR/HgjP85UrZHQRlcCfSFMduNNjof0WgamXu2TLA4K2clbdiz1DwAgCBpLP
-+INKo4fiZZkjiEs3VS9iBAoIBAQD2DjnFAZ0USGpmRqecHhFOL9nZX/we/DCUrkRv
-+noiEP9lIz/ITmAzCvvUuyFQcDp3LBplB+T74nvfyMJ6AzbV1Kuw7CluIje5i3wKs
-+zYSc49EKxG3PvNlkpbrQkY2/FrBuwakZro/ByzrcCf783cey36IXc5s0EdXiqyB8
-+Gn2yQQvyYShAmE1HjBjcURSC8bCn1OKQNR04gbnIIUbe5kn8IIM2SD8cUPIuvBTf
-+PAzAMT//6bKwi2v6Y9QK0qOIYEFLTEzonKeLlnErXxytb0wbwCbDWQLprYdSQR/3
-+ctVykylPYuTXdCW5qLL5TGuxHKzJodOI0RF8A07CYj7dcQf5AoIBAQDtYuuKp+AT
-+ro7Oe4J1bUx/8YlAPDU4UgWbIQjAPUvdiRLZxVRecomNjDMvnz2G/lE8P3CPD0fD
-+DZSPhUqUnqanTYLAoVyQh8Zo8NjKJ1wlE9F5CZECeGz1RGZcQBUwK7tZr3EGNw/K
-+IShV8/6RVs+I3jjTll2oAoquJ4el0V7sitI6O3Bsh1AoVgZYmJV3qMdODcDJQjNj
-+SVetxExhsd2SJztjp5U0uTMf6fXH41CVKo3seRPvaxAhIDpG1He1XEKeeeq3l6Uu
-+vzpKmXvNmmzjCZLLY6APvLYv1o65UTn3N/MLIXjgEs07e2JNzhLhAuz5h6sPH0aM
-+bx+vOhugy1FxAoIBAQCvFcxRvSYzCpx7jocx9ctGoZIYtc5HlhhTk/Wqn1pxEKXi
-+w+Vzv9xEr3D0CySeml/52gYwBdWjQCsasTH4YWhfqV1TXbloX+ZjgGD86XkV0p4r
-+VT72dWET10Ipq4j7kn+VMETNu4Mb2StW693/vSiexbcnjOHBmXdixXZmGMucjeCc
-+ZjooTLeg07XU//TigGy94CQfjUvvq4+xMsylS6UVvWTguWP/GDJcwwTvHGHOWL07
-+suWt7me1UlfOI7iuECAmHnMTinVGRJTe0d0sJGg5zu9GTg5ejVYfV6wRfisYTlM0
-+5CAGl+VISRyhfJmc+9SP3ZESaAJTBl+CvjoRhJ6xAoIBAQC3Blq2mAJzClX+q0mF
-+ghTGXJLG3OTnnI3H8mtN1LTGhKXtE3CeNU8KvHrGj88fYrt9aSg+lLhukezlzw4W
-+kk/JlEBohsDYimaWiIONMVWhHKuX16FfNzxCyk7ld18euckEN/k7on5hCLmRs8Kl
-+ijoOu88yi6+AFx2XctDqLwgx9kJqNWPTuWw6/UB9VH+BN7ca3g2y3oDCX0zjpAKE
-+HF/KDMeEaTPn55acV4VxbTi3GY09MokFQhW4hKGJ9MyrHwwaJcOrc5ce+L9Xvwiu
-+GA816S6t9Az3tTb+oT1/cjnv+so/3bnVgYmM/+9mL6lspRXSuiBQU3vQUOkr7/BX
-+RAtxAoIBAQC2AQjrhdjyIhuzDGpL7A/IUfV9Fr37ytRY1r7pOwIVthGK3SmLbV2t
-+byT4LeS1XMkpuwfiM/w4uAbRz3QhMGfgv9wUjNCpR9fBd4VZqU9HPk6TasQhxxLU
-+q4O+XpvylEqPPzHkvpJUiVEfh7bXSoqbvTP7fUnJ/YzqMyq+NNkJzKccz8+I2BfN
-+/WXp6HmKAKhvF2mkFbo+2IXzJoCzHRorBvj/HzMc349cvHtYErJvHZQ2wgfY5CFC
-+y2/x/t1pQ6BhrJiNyC1s8jYtboY7mc1yAp6cvtWraOYYk6LCTLbRLPLNqEOKPUFH
-+xHflFSh7K6rCRfJGMKKFYtdA09/CAqh+
-+-----END PRIVATE KEY-----
-diff --git a/src/tests/test_CA/SSSD_test_cert_0001.config b/src/tests/test_CA/SSSD_test_cert_0001.config
-new file mode 100644
-index 000000000..b6c52a148
---- /dev/null
-+++ b/src/tests/test_CA/SSSD_test_cert_0001.config
-@@ -0,0 +1,20 @@
-+# This certificate is used in
-+# - src/tests/cmocka/test_cert_utils.c
-+# - src/tests/cmocka/test_pam_srv.c
-+[ req ]
-+distinguished_name = req_distinguished_name
-+prompt = no
-+
-+[ req_distinguished_name ]
-+O = SSSD
-+OU = SSSD test
-+CN = SSSD test cert 0001
-+
-+[ req_exts ]
-+basicConstraints = CA:FALSE
-+nsCertType = client, email
-+nsComment = "SSSD test Certificate"
-+subjectKeyIdentifier = hash
-+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-+extendedKeyUsage = clientAuth, emailProtection
-+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
-diff --git a/src/tests/test_CA/SSSD_test_cert_0002.config b/src/tests/test_CA/SSSD_test_cert_0002.config
-new file mode 100644
-index 000000000..8722ffa7e
---- /dev/null
-+++ b/src/tests/test_CA/SSSD_test_cert_0002.config
-@@ -0,0 +1,19 @@
-+# This certificate is used in
-+# - src/tests/cmocka/test_pam_srv.c
-+[ req ]
-+distinguished_name = req_distinguished_name
-+prompt = no
-+
-+[ req_distinguished_name ]
-+O = SSSD
-+OU = SSSD test
-+CN = SSSD test cert 0002
-+
-+[ req_exts ]
-+basicConstraints = CA:FALSE
-+nsCertType = client
-+nsComment = "SSSD test Certificate"
-+subjectKeyIdentifier = hash
-+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-+extendedKeyUsage = clientAuth
-+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
-diff --git a/src/tests/test_CA/SSSD_test_cert_key_0001.pem b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
-new file mode 100644
-index 000000000..365c9897a
---- /dev/null
-+++ b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
-@@ -0,0 +1,28 @@
-+-----BEGIN PRIVATE KEY-----
-+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX8xglLP+D54dG
-+V/lndmQ7YRg1GDuaZilzh/jfAva3psSYDnn1f9wmygNx0HUjlpG72pBOaYthdp1D
-+ZGayTlpSUY/3y7+pvokFlY0v9Xhg3yhUyRK95uS/LuY4L8uaoZxMXPW2iP3kzv2v
-+BQQlMuBCjL+ji/tX2Zl8CHUldY7QPtSLZcklXmRvu5jHPK5W/eh8E66UNeb/dueq
-+ZAzLBZb5g8Blv9dMjf/eSlM/R//au40ZBBa3CRpddaf/gOa9sNGVd6RmzwejZ47k
-+hPwkx6t23ZQ7bZkk0NI3H8+/sKkM6aWZaywmLvnyClIgjgZh5zKJgv0ZFAaQ/nST
-+a6ke3OetAgMBAAECggEAIHaO3qfREYcwssZu27rUfoiuFu05qJBLEu8R3pSXeiw7
-+yZADjYBXHA2qTuXDdkIgTlkg8Gi1Z0VphsQFHDDjKxTPy7R5b48REiHVQ6xnGEjz
-+yysfAiU/pe3q9e9ZcDlzQZeH6JTXdhoX0MO0R9NKGzcFaBSXCDHR/O9YjPULLwq8
-+K9wZpHV6DPajoPGmZgw1qQr7Lc35nVi9AeNyTGnSrUf4hdjKiA2WA0aC3fkeKQxp
-+8z6FJWKot84dGbhYK0fyM0uIMb4wS8gvTmvhjE5pltEstOY3bFebxJ5DtBJPqE5K
-+FL6k2tfcctuhiwDsRWar39H5SvXzxHbyaz0nwpI9AQKBgQD2Z+vpncVGZgnV0rwK
-+0dcdEMSCOj7i91OVS8IGAvwfpI6n8Hs6upO1PtqvWtnwt8lOMwF3omA5/25ZF1+K
-+Y6iPxnqcg4nApG1DVDXMrV1cWUa6Sc95afJE224sZA+yKiyTZsWdxfV5y5rc5V3L
-+ZOzXjHOW40W/ZuuNwKR5D9fyUQKBgQDgW5h+9NwyPg+01I9qQgsnlHPA9ndKamcH
-+QgnAhdM75wadPnVZTNsOa46pfg0Uy/yqYSo2NZz5CmN6W3baVanyUMMmhDWHmCuV
-+6nHmzwlJDiJz7S0ieEUi62NConZbU3YE6zjmKkMU0K8pZEisvX/Hb3K8Py4Jxyhy
-+JdX5FRmMnQKBgQCzK2GpX6VgyTWBm1hMbcUDR3v8TaoIk1rdhlaw1F7MC3YHu59/
-+Vses1OVi+KbcmGbyS7hXa2SZB5kPgyVflZOt596kDCmQQH+Ko6LzD2SBkBETyDPq
-+zxTw6LW15ZRcMrpy/BnZ3WXfiCM1WDrZeKuXGHO8VcoToRzK2DdAKDsX4QKBgQCv
-+NHhrNHa8uaB0W8Y/eaHSX+jhWNehgmRA075f3WIvFmQg6cSkXxN2OGJpVCmNAxum
-+Rki7mrSh+w3iYIj5Sgp0U8OCUZ6n7BqlcTdPwoCCz4nyM9aaY4fCFEYopEx/VzcD
-+8lk1zO0j1S/kyA7E7xtZOFxGS6R9OE0KjyeA44xXNQKBgFRbzhYNerXwepfYi0bR
-+plJ8Jg4q4DI+m5QlKGjQLsX4e0sdyOgD8mV3iYofzrull5KZeRQy5qbO9EypFXQ5
-++16FbR7VTYgKcwHNtC+8EcsSVwgk57ox4jDY6A/X1DBKUT+m/XyJYE79ZCsFVvl+
-+O8zzsFaOeoxTVyVxjHmuhZ6U
-+-----END PRIVATE KEY-----
-diff --git a/src/tests/test_CA/SSSD_test_cert_key_0002.pem b/src/tests/test_CA/SSSD_test_cert_key_0002.pem
-new file mode 100644
-index 000000000..d80349f50
---- /dev/null
-+++ b/src/tests/test_CA/SSSD_test_cert_key_0002.pem
-@@ -0,0 +1,28 @@
-+-----BEGIN PRIVATE KEY-----
-+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvhgVEGejE4Gcr
-+b2lXw2scPpvXa2BaJ2DtFNgofEKhPlBoS7E913YXIG+kSE2i7YezAzHyd0hVEBqR
-+QVlhGg5LCeOrQTRASSNUCgWzEXnRbPrvQbeZc7T6k1QIAmTNlpIc7mrO5bjOkR6Y
-+DVNTDmW90aCo4IyarJAru1xQTjS+TDtJNvIgqI1BtnpH67JXt/2UsQYAD4lQQmAf
-+gEj3a2bD+EuJVVFt4rar+QE3EUZi265cK3IfV6OkzDP/ZuN9sxr5adk0QE/2jC+b
-+1sB0VxLxWhGszuOtdhkO/bxcfjWj/EWGa0nezukDeob3k+b4f6Z5kfW9GJCdCOOQ
-+Rr1Mv6oZAgMBAAECggEAUICdZbCka7eoWemNXS1JsPieLV0YIgExmUsYIOls/dtA
-+sbUVo5FwngbIbYaj5PggZuAuRlCjIjBynvBj9/8lUxFEFEWhm2JwC5lVJ936Cy16
-+ocV4Wa8R8GMmBU5jwU8v0Ikg/6eo7UTtzTs/XjaaP0cn8oyasE45CXWzTzmvQx+d
-+FwfcTkhc6KALf+CHTk7mE8QT3vMgVQMRiisF998fnJDkW9U4pPygcg1BAq8wjix8
-+YwVAlk/Vq6MxmOViqTNEmnBd5dfZ/f9SYGkR7AvZgENEDNtkd7fE37YXdTSYfBWd
-+lhHm4UkTUSsHl+Xx5w5r/e9xcK/z/49WUJnK2mVcAQKBgQDUv+szGloLyy0OT9SK
-+qqqiL7AtUtfCRPH9Gk/UYBGLzktuioac9m1tDo5RsiInFjSmBe4wTGrkhrAJP1Vh
-+DOpXGqMe0cV/QqOL/XnsJi6ySHzGhiR+F+iBQLk13ya1TIiGIG65mxVU7ZceBWzH
-+AoAjkwV9c/lUGX3yhJ8zUPPYQQKBgQDTNL/WNNHx5PD8XV9voupVFh5nLA9CqCYR
-+/07O8pMKve/DjswT40mz/Bwd8xKPFIjTtPMuRd1mORnkF/Q/1WuO5dZG6UUTQT5V
-+KdtI8VwhQlTz7/DjXm4O+mkwY9vfhTQylUsqh2rX6WkIedj1b6rT5Jg6fHMn34N2
-+/9UGEp6b2QKBgQCIJ4MIo3a5UYA2RpTJYcvuHALuHrSCWclcp/gq/Ih+JrpTtkfM
-+MFF7l/MxCYWd6jIrhmQXePB37FLAuE2V3MQklqGKWcnBVg6Ayum6Xf1Ij+d6zeKQ
-+6BAemCNv/K4zHRXKcPsrwbp3Lc6moeYpvsnu+mprDUulrOLT0FhqaQaFgQKBgQDG
-+dqfZUlMBub8VdWwri+wkvh8dldJVMYpsmPrmDh1MF8TIf1OXUJm+TiXhorqKxqH4
-+Re3JSo9L8lY49qVmolZqteCPS73D5Sf8gNN1DJAlFJ6dhpdWIDLNUlMrzHoc5J9y
-+9MToFs24S7WN6GmN4Dum1wSQ2Mag7jArzyTOiwqNqQKBgFh12/YF4tiePqG1aOaB
-++L5GgA/ux+6SNj5TkqeiKqPaptg1tnM/T/ChiWmwZzee1ZeMEBbDWtbEMf15In7/
-+OM5OSMU+SIgWposXDTDKM9ZMQZW6h9IQy/IxwvF8BrroS0vF9vOXKOz4Aw+5Kugq
-+JxM2HRDRdC23CGRuGjv+hO4d
-+-----END PRIVATE KEY-----
---
-2.17.0
-
diff --git a/0054-TESTS-replace-hardcoded-certificates.patch b/0054-TESTS-replace-hardcoded-certificates.patch
deleted file mode 100644
index 3923899..0000000
--- a/0054-TESTS-replace-hardcoded-certificates.patch
+++ /dev/null
@@ -1,365 +0,0 @@
-From a6514e1829c018c7b68b168e6206ec51bd8a7e08 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 14 Feb 2019 18:35:49 +0100
-Subject: [PATCH] TESTS: replace hardcoded certificates
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since the hardcoded certificates have a limited lifetime they are
-replaces by certificates from the test CA.
-
-Related to https://pagure.io/SSSD/sssd/issue/3436
-
-Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-(cherry picked from commit 0dc7f90667df6420bc9e93ae2c8bacd6ea148f0f)
----
- src/tests/cmocka/test_cert_utils.c | 41 ++++--------
- src/tests/cmocka/test_pam_srv.c | 104 +++++++++++------------------
- 2 files changed, 50 insertions(+), 95 deletions(-)
-
-diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
-index f50030e49..dd58b73a7 100644
---- a/src/tests/cmocka/test_cert_utils.c
-+++ b/src/tests/cmocka/test_cert_utils.c
-@@ -34,6 +34,13 @@
- #include "util/crypto/nss/nss_util.h"
- #include "util/crypto/sss_crypto.h"
-
-+#ifdef HAVE_TEST_CA
-+#include "tests/test_CA/SSSD_test_cert_pubsshkey_0001.h"
-+#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
-+#else
-+#define SSSD_TEST_CERT_0001 ""
-+#define SSSD_TEST_CERT_SSH_KEY_0001 ""
-+#endif
-
- /* TODO: create a certificate for this test */
- const uint8_t test_cert_der[] = {
-@@ -325,32 +332,6 @@ void test_sss_cert_derb64_to_ldap_filter(void **state)
- talloc_free(filter);
- }
-
--#define SSH_TEST_CERT \
--"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
--"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \
--"NDEzNDlaFw0xODA1MjQxNDEzNDlaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \
--"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \
--"ADCCAQoCggEBALfEAE0IUlOAgDTdZQGcYA03IPooixNnkUQruh0eU3uw+KYGQoS1" \
--"YCdCHJzRc+IfuqdNntgtGDIpWADRwB4h963pBImpMSU5L1T4uiHNCpvl9eMt4ynk" \
--"xduOa+JmJUvqvwe7Gj9iDql4lWmJcXvq74/yOc3MBSPQCdg/pHZU65+NjSZmZzlN" \
--"eNV3tQKrhMe6tM00pai2igXilfUpzOU2v+AX69oOesrqTUl9i2eCUirGanR9l95d" \
--"yVCcmIDJd2P2NLIkhbHGRitfTC/tQZ4G+Edg9STw8Y+4ljp2rTHs59dWRBe2Gn8Z" \
--"Zt8zZ5WuNxARVF1THI9X6ydX/uoaz8R7pfkCAwEAAaOCASYwggEiMB8GA1UdIwQY" \
--"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
--"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
--"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
--"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
--"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
--"IEF1dGhvcml0eTAdBgNVHQ4EFgQUMydoshxYXhDXOMo/EETvrZaQuBwwDQYJKoZI" \
--"hvcNAQELBQADggEBADIrTFNvEdZGna7jD1xpiLGGUwCi11GQT+Txg5B7dydUn5U5" \
--"32zSBBZV6bsy0E+PiiAgehJObv9hBaOWnhp7ltNyQod1OLdI1t988ow2wxHvUEEi" \
--"MhRF0h2RJwdYIUIIF7XC01mKBOFj/84vvMOgLToZnGqVzArkzpr1aCaHI7EoTkpb" \
--"V16v+drZkXc47JuHg5CRjTHV/kFPm63gQ8Fstmw/dQZBzbCiVzmcG0Xm9r4jMOOf" \
--"YjVueMt/jk1LP4KoSCBY6kLMcpL5rQm53hO82rPAgV695rjdPlIUm09dvkCl28ZD" \
--"109Ju18eAaaVFewK82NDg9rsNraBKxMCBSgg0es="
--
--#define SSH_PUB_KEY "AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xABNCFJTgIA03WUBnGANNyD6KIsTZ5FEK7odHlN7sPimBkKEtWAnQhyc0XPiH7qnTZ7YLRgyKVgA0cAeIfet6QSJqTElOS9U+LohzQqb5fXjLeMp5MXbjmviZiVL6r8Huxo/Yg6peJVpiXF76u+P8jnNzAUj0AnYP6R2VOufjY0mZmc5TXjVd7UCq4THurTNNKWotooF4pX1KczlNr/gF+vaDnrK6k1JfYtnglIqxmp0fZfeXclQnJiAyXdj9jSyJIWxxkYrX0wv7UGeBvhHYPUk8PGPuJY6dq0x7OfXVkQXthp/GWbfM2eVrjcQEVRdUxyPV+snV/7qGs/Ee6X5"
--
- void test_cert_to_ssh_key(void **state)
- {
- int ret;
-@@ -366,13 +347,13 @@ void test_cert_to_ssh_key(void **state)
- struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
- assert_non_null(ts);
-
-- der = sss_base64_decode(ts, SSH_TEST_CERT, &der_size);
-+ der = sss_base64_decode(ts, SSSD_TEST_CERT_0001, &der_size);
- assert_non_null(der);
-
-- exp_key = sss_base64_decode(ts, SSH_PUB_KEY, &exp_key_size);
-+ exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0001, &exp_key_size);
- assert_non_null(exp_key);
-
-- ret = cert_to_ssh_key(ts, "sql:" ABS_SRC_DIR "/src/tests/cmocka/p11_nssdb",
-+ ret = cert_to_ssh_key(ts, "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb",
- der, der_size, &cert_verify_opts, &key, &key_size);
- assert_int_equal(ret, EOK);
- assert_int_equal(key_size, exp_key_size);
-@@ -407,8 +388,10 @@ int main(int argc, const char *argv[])
- setup, teardown),
- cmocka_unit_test_setup_teardown(test_sss_cert_derb64_to_ldap_filter,
- setup, teardown),
-+#ifdef HAVE_TEST_CA
- cmocka_unit_test_setup_teardown(test_cert_to_ssh_key,
- setup, teardown),
-+#endif
- };
-
- /* Set debug level to invalid value so we can decide if -d 0 was used. */
-diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
-index c510c2d3b..e68e81f97 100644
---- a/src/tests/cmocka/test_pam_srv.c
-+++ b/src/tests/cmocka/test_pam_srv.c
-@@ -38,6 +38,14 @@
- #include "util/crypto/nss/nss_util.h"
- #endif
-
-+#ifdef HAVE_TEST_CA
-+#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
-+#include "tests/test_CA/SSSD_test_cert_x509_0002.h"
-+#else
-+#define SSSD_TEST_CERT_0001 ""
-+#define SSSD_TEST_CERT_0002 ""
-+#endif
-+
- #define TESTS_PATH "tp_" BASE_FILE_STEM
- #define TEST_CONF_DB "test_pam_conf.ldb"
- #define TEST_DOM_NAME "pam_test"
-@@ -52,55 +60,11 @@
-
- #define TEST_TOKEN_NAME "SSSD Test Token"
- #define TEST_MODULE_NAME "NSS-Internal"
--#define TEST_KEY_ID "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7"
--#define TEST_PROMPT "Server-Cert\nCN=ipa-devel.ipa.devel,O=IPA.DEVEL"
--#define TEST_TOKEN_CERT \
--"MIIECTCCAvGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
--"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \
--"NDE0MTVaFw0xODA1MjQxNDE0MTVaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \
--"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \
--"ADCCAQoCggEBALHvOzZy/3llvoAYxrtOpux0gDVvSuSRpTGOW/bjpgdTowvXoOb5" \
--"G9Cy/9S6be7ZJ9D95lc/J9W8tX+ShKN8Q4b74l4WjmILQJ4dUsJ/BXfvoMPR8tw/" \
--"G47dGbLZanMXdWGBSTuXhoiogZWib2DhSwrX2DbEH5L3OWooeAVU5ZWOw55/HD7O" \
--"Q/7Of7H3tf4bvxNTFkxh39KQMG28wjPZSv+SZWNHMB+rj2yZgyeHBMkoPOPesAEi" \
--"7KKHxw1MHSv2xBI1AiV+aMdKfYUMy0Rq3PrRU4274i3eaBX4Q9GnDi36K/7bHjbt" \
--"LW0YTIW/L5/cH/BO88BREjxS3bEXAQqlKOcCAwEAAaOCASYwggEiMB8GA1UdIwQY" \
--"MBaAFPci/0Km5D/L5z7YqwEc7E1/GwgcMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
--"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
--"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
--"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
--"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
--"IEF1dGhvcml0eTAdBgNVHQ4EFgQUIJuWIts3m3uEYqJ9pUL0y7utTiEwDQYJKoZI" \
--"hvcNAQELBQADggEBAB0GyqGxtZ99fsXA1+fHfAwKOwznT7Hh8hN9efEMBJICVud+" \
--"ivUBOH6JpSTWgNLuBhrpebV/b/DSjhn+ayuvoPWng3hjwMbSEIe0euzCEdwVcokt" \
--"bwNMMSeTxSg6wbJnEyZqQEIr2h/TR9dRNxE+RbQXyamW0fUxSVT16iueL0hMwszT" \
--"jCfI/UZv3tDMHbh6D4811A0HO8daW7ufMGb/M+kDxYigJiL2gllMZ+6xba1RRgzF" \
--"8Z+9gqZhCa7FEKJOPNR9RVtJs0qUUutMZrp1zpyx0GTmXQBA7LbgPxy8L68uymEQ" \
--"XyQBwOYRORlnfGyu+Yc9c3E0Wx8Tlznz0lqPR9g="
--
--#define TEST2_KEY_ID "C8D60E009EB195D01A7083EE1D5419251AA87C2C"
--#define TEST2_PROMPT "ipaCert\nCN=IPA RA,O=IPA.DEVEL"
--#define TEST_TOKEN_2ND_CERT \
--"MIIDazCCAlOgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
--"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA1MjMx" \
--"NDEzMDFaFw0xODA1MTMxNDEzMDFaMCUxEjAQBgNVBAoMCUlQQS5ERVZFTDEPMA0G" \
--"A1UEAwwGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3abE" \
--"8LmIc6QN16VVxsMlN/rrCOoZKyyJolSzpP4+K66t+KZUiW/1j1MZogjyYyD39U1F" \
--"zpa2H+pID74XYrdiqP7sp+uE9/k2XOv/nN3FobXDt+fSINLDriCmxNhUZqpgo2uq" \
--"Mmka+yx2iJZwkntEoJTcd3aynoa2Sa2ZZbkMBy5p6/pUQKwnD6scOwe6mUDppIBK" \
--"+ZZRm+u/NDdIRFI5wfKLRR1r/ONaJA9nz1TxSEsgLsjG/1m+Zbb6lGG4pePIFkQ9" \
--"Iotpi64obBh93oIxzQR29lBG/FMjQVHlPIbx+xuGx11Vtp5pAomgFz0HRrj0leI7" \
--"bROE+jnC/VGPLQD2aQIDAQABo4GWMIGTMB8GA1UdIwQYMBaAFPci/0Km5D/L5z7Y" \
--"qwEc7E1/GwgcMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYlaHR0cDovL2lw" \
--"YS1kZXZlbC5pcGEuZGV2ZWw6ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYD" \
--"VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQBg" \
--"4Sppx2C3eXPJ4Pd9XElkQPOaBReXf1vV0uk/GlK+rG+aAqAkA2Lryx5PK/iAuzAU" \
--"M6JUpELuQYgqugoCgBXMgsMlpAO/0C3CFq4ZH3KgIsRlRngKPrt6RG0UPMRD1CE2" \
--"tSVkwUWvyK83lDiu2BbWDXyMyz5eZOlp7uHusf5BKvob8jEndHj1YzaNTmVSsDM5" \
--"kiIwf8qgFhsO1HCq08PtAnbVHhqkcvnmIJN98eNWNfTKodDmFVbN8gB0wK+WB5ii" \
--"WVOw7+3/zF1QgqnYX3t+kPLRryip/wvTZkzXWwMNj/W6UHgjNF/4gWGoBgCHu+u3" \
--"EvjMmbVSrEkesibpGQS5"
-+#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
-+#define TEST_PROMPT "SSSD test cert 0001 - SSSD\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
-
-+#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
-+#define TEST2_PROMPT "SSSD test cert 0002 - SSSD\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
-
- static char CACHED_AUTH_TIMEOUT_STR[] = "4";
- static const int CACHED_AUTH_TIMEOUT = 4;
-@@ -187,7 +151,7 @@ static errno_t setup_nss_db(void)
- DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
- return ret;
- }
-- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR);
-+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
- if (ret < 0) {
- DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
- return ret;
-@@ -208,7 +172,7 @@ static errno_t setup_nss_db(void)
- DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
- return ret;
- }
-- ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/cmocka/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_SRC_DIR);
-+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
- if (ret < 0) {
- DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
- return ret;
-@@ -451,6 +415,7 @@ static int pam_test_setup(void **state)
- return 0;
- }
-
-+#ifdef HAVE_TEST_CA
- #ifdef HAVE_NSS
- static int pam_test_setup_no_verification(void **state)
- {
-@@ -476,6 +441,7 @@ static int pam_test_setup_no_verification(void **state)
- return 0;
- }
- #endif /* HAVE_NSS */
-+#endif /* HAVE_TEST_CA */
-
- static int pam_cached_test_setup(void **state)
- {
-@@ -1915,6 +1881,7 @@ static int test_lookup_by_cert_cb(void *pvt)
-
- return EOK;
- }
-+
- static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt)
- {
- int ret;
-@@ -1927,7 +1894,7 @@ static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt)
- attrs = sysdb_new_attrs(pam_test_ctx);
- assert_non_null(attrs);
-
-- der = sss_base64_decode(pam_test_ctx, TEST_TOKEN_2ND_CERT, &der_size);
-+ der = sss_base64_decode(pam_test_ctx, SSSD_TEST_CERT_0002, &der_size);
- assert_non_null(der);
-
- ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
-@@ -2033,7 +2000,7 @@ void test_pam_preauth_cert_match(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
-+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2057,7 +2024,7 @@ void test_pam_preauth_cert_match_gdm_smartcard(void **state)
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL,
- "gdm-smartcard", test_lookup_by_cert_cb,
-- TEST_TOKEN_CERT, false);
-+ SSSD_TEST_CERT_0001, false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2080,7 +2047,7 @@ void test_pam_preauth_cert_match_wrong_user(void **state)
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_wrong_user_cb,
-- TEST_TOKEN_CERT, false);
-+ SSSD_TEST_CERT_0001, false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2111,7 +2078,7 @@ void test_pam_preauth_cert_no_logon_name(void **state)
- * request will be done with the username found by the certificate
- * lookup. */
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
-+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
- mock_account_recv_simple();
- mock_parse_inp("pamuser", NULL, EOK);
-
-@@ -2140,7 +2107,7 @@ void test_pam_preauth_cert_no_logon_name_with_hint(void **state)
- * during pre-auth and there is no need for an extra mocked response as in
- * test_pam_preauth_cert_no_logon_name. */
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
-+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2162,7 +2129,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, NSS_DB);
-
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false);
-+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
-+ false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2185,7 +2153,8 @@ void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state)
- pam_test_ctx->rctx->domains->user_name_hint = true;
-
- mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, false);
-+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
-+ false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2258,8 +2227,8 @@ void test_pam_cert_auth(void **state)
- * in the cache and no second request to the backend is needed. */
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
- "NSS-Internal",
-- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
-- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true);
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2292,8 +2261,8 @@ void test_pam_cert_auth_no_logon_name(void **state)
- * in the cache and no second request to the backend is needed. */
- mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
- "NSS-Internal",
-- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
-- test_lookup_by_cert_cb, TEST_TOKEN_CERT, true);
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
-
- mock_account_recv_simple();
- mock_parse_inp("pamuser", NULL, EOK);
-@@ -2354,8 +2323,9 @@ void test_pam_cert_auth_double_cert(void **state)
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
- "NSS-Internal",
-- "A5EF7DEE625CA5996C8D1BA7D036708161FD49E7", NULL,
-- test_lookup_by_cert_double_cb, TEST_TOKEN_CERT, true);
-+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
-+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
-+ true);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2380,7 +2350,7 @@ void test_pam_cert_preauth_2certs_one_mapping(void **state)
- set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
-- test_lookup_by_cert_cb, TEST_TOKEN_CERT, false);
-+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2403,7 +2373,7 @@ void test_pam_cert_preauth_2certs_two_mappings(void **state)
-
- mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
- test_lookup_by_cert_cb_2nd_cert_same_user,
-- TEST_TOKEN_CERT, false);
-+ SSSD_TEST_CERT_0001, false);
-
- will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
- will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
-@@ -2812,6 +2782,7 @@ int main(int argc, const char *argv[])
- cmocka_unit_test_setup_teardown(test_pam_cached_auth_failed_combined_pw_with_cached_2fa,
- pam_cached_test_setup,
- pam_test_teardown),
-+#ifdef HAVE_TEST_CA
- /* p11_child is not built without NSS */
- #ifdef HAVE_NSS
- cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
-@@ -2856,6 +2827,7 @@ int main(int argc, const char *argv[])
- cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
- pam_test_setup, pam_test_teardown),
- #endif /* HAVE_NSS */
-+#endif /* HAVE_TEST_CA */
-
- cmocka_unit_test_setup_teardown(test_filter_response,
- pam_test_setup, pam_test_teardown),
---
-2.17.0
-
diff --git a/0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch b/0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch
deleted file mode 100644
index e176b6d..0000000
--- a/0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 4452b5e6adb03378ccb8e581e60e73c2237644cf Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 30 Apr 2018 11:16:25 +0200
-Subject: [PATCH] DYNDNS: Move the retry logic into a separate function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Let's not repeat ourselves
-
-Related to:
-https://pagure.io/SSSD/sssd/issue/3725
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 65034a715e5071ad944bf37b414c6a36bf60cf29)
----
- src/providers/ldap/sdap_dyndns.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
-index 9d28b5758..f791ba9f3 100644
---- a/src/providers/ldap/sdap_dyndns.c
-+++ b/src/providers/ldap/sdap_dyndns.c
-@@ -79,6 +79,16 @@ static struct sss_iface_addr*
- sdap_get_address_to_delete(struct sss_iface_addr *address_it,
- uint8_t remove_af);
-
-+static bool should_retry(int child_status)
-+{
-+ if (WIFEXITED(child_status)
-+ && WEXITSTATUS(child_status) != 0) {
-+ return true;
-+ }
-+
-+ return false;
-+}
-+
- struct tevent_req *
- sdap_dyndns_update_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
-@@ -371,8 +381,7 @@ sdap_dyndns_update_done(struct tevent_req *subreq)
- if (ret != EOK) {
- /* If the update didn't succeed, we can retry using the server name */
- if (state->fallback_mode == false
-- && WIFEXITED(child_status)
-- && WEXITSTATUS(child_status) != 0) {
-+ && should_retry(child_status)) {
- state->fallback_mode = true;
- DEBUG(SSSDBG_MINOR_FAILURE,
- "nsupdate failed, retrying.\n");
-@@ -514,8 +523,7 @@ sdap_dyndns_update_ptr_done(struct tevent_req *subreq)
- if (ret != EOK) {
- /* If the update didn't succeed, we can retry using the server name */
- if (state->fallback_mode == false
-- && WIFEXITED(child_status)
-- && WEXITSTATUS(child_status) != 0) {
-+ && should_retry(child_status)) {
- state->fallback_mode = true;
- DEBUG(SSSDBG_MINOR_FAILURE, "nsupdate failed, retrying\n");
- ret = sdap_dyndns_update_ptr_step(req);
---
-2.17.0
-
diff --git a/0056-DYNDNS-Retry-also-on-timeouts.patch b/0056-DYNDNS-Retry-also-on-timeouts.patch
deleted file mode 100644
index 98ebfd0..0000000
--- a/0056-DYNDNS-Retry-also-on-timeouts.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 288c9c42534f0ae24af51ad4b439cdd2656266f9 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 30 Apr 2018 11:18:49 +0200
-Subject: [PATCH] DYNDNS: Retry also on timeouts
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There is the dyndns_server option that is supposed to make it possible
-for the admin to select a server to update DNS with if the server
-detected by nsupdate does not work. The fallback works OK for the case
-where nsupdate fails with a non-zero return code, but doesn't work
-for the case where nsupdate times out.
-
-This patch extends the retry condition to also fallback to the
-dyndns_server directive if nsupdate return ERR_DYNDNS_TIMEOUT.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3725
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit b57dfac8a047494162395422447ed5675806cfdc)
----
- src/providers/ldap/sdap_dyndns.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c
-index f791ba9f3..20d97ca41 100644
---- a/src/providers/ldap/sdap_dyndns.c
-+++ b/src/providers/ldap/sdap_dyndns.c
-@@ -79,10 +79,10 @@ static struct sss_iface_addr*
- sdap_get_address_to_delete(struct sss_iface_addr *address_it,
- uint8_t remove_af);
-
--static bool should_retry(int child_status)
-+static bool should_retry(int nsupdate_ret, int child_status)
- {
-- if (WIFEXITED(child_status)
-- && WEXITSTATUS(child_status) != 0) {
-+ if ((WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0)
-+ || nsupdate_ret == ERR_DYNDNS_TIMEOUT) {
- return true;
- }
-
-@@ -381,7 +381,7 @@ sdap_dyndns_update_done(struct tevent_req *subreq)
- if (ret != EOK) {
- /* If the update didn't succeed, we can retry using the server name */
- if (state->fallback_mode == false
-- && should_retry(child_status)) {
-+ && should_retry(ret, child_status)) {
- state->fallback_mode = true;
- DEBUG(SSSDBG_MINOR_FAILURE,
- "nsupdate failed, retrying.\n");
-@@ -523,7 +523,7 @@ sdap_dyndns_update_ptr_done(struct tevent_req *subreq)
- if (ret != EOK) {
- /* If the update didn't succeed, we can retry using the server name */
- if (state->fallback_mode == false
-- && should_retry(child_status)) {
-+ && should_retry(ret, child_status)) {
- state->fallback_mode = true;
- DEBUG(SSSDBG_MINOR_FAILURE, "nsupdate failed, retrying\n");
- ret = sdap_dyndns_update_ptr_step(req);
---
-2.17.0
-
diff --git a/0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch b/0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
deleted file mode 100644
index a787a96..0000000
--- a/0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 1ff0edffde5b86e73c20c485236b9b20f22f6f7a Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 30 Apr 2018 15:31:49 +0200
-Subject: [PATCH] AD: Warn if the LDAP schema is overriden with the AD provider
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3726
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 3cff2c5e563d967366d534bd3fc8c410f6467ea6)
----
- src/providers/ad/ad_common.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
-index d92c68e6f..c39dcfad6 100644
---- a/src/providers/ad/ad_common.c
-+++ b/src/providers/ad/ad_common.c
-@@ -1000,6 +1000,7 @@ ad_set_sdap_options(struct ad_options *ad_opts,
- errno_t ret;
- char *krb5_realm;
- char *keytab_path;
-+ const char *schema;
-
- /* We only support Kerberos password policy with AD, so
- * force that on.
-@@ -1050,6 +1051,17 @@ ad_set_sdap_options(struct ad_options *ad_opts,
- goto done;
- }
-
-+ /* Warn if the user is doing something silly like overriding the schema
-+ * with the AD provider
-+ */
-+ schema = dp_opt_get_string(id_opts->basic, SDAP_SCHEMA);
-+ if (schema != NULL && strcasecmp(schema, "ad") != 0) {
-+ DEBUG(SSSDBG_IMPORTANT_INFO,
-+ "The AD provider only supports the AD LDAP schema. "
-+ "SSSD will ignore the ldap_schema option value and proceed "
-+ "with ldap_schema=ad\n");
-+ }
-+
- /* fix schema to AD */
- id_opts->schema_type = SDAP_SCHEMA_AD;
-
---
-2.17.0
-
diff --git a/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch b/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
deleted file mode 100644
index 6088872..0000000
--- a/0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From f2c1a2c4a209f1d8db13ec8a875b5787747dca61 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 1 May 2018 21:05:21 +0200
-Subject: [PATCH] SYSDB: Only check non-POSIX groups for GID conflicts
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When checking for a GID conflict, it doesn't make sense to check for one
-when the group being added is a non-POSIX one, because then the GID will
-always be 0.
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 8a8285cf515c78709e16ec03b254c89466fe3ea2)
----
- src/db/sysdb_ops.c | 38 ++++++++++++++++---------------
- src/tests/sysdb-tests.c | 50 ++++++++++++++++++++++++++++++++++++++++-
- 2 files changed, 69 insertions(+), 19 deletions(-)
-
-diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
-index 93b967e75..124c1285e 100644
---- a/src/db/sysdb_ops.c
-+++ b/src/db/sysdb_ops.c
-@@ -2388,28 +2388,30 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
- return ENOMEM;
- }
-
-- ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
-- if (ret == EOK) {
-- for (int i = 0; !same && group_attrs[i] != NULL; i++) {
-- previous = ldb_msg_find_attr_as_string(msg,
-- group_attrs[i],
-- NULL);
-- if (previous != NULL && values[i] != NULL) {
-- same = strcmp(previous, values[i]) == 0;
-+ if (posix) {
-+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &msg);
-+ if (ret == EOK) {
-+ for (int i = 0; !same && group_attrs[i] != NULL; i++) {
-+ previous = ldb_msg_find_attr_as_string(msg,
-+ group_attrs[i],
-+ NULL);
-+ if (previous != NULL && values[i] != NULL) {
-+ same = strcmp(previous, values[i]) == 0;
-+ }
-+ }
-+
-+ if (same == true) {
-+ DEBUG(SSSDBG_TRACE_LIBS,
-+ "The group with GID [%"SPRIgid"] was renamed\n", gid);
-+ ret = ERR_GID_DUPLICATED;
-+ goto done;
- }
-- }
-
-- if (same == true) {
-- DEBUG(SSSDBG_TRACE_LIBS,
-- "The group with GID [%"SPRIgid"] was renamed\n", gid);
-- ret = ERR_GID_DUPLICATED;
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "Another group with GID [%"SPRIgid"] already exists\n", gid);
-+ ret = EEXIST;
- goto done;
- }
--
-- DEBUG(SSSDBG_OP_FAILURE,
-- "Another group with GID [%"SPRIgid"] already exists\n", gid);
-- ret = EEXIST;
-- goto done;
- }
-
- /* try to add the group */
-diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
-index 416dedb5e..19cdcc2f8 100644
---- a/src/tests/sysdb-tests.c
-+++ b/src/tests/sysdb-tests.c
-@@ -1557,6 +1557,53 @@ START_TEST (test_sysdb_add_nonposix_user)
- }
- END_TEST
-
-+static void add_nonposix_incomplete_group(struct sysdb_test_ctx *test_ctx,
-+ const char *groupname)
-+{
-+ const char *get_attrs[] = { SYSDB_GIDNUM,
-+ SYSDB_POSIX,
-+ NULL };
-+ struct ldb_message *msg;
-+ const char *attrval;
-+ const char *fq_name;
-+ int ret;
-+ uint64_t id;
-+
-+ /* Create group */
-+ fq_name = sss_create_internal_fqname(test_ctx, groupname, test_ctx->domain->name);
-+ fail_if(fq_name == NULL, "Failed to create fq name.");
-+
-+ ret = sysdb_add_incomplete_group(test_ctx->domain, fq_name, 0,
-+ NULL, NULL, NULL, false, 0);
-+ fail_if(ret != EOK, "sysdb_add_group failed.");
-+
-+ /* Test */
-+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, fq_name, get_attrs, &msg);
-+ fail_if(ret != EOK, "sysdb_search_group_by_name failed.");
-+
-+ attrval = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
-+ fail_if(strcasecmp(attrval, "false") != 0, "Got bad attribute value.");
-+
-+ id = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 123);
-+ fail_unless(id == 0, "Wrong GID value");
-+}
-+
-+START_TEST (test_sysdb_add_nonposix_group)
-+{
-+ struct sysdb_test_ctx *test_ctx;
-+ int ret;
-+
-+ /* Setup */
-+ ret = setup_sysdb_tests(&test_ctx);
-+ fail_if(ret != EOK, "Could not set up the test");
-+
-+ add_nonposix_incomplete_group(test_ctx, "nonposix1");
-+ add_nonposix_incomplete_group(test_ctx, "nonposix2");
-+
-+ talloc_free(test_ctx);
-+}
-+END_TEST
-+
- START_TEST (test_sysdb_add_group_member)
- {
- struct sysdb_test_ctx *test_ctx;
-@@ -7268,8 +7315,9 @@ Suite *create_sysdb_suite(void)
- /* Test GetUserAttr with subdomain user */
- tcase_add_test(tc_sysdb, test_sysdb_get_user_attr_subdomain);
-
-- /* Test adding a non-POSIX user */
-+ /* Test adding a non-POSIX user and group */
- tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_user);
-+ tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_group);
-
- /* ===== NETGROUP TESTS ===== */
-
---
-2.17.0
-
diff --git a/0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch b/0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
deleted file mode 100644
index dbb2c02..0000000
--- a/0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From dfcc67f54823bee15632cf52704842863e8b8a93 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Tue, 3 Apr 2018 21:48:37 +0200
-Subject: [PATCH] Do not keep allocating external groups on a long-lived
- context
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The hash table with the external groups was never freed, so the
-server_mode->ext_groups context was growing over time.
-
-This patch keeps the new hash on the state if something failed, then
-frees the previous hash and finally steals the new hash onto the server
-mode.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3719
-
-Signed-off-by: Sumit Bose <sbose@redhat.com>
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 10213efaf1f9f587b47a82778a252d79863f665e)
----
- src/providers/ipa/ipa_subdomains_ext_groups.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
-index 9e1d6c3a9..63ff7c7d7 100644
---- a/src/providers/ipa/ipa_subdomains_ext_groups.c
-+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
-@@ -583,14 +583,19 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
- DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n",
- state->reply_count);
-
-- ret = process_ext_groups(state->server_mode->ext_groups,
-- state->reply_count, state->reply, &ext_group_hash);
-+ ret = process_ext_groups(state,
-+ state->reply_count,
-+ state->reply,
-+ &ext_group_hash);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n");
- goto fail;
- }
-
-- state->server_mode->ext_groups->ext_groups = ext_group_hash;
-+ talloc_free(state->server_mode->ext_groups->ext_groups);
-+ state->server_mode->ext_groups->ext_groups = talloc_steal(
-+ state->server_mode->ext_groups,
-+ ext_group_hash);
- /* Do we have to make the update timeout configurable? */
- state->server_mode->ext_groups->next_update = time(NULL) + 10;
-
---
-2.17.0
-
diff --git a/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch b/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
deleted file mode 100644
index a379cd0..0000000
--- a/0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 2b965403ecc5a6685602859945a4b73d0f5cddcd Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Wed, 2 May 2018 11:37:55 +0200
-Subject: [PATCH] CACHE_REQ: Do not fail the domain locator plugin if ID
- outside the domain range is looked up
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A fix for upstream bug #3569 and the domain-locator feature were both
-developed in the context of the same upstream version and therefore
-touched the same code, but the domain locator did not account for the
-ERR_ID_OUTSIDE_RANGE error code.
-
-Therefore lookups for IDs that are outside the range for the domain
-caused the whole lookup to fail instead of carrying on to the next
-domain.
-
-This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID
-was not found at all. Also some whitespace errors are fixed.
-
-Resolves:
-https://pagure.io/SSSD/sssd/issue/3728
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 2952de740f2ec1da9cbd682fb1d9219e5370e6a1)
----
- src/responder/common/cache_req/cache_req.c | 1 +
- .../cache_req/plugins/cache_req_common.c | 2 +-
- .../cache_req/plugins/cache_req_group_by_id.c | 2 +-
- src/tests/cmocka/test_responder_cache_req.c | 32 +++++++++++++++++++
- 4 files changed, 35 insertions(+), 2 deletions(-)
-
-diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
-index 134688b0f..28b563392 100644
---- a/src/responder/common/cache_req/cache_req.c
-+++ b/src/responder/common/cache_req/cache_req.c
-@@ -523,6 +523,7 @@ static void cache_req_locate_dom_cache_done(struct tevent_req *subreq)
- DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n");
- tevent_req_done(req);
- return;
-+ case ERR_ID_OUTSIDE_RANGE:
- case ENOENT:
- /* Not cached and locator was requested, run the locator
- * DP request plugin
-diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c
-index 240416803..d19ca8912 100644
---- a/src/responder/common/cache_req/plugins/cache_req_common.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_common.c
-@@ -27,7 +27,7 @@
- #include "responder/common/cache_req/cache_req_plugin.h"
-
- errno_t cache_req_idminmax_check(struct cache_req_data *data,
-- struct sss_domain_info *domain)
-+ struct sss_domain_info *domain)
- {
- if (((domain->id_min != 0) && (data->id < domain->id_min)) ||
- ((domain->id_max != 0) && (data->id > domain->id_max))) {
-diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
-index 3fb81032b..e0c6b6515 100644
---- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
-+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c
-@@ -85,7 +85,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
-
- ret = cache_req_idminmax_check(data, domain);
- if (ret != EOK) {
-- return ret;
-+ return ret;
- }
- return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
- }
-diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
-index 252d89dad..45d71b83b 100644
---- a/src/tests/cmocka/test_responder_cache_req.c
-+++ b/src/tests/cmocka/test_responder_cache_req.c
-@@ -1827,6 +1827,37 @@ void test_group_by_id_multiple_domains_notfound(void **state)
- assert_true(test_ctx->dp_called);
- }
-
-+void test_group_by_id_multiple_domains_outside_id_range(void **state)
-+{
-+ struct cache_req_test_ctx *test_ctx = NULL;
-+ struct sss_domain_info *domain = NULL;
-+ struct sss_domain_info *domain_a = NULL;
-+
-+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
-+
-+ domain_a = find_domain_by_name(test_ctx->tctx->dom,
-+ "responder_cache_req_test_a", true);
-+ assert_non_null(domain_a);
-+ domain_a->id_min = 1;
-+ domain_a->id_max = 100;
-+
-+ /* Setup group. */
-+ domain = find_domain_by_name(test_ctx->tctx->dom,
-+ "responder_cache_req_test_d", true);
-+ assert_non_null(domain);
-+ prepare_group(domain, &groups[0], 1000, time(NULL));
-+
-+ /* Mock values. */
-+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
-+ will_return_always(sss_dp_req_recv, 0);
-+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
-+
-+ /* Test. */
-+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
-+ assert_true(test_ctx->dp_called);
-+ check_group(test_ctx, &groups[0], domain);
-+}
-+
- void test_group_by_id_multiple_domains_locator_cache_valid(void **state)
- {
- struct cache_req_test_ctx *test_ctx = NULL;
-@@ -3970,6 +4001,7 @@ int main(int argc, const char *argv[])
- new_single_domain_test(group_by_id_missing_notfound),
- new_multi_domain_test(group_by_id_multiple_domains_found),
- new_multi_domain_test(group_by_id_multiple_domains_notfound),
-+ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range),
-
- new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid),
- new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired),
---
-2.17.0
-
diff --git a/0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch b/0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
deleted file mode 100644
index 05e8249..0000000
--- a/0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b96c60f55789527b1f9232ddae03e5c7566bf578 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 4 May 2018 17:00:55 +0200
-Subject: [PATCH] NSS: nss_clear_netgroup_hash_table() do not free data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-nss_clear_netgroup_hash_table() is called during the clearEnumCache SBUS
-request, which is e.g. used during 'sss_cache -E', to remove netgroup
-data cached in the memory of the NSS responder.
-
-Currently nss_clear_netgroup_hash_table() calls
-'sss_ptr_hash_delete_all(nss_ctx->netgrent, true);' which not only
-removes all entries in the 'netgerent' hash table but frees them as
-well.
-
-The second step is not needed because nss_setnetgrent_set_timeout()
-takes care that the data is freed after a timeout. Additionally freeing
-the data in nss_clear_netgroup_hash_table() can even do harm when the
-request is received by the NSS responder while waiting for the backend
-to acquire the netgroup data. Because if the backend is done the NSS
-responder tries do use enum_ctx which might have been freed in the
-meantime.
-
-Because of this nss_clear_netgroup_hash_table() should only remove the
-data from the hash table but not free it.
-
-Related to https://pagure.io/SSSD/sssd/issue/3731
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-(cherry picked from commit b13cc2d1413a0d5bbe36e06e5ffd87dbf5c0cb9f)
----
- src/responder/nss/nsssrv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
-index 171c2a5ca..004e6c1a1 100644
---- a/src/responder/nss/nsssrv.c
-+++ b/src/responder/nss/nsssrv.c
-@@ -142,7 +142,7 @@ static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *da
-
- DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n");
-
-- sss_ptr_hash_delete_all(nss_ctx->netgrent, true);
-+ sss_ptr_hash_delete_all(nss_ctx->netgrent, false);
-
- return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
- }
---
-2.17.0
-
diff --git a/0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch b/0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
deleted file mode 100644
index fa87f50..0000000
--- a/0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-From e7aee44602eb36ee1e1201ad6c7234562b8bb703 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 5 Dec 2017 21:14:09 +0100
-Subject: [PATCH] SYSDB: Properly handle name/gid override when using domain
- resolution order
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When using name/gid override together with domain resolution order the
-mpg name/gid may be returned instead of the overridden one.
-
-In order to avoid that, let's add a check in case the domain supports
-mpg so we can ensure that the originalADname and originalADgidNumber
-attributes are the very same as the ones searched and then normally
-proceed with the current flow in the code. In case those are not the
-same, we *must* follow the code path for the non-mpg domains and then
-return the proper values.
-
-Resolves: https://pagure.io/SSSD/sssd/issue/3595
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit cf4f5e031ecbdfba0b55a4f69a06175a2e718e67)
----
- src/db/sysdb.h | 2 +
- src/db/sysdb_search.c | 116 ++++++++++++++++++++++++++++++++++--------
- 2 files changed, 97 insertions(+), 21 deletions(-)
-
-diff --git a/src/db/sysdb.h b/src/db/sysdb.h
-index 2660314a7..d9c8fd5d6 100644
---- a/src/db/sysdb.h
-+++ b/src/db/sysdb.h
-@@ -258,6 +258,8 @@
- SYSDB_OVERRIDE_OBJECT_DN, \
- SYSDB_DEFAULT_OVERRIDE_NAME, \
- SYSDB_UUID, \
-+ ORIGINALAD_PREFIX SYSDB_NAME, \
-+ ORIGINALAD_PREFIX SYSDB_GIDNUM, \
- NULL}
-
- #define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
-diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
-index b7ceb6e59..66c4977b3 100644
---- a/src/db/sysdb_search.c
-+++ b/src/db/sysdb_search.c
-@@ -893,8 +893,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
- const char *fmt_filter;
- char *sanitized_name;
- struct ldb_dn *base_dn;
-- struct ldb_result *res;
-+ struct ldb_result *res = NULL;
- char *lc_sanitized_name;
-+ const char *originalad_sanitized_name;
- int ret;
-
- tmp_ctx = talloc_new(NULL);
-@@ -902,30 +903,67 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
- return ENOMEM;
- }
-
-+ ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
-+ &sanitized_name, &lc_sanitized_name);
-+ if (ret != EOK) {
-+ goto done;
-+ }
-+
- if (domain->mpg) {
-+ /* In case the domain supports magic private groups we *must*
-+ * check whether the searched name is the very same as the
-+ * originalADname attribute.
-+ *
-+ * In case those are not the same, we're dealing with an
-+ * override and in order to return the proper overridden group
-+ * we must use the very same search used by a non-mpg domain
-+ */
- fmt_filter = SYSDB_GRNAM_MPG_FILTER;
- base_dn = sysdb_domain_dn(tmp_ctx, domain);
-+ if (base_dn == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
-+ LDB_SCOPE_SUBTREE, attrs, fmt_filter,
-+ lc_sanitized_name, sanitized_name, sanitized_name);
-+ if (ret != EOK) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
-+
-+ if (res->count > 0) {
-+ originalad_sanitized_name = ldb_msg_find_attr_as_string(
-+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
-+
-+ if (originalad_sanitized_name != NULL
-+ && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
-+ fmt_filter = SYSDB_GRNAM_FILTER;
-+ base_dn = sysdb_group_base_dn(tmp_ctx, domain);
-+ res = NULL;
-+ }
-+ }
- } else {
- fmt_filter = SYSDB_GRNAM_FILTER;
- base_dn = sysdb_group_base_dn(tmp_ctx, domain);
- }
-- if (!base_dn) {
-+ if (base_dn == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
-- ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
-- &sanitized_name, &lc_sanitized_name);
-- if (ret != EOK) {
-- goto done;
-- }
--
-- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
-- LDB_SCOPE_SUBTREE, attrs, fmt_filter,
-- lc_sanitized_name, sanitized_name, sanitized_name);
-- if (ret) {
-- ret = sysdb_error_to_errno(ret);
-- goto done;
-+ /* We just do the ldb_search here in case domain is *not* a MPG *or*
-+ * it's a MPG and we're dealing with a overriden group, which has to
-+ * use the very same filter as a non MPG domain. */
-+ if (res == NULL) {
-+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
-+ LDB_SCOPE_SUBTREE, attrs, fmt_filter,
-+ lc_sanitized_name, sanitized_name, sanitized_name);
-+ if (ret != EOK) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
- }
-
- ret = mpg_res_convert(res);
-@@ -1045,10 +1083,11 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
- {
- TALLOC_CTX *tmp_ctx;
- unsigned long int ul_gid = gid;
-+ unsigned long int ul_originalad_gid;
- static const char *attrs[] = SYSDB_GRSRC_ATTRS;
- const char *fmt_filter;
- struct ldb_dn *base_dn;
-- struct ldb_result *res;
-+ struct ldb_result *res = NULL;
- int ret;
-
- tmp_ctx = talloc_new(NULL);
-@@ -1057,22 +1096,57 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
- }
-
- if (domain->mpg) {
-+ /* In case the domain supports magic private groups we *must*
-+ * check whether the searched gid is the very same as the
-+ * originalADgidNumber attribute.
-+ *
-+ * In case those are not the same, we're dealing with an
-+ * override and in order to return the proper overridden group
-+ * we must use the very same search used by a non-mpg domain
-+ */
- fmt_filter = SYSDB_GRGID_MPG_FILTER;
- base_dn = sysdb_domain_dn(tmp_ctx, domain);
-+ if (base_dn == NULL) {
-+ ret = ENOMEM;
-+ goto done;
-+ }
-+
-+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
-+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
-+ if (ret != EOK) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
-+
-+ if (res->count > 0) {
-+ ul_originalad_gid = ldb_msg_find_attr_as_uint64(
-+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_GIDNUM, 0);
-+
-+ if (ul_originalad_gid != 0 && ul_originalad_gid != ul_gid) {
-+ fmt_filter = SYSDB_GRGID_FILTER;
-+ base_dn = sysdb_group_base_dn(tmp_ctx, domain);
-+ res = NULL;
-+ }
-+ }
- } else {
- fmt_filter = SYSDB_GRGID_FILTER;
- base_dn = sysdb_group_base_dn(tmp_ctx, domain);
- }
-- if (!base_dn) {
-+ if (base_dn == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
-- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
-- LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
-- if (ret) {
-- ret = sysdb_error_to_errno(ret);
-- goto done;
-+ /* We just do the ldb_search here in case domain is *not* a MPG *or*
-+ * it's a MPG and we're dealing with a overriden group, which has to
-+ * use the very same filter as a non MPG domain. */
-+ if (res == NULL) {
-+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
-+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
-+ if (ret != EOK) {
-+ ret = sysdb_error_to_errno(ret);
-+ goto done;
-+ }
- }
-
- ret = mpg_res_convert(res);
---
-2.17.0
-
diff --git a/0063-test_ca-add-empty-index.txt.attr-file.patch b/0063-test_ca-add-empty-index.txt.attr-file.patch
deleted file mode 100644
index 72c9145..0000000
--- a/0063-test_ca-add-empty-index.txt.attr-file.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From f6d3289ca95bcaca68647f0db76c100d616679bc Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 14 Mar 2018 15:15:19 +0100
-Subject: [PATCH] test_ca: add empty index.txt.attr file
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Although is does not harm because 'openssl ca' creates the
-index.tx.tattr file with a suitable content automatically this patch
-adds the file to the test_CA directory to silence a message like:
-
-Can't open ./index.txt.attr for reading, No such file or directory
-139867607979840:error:02001002:system library:fopen:No such file or
-directory:crypto/bio/bss_file.c:74:fopen('./index.txt.attr','r')
-139867607979840:error:2006D080:BIO routines:BIO_new_file:no such
-file:crypto/bio/bss_file.c:81:
-
-which is show by recent versions of OpenSSL.
-
-Related to https://pagure.io/SSSD/sssd/issue/3436
-
-Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
-(cherry picked from commit 86c06c3b3d1cb4f590bcd951939bf3ef0001c4d3)
----
- src/tests/test_CA/Makefile.am | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
-index a23a3feef..bfcd908e3 100644
---- a/src/tests/test_CA/Makefile.am
-+++ b/src/tests/test_CA/Makefile.am
-@@ -89,5 +89,6 @@ clean-local:
-
- serial: clean
- touch index.txt
-+ touch index.txt.attr
- mkdir newcerts
- echo -n 01 > serial
---
-2.17.0
-
diff --git a/sources b/sources
index 5488873..f3ab243 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-1.16.1.tar.gz) = fb9611cecf4c74b5a82224f9f8d3b98341c144d248094b6cb12975343db9b85142ded620e5f26fef63b2db29cdb45eb8abd698db82e9a1334bc6e001001109fd
+SHA512 (sssd-1.16.2.tar.gz) = de029e60c509d1ca9d716074c6c30bc469793440ad11452be6756df110911772d3d9d6bf555acb65f510957d6b8a265f0accc0940622101fa9cf809ac9c6d999
diff --git a/sssd.spec b/sssd.spec
index b099c4a..9ce5d02 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -25,6 +25,10 @@
%global with_gdm_pam_extensions 1
+%if (0%{?fedora} > 28)
+ %global use_openssl 1
+%endif
+
%global libwbc_alternatives_version 0.14
%global libwbc_lib_version %{libwbc_alternatives_version}.0
%global libwbc_alternatives_suffix %nil
@@ -33,8 +37,8 @@
%endif
Name: sssd
-Version: 1.16.1
-Release: 9%{?dist}
+Version: 1.16.2
+Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -42,69 +46,6 @@ URL: https://pagure.io/SSSD/sssd/
Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
### Patches ###
-Patch0001: 0001-IPA-Handle-empty-nisDomainName.patch
-Patch0002: 0002-intg-enhance-netgroups-test.patch
-Patch0003: 0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
-Patch0004: 0004-TOOLS-Take-into-consideration-app-domains.patch
-Patch0005: 0005-TESTS-Move-get_call_output-to-util.py.patch
-Patch0006: 0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
-Patch0007: 0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
-Patch0008: 0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
-Patch0009: 0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
-Patch0010: 0010-KCM-Introduce-kcm_input_get_payload_len.patch
-Patch0011: 0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
-Patch0012: 0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
-Patch0013: 0013-intg-convert-results-returned-as-bytes-to-strings.patch
-Patch0014: 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
-Patch0015: 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
-Patch0016: 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
-#Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
-#Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch
-Patch0019: 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
-Patch0020: 0020-IPA-Qualify-the-externalUser-sudo-attribute.patch
-Patch0021: 0021-NSS-Adjust-netgroup-setnetgrent-cache-lifetime-if-mi.patch
-Patch0022: 0022-CONFDB-Add-passwd_files-and-group_files-options.patch
-Patch0023: 0023-FILES-Handle-files-provider-sources.patch
-Patch0024: 0024-TESTS-Add-a-test-for-the-multiple-files-feature.patch
-Patch0025: 0025-AD-Missing-header-in-ad_access.h.patch
-Patch0026: 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
-Patch0027: 0027-GPO-Use-AD-site-override-if-set.patch
-Patch0028: 0028-nss-initialize-nss_enum_index-in-nss_setnetgrent.patch
-Patch0029: 0029-nss-add-a-netgroup-counter-to-struct-nss_enum_index.patch
-Patch0030: 0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
-Patch0031: 0031-sssctl-move-check-for-version-error-to-correct-place.patch
-Patch0032: 0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
-Patch0033: 0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
-Patch0034: 0034-MAN-Improve-docs-about-GC-detection.patch
-Patch0035: 0035-nss-idmap-do-not-set-a-limit.patch
-Patch0036: 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
-Patch0037: 0037-NSS-Add-InvalidateGroupById-handler.patch
-Patch0038: 0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
-Patch0039: 0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
-Patch0040: 0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
-Patch0041: 0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch
-Patch0042: 0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
-Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
-Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
-Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
-Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
-Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch
-Patch0048: 0048-FILES-Do-not-overwrite-and-actually-remove-files_ctx.patch
-Patch0049: 0049-FILES-Reduce-code-duplication.patch
-Patch0050: 0050-FILES-Reset-the-domain-status-back-even-on-errors.patch
-Patch0051: 0051-FILES-Skip-files-that-are-not-created-yet.patch
-Patch0052: 0052-FILES-Only-send-the-request-for-update-if-the-files-.patch
-Patch0053: 0053-TESTS-simple-CA-to-generate-certificates-for-test.patch
-Patch0054: 0054-TESTS-replace-hardcoded-certificates.patch
-Patch0055: 0055-DYNDNS-Move-the-retry-logic-into-a-separate-function.patch
-Patch0056: 0056-DYNDNS-Retry-also-on-timeouts.patch
-Patch0057: 0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
-Patch0058: 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
-Patch0059: 0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
-Patch0060: 0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
-Patch0061: 0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
-Patch0062: 0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
-Patch0063: 0063-test_ca-add-empty-index.txt.attr-file.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -182,12 +123,19 @@ BuildRequires: cifs-utils-devel
BuildRequires: libnfsidmap-devel
BuildRequires: samba4-devel
BuildRequires: libsmbclient-devel
+BuildRequires: samba-winbind
BuildRequires: systemtap-sdt-devel
BuildRequires: http-parser-devel
BuildRequires: libuuid-devel
BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: gdm-pam-extensions-devel
+%if (0%{?use_openssl} == 1)
+BuildRequires: p11-kit-devel
+BuildRequires: openssl-devel
+BuildRequires: gnutls-utils
+BuildRequires: softhsm >= 2.1.0
+%endif
BuildRequires: openssl
BuildRequires: openssh
BuildRequires: nss-tools
@@ -688,11 +636,13 @@ autoreconf -ivf
--disable-rpath \
--with-initscript=systemd \
--with-syslog=journald \
+%if (0%{?use_openssl} == 1)
+ --with-crypto=libcrypto \
+%endif
--enable-sss-default-nss-plugin \
--enable-files-domain \
%{?with_cifs_utils_plugin_option} \
- %{?enable_systemtap_opt} \
-
+ %{?enable_systemtap_opt}
make %{?_smp_mflags} all docs
@@ -909,6 +859,9 @@ done
%attr(750,root,root) %dir %{_var}/log/%{name}
%attr(700,root,root) %dir %{_sysconfdir}/sssd
%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
+%if (0%{?use_openssl} == 1)
+%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki
+%endif
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
@@ -1309,6 +1262,10 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
+* Mon Jun 11 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.2-1
+- New upstream release 1.16.2
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_16_2.html
+
* Thu May 24 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-9
- Related: upstream#3742 - Change of: User may not run sudo --> a password is
required