--- sssd-1.16.1.orig/.git-commit-template
+++ sssd-1.16.1/.git-commit-template
@@ -0,0 +1,9 @@
+COMPONENT: Subject
+
+Explanation
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/XXXX
+
+# Try to keep the subject line within 52 chars ----|
+# Also please try to not exceed 72 characters of length for the body --|
--- sssd-1.16.1.orig/.tx/config
+++ sssd-1.16.1/.tx/config
@@ -0,0 +1,13 @@
+[main]
+host = https://www.transifex.com
+
+[sssd.master-po-sssd-pot]
+file_filter = po/.po
+source_file = po/sssd.pot
+source_lang = en
+
+[sssd.sssd-docspot_1]
+file_filter = src/man/po/.po
+source_file = src/man/po/sssd-docs.pot
+source_lang = en
+
--- sssd-1.16.1.orig/README.md
+++ sssd-1.16.1/README.md
@@ -0,0 +1,52 @@
+# SSSD - System Security Services Daemon
+
+## Introduction
+SSSD provides a set of daemons to manage access to remote directories and
+authentication mechanisms such as LDAP, Kerberos or FreeIPA. It provides
+an NSS and PAM interface toward the system and a pluggable backend system
+to connect to multiple different account sources.
+
+More information about SSSD can be found on its project page -
+https://pagure.io/SSSD/sssd/
+
+## Downloading SSSD
+SSSD is shipped as a binary package by most Linux distributions. If you
+want to obtain the latest source files, please navigate to the
+[Releases folder on pagure](https://releases.pagure.org/SSSD/sssd/)
+
+## Releases
+SSSD maintains two release streams - stable and LTM. Releases designated as
+LTM are long-term maintenance releases and will see bugfixes and security
+patches for a longer time than other releases.
+
+The list of all releases is maintained together with [SSSD documentation](https://docs.pagure.org/SSSD.sssd/users/releases.html)
+
+## Building and installation from source
+Please see the [our developer documentation](https://docs.pagure.org/SSSD.sssd/developers/)
+
+## Documentation
+The most up-to-date documentation can be found at https://docs.pagure.org/SSSD.sssd/
+
+Its source code is hosted at https://pagure.io/SSSD/docs
+
+## Submitting bugs
+Please file an issue in the [SSSD pagure instance](https://pagure.io/SSSD/sssd/issues).
+Make sure to follow the [guide on reporting SSSD bugs](https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html)
+
+## Licensing
+Please see the file called COPYING.
+
+## Social networks
+We maintain our presence on [Twitter](https://twitter.com/SysSecSvcDaemon)
+and [Google plus](https://plus.google.com/114204339376082660377)
+
+## Contacts
+There are several ways to contact us:
+
+* the sssd-devel mailing list: [Development of the System Security Services Daemon](
+ https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/)
+* the sssd-users mailing list: [End-user discussions about the System Security Services Daemon](
+ https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/)
+* the #sssd and #freeipa IRC channels on freenode:
+ * irc://irc.freenode.net/sssd
+ * irc://irc.freenode.net/freeipa
--- sssd-1.16.1.orig/Vagrantfile
+++ sssd-1.16.1/Vagrantfile
@@ -0,0 +1,77 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Fedora blog on creating Vagrant files:
+# http://fedoramagazine.org/running-vagrant-fedora-22/
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure(2) do |config|
+ # The most common configuration options are documented and commented below.
+ # For a complete reference, please see the online documentation at
+ # https://docs.vagrantup.com.
+
+ # Every Vagrant development environment requires a box. You can search for
+ # boxes at https://atlas.hashicorp.com/search.
+ config.vm.box = "fedora-22"
+ config.vm.box_url = "http://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Base-Vagrant-22-20150521.x86_64.vagrant-libvirt.box"
+
+ # Disable automatic box update checking. If you disable this, then
+ # boxes will only be checked for updates when the user runs
+ # `vagrant box outdated`. This is not recommended.
+ # config.vm.box_check_update = false
+
+ # Create a forwarded port mapping which allows access to a specific port
+ # within the machine from a port on the host machine. In the example below,
+ # accessing "localhost:8080" will access port 80 on the guest machine.
+ # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+ # Create a private network, which allows host-only access to the machine
+ # using a specific IP.
+ # config.vm.network "private_network", ip: "192.168.33.10"
+
+ # Create a public network, which generally matched to bridged network.
+ # Bridged networks make the machine appear as another physical device on
+ # your network.
+ # config.vm.network "public_network"
+
+ # Share an additional folder to the guest VM. The first argument is
+ # the path on the host to the actual folder. The second argument is
+ # the path on the guest to mount the folder. And the optional third
+ # argument is a set of non-required options.
+ # config.vm.synced_folder "../data", "/vagrant_data"
+
+ # Provider-specific configuration so you can fine-tune various
+ # backing providers for Vagrant. These expose provider-specific options.
+ # Example for VirtualBox:
+ #
+ # config.vm.provider "virtualbox" do |vb|
+ # # Display the VirtualBox GUI when booting the machine
+ # vb.gui = true
+ #
+ # # Customize the amount of memory on the VM:
+ # vb.memory = "1024"
+ # end
+ #
+ # View the documentation for the provider you are using for more
+ # information on available options.
+
+ # Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
+ # such as FTP and Heroku are also available. See the documentation at
+ # https://docs.vagrantup.com/v2/push/atlas.html for more information.
+ # config.push.define "atlas" do |push|
+ # push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
+ # end
+
+ # Enable provisioning with a shell script. Additional provisioners such as
+ # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+ # documentation for more information about their specific syntax and use.
+ # config.vm.provision "shell", inline: <<-SHELL
+ # sudo apt-get update
+ # sudo apt-get install -y apache2
+ # SHELL
+
+ config.vm.provision :shell, path: "contrib/vagrant/bootstrap.sh"
+end
--- sssd-1.16.1.orig/contrib/gdb/sssd_gdb_plugin.py
+++ sssd-1.16.1/contrib/gdb/sssd_gdb_plugin.py
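Review bot: The `config.vm.box_url` line in the Vagrantfile fetches the Fedora 22 box over plain `http://` and nothing in the block pins its content, so whatever image arrives is then provisioned by `contrib/vagrant/bootstrap.sh` through the shell provisioner. Switch the URL to `https://` and add `config.vm.box_download_checksum = "<sha256 of the box>"` together with `config.vm.box_download_checksum_type = "sha256"` so a substituted or corrupted image fails the download. Fedora 22 is also long past end of life, so the packages the bootstrap script installs come from an unmaintained release; a comment stating which box version the environment is tested against would help whoever updates it.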
@@ -0,0 +1,196 @@
+# SSSD and LDB debugging plugins
+#
+# Activate them by putting:
+# source /path/to/this/file.py
+# to your .gdbinit file
+#
+# To bypass the pretty printer and print the raw values, use the "/r" option:
+# print /r foobar
+import gdb
+
+
+def gdb_printer_decorator(fn):
+ gdb.pretty_printers.append(fn)
+ return fn
+
+
+def indent_string(s, indent):
+ return '\n'.join(["%s%s" % ("\t" * indent, part) for part in s.split('\n')])
+
+
+class StringPrinter(object):
+ "Shared code between different string-printing classes"
+ def __init__(self, val):
+ self.val = val
+
+ def to_string(self):
+ return self.as_string()
+
+
+class LdbDnPrinter(StringPrinter):
+ " print an ldb dn "
+
+ def as_string(self, indent=0):
+ ret = "{ <%s>\tlinearized:%s }" % (self.val.type, self.val['linearized'])
+ return indent_string(ret, indent)
+
+
+class LdbValPrinter(StringPrinter):
+ " print a ldb value"
+
+ def as_string(self, indent=0):
+ ret = "data = %(data)s, length = %(length)s" % self.val
+ return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent)
+
+
+class LdbMessageElementPrinter(StringPrinter):
+ " print a ldb message element "
+
+ def as_string(self, indent=0):
+ ret = "flags = %(flags)s, name = %(name)s, num_values = %(num_values)s" % self.val
+ try:
+ nvals = int(self.val['num_values'])
+ except ValueError:
+ return "num_values is not numeric?"
+
+ for i in range(nvals):
+ ldbval = LdbValPrinter(self.val['values'][i])
+ ret += "\n%s" % (ldbval.as_string(indent+1))
+
+ return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent)
+
+
+class LdbMessagePrinter(StringPrinter):
+ " print a ldb message "
+
+ def as_string(self, indent=0):
+ try:
+ nels = int(self.val['num_elements'])
+ except ValueError:
+ return "num_elements is not numeric?"
+
+ dn = LdbDnPrinter(self.val['dn'])
+ ret = "num_elements:\t%s\ndn:\t%s\nelements:\t" % (nels, dn.as_string(indent))
+
+ for i in range(nels):
+ el = LdbMessageElementPrinter(self.val['elements'][i])
+ ret += "\n%s" % (el.as_string(indent+1))
+
+ return indent_string("{ <%s>\n%s }" % (self.val.type, ret), indent)
+
+
+class LdbResultPrinter(StringPrinter):
+ " print a ldb message element "
+
+ def as_string(self, indent=0):
+ ret = "count = %(count)s, extended = %(extended)s, controls = %(controls)s, refs = %(refs)s" % self.val
+ try:
+ count = int(self.val['count'])
+ except ValueError:
+ ret += 'Count is not numeric value?'
+ return ret
+
+ for i in range(count):
+ msg = LdbMessagePrinter(self.val['msgs'][i])
+ ret += "\n%s" % (msg.as_string(indent+1))
+
+ return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent)
+
+
+class SysdbAttrsPrinter(StringPrinter):
+ " print a struct sysdb attrs "
+
+ def as_string(self, indent=0):
+ ret = "num = %(num)s" % self.val
+
+ try:
+ num = int(self.val['num'])
+ except ValueError:
+ ret += 'num is not numeric value?'
+ return ret
+
+ for i in range(num):
+ el = LdbMessageElementPrinter(self.val['a'][i])
+ ret += "\n%s" % (el.as_string(indent+1))
+
+ return indent_string("{ <%s>\t%s }" % (self.val.type, ret), indent)
+
+
+# ---
+# --- register pretty printers ---
+# ---
+@gdb_printer_decorator
+def ldb_val_element_printer(val):
+ if str(val.type) == 'struct ldb_dn':
+ return LdbDnPrinter(val)
+ return None
+
+
+@gdb_printer_decorator
+def ldb_val_element_printer(val):
+ if str(val.type) == 'struct ldb_val':
+ return LdbValPrinter(val)
+ return None
+
+
+@gdb_printer_decorator
+def ldb_message_element_printer(val):
+ if str(val.type) == 'struct ldb_message_element':
+ return LdbMessageElementPrinter(val)
+ return None
+
+
+@gdb_printer_decorator
+def ldb_message_printer(val):
+ if str(val.type) == 'struct ldb_message':
+ return LdbMessagePrinter(val)
+ return None
+
+
+@gdb_printer_decorator
+def ldb_result_printer(val):
+ if str(val.type) == 'struct ldb_result':
+ return LdbResultPrinter(val)
+ return None
+
+
+@gdb_printer_decorator
+def sysdb_attrs_printer(val):
+ if str(val.type) == 'struct sysdb_attrs':
+ return SysdbAttrsPrinter(val)
+ return None
+
+
+# ---
+# --- set a breakpoint at the tevent_req finish fn ---
+# ---
+class TeventBreak(gdb.Command):
+ """Break at the tevent finish location """
+
+ def __init__(self):
+ super(TeventBreak, self).__init__("tbr", gdb.COMMAND_BREAKPOINTS)
+
+ def invoke(self, arg, from_tty):
+ req = gdb.parse_and_eval(arg)
+ if not hasattr(req, 'type'):
+ print('cannot determine the type of the variable')
+ return
+ if str(req.type) != 'struct tevent_req *':
+ print('wrong attribute - must be a tevent_req pointer')
+ return
+
+ try:
+ fn = req['async']['fn']
+ except KeyError:
+ print("No async function defined?")
+ return
+
+ try:
+ fnaddr = str(fn).split()[0].strip()
+ except IndexError:
+ print("Cannot get function address")
+ return
+
+ b = gdb.Breakpoint("*%s" % fnaddr)
+
+TeventBreak()
--- sssd-1.16.1.orig/contrib/gdb/../gdbinit
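Review bot: The first two registered lookup functions in sssd_gdb_plugin.py are both named `ldb_val_element_printer`, although the first one matches `struct ldb_dn`; it only works because the decorator appends each function to `gdb.pretty_printers` before the name is rebound. Rename the first to `ldb_dn_printer` so the module namespace matches what is registered. In `TeventBreak.invoke`, `gdb.parse_and_eval(arg)` can raise `gdb.error` on an expression gdb cannot evaluate, which the following `hasattr` check does not cover, and the `b = ` assignment is never used. The printer classes also carry one-line docstrings that are partly copy-pasted (`LdbResultPrinter` says "print a ldb message element"); a docstring naming the struct each one handles would be more useful.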
sssd-1.16.1/contrib/gdbinit
@@ -0,0 +1,2 @@
+# When attaching to an SSSD process, cancel the watchdog
+p teardown_watchdog()
--- sssd-1.16.1.orig/contrib/git/pre-push
+++ sssd-1.16.1/contrib/git/pre-push
@@ -0,0 +1,73 @@
+#!/usr/bin/env python
+
+# A git pre-push hook that declines commits that don't contain a Reviewed-By:
+# tag. The tag must be present on the beginning of the line. To activate, copy
+# to $GIT_DIR/hooks/pre-push and make sure the executable flag is on.
+
+# The commit message should also be based on .git-commit-template, although
+# that is just best practice and not enforced
+
+import sys
+import re
+import subprocess
+
+
+def get_all_commits(ref_from, ref_to):
+ args = ['git', 'rev-list', '{:s}..{:s}'.format(ref_from, ref_to)]
+ p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ out, err = p.communicate()
+ return [commit.strip() for commit in out.decode('UTF-8').split('\n') if commit != '']
+
+
+def commit_message(commit_hash):
+ args = ['git', 'cat-file', 'commit', commit_hash]
+ p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ out, err = p.communicate()
+ return out.decode('UTF-8')
+
+
+def commit_has_rb(commit):
+ msg = commit_message(commit)
+ for l in msg.split('\n'):
+ has_rb = re.search('^Reviewed-by:', l)
+ if has_rb:
+ return True
+
+ return False
+
+
+def report_commit(commit_hash):
+ print("Commit {:s} does not have Reviewed-By!".format(commit_hash))
+ print("Full message:\n======")
+ print("{:s}".format(commit_message(commit_hash)))
+ print("======")
+
+
+# man 5 githooks says:
+# Information about what is to be pushed is provided on the hook's
+# standard input with lines of the form:
+# SP SP SP LF
+def check_push(hook_input):
+ ref_to = hook_input.split()[1][:6]
+ ref_from = hook_input.split()[3][:6]
+ commit_list = get_all_commits(ref_from, ref_to)
+
+ no_rb_list = []
+ for commit in commit_list:
+ if not commit_has_rb(commit):
+ no_rb_list.append(commit)
+
+ return no_rb_list
+
+# Don't warn when pushing to personal repositories, only origin
+remote = sys.argv[1]
+if remote != 'origin':
+ sys.exit(0)
+
+for hook_input in sys.stdin.readlines():
+ no_rb_list = check_push(hook_input)
+
+ if len(no_rb_list) > 0:
+ for offender in no_rb_list:
+ report_commit(offender)
+ sys.exit(1)
--- sssd-1.16.1.orig/contrib/suse/sssd.spec.in
+++ sssd-1.16.1/contrib/suse/sssd.spec.in
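Review bot: This pre-push hook fails open: `get_all_commits` ignores the exit status of `git rev-list` and discards stderr, so when the range cannot be resolved the commit list is empty and the push goes through without any Reviewed-by check. In `check_push` that is likely for a newly created remote branch, where githooks(5) documents the remote sha1 as all zeros, and the `[:6]` truncation of both hashes adds the risk of an ambiguous abbreviation. Pass the full hashes, replace the `Popen`/`communicate` pair with `out = subprocess.check_output(args)` so a git failure aborts the push, and handle the all-zero remote sha1 as its own case. A client-side hook can also be skipped with `git push --no-verify`, so the header comment should say the check is advisory unless the same rule is enforced on the server.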
@@ -0,0 +1,301 @@ +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib(1))")} +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib())")} + +Name: @PACKAGE_NAME@ +Version: @PACKAGE_VERSION@ +Release: 0@PRERELEASE_VERSION@%{?dist} +Group: Applications/System +Summary: System Security Services Daemon +# The entire source code is GPLv3+ except replace/ which is LGPLv3+ +License: GPLv3+ and LGPLv3+ +URL: https://pagure.io/SSSD/sssd/ +Source0: %{name}-%{version}.tar.gz +BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) + +%global dhash_version 0.4.0 + +### Patches ### + +### Dependencies ### + +Requires: libldb0 >= 0.9.3 +Requires: libtdb1 >= 1.1.3 +Requires: sssd-client = %{version}-%{release} +Requires: libdhash = %{dhash_version}-%{release} +Requires: cyrus-sasl-gssapi +Requires(post): python +Requires(preun): aaa_base procps filesystem +Requires(postun): /sbin/service + +%global servicename sssd +%global sssdstatedir %{_localstatedir}/lib/sss +%global dbpath %{sssdstatedir}/db +%global pipepath %{sssdstatedir}/pipes +%global pubconfpath %{sssdstatedir}/pubconf + +### Build Dependencies ### + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: m4 +BuildRequires: popt-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent0-devel +BuildRequires: libtdb1-devel +BuildRequires: libldb0-devel +BuildRequires: libcares-devel +BuildRequires: dbus-1-devel +BuildRequires: dbus-1 +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nspr-devel +BuildRequires: pcre-devel +BuildRequires: libxslt +BuildRequires: libxml2 +BuildRequires: docbook-xsl-stylesheets +BuildRequires: krb5-devel +BuildRequires: python-devel + + +%description +Provides a set of daemons to manage access to 
remote directories and +authentication mechanisms. It provides an NSS and PAM interface toward +the system and a pluggable backend system to connect to multiple different +account sources. It is also the basis to provide client auditing and policy +services for projects like FreeIPA. + +%package client +Summary: SSSD Client libraries for NSS and PAM +Group: Applications/System + +%description client +Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD +service. + +%package -n libdhash +Summary: Dynamic hash table +Group: Development/Libraries +Version: %{dhash_version} +License: LGPLv3+ + +%description -n libdhash +A hash table which will dynamically resize to achieve optimal storage & access +time properties + +%package -n libdhash-devel +Summary: Development files for libdhash +Group: Development/Libraries +Version: %{dhash_version} +Requires: libdhash = %{dhash_version}-%{release} +License: LGPLv3+ + +%description -n libdhash-devel +A hash table which will dynamically resize to achieve optimal storage & access +time properties + + +%prep +%setup -q + +%build +%configure \ + --without-tests \ + --with-db-path=%{dbpath} \ + --with-pipe-path=%{pipepath} \ + --with-pubconf-path=%{pubconfpath} \ + --with-init-dir=%{_initrddir} \ + --enable-nsslibdir=/%{_lib} \ + --without-selinux \ + --without-semanage \ + --with-os=suse \ + --disable-static + +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT + +make install DESTDIR=$RPM_BUILD_ROOT + +# Remove the example files from the output directory +# We will copy them directly from the source directory +# for packaging +rm -f \ + $RPM_BUILD_ROOT/usr/share/doc/dhash/README \ + $RPM_BUILD_ROOT/usr/share/doc/dhash/examples/dhash_example.c \ + $RPM_BUILD_ROOT/usr/share/doc/dhash/examples/dhash_test.c + +# Prepare language files +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sss_daemon +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sss_client + +# Copy default sssd.conf file +mkdir -p 
$RPM_BUILD_ROOT/%{_sysconfdir}/sssd +install -m600 server/examples/sssd.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf +install -m400 server/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf +install -m400 server/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/ + +# Remove .la files created by libtool +rm -f \ + $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ + $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ + $RPM_BUILD_ROOT/%{_libdir}/libdhash.la \ + $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ipa.la \ + $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ + $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la + +if test -e $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +then + # Apppend this file to the sss_daemon.lang + # Older versions of rpmbuild can only handle one -f option + echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so >> sss_daemon.lang +fi +for file in `ls $RPM_BUILD_ROOT/%{python_sitelib}/*.egg-info 2> /dev/null` +do + echo %{python_sitelib}/`basename $file` >> sss_daemon.lang +done + +%clean +rm -rf $RPM_BUILD_ROOT + +%files -f sss_daemon.lang +%defattr(-,root,root,-) +%doc COPYING +%{_initrddir}/%{name} +%{_sbindir}/sssd +%{_sbindir}/sss_useradd +%{_sbindir}/sss_userdel +%{_sbindir}/sss_usermod +%{_sbindir}/sss_groupadd +%{_sbindir}/sss_groupdel +%{_sbindir}/sss_groupmod +%{_sbindir}/sss_groupshow +%{_sbindir}/sss_debuglevel +%{_libexecdir}/%{servicename}/ +%{_libdir}/%{name}/ +%{_libdir}/ldb/memberof.so +%dir %{sssdstatedir} +%attr(700,root,root) %dir %{dbpath} +%attr(755,root,root) %dir %{pipepath} +%attr(755,root,root) %dir %{pubconfpath} +%attr(700,root,root) %dir %{pipepath}/private +%attr(750,root,root) %dir %{_var}/log/%{name} +%attr(700,root,root) 
%dir %{_sysconfdir}/sssd +%config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%config %{_sysconfdir}/sssd/sssd.api.conf +%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d +%config %{_sysconfdir}/sssd/sssd.api.d/ +%{_mandir}/man5/sssd.conf.5* +%{_mandir}/man5/sssd-ipa.5* +%{_mandir}/man5/sssd-krb5.5* +%{_mandir}/man5/sssd-ldap.5* +%{_mandir}/man8/sssd.8* +%{_mandir}/man8/sss_groupadd.8* +%{_mandir}/man8/sss_groupdel.8* +%{_mandir}/man8/sss_groupmod.8* +%{_mandir}/man8/sss_groupshow.8* +%{_mandir}/man8/sss_useradd.8* +%{_mandir}/man8/sss_userdel.8* +%{_mandir}/man8/sss_usermod.8* +%{_mandir}/man8/sss_debuglevel.8* +%{_mandir}/man8/sssd_krb5_locator_plugin.8* +%{python_sitearch}/pysss.so +%{python_sitelib}/*.py* + + +%files client -f sss_client.lang +%defattr(-,root,root,-) +/%{_lib}/libnss_sss.so.2 +/%{_lib}/security/pam_sss.so +%{_mandir}/man8/pam_sss.8* + +%files -n libdhash +%defattr(-,root,root,-) +%doc common/dhash/COPYING +%doc common/dhash/COPYING.LESSER +%{_libdir}/libdhash.so.1 +%{_libdir}/libdhash.so.1.0.0 + +%files -n libdhash-devel +%defattr(-,root,root,-) +%{_includedir}/dhash.h +%{_libdir}/libdhash.so +%{_libdir}/pkgconfig/dhash.pc +%doc common/dhash/README +%doc common/dhash/examples + +%post +/sbin/ldconfig +/sbin/chkconfig --add %{servicename} +if [ $1 -ge 2 ] ; then +# a one-time upgrade from confdb v1 to v2, only if upgrading + python %{_libexecdir}/%{servicename}/upgrade_config.py +fi + +%preun +if [ $1 = 0 ]; then + /sbin/service %{servicename} stop 2>&1 > /dev/null + /sbin/chkconfig --del %{servicename} +fi + +%postun +/sbin/ldconfig +if [ $1 -ge 1 ] ; then + /sbin/service %{servicename} condrestart 2>&1 > /dev/null +fi + +%post client -p /sbin/ldconfig + +%postun client -p /sbin/ldconfig + +%post -n libdhash -p /sbin/ldconfig + +%postun -n libdhash -p /sbin/ldconfig + +%changelog +* Mon Sep 28 2009 Sumit Bose - 0.6.0-0 +- New upstream release 0.6.0 + +* Fri Sep 25 2009 Simo Sorce - 0.5.0-1 +- Split package into server and clients 
components +- Convert to new config file format + +* Wed Sep 02 2009 Stephen Gallagher - 0.5.0-0 +- New upstream release 0.5.0 + +* Mon May 18 2009 Stephen Gallagher - 0.4.0-1 +- Convert build system to automake + +* Mon Apr 20 2009 Jakub Hrozek - 0.3.2-1 +- bugfix release 0.3.2 + +* Mon Apr 13 2009 Simo Sorce - 0.3.1-1 +- bugfix release + +* Sun Apr 12 2009 Stephen Gallagher - 0.3.0-2 +- Remove InfoPipe from RPM build + +* Sun Apr 12 2009 Stephen Gallagher - 0.3.0-1 +- Convert to using /etc/sssd/sssd.conf for configuration + +* Tue Mar 10 2009 Simo Sorce - 0.2.1-1 +- Bump up to version 0.2.1 + +* Fri Mar 06 2009 Jakub Hrozek - 0.1.0-4 +- fixed items found during review +- added initscript + +* Thu Mar 05 2009 Sumit Bose - 0.1.0-3 +- added sss_client + +* Mon Feb 23 2009 Jakub Hrozek - 0.1.0-2 +- Small cleanup and fixes in the spec file + +* Thu Feb 12 2009 Stephen Gallagher - 0.1.0-1 +- Initial release (based on version 0.1.0 upstream code) --- sssd-1.16.1.orig/contrib/vagrant/bootstrap.sh +++ sssd-1.16.1/contrib/vagrant/bootstrap.sh @@ -0,0 +1,21 @@ +#!/bin/bash -x + +sed -e "s/@PACKAGE_NAME@/sssd/" \ + -e "s/@PRERELEASE_VERSION@//" \ + -e "s/@PACKAGE_VERSION@/0/" \ + /vagrant/contrib/sssd.spec.in > /vagrant/contrib/sssd_vagrant.spec + +dnf clean metadata +dnf install -y @buildsys-build realmd sssd adcli polkit oddjob-mkhomedir +dnf builddep -y /vagrant/contrib/sssd_vagrant.spec + +source /usr/share/doc/git/contrib/completion/git-prompt.sh + +cat << EOF >> /home/vagrant/.bashrc +source /usr/share/doc/git/contrib/completion/git-prompt.sh +export GIT_PS1_SHOWDIRTYSTATE=1 +export PS1='[\u@\h:\W\$(__git_ps1 " (%s)")]\$\[\e[0m\] ' + +. /vagrant/contrib/fedora/bashrc_sssd + +EOF --- sssd-1.16.1.orig/debian/README.source +++ sssd-1.16.1/debian/README.source 
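Review bot: In the `%preun` and `%postun` scriptlets of sssd.spec.in the redirection `2>&1 > /dev/null` is in the wrong order: stderr is duplicated onto the original stdout before stdout is pointed at `/dev/null`, so error output from `/sbin/service` still reaches the terminal. Write `> /dev/null 2>&1` in both places. In `%install`, only `%{_sysconfdir}/sssd` is created with `mkdir -p` before `install -m400 server/config/etc/sssd.api.d/*` copies into `sssd.api.d/`; unless `make install` already creates that directory, add `mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d` first. The `server/...` source paths and a changelog that stops at 0.6.0 suggest the spec has not been kept in step with the 1.16.1 tree, which is worth confirming before anyone builds from it.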
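Review bot: bootstrap.sh has no `set -e`, so a failed `sed`, `dnf install` or `dnf builddep` goes unnoticed and provisioning continues with a partly prepared guest; add `set -e` after the shebang (the top-level `source` of git-prompt.sh may then need a `[ -f ... ] &&` guard). The heredoc is appended to `/home/vagrant/.bashrc` with `>>` on every run, so each `vagrant provision` duplicates the block; guard it with `grep -q bashrc_sssd /home/vagrant/.bashrc ||` or write the block to a separate file that `.bashrc` sources once. A one-line comment at the top saying the script runs as root inside the guest would also help readers.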
@@ -0,0 +1,58 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+To configure quilt to use debian/patches instead of patches, you want
+either to export QUILT_PATCHES=debian/patches in your environment
+or use this snippet in your ~/.quiltrc:
+
+ for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
+ if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
+ export QUILT_PATCHES=debian/patches
+ break
+ fi
+ done
+
+To get the fully patched source after unpacking the source package, cd to
+the root level of the source package and run:
+
+ quilt push -a
+
+The last patch listed in debian/patches/series will become the current
+patch.
+
+To add a new set of changes, first run quilt push -a, and then run:
+
+ quilt new
+
+where is a descriptive name for the patch, used as the filename in
+debian/patches. Then, for every file that will be modified by this patch,
+run:
+
+ quilt add
+
+before editing those files. You must tell quilt with quilt add what files
+will be part of the patch before making changes or quilt will not work
+properly. After editing the files, run:
+
+ quilt refresh
+
+to save the results as a patch.
+
+Alternately, if you already have an external patch and you just want to
+add it to the build system, run quilt push -a and then:
+
+ quilt import -P /path/to/patch
+ quilt push -a
+
+(add -p 0 to quilt import if needed). as above is the filename to
+use in debian/patches. The last quilt push -a will apply the patch to
+make sure it works properly.
+
+To remove an existing patch from the list of patches that will be applied,
+run:
+
+ quilt delete
+
+You may need to run quilt pop -a to unapply patches first before running
+this command.
--- sssd-1.16.1.orig/debian/apparmor-profile
+++ sssd-1.16.1/debian/apparmor-profile
@@ -0,0 +1,53 @@
+#include
+
+/usr/sbin/sssd {
+ #include
+ #include
+ #include
+ #include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability setgid,
+ capability setuid,
+ capability sys_admin,
+ capability sys_nice,
+ capability sys_resource,
+
+ @{PROC} r,
+ @{PROC}/[0-9]*/net/psched r,
+ @{PROC}/[0-9]*/status r,
+
+ /etc/krb5.keytab k,
+ /etc/ldap/ldap.conf r,
+ /etc/libnl-3/classid r,
+ /etc/localtime r,
+ /etc/shells r,
+ /etc/sssd/sssd.conf r,
+
+ /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
+ /usr/lib/@{multiarch}/samba/ldb/* m,
+ /usr/lib/@{multiarch}/sssd/* rix,
+ /usr/sbin/sssd rmix,
+
+ /tmp/{,.}krb5cc_* rwk,
+
+ /var/lib/sss/* rw,
+ /var/lib/sss/db/* rwk,
+ /var/lib/sss/gpo_cache/* rw,
+ /var/lib/sss/mc/* rw,
+ /var/lib/sss/pipes/* rw,
+ /var/lib/sss/pipes/private/* rw,
+ /var/lib/sss/pubconf/* rw,
+ /var/lib/sss/pubconf/krb5.include.d/ r,
+ /var/lib/sss/pubconf/krb5.include.d/* rw,
+ /var/log/sssd/* rw,
+ /var/tmp/host_* rw,
+
+ /{,var/}run/sssd.pid rw,
+ /{,var/}run/systemd/notify w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
--- sssd-1.16.1.orig/debian/changelog
+++ sssd-1.16.1/debian/changelog
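Review bot: The file rules in the apparmor-profile do not appear to cover everything this package version uses: `/var/lib/sss/* rw,` matches a single path level only, and there is no rule for the secrets and deskprofile directories that the 1.16.1-1 entry in debian/changelog says are now created, so access there would be denied if the profile is in enforce mode. `/etc/krb5.keytab k,` grants only the lock permission; if the confined process reads the keytab the rule needs `rk`. In the other direction the profile is broad (`capability sys_admin`, `capability dac_override`, `@{PROC} r,`, and `rix` on everything under the sssd library directory, which keeps the helpers under the same wide profile) and none of it is commented. A one-line comment per capability stating which SSSD operation needs it would let a later reviewer decide what can be dropped.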
@@ -0,0 +1,989 @@ +sssd (1.16.1-1ubuntu1.3) bionic; urgency=medium + + * d/libsss-sudo.postinst: Add sss entry to nsswitch only on initial install. + Thanks to Timo Aaltonen (LP: #1781991) + + -- Andreas Hasenack Tue, 28 May 2019 10:52:13 -0300 + +sssd (1.16.1-1ubuntu1.2) bionic; urgency=medium + + * d/p/GPO_CROND-customization.patch: Set GPO_CROND to cron instead of + crond for Debian and Ubuntu (LP: #1572908) + + -- Victor Tapia Wed, 27 Feb 2019 14:53:11 +0100 + +sssd (1.16.1-1ubuntu1.1) bionic; urgency=medium + + * d/p/fix-id-out-of-range-lookup.patch: CACHE_REQ: Do not fail the domain + locator plugin if ID outside the domain range is looked up. Thanks to + Jakub Hrozek . (LP: #1807246) + * d/t/common-tests, d/t/control, d/t/ldap-user-group-krb5-auth, + d/t/ldap-user-group-ldap-auth, d/t/login.exp, d/t/util: add DEP8 + tests for kerberos and LDAP (LP: #1793882) + + -- Andreas Hasenack Wed, 16 Jan 2019 13:58:03 -0200 + +sssd (1.16.1-1ubuntu1) bionic; urgency=medium + + * Merge from Debian. (LP: #1754746) + * d/p/restart_providers_on_timeshift.patch: Dropped, upstream. + + -- Timo Aaltonen Mon, 09 Apr 2018 13:45:29 +0300 + +sssd (1.16.1-1) unstable; urgency=medium + + * New upstream release. + * common.dirs, common.postinst: Add dir for secrets with correct + permissions. (Closes: #892315) + * common: Add support for Fleet Commander, create deskprofile dir with + correct permissions. + * control: Add libgdm-dev to build-depends to support multiple + certificates. + * control, rules, common.install: Add support for systemtap. + * control: Bump policy to 4.1.3, no changes. + + -- Timo Aaltonen Tue, 13 Mar 2018 11:25:00 +0200 + +sssd (1.16.0-5ubuntu2) bionic; urgency=medium + + * Enable the secrets service and build against http-parser (LP: #1754365). 
+ This drops the following Debian delta: + - Build without the secrets service as libhttp-parser2.1 is in universe + * d/{sssd-common.postinst,sssd-common.dirs}: create the secrets directory + used by sssd-secrets and set its permissions in postinst. + (Closes: #892315) + + -- Andreas Hasenack Tue, 06 Mar 2018 16:23:11 +0100 + +sssd (1.16.0-5ubuntu1) bionic; urgency=medium + + * Merge with Debian unstable (LP: #1735493). Remaining changes: + - Build without the secrets service as libhttp-parser2.1 is in universe + - d/p/restart_providers_on_timeshift.patch: Use SIGUSR2 after watchdog + detects time shift to execute pending scheduled tasks that could + be stuck (LP 1641875) + [refreshed with what was committed upstream in the end] + - d/sssd-common.maintscript: rm_conffile for upstart drop + + -- Andreas Hasenack Fri, 26 Jan 2018 17:46:39 -0200 + +sssd (1.16.0-5) unstable; urgency=medium + + * rules: Disable files domain, it's not useful in Debian. (Closes: + #888207) + + -- Timo Aaltonen Fri, 26 Jan 2018 10:42:17 +0200 + +sssd (1.16.0-4) unstable; urgency=medium + + * Revert installing responder service/socket files again. + (Closes: #886483) + + -- Timo Aaltonen Mon, 22 Jan 2018 16:50:14 +0200 + +sssd (1.16.0-3) unstable; urgency=medium + + * Install responder service and socket files again. + + -- Timo Aaltonen Thu, 04 Jan 2018 09:55:41 +0200 + +sssd (1.16.0-2) unstable; urgency=medium + + * Enable default config. (Closes: #858968) + * Enable files domain. + + -- Timo Aaltonen Mon, 25 Dec 2017 21:38:26 +0200 + +sssd (1.16.0-1) unstable; urgency=medium + + * New upstream release. + * sysdb-sanitize-search-filter-input.diff: Dropped, upstream. + * sssd-common.install: Add sssd-session-recording.5. + * control: Depend on python3 pkgs by default. (Closes: #883178) + + -- Timo Aaltonen Wed, 20 Dec 2017 11:58:50 +0200 + +sssd (1.15.3-3ubuntu1) bionic; urgency=medium + + * Merge with Debian unstable (LP: #1732242). 
Remaining changes: + - Build without the secrets service as libhttp-parser2.1 is in universe + - d/p/restart_providers_on_timeshift.patch: Use SIGUSR2 after watchdog + detects time shift to execute pending scheduled tasks that could + be stuck (LP 1641875) + * Drop unused upstart file debian/sssd-common.sssd.upstart.in + - remove debian/sssd-common.sssd.upstart.in + - debian/sssd-common.maintscript remove stale conffile + + -- Andreas Hasenack Tue, 14 Nov 2017 16:13:02 -0200 + +sssd (1.15.3-3) unstable; urgency=medium + + * Rebuild against new libldb. (Closes: #880013) + + -- Timo Aaltonen Sun, 29 Oct 2017 09:13:42 +0200 + +sssd (1.15.3-2ubuntu1) artful; urgency=medium + + * Merge from Debian, remaining changes: + - Build without the secrets service as libhttp-parser2.1 is in universe + - d/p/restart_providers_on_timeshift.patch: Use SIGUSR2 after watchdog + detects time shift to execute pending scheduled tasks that could + be stuck (LP: 1641875) + + -- Timo Aaltonen Thu, 12 Oct 2017 10:02:08 +0300 + +sssd (1.15.3-2) unstable; urgency=medium + + * control: Fix libipa-hbac-dev short description. + * generate-config: Update the config template. (Closes: #872787) + * sysdb-sanitize-search-filter-input.diff: Fix CVE-2017-12173. + (Closes: #877885) + + -- Timo Aaltonen Thu, 12 Oct 2017 08:24:51 +0300 + +sssd (1.15.3-1) unstable; urgency=medium + + * New upstream release. + * apparmor-profile: Add chown capability, allow one to notify systemd. + * control: Add libcurl4-gnutls-dev and uuid-dev to build depends. + * Add libsss-certmap{0,-dev} packages. + * Add sssd-kcm. + * rules: Migrate to dh_missing. + * control: Bump policy to 4.0.0, no changes. + * compat, control, rules: Bump debhelper compat to 10, drop --parallel + as it's the default now. + + -- Timo Aaltonen Sat, 29 Jul 2017 11:50:41 +0300 + +sssd (1.15.2-1ubuntu3) artful; urgency=medium + + * No-change rebuild to build with python3.6. 
+ + -- Matthias Klose Mon, 24 Jul 2017 18:24:23 +0000 + +sssd (1.15.2-1ubuntu2) artful; urgency=medium + + * d/apparmor-profile: + - allow the chown capability (LP: #1699576) + - allow sssd to notify systemd during startup (LP: #1689387) + + -- Andreas Hasenack Wed, 21 Jun 2017 15:50:35 -0300 + +sssd (1.15.2-1ubuntu1) zesty; urgency=medium + + * Merge from Debian. + - new bugfix release + + -- Timo Aaltonen Thu, 06 Apr 2017 12:45:49 +0300 + +sssd (1.15.2-1) unstable; urgency=medium + + * New upstream release. + * control: Demote adcli to sssd-ad suggests. + * rules, common.install: Fix sssd_krb5_locator_plugin install path. + (LP: #1664566) + * control, copyright, watch: Update upstream URLs. + * common.install: Add libsss_files and socket activation helper. + + -- Timo Aaltonen Mon, 20 Mar 2017 15:17:19 +0200 + +sssd (1.15.0-3ubuntu4) zesty; urgency=medium + + * Rebuild against new samba/libldb. (LP: #1664785) + + -- Timo Aaltonen Sun, 05 Mar 2017 13:30:40 +0200 + +sssd (1.15.0-3ubuntu3) zesty; urgency=medium + + * d/p/restart_providers_on_timeshift.patch: Use SIGUSR2 after watchdog + detects time shift to execute pending scheduled tasks that could + be stuck (LP: #1641875) + + -- Victor Tapia Wed, 15 Feb 2017 17:05:05 +0100 + +sssd (1.15.0-3ubuntu2) zesty; urgency=medium + + * Demote sssd-ad Recommends to Suggests. This fixes a component mismatch in + Ubuntu, but also we believe in LP 1590471 that it shouldn't be required for + full functionality of sssd-ad anyway. This has also been done in Debian VCS + in commit d26fd6b. + + -- Robie Basak Thu, 09 Feb 2017 13:34:01 +0000 + +sssd (1.15.0-3ubuntu1) zesty; urgency=medium + + * Build without the secrets service as libhttp-parser2.1 is in universe. An + MIR is pending in LP 1638957; when this is complete, we can revert this. + - Configure with --without-secrets. + - Drop build depends on libhttp-parser-dev and libjansson-dev. These are + only needed for the "secrets service". 
+ - Remove secrets service -related files from d/sssd-common.install and in + d/rules. + + -- Robie Basak Tue, 07 Feb 2017 19:37:45 +0000 + +sssd (1.15.0-3) unstable; urgency=medium + + * rules, install: Remove responder service and socket files for now, the + sockets weren't supposed to be enabled anyway and can cause issues. + (Closes: #854048) + + -- Timo Aaltonen Sat, 04 Feb 2017 18:34:06 +0200 + +sssd (1.15.0-2) unstable; urgency=medium + + * import-daemon-opts.diff, sssd.default: Drop the patch modifying sssd + service file, and revert the daemon options for sysvinit. + /etc/default/sssd is now only for the initscript (Closes: #852719) + + -- Timo Aaltonen Thu, 26 Jan 2017 21:29:58 +0200 + +sssd (1.15.0-1) unstable; urgency=medium + + * New upstream release. (Closes: #852450) (LP: #1566508) + * Drop upstreamed patches. + * sssd-common.sssd.default, import-daemon-opts.diff: Change default + daemon options to match current upstream. + * sssd-dbus.install: Drop libsss_config, which was removed. + * sssd-{ad,common,dbus}.install: Add systemd service and socket files + for pac, sudo, ssh, autofs, pam, nss and ifp responders. + + -- Timo Aaltonen Wed, 25 Jan 2017 22:46:02 +0200 + +sssd (1.14.2-2.1) unstable; urgency=low + + * Non-maintainer upload with maintainer approval. + * ldap-blocking.diff: Fix ldaps connections by removing NON_BLOCKING from + socket options (Closes: 849756). Patch from upstream pull request #67. + + -- Petter Reinholdtsen Tue, 24 Jan 2017 22:26:17 +0000 + +sssd (1.14.2-2) unstable; urgency=medium + + * fix-prefix-substitution.diff: Fix IFP service file path substitution. + (LP: #1652629) + + -- Timo Aaltonen Tue, 17 Jan 2017 16:39:14 +0200 + +sssd (1.14.2-1) unstable; urgency=medium + + * New upstream release. + * control: Add adcli to sssd-ad Recommends. (LP: #1590471) + * accept-krb5-1.15.diff: Allow building PAC responder with MIT krb5 + 1.15. (Closes: #843385) + * common.install: Add sssd-secrets manpage. 
+ + -- Timo Aaltonen Wed, 16 Nov 2016 10:47:15 +0200 + +sssd (1.14.1-1) unstable; urgency=medium + + * New upstream release. + * ipa-terminate-if-view-name-fails.diff, + gpo-add-unity-to-ad-gpo-map-interactive.diff: + Dropped, upstream. + * sssd-common.dirs: Add etc/sssd/conf.d for config snippets. + * control: Add libhttp-parser-dev and libjansson-dev to build-deps. + * sssd-tools.install: Add sssctl. + * sssd-common.install: Add sssd-secrets and winbind idmap plugin. + * Drop the upstart job, it was only shipped on Ubuntu which has + switched to systemd. + * rules, default, import-daemon-opts.diff: Import daemon options from + default/sssd also with systemd. (LP: #1587395) + * rules: Don't install a default config file. + + -- Timo Aaltonen Wed, 05 Oct 2016 14:20:37 +0300 + +sssd (1.13.4-3) unstable; urgency=medium + + * common: Add /var/lib/sss/gpo_cache. (LP: #1579092) + * gpo-add-unity-to-ad-gpo-map-interactive.diff: Allow logging in from + unity lockscreen. (LP: #1578415) + + -- Timo Aaltonen Tue, 10 May 2016 10:39:46 +0300 + +sssd (1.13.4-2) unstable; urgency=medium + + * ipa-terminate-if-view-name-fails.diff: Fix support for older IPA + servers. (LP: #1572582) + + -- Timo Aaltonen Wed, 20 Apr 2016 16:55:24 +0300 + +sssd (1.13.4-1) unstable; urgency=medium + + * New upstream release. + * apparmor-profile: Fixed and tidied. + + -- Timo Aaltonen Wed, 30 Mar 2016 19:31:33 +0300 + +sssd (1.13.3-1) unstable; urgency=medium + + * New upstream release. + + -- Timo Aaltonen Thu, 17 Dec 2015 13:27:11 +0200 + +sssd (1.13.2-1) unstable; urgency=medium + + * New upstream release. + * patches: Removed fix-obsolete-target.diff, fix-python-modules.diff, + both upstream now. + + -- Timo Aaltonen Thu, 03 Dec 2015 21:14:29 +0200 + +sssd (1.13.1-2) unstable; urgency=medium + + * apparmor: Fix access to krb5.include.d. (LP: #1489378) + * {krb5-common,proxy}.postinst: Chmod the correct files. 
(Closes: + #801537, #801538) + + -- Timo Aaltonen Tue, 13 Oct 2015 16:55:47 +0300 + +sssd (1.13.1-1) unstable; urgency=medium + + * New upstream release. + * {common,ipa,krb5,proxy}.postinst: Create a sssd system user & group, + and migrate various bits to their ownership. + * Add sssd-dbus to libsss-simpleifp0 Depends. + * ipa: Add /var/lib/sss/keytabs. + * common: Add PEM/DER conversion library. + * Add support for python3 modules. + * tools: Add sss_override. + * common: Add p11_child. + * ad: Drop libsss_ad_common, it was for tests only and not shipped + anymore. + * common: Move libsss_krb5_common here from sssd-krb5-common to satisfy + libsss_ldap_common depending on it. + * libsystemd.diff: Dropped, fixed upstream. + * fix-python-modules.diff: Don't add symlinks to python modules, + rename the built modules instead. + * rules, postinst: Avoid running dpkg-architecture in postinst and + instead mangle them in post-dh_installdeb. + * common: Add depends on adduser. + + -- Timo Aaltonen Sat, 03 Oct 2015 08:38:29 +0300 + +sssd (1.12.5-3) unstable; urgency=medium + + * sssd-common.postinst: Drop removing the old logrotate file, handle + it in sssd.maintscript instead. (Closes: #794332) + + -- Timo Aaltonen Tue, 08 Sep 2015 22:47:08 +0300 + +sssd (1.12.5-2) unstable; urgency=medium + + * sssd-common.postinst: Remove duplicate logrotate file on update. + (LP: #1249772) + * control, libsystemd.diff: Transition to libsystemd, thanks Michael + Biebl! (Closes: #791909) + + -- Timo Aaltonen Tue, 21 Jul 2015 15:04:25 +0300 + +sssd (1.12.5-1) unstable; urgency=medium + + * New upstream release. + * Let uscan verify upstream tarballs. + * control: Bump policy to 3.9.6, no changes. + + -- Timo Aaltonen Fri, 12 Jun 2015 22:36:52 +0300 + +sssd (1.12.4-1) experimental; urgency=medium + + * New upstream release. + * apparmor-profile: Updated. (LP: #1421110) + * control: Add new build-depends; cifs-utils, libaugeas-dev, + libnfsidmap-dev, libsmbclient-dev, systemd. 
+ * control, .install: Add libwbclient-sssd{,-dev}. + * control, .install: Add libsss-simpleifp{0,-dev}. + * fix-automake-compat.diff, fix-catchchild.diff: Dropped, upstream. + * rules: Use max-parallel=1 for dh_auto_install. + * sssd-common.install: Add files for NFS v4 client. + * sssd-ad.install: Add new files. + * sssd-ipa.install: Add selinux_child. + * sssd-dbus: Add libsss_config.so. + * sssd-common: Add cifs idmap plugin, semanage library and krb5 + localauth plugin. + * rules: Add a placeholder to not modify permissions of + {krb5,ldap,selinux}_child. + * control: Add libsystemd-login-dev to build-depends. + * control: Add libnss-wrapper and libuid-wrapper to build-depends. + * rules: Use automake native verbosity for tests, and bump + CK_TIMEOUT_MULTIPLIER. + + -- Timo Aaltonen Thu, 09 Apr 2015 23:56:01 +0300 + +sssd (1.11.7-3) unstable; urgency=medium + + * libsss-sudo.postrm: Delete sudoers line from nsswitch.conf, if only + files source left. (Closes: #749722) + * libsss-sudo.postinst: Fix comments. + * libsss-sudo.postinst: Check nsswitch sudoers entry unconditionally, + so that it is added on upgrade too if missing. + + -- Timo Aaltonen Fri, 16 Jan 2015 13:53:22 +0200 + +sssd (1.11.7-2) unstable; urgency=medium + + * default, upstart.in: Upstream ticket #2312 is fixed now, so drop the + workaround to run the daemon in the foreground. (Closes: #760353) + * fix-automake-compat.diff: Added an upstream commit to fix configure + with new automake. + * fix-catchchild.diff: Fix build failure with samba 4.1.13, bump + samba-dev build-dependency to match. + + -- Timo Aaltonen Thu, 30 Oct 2014 14:49:05 +0200 + +sssd (1.11.7-1) unstable; urgency=medium + + * New upstream release. + * sssd-common.install, sssd-dbus.install: Add new sss_signal helper + and the dbus service using it. + * fix-obsolete-target.diff: Drop syslog.target from the service file. + * libnss-sss.post*: Add sss entry to shadow and services on + nsswitch.conf. 
(Closes: #761173) + + -- Timo Aaltonen Wed, 24 Sep 2014 07:08:04 +0300 + +sssd (1.11.6-1) unstable; urgency=medium + + * New upstream release. + * control: Update my email. + * control: Update vcs urls. + * libnss-sss.postrm: Check DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT before + removing sss entry from nsswitch.conf. (Closes: #748671) + * libpam-sss.prerm: Check DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT before + running pam-auth-update --remove. + * control: Mark libkeyutils-dev, libselinux-dev, libsemanage-dev, + libnl*-dev build-deps as linux-any, as a preliminary step to build + on kfreebsd-*. + * Run wrap-and-sort. + * sssd-dbus: Add a new subpackage for the D-Bus responder. + * control: Demote libsasl2-modules-ldap to Suggests for sssd-ldap. + * generate-config: Bring it back for convenience, but don't run it on + postinst. + * sssd-common.postinst: Remove obsolete config upgrade. + + -- Timo Aaltonen Tue, 19 Aug 2014 09:15:13 +0300 + +sssd (1.11.5.1-2) unstable; urgency=medium + + * control: Drop libcmocka-dev and check from build-depends again so + that the package will build on every arch. Test failures will be + fixed in a future upload. + + -- Timo Aaltonen Thu, 14 Aug 2014 02:22:57 +0300 + +sssd (1.11.5.1-1) unstable; urgency=medium + + [ Stéphane Graber ] + * Fix upstart job to provide a proper stdin for sssd. + * Update defaults to always pass -i. + + [ Timo Aaltonen ] + * New upstream release. (Closes: #745664) + * control: Bump libkrb5-dev build-dependency to 1.12 due to the OTP + features. + + -- Timo Aaltonen Fri, 09 May 2014 14:50:12 +0300 + +sssd (1.11.5-1) unstable; urgency=medium + + * New upstream bugfix release. (Closes: #729982) + * upstart: Run the daemon in foreground and drop expect fork from the + job, should fix issues with upstart getting confused when a backend + fails to start. + + -- Timo Aaltonen Tue, 08 Apr 2014 23:39:20 +0300 + +sssd (1.11.4-1) unstable; urgency=low + + * New upstream release. 
+ * control, rules: Add libcmocka-dev and re-add check to build-depends. + Override dh_auto_test so that it shows the test error log if they fail. + * rules: Fix the manpage date handling with a bigger hammer, and + enable it for all manpages not just pam_sss.8. (Closes: #734083) + * Drop an obsolete lintian override from libsss-sudo. + + -- Timo Aaltonen Fri, 21 Mar 2014 13:28:38 +0200 + +sssd (1.11.3-1) unstable; urgency=low + + * New upstream release. + * control: Update policy to 3.9.5, no changes. + + -- Timo Aaltonen Fri, 03 Jan 2014 00:01:29 +0200 + +sssd (1.11.2-1) unstable; urgency=low + + * New upstream release. + * rules, sssd-common.install: Use the correct path for the systemd + service file. + * control: Build depend on libpam0g-dev | libpam-dev. + + -- Timo Aaltonen Tue, 19 Nov 2013 15:22:27 +0200 + +sssd (1.11.1-1) unstable; urgency=low + + * New upstream release. + * sssd-common.postinst, generate-config: Don't create a config on install, + drop generate-config. (Closes: #717587) + * sssd-common.postrm: Remove /etc/apparmor.d too, if empty. + * control, rules, sssd-common.install: Install the systemd service + file provided by upstream. + * control: Drop M-A: foreign from sssd-* and add back to sssd instead. + * control: Don't hardcode 'multiarch-support'. + * control: Drop unnecessary multiarch declarations. + * control: Drop obsolete Breaks/Conflicts. + * rules: Enable parallel build. + * control: Add libltdl-dev to build-depends. + * control: Prepare for new unified samba package, adjust build- + dependencies. Thanks, Ivo De Decker! (Closes: #725992) + + -- Timo Aaltonen Tue, 06 Aug 2013 17:04:28 +0300 + +sssd (1.10.0-1) unstable; urgency=low + + [ Timo Aaltonen ] + * New upstream release (Closes: #693054, #705357, #711101) + * Update the packaging for the new version, thanks Esko Järnfors! 
+ - Add libsss-idmap0, libsss-idmap-dev packages + - Add sssd Depends on libsss-idmap0 + - Add /var/lib/sss/mc directory for the new mmap cache + * Split authentication providers to separate packages and make sssd + a metapackage. + * control: Drop libunistring-dev from build-depends and add libglib2.0-dev + for unicode support. + * sssd-*.install: Install new manpages. + * python-sss.install: py-files got moved under SSSDConfig. + * control, rules: Use default build flags, bump dpkg-dev build-dep to + 1.16.1~. + * rules: Install the apparmor profile with -m644. + * python-sss: Add pysss_murmur.so. + * rules, control, sssd-ad-common.install: PAC responder support. + - Add libndr-dev, libndr-standard-dev, libsamba-util-dev, samba4-dev, + libdcerpc-dev to build-depends + - Add -I/usr/include/samba-4.0 to CFLAGS + * control: Mark sssd-common as Multi-Arch: foreign. + * watch: Add a comment about the upstream git tree. + * Replace perl snippet from libnss-sss.post* with sed, drop perl from + Depends. (Closes: #686237) + * compat: Bump compat to 9. + * rules: Set DEB_HOST_MULTIARCH, drop --libdir and remnants of cdbs. + * sssd-common.install: Install the support binaries under the multiarch path. + * rules,sssd-common.postinst: Move generate-config to /usr/share/sssd. + * rules, sssd-common.install: Use the correct install path for the + krb5_locator plugin. + * libnss-sss.postinst: SSSD doesn't handle shadow maps, so don't pretend + that it would. + * libsss-sudo*, control: Remove the soname from the library, move .so to + the libsss-sudo, drop -dev package. + * rules: Pass --datadir, so the path in autogenerated python files is + correctly substituted. (LP: #1079938) + * sssd-krb5-common.dirs: Add krb5 include dir. + * fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream. + * libsss-sudo.postrm: Run ldconfig on remove/purge. + * apparmor-profile: Fix the profile to use the multiarch path for it's + helper location (LP: #1175317). 
+ * Add packaging for libsss-nss-idmap0, libsss-nss-idmap-dev, + python-libsss-nss-idmap. + * watch: Updated to work with alpha/beta releases. + * control: Migrate to libnl-3 now that it's supported. (Closes: #688174) + * sssd-common.{preinst,postrm}: Install the apparmor profile in force-complain + mode on install, and remove the profile directory on purge (if empty). Also + migrate from previous setup which installed it as disabled. + (Closes: #676140) + * control: Bump policy to 3.9.4, no changes. + * control: Add libpam-pwquality (>= 1.2.2-1) to libpam-sss depends, which + makes the password stack work in all cases. (LP: #1159983) + * control: Drop check from build-depends for now, to work around a linking bug + in check (#712140) that makes the tests fail on (at least) i386. + + [ Stéphane Graber ] + * Add postinst/postrm script for libsss-sudo. Those will add a "sudoers" + entry to /etc/nsswitch.conf upon first installation of the package and + will then take care of adding/removing sss from the stack as required. + * Set CK_DEFAULT_TIMEOUT to 30 so that slower buildds (armhf at least) can + run the tests without hitting the default 4s timeout. + + -- Timo Aaltonen Fri, 05 Jul 2013 14:53:06 +0300 + +sssd (1.8.4-2) unstable; urgency=low + + * fix-cve-2013-0219-1.diff, fix-cve-2013-0219-2.diff, + fix-cve-2013-0220.diff: Upstream commits from the stable tree to fix + recent CVE reports. (Closes: #698871) + + -- Timo Aaltonen Wed, 27 Feb 2013 23:38:28 +0200 + +sssd (1.8.4-1) unstable; urgency=low + + * New upstream bugfix release 1.8.2. 
+ - Several fixes to case-insensitive domain functions + - Fix for GSSAPI binds when the keytab contains unrelated + principals + - Fixed several segfaults + - Workarounds added for LDAP servers with unreadable RootDSE + - SSH knownhostproxy will no longer enter an infinite loop + preventing login + - The provided SYSV init script now starts SSSD earlier at startup + and stops it later during shutdown + - Assorted minor fixes for issues discovered by static analysis + tools + * New upstream bugfix release 1.8.3. + - Numerous manpage and translation updates + - LDAP: Handle situations where the RootDSE isn't available anonymously + - LDAP: Fix regression for users using non-standard LDAP attributes for + user information + * New upstream bugfix release 1.8.4. (LP: #981125, #985031) + - Fix a bug causing AD servers not to fail over properly when the KDC + on the primary server is down + - Fix an endianness bug on big-endian systems when looking up services + - Fix a segfault dealing with nested groups (LP: #981125) + - Make the nowait cache updates work for netgroups + - Fix a regression that broke domains with use_fully_qualified_names = True + (LP: #985031) + * control: Move the dependency of libsasl2-modules-gssapi-mit to + Recommends. + * control: sssd works with Heimdal gssapi modules too, add + libsasl2-modules-gssapi-mit as an option for the Recommends. + (LP: #966146) + * libpam-sss.pam-auth-update: + - Drop the dependency to 128, since pam_sss should always be below + pam_unix. (LP: #957486) + - Drop 'use_authtok' from the password stack, since it only works when + pam_cracklib is installed. This will allow password changes on the + default install. + * sssd.postrm: Try to remove /etc/sssd only if it exists. 
+ (Closes: #666226) + * Add disabled by default Apparmor profile (LP: #933342) + - debian/sssd.upstart.in: load the profile during pre-start + - add debian/apparmor-profile, install to /etc/apparmor.d + - debian/rules: use dh_apparmor to install profile before sssd is + restarted + - debian/control: sssd Suggests apparmor (>= 2.3) + - debian/control: Add dh-apparmor to build-depends + - debian/sssd.preinst: disable profile on clean install or upgrades + from earlier than when we shipped the profile + * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is + identical across all archs. (Closes: #670019) + * control: Add build-depends on libnl-dev to enable Netlink support. + * control: Add build-depends on libkeyutil-dev to enable support for + kernel keyring manipulation. + * sssd.logrotate: Rotate logs weekly, keep four previous rotations. + (Closes: #672984) + * sssd.upstart.in: Delete an invisible control character from the pre-start + script. (LP: #1003845) + + -- Timo Aaltonen Fri, 01 Jun 2012 11:43:42 +0300 + +sssd (1.8.1-1) unstable; urgency=low + + * New maintainer, Debian SSSD Team. (Closes: #660985) + + [ Timo Aaltonen ] + * New upstream release (1.8.1) (Closes: #647980, #624194, #639965) + - Support for the service map in NSS + - Support for setting default SELinux user context from FreeIPA + - Support for retrieving SSH user and host keys from LDAP (Experimental) + - Support for caching autofs LDAP requests (Experimental) + - Support for caching SUDO rules (Experimental) + * Update build-deps: + - Add libunistring-dev, libdhash-dev, libcollection-dev and + libini-config-dev. + - Add check for unit tests. + - Drop cvs and python-central. + - Migrate to dh, drop cdbs build-dep, add quilt, dh-autoreconf and + autopoint to build-deps. + * Add new packages: + - libipa-hbac0, libipa-hbac-dev, libsss-sudo0, libsss-sudo-dev, + and python-libipa-hbac. 
+ - Split sssd-tools: add Breaks/Replaces sssd (<< 1.8.0~beta3-1) and + add to sssd Suggests + * Drop patch to ensure LDAP authentication never accept a zero + length password, which is now included upstream. + * sssd.upstart.ubuntu: + - Don't start before net-device-up. (LP: 812943) + - Source /etc/default/sssd. (LP: 812943) + * sssd.default: Added a file to include the sssd daemon defaults, + currently has '-D -f'. + * sssd.init: Drop separate OPTIONS, '-D' comes from /etc/default/sssd + now.. + * rules: Install the Python API files to /usr/share/sssd, as discussed + with upstream. (LP: 859611) + * fix-python-api-path.dpatch: Use the new location for the API files. + (LP: 859611) + * libpam-sss.pam-auth-update: + - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: 826643) + - Add pam_localuser.so to account stack to allow local users to log in. + (LP: 860488) + * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is + mostly useless without them. (LP: 767337) + * control, compat: Bump debhelper build-dep and compat level to 8. + * Switch patch-system to quilt. + * Do not install a working config file by default. The local domain + definition was broken (upstream #1014). The daemon will need to be + configured by other means before it's usable. + * Add support for Multi-Arch (Closes: #634123). + * Remove unnecessary libnss-sss.links. + * libnss-sss.overrides: Add an override for + "package-name-doesnt-match-sonames". + * Determine the used init system during build, add lsb-release to + build-deps. Default to sysvinit, use upstart if Ubuntu. + * sssd.upstart.in: Test if the config file exists, and exit if not. + * Fail gracefully if invoke-rc.d returns an error on postinst/prerm, like + when the daemon fails to start when there is no config file. + * sssd.init.in: Check that /etc/default/sssd is a real file before sourcing + it (Closes: #587895). 
+ * control: Add libsasl2-modules-gssapi-mit and libsasl2-modules-ldap to + Recommends for sssd. + * rules: Move the rule for purging .la files before dh_install + (Closes: #633206). + * sssd.install: Fix the wildcard for plugins to include .so symlinks. + * rules: Add configure flags + - Disable RPATH + - Disable building static libs + - Enable ssh user and host key retrieval, autofs request + and sudo rules caching. The respective packages need to add support + for these to be useful. + * Drop fix-python-api-path.patch, included upstream. + * sssd.examples: Install the renamed example config. + * rules: Drop special handling of the sssd.api.d, upstream uses + the proper path now. + * rules: Add --fail-missing to dh_install. + * sssd.install: Add new files. + * libpam-sss.install, control: Move pam_sss.8 to the correct package, + add Breaks/Replaces. + * rules: Remove some files we don't want to install, to make dh_install + happy. + * rules: Clean po/*.gmo, po/stamp-po and *.pyc. + * Install lintian overrides using dh_lintian. + * {sssd,libnss-sss}.lintian-overrides: Update. + * Move libsasl2-modules-gssapi to sssd Depends to make sure it gets + installed, as it's needed in most cases. + * control: Update maintainer address and repo location. + * control: Bump the Standards-Version to 3.9.3, no changes. + * control: Bump the debhelper build-dep to 9. + * control: Add ${misc:Depends} to libipa-hbac*, libsss-sudo*. + * control, rules: Migrate to dh_python2 (Closes: #617071). + * control: Add myself to uploaders. + + [ Petter Reinholdtsen ] + * New upstream version 1.2.4: + - Resolves long-standing issues related to group processing with + RFC2307bis LDAP servers. + - Fixed bugs in RFC2307bis group memberships related to initgroups + (Closes: #595564). + - Fix tight-loop bug on systems with older OpenLDAP client + libraries (such as Red Hat Enterprise Linux 5) + * New Upstream Version 1.2.3: + - Resolves CVE-2010-2940. 
+ * New Upstream Version 1.2.2: + - The LDAP provider no longer requires access to the LDAP + RootDSE. If it is unavailable, we will continue on with our best + guess. + - The LDAP provider will now log issues with TLS and GSSAPI to the + syslog. + - Significant performance improvement when performing initgroups + on users who are members of large groups in LDAP. + - The sss_client will now reconnect properly to the SSSD if the + daemon is restarted. + * This resolves an issue causing GDM to crash when logging out + of a user after the SSSD had been restarted. + * Correct package description for python-sss (Closes: #596215). + * Update Standards-Version from 3.8.4 to 3.9.1. No changes needed. + + [ Stéphane Graber ] + * Fix prerm invoke_failure hook to simply return as empty functions + are invalid shell syntax. + + -- Timo Aaltonen Thu, 22 Mar 2012 13:28:27 +0200 + +sssd (1.2.1-4.4) unstable; urgency=low + + * Non-maintainer upload. + * Fix FTBFS with -Werror=format-security. Thanks Philippe De Swert for patch. + (Closes: #643806). + + -- Hector Oron Sun, 19 Feb 2012 19:33:04 +0000 + +sssd (1.2.1-4.3) unstable; urgency=medium + + * Non-maintainer upload. + * Adjust install path to consider GNU triplet (Closes: #640626). + + -- Luca Falavigna Tue, 20 Sep 2011 20:02:34 +0200 + +sssd (1.2.1-4.2) unstable; urgency=low + + * Non-maintainer upload. + * debian/sssd.install + - updated location for ldb modules; Closes: #618159 + + -- Sandro Tosi Fri, 03 Jun 2011 23:53:59 +0200 + +sssd (1.2.1-4.1) unstable; urgency=medium + + * Non-maintainer upload by the Security Team + * Fix CVE-2010-4341 (Closes: #610032) + + -- Moritz Muehlenhoff Tue, 25 Jan 2011 22:09:21 +0100 + +sssd (1.2.1-4) unstable; urgency=low + + * Add patch from Stephen Gallagher to ensure LDAP authentication + never accept a zero length password (Closes: #594413). Solves + CVE-2010-2940. 
+
+ -- Petter Reinholdtsen Wed, 25 Aug 2010 22:33:40 +0200
+
+sssd (1.2.1-3) unstable; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * Look for /etc/default/sssd, not /etc/defaults/sssd in init.d
+ script (Closes: #588252).
+ * Make sssd.conf generation more robust, and make sure missing SRV
+ records are ignored and not handled as host names.
+ * Add code in generate-config to look up Kerberos realm using
+ _kerberos TXT record in DNS if it exist.
+ * Recommend bind9-host used by generate-config for SRV and TXT
+ lookups.
+
+ [ Morten Werner Forsbring ]
+ * Check if /etc/default/sssd is a file and executable, not a directory,
+ before sourcing in init-script. Thanks to lintian.
+
+ -- Morten Werner Forsbring Thu, 12 Aug 2010 16:31:14 +0200
+
+sssd (1.2.1-2) unstable; urgency=low
+
+ * Make sure init.d script sources /etc/default/sssd (Closes: #588252).
+ * Drop /etc/default/sssd from package, to avoid conffile question
+ from dpkg during upgrades.
+ * Make sure to only remove obsolete sssd conffiles on upgrades, not
+ on first time installation.
+ * Add new script generate-config and call it from the sssd postinst
+ during first time installation to try to generate the sssd.conf
+ file dynamically for LDAP and Kerberos using DNS entries, and fall
+ back to the static example configuration if this fail.
+ * Let sssd suggest libnss-sss and libpam-sss, to make those
+ installing sssd aware of the other packages.
+ * Add netgroup to nsswitch.conf entries added at first time
+ installation, to make sure those installing now get working
+ netgroups when sssd get netgroup support
+ * Let sssd recommend ldap-utils as ldapsearch is used for generating
+ the configuration.
+
+ -- Petter Reinholdtsen Fri, 06 Aug 2010 23:44:26 +0200
+
+sssd (1.2.1-1) unstable; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * Move calls to pam-auth-update from the package scripts in sssd to
+ libpam-sss, and correct prerm call to remove the correct pam config.
+ Add versioned dependency on libpam-runtime to make sure
+ pam-auth-update is available.
+ * Add code to the postinst and postrm of libnss-sss to update
+ passwd, group and shadow entries in /etc/nsswitch.conf.
+ * Make sure init.d/sssd start after $named, to ensure it can look up
+ in DNS also when the DNS server is on the local machine.
+
+ [ Morten Werner Forsbring ]
+ * New upstream release.
+
+ -- Morten Werner Forsbring Thu, 24 Jun 2010 14:16:30 +0200
+
+sssd (1.2.0-1) unstable; urgency=low
+
+ [ Petter Reinholdtsen ]
+ * New upstream release.
+ - Add libsemanage1-dev as build dependency, as it is now required.
+ - Drop python-build-with-deb-layout.dpatch, now handled upstream.
+ - Adjust provide-default-working-sssd-config-file.dpatch to
+ work with new package source layout and config file content.
+ - Adjust build rules to cope with server/ changing to src/ in the
+ source tarball.
+ - Add --enable-krb5-locator-plugin to keep building the plugin.
+ * Change the pam-auth-update configuration to make the session
+ script optional instead of sufficient, to make sure the other
+ session modules are executed too.
+ * Change initial pam password entry from requisite to sufficient,
+ to make sure local users can have their password set even if
+ sssd is enabled.
+ * Rename pam-configs/sssd to pam-configs/sss, to have a name that
+ is consistent with the package name libpam-sss.
+ * Add VCS links to the GIT repository.
+ * Move configuration API documentation from /etc/sssd/ to
+ /usr/share/doc/sssd/. It is not configuration and do not belong
+ in /etc/.
+ * Drop autoconf, automake, libtool, m4 and autotools-dev from
+ build-depends. There is no need to regenerate the build files any
+ more.
+
+ [ Morten Werner Forsbring ]
+ * Add dnsutils as build-dependency.
+
+ -- Morten Werner Forsbring Tue, 01 Jun 2010 20:41:59 +0200
+
+sssd (1.0.5-1) unstable; urgency=low
+
+ * Initial upload based on package from Ubuntu (Closes: #579593).
+ * Update standards-version from 3.8.3 to 3.8.4. No changes needed.
+ * Add init.d script and rename sssd.upstart to sssd.upstart.ubuntu
+ to make sure init.d script is installed instead of upstart job.
+ * Add draft pam-auth-update configuration based on proposals in
+ Launcepad bug #557398.
+ * Update address to FSF in copyright file. Thanks lintian.
+ * Set section for python-sss to python after advice from lintian.
+ * Rewrite python-build-with-deb-layout.dpatch to patch Makefile.in
+ instead of Makefile.am, to avoid having to run autoreconf.
+ * Make sssd depend on python for its upgrade script.
+ * Extend clean rule to remove generated file server/config/.files.
+ * Make sure sssd.api.conf is installed into the sssd package, and
+ put it in /etc/sssd/sssd.api.conf. Fixes typo in Ubuntu package.
+
+ -- Petter Reinholdtsen Wed, 05 May 2010 21:53:29 +0200
+
+sssd (1.0.5-0ubuntu1) lucid; urgency=low
+
+ * New upstream bugfix release. (LP: #510290)
+ * sssd.dirs: Add /var/lib/sss/pubconf (LP: #557394)
+
+ -- Timo Aaltonen Fri, 16 Apr 2010 11:37:16 +0300
+
+sssd (1.0.2-0ubuntu2) lucid; urgency=low
+
+ * No change rebuild due to libldb downgrade
+
+ -- Scott Kitterman Fri, 02 Apr 2010 17:48:19 -0400
+
+sssd (1.0.2-0ubuntu1) lucid; urgency=low
+
+ * New upstream release (LP: #473262):
+ - python API for managing sssd daemon configuration and
+ native SSSD users.
+ - support for asynchronous cache refreshes.
+ - support password changing in LDAP and Kerberos providers.
+ - support for server failover.
+ * debian/control:
+ - update tdb build dependency to use libtdb-dev.
+ - add libselinux1-dev and libsasl2-dev build dependencies.
+ * debian/sssd.upstart: replace init script with an upstart job.
+ * Turn sssd.conf into a configuration file.
+ * Create sssd log directory.
+ + -- Mathias Gug Tue, 19 Jan 2010 15:17:13 -0500 + +sssd (0.5.0-0ubuntu2) karmic; urgency=low + + * debian/libnss-sss.overrides, debian/sssd.overrides: + + Fix linitian errors and warnings (LP: #425697): + sssd ships an nss library - these are false-positives. + * debian/fix-dbus-watch.dpatch: Update dbus-patch to final + upstream version. + * debian/fix-proxy-segfault.dpatch: Fix proxy enumeration. + + -- Mathias Gug Wed, 09 Sep 2009 20:21:04 -0400 + +sssd (0.5.0-0ubuntu1) karmic; urgency=low + + * Initial release. + + -- Mathias Gug Mon, 24 Aug 2009 16:35:11 -0400 --- sssd-1.16.1.orig/debian/compat +++ sssd-1.16.1/debian/compat @@ -0,0 +1 @@ +10 --- sssd-1.16.1.orig/debian/control +++ sssd-1.16.1/debian/control 
@@ -0,0 +1,487 @@
+Source: sssd
+Section: utils
+Priority: extra
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian SSSD Team
+Uploaders: Timo Aaltonen
+Build-Depends:
+ autopoint,
+# check,
+ cifs-utils,
+ debhelper (>= 10),
+ dh-apparmor,
+ dh-autoreconf,
+ dh-python,
+ dh-systemd (>= 1.5),
+ dnsutils,
+ docbook-xml,
+ docbook-xsl,
+ dpkg-dev (>= 1.16.1~),
+ krb5-config,
+ libaugeas-dev,
+ libc-ares-dev,
+# libcmocka-dev [amd64 armhf i386],
+ libcollection-dev,
+ libcurl4-gnutls-dev,
+ libdbus-1-dev,
+ libdhash-dev,
+ libgdm-dev,
+ libglib2.0-dev,
+ libhttp-parser-dev,
+ libini-config-dev,
+ libjansson-dev,
+ libkeyutils-dev [linux-any],
+ libkrb5-dev (>= 1.12),
+ libldap2-dev,
+ libldb-dev,
+ libltdl-dev,
+ libnfsidmap-dev,
+ libnl-3-dev [linux-any],
+ libnl-route-3-dev [linux-any],
+ libnspr4-dev,
+ libnss-wrapper,
+ libnss3-dev,
+ libpam0g-dev | libpam-dev,
+ libpcre3-dev,
+ libpopt-dev,
+ libsasl2-dev,
+ libselinux1-dev [linux-any],
+ libsemanage1-dev [linux-any],
+ libsmbclient-dev,
+ libsystemd-dev [linux-any],
+ libtalloc-dev,
+ libtdb-dev,
+ libtevent-dev,
+ libuid-wrapper,
+ libxml2-utils,
+ lsb-release,
+ python-dev (>= 2.6.6-3~),
+ python-setuptools,
+ python3-dev,
+ python3-setuptools,
+ quilt,
+ samba-dev (>= 2:4.1.13),
+ systemd,
+ systemtap-sdt-dev,
+ uuid-dev,
+ xml-core,
+ xsltproc
+X-Python-Version: >= 2.6
+X-Python3-Version: >= 3.3
+Standards-Version: 4.1.3
+Vcs-Git: git://anonscm.debian.org/pkg-sssd/sssd.git
+Vcs-Browser: http://anonscm.debian.org/cgit/pkg-sssd/sssd.git
+Homepage: https://pagure.io/SSSD/sssd/
+
+Package: sssd
+Section: metapackages
+Architecture: any
+Multi-Arch: foreign
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ python3-sss (= ${binary:Version}),
+ sssd-ad (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-ipa (= ${binary:Version}),
+ sssd-krb5 (= ${binary:Version}),
+ sssd-ldap (= ${binary:Version}),
+ sssd-proxy (= ${binary:Version}),
+ ${misc:Depends}
+Description: System Security Services Daemon -- metapackage
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package is a metapackage which installs the daemon and existing
+ authentication back ends.
+
+Package: sssd-common
+Architecture: any
+Depends:
+ python3,
+ python3-sss,
+ ${misc:Depends},
+ ${shlibs:Depends},
+ adduser,
+Recommends:
+ bind9-host,
+ libnss-sss,
+ libpam-sss,
+ libsss-sudo
+Suggests:
+ apparmor,
+ sssd-tools
+Breaks: sssd (<< 1.10.0~beta2-1),
+ sssd-krb5-common (<< 1.13.1-1),
+Replaces: sssd (<< 1.10.0~beta2-1),
+ sssd-krb5-common (<< 1.13.1-1),
+Description: System Security Services Daemon -- common files
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provides the daemon and other common files needed by the
+ authentication back ends.
+
+Package: sssd-ad
+Architecture: any
+Depends:
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-ad-common (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Suggests:
+ adcli,
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- Active Directory back end
+ Provides the Active Directory back end that the SSSD can utilize to fetch
+ identity data from and authenticate against an Active Directory server.
+
+Package: sssd-ad-common
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- PAC responder
+ Provides the PAC responder that the AD and IPA backends can use for
+ fetching additional attributes from the kerberos ticket.
+
+Package: sssd-dbus
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Description: System Security Services Daemon -- D-Bus responder
+ Provides the D-Bus responder called InfoPipe, that allows the information
+ from the SSSD to be transmitted over the system bus.
+
+Package: sssd-ipa
+Architecture: any
+Depends:
+ libipa-hbac0 (= ${binary:Version}),
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-ad-common (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- IPA back end
+ Provides the IPA back end that the SSSD can utilize to fetch identity data
+ from and authenticate against an IPA server.
+
+Package: sssd-kcm
+Architecture: any
+Depends:
+ sssd-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: System Security Services Daemon -- Kerberos KCM server implementation
+ Provides an implementation of a Kerberos KCM server. Use this package if
+ you want to use the KCM: Kerberos credentials cache.
+
+Package: sssd-krb5
+Architecture: any
+Depends:
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- Kerberos back end
+ Provides the Kerberos back end that the SSSD can utilize authenticate
+ against a Kerberos server.
+
+Package: sssd-krb5-common
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Recommends: libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- Kerberos helpers
+ Provides helper processes that the LDAP and Kerberos back ends can use for
+ Kerberos user or host authentication.
+
+Package: sssd-ldap
+Architecture: any
+Depends:
+ libsss-idmap0 (= ${binary:Version}),
+ sssd-common (= ${binary:Version}),
+ sssd-krb5-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: ldap-utils
+Suggests: libsasl2-modules-ldap
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- LDAP back end
+ Provides the LDAP back end that the SSSD can utilize to fetch identity data
+ from and authenticate against an LDAP server.
+
+Package: sssd-proxy
+Architecture: any
+Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Breaks: sssd (<< 1.10.0~beta2-1)
+Replaces: sssd (<< 1.10.0~beta2-1)
+Description: System Security Services Daemon -- proxy back end
+ Provides the proxy back end which can be used to wrap an existing NSS and/or
+ PAM modules to leverage SSSD caching.
+
+Package: sssd-tools
+Architecture: any
+Depends:
+ python,
+ sssd-common (= ${binary:Version}),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: System Security Services Daemon -- tools
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provides tools to manage users, groups and nested groups when
+ using the local id provider.
+
+Package: libnss-sss
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: ${misc:Pre-Depends}
+Recommends: sssd
+Multi-Arch: same
+Description: Nss library for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the nss library to connect to the sssd daemon.
+
+Package: libpam-sss
+Architecture: any
+Depends:
+ libpam-pwquality (>= 1.2.2-1),
+ libpam-runtime (>= 1.0.1-6),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Recommends: sssd
+Multi-Arch: same
+Description: Pam module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide the pam module to connect to the sssd daemon.
+
+Package: libipa-hbac0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: FreeIPA HBAC Evaluator library
+ Utility library to validate FreeIPA HBAC rules for authorization requests.
+
+Package: libipa-hbac-dev
+Section: libdevel
+Architecture: any
+Depends: libipa-hbac0 (= ${binary:Version}), ${misc:Depends}
+Description: FreeIPA HBAC Evaluator library -- development files
+ Utility library to validate FreeIPA HBAC rules for authorization requests.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libipa-hbac library.
+
+Package: libsss-certmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: Certificate mapping library for SSSD
+ Library to map certificates to users based on rules.
+
+Package: libsss-certmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-certmap0 (= ${binary:Version}), ${misc:Depends}
+Description: Certificate mapping library for SSSD -- development files
+ Utility library to map certificates to users based on rules.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-certmap library.
+
+Package: libsss-idmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: ID mapping library for SSSD
+ Utility library to convert SIDs to Unix uids and gids.
+
+Package: libsss-idmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-idmap0 (= ${binary:Version}), ${misc:Depends}
+Description: ID mapping library for SSSD -- development files
+ Utility library to convert SIDs to Unix uids and gids.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-idmap library.
+
+Package: libsss-nss-idmap0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: SID based lookups library for SSSD
+ Utility library for SID based lookups.
+
+Package: libsss-nss-idmap-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-nss-idmap0 (= ${binary:Version}), ${misc:Depends}
+Description: SID based lookups library for SSSD -- development files
+ Utility library for SID based lookups.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-nss-idmap library.
+
+Package: libsss-sudo
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Replaces: libsss-sudo-dev (<= 1.9.3)
+Description: Communicator library for sudo
+ Utility library to allow communication between sudo and SSSD for caching
+ sudo rules by SSSD.
+
+Package: libsss-simpleifp0
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+ sssd-dbus (= ${binary:Version}),
+Description: SSSD D-Bus responder helper library
+ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
+
+Package: libsss-simpleifp-dev
+Section: libdevel
+Architecture: any
+Depends: libsss-simpleifp0 (= ${binary:Version}), ${misc:Depends}
+Description: SSSD D-Bus responder helper library -- development files
+ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libsss-simpleifp0 library.
+
+Package: libwbclient-sssd
+Section: libs
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: SSSD libwbclient implementation
+ The SSSD libwbclient implementation.
+
+Package: libwbclient-sssd-dev
+Section: libdevel
+Architecture: any
+Depends: libwbclient-sssd (= ${binary:Version}), ${misc:Depends},
+Description: SSSD libwbclient implementation -- development files
+ The SSSD libwbclient implementation.
+ .
+ This package contains header files and symlinks to develop programs which will
+ use the libwbclient-sssd library.
+
+Package: python-libipa-hbac
+Section: python
+Architecture: any
+Depends:
+ libipa-hbac0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python:Depends},
+ ${shlibs:Depends}
+Description: Python bindings for the FreeIPA HBAC Evaluator library
+ The libipa_hbac-python contains the bindings so that libipa_hbac can be
+ used by Python applications.
+ .
+ This package installs the library for Python 2.
+
+Package: python-libsss-nss-idmap
+Section: python
+Architecture: any
+Depends:
+ libsss-nss-idmap0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python:Depends},
+ ${shlibs:Depends}
+Description: Python bindings for the SID lookups library
+ This package contains the bindings for libnss_sss_idmap to be used by
+ Python applications.
+ .
+ This package installs the library for Python 2.
+
+Package: python-sss
+Section: python
+Architecture: any
+Depends: ${misc:Depends}, ${python:Depends}, ${shlibs:Depends}
+Provides: ${python:Provides}
+Recommends: sssd
+Description: Python module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide a module to access the configuration of the sssd daemon.
+ .
+ This package installs the library for Python 2.
+
+Package: python3-libipa-hbac
+Section: python
+Architecture: any
+Depends:
+ libipa-hbac0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python3:Depends},
+ ${shlibs:Depends}
+Description: Python3 bindings for the FreeIPA HBAC Evaluator library
+ The libipa_hbac-python contains the bindings so that libipa_hbac can be
+ used by Python applications.
+ .
+ This package installs the library for Python 3.
+
+Package: python3-libsss-nss-idmap
+Section: python
+Architecture: any
+Depends:
+ libsss-nss-idmap0 (= ${binary:Version}),
+ ${misc:Depends},
+ ${python3:Depends},
+ ${shlibs:Depends}
+Description: Python3 bindings for the SID lookups library
+ This package contains the bindings for libnss_sss_idmap to be used by
+ Python applications.
+ .
+ This package installs the library for Python 3.
+
+Package: python3-sss
+Section: python
+Architecture: any
+Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}
+Provides: ${python3:Provides}
+Recommends: sssd
+Description: Python3 module for the System Security Services Daemon
+ Provides a set of daemons to manage access to remote directories and
+ authentication mechanisms. It provides an NSS and PAM interface toward
+ the system and a pluggable backend system to connect to multiple different
+ account sources. It is also the basis to provide client auditing and policy
+ services for projects like FreeIPA.
+ .
+ This package provide a module to access the configuration of the sssd daemon.
+ .
+ This package installs the library for Python 3.
--- sssd-1.16.1.orig/debian/copyright
+++ sssd-1.16.1/debian/copyright
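Review bot: The `Vcs-Git` field at the end of the source stanza uses `git://anonscm.debian.org/pkg-sssd/sssd.git` and `Vcs-Browser` uses an `http://` URL; neither transport is authenticated or encrypted, so anyone who fetches the packaging of this authentication daemon through these fields has no integrity protection in transit. I would move both to `https://`, for example `Vcs-Git: https://anonscm.debian.org/git/pkg-sssd/sssd.git`; the exact https path is my assumption and should be confirmed against what the host serves. Separately, `check` and `libcmocka-dev` are commented out of Build-Depends, which presumably means the upstream unit tests cannot run during the package build, so a short comment above them such as `# test suite disabled at build time: <reason>` would tell the next maintainer whether that is deliberate.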
@@ -0,0 +1,222 @@
+This package was debianized by Mathias Gug on
+Wed, 05 Aug 2009 08:58:56 +0100.
+
+It was downloaded from https://pagure.io/SSSD/sssd/
+
+Upstream Authors:
+ Dmitri Pal
+ Jakub Hrozek
+ Simo Sorce
+ Stephen Gallagher
+ Sumit Bose
+
+Copyright:
+
+ Copyright (C) Red Hat 2008, 2009
+
+ Copyright (C) Dmitri Pal 2009
+ Copyright (C) Jakub Hrozek 2009
+ Copyright (C) Simo Sorce 2007, 2008, 2009
+ Copyright (C) Stephen Gallagher 2008,2009
+ Copyright (C) Sumit Bose 2009
+
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Andrew Tridgell 1992-2006
+ Copyright (C) James J Myers 2003
+ Copyright (C) Jelmer Vernooij 2002, 2006, 2007
+ Copyright (C) Jeremy Allison 1998-2002, 2007
+ Copyright (C) Martin Pool 2002
+ Copyright (C) Michael Adam 2008
+ Copyright (C) Tim Potter 2000
+ Copyright (c) 1997 Kungliga Tekniska Högskolan
+
+ Copyright (c) 1996-2005, The PostgreSQL Global Development Group
+ Copyright (c) 1994, The Regents of the University of California
+ Copyright (c) 1996-2007, PostgreSQL Global Development Group
+ Copyright (C) 1996-2001 Internet Software Consortium.
+
+
+License:
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+The Debian packaging is Copyright (C) Canonical Ltd 2009 and is licensed under
+the GPL-3 or later, see `/usr/share/common-licenses/GPL-3'.
+
+========================
+replace/repdir_getdents.c
+replace/test/testsuite.c
+replace/test/main.c
+replace/getpass.c
+replace/replace.c
+replace/socketpair.c
+replace/inet_ntoa.c
+replace/strptime.c
+replace/inet_aton.c
+replace/dlfcn.c
+replace/repdir_getdirentries.c
+common/collection/*
+common/ini/*
+========================
+License: LGPL3 or later - see `/usr/share/common-licenses/LGPL-3'.
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this library; if not, see .
+
+
+===================
+sss_client/group.c
+sss_client/common.c
+sss_client/passwd.c
+===================
+License: LGPL (v2.1 or later)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation; either version 2.1 of the
+ License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+ USA.
+
+
+=====================
+replace/getaddrinfo.c
+replace/getaddrinfo.h
+=====================
+
+ Permission to use, copy, modify, and distribute this software and its
+ documentation for any purpose, without fee, and without a written agreement
+ is hereby granted, provided that the above copyright notice and this paragraph
+ and the following two paragraphs appear in all copies.
+
+ IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
+ DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
+ LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION,
+ EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+ THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
+ ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS
+ TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
+
+===================
+replace/inet_pton.c
+replace/inet_ntop.c
+===================
+License: ISC
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+================
+replace/timegm.c
+================
+License: BSD (3 clause)
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ 3. Neither the name of the Institute nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+==================
+replace/snprintf.c
+==================
+
+ This code is based on code written by Patrick Powell (papowell@astart.com)
+ It may be used for any purpose as long as this notice remains intact
+ on all source code distributions
+
+===========================
+sss_client/sss_cli.h
+sss_client/protos.h
+sss_client/sss_pam_macros.h
+sss_client/sss_errno.h
+===========================
+
+ You can used this header file in any way you see fit provided copyright
+ notices are preserved.
+
+=============================
+server/resolv/ares/ares_dns.h
+=============================
+
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+
+=============================
+server/util/nss_sha512crypt.c
+=============================
+
+ Released into the Public Domain by Ulrich Drepper .
--- sssd-1.16.1.orig/debian/generate-config
+++ sssd-1.16.1/debian/generate-config
@@ -0,0 +1,135 @@ +#!/bin/sh + +# Generate sssd.conf setup dynamically based on autodetectet LDAP +# and Kerberos server. + +set -e + +# See if we can find an LDAP server. Prefer ldap.domain, but also +# accept SRV records if no ldap.domain server is found. +lookup_ldap_uri() { + domain="$1" + if ping -c2 ldap.$domain > /dev/null 2>&1; then + echo ldap://ldap.$domain + else + host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}' | head -1) + if [ "$host" ] ; then + echo ldap://$host | sed 's/\.$//' + fi + fi +} + +lookup_ldap_base() { + ldapuri="$1" + defaultcontext="$(ldapsearch -LLL -H "$ldapuri" -x -b '' -s base defaultNamingContext 2>/dev/null | awk '/^defaultNamingContext: / { print $2}')" + if [ -z "$defaultcontext" ] ; then + # If there are several contexts, pick the first one with + # posixAccount or posixGroup objects in it. + for context in $(ldapsearch -LLL -H "$ldapuri" -x -b '' \ + -s base namingContexts 2>/dev/null | \ + awk '/^namingContexts: / { print $2}') ; do + if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \ + '(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \ + egrep -q '^dn:|^Administrative limit exceeded' ; then + echo $context + return + fi + done + fi + echo $defaultcontext +} + +lookup_kerberos_server() { + domain="$1" + if ping -c2 kerberos.$domain > /dev/null 2>&1; then + echo kerberos.$domain + else + host=$(host -t SRV _kerberos._tcp.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1) + if [ "$host" ] ; then + echo $host | sed 's/\.$//' + fi + fi +} + +lookup_kerberos_realm() { + domain="$1" + realm=$(host -t txt _kerberos.$domain | grep -v NXDOMAIN | awk '{print $NF}'|head -1|tr -d '"') + if [ -z "$realm" ] ; then + realm=$(echo $domain | tr a-z A-Z) + fi + echo $realm +} + + +generate_config() { + if [ "$1" ] ; then + domain=$1 + else + domain="$(hostname -d)" + fi + kerberosrealm=$(lookup_kerberos_realm $domain) + ldapuri=$(lookup_ldap_uri "$domain") + if [ -z "$ldapuri" ]; 
then + # autodetection failed + return + fi + + ldapbase="$(lookup_ldap_base "$ldapuri")" + if [ -z "$ldapbase" ]; then + # autodetection failed + return + fi + kerberosserver=$(lookup_kerberos_server "$domain") + +cat <&2 + exit 1 + ;; +esac --- sssd-1.16.1.orig/debian/libpam-sss.install +++ sssd-1.16.1/debian/libpam-sss.install @@ -0,0 +1,2 @@ +lib/*/security/pam_sss.so +usr/share/man/man8/pam_sss.8* --- sssd-1.16.1.orig/debian/libpam-sss.pam-auth-update +++ sssd-1.16.1/debian/libpam-sss.pam-auth-update @@ -0,0 +1,22 @@ +Name: SSS authentication +Default: yes +Priority: 128 + +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_sss.so use_first_pass +Auth-Initial: + [success=end default=ignore] pam_sss.so forward_pass +Account-Type: Additional +Account: + sufficient pam_localuser.so + [default=bad success=ok user_unknown=ignore] pam_sss.so +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_sss.so +Password-Type: Primary +Password: + sufficient pam_sss.so use_authtok +Password-Initial: + sufficient pam_sss.so --- sssd-1.16.1.orig/debian/libpam-sss.postinst +++ sssd-1.16.1/debian/libpam-sss.postinst @@ -0,0 +1,40 @@ +#!/bin/sh +# postinst script for sssd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure) + pam-auth-update --package + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- sssd-1.16.1.orig/debian/libpam-sss.prerm +++ sssd-1.16.1/debian/libpam-sss.prerm 
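Review bot: Every value generate-config derives comes from an unauthenticated source: `lookup_ldap_uri` and `lookup_kerberos_server` accept a ping reply or a DNS SRV answer, `lookup_kerberos_realm` accepts a TXT record, and `lookup_ldap_base` binds anonymously (`-x`) over plain `ldap://`. Whoever can answer DNS or LDAP on the network where the script runs therefore selects the identity and authentication servers that end up in the generated configuration, and the script does not say so. I would add a header comment such as `# NOTE: results come from unauthenticated DNS/LDAP lookups; review the output before installing it as sssd.conf`. The posixAccount probe also passes `-H $ldapuri` unquoted while the other ldapsearch calls quote it, and `$domain` is unquoted throughout; `-H "$ldapuri"` and `"ldap.$domain"` would be consistent. The here-document in `generate_config` is not legible in this rendering, so the emitted settings themselves are not covered by this note.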
@@ -0,0 +1,8 @@
+#! /bin/sh -e
+
+
+if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ pam-auth-update --package --remove sss
+fi
+
+#DEBHELPER#
--- sssd-1.16.1.orig/debian/libsss-certmap-dev.install
+++ sssd-1.16.1/debian/libsss-certmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_certmap.h
+usr/lib/*/libsss_certmap.so
+usr/lib/*/pkgconfig/sss_certmap.pc
--- sssd-1.16.1.orig/debian/libsss-certmap0.install
+++ sssd-1.16.1/debian/libsss-certmap0.install
@@ -0,0 +1,2 @@
+usr/lib/*/libsss_certmap.so.*
+usr/share/man/man5/sss-certmap.5
--- sssd-1.16.1.orig/debian/libsss-idmap-dev.install
+++ sssd-1.16.1/debian/libsss-idmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_idmap.h
+usr/lib/*/libsss_idmap.so
+usr/lib/*/pkgconfig/sss_idmap.pc
--- sssd-1.16.1.orig/debian/libsss-idmap0.install
+++ sssd-1.16.1/debian/libsss-idmap0.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_idmap.so.*
--- sssd-1.16.1.orig/debian/libsss-nss-idmap-dev.install
+++ sssd-1.16.1/debian/libsss-nss-idmap-dev.install
@@ -0,0 +1,3 @@
+usr/include/sss_nss_idmap.h
+usr/lib/*/libsss_nss_idmap.so
+usr/lib/*/pkgconfig/sss_nss_idmap.pc
--- sssd-1.16.1.orig/debian/libsss-nss-idmap0.install
+++ sssd-1.16.1/debian/libsss-nss-idmap0.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_nss_idmap.so.*
--- sssd-1.16.1.orig/debian/libsss-simpleifp-dev.install
+++ sssd-1.16.1/debian/libsss-simpleifp-dev.install
@@ -0,0 +1,4 @@
+usr/include/sss_sifp*
+usr/lib/*/libsss_simpleifp.so
+usr/lib/*/pkgconfig/sss_simpleifp.pc
+
--- sssd-1.16.1.orig/debian/libsss-simpleifp0.install
+++ sssd-1.16.1/debian/libsss-simpleifp0.install
@@ -0,0 +1,2 @@
+usr/lib/*/libsss_simpleifp.so.*
+
--- sssd-1.16.1.orig/debian/libsss-sudo.install
+++ sssd-1.16.1/debian/libsss-sudo.install
@@ -0,0 +1 @@
+usr/lib/*/libsss_sudo.so
--- sssd-1.16.1.orig/debian/libsss-sudo.lintian-overrides
+++ sssd-1.16.1/debian/libsss-sudo.lintian-overrides
@@ -0,0 +1 @@
+shlib-without-versioned-soname usr/lib/*/libsss_sudo.so libsss_sudo.so
--- sssd-1.16.1.orig/debian/libsss-sudo.postinst
+++ sssd-1.16.1/debian/libsss-sudo.postinst
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ ldconfig
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+# This code was taken from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+# try to insert sss entries to the sudoers line in /etc/nsswitch.conf to
+# automatically enable libsss-sudo support; do not change the configuration
+# if the lines already references some sss lookups
+insert_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+
+ if grep -q ^sudoers /etc/nsswitch.conf; then
+ # append 'sss' to the end of the line if it's not found already
+ sed -i --regexp-extended '
+ /^(sudoers):/ {
+ /\bsss\b/! s/$/ sss/
+ }
+ ' /etc/nsswitch.conf
+ else
+ echo "sudoers: files sss" >> /etc/nsswitch.conf
+ fi
+}
+
+if [ "$1" = configure ] && [ -z "$2" ]; then
+ insert_nss_entry
+fi
+
+exit 0
--- sssd-1.16.1.orig/debian/libsss-sudo.postrm
+++ sssd-1.16.1/debian/libsss-sudo.postrm
@@ -0,0 +1,44 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+# This code was taken from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+remove_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ sed -i --regexp-extended '
+ /^(sudoers):/ {
+ s/\bsss\b//g
+ s/[[:space:]]+$//
+ }
+ ' /etc/nsswitch.conf
+
+ # delete sudoers line if only default entry left"
+ if ! [ -z "grep \"^sudoers: files$\" /etc/nsswitch.conf" ]; then
+ sed -i /^sudoers:/d /etc/nsswitch.conf
+ fi
+}
+
+case "$1" in
+ remove|purge)
+ remove_nss_entry
+ ldconfig
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
--- sssd-1.16.1.orig/debian/libwbclient-sssd-dev.install
+++ sssd-1.16.1/debian/libwbclient-sssd-dev.install
@@ -0,0 +1,3 @@
+usr/include/wbclient_sssd.h
+usr/lib/*/pkgconfig/wbclient_sssd.pc
+usr/lib/*/sssd/modules/libwbclient.so
--- sssd-1.16.1.orig/debian/libwbclient-sssd.install
+++ sssd-1.16.1/debian/libwbclient-sssd.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/modules/libwbclient.so.*
+
--- sssd-1.16.1.orig/debian/patches/GPO_CROND-customization.patch
+++ sssd-1.16.1/debian/patches/GPO_CROND-customization.patch
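Review bot: The cleanup test at the end of `remove_nss_entry` never runs grep: `[ -z "grep \"^sudoers: files$\" /etc/nsswitch.conf" ]` tests a literal, non-empty string, so the negated test is always true. The following `sed -i /^sudoers:/d` therefore deletes the sudoers line on every remove or purge, including a line that still lists sources other than `files`. Executing the command restores the intended check: `if grep -q '^sudoers:[[:space:]]*files$' /etc/nsswitch.conf; then`. The comment above it also carries a stray trailing quote.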
@@ -0,0 +1,41 @@ +Description: GPO: Allow customization of GPO_CROND per OS + For both Debian and Ubuntu, the cron PAM service is named "cron" instead + of "crond", denying the use of the service by default. + + This patch enables the HAVE_$OS (HAVE_DEBIAN/HAVE_FEDORA...) macros to select + the service name during build, allowing further customization if required. + +Author: Victor Tapia +Origin: upstream, https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524 +Bug-Ubuntu: https://launchpad.net/bugs/1572908 +--- a/src/external/platform.m4 ++++ b/src/external/platform.m4 +@@ -36,6 +36,14 @@ + AM_CONDITIONAL([HAVE_DEBIAN], [test x"$osname" = xdebian]) + AM_CONDITIONAL([HAVE_GENTOO], [test x"$osname" = xgentoo]) + ++AS_CASE([$osname], ++ [redhat], [AC_DEFINE_UNQUOTED([HAVE_REDHAT], 1, [Build with redhat config])], ++ [fedora], [AC_DEFINE_UNQUOTED([HAVE_FEDORA], 1, [Build with fedora config])], ++ [suse], [AC_DEFINE_UNQUOTED([HAVE_SUSE], 1, [Build with suse config])], ++ [gentoo], [AC_DEFINE_UNQUOTED([HAVE_GENTOO], 1, [Build with gentoo config])], ++ [debian], [AC_DEFINE_UNQUOTED([HAVE_DEBIAN], 1, [Build with debian config])], ++ [AC_MSG_NOTICE([Build with $osname config])]) ++ + AC_CHECK_MEMBERS([struct ucred.pid, struct ucred.uid, struct ucred.gid], , , + [[#include ]]) + +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -199,7 +199,11 @@ + #define GPO_SSHD "sshd" + #define GPO_FTP "ftp" + #define GPO_SAMBA "samba" ++#ifdef HAVE_DEBIAN ++#define GPO_CROND "cron" ++#else + #define GPO_CROND "crond" ++#endif + #define GPO_POLKIT "polkit-1" + #define GPO_SUDO "sudo" + #define GPO_SUDO_I "sudo-i" --- sssd-1.16.1.orig/debian/patches/fix-id-out-of-range-lookup.patch +++ sssd-1.16.1/debian/patches/fix-id-out-of-range-lookup.patch 
@@ -0,0 +1,117 @@ +From 2952de740f2ec1da9cbd682fb1d9219e5370e6a1 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: May 03 2018 20:02:44 +0000 +Subject: CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up + + +A fix for upstream bug #3569 and the domain-locator feature were both +developed in the context of the same upstream version and therefore +touched the same code, but the domain locator did not account for the +ERR_ID_OUTSIDE_RANGE error code. + +Therefore lookups for IDs that are outside the range for the domain +caused the whole lookup to fail instead of carrying on to the next +domain. + +This patch just handles ERR_ID_OUTSIDE_RANGE the same way as if the ID +was not found at all. Also some whitespace errors are fixed. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3728 + +Reviewed-by: Fabiano Fidêncio +Origin: upstream, https://pagure.io/SSSD/sssd/c/2952de7 +Bug: https://pagure.io/SSSD/sssd/issue/3728 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1807246 +Last-Update: 2019-01-15 +--- + +diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c +index 134688b..28b5633 100644 +--- a/src/responder/common/cache_req/cache_req.c ++++ b/src/responder/common/cache_req/cache_req.c +@@ -523,6 +523,7 @@ static void cache_req_locate_dom_cache_done(struct tevent_req *subreq) + DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n"); + tevent_req_done(req); + return; ++ case ERR_ID_OUTSIDE_RANGE: + case ENOENT: + /* Not cached and locator was requested, run the locator + * DP request plugin +diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c +index 2404168..d19ca89 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_common.c ++++ b/src/responder/common/cache_req/plugins/cache_req_common.c +@@ -27,7 +27,7 @@ + #include "responder/common/cache_req/cache_req_plugin.h" + + 
errno_t cache_req_idminmax_check(struct cache_req_data *data, +- struct sss_domain_info *domain) ++ struct sss_domain_info *domain) + { + if (((domain->id_min != 0) && (data->id < domain->id_min)) || + ((domain->id_max != 0) && (data->id > domain->id_max))) { +diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c +index 3fb8103..e0c6b65 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c ++++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@@ -85,7 +85,7 @@ cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx, + + ret = cache_req_idminmax_check(data, domain); + if (ret != EOK) { +- return ret; ++ return ret; + } + return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result); + } +diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c +index 252d89d..45d71b8 100644 +--- a/src/tests/cmocka/test_responder_cache_req.c ++++ b/src/tests/cmocka/test_responder_cache_req.c +@@ -1827,6 +1827,37 @@ void test_group_by_id_multiple_domains_notfound(void **state) + assert_true(test_ctx->dp_called); + } + ++void test_group_by_id_multiple_domains_outside_id_range(void **state) ++{ ++ struct cache_req_test_ctx *test_ctx = NULL; ++ struct sss_domain_info *domain = NULL; ++ struct sss_domain_info *domain_a = NULL; ++ ++ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); ++ ++ domain_a = find_domain_by_name(test_ctx->tctx->dom, ++ "responder_cache_req_test_a", true); ++ assert_non_null(domain_a); ++ domain_a->id_min = 1; ++ domain_a->id_max = 100; ++ ++ /* Setup group. */ ++ domain = find_domain_by_name(test_ctx->tctx->dom, ++ "responder_cache_req_test_d", true); ++ assert_non_null(domain); ++ prepare_group(domain, &groups[0], 1000, time(NULL)); ++ ++ /* Mock values. 
*/ ++ will_return_always(__wrap_sss_dp_get_account_send, test_ctx); ++ will_return_always(sss_dp_req_recv, 0); ++ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED); ++ ++ /* Test. */ ++ run_group_by_id(test_ctx, NULL, 0, ERR_OK); ++ assert_true(test_ctx->dp_called); ++ check_group(test_ctx, &groups[0], domain); ++} ++ + void test_group_by_id_multiple_domains_locator_cache_valid(void **state) + { + struct cache_req_test_ctx *test_ctx = NULL; +@@ -3970,6 +4001,7 @@ int main(int argc, const char *argv[]) + new_single_domain_test(group_by_id_missing_notfound), + new_multi_domain_test(group_by_id_multiple_domains_found), + new_multi_domain_test(group_by_id_multiple_domains_notfound), ++ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range), + + new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid), + new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired), + --- sssd-1.16.1.orig/debian/patches/series +++ sssd-1.16.1/debian/patches/series @@ -0,0 +1,3 @@ +#placeholder +fix-id-out-of-range-lookup.patch +GPO_CROND-customization.patch --- sssd-1.16.1.orig/debian/python-libipa-hbac.install +++ sssd-1.16.1/debian/python-libipa-hbac.install @@ -0,0 +1 @@ +usr/lib/python2*/dist-packages/pyhbac.so --- sssd-1.16.1.orig/debian/python-libsss-nss-idmap.install +++ sssd-1.16.1/debian/python-libsss-nss-idmap.install @@ -0,0 +1 @@ +usr/lib/python2*/dist-packages/pysss_nss_idmap.so --- sssd-1.16.1.orig/debian/python-sss.install +++ sssd-1.16.1/debian/python-sss.install @@ -0,0 +1,3 @@ +usr/lib/python2*/dist-packages/SSSDConfig/*.py +usr/lib/python2*/dist-packages/pysss.so +usr/lib/python2*/dist-packages/pysss_murmur.so --- sssd-1.16.1.orig/debian/python3-libipa-hbac.install +++ sssd-1.16.1/debian/python3-libipa-hbac.install @@ -0,0 +1 @@ +usr/lib/python3*/site-packages/pyhbac.so --- sssd-1.16.1.orig/debian/python3-libsss-nss-idmap.install +++ sssd-1.16.1/debian/python3-libsss-nss-idmap.install 
@@ -0,0 +1 @@
+usr/lib/python3*/site-packages/pysss_nss_idmap.so
--- sssd-1.16.1.orig/debian/python3-sss.install
+++ sssd-1.16.1/debian/python3-sss.install
@@ -0,0 +1,3 @@
+usr/lib/python3*/dist-packages/SSSDConfig/*.py
+usr/lib/python3*/site-packages/pysss.so
+usr/lib/python3*/site-packages/pysss_murmur.so
--- sssd-1.16.1.orig/debian/rules
+++ sssd-1.16.1/debian/rules
@@ -0,0 +1,104 @@ +#!/usr/bin/make -f +%: + dh $@ --with quilt,autoreconf,python2,python3,systemd \ + --builddirectory=build + +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + +CFLAGS = $(shell dpkg-buildflags --get CFLAGS) +CFLAGS += -I/usr/include/samba-4.0 + +export CK_DEFAULT_TIMEOUT=30 + +DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + +APIDOCDIR = /usr/share/sssd +DISTRIBUTION = $(shell lsb_release -i | sed 's/.*:\t//') +INIT = init +PKGDATE = $(shell dpkg-parsechangelog | \ + awk -F" " '/^Date/ { print $$4 "/" $$3 "/" $$5 }' | \ + sed 's/Jan/01/;s/Feb/02/;s/Mar/03/;s/Apr/04/;s/May/05/;s/Jun/06/;s/Jul/07/;s/Aug/08/;s/Sep/09/;s/Oct/10/;s/Nov/11/;s/Dec/12/;s/\//\\\//g') +CURDATE = $(shell date +%m/%d/%Y | sed 's/\//\\\//g') +export CK_VERBOSITY=verbose + +override_dh_auto_configure: + dh_auto_configure -- --enable-krb5-locator-plugin \ + --datadir=/usr/share/ \ + --with-environment-file=/etc/default/sssd \ + --with-ldb-lib-dir=/usr/lib/$(DEB_HOST_MULTIARCH)/ldb/modules/ldb \ + --with-krb5-plugin-path=/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/plugins/libkrb5 \ + --enable-nsslibdir=/lib/$(DEB_HOST_MULTIARCH) \ + --enable-pammoddir=/lib/$(DEB_HOST_MULTIARCH)/security \ + --enable-systemtap \ + --disable-static \ + --disable-rpath \ + --with-autofs \ + --with-ssh \ + --with-initscript=systemd \ + --with-systemdunitdir=/lib/systemd/system \ + --disable-files-domain \ + --with-sudo + +override_dh_auto_test: + export CK_TIMEOUT_MULTIPLIER=10 + dh_auto_test -- VERBOSE=yes + unset CK_TIMEOUT_MULTIPLIER + +override_dh_auto_install: + dh_auto_install --max-parallel=1 + +override_dh_fixperms: + dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child + +override_dh_install: + install -D -m755 $(CURDIR)/debian/generate-config \ + $(CURDIR)/debian/tmp/usr/share/sssd/generate-config + + mkdir -p $(CURDIR)/debian/libpam-sss/usr/share/pam-configs + install -m644 debian/libpam-sss.pam-auth-update \ + 
$(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss + install -m644 -D $(CURDIR)/debian/apparmor-profile \ + $(CURDIR)/debian/sssd-common/etc/apparmor.d/usr.sbin.sssd + + cat $(CURDIR)/debian/sssd-common.sssd.$(INIT).in > $(CURDIR)/debian/sssd-common.sssd.$(INIT) + + # remove files we don't want to install + find $(CURDIR)/debian/tmp/ -name '*.la' -exec rm '{}' ';' + find $(CURDIR)/debian/tmp/ -name '*.pyc' -exec rm '{}' ';' + find $(CURDIR)/debian/tmp/ -name '*.egg-info' -exec rm '{}' ';' + rm -f $(CURDIR)/debian/tmp/etc/rc.d/init.d/sssd + + # match nn/nn/nnnn, replace with the date from changelog + sed -i 's/[0-1][0-9]\/[0-3][0-9]\/[0-9][0-9][0-9][0-9]/${PKGDATE}/g' $(CURDIR)/debian/tmp/usr/share/man/man*/* + + for responder in autofs ifp nss pac pam-priv pam ssh sudo; do \ + rm -f $(CURDIR)/debian/tmp/lib/systemd/system/sssd-$$responder.service \ + $(CURDIR)/debian/tmp/lib/systemd/system/sssd-$$responder.socket; \ + done + + dh_install + +override_dh_missing: + dh_missing --fail-missing + +override_dh_python2: + dh_python2 --no-guessing-versions + +override_dh_installinit: + dh_apparmor -psssd-common --profile-name=usr.sbin.sssd + dh_installinit --name sssd --error-handler=invoke_failure + +override_dh_installdeb: + dh_installdeb + for pkg in sssd-common sssd-ipa sssd-krb5-common sssd-proxy; do \ + sed -i 's/@TRIPLET@/${DEB_HOST_MULTIARCH}/' \ + $(CURDIR)/debian/$$pkg/DEBIAN/postinst; \ + done + +override_dh_auto_clean: + dh_auto_clean + rm -f $(CURDIR)/debian/sssd-common.$(INIT) + rm -f $(CURDIR)/po/*.gmo + rm -f $(CURDIR)/src/config/*.pyc + rm -f $(CURDIR)/po/stamp-po --- sssd-1.16.1.orig/debian/source/format +++ sssd-1.16.1/debian/source/format @@ -0,0 +1 @@ +1.0 --- sssd-1.16.1.orig/debian/sssd-ad-common.install +++ sssd-1.16.1/debian/sssd-ad-common.install 
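Review bot: In `override_dh_auto_test` the `export CK_TIMEOUT_MULTIPLIER=10` line does not reach `dh_auto_test`, because make runs each recipe line in its own shell unless `.ONESHELL` is set, and the visible part of debian/rules does not set it; the trailing `unset` is likewise a no-op. Put the assignment on the command itself, `CK_TIMEOUT_MULTIPLIER=10 dh_auto_test -- VERBOSE=yes`, or export it at file level next to `export CK_DEFAULT_TIMEOUT=30`. As written the test suite runs without the multiplier, which is presumably what the line was meant to prevent on slow builders.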
@@ -0,0 +1,3 @@ +#lib/systemd/system/sssd-pac.service +#lib/systemd/system/sssd-pac.socket +usr/lib/*/sssd/sssd_pac --- sssd-1.16.1.orig/debian/sssd-ad-common.postinst +++ sssd-1.16.1/debian/sssd-ad-common.postinst @@ -0,0 +1,28 @@ +#!/bin/sh + +set -e + +case "$1" in + configure) + if dpkg --compare-versions "$2" lt-nl "1.16.0-4"; then + if [ -x "/usr/bin/deb-systemd-helper" ]; then + deb-systemd-helper purge sssd-pac.service >/dev/null + deb-systemd-helper unmask sssd-pac.service >/dev/null + deb-systemd-helper purge sssd-pac.socket >/dev/null + deb-systemd-helper unmask sssd-pac.socket >/dev/null + fi + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 --- sssd-1.16.1.orig/debian/sssd-ad.install +++ sssd-1.16.1/debian/sssd-ad.install @@ -0,0 +1,3 @@ +usr/lib/*/sssd/gpo_child +usr/lib/*/sssd/libsss_ad.so +usr/share/man/man5/sssd-ad.5* --- sssd-1.16.1.orig/debian/sssd-common.dirs +++ sssd-1.16.1/debian/sssd-common.dirs @@ -0,0 +1,12 @@ +etc/sssd +etc/sssd/conf.d +var/lib/sss +var/lib/sss/db +var/lib/sss/deskprofile +var/lib/sss/gpo_cache +var/lib/sss/mc +var/lib/sss/pipes +var/lib/sss/pipes/private +var/lib/sss/pubconf +var/lib/sss/secrets +var/log/sssd --- sssd-1.16.1.orig/debian/sssd-common.docs +++ sssd-1.16.1/debian/sssd-common.docs @@ -0,0 +1 @@ +BUILD.txt --- sssd-1.16.1.orig/debian/sssd-common.examples +++ sssd-1.16.1/debian/sssd-common.examples @@ -0,0 +1 @@ +src/examples/sssd-example.conf --- sssd-1.16.1.orig/debian/sssd-common.install +++ sssd-1.16.1/debian/sssd-common.install 
@@ -0,0 +1,63 @@ +etc/pam.d/sssd-shadowutils +lib/systemd/system/sssd.service +lib/systemd/system/sssd-secrets.service +lib/systemd/system/sssd-secrets.socket +#lib/systemd/system/sssd-sudo.service +#lib/systemd/system/sssd-sudo.socket +#lib/systemd/system/sssd-ssh.service +#lib/systemd/system/sssd-ssh.socket +#lib/systemd/system/sssd-autofs.service +#lib/systemd/system/sssd-autofs.socket +#lib/systemd/system/sssd-pam.service +#lib/systemd/system/sssd-pam.socket +#lib/systemd/system/sssd-pam-priv.socket +#lib/systemd/system/sssd-nss.service +#lib/systemd/system/sssd-nss.socket +usr/bin/sss_ssh_authorizedkeys +usr/bin/sss_ssh_knownhostsproxy +usr/lib/*/cifs-utils/cifs_idmap_sss.so +usr/lib/*/krb5/plugins/authdata/sssd_pac_plugin.so +usr/lib/*/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +usr/lib/*/ldb/modules/ldb/memberof.so +usr/lib/*/libnfsidmap/sss.so +usr/lib/*/samba/idmap/sss.so +usr/lib/*/sssd/conf/sssd.conf +usr/lib/*/sssd/libsss_cert.so +usr/lib/*/sssd/libsss_child.so +usr/lib/*/sssd/libsss_crypt.so +usr/lib/*/sssd/libsss_debug.so +usr/lib/*/sssd/libsss_files.so +usr/lib/*/sssd/libsss_krb5_common.so +usr/lib/*/sssd/libsss_ldap_common.so +usr/lib/*/sssd/libsss_semanage.so +usr/lib/*/sssd/libsss_simple.so +usr/lib/*/sssd/libsss_util.so +usr/lib/*/sssd/modules/libsss_autofs.so +usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so +usr/lib/*/sssd/p11_child +usr/lib/*/sssd/sss_signal +usr/lib/*/sssd/sssd_autofs +usr/lib/*/sssd/sssd_be +usr/lib/*/sssd/sssd_check_socket_activated_responders +usr/lib/*/sssd/sssd_nss +usr/lib/*/sssd/sssd_pam +usr/lib/*/sssd/sssd_secrets +usr/lib/*/sssd/sssd_ssh +usr/lib/*/sssd/sssd_sudo +usr/sbin/sssd +usr/share/locale/*/LC_MESSAGES/* +usr/share/man/man1/sss_ssh_authorizedkeys.1* +usr/share/man/man1/sss_ssh_knownhostsproxy.1* +usr/share/man/man5/sss_rpcidmapd.5* +usr/share/man/man5/sssd-files.5* +usr/share/man/man5/sssd-secrets.5* +usr/share/man/man5/sssd-session-recording.5* +usr/share/man/man5/sssd-simple.5* 
+usr/share/man/man5/sssd-sudo.5* +usr/share/man/man5/sssd-systemtap.5* +usr/share/man/man5/sssd.conf.5* +usr/share/man/man8/idmap_sss.8* +usr/share/man/man8/sssd.8* +usr/share/man/man8/sssd_krb5_locator_plugin.8* +usr/share/sssd/* +usr/share/systemtap \ No newline at end of file --- sssd-1.16.1.orig/debian/sssd-common.lintian-overrides +++ sssd-1.16.1/debian/sssd-common.lintian-overrides @@ -0,0 +1 @@ +manpage-has-errors-from-man usr/share/man/man5/sssd-ldap.5.* --- sssd-1.16.1.orig/debian/sssd-common.logrotate +++ sssd-1.16.1/debian/sssd-common.logrotate @@ -0,0 +1,11 @@ +/var/log/sssd/*.log { + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + postrotate + kill -HUP `cat /var/run/sssd.pid` > /dev/null 2>&1 || true + endscript +} --- sssd-1.16.1.orig/debian/sssd-common.maintscript +++ sssd-1.16.1/debian/sssd-common.maintscript @@ -0,0 +1,3 @@ +# the file was dropped post xenial but not yet cleaned up +# This can be dropped on a merge >18.04 +rm_conffile /etc/init/sssd.conf 1.15.3-3ubuntu1~ --- sssd-1.16.1.orig/debian/sssd-common.manpages +++ sssd-1.16.1/debian/sssd-common.manpages @@ -0,0 +1 @@ +usr/share/man/man*/* --- sssd-1.16.1.orig/debian/sssd-common.postinst +++ sssd-1.16.1/debian/sssd-common.postinst 
@@ -0,0 +1,105 @@ +#!/bin/sh +# postinst script for sssd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +OUT=/dev/null +HOME=/var/lib/sss +LIBDIR=/usr/lib/@TRIPLET@/sssd + +case "$1" in + configure) + if ! getent passwd sssd > $OUT; then + echo "Creating SSSD system user & group..." + adduser --quiet --system --home $HOME \ + --disabled-password --group \ + --gecos "SSSD system user" \ + sssd > $OUT + fi + chown sssd:sssd \ + $HOME/db \ + $HOME/gpo_cache \ + $HOME/mc \ + $HOME/pipes \ + $HOME/pipes/private \ + $HOME/pubconf \ + $HOME/secrets \ + /etc/sssd \ + /var/log/sssd + chown root:sssd $LIBDIR/p11_child + + chmod 4754 $LIBDIR/p11_child + chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf + chmod 751 $HOME/deskprofile + chmod 750 /var/log/sssd + chmod 711 /etc/sssd + chmod 700 $HOME/db $HOME/pipes/private $HOME/secrets + if [ -f /etc/sssd/sssd.conf ]; then + chown root:root /etc/sssd/sssd.conf + chmod 0600 /etc/sssd/sssd.conf + fi + + if dpkg --compare-versions "$2" lt-nl "1.16.0-4"; then + if [ -x "/usr/bin/deb-systemd-helper" ]; then + deb-systemd-helper purge sssd-autofs.service >/dev/null + deb-systemd-helper unmask sssd-autofs.service >/dev/null + deb-systemd-helper purge sssd-autofs.socket >/dev/null + deb-systemd-helper unmask sssd-autofs.socket >/dev/null + deb-systemd-helper purge sssd-nss.service >/dev/null + deb-systemd-helper unmask sssd-nss.service >/dev/null + deb-systemd-helper purge sssd-nss.socket >/dev/null + deb-systemd-helper unmask sssd-nss.socket >/dev/null + deb-systemd-helper purge sssd-pam.service >/dev/null + deb-systemd-helper unmask sssd-pam.service >/dev/null + deb-systemd-helper purge sssd-pam.socket >/dev/null + deb-systemd-helper unmask 
sssd-pam.socket >/dev/null + deb-systemd-helper purge sssd-pam-priv.socket >/dev/null + deb-systemd-helper unmask sssd-pam-priv.socket >/dev/null + deb-systemd-helper purge sssd-sudo.service >/dev/null + deb-systemd-helper unmask sssd-sudo.service >/dev/null + deb-systemd-helper purge sssd-sudo.socket >/dev/null + deb-systemd-helper unmask sssd-sudo.socket >/dev/null + deb-systemd-helper purge sssd-ssh.service >/dev/null + deb-systemd-helper unmask sssd-ssh.service >/dev/null + deb-systemd-helper purge sssd-ssh.socket >/dev/null + deb-systemd-helper unmask sssd-ssh.socket >/dev/null + fi + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +invoke_failure() { + # invoke-rc.d failed, likely because of a missing sssd.conf + if [ ! -s /etc/sssd/sssd.conf ]; then + echo "... because /etc/sssd/sssd.conf is not available yet" + fi +} + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- sssd-1.16.1.orig/debian/sssd-common.postrm +++ sssd-1.16.1/debian/sssd-common.postrm 
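Review bot: The `configure` branch gives `/etc/sssd` to `sssd:sssd` with mode 711 while `sssd.conf` inside it is set to `root:root` 0600; a directory's owner can rename or unlink its entries regardless of the file's own mode, so the file permissions alone do not keep the unprivileged sssd account from swapping the configuration file. Whether the daemon rejects a replaced file depends on an ownership check that is not visible here, so I would either leave the directory owned by root or add a comment stating why sssd must own it. Separately, `HOME=/var/lib/sss` reuses the standard environment variable name, which changes `$HOME` for `adduser`, `deb-systemd-helper` and the `#DEBHELPER#` snippets whenever HOME is already exported; a script-local name such as `SSSD_HOME` avoids that.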
@@ -0,0 +1,53 @@
+#!/bin/sh
+# postrm script for sssd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ purge)
+ rm -f /etc/sssd/sssd.conf
+ if [ -d /etc/sssd ]; then
+ rmdir --ignore-fail-on-non-empty /etc/sssd/
+ fi
+ rm -rf /var/log/sssd/
+ if getent group dirsrv > /dev/null; then
+ deluser --system sssd
+ fi
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# work around buggy dh_apparmor which doesn't do this for us
+if [ "$1" = "purge" ]; then
+ rmdir /etc/apparmor.d/force-complain 2>/dev/null || true
+ rmdir /etc/apparmor.d 2>/dev/null || true
+fi
+
+exit 0
--- sssd-1.16.1.orig/debian/sssd-common.preinst
+++ sssd-1.16.1/debian/sssd-common.preinst
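Review bot: The account removal in the `purge` branch is guarded by the wrong lookup: `getent group dirsrv` tests a group that presumably belongs to another package, not the account this branch deletes. On most systems the sssd user is therefore never removed, and where that group does exist `deluser --system sssd` runs even if the user is already gone, which aborts the purge under `set -e` if deluser returns an error. The guard should test the account itself, `if getent passwd sssd > /dev/null; then`. As far as this script shows, purge also leaves the contents of `/var/lib/sss` (cache databases, secrets) on disk; if that is intended, a comment saying so would help the next maintainer.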
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+set -e
+
+# Remove a no-longer used conffile
+# Copied from http://wiki.debian.org/DpkgConffileHandling
+rm_conffile() {
+ local PKGNAME="$1"
+ local CONFFILE="$2"
+
+ [ -e "$CONFFILE" ] || return 0
+
+ local md5sum="$(md5sum $CONFFILE | sed -e 's/ .*//')"
+ local old_md5sum="$(dpkg-query -W -f='${Conffiles}' $PKGNAME | \
+ sed -n -e "\' $CONFFILE ' { s/ obsolete$//; s/.* //; p }")"
+ if [ "$md5sum" != "$old_md5sum" ]; then
+ echo "Obsolete conffile $CONFFILE has been modified by you."
+ echo "Saving as $CONFFILE.dpkg-bak ..."
+ mv -f "$CONFFILE" "$CONFFILE".dpkg-bak
+ else
+ echo "Removing obsolete conffile $CONFFILE ..."
+ mv -f "$CONFFILE" "$CONFFILE".dpkg-del
+ fi
+}
+
+APP_PROFILE="usr.sbin.sssd"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+APP_DISABLE="/etc/apparmor.d/disable/$APP_PROFILE"
+
+inst_complain_profile() {
+ # Create a symlink to the yet-to-be-unpacked profile
+ mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+ ln -sf $APP_CONFFILE $APP_COMPLAIN
+}
+
+case "$1" in
+install)
+ # Force the AppArmor profile to complain mode on install
+ inst_complain_profile
+ ;;
+upgrade)
+ if dpkg --compare-versions "$2" le "1.0.5-1"; then
+ rm_conffile sssd "/etc/sssd/sssd.api.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-proxy.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-simple.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-ipa.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-local.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-krb5.conf"
+ rm_conffile sssd "/etc/sssd/sssd.api.d/sssd-ldap.conf"
+ fi
+ if dpkg --compare-versions "$2" lt "1.10.0~beta2-1"; then
+ inst_complain_profile
+ if [ -e "$APP_DISABLE" ]; then
+ rm -f "$APP_DISABLE"
+ fi
+ fi
+ ;;
+esac
+
+#DEBHELPER#
--- sssd-1.16.1.orig/debian/sssd-common.prerm
+++ sssd-1.16.1/debian/sssd-common.prerm
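Review bot: `inst_complain_profile` links the profile into `/etc/apparmor.d/force-complain`, and nothing in the visible maintainer scripts removes that link again (the postrm only tries `rmdir` on the directory), so the sssd profile records violations without blocking them until an administrator deletes the link. The one-line comment in the `install` branch does not tell the reader that this is the lasting default; I would extend it to something like `# Complain mode only logs denials; remove $APP_COMPLAIN and reload the profile to enforce it`. The upgrade branch additionally deletes `$APP_DISABLE`, which silently re-enables a profile an administrator may have disabled on purpose, and that deserves a comment explaining which older package version created the link. `md5sum $CONFFILE` and `ln -sf $APP_CONFFILE $APP_COMPLAIN` should quote their arguments, as the `mv` lines in `rm_conffile` already do.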
@@ -0,0 +1,9 @@
+#! /bin/sh -e
+
+invoke_failure() {
+ # invoke-rc.d failed
+ return
+}
+
+#DEBHELPER#
+
--- sssd-1.16.1.orig/debian/sssd-common.sssd.default
+++ sssd-1.16.1/debian/sssd-common.sssd.default
@@ -0,0 +1,5 @@
+# Defaults for sssd, installed at /etc/default/sssd by the maintainer scripts
+# This is only used for /etc/init.d/sssd
+
+# Additional options that are passed to the Daemon.
+DAEMON_OPTS="-D -f"
--- sssd-1.16.1.orig/debian/sssd-common.sssd.init.in
+++ sssd-1.16.1/debian/sssd-common.sssd.init.in
@@ -0,0 +1,86 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: sssd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Should-Start: $named
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: System Security Services Daemon
+# Description: Provides a set of daemons to manage access to
+# remote directories and authentication
+# mechanisms. It provides an NSS and PAM interface
+# toward the system and a pluggable backend system
+# to connect to multiple different account sources.
+### END INIT INFO
+# start on filesystem
+# stop on runlevel [06]
+
+DESCRIPTION="System Security Services Daemon"
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+NAME=sssd
+DAEMON_OPTS=""
+DAEMON=/usr/sbin/$NAME
+PIDFILE=/var/run/$NAME.pid
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+if [ -f /etc/default/sssd ] ; then
+ . /etc/default/sssd
+fi
+
+initdmain() {
+ case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESCRIPTION" "$NAME"
+ start_daemon -p $PIDFILE $DAEMON $DAEMON_OPTS
+ RC=$?
+ case "$RC" in
+ 0)
+ [ "$VERBOSE" != no ] && log_end_msg $RC
+ ;;
+ *)
+ # Report error also when VERBOSE=no
+ log_daemon_msg "Starting $DESCRIPTION" "$NAME"
+ log_end_msg $RC
+ ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESCRIPTION" "$NAME"
+ killproc -p $PIDFILE $DAEMON
+ RC=$?
+ case "$RC" in
+ 0)
+ [ "$VERBOSE" != no ] && log_end_msg $RC
+ ;;
+ *)
+ # Report error also when VERBOSE=no
+ log_daemon_msg "Stopping $DESCRIPTION" "$NAME"
+ log_end_msg $RC
+ ;;
+ esac
+ ;;
+ force-reload|restart)
+ $0 stop
+ $0 start
+ ;;
+ status)
+ status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+ esac
+}
+
+initdmain $@
+
+exit 0
--- sssd-1.16.1.orig/debian/sssd-dbus.install
+++ sssd-1.16.1/debian/sssd-dbus.install
@@ -0,0 +1,5 @@
+etc/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+#lib/systemd/system/sssd-ifp.service
+usr/lib/*/sssd/sssd_ifp
+usr/share/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+usr/share/man/man5/sssd-ifp.5
--- sssd-1.16.1.orig/debian/sssd-dbus.postinst
+++ sssd-1.16.1/debian/sssd-dbus.postinst
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ if dpkg --compare-versions "$2" lt-nl "1.16.0-4"; then
+ if [ -x "/usr/bin/deb-systemd-helper" ]; then
+ deb-systemd-helper purge sssd-ifp.service >/dev/null
+ deb-systemd-helper unmask sssd-ifp.service >/dev/null
+ fi
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
--- sssd-1.16.1.orig/debian/sssd-ipa.dirs
+++ sssd-1.16.1/debian/sssd-ipa.dirs
@@ -0,0 +1 @@
+var/lib/sss/keytabs
--- sssd-1.16.1.orig/debian/sssd-ipa.install
+++ sssd-1.16.1/debian/sssd-ipa.install
@@ -0,0 +1,3 @@
+usr/lib/*/sssd/libsss_ipa.so
+usr/lib/*/sssd/selinux_child
+usr/share/man/man5/sssd-ipa.5*
--- sssd-1.16.1.orig/debian/sssd-ipa.postinst
+++ sssd-1.16.1/debian/sssd-ipa.postinst
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/lib/@TRIPLET@/sssd
+
+case "$1" in
+ configure)
+ chown root:sssd $LIBDIR/selinux_child
+ chmod 4754 $LIBDIR/selinux_child
+ chown sssd:sssd /var/lib/sss/keytabs
+ chmod 700 /var/lib/sss/keytabs
+ ;;
+esac
+
+#DEBHELPER#
+
--- sssd-1.16.1.orig/debian/sssd-kcm.install
+++ sssd-1.16.1/debian/sssd-kcm.install
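Review bot: A failed start or stop is reported as success, because `initdmain` uses `RC` only for logging and the script then ends with an unconditional `exit 0`. For a daemon that serves NSS and PAM lookups, invoke-rc.d and the maintainer scripts should see that failure instead of a zero status. I would add `return $RC` after the inner `esac` of the `start)` and `stop)` branches and end the script with `initdmain "$@"` followed by `exit $?`; quoting `"$@"` also keeps the arguments from being word-split.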
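Review bot: The `chown root:sssd` and `chmod 4754` on `$LIBDIR/selinux_child` run on every `configure`, so a local dpkg-statoverride that drops the setuid bit or narrows the group is undone at each upgrade; sssd-krb5-common.postinst (`krb5_child`, `ldap_child`) and sssd-proxy.postinst (`proxy_child`) repeat the same pattern. Guard each helper with `if ! dpkg-statoverride --list "$LIBDIR/selinux_child" >/dev/null 2>&1; then` and a closing `fi` around the two commands, and quote `"$LIBDIR"`. A one-line comment recording why the helper is setuid root and that mode 4754 limits execution to root and group sssd would help anyone auditing setuid binaries on the system.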
@@ -0,0 +1,5 @@
+lib/systemd/system/sssd-kcm.service
+lib/systemd/system/sssd-kcm.socket
+usr/lib/*/sssd/sssd_kcm
+usr/share/sssd-kcm/kcm_default_ccache
+usr/share/man/man8/sssd-kcm.8
--- sssd-1.16.1.orig/debian/sssd-krb5-common.dirs
+++ sssd-1.16.1/debian/sssd-krb5-common.dirs
@@ -0,0 +1,2 @@
+var/lib/sss/pubconf/krb5.include.d
+
--- sssd-1.16.1.orig/debian/sssd-krb5-common.install
+++ sssd-1.16.1/debian/sssd-krb5-common.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/krb5_child
+usr/lib/*/sssd/ldap_child
--- sssd-1.16.1.orig/debian/sssd-krb5-common.postinst
+++ sssd-1.16.1/debian/sssd-krb5-common.postinst
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/lib/@TRIPLET@/sssd
+
+case "$1" in
+ configure)
+ chown root:sssd $LIBDIR/krb5_child $LIBDIR/ldap_child
+ chmod 4754 $LIBDIR/krb5_child $LIBDIR/ldap_child
+ ;;
+esac
+
+#DEBHELPER#
+
--- sssd-1.16.1.orig/debian/sssd-krb5.install
+++ sssd-1.16.1/debian/sssd-krb5.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/libsss_krb5.so
+usr/share/man/man5/sssd-krb5.5*
--- sssd-1.16.1.orig/debian/sssd-ldap.install
+++ sssd-1.16.1/debian/sssd-ldap.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/libsss_ldap.so
+usr/share/man/man5/sssd-ldap.5*
--- sssd-1.16.1.orig/debian/sssd-proxy.install
+++ sssd-1.16.1/debian/sssd-proxy.install
@@ -0,0 +1,2 @@
+usr/lib/*/sssd/libsss_proxy.so
+usr/lib/*/sssd/proxy_child
--- sssd-1.16.1.orig/debian/sssd-proxy.postinst
+++ sssd-1.16.1/debian/sssd-proxy.postinst
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+LIBDIR=/usr/lib/@TRIPLET@/sssd
+
+case "$1" in
+ configure)
+ chown root:sssd $LIBDIR/proxy_child
+ chmod 4754 $LIBDIR/proxy_child
+ ;;
+esac
+
+#DEBHELPER#
--- sssd-1.16.1.orig/debian/sssd-tools.install
+++ sssd-1.16.1/debian/sssd-tools.install
@@ -0,0 +1,26 @@
+usr/sbin/sss_cache
+usr/sbin/sss_debuglevel
+usr/sbin/sss_groupadd
+usr/sbin/sss_groupdel
+usr/sbin/sss_groupmod
+usr/sbin/sss_groupshow
+usr/sbin/sss_obfuscate
+usr/sbin/sss_override
+usr/sbin/sss_seed
+usr/sbin/sss_useradd
+usr/sbin/sss_userdel
+usr/sbin/sss_usermod
+usr/sbin/sssctl
+usr/share/man/man8/sss_cache.8*
+usr/share/man/man8/sss_debuglevel.8*
+usr/share/man/man8/sss_groupadd.8*
+usr/share/man/man8/sss_groupdel.8*
+usr/share/man/man8/sss_groupmod.8*
+usr/share/man/man8/sss_groupshow.8*
+usr/share/man/man8/sss_obfuscate.8*
+usr/share/man/man8/sss_override.8*
+usr/share/man/man8/sss_seed.8*
+usr/share/man/man8/sss_useradd.8*
+usr/share/man/man8/sss_userdel.8*
+usr/share/man/man8/sss_usermod.8*
+usr/share/man/man8/sssctl.8*
--- sssd-1.16.1.orig/debian/sssd.maintscript
+++ sssd-1.16.1/debian/sssd.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/logrotate.d/sssd 1.12.5-3~
--- sssd-1.16.1.orig/debian/tests/common-tests
+++ sssd-1.16.1/debian/tests/common-tests
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+run_common_tests() {
+ echo "Assert local user databases do not have our LDAP test data"
+ check_local_user "${ldap_user}"
+ check_local_group "${ldap_user}"
+ check_local_group "${ldap_group}"
+
+ echo "The LDAP user is known to the system via getent"
+ check_getent_user "${ldap_user}"
+
+ echo "The LDAP user's private group is known to the system via getent"
+ check_getent_group "${ldap_user}"
+
+ echo "The LDAP group ${ldap_group} is known to the system via getent"
+ check_getent_group "${ldap_group}"
+
+ echo "The id(1) command can resolve the group membership of the LDAP user"
+ #$ id -Gn testuser1
+ #testuser1 ldapusers
+ output=$(id -Gn ${ldap_user})
+ # XXX couldn't find a better way to make this comparison using just /bin/sh
+ if [ "${output}" != "${ldap_user} ${ldap_group}" ]; then
+ if [ "${output}" != "${ldap_group} ${ldap_user}" ]; then
+ die "Output doesn't match expected group membership: ${output}"
+ fi
+ fi
+}
--- sssd-1.16.1.orig/debian/tests/control
+++ sssd-1.16.1/debian/tests/control
@@ -0,0 +1,7 @@
+Tests: ldap-user-group-ldap-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release
+Restrictions: isolation-container, needs-root, allow-stderr
+
+Tests: ldap-user-group-krb5-auth
+Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
+Restrictions: isolation-container, needs-root, allow-stderr
--- sssd-1.16.1.orig/debian/tests/ldap-user-group-krb5-auth
+++ sssd-1.16.1/debian/tests/ldap-user-group-krb5-auth
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+myrealm="EXAMPLE.COM"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+kerberos_principal_pw="testuser1kerberos"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+create_realm "${myrealm}" "${myhostname}"
+create_krb_principal "${ldap_user}" "${kerberos_principal_pw}"
+configure_sssd_ldap_rfc2307_krb5_auth
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+# login works with the kerneros password
+echo "The Kerberos principal can login on a terminal"
+kdestroy > /dev/null 2>&1 || /bin/true
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${kerberos_principal_pw}" "${ldap_user}"@"${myrealm}"
--- sssd-1.16.1.orig/debian/tests/ldap-user-group-ldap-auth
+++ sssd-1.16.1/debian/tests/ldap-user-group-ldap-auth
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -ex
+
+. debian/tests/util
+. debian/tests/common-tests
+
+mydomain="example.com"
+myhostname="ldap.${mydomain}"
+mysuffix="dc=example,dc=com"
+admin_dn="cn=admin,${mysuffix}"
+admin_pw="secret"
+ldap_user="testuser1"
+ldap_user_pw="testuser1secret"
+ldap_group="ldapusers"
+
+adjust_hostname "${myhostname}"
+reconfigure_slapd
+generate_certs "${myhostname}"
+enable_ldap_ssl
+populate_ldap_rfc2307
+configure_sssd_ldap_rfc2307
+enable_pam_mkhomedir
+
+# tests begin here
+run_common_tests
+
+echo "The LDAP user can login on a terminal"
+/usr/bin/expect -f debian/tests/login.exp "${ldap_user}" "${ldap_user_pw}"
--- sssd-1.16.1.orig/debian/tests/login.exp
+++ sssd-1.16.1/debian/tests/login.exp
@@ -0,0 +1,74 @@
+#!/usr/bin/expect
+
+set timeout 10
+set user [lindex $argv 0]
+set password [lindex $argv 1]
+set principal [lindex $argv 2]
+
+set distribution [exec "lsb_release" "-is"]
+
+if { $distribution == "Ubuntu" } {
+ set welcome "Welcome to"
+} elseif { $distribution == "Debian" } {
+ set welcome "Debian GNU/Linux comes"
+} else {
+ puts "Unsupported linux distribution $distribution"
+ exit 1
+}
+
+spawn login
+expect "login:"
+send "$user\r"
+expect "Password:"
+send "$password\r"
+expect {
+ timeout
+ {
+ puts "Expect error: timeout after password\r\r"
+ exit 1
+ }
+ "Login incorrect"
+ {
+ puts "Expect error: incorrect credentials\r\r"
+ exit 1
+ }
+ "$welcome"
+}
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for prompt\r\r"
+ exit 1
+ }
+ "$ "
+}
+send "id -un\r"
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for 'id' result\r\r"
+ exit 1
+ }
+ "$user"
+}
+expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for prompt\r\r"
+ exit 1
+ }
+ "$ "
+}
+if { $principal != "" } {
+ send "klist\r"
+ expect {
+ timeout
+ {
+ puts "Expect error: timeout waiting for klist output\r\r"
+ exit 1
+ }
+ "Default principal: $principal"
+ }
+}
+send "logout\r"
+exit 0
--- sssd-1.16.1.orig/debian/tests/util
+++ sssd-1.16.1/debian/tests/util
@@ -0,0 +1,259 @@ +#!/bin/sh + +reconfigure_slapd() { + debconf-set-selections << EOF +slapd slapd/domain string ${mydomain} +slapd shared/organization string ${mydomain} +slapd slapd/password1 password ${admin_pw} +slapd slapd/password2 password ${admin_pw} +EOF + rm -rf /var/backups/*slapd* /var/backups/unknown*ldapdb + dpkg-reconfigure -fnoninteractive -pcritical slapd +} + +die() { + echo "ERROR" + echo "$@" + exit 1 +} + +enable_pam_mkhomedir() { + if ! grep -qE "^session.*pam_mkhomedir\.so" /etc/pam.d/common-session; then + echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common-session + fi +} + +adjust_hostname() { + local myhostname="$1" + + echo "${myhostname}" > /etc/hostname + hostname "${myhostname}" + if ! grep -qE "${myhostname}" /etc/hosts; then + # just so it's resolvable + echo "127.0.1.10 ${myhostname}" >> /etc/hosts + fi +} + +generate_certs() { + local cn="$1" + local cert="/etc/ldap/server.pem" + local key="/etc/ldap/server.key" + local cnf="/etc/ldap/openssl.cnf" + + cat > "$cnf" < /etc/ldap/ldap.conf < /etc/sssd/sssd.conf < /etc/sssd/sssd.conf < /etc/krb5kdc/kdc.conf < /etc/krb5.conf < /etc/krb5kdc/kadm5.acl + + # create the realm + kdb5_util create -s -P secretpassword + + # restart services + systemctl restart krb5-kdc.service krb5-admin-server.service +} + +create_krb_principal() { + local principal="$1" + local password="$2" + + kadmin.local -q "addprinc -pw ${password} ${principal}" +} + --- sssd-1.16.1.orig/debian/upstream/signing-key.asc +++ sssd-1.16.1/debian/upstream/signing-key.asc 
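Review bot: `create_realm` passes the KDC master password as the literal `secretpassword` on the `kdb5_util create -s -P` command line, whereas the other credentials in these tests are named variables set by the calling script. I would add a variable next to `admin_pw`, for example `kdc_master_pw="secretpassword"`, with a comment such as `# throwaway fixture credentials for the autopkgtest container; never reuse elsewhere`. `create_krb_principal` also interpolates `${password}` unquoted into the `kadmin.local -q` query, so a password containing a space would split the command, which is worth a comment on that function. The here-documents in this hunk are missing from the page, so this covers only the lines that are visible.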
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.3 + +mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MUXQDAKJM7 +MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0R+OiWh8d7ChCG6ri +v/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWXqZoZrm4lPlBZQltfhzdmvn8D +/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjgq9Knn4sE9lnGjtG4RCYMT2Sideognk9A +h5nWOGynwta6cluCEqlF6ORJPKpAeqG1a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/ +XtMoHSSyPi/Xum6R+jwISv7nTMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlS +B6tAqN0G7VL6AFcsiOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KN +tbnCrhS+Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv +emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iEYEEBECAAYFAkoAZ+EACgkQeiVVYja6o6PaUgCc +C1uIdzSouXkz/Hpc8WIq5bbdMCkAoIi6PtlzQuiCQgzN39VcFzIdnUfuiEYEEBECAAYFAkoA +aA0ACgkQWAkQHAJrbG8paQCgle0IkEHUEpBG3T+despZYg2KaIwAnRRsCazy6CeJfOuP0IVG +Y8FKWedYiEYEEBECAAYFAkoAcQUACgkQGliNByGNTpdfzgCfVdjXUF5AXkDJ78q2N9biKECo +GTEAoJWdxJJAI6kE54tSCay6LkqU49etiEgEEBECAAkFAkoAZiECBwAACgkQUDGHpI6P4rpH +YgCWJtMmuHsk2/znWsUfqALeXL3LXQCgpmRUJbjVee51ja2KSLRqslUZZ1KIXwQTEQIAIAUC +RcN19QIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEB7Gq3Uy57wlIcEAoKNgX8eyFiQn +ylJlOKUs7TJsxY4XAJiU6oXuJwZUMVPjZbcKiot+BqMKiQIcBBABAgAGBQJKAGrfAAoJEKqM +a5A1GvYd/CsP/1eHH2Ogbp9ycbPBc7pO5iLwBDPE81a4SMXqLcs0VS4Ps5d4gpjGo6CilNb6 +gi5GTK4gmpQqFHYmzRSacO5aYnwSeueGYpI+jMxDeQcbabwA9oquOhckYuQ4tM6Cmnwdiym4 +0RsIA+8zEnZuzQywUD7h/b1xRjoEeLAe24UPdF0qMypChdF0EGXhosaapmxhXe31F/qqa2uH +LUpECwJb417y9aVxDxtq4tnWh3kjpFMrLkX8NA2qMkBO9csI0lRVkDu+Ofs0V7yc3MjART2k +azYI7VkpVbqRc4QHnzfD3MLR2sgycEc5HQzJZYhe84AYATz8bqwptJlDi2pfEx11rHpVeGGN +/I2hjitsARsNUIopYyNdXpbwCk4xv2U+uZzGpgzpt/siU4t1oKHc+P2gJ5xrazRan3gEd6QF +XrWHq1+sdV4pUFM2R3UZt8z8NquRposHPn9ldNEpxNVkjbTZiY6D+f3yIUa43z6f4B2gWSuI +Gq2ayIVGSKaf+hxzFa9sFsMJ1VeGsYt9g3zxnWRFEJRup0/VasVCqkMan0YoXOJB5+R2Ie73 +WWfoLlv2KozPDL91D1sXhxschxHHnQ8ro3Nl80s+yCNINhBK3+UUZsE/THlU7KQvq2j8dy85 
+frWvjPylNddJsXGRzBVTu629Gkhm3glVMPrfi5CEZkuRC4FOiQIcBBABAgAGBQJNsBsGAAoJ +EK184QA5M3MO9bMP/R4d3Xvhx65ayuLTehyoi0CAdaCU6wbxvO922rzSu57i0JY2Ef14ZXF2 +2RDrkAPgbw6S+wF8GRT4NKvfYaVx9oYunvD1OTa5EfEjG2KvJrKOsOKUCD7yQxKXGhP7K8sc +AiuZk4rCgfX9+O4RpqRdl1/EqCEBzUZaU79RN/KLqapddtF0H4tyLWpWSyrQs8PjGRJmeh3J +7RuD7ZYC4XRtvpx3IDqn6+RCQFhb/EpGX7EwxbKgapmpD+9W2vqLHbM655w6/hc68J4bnE80 +DnZKc659HuNvRGitzS7ShbI+8h5TUHcxsEsQCnfKkrkfdQo79878IKBmlJKC1WqUBZbbvdIT +fVToL9dtShHiNoy4jVuxUoizEAXEIjdi52MHhAY5I6wWyrDOV9Ftg9ZLwa6MbH31EKUbRMmP +75y0ID4RQCINqP7HMu5vlHRBKAKC1Tf3DqRZJIU61v4A3WR6IMGNXaoVFbQwB6YXsOkJPiN1 +vgrqo42Z+rNRFFkCj341RJO2KNpjeUdeKVSyDmEb22wiRLEgXnmk902uOJN1HFcj7/JjlXGR +R24Zu0C97B+HNdlmWVnxJx/aNx2zkGnjdAjMLy1bosMJSPyAJVWnKU3TmrsB4raPeawbk8OS +mwzRCiIl9VDlBjaDK4E4+0I05/BNMWvsEMOeGeJdKU/OhWYPnoBWuQINBEXDdgAQCAC6qjQX +EfVe106L+pbq/61Z2pgcuP9/RWiqPVxulL5w4M1NpfX9d/gme/q+biU4bmAiSoPV7lQKkbmk +Mm8ySuljSVhGvlEagLb20dlhd8QFUSR2G5TtlNJBFqiK0rlNLCM6Ploq8VIcSMysJZwZJRqM +QJCREfBlvccrbCqoFasmOOM+2P7lxCD6wqntmnrFTeJmUyhV91iL/MZ6e6YKnlIybwJlnmBy +w1mGMi2RPDDkr/83orPjWgxjIeWCHTb0kPQsc+Appw/cp4QQPNIMTH9JIQXjMP8R8sMd6GBr ++fRmKw2bF3G578EjYubuqoY0O1X6prXukgnp899p9tIAphq3AAQLB/9K4yRk3fpQOyg6fTqo +itiLkkGyzew5+F4kSepQgQ7QkKnJv5+qKx2qhMkzQbmAWkK+5k4AKnPNW/RaOGUwjI+X/tS4 +/gpgjosaoABGo3GwdPsU3FPRS/pBHx8Y9CpV0UsUF3roQEv0+c63dENjC0mUP1ww1Q2nNYRe +MndEKTSVkXZ6WOk+W7Q6vnc66KiaaeGZyaPFHmC8x/ikupRGERnZTTKVGJOJMiTRjIgBKwOc +B/QEKUVfPiLipIPqMmWgqitELsy7zvGLUMbgwv4VgL/Z3ncjw6ocFGG01S38Zty2GwcPEWrm +JWk3HAMBfW+vrk9a/3ym9MycmaMgOF+DAkx0iEkEGBECAAkFAkXDdgACGwwACgkQHsardTLn +vCWU5wCgqQcHeUMVaVQ1xIt1EJDF+wILLvMAn0YtJTYbQdH6FBUyLY42isSL8TJM +=+iK5 +-----END PGP PUBLIC KEY BLOCK----- --- sssd-1.16.1.orig/debian/watch +++ sssd-1.16.1/debian/watch @@ -0,0 +1,4 @@ +#git=git://pagure.io/SSSD/sssd.git +version=3 +opts="uversionmangle=s/alpha/~alpha/;s/beta/~beta/,pgpsigurlmangle=s/$/.asc/" \ +https://releases.pagure.org/SSSD/sssd/sssd-(.*)\.tar\.gz --- sssd-1.16.1.orig/po/cs.po +++ sssd-1.16.1/po/cs.po 
@@ -0,0 +1,2738 @@ +# Zdenek , 2017. #zanata +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2017-07-25 11:53+0200\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"PO-Revision-Date: 2017-09-11 08:51-0400\n" +"Last-Translator: Zdenek \n" +"Language-Team: Czech\n" +"Language: cs\n" +"X-Generator: Zanata 3.9.6\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Regex to parse username and domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:112 +msgid "Negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind 
of messages are displayed to the user during authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses send the pam_sss" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids or user's name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate databse with PKCS#11 modules." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:104 +msgid "How many seconds will pam_sss wait for p11_child to finish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:105 +msgid "Which PAM services are permitted to contact application domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:108 +msgid "Whether to evaluate the time-based attributes in sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:109 +msgid "If true, SSSD will switch back to lower-wins ordering logic" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:115 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:120 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:124 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:128 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The URL Custodia server is listening on" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:134 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The value sssd-secrets would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "" +"The username to use when authenticating to a Custodia server using " +"basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The password to use when authenticating to a Custodia server using " +"basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"If false peer's certificate may contain different hostname then proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:148 +msgid "Identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:149 +msgid "Authentication provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Access control provider" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:151 +msgid "Password change provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "Host identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "SELinux provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:159 +msgid "Minimum user ID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:160 +msgid "Maximum user ID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Enable enumerating all users/groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Cache credentials for offline login" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Store password hashes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Display users/groups in fully-qualified form" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:166 +#: src/config/SSSDConfig/__init__.py.in:173 +#: src/config/SSSDConfig/__init__.py.in:174 +#: src/config/SSSDConfig/__init__.py.in:175 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +msgid "Entry cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +msgid "How long to wait for replies from DNS when resolving 
servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "The domain part of service discovery DNS query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "Override GID value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:179 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:180 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:181 +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:191 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "IPA server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:199 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:200 +msgid "IPA client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +#: src/config/SSSDConfig/__init__.py.in:226 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Objectclass for view containers" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:214 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:227 +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight 
policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "Option for tuing the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "Kerberos server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "Kerberos realm" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Authentication timeout" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:249 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:250 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Location of the 
keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:258 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:259 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "A mapping from user names to kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:273 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:274 +msgid "The default base DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "The default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:277 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:278 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:279 +msgid "Length of time to attempt connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Require TLS certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Specify the sasl mechanism to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "Specify the sasl authorization id to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "Use Kerberos auth for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "How to dereference aliases" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:298 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "" +"How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:309 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:312 +msgid "Length of time to wait for a search request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:314 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:317 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:318 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Filter for user lookups" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:321 +msgid "Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "UID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "GECOS attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Shell attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:330 +#: src/config/SSSDConfig/__init__.py.in:371 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +# auto translated by TM merge from project: Cockpit, version: rhel-7.4, DocId: cockpit +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "Full Name" +msgstr "Celé jméno" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "memberOf attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:343 +msgid 
"shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 
+msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:367 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:369 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:372 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "Maximum nesting level SSSd will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:383 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:385 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:392 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Upper bound for ID-mapping" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:398 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:418 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:419 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:423 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:424 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:429 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:430 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "Sudo rule runasuser attribute" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Default shell, /bin/bash" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:464 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:468 +msgid "PAM stack to use" +msgstr "" + +#: src/monitor/monitor.c:2469 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2471 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2474 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2476 src/tools/sss_debuglevel.c:72 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2478 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2481 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2645 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3032 src/providers/ldap/ldap_child.c:624 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3034 src/providers/ldap/ldap_child.c:626 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3036 src/providers/ldap/ldap_child.c:628 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3038 src/providers/ldap/ldap_child.c:630 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3041 src/providers/ldap/ldap_child.c:632 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3043 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3045 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3047 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3049 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3051 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3053 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3056 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3058 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/data_provider_be.c:507 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1015 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1018 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1021 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1024 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1029 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1035 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:68 +msgid "Permission denied. " +msgstr "" + +#: src/sss_client/pam_sss.c:69 src/sss_client/pam_sss.c:746 +#: src/sss_client/pam_sss.c:757 +msgid "Server message: " +msgstr "" + +# auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa +#: src/sss_client/pam_sss.c:264 +msgid "Passwords do not match" +msgstr "Hesla nejsou stejná." 
+ +#: src/sss_client/pam_sss.c:452 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:493 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:494 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:524 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:570 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:619 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:640 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:743 src/sss_client/pam_sss.c:756 +msgid "Password change failed. " +msgstr "" + +#: src/sss_client/pam_sss.c:1670 +msgid "New Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:1671 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:1783 src/sss_client/pam_sss.c:1786 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:1784 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:1787 +msgid "Second Factor: " +msgstr "" + +# auto translated by TM merge from project: anaconda, version: f25, DocId: main +#: src/sss_client/pam_sss.c:1792 +msgid "Password: " +msgstr "Heslo: " + +#: src/sss_client/pam_sss.c:1832 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2098 +msgid "Password expired. Change your password now." 
+msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:40 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:203 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 src/tools/sss_debuglevel.c:70 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:42 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:207 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:205 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:249 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:254 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:260 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid 
"Login shell" +msgstr "" + +# auto translated by TM merge from project: Cockpit, version: rhel-7.4, DocId: cockpit +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "Skupiny" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" 
+msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local domain." +"\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid 
"Transaction error. Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local domain." +"\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if 
the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid 
"Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/sss_debuglevel.c:41 +msgid "\n" +msgstr "" + +#: src/tools/sss_debuglevel.c:97 +msgid "Specify debug level you want to set\n" +msgstr "" + +#: src/tools/sss_debuglevel.c:103 +msgid "Only one argument expected\n" +msgstr "" + +#: src/tools/tools_util.c:204 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:311 +msgid "Out of memory\n" +msgstr "" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +# auto translated by TM merge from project: Cockpit, version: rhel-7.4, DocId: cockpit +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "ano" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +# auto translated by TM merge from project: firewalld, version: master, DocId: po/firewalld +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "chyba" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +# auto translated by TM merge from project: libosinfo, version: master, DocId: libosinfo +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "Název" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:511 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:527 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:555 +msgid "Specify name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:565 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:591 src/tools/sssctl/sssctl_cache.c:638 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:601 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exist, override?" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "" + +#: 
src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." +msgstr "" + +# auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "Nedostatek paměti\n" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:48 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:59 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:62 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:68 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:71 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:97 +#, c-format +msgid "Out of memory!" 
+msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:100 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:103 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid " - shell: %s\n" +"\n" 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InforPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "pam_open_session: %s\n" +"\n" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid "testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid "pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:74
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:76
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:84
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:86
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
--- sssd-1.16.1.orig/scripts/release.sh
+++ sssd-1.16.1/scripts/release.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+function config()
+{
+ autoreconf -i -f || return $?
+ ./configure
+}
+
+SAVED_PWD=$PWD
+version=`grep '\[VERSION_NUMBER], \[.*\]' version.m4 |grep '[0-9]\+\.[0-9]\+\.[0-9]\+' -o`
+tag=$(echo ${version} | tr "." "_")
+
+trap "cd $SAVED_PWD; rm -rf sssd-${version} sssd-${version}.tar" EXIT
+
+git archive --format=tar --prefix=sssd-${version}/ sssd-${tag} > sssd-${version}.tar
+if [ $? -ne 0 ]; then
+ echo "Cannot perform git-archive, check if tag $tag is present in git tree"
+ exit 1
+fi
+tar xf sssd-${version}.tar
+
+pushd sssd-${version}
+config || exit 1
+make dist-gzip || exit 1 # also builds docs
+popd
+
+mv sssd-${version}/sssd-${version}.tar.gz .
+gpg --detach-sign --armor sssd-${version}.tar.gz
+
--- sssd-1.16.1.orig/src/man/po/LINGUAS
+++ sssd-1.16.1/src/man/po/LINGUAS
@@ -0,0 +1,2 @@
+ca
+cs
--- sssd-1.16.1.orig/src/tests/cmocka/p11_nssdb_2certs/pkcs11.txt
+++ sssd-1.16.1/src/tests/cmocka/p11_nssdb_2certs/pkcs11.txt
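Review bot: Nothing checks that `version` was actually extracted from version.m4 before it is used, so an empty match leaves the EXIT trap running `rm -rf sssd- sssd-.tar` and `git archive` looking for a tag named `sssd-`. Add `[ -n "$version" ] || { echo "Cannot determine version from version.m4" >&2; exit 1; }` right after the `version=` line, and single-quote the trap with quoted paths, `trap 'cd "$SAVED_PWD"; rm -rf "sssd-${version}" "sssd-${version}.tar"' EXIT`, so a working directory containing spaces is not word-split. The script also signs whatever the tag resolves to; if release tags are signed, running `git verify-tag "sssd-${tag}"` before `git archive` would tie the detached signature to a verified tag.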
@@ -0,0 +1,4 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:../src/tests/cmocka/p11_nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
--- sssd-1.16.1.orig/src/tests/intg/.config/screenrc
+++ sssd-1.16.1/src/tests/intg/.config/screenrc
@@ -0,0 +1,23 @@
+autodetach on
+defscrollback 1024
+startup_message off
+nethack on
+vbell off
+vbell_msg " -- Bell,Bell!! -- "
+multiuser off
+msgminwait 0
+msgwait 10
+
+defutf8 on
+defencoding utf8
+
+hardstatus string '%{gk}[ %{G}%H %{g}][%= %{wk}%?%-Lw%?%{=b kR}(%{W}%n*%f %t%?(%u)%?%{=b kR})%{= kw}%?%+Lw%?%?%= %{g}]%{=b C}[ %d/%m %c ]%{W}'
+hardstatus alwayslastline
+
+setenv LD_LIBRARY_PATH "$_LD_LIBRARY_PATH"
+setenv LD_PRELOAD "$_LD_PRELOAD"
+
+screen -t / 0 sh -c 'cd $ROOT_DIR; exec "${SHELL:-sh}"'
+screen -t /etc 1 sh -c 'cd $ROOT_DIR/etc; exec "${SHELL:-sh}"'
+screen -t sssd_cache 3 sh -c 'cd $ROOT_DIR/var/lib/sss/db; exec "${SHELL:-sh}"'
+screen -t sssd_log 2 sh -c 'cd $ROOT_DIR/var/log/sssd; exec "${SHELL:-sh}"'
--- sssd-1.16.1.orig/src/tests/multihost/basic/README
+++ sssd-1.16.1/src/tests/multihost/basic/README
@@ -0,0 +1,19 @@
+This Directory contains Basic Multihost tests written using
+pytest using pytest-multihost plugin
+
+Following are the test cases:
+
+1. Check ssh login as LDAP user with Kerberos credentials
+2. Run kinit after user login
+3. Run kinit with KRB5CCNAME=KCM:
+4. Test Offline ssh login
+
+Requirements to run the test:
+
+1. Fedora 26/RHEL7.4/CentOS7.4 with pytest,pytest-multihost,
+paramaiko system as controller node
+
+2. Another Fedora26 system to be provisioned
+
+NOTE: Currently these tests can only be run inside internal Red Hat Network
+as there is no capability to provision systems upstream.
--- sssd-1.16.1.orig/src/tests/multihost/basic/conftest.py
+++ sssd-1.16.1/src/tests/multihost/basic/conftest.py
@@ -0,0 +1,206 @@
+from sssd.testlib.common.qe_class import session_multihost, create_testdir
+from sssd.testlib.common.libkrb5 import krb5srv
+from sssd.testlib.common.utils import sssdTools, PkiTools
+from sssd.testlib.common.libdirsrv import DirSrvWrap
+from sssd.testlib.common.exceptions import PkiLibException
+from sssd.testlib.common.authconfig import RedHatAuthConfig
+from sssd.testlib.common.utils import LdapOperations
+import pytest
+import ConfigParser
+import os
+import tempfile
+import ldap
+
+
+def pytest_namespace():
+ return {'num_masters': 1,
+ 'num_ad': 0,
+ 'num_atomic': 0,
+ 'num_replicas': 0,
+ 'num_clients': 0,
+ 'num_others': 0}
+
+
+@pytest.fixture(scope="class")
+def multihost(session_multihost, request):
+ return session_multihost
+
+
+@pytest.fixture(scope="session")
+def config_authconfig(session_multihost, request):
+ """ Run authconfig to configure Kerberos and SSSD auth on remote host """
+ authconfig = RedHatAuthConfig(session_multihost.master[0])
+ session_multihost.master[0].log.info("Take backup of current authconfig")
+ authconfig.backup('/root/authconfig_backup')
+ krbrealm = 'EXAMPLE.TEST'
+ kerberos_server = session_multihost.master[0].sys_hostname
+ authconfig.enable("sssd")
+ authconfig.enable("sssdauth")
+ authconfig.add_parameter("krb5kdc", kerberos_server)
+ authconfig.add_parameter("krb5adminserver", kerberos_server)
+ authconfig.add_parameter("krb5realm", krbrealm)
+ authconfig.execute()
+
+ def restore_authconfig():
+ """ Restore authconfig """
+ authconfig.restore('/root/authconfig_backup')
+ request.addfinalizer(restore_authconfig)
+
+
+@pytest.fixture(scope="session")
+def nssdir(session_multihost, request):
+ serverList = [session_multihost.master[0].sys_hostname]
+ pki_inst = PkiTools()
+ try:
+ certdb = pki_inst.createselfsignedcerts(serverList)
+ except PkiLibException as err:
+ return (err.msg, err.rval)
+ else:
+ return certdb
+
+
+@pytest.fixture(scope="session")
+def setup_ldap(session_multihost, nssdir, request):
+ ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True, ssldb=nssdir)
+ ds_obj.create_ds_instance('example1', 'dc=example,dc=test')
+
+ def remove_ldap():
+ ds_obj.remove_ds_instance('example1')
+ request.addfinalizer(remove_ldap)
+
+
+@pytest.fixture(scope="session")
+def setup_kerberos(session_multihost, request):
+ tools = sssdTools(session_multihost.master[0])
+ tools.config_etckrb5('EXAMPLE.TEST')
+ krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
+ krb.krb_setup_new()
+
+ def remove_kerberos():
+ krb.destroy_krb5server()
+ request.addfinalizer(remove_kerberos)
+
+
+@pytest.fixture(scope='class', autouse=True)
+def setup_sssd(session_multihost, request):
+ domain_section = 'domain/EXAMPLE.TEST'
+ ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
+ krb5_server = session_multihost.master[0].sys_hostname
+ cacert_loc = '/etc/openldap/cacerts/cacert.pem'
+ sssdConfig = ConfigParser.SafeConfigParser()
+ sssdConfig.optionxform = str
+ sssdConfig.add_section('sssd')
+ sssdConfig.set('sssd', 'domains', 'EXAMPLE.TEST')
+ sssdConfig.set('sssd', 'config_file_version', '2')
+ sssdConfig.set('sssd', 'services', 'nss, pam, ifp')
+ sssdConfig.add_section(domain_section)
+ sssdConfig.set(domain_section, 'enumerate', 'false')
+ sssdConfig.set(domain_section, 'id_provider', 'ldap')
+ sssdConfig.set(domain_section, 'ldap_uri', ldap_uri)
+ sssdConfig.set(domain_section, 'ldap_search_base', 'dc=example,dc=test')
+ sssdConfig.set(domain_section, 'ldap_tls_cacert', cacert_loc)
+ sssdConfig.set(domain_section, 'auth_provider', 'krb5')
+ sssdConfig.set(domain_section, 'krb5_server', krb5_server)
+ sssdConfig.set(domain_section, 'krb5_kpasswd', krb5_server)
+ sssdConfig.set(domain_section, 'krb5_realm', 'EXAMPLE.TEST')
+ sssdConfig.set(domain_section, 'debug_level', '9')
+ sssdConfig.add_section('nss')
+ sssdConfig.set('nss', 'debug_level', '9')
+ sssdConfig.add_section('pam')
+ sssdConfig.set('pam', 'debug_level', '9')
+ sssdConfig.add_section('secrets')
+ sssdConfig.set('secrets', 'debug_level', '9')
+ sssdConfig.add_section('kcm')
+ sssdConfig.set('kcm', 'debug_level', '9')
+ temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf', prefix='sssd')
+ with open(temp_file_path, "wb") as outfile:
+ sssdConfig.write(outfile)
+ session_multihost.master[0].transport.put_file(temp_file_path,
+ '/etc/sssd/sssd.conf')
+ chg_perm = 'chmod 600 /etc/sssd/sssd.conf'
+ session_multihost.master[0].run_command(chg_perm)
+ os.close(temp_fd)
+ try:
+ session_multihost.master[0].service_sssd('restart')
+ except Exception:
+ journalctl_cmd = "journalctl -x -n 50 --no-pager"
+ session_multihost.master[0].run_command(journalctl_cmd)
+ assert False
+ tools = sssdTools(session_multihost.master[0])
+ tools.enable_kcm()
+ session_multihost.master[0].run_command(['systemctl', 'start', 'sssd-kcm'])
+
+ def stop_sssd():
+ session_multihost.master[0].service_sssd('stop')
+ session_multihost.master[0].run_command(['systemctl',
+ 'stop',
+ 'sssd-kcm'])
+ sssd_cache = ['cache_%s.ldb' % ('EXAMPLE.TEST'), 'config.ldb',
+ 'sssd.ldb', 'timestamps_%s.ldb' % ('EXAMPLE.TEST')]
+ for cache_file in sssd_cache:
+ db_file = '/var/lib/sss/db/%s' % (cache_file)
+ session_multihost.master[0].run_command(['rm', '-f', db_file])
+ secrets_db = '/var/lib/sss/secrets/secrets.ldb'
+ session_multihost.master[0].run_command(['rm', '-f', secrets_db])
+ request.addfinalizer(stop_sssd)
+
+
+@pytest.fixture(scope='class', autouse=True)
+def create_posix_usersgroups(session_multihost):
+ ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
+ ds_rootdn = 'cn=Directory Manager'
+ ds_rootpw = 'Secret123'
+ ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+ krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
+ for i in range(10):
+ user_info = {'cn': 'foo%d' % i,
+ 'uid': 'foo%d' % i,
+ 'uidNumber': '1458310%d' % i,
+ 'gidNumber': '14564100'}
+ if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
+ krb.add_principal('foo%d' % i, 'user', 'Secret123')
+ else:
+ print("Unable to add ldap User %s" % (user_info))
+ assert False
+ memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
+ group_info = {'cn': 'ldapusers',
+ 'gidNumber': '14564100',
+ 'uniqueMember': memberdn}
+ try:
+ ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
+ except Exception:
+ assert False
+ group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
+ for i in range(1, 10):
+ user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
+ add_member = [(ldap.MOD_ADD, 'uniqueMember', user_dn)]
+ (ret, _) = ldap_inst.modify_ldap(group_dn, add_member)
+ assert ret == 'Success'
+
+
+@pytest.fixture(scope="session", autouse=True)
+def setup_session(request, session_multihost,
+ config_authconfig,
+ setup_ldap,
+ setup_kerberos):
+ tp = TestPrep(session_multihost)
+ tp.setup()
+
+ def teardown_session():
+ tp.teardown()
+ request.addfinalizer(teardown_session)
+
+
+class TestPrep(object):
+ def __init__(self, multihost):
+ self.multihost = multihost
+
+ def setup(self):
+ print("\n............Session Setup...............")
+ reqd_packages = '389-ds-base authconfig krb5-server krb5-workstation '\
+ 'sssd-kcm openldap-clients'
+ install_cmd = 'dnf -y install %s' % reqd_packages
+ self.multihost.master[0].run_command(install_cmd)
+
+ def teardown(self):
+ print("\n............Session Ends.................")
--- sssd-1.16.1.orig/src/tests/multihost/basic/mhc.yaml
+++ sssd-1.16.1/src/tests/multihost/basic/mhc.yaml
@@ -0,0 +1,9 @@
+windows_test_dir: '/home/Administrator'
+root_password: 'redhat'
+domains:
+ - name: testrealm.test
+ type: sssd
+ hosts:
+ - name: idm1.example.test
+ external_hostname: idm1.example.test
+ role: master
--- sssd-1.16.1.orig/src/tests/multihost/basic/test_basic.py
+++ sssd-1.16.1/src/tests/multihost/basic/test_basic.py
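Review bot: The `nssdir` fixture returns `(err.msg, err.rval)` when `createselfsignedcerts` raises `PkiLibException`, and `setup_ldap` then passes that tuple on as `DirSrvWrap(..., ssl=True, ssldb=nssdir)`, so a failed certificate-database build shows up later as an unrelated directory-server error instead of stopping the session. Fail at the source with `pytest.fail("NSS cert DB creation failed: %s (%s)" % (err.msg, err.rval))`. In `setup_sssd` the file created by `tempfile.mkstemp` is never deleted, which leaves a copy of the generated sssd.conf in the controller's temp directory after every run; add `os.remove(temp_file_path)` once `put_file` has returned. The bare `assert False` in the `except Exception:` branches of `setup_sssd` and `create_posix_usersgroups` also throws away the exception text; binding it with `as err` and calling `pytest.fail(str(err))` would keep the cause in the report.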
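Review bot: `root_password: 'redhat'` in mhc.yaml commits the provisioned host's root credential, and a weak, widely known one, to the source tree, so anyone who reuses the file against a host reachable outside the lab inherits it. Ship the file as a template with an obvious placeholder such as `root_password: '<set-locally>'`, and have the README tell the user to fill it in on a copy kept out of version control. The `domains` entry is named `testrealm.test` while conftest.py configures the realm `EXAMPLE.TEST`; if the name is meant to match the realm, the two should be aligned.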
@@ -0,0 +1,97 @@
+from sssd.testlib.common.utils import SSHClient
+import ConfigParser
+import paramiko
+import pytest
+import time
+
+
+class Test_basic_sssd(object):
+
+ def test_ssh_user_login(self, multihost):
+ """ Check ssh login as LDAP user with Kerberos credentials """
+ try:
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo1', password='Secret123')
+ except paramiko.ssh_exception.AuthenticationException:
+ pytest.fail("Authentication Failed as user %s" % ('foo1'))
+ else:
+ assert True
+ ssh.close()
+
+ def test_kinit(self, multihost):
+ """ Run kinit after user login """
+ try:
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo2', password='Secret123')
+ except paramiko.ssh_exception.AuthenticationException:
+ pytest.fail("Authentication Failed as user %s" % ('foo2'))
+ else:
+ (_, _, exit_status) = ssh.execute_cmd(args='kinit',
+ stdin='Secret123')
+ assert exit_status == 0
+ (stdout, _, _) = ssh.execute_cmd('klist')
+ for line in stdout.readlines():
+ print(line)
+ assert exit_status == 0
+ ssh.close()
+
+ def test_kinit_kcm(self, multihost):
+ """ Run kinit with KRB5CCNAME=KCM: """
+ try:
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo3', password='Secret123')
+ except paramiko.ssh_exception.AuthenticationException:
+ pytest.fail("Authentication Failed as user %s" % ('foo3'))
+ else:
+ (_, _, exit_status) = ssh.execute_cmd('KRB5CCNAME=KCM:; kinit',
+ stdin='Secret123')
+ assert exit_status == 0
+ (stdout, _, _) = ssh.execute_cmd('KRB5CCNAME=KCM:;klist')
+ for line in stdout.readlines():
+ if 'Ticket cache: KCM:14583103' in str(line.strip()):
+ assert True
+ break
+ else:
+ assert False
+ assert exit_status == 0
+ ssh.close()
+
+ def test_offline_ssh_login(self, multihost):
+ """ Test Offline ssh login """
+ multihost.master[0].transport.get_file('/etc/sssd/sssd.conf',
+ '/tmp/sssd.conf')
+ sssdconfig = ConfigParser.RawConfigParser()
+ sssdconfig.read('/tmp/sssd.conf')
+ domain_section = "%s/%s" % ('domain', 'EXAMPLE.TEST')
+ if domain_section in sssdconfig.sections():
+ sssdconfig.set(domain_section, 'cache_credentials', 'True')
+ sssdconfig.set(domain_section, 'krb5_store_password_if_offline',
+ 'True')
+ sssdconfig.set('pam', 'offline_credentials_expiration', '0')
+ with open('/tmp/sssd.conf', "wb") as fd:
+ sssdconfig.write(fd)
+ else:
+ print("Could not fetch sssd.conf")
+ assert False
+ multihost.master[0].transport.put_file('/tmp/sssd.conf',
+ '/etc/sssd/sssd.conf')
+ multihost.master[0].service_sssd('restart')
+ time.sleep(5)
+ try:
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo4', password='Secret123')
+ except paramiko.ssh_exception.AuthenticationException:
+ pytest.fail("Unable to authenticate as %s" % ('foo4'))
+ else:
+ ssh.close()
+ multihost.master[0].run_command(['systemctl',
+ 'stop',
+ 'dirsrv@example1'])
+ multihost.master[0].run_command(['systemctl', 'stop', 'krb5kdc'])
+ try:
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo4', password='Secret123')
+ except paramiko.ssh_exception.AuthenticationException:
+ pytest.fail("Unable to authenticate as %s" % ('foo4'))
+ else:
+ ssh.close()
--- sssd-1.16.1.orig/src/tests/python/MANIFEST.in
+++ sssd-1.16.1/src/tests/python/MANIFEST.in
@@ -0,0 +1,3 @@
+include README.rst
+recursive-include sssd/testlib/etc/ *
+recursive-include docs *
--- sssd-1.16.1.orig/src/tests/python/README.rst
+++ sssd-1.16.1/src/tests/python/README.rst
@@ -0,0 +1,4 @@
+sssd_qe_tests
+=============
+
+`sssd.testlib` is a library containing shared functions to automate `System Services Security Daemon (SSSD)` using pytest framework.
--- sssd-1.16.1.orig/src/tests/python/docs/Install.rst
+++ sssd-1.16.1/src/tests/python/docs/Install.rst
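Review bot: In test_basic.py, the last `assert exit_status == 0` in `test_kinit` and `test_kinit_kcm` re-checks the status of `kinit`, because the `klist` call throws its own status away with `(stdout, _, _)`; a failing `klist` goes unnoticed, and `test_kinit` only prints the cache listing. Capture the second status as well, `(stdout, _, exit_status) = ssh.execute_cmd('klist')`, and do the same in the KCM variant. In `test_kinit_kcm`, `'KRB5CCNAME=KCM:; kinit'` assigns a shell variable and then runs `kinit` as a separate command, so the value reaches `kinit` only if the variable is already exported in that session; `'KRB5CCNAME=KCM: kinit'` passes it explicitly. `test_offline_ssh_login` stages the daemon's configuration at the fixed path `/tmp/sssd.conf` on the test runner, where the conftest fixture uses `tempfile.mkstemp` and a `chmod 600` after upload; using the same pattern here avoids a predictable, shared-directory file. The test also leaves `dirsrv@example1` and `krb5kdc` stopped when it finishes.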
@@ -0,0 +1,47 @@
+Install
+=======
+* sssd.testlib is a python library which contains shared functions to be used with
+ py.test to automate System Services Security Daemon (SSSD).
+
+Dependencies
+------------
+sssd.testlib requires the following packages:
+
+1. python-paramiko
+2. python-pytest-multihost
+3. PyYAML
+4. pytest
+
+RHEL7
+-----
+To install above dependencies on RHEL7.4 get the:
+
+* python-paramiko package (available at Extras repo)
+
+* `pytest-multihost copr repo(epel7) `_ file::
+
+ $ wget -O /etc/yum.repos.d/pytest-multihost.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/python-pytest-multihost/repo/epel-7/mrniranjan-python-pytest-multihost-epel-7.repo
+ $ yum install python-pytest-multihost
+
+* `sssd-testlib copr repo(epel7) `_ file::
+
+ $ wget -O /etc/yum.repos.d/sssd-testlib.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/sssd-testlib/repo/epel-7/mrniranjan-sssd-testlib-epel-7.repo
+ $ yum install sssd-testlib
+
+Fedora
+------
+To install the above dependencies on Fedora get the:
+
+* `pytest-multihost copr repo(F26) `_ file::
+
+ $ wget -O /etc/yum.repos.d/pytest-multihost.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/python-pytest-multihost/repo/fedora-24/mrniranjan-python-pytest-multihost-fedora-24.repo
+ $ dnf install python-pytest-multihost
+
+* `sssd-testlib copr repo(f26) `_ file::
+
+ $ wget -O /etc/yum.repos.d/sssd-testlib.repo \
+ https://copr.fedorainfracloud.org/coprs/mrniranjan/sssd-testlib/repo/fedora-24/mrniranjan-sssd-testlib-fedora-24.repo
+ $ dnf install sssd-testlib
--- sssd-1.16.1.orig/src/tests/python/docs/Makefile
+++ sssd-1.16.1/src/tests/python/docs/Makefile
@@ -0,0 +1,188 @@ +SPHINXOPTS = +SPHINXBUILD = sphinx-build +PAPER = +BUILDDIR = docs + +# User-friendly check for sphinx-build +ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1) +$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/) +endif + +# Internal variables. +PAPEROPT_a4 = -D latex_paper_size=a4 +PAPEROPT_letter = -D latex_paper_size=letter +ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . +# the i18n builder cannot share the environment and doctrees with the others +I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . + +.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext + +help: + @echo "Please use \`make ' where is one of" + @echo " html to make standalone HTML files" + @echo " dirhtml to make HTML files named index.html in directories" + @echo " singlehtml to make a single large HTML file" + @echo " pickle to make pickle files" + @echo " json to make JSON files" + @echo " htmlhelp to make HTML files and a HTML help project" + @echo " qthelp to make HTML files and a qthelp project" + @echo " applehelp to make an Apple Help Book" + @echo " devhelp to make HTML files and a Devhelp project" + @echo " epub to make an epub" + @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" + @echo " latexpdf to make LaTeX files and run them through pdflatex" + @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx" + @echo " text to make text files" + @echo " man to make manual pages" + @echo " texinfo to make Texinfo files" + @echo " info to make Texinfo files and run them through makeinfo" + @echo " 
gettext to make PO message catalogs" + @echo " changes to make an overview of all changed/added/deprecated items" + @echo " xml to make Docutils-native XML files" + @echo " pseudoxml to make pseudoxml-XML files for display purposes" + @echo " linkcheck to check all external links for integrity" + @echo " doctest to run all doctests embedded in the documentation (if enabled)" + @echo " coverage to run coverage check of the documentation (if enabled)" + +clean: + rm -rf $(BUILDDIR)/* + +html: + $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." + +dirhtml: + $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." + +singlehtml: + $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml + @echo + @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." + +pickle: + $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle + @echo + @echo "Build finished; now you can process the pickle files." + +json: + $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json + @echo + @echo "Build finished; now you can process the JSON files." + +htmlhelp: + $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp + @echo + @echo "Build finished; now you can run HTML Help Workshop with the" \ + ".hhp project file in $(BUILDDIR)/htmlhelp." + +qthelp: + $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp + @echo + @echo "Build finished; now you can run "qcollectiongenerator" with the" \ + ".qhcp project file in $(BUILDDIR)/qthelp, like this:" + @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/Nexus.qhcp" + @echo "To view the help file:" + @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/Nexus.qhc" + +applehelp: + $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp + @echo + @echo "Build finished. The help book is in $(BUILDDIR)/applehelp." + @echo "N.B. 
You won't be able to view it unless you put it in" \ + "~/Library/Documentation/Help or install it in your application" \ + "bundle." + +devhelp: + $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp + @echo + @echo "Build finished." + @echo "To view the help file:" + @echo "# mkdir -p $$HOME/.local/share/devhelp/Nexus" + @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/Nexus" + @echo "# devhelp" + +epub: + $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub + @echo + @echo "Build finished. The epub file is in $(BUILDDIR)/epub." + +latex: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo + @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." + @echo "Run \`make' in that directory to run these through (pdf)latex" \ + "(use \`make latexpdf' here to do that automatically)." + +latexpdf: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through pdflatex..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." + +latexpdfja: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through platex and dvipdfmx..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." + +text: + $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text + @echo + @echo "Build finished. The text files are in $(BUILDDIR)/text." + +man: + $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man + @echo + @echo "Build finished. The manual pages are in $(BUILDDIR)/man." + +texinfo: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo + @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." + @echo "Run \`make' in that directory to run these through makeinfo" \ + "(use \`make info' here to do that automatically)." 
+ +info: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo "Running Texinfo files through makeinfo..." + make -C $(BUILDDIR)/texinfo info + @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." + +gettext: + $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale + @echo + @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." + +changes: + $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes + @echo + @echo "The overview file is in $(BUILDDIR)/changes." + +linkcheck: + $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck + @echo + @echo "Link check complete; look for any errors in the above output " \ + "or in $(BUILDDIR)/linkcheck/output.txt." + +doctest: + $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest + @echo "Testing of doctests in the sources finished, look at the " \ + "results in $(BUILDDIR)/doctest/output.txt." + +coverage: + $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage + @echo "Testing of coverage in the sources finished, look at the " \ + "results in $(BUILDDIR)/coverage/python.txt." + +xml: + $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml + @echo + @echo "Build finished. The XML files are in $(BUILDDIR)/xml." + +pseudoxml: + $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml + @echo + @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml." --- sssd-1.16.1.orig/src/tests/python/docs/MultihostPlugin.rst +++ sssd-1.16.1/src/tests/python/docs/MultihostPlugin.rst 
@@ -0,0 +1,27 @@
+pytest multihost plugin doc
+===========================
+
+pytest_multihost.config
+-----------------------
+.. automodule:: pytest_multihost.config
+ :members:
+
+pytest_multihost.plugin
+-----------------------
+.. automodule:: pytest_multihost.plugin
+ :members:
+
+pytest_multihost.transport
+--------------------------
+.. automodule:: pytest_multihost.transport
+ :members:
+
+pytest_multihost.util
+---------------------
+.. automodule:: pytest_multihost.util
+ :members:
+
+pytest_multihost.host
+---------------------
+.. automodule:: pytest_multihost.host
+ :members:
--- sssd-1.16.1.orig/src/tests/python/docs/conf.py
+++ sssd-1.16.1/src/tests/python/docs/conf.py
@@ -0,0 +1,314 @@ +# -*- coding: utf-8 -*- +# +# sssd-qe tests documentation build configuration file, created by +# sphinx-quickstart on Thu Apr 2 23:33:29 2015. +# +# This file is execfile()d with the current directory set to its +# containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +import sys +import os +import shlex + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +# sys.path.insert(0, os.path.abspath('.')) + +# -- General configuration ------------------------------------------------ + +# If your documentation needs a minimal Sphinx version, state it here. +# needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be +# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom +# ones. + + +def skip(app, what, name, obj, skip, options): + if name == "__init__": + return False + return skip + + +def setup(app): + app.connect("autodoc-skip-member", skip) + +# extensions = [ +# 'sphinx.ext.todo', +# 'sphinx.ext.viewcode', +# 'sphinx.ext.autodoc', +# 'numpydoc', +# 'sphinx.ext.autosummary', +# ] +extensions = [ + 'sphinx.ext.autodoc', + 'sphinx.ext.mathjax', + 'sphinx.ext.viewcode', + 'numpydoc', + 'sphinx.ext.autosummary', + 'sphinx.ext.doctest', + 'sphinx.ext.inheritance_diagram'] + + +autoclass_content = 'both' + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix(es) of source filenames. +# You can specify multiple suffix as a list of string: +# source_suffix = ['.rst', '.md'] +source_suffix = '.rst' +numpydoc_show_class_members = False +# The encoding of source files. 
+# source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. +project = u'sssd-qe-tests' +copyright = u'2015, Red Hat' +author = u'SSSD QE' + +# The version info for the project you're documenting, acts as replacement for +# |version| and |release|, also used in various other places throughout the +# built documents. +# +# The short X.Y version. +version = '0.1' +# The full version, including alpha/beta/rc tags. +release = '1' + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +# +# This is also used if you do content translation via gettext catalogs. +# Usually you set "language" from the command line for these cases. +language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +# today = '' +# Else, today_fmt is used as the format for a strftime call. +# today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = ['_build'] + +# The reST default role (used for this markup: `text`) to use for all +# documents. +# default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +# add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +# add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +# show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + +# A list of ignored prefixes for module index sorting. +# modindex_common_prefix = [] + +# If true, keep warnings as "system message" paragraphs in the built documents. 
+# keep_warnings = False + +# If true, `todo` and `todoList` produce output, else they produce nothing. +todo_include_todos = True + + +# -- Options for HTML output ---------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +# html_theme = 'flask' +# html_theme = 'sphinx_rtd_theme' +html_theme = 'classic' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +# html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +# html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# " v documentation". +# html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +# html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +# html_logo = None + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +# html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +# html_static_path = ['_static'] + +# Add any extra paths that contain custom files (such as robots.txt or +# .htaccess) here, relative to this directory. These files are copied +# directly to the root of the documentation. +# html_extra_path = [] + +# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, +# using the given strftime format. +# html_last_updated_fmt = '%b %d, %Y' + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. 
+# html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. +# html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +# html_additional_pages = {} + +# If false, no module index is generated. +# html_domain_indices = True + +# If false, no index is generated. +# html_use_index = True + +# If true, the index is split into individual pages for each letter. +# html_split_index = False + +# If true, links to the reST sources are added to the pages. +# html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +# html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +# html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +# html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +# html_file_suffix = None + +# Language to be used for generating the HTML full-text search index. +# Sphinx supports the following languages: +# 'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja' +# 'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr' +# html_search_language = 'en' + +# A dictionary with options for the search language support, empty by default. +# Now only 'ja' uses this config value +# html_search_options = {'type': 'default'} + +# The name of a javascript file (relative to the configuration directory) that +# implements a search results scorer. If empty, the default will be used. +# html_search_scorer = 'scorer.js' + +# Output file base name for HTML help builder. +htmlhelp_basename = 'sssd-testsdoc' + +# -- Options for LaTeX output --------------------------------------------- + +latex_elements = { + # The paper size ('letterpaper' or 'a4paper'). 
+ # 'papersize': 'letterpaper', + + # The font size ('10pt', '11pt' or '12pt'). + # 'pointsize': '10pt', + + # Additional stuff for the LaTeX preamble. + # 'preamble': '', + + # Latex figure (float) alignment + # 'figure_align': 'htbp', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, +# author, documentclass [howto, manual, or own class]). +latex_documents = [ + (master_doc, 'sssd-qe-tests.tex', u'sssd-qe-tests Documentation', + u'SSSD QE', 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +# latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +# latex_use_parts = False + +# If true, show page references after internal links. +# latex_show_pagerefs = False + +# If true, show URL addresses after external links. +# latex_show_urls = False + +# Documents to append as an appendix to all manuals. +# latex_appendices = [] + +# If false, no module index is generated. +# latex_domain_indices = True + + +# -- Options for manual page output --------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +# man_pages = [ +# (master_doc, 'nexus', u'sssd-qe-tests Documentation', +# [author], 1) +# ] + +# If true, show URL addresses after external links. +# man_show_urls = False + + +# -- Options for Texinfo output ------------------------------------------- + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + (master_doc, 'sssd-qe-tests', u'sssd-qe-tests Documentation', + author, 'sssd-qe-tests', 'One line description of project.', + 'Miscellaneous'), +] + +# Documents to append as an appendix to all manuals. 
+# texinfo_appendices = [] + +# If false, no module index is generated. +# texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. +# texinfo_show_urls = 'footnote' + +# If true, do not generate a @detailmenu in the "Top" node's menu. +# texinfo_no_detailmenu = False --- sssd-1.16.1.orig/src/tests/python/docs/ds_389.rst +++ sssd-1.16.1/src/tests/python/docs/ds_389.rst 
@@ -0,0 +1,456 @@ +Examples of using libdirsrv module from sssd.testlib.common +=========================================================== +* sssd-testlib provides module libdirsrv which creates/removes directory server instances. + + +Design +------ +* libdirsrv module consists of 2 classes the base class DirSrv and wrapper class DirSrvWrap. + +* DirSrv class consists of methods to create DS config file, setup Directory Server, enable SSL + in Directory server and remove DS instances. This class is very generic and all the details like + instance name, hostname, suffix, LDAP and TLS ports should be provided. + +* DirSrvWrap is a wrapper class of DirSrv, it sets up some default values like LDAP and TLS ports, + suffix, set SELinux label ldap_t on LDAP and TLS ports etc. + +* The wrapper class allows to create multiple instances without worrying about what ports to be used + for each instance. Port for unencrypted LDAP ports are chosen from the below list: + `[389, 1389, 2389, 3389, 4389, 30389, 31389, 32389, 33389, 34389, 35389, 36389, 37389, 38389, 39389]` + + and TLS ports are chosen from below list: + `[636, 1636, 2636, 3636, 4636, 30636, 31636, 32636, 33636, 34636, 35636, 36636, 37636, 38636, 39636]` + +* Though ports can be passed manually but user must verify if those ports are available. + +* The default suffix is 'dc=example,dc=org' + +* To enable SSL for a Directory Server instance a directory containing the CA and server certs (created on the + host with DS instance) should be passed. To create these certs, PkiTools module can be used. PkiTools has + method `createselfsignedcerts` which creates self-signed certs (CA and server-cert for each host). These + certs are copied to host on which Directory server instance should be created + and `setup_certs` method of DirSrv class adds these certs to NSS DB of that + specific instance and enables TLS on Directory Server. 
+ +* below are some of the examples of setting up DS instance in pytest + +Example-1: Setup DS instance on single host +------------------------------------------- +* create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1 + external_hostname: client1.example.test + ip: 192.168.122.60 + role: client + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libdirsrv import DirSrvWrap + import pytest + + def pytest_namespace(): + return {'num_masters': 0, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + +* add a fixture specified as below in conftest.py:: + + @pytest.fixture(scope="class") + def setup_ldap(session_multihost): + ds_obj = DirSrvWrap(session_multihost.client[0]) + return ds_obj + +* session_multihost is the session fixture which gets activated when + py.test is run with --multihost-config=mhc.yaml parameter. This + parameter connects to systems mentioned in mhc.yaml using paramiko + module and the session of each host is available through roles + defined in multihost config file. In the above example client[0] is + the multihost handle for host `client1.example.test` + +* Importing the DirSrvWrap module we are creating instance of + DirSrvWrap by passing the multihost session handle of client[0] to + the DirSrvWrap object. 
+ +* the fixture created by 389_ds is of scope class which can be called in a test file as below:: + + class TestCase(object): + + def test1(self, session_multihost, setup_ldap): + setup_ldap.create_ds_instance('example1') + setup_ldap.remove_ds_instance('example1') + + def test2(self, session_multihost): + pass + + def test3(self, session_multihost): + pass + +Example-2: Setup DS instance with SSL on single host: +----------------------------------------------------- +* create a multihost config file mhc.yaml as below:: + + root_password: 'redhat' + domains: + - name: example.test + type: sssd + hosts: + - name: client1.example.test + external_hostname: client1.example.test + ip: 10.65.223.160 + role: client + +* create a conftest.py to specify namespace hook:: + + from sssd.testlib.common.qe_class import session_multihost + from sssd.testlib.common.libdirsrv import DirSrvWrap + import pytest + + def pytest_namespace(): + return {'num_masters': 0, 'num_ad':0, 'num_atomic': 0, + 'num_replicas': 0, 'num_clients':1, 'num_others': 0} + +* create a fixture to create CA and server-cert for each host in conftest.py:: + + from sssd.testlib.common.exceptions import PkiLibException + from sssd.testlib.common.utils import PkiTools + + @pytest.fixture(scope="class") + def nssdir(session_multihost, request): + serverList = [session_multihost.client[0].sys_hostname] + pki_inst = PkiTools() + try: + certdb = pki_inst.createselfsignedcerts(serverList) + except PkiLibException as err: + return (err.msg, err.rval) + else: + return certdb + +* add another fixture to create an instance of `DirSrvWrap` passing the certdb + returned from above fixture:: + + @pytest.fixture(scope="class") + def setup_ldap(session_multihost, nssdir): + ds_obj = DirSrvWrap(session_multihost.client[0], ssl=True, ssldb=nssdir) + return ds_obj + +* call the fixture setup_ldap from the test functions as below:: + + class TestCase(object): + + def test1(self, session_multihost, setup_ldap): + 
setup_ldap.create_ds_instance('example1')
+ setup_ldap.remove_ds_instance('example1')
+
+ def test2(self):
+ pass
+
+ def test3(self):
+ pass
+
+* to override the default suffix::
+
+ class TestCase(object):
+
+ def test1(self, session_multihost, setup_ldap):
+ setup_ldap.create_ds_instance('example1', 'dc=abc,dc=test')
+ setup_ldap.remove_ds_instance('example1')
+
+ def test2(self):
+ pass
+
+ def test3(self):
+ pass
+
+Example-3: Setup DS instance on multiple hosts(2)
+-------------------------------------------------
+* create a multihost config file mhc.yaml as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1.example.test
+ external_hostname: client1.example.test
+ ip: 10.65.223.160
+ role: client
+ - name: master1.example.test
+ external_hostname: master1.example.test
+ ip: 10.65.223.161
+ role: master
+
+* create a conftest.py to specify namespace hook::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ from sssd.testlib.common.libdirsrv import DirSrvWrap
+ import pytest
+
+ def pytest_namespace():
+ return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0,
+ 'num_replicas': 0, 'num_clients':1, 'num_others': 0}
+
+* create a fixture to create CA and server-cert for each host in conftest.py::
+
+ from sssd.testlib.common.exceptions import PkiLibException
+ from sssd.testlib.common.utils import PkiTools
+
+ @pytest.fixture(scope="class")
+ def nssdir(session_multihost, request):
+ serverList = [session_multihost.client[0].sys_hostname,
+ session_multihost.master[0].sys.hostname]
+ pki_inst = PkiTools()
+ try:
+ certdb = pki_inst.createselfsignedcerts(serverList)
+ except PkiLibException as err:
+ return (err.msg, err.rval)
+ else:
+ return certdb
+
+* add another fixture to create an instance of `DirSrvWrap` passing the certdb
+ returned from above fixture::
+
+ @pytest.fixture(scope="class")
+ def setup_ldap(session_multihost, nssdir):
+ client_ds_obj = DirSrvWrap(session_multihost.client[0], ssl=True,
+ ssldb=nssdir)
+ master_ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True,
+ ssldb=nssdir)
+ return (client_ds_obj, master_ds_obj)
+
+
+* call the fixture setup_ldap from the test functions as below::
+
+ class TestCase(object):
+
+ def test1(self, session_multihost, setup_ldap):
+ client_ds_obj = setup_ldap[0]
+ master_ds_obj = setup_ldap[1]
+ client_ds_obj.create_ds_instance('example1')
+ master_ds_obj.create_ds_instance('example1')
+ client_ds_obj.remove_ds_instance('example1')
+ master_ds_obj.remove_ds_instance('example1')
+
+ def test2(self):
+ pass
+
+ def test3(self):
+ pass
+
+Example-4: Creating and removing DS instance using setup/teardown methods
+-------------------------------------------------------------------------
+* create a multihost config file mhc.yaml as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1.example.test
+ external_hostname: client1.example.test
+ ip: 10.65.223.160
+ role: client
+ - name: master1.example.test
+ external_hostname: master1.example.test
+ ip: 10.65.223.161
+ role: master
+
+* create a conftest.py to specify namespace hook::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ from sssd.testlib.common.libdirsrv import DirSrvWrap
+ import pytest
+
+ def pytest_namespace():
+ return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0,
+ 'num_replicas': 0, 'num_clients':1, 'num_others': 0}
+
+* Create a fixture of scope class to have setup and teardown methods in class
+ and these functions are run before and after tests are executed. In our test
+ class we define a **setup_class** method which will be run before our tests run
+ where we do all our setup required for tests and also define **class_teardown**
+ method at the end in **Testclass** which will teardown all the setup done in
+ **class_setup**. To these functions we pass our fixtures setup_ldap::
+
+ @pytest.fixture(scope="class")
+ def multihost(session_multihost, setup_ldap, request):
+ if hasattr(request.cls(), 'class_setup'):
+ request.cls().class_setup(session_multihost, setup_ldap)
+ request.addfinalizer(lambda:request.cls().class_teardown(session_multihost, setup_ldap))
+ return session_multihost
+
+* create a fixture to create a CA and server-cert for each host in conftest.py::
+
+ from sssd.testlib.common.exceptions import PkiLibException
+ from sssd.testlib.common.utils import PkiTools
+
+ @pytest.fixture(scope="class")
+ def nssdir(session_multihost, request):
+ serverList = [session_multihost.client[0].sys_hostname,
+ session_multihost.master[0].sys_hostname]
+ pki_inst = PkiTools()
+ try:
+ certdb = pki_inst.createselfsignedcerts(serverList)
+ except PkiLibException as err:
+ return (err.msg, err.rval)
+ else:
+ return certdb
+
+* add another fixture to create an instance of `DirSrvWrap` passing the certdb
+ returned from above fixture::
+
+ @pytest.fixture(scope="class")
+ def setup_ldap(session_multihost, nssdir):
+ client_ds_obj = DirSrvWrap(session_multihost.client[0], ssl=True,
+ ssldb=nssdir)
+ master_ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True,
+ ssldb=nssdir)
+ return (client_ds_obj, master_ds_obj)
+
+
+* call the fixture setup_ldap from the test functions as below::
+
+ class TestCase(object):
+
+ def class_setup(self, multihost, setup_ldap):
+ client_ds_obj = setup_ldap[0]
+ master_ds_obj = setup_ldap[1]
+ client_ds_obj.create_ds_instance('example1')
+ master_ds_obj.create_ds_instance('example1')
+
+ def test1(self):
+ pass
+
+ def test2(self):
+ pass
+
+ def class_teardown(self, multihost, setup_ldap):
+ client_ds_obj = setup_ldap[0]
+ master_ds_obj = setup_ldap[1]
+ client_ds_obj.remove_ds_instance('example1')
+ master_ds_obj.remove_ds_instance('example1')
+
+Example-5: Creating and add POSIX Users and Groups
+--------------------------------------------------
+* create a multihost config file mhc.yaml as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: master1.example.test
+ external_hostname: master1.example.test
+ ip: 10.65.223.161
+ role: master
+
+* create a conftest.py to specify namespace hook::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ from sssd.testlib.common.libdirsrv import DirSrvWrap
+ import pytest
+
+ def pytest_namespace():
+ return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0,
+ 'num_replicas': 0, 'num_clients':0, 'num_others': 0}
+
+* Create a fixture of scope class to have setup and teardown methods in class
+ and these functions are run before and after tests are executed. In our test
+ class we define a **setup_class** method which will be run before our tests run
+ where we do all our setup required for tests and also define **class_teardown**
+ method at the end in **Testclass** which will teardown all the setup done in
+ **class_setup**. To these functions we pass our fixtures setup_ldap::
+
+ @pytest.fixture(scope="class")
+ def multihost(session_multihost, setup_ldap, request):
+ if hasattr(request.cls(), 'class_setup'):
+ request.cls().class_setup(session_multihost, setup_ldap, create_posix_usersgroups)
+ request.addfinalizer(lambda:request.cls().class_teardown(session_multihost))
+ return session_multihost
+
+* create a fixture to create CA and server-cert for each host in conftest.py::
+
+ from sssd.testlib.common.exceptions import PkiLibException
+ from sssd.testlib.common.utils import PkiTools
+
+ @pytest.fixture(scope="class")
+ def nssdir(session_multihost, request):
+ serverList = [session_multihost.master[0].sys_hostname]
+ pki_inst = PkiTools()
+ try:
+ certdb = pki_inst.createselfsignedcerts(serverList)
+ except PkiLibException as err:
+ return (err.msg, err.rval)
+ else:
+ return certdb
+
+* Add another fixture to create an instance of `DirSrvWrap` passing the certdb
+ returned from above fixture. With autouse=True, one doesn't have to
+ explicitly state the fixture in the test functions::
+
+ @pytest.fixture(scope="class", autouse=True)
+ def setup_ldap(session_multihost, nssdir):
+ ds_inst = DirSrvWrap(session_multihost.master[0], ssl=True,
+ ssldb=nssdir)
+ ds_inst.create_ds_instance('example1', 'dc=example,dc=test')
+
+ def remove_ldap():
+ ds_inst.remove_ds_instance('example1')
+ request.addfinalizer(remove_ldap)
+
+* Create another fixture to create posix users/groups here we create 10 users
+ with dn uid=foo{1..10},ou=People,dc=example,dc=test, and a group called
+ ldapusers, where all the foo{1..10} are members of that group. The method
+ use for adding all the members to a group is we first add one user to the
+ group while creating the group and then use ldap modify method to add other
+ users to the group::
+
+ @pytest.fixture(scope='class')
+ def create_posix_usersgroups(session_multihost):
+ ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
+ ds_rootdn = 'cn=Directory Manager'
+ ds_rootpw = 'Secret123'
+ ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+ for i in range(10):
+ user_info = {'cn': 'foo%d' % i
+ 'uid': 'foo%d' % i,
+ 'uidNumber': '1458310%d' % i,
+ 'gidNumber': '14564100'}
+ ldap_inst.posix_user("ou=People", "dc=example,dc=test",
+ user_info):
+ # we first add one user the group
+ memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
+ group_info = {'cn': 'ldapusers',
+ 'gidNumber': '14564100',
+ 'uniqueMember': memberdn}
+ try:
+ ldap_inst.posix_group("ou=Groups", "dc=example,dc=test",
+ group_info)
+ except Exception:
+ assert False
+ # now add other to the group
+ for i in range(1, 11):
+ user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
+ add_member = [(ldap.MOD_ADD, 'uniqueMember',user_dn)]
+ (ret, return_value) = ldap_inst.modify_ldap(group_dn, add_member)
+ assert ret == 'Success'
+
+
+* call the fixture setup_ldap from the test functions as below::
+
+ class TestCase(object):
+ def class_setup(multihost, setup_ldap, create_posix_usersgroups)
+ print("Configuring LDAP and add posix users")
+
+ def test1(self):
+ pass
+
+ def test2(self):
+ pass
+
+ def class_teardown(multihost)
+ print("teardown setup")
--- sssd-1.16.1.orig/src/tests/python/docs/examples.rst
+++ sssd-1.16.1/src/tests/python/docs/examples.rst
@@ -0,0 +1,392 @@
+Examples of using Multihost Plugin with Fixture for SSSD
+========================================================
+* pytest multihost plugin uses paramiko/OpenSSHTransport to connect to hosts and provides methods to
+ run commands and copy files.
+
+Namespace hook
+--------------
+* With pytest multihost plugin we define the hosts under which the actual commands will be
+ running in a YAML/JSON file. This file is then read by multihost plugin. Each of the
+ host specified in the YAML file have a role, username/password, IP address.
+
+* pytest multihost provides modules and functions which takes the description of hosts in the
+ YAML file, connect to the hosts and provides some common functions to run commands, copy/get
+ files etc. The main modules provided by multihost plugin are config, domain, host. To use
+ these modules we have to subclass them and change their behaviour to suite our needs.
+
+* For SSSD QE we created subclasses of the config, domain and host functions to suite our needs and
+ expanded them. This is available through
+ `qe_class.py `_.
+
+* qe_class.py also provides a global fixture called session_multihost which provides a session
+ scope fixture. This fixture can read the YAML file and provide a global multihost fixture
+ to all the tests. This fixture assumes that the YAML file has hosts defined with any of these roles:
+
+ - master
+ - client
+ - ad
+ - atomic
+ - others
+
+* Hosts in the above roles are read and a list is created for hosts in each role and provided using the generator (yield) feature of python. All this is exported in the pytest namespace and can be accessed in the individual tests using namespace hook
+
+* Below are the examples of using namespace hook:
+
+ - Single host:
+
+ * create a multihost config file mhc.yaml as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1
+ external_hostname: client1.example.test
+ ip: 10.65.223.16
+ role: client
+
+ * since we have 1 host with role client we can create a namespace hook in conftest.py
+ to access the host as a list
+
+ * create a conftest.py as below::
+
+ def pytest_namespace():
+ return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others': 0}
+
+ * in the actual testcase it can be accessed as below::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ class TestCase:
+ def test1(self, session_multihost):
+ session_multihost.client[0].
+
+ * client[0] is the handle for the client1 system defined in the mhc.yaml
+
+ - Multiple hosts of same role:
+
+ * create a multihost config file as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1
+ external_hostname: client1.example.test
+ ip: 10.65.223.16
+ role: client
+ - name: client2
+ external_hostname: client2.example.test
+ ip: 10.65.223.17
+ role: client
+
+ * since we have 2 hosts with role client we can create a namespace hook in conftest.py
+ to access the hosts as a list
+
+ * create a conftest.py as below::
+
+ def pytest_namespace():
+ return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':2, 'num_others': 0}
+
+ * in the actual testcase it can be accessed as below::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ class TestCase:
+ def test1(self, session_multihost):
+ session_multihost.client[0].
+ session_multihost.client[1].
+
+ * client[0] is the handle for the client1 system defined in mhc.yaml
+ * client[1] is the handle for the client2 system defined in mhc.yaml
+
+ - Multiple hosts of different roles:
+
+ * create a multihost config file where we have 2 clients and 1 server::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1
+ external_hostname: client1.example.test
+ ip: 10.65.223.16
+ role: client
+ - name: client2
+ external_hostname: client2.example.test
+ ip: 10.65.223.17
+ role: client
+ - name: server1
+ external_hostname: master1.example.test
+ ip: 10.65.223.18
+ role: master
+
+ * since we have 2 hosts with with role client and 1 host with role master we can create a namespace hook in conftest.py to access the hosts as a list
+
+ * create a conftest.py as below::
+
+ def pytest_namespace():
+ return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':2, 'num_others': 0}
+
+ * in the actual testcase it can be accessed as below::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ class TestCase:
+ def test1(session_multihost):
+ session_multihost.client[0].
+ session_multihost.client[1].
+ def test2(session_multihost):
+ session_multihost.master[0].
+
+Example-1: Single host tests
+----------------------------
+* create a multihost config file mhc.yaml with 1 host as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1
+ external_hostname: client1.example.test
+ ip: 10.65.223.16
+ role: client
+
+* create a file called conftest.py with below contents::
+
+ def pytest_namespace():
+ return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 }
+
+* create file called test1.py which contains testcases::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ class TestCase:
+ def test1(self, session_multihost):
+ session_multihost.client[0].run_command(['ls', '-l'])
+
+* running the test::
+
+ $ py.test --multihost-config=mhc.yaml test1.py -s -v
+
+Example-2: Multiple hosts tests
+-------------------------------
+* create a multihost config file mhc.yaml with 2 hosts with roles master and client::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1
+ external_hostname: client1.example.test
+ ip: 10.65.223.16
+ role: client
+ - name: master1
+ external_hostname: master1.example.test
+ ip: 10.65.223.35
+ role: master
+
+* create a file called conftest.py with below contents::
+
+ def pytest_namespace():
+ return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 }
+
+* create file called test1.py which contains testcases::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ class TestCase:
+ def test1(self, session_multihost):
+ session_multihost.client[0].run_command(['ls', '-l'])
+
+ def test2(self, session_multihost):
+ session_multihost.master[0].run_command(['ls', '-l'])
+
+* running the test::
+
+ $ py.test --multihost-config=mhc.yaml test1.py -s -v
+
+Example-3: Multiple hosts test with setup and teardown
+------------------------------------------------------
+* create a multihost config file mhc.yaml with 2 hosts with roles master and client::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1
+ external_hostname: client1.example.test
+ ip: 10.65.223.16
+ role: client
+ - name: master1
+ external_hostname: master1.example.test
+ ip: 10.65.223.35
+ role: master
+
+* create a file called conftest.py with below contents::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ def pytest_namespace():
+ return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 }
+
+ @pytest.fixture(scope="class")
+ def multihost(session_multihost, request):
+ if hasattr(request.cls(), 'class_setup'):
+ request.cls().class_setup(session_multihost)
+ request.addfinalizer(lambda: request.cls().class_teardown(session_multihost))
+ return session_multihost
+
+* create file called test1.py which contains testcases::
+
+ class TestCase:
+ def class_setup(self, session_multihost):
+ cmd = session_multihost.client[0].run_command(['useradd', 'foobar'])
+ assert cmd.returncode == 0
+
+ def test1(self, session_multihost):
+ session_multihost.client[0].run_command(['id', 'foobar'])
+
+ def class_teardown(self, session_multihost):
+ session_multihost.master[0].run_command(['userdel', 'foobar'])
+
+* running the test::
+
+ $ py.test --multihost-config=mhc.yaml test1.py -s -v
+
+Example-4: Copying files to hosts using multihost plugin
+--------------------------------------------------------
+* scenario: Create an sssd.conf file with specific configuration parameters. We create a local file on the
+ system from which we are running py.test command (jslave/laptop/testsystem) and copy it
+ to the actual hosts using transport.put_file method
+
+* create test1.py with below contents::
+
+ import ConfigParser
+
+ class TestCase:
+ def class_setup(self, session_multihost):
+ sssdconfig = ConfigParser.RawConfigParser()
+ sssdconfig.optionxform = str
+ sssdconfig.add_section('sssd')
+ sssdconfig.set("sssd", "config_file_version", '2')
+ sssdconfig.set("sssd", "domains", 'example.com')
+ sssdconfig.set("sssd", "services", "nss, pam")
+ domain_section = '%s/%s' % ('domain', 'example.com')
+ sssdconfig.add_section(domain_section)
+ sssdconfig.set(domain_section, "id_provider", "ad")
+ sssdconfig.set(domain_section, "auth_provider", "ad")
+ sssdconfig.set(domain_section, "access_provider", "ad")
+ sssdconfig.set(domain_section, "fallback_homedir", "/home/%d/%u")
+ sssdconfig.set(domain_section, "use_fully_qualified_names", "True")
+ sssdconfig.set(domain_section, "ad_maximum_machine_account_password_age", "1")
+ sssdconfig.set(domain_section, "ad_machine_account_password_renewal_opts", "300:15")
+ sssdconfig.set(domain_section, "debug_level", "9")
+ sssdconfig.set(domain_section, "enumerate", "True")
+ temp_file = '/tmp/sssd.conf'
+ with open(temp_file, 'wb') as fd:
+ sssdconfig.write(fd)
+ session_multihost.client[0].transport.put_file(temp_file, '/etc/sssd/sssd.conf')
+ session_multihost.client[0].run_command(['chmod', '600', '/etc/sssd/sssd.conf'],
+ set_env=False, raiseonerr=False)
+
+Example-5: Creating a fixture and calling a fixture
+---------------------------------------------------
+* scenario: We want to configure sssd.conf before our test runs. we can create a
+ function which configures sssd.conf and we call this function before our test runs
+
+* create a file called conftest.py with below contents::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ import ConfigParser
+ def pytest_namespace():
+ return { 'num_masters': 1, 'num_ad':0, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 }
+
+ @pytest.fixture(scope="class")
+ def multihost(session_multihost, request):
+ if hasattr(request.cls(), 'class_setup'):
+ request.cls().class_setup(session_multihost)
+ request.addfinalizer(lambda: request.cls().class_teardown(session_multihost))
+ return session_multihost
+
+ @pytest.fixture(scope="class")
+ def config_sssd(session_multihost, request):
+ sssdconfig = ConfigParser.RawConfigParser()
+ sssdconfig.optionxform = str
+ sssdconfig.add_section('sssd')
+ sssdconfig.set("sssd", "config_file_version", '2')
+ sssdconfig.set("sssd", "domains", 'example.com')
+ sssdconfig.set("sssd", "services", "nss, pam")
+ domain_section = '%s/%s' % ('domain', 'example.com')
+ sssdconfig.add_section(domain_section)
+ sssdconfig.set(domain_section, "id_provider", "ad")
+ sssdconfig.set(domain_section, "auth_provider", "ad")
+ sssdconfig.set(domain_section, "fallback_homedir", "/home/%d/%u")
+ sssdconfig.set(domain_section, "use_fully_qualified_names", "True")
+ sssdconfig.set(domain_section, "debug_level", "9")
+ sssdconfig.set(domain_section, "enumerate", "True")
+ temp_file = '/tmp/sssd.conf'
+ with open(temp_file, 'wb') as fd:
+ sssdconfig.write(fd)
+ session_multihost.client[0].transport.put_file(temp_file, '/etc/sssd/sssd.conf')
+
+* create a file test1.py with below contents::
+
+ class Testcase:
+ def class_setup(self, multihost, config_sssd):
+ cmd = session_multihost.client[0].run_command(['service', 'sssd', 'restart'])
+ assert cmd.returncode == 0
+
+ def test1(self, multihost):
+ print("I am in test1")
+
+ def class_teardown(self, multihost):
+ cmd = session_multihost.client[0].run_command(['service', 'sssd', 'stop'])
+ assert cmd.returncode == 0
+
+Example-6: Connecting to Windows system and running AD specific commands
+------------------------------------------------------------------------
+* scenario: If the test requirement requires running any specific native commands on
+ windows which cannot be fulfilled by adcli.
+
+ Note: Connecting to Windows using multihost plugin requires ssh be running on Windows system.
+ For this multihost plugin has been tested only with OpenSSH provided using CYGWIN. So before
+ using multihost plugin please install CYGWIN and OpenSSH package. Configure OpenSSH on Windows
+ and make sure its firewall is allowing ssh port.
+
+* create a multihost config file mhc.yaml with 2 hosts with roles master and client::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: client1
+ external_hostname: client1.example.test
+ ip: 10.65.223.16
+ role: client
+ - name: srv1
+ external_hostname: srv1.example.test
+ ip: 10.65.223.35
+ role: ad
+ username: Administrator
+ password: Secret123
+
+* create a file called conftest.py with below contents::
+
+ def pytest_namespace():
+ return { 'num_masters': 0, 'num_ad':1, 'num_atomic': 0, 'num_replicas': 0, 'num_clients':1, 'num_others':0 }
+
+* create file called test1.py which contains testcases::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ class TestCase:
+ def test1(self, session_multihost):
+ session_multihost.client[0].run_command(['ls', '-l'])
+
+ def test2(self, session_multihost):
+ session_multihost.ad[0].run_command(['date'])
+
+* Running the test::
+
+ $ py.test --multihost-config=mhc.yaml test1.py -s -v
--- sssd-1.16.1.orig/src/tests/python/docs/index.rst
+++ sssd-1.16.1/src/tests/python/docs/index.rst
@@ -0,0 +1,39 @@
+.. SSSD QE Test documentation master file, created by
+ sphinx-quickstart on Wed Sep 02 18:52:16 2015.
+ You can adapt this file completely to your liking, but it should at least
+ contain the root `toctree` directive.
+
+SSSD QE pytest framework Documentation
+===========================================
+
+SSSD QE PyTest provides a framework `sssd.testlib` which contains shared functions and libraries to be used to write tests in pytest framework for
+System Services Security Daemon.
+
+
+Contents:
+
+.. toctree::
+ :maxdepth: 3
+
+ Install
+ running
+ layout
+ examples
+ ds_389
+ krb5
+ kcm
+ sssd-testlib
+ MultihostPlugin
+
+
+
+Additional Information
+======================
+.. [#] `Python Pytest Multihost plugin `_.
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
--- sssd-1.16.1.orig/src/tests/python/docs/kcm.rst
+++ sssd-1.16.1/src/tests/python/docs/kcm.rst
@@ -0,0 +1,253 @@
+Examples of testing KCM
+=======================
+
+
+Design
+------
+* For testing KCM ccache, minimal requirements is to have a Kerberos
+ server. sssd-testlib provides `libkrb5` module to setup Kerberos server.
+
+* `sssd-testlib` now contains `utils` module which now contains functions to
+ enable `sssd-kcm`
+
+* Below are some of the examples of using it in pytest
+
+
+Example1: Using single host to test sssd-kcm
+--------------------------------------------
+* create a single host running Directory Server, krb5 server and configure
+ client to authenticate to LDAP and Kerberos server using SSSD and enable KCM
+
+ * create a multihost config file mhc.yaml as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: testrealm.test
+ type: sssd
+ hosts:
+ - name: idm1.example.test
+ external_hostname: idm1.example.test
+ role: master
+
+ * create a conftest.py to specify namespace hook::
+
+ from sssd.testlib.common.qe_class import session_multihost,
+ from sssd.testlib.common.qe_class import create_testdir
+ import pytest
+
+ def pytest_namespace():
+ return { 'num_masters': 0, 'num_ad':0, 'num_atomic': 0,
+ num_replicas': 0, 'num_clients':1, 'num_others': 0}
+
+ * create fixture to run Authconfig to authenticate to SSSD::
+
+ @pytest.fixture(scope="session")
+ def config_authconfig(session_multihost, request):
+ """ Run authconfig to configure Kerberos and
+ SSSD auth on remote host
+ """
+ authconfig = RedHatAuthConfig(session_multihost.master[0])
+ session_multihost.master[0].log.info("Take backup of current authconfig")
+ authconfig.backup('/root/authconfig_backup')
+ krbrealm = 'EXAMPLE.TEST'
+ kerberos_server = session_multihost.master[0].sys_hostname
+ authconfig.enable("sssd")
+ authconfig.enable("sssdauth")
+ authconfig.add_parameter("krb5kdc", kerberos_server)
+ authconfig.add_parameter("krb5adminserver", kerberos_server)
+ authconfig.add_parameter("krb5realm", krbrealm)
+ authconfig.execute()
+
+ def restore_authconfig():
+ """ Restore authconfig """
+ authconfig.restore('/root/authconfig_backup')
+
+ request.addfinalizer(restore_authconfig)
+
+ * add a fixture to configure Directory Server::
+
+ from sssd.testlib.common.libdirsrv import DirSrvWrap
+ from sssd.testlib.common.utils import sssdTools, PkiTools
+ from sssd.testlib.common.exceptions import PkiLibException
+
+ @pytest.fixture(scope=session)
+ def setup_ldap(session_multihost, request):
+ serverList = [session_multihost.master[0].sys_hostname]
+ pki_inst = PkiTools()
+ try:
+ certdb = pki_inst.createselfsignedcerts(serverList)
+ except PkiLibException as err:
+ return (err.msg, err.rval)
+ else:
+ ds_obj = DirSrvWrap(session_multihost.master[0], ssl=True,
+ ssldb=certdb)
+ ds_obj.create_ds_instance('example1', 'dc=example,dc=test')
+
+ def remove_ldap():
+ ds_obj.remove_ds_instance('example1')
+ request.addfinalizer(remove_ldap)
+
+ * add a fixture to configure Kerberos server::
+
+ @pytest.fixture(scope='class')
+ def setup_kerberos(session_multihost, request):
+ tools = sssdTools(session_multihost.master[0])
+ tools.config_etckrb5('EXAMPLE.TEST')
+ krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
+ krb.krb_setup_new()
+
+ def remove_kerberos():
+ krb.destroy_krb5serer()
+ request.addfinalizer(remove_kerberos)
+
+ * add a fixture to setup SSSD conf::
+
+ @pytest.fixture(scope='class', autouse=True)
+ def setup_sssd(session_multihost, request):
+ domain_section = 'domain/EXAMPLE.TEST'
+ ldap_uri = 'ldap://%s' %
+ (session_multihost.master[0].sys_hostname)
+ krb5_server = session_multihost.master[0].sys_hostname
+ cacert_loc = '/etc/openldap/cacerts/cacert.pem'
+ sssdConfig = ConfigParser.SafeConfigParser()
+ sssdConfig.optionxform = str
+ sssdConfig.add_section('sssd')
+ sssdConfig.set('sssd', 'domains', 'EXAMPLE.TEST')
+ sssdConfig.set('sssd', 'config_file_version', '2')
+ sssdConfig.set('sssd', 'services', 'nss, pam, ifp')
+ sssdConfig.add_section(domain_section)
+ sssdConfig.set(domain_section, 'enumerate', 'false')
+ sssdConfig.set(domain_section, 'id_provider', 'ldap')
+ sssdConfig.set(domain_section, 'ldap_uri', ldap_uri)
+ sssdConfig.set(domain_section, 'ldap_search_base',
+ 'dc=example,dc=test')
+ sssdConfig.set(domain_section, 'ldap_tls_cacert', cacert_loc)
+ sssdConfig.set(domain_section, 'auth_provider', 'krb5')
+ sssdConfig.set(domain_section, 'krb5_server', krb5_server)
+ sssdConfig.set(domain_section, 'krb5_kpasswd', krb5_server)
+ sssdConfig.set(domain_section, 'krb5_realm', 'EXAMPLE.TEST')
+ sssdConfig.set(domain_section, 'debug_level', '9')
+ temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf',
+ prefix='sssd')
+ with open(temp_file_path, "wb") as outfile:
+ sssdConfig.write(outfile)
+ session_multihost.master[0].run_command(['cp', '-f',
+ paths.SSSD_CONF,
+ '%s.orig' %
+ paths.SSSD_CONF])
+ session_multihost.master[0].transport.put_file(temp_file_path,
+ paths.SSSD_CONF)
+
+ os.close(temp_fd)
+ try:
+ session_multihost.master[0].service_sssd('restart')
+ except Exception:
+ journalctl_cmd = "journalctl -x -n 50 --no-pager"
+ session_multihost.master[0].run_command(journalctl_cmd)
+ assert False
+
+ * add fixture to create some POSIX users and also create Kerberos users with
+ same names::
+
+ @pytest.fixture(scope='class', autouse=True)
+ def create_posix_usersgroups(session_multihost):
+ ldap_uri = 'ldap://%s' % (session_multihost.master[0].sys_hostname)
+ ds_rootdn = 'cn=Directory Manager'
+ ds_rootpw = 'Secret123'
+ ldap_inst = LdapOperations(ldap_uri, ds_rootdn, ds_rootpw)
+ krb = krb5srv(session_multihost.master[0], 'EXAMPLE.TEST')
+ for i in range(10):
+ user_info = {'cn': 'foo%d' % i,
+ 'uid': 'foo%d' % i,
+ 'uidNumber': '1458310%d' % i,
+ 'gidNumber': '14564100'}
+ if ldap_inst.posix_user("ou=People", "dc=example,dc=test", user_info):
+ krb.add_principal('foo%d' % i, 'user', 'Secret123')
+ else:
+ print("Unable to add ldap User %s" % (user_info))
+ assert False
+ memberdn = 'uid=%s,ou=People,dc=example,dc=test' % ('foo0')
+ group_info = {'cn': 'ldapusers',
+ 'gidNumber': '14564100',
+ 'uniqueMember': memberdn}
+ try:
+ ldap_inst.posix_group("ou=Groups", "dc=example,dc=test", group_info)
+ except Exception:
+ assert False
+ group_dn = 'cn=ldapusers,ou=Groups,dc=example,dc=test'
+ for i in range(1, 11):
+ user_dn = 'uid=foo%d,ou=People,dc=example,dc=test' % i
+ add_member = [(ldap.MOD_ADD, 'uniqueMember',user_dn)]
+ (ret, return_value) = ldap_inst.modify_ldap(group_dn, add_member)
+ assert ret == 'Success'
+
+ * create a session fixture which calls config_authconfig, setup_ldap,
+ setup_kerberos::
+
+ @pytest.fixture(scope="session", autouse=True)
+ def setup_session(request, session_multihost,
+ config_authconfig,
+ setup_ldap,
+ setup_kerberos):
+ print("\n............Session Setup...............")
+ def teardown():
+ print("\n............Session teardown...............")
+ request.addfinalizer(teardown)
+
+ * create a test suite file called test1.py, to test KCM as user, or
+ to check if the Kerberos user can ssh to the system, we can use
+ `SSHClient` module from `sssd.testlib.common.utils` module::
+
+ from sssd.testlib.common.utils import SSHClient
+ from sssd.testlib.common.uilts import sssdTools
+
+ class TestBasicSSSD:
+
+ def test_kcm_sock(self, multihost):
+ tools = sssdTools(session_multihost.master[0])
+ tools.enable_kcm()
+ multihost.master[0].run_command(['systemctl', 'start',
+ 'sssd-kcm'])
+ kcm_sock_link = '/var/run/.heim_org.h5l.kcm-socket'
+ cmd = multihost.master[0].run_command(['ls', '-l', kcm_sock_link],
+ raiseonerr=False)
+ assert cmd.returncode == 0
+
+ def test_ssh_user_login(self, multihost):
+ """ Check ssh login as LDAP user with Kerberos credentials """
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo1', password='Secret123')
+ assert ssh.connstatus
+ ssh.close()
+
+ def test_kinit(self, multihost):
+ """ Run kinit after user login """
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo2', password='Secret123')
+ assert ssh.connstatus
+ (stdout, stderr, exit_status) = ssh.execute_cmd(args='kinit',
+ stdin='Secret123')
+ assert exit_status == 0
+ (stdout, stderr, exit_status) = ssh.execute_cmd('klist')
+ for line in stdout.readlines():
+ print(line)
+ assert exit_status == 0
+ ssh.close()
+
+ def test_kinit_kcm(self, multihost):
+ """ Run kinit with KRB5CCNAME=KCM: """
+ ssh = SSHClient(multihost.master[0].sys_hostname,
+ username='foo3', password='Secret123')
+ assert ssh.connstatus
+ (out, err, status) = ssh.execute_cmd('KRB5CCNAME=KCM:; kinit',
+ stdin='Secret123')
+ assert status == 0
+ (out, err, status) = ssh.execute_cmd('KRB5CCNAME=KCM:; klist')
+ for line in stdout.readlines():
+ if 'Ticket cache: KCM:14583103' in str(line.strip()):
+ assert True
+ break
+ else:
+ assert False
+ assert exit_status == 0
+ ssh.close()
--- sssd-1.16.1.orig/src/tests/python/docs/krb5.rst
+++ sssd-1.16.1/src/tests/python/docs/krb5.rst
@@ -0,0 +1,75 @@
+Examples of using libkrb5 module from sssd.testlib.common
+=========================================================
+* sssd-testlib provides module libkrb5 which creates a Kerberos server instance
+
+
+Design
+------
+* libkb5 module consists of class krb5Srv
+
+* krb5srv class consists of methods to create a Kerberos server
+
+* below are some of the examples of setting up a Kerberos server on RHEL7
+
+Example-1: Setup a Kerberos instance on a single host
+-----------------------------------------------------
+* create a multihost config file mhc.yaml as below::
+
+ root_password: 'redhat'
+ domains:
+ - name: example.test
+ type: sssd
+ hosts:
+ - name: server1
+ external_hostname: server1.example.test
+ ip: 192.168.122.60
+ role: master
+
+* create a conftest.py to specify namespace hook::
+
+ from sssd.testlib.common.qe_class import session_multihost
+ from sssd.testlib.common.libkb5 import krb5srv
+ import pytest
+
+ def pytest_namespace():
+ return {'num_masters': 1, 'num_ad':0, 'num_atomic': 0,
+ 'num_replicas': 0, 'num_clients':1, 'num_others': 0}
+
+* add a fixture specified below in conftest.py::
+
+ import subprocess
+
+ @pytest.fixture(scope="class")
+ def setup_krb5(session_multihost):
+ tools = sssdTools(session_multihost.master[0])
+ tools.config_etckrb5('EXAMPLE.TEST')
+ krb = krb5srv(session_multihost[0]. 'EXAMPLE.TEST')
+ try:
+ krb.krb_setup_new()
+ except subprocess.CalledProcessError:
+ print("fail to setup Kerberos")
+ assert False
+
+* session_multihost is the session fixture which gets activated when
+ py.test is run with --multihost-config=mhc.yaml parameter. This
+ parameter connects to systems mentioned in mhc.yaml using paramiko
+ module and this session of each host is available through roles
+ defined in multihost config file. In the above example client[0] is
+ the multihost handle for host `server1.example.test`
+
+* importing the krb5srv module we are creating instance of
+ krb5srv by passing the multihost session handle of master[0] to
+ the krb5srv object
+
+* the fixture created by setup_krb5 is of scope class which can be called in a test file as below::
+
+ class TestCase(object):
+
+ def test1(self, session_multihost, setup_krb5):
+ print("This is test1")
+
+ def test2(self, session_multihost):
+ pass
+
+ def test3(self, session_multihost):
+ pass
--- sssd-1.16.1.orig/src/tests/python/docs/layout.rst
+++ sssd-1.16.1/src/tests/python/docs/layout.rst
@@ -0,0 +1,13 @@
+layout
+======
+This doc provides the layout of SSSD pytest framework and test suites directory.
+
+module
+------
+* sssd.testlib
+
+ This is the main top directory under which there are subdirectories containing various shared functions required to write tests using pytest
+
+* sssd.testlib/common
+
+ This directory contains shared functions which are generic in nature
--- sssd-1.16.1.orig/src/tests/python/docs/running.rst
+++ sssd-1.16.1/src/tests/python/docs/running.rst
@@ -0,0 +1,112 @@
+running
+=======
+* Running Tests
+
+Prerequisites
+-------------
+* pytest-multihost-plugin
+
+ To execute tests with multiple tests, pytest-multihost plugin is required.
+ Refer to Install section for installing the plugin.
+
+* SSSD pytest framework
+
+ SSSD pytest framework is mostly set of shared functions that is used in test cases for common tasks like authconfig, setting up DS, Kerberos, IPA, etc.
+ sssd-testlib is the module provided by the framework.
+
+Getting Started
+---------------
+* Functional Tests mostly written for SSSD require multiple hosts. Each of the hosts take a particular role. Below are the predefined roles used:
+
+ - master: Node on which we have Directory Server/OpenLDAP Server/krb5 Server/IPA Server is running
+ - replica: Node on which is replica of Directory/OpenLDAP Server/krb5 server
+ - client: Node on which sssd-client is configured
+ - ad: Node on which Microsoft Active Directory is running
+ - atomic: Atomic host Node
+
+config
+------
+* To run multihosts tests using pytest, we have to define the infrastructure containing RHEL and Windows systems in a file. Check Example config file::
+
+ root_password: 'redhat'
+ test_dir: '/root/multihost'
+ windows_test_dir: '/home/administrator'
+ domains:
+ - name: testrealm.test
+ type: sssd
+ hosts:
+ - name: hostname1
+ ip: 192.168.122.1
+ role: master
+ - name: hostname2
+ ip: 192.168.122.2
+ role: replica
+ - name: hostname3:
+ ip: 192.168.122.3
+ role: client
+ - name: hostname4:
+ ip: 192.168.122.4
+ role: ad
+ username: Administrator
+ password: Secret123
+
+Brief description of the above lines:
+
+ **root_password** is the root password of the systems, it's better to have common password of the RHEL systems that you would like to connect. 
+ Instead of password, you can use ssh keys, in which the parameter is **ssh_key_filename: ~/.ssh/id_rsa**
+
+ **test_dir** directory to store test-specific data in, defaults to **/root/multihost_tests**
+
+ **windows_test_dir** Directory to store test-specific data on Windows hosts, defaults to **/home/Administrator**
+
+ **Domains** is a list of domains under which the hosts that will run the commands reside. Domains are a way of classifying hosts.
+
+ **name(under Domains)** is the name of the domain, can be any name (resolvable/non-resolvable)
+
+ **type(under Domains)** is the type of hosts, a string specifying the type of the domain ('default' by default)
+
+ **hosts(under Domains)** is a placeholder for list of hosts
+
+ **name(under hosts)** is a hostname to which multihost needs to connect, can be a short name in which case the FQDN will be formed by combining name and domain
+ name specified under domains.
+
+ **ip** is the IP address of the system
+
+ **role** is the role that the host will be taking, like master/slave/replica/ad/atomic
+
+ **username** (optional) each host can have its specific username to connect to. For example for connecting to Windows systems we use username 'Administrator'
+
+ **password** password to connect to
+
+Executing Tests
+---------------
+* To execute existing tests clone sssd-qe-tests repo and run py.test against any specific test suite directory.
+
+ - On RHEL7.2::
+
+ $ git clone git://git.app.eng.bos.redhat.com/sssd-qe-tests.git
+ $ cd sssd-qe-tests/pytest
+ $ py.test --multihost-config=
+
+* Before executing any tests, it's required to create a config file as specified in `config` section. 
+
+ - Executing test suite::
+
+ $ cd sssd-qe-tests/pytest/
+ $ py.test --junit-xml=/tmp/junit.xml \
+ --multihost-config=mh_cfg.yaml \
+ -v
+
+ - Executing Individual Test sub-suite (module)::
+
+ $ cd sssd-qe-tests/pytest/
+ $ py.test --junit-xml=/tmp/junit.xml \
+ --multihost-config=mh_cfg.yaml \
+ -v
+
+ - Executing individual Test cases::
+
+ $ cd sssd-qe-tests/pytest/
+ $ py.test --junit.xml=/tmp/junit.xml \
+ --multihosts-config=mh_cfg.yaml \
+ -v /.py::::
--- sssd-1.16.1.orig/src/tests/python/docs/sssd-testlib.rst
+++ sssd-1.16.1/src/tests/python/docs/sssd-testlib.rst
@@ -0,0 +1,32 @@
+sssd test library doc
+======================
+
+sssd.testlib.common.qe_class
+----------------------------
+.. automodule:: sssd.testlib.common.qe_class
+ :members:
+
+sssd.testlib.common.authconfig
+------------------------------
+.. automodule:: sssd.testlib.common.authconfig
+ :members:
+
+sssd.testlib.common.utils
+--------------------------
+.. automodule:: sssd.testlib.common.utils
+ :members:
+
+sssd.testlib.common.libdirsrv
+-----------------------------
+.. automodule:: sssd.testlib.common.libdirsrv
+ :members:
+
+sssd.testlib.common.libkrb5
+---------------------------
+.. automodule:: sssd.testlib.common.libkrb5
+ :members:
+
+pytest_multihost
+----------------
+.. automodule:: pytest_multihost
+ :members:
--- sssd-1.16.1.orig/src/tests/python/setup.py
+++ sssd-1.16.1/src/tests/python/setup.py 
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2016 sssd-qe contributors.
+#
+from setuptools import setup
+
+REQUIRES = [
+ 'paramiko',
+ 'PyYAML',
+ 'pytest_multihost',
+ 'pytest']
+
+with open('README.rst', 'r') as f:
+ README = f.read()
+
+setup_args = dict(
+ name='sssd.testlib',
+ version='0.1-11',
+ description='System Services Security Daemon python test suite',
+ long_description=README,
+ author=u'SSSD QE Team',
+ url='http://git.app.eng.bos.redhat.com/git/sssd-qe-tests.git/',
+ packages=[
+ 'sssd',
+ 'sssd.testlib',
+ 'sssd.testlib.common',
+ ],
+ package_data={'': ['LICENSE']},
+ install_requires=REQUIRES,
+ license='GNU GPL v3.0',
+ classifiers=(
+ 'Programming Language :: Python',
+ 'Programming Language :: Python :: 2.7',
+ ),
+)
+if __name__ == '__main__':
+ setup(**setup_args)
--- sssd-1.16.1.orig/src/tests/python/sssd-testlib.spec
+++ sssd-1.16.1/src/tests/python/sssd-testlib.spec 
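Review bot: `install_requires` names `pytest_multihost` with no version floor, while the spec file added in this same patch declares `python-pytest-multihost >= 1.1`, so a pip install can resolve to a release the RPM would refuse; `'pytest_multihost>=1.1'` keeps the two in step. `README.rst` is opened by relative path at module level, so running `setup.py` from another working directory fails before `setup()` is reached; building the path from `os.path.dirname(__file__)` avoids that.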
@@ -0,0 +1,144 @@
+%if 0%{?rhel} && 0%{?rhel} >= 8
+%global with_python3 1
+%else
+%{!?__python2: %global __python2 /usr/bin/python2}
+%{!?python2_sitelib2: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib())")}
+%endif
+%if 0%{?fedora} >= 27
+%global with_python3 1
+%endif
+
+%define name sssd-testlib
+%define owner sssd-qe
+%define project sssd-testlib
+%define version 0.1
+%define release 11
+%define srcname sssd-testlib
+
+Name: %{name}
+Version: %{version}
+Release: %{release}%{?dist}
+Summary: System Services Security Daemon (SSSD) PyTest Framework
+License: GPLv3+
+Source0: %{name}.tar.gz
+
+BuildArch: noarch
+%if 0%{?with_python3}
+BuildRequires: python3-devel
+%else
+%if 0%{?fedora}
+BuildRequires: python2-devel
+%else
+BuildRequires: python-devel
+%endif
+%endif
+
+%if 0%{?fedora}
+Requires: python3-paramiko
+Requires: freeipa-python
+Requires: python3-pytest-multihost >= 1.1
+Requires: python3-PyYAML
+Requires: python3-pytest
+Requires: python-dns
+Requires: python-krbV
+Requires: python-nss
+%else
+Requires: python-paramiko
+Requires: python-pytest-multihost >= 1.1
+Requires: PyYAML
+Requires: pytest
+Requires: python-ldap
+Requires: openldap-clients
+Requires: python-dns
+Requires: python-krbV
+Requires: python-nss
+%else
+%if 0%{?rhel}
+Requires: ipa-python
+%endif
+%endif
+
+%description
+A python framework for System Services Security Daemon (SSSD) PyTest Framework.
+
+%prep
+%setup -qn %{project}
+
+%if 0%{?with_python3}
+echo %{py3dir}
+rm -rf %{py3dir}
+cp -a . 
%{py3dir}
+%endif
+
+%build
+%{__python2} setup.py build
+%if 0%{?with_python3}
+pushd %{py3dir}
+%{__python3} setup.py build
+popd
+%endif
+
+%install
+%{__python2} setup.py install -O1 --skip-build --root %{buildroot}
+%if 0%{?with_python3}
+%py_byte_compile %{__python2} %{buildroot}%{python_sitelib}/%{srcname}
+%else
+%{__python2} -m compileall %{buildroot}%{python_sitelib}/%{srcname}
+%endif
+
+%if 0%{?with_python3}
+pushd %{py3dir}
+%{__python3} setup.py install --skip-build --root %{buildroot}
+%py_byte_compile %{__python3} %{buildroot}%{python3_sitelib}/%{srcname}
+popd
+%endif
+
+mkdir -p %{buildroot}/etc/sssd_testlib
+install -m 644 sssd/testlib/etc/* %{buildroot}/etc/sssd_testlib/
+
+%files
+%doc README.rst docs/*
+%config /etc/sssd_testlib
+%if 0%{?fedora}
+%{python2_sitelib}/*
+%endif
+%if 0%{?with_python3}
+%{python3_sitelib}/*
+%else:
+%{python2_sitelib}/*
+%endif
+
+%changelog
+* Fri Jul 7 2017 Niranjan MR - 0.1-11
+- pylint fixes
+* Sat Apr 19 2017 Niranjan MR - 0.1-10
+- Add functions to create POSIX users/groups
+- Add libkrb5 module to create kerberos server
+- Use paramiko to test ssh logins for non-root users
+- Update documentation
+* Tue Mar 14 2017 Niranjan MR - 0.1-9
+- Use adcli with realm to join system to Windows AD
+* Mon Feb 20 2017 Niranjan MR - 0.1-8
+- Fix indetation issues with qe_class.py
+* Fri Feb 17 2017 Niranjan MR - 0.1-7
+- pep8 fixes to sssd.testlib.common
+- updated docs on setting up DS instances using multihost
+* Wed Nov 30 2016 Niranjan MR - 0.1-6
+- Add functions related to configuring Directory Server,
+- Add functions related to adding, removing, modifying AD users,
+ and adding UNIX attributes to Windows AD Users
+* Fri Oct 21 2016 Niranjan MR - 0.1-5
+- Add functions to connect AD and move common fixtures
+ as sssdTools module in common
+* Sat Sep 10 2016 Niranjan MR - 0.1-4
+- Add Run time requirement to have pytest-multihost >= 1.1
+- Modify spec file to be built on fedora/rhel
+- When using fedora 24 and above 
use python3
+* Wed Aug 24 2016 Niranjan MR - 0.1-3
+- Add functions to start/stop/restart sssd based on RHEL versions
+- Use systemctl instead of service command for systemd based versions
+* Fri Jul 15 2016 Niranjan MR - 0.1-2
+- Modified qe_class.py to make Windows AD details to be in separate domain
+- Added ipa-python as a Runtime dependency
+* Thu Jun 30 2016 Niranjan MR - 0.1-1
+- initial version-
--- sssd-1.16.1.orig/src/tests/python/sssd/testlib/common/authconfig.py
+++ sssd-1.16.1/src/tests/python/sssd/testlib/common/authconfig.py 
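Review bot: The runtime `Requires:` block opens one `%if 0%{?fedora}` but carries two `%else` branches, the second directly before `%if 0%{?rhel}`, so the conditional is not well formed and it is unclear which dependency set a RHEL build ends up with. Dropping the second `%else` and one trailing `%endif`, so that `%if 0%{?rhel}` / `Requires: ipa-python` / `%endif` sits inside the first `%else` branch, would express what the layout suggests was meant. In `%files` the branch is written `%else:` with a trailing colon and should be `%else`. The guard `%{!?python2_sitelib2: ...}` tests a macro name different from the `python2_sitelib` it defines, so it presumably redefines it every time; `%{!?python2_sitelib: ...}` matches the neighbouring `__python2` guard.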
@@ -0,0 +1,145 @@ +# Authors: Simo Sorce +# Alexander Bokovoy +# Tomas Babej +# +# Copyright (C) 2007-2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +""" Authconfig Module """ +from __future__ import print_function +from subprocess import CalledProcessError +import os + +FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow'] + + +class RedHatAuthConfig(object): + """ + AuthConfig class implements a system-independent interface to configure + system authentication resources. In Red Hat systems this is done with + authconfig(8) utility. + + AuthConfig class is nothing more than a tool to gather configuration + options and execute their processing. These options are then converted by + an actual implementation to a series of system calls to appropriate + utilities performing real configuration. + + If you need to re-use existing AuthConfig instance for multiple runs, + make sure to call 'AuthConfig.reset()' between the runs. 
+ """ + + def __init__(self, host): + """ Initialize host + :param str host: hostname + """ + self.host = host + self.parameters = {} + + def enable(self, option): + """ + Option to be passed to authconfig + :param str option: authconfig options + """ + self.parameters[option] = True + return self + + def disable(self, option): + """ + Disable options + :param str option: authconfig options + """ + self.parameters[option] = False + return self + + def add_option(self, option): + """ + Add option + :param str option: authconfig options + """ + self.parameters[option] = None + return self + + def add_parameter(self, option, value): + """ + Add parameters + :param str option: authconfig options + :param str values: values + """ + self.parameters[option] = [value] + return self + + def reset(self): + """ + Reset to the default + """ + self.parameters = {} + return self + + def build_args(self): + """ + Build argument list from options provided + """ + args = [] + print("parameters passed: ", self.parameters) + for (option, value) in self.parameters.items(): + if type(value) is bool: + if value: + args.append("--enable%s" % (option)) + else: + args.append("--disable%s" % (option)) + elif type(value) in (tuple, list): + args.append("--%s" % (option)) + args.append("%s" % (value[0])) + elif value is None: + args.append("--%s" % (option)) + else: + args.append("--%s%s" % (option, value)) + return args + + def execute(self, update=True): + """ Execute authconfig command """ + if update: + self.add_option("update") + + args = self.build_args() + auth_cmd = ['/usr/sbin/authconfig'] + args + cmd = self.host.run_command(auth_cmd, set_env=False, raiseonerr=False) + if cmd.returncode != 0: + raise Exception("Failed to run Authconfig") + + def backup(self, path): + """ Backup existing authconfig options + :param str path: path where existing files are backed + """ + cmd = self.host.run_command(['/usr/sbin/authconfig', '--savebackup', + path], set_env=False, raiseonerr=False) + if 
cmd.returncode != 0: + raise Exception("Unable to save backup") + # do not backup these files since we don't want to mess with + # users/groups during restore. Authconfig doesn't seem to mind about + # having them deleted from backup dir + files_to_remove = [os.path.join(path, f) for f in FILES_TO_NOT_BACKUP] + for filename in files_to_remove: + try: + self.host.run_command(['rm', '-f', filename], set_env=False) + except CalledProcessError: + pass + + def restore(self, path): + """ Restore from backup + :param str path: backup path + """ + self.host.run_command(["/usr/sbin/authconfig", "--restorebackup", + path], set_env=False, raiseonerr=False) --- sssd-1.16.1.orig/src/tests/python/sssd/testlib/common/exceptions.py +++ sssd-1.16.1/src/tests/python/sssd/testlib/common/exceptions.py 
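Review bot: `restore()` passes `raiseonerr=False` and then discards the result, so a failed `authconfig --restorebackup` leaves the host on the test's authentication configuration without any signal to the caller. `execute()` and `backup()` both check `cmd.returncode`, and `restore()` should do the same: assign the call to `cmd` and add `if cmd.returncode != 0: raise Exception("Unable to restore backup")`. In `backup()` the `except CalledProcessError: pass` around `rm -f` hides the case where the `passwd`/`shadow` copies stay in the backup directory, which is the situation the comment above it says must be avoided; logging or re-raising there would make it visible. `build_args()` tests `type(value) is bool`, where `isinstance(value, bool)` is the usual form.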
@@ -0,0 +1,56 @@
+"""
+ Provide Exceptions for py.test framework
+"""
+
+
+class StandardException(Exception):
+ """ Overrides Exception class """
+
+ def __init__(self, msg=None, rval=1):
+ if msg is None:
+ msg = 'Error'
+ self.msg = msg
+ self.rval = rval
+ super(StandardException, self).__init__(self.msg)
+
+ def __str__(self):
+ return "{} ({})".format(self.msg, self.rval)
+
+
+class InvalidInput(StandardException):
+ """
+ Override StandardException used mainly when invalid input is passed
+ """
+
+
+class DirSrvException(StandardException):
+ """
+ Override StandardException, This exception is to be used for
+ Directory Server related Errors
+ """
+
+
+class PkiLibException(StandardException):
+ """
+ Override StandardException,
+ This exception is to be used for PKI/SSL related Errors
+ """
+
+
+class OSException(StandardException):
+ """
+ Override StandardException, This exception is to be used for
+ Operating system errors.
+ """
+
+
+class LdapException(StandardException):
+ """
+ Override StandardException, This exception is to be used for LDAP Errors
+ """
+
+
+class RPMException(StandardException):
+ """
+ Override StandardException, This exception is to be used for RPM Errors
+ """
--- sssd-1.16.1.orig/src/tests/python/sssd/testlib/common/libdirsrv.py
+++ sssd-1.16.1/src/tests/python/sssd/testlib/common/libdirsrv.py 
@@ -0,0 +1,559 @@ +"""This module contains methods to create Directory Server Instance.""" +from __future__ import print_function +import os +import ConfigParser +import tempfile +import subprocess +import socket +import time +import ldap +from sssd.testlib.common.exceptions import DirSrvException +from sssd.testlib.common.exceptions import LdapException +from sssd.testlib.common.utils import LdapOperations + +DS_USER = 'nobody' +DS_GROUP = 'nobody' +DS_ADMIN = 'admin' +DS_ROOTDN = 'CN=Directory Manager' + + +class DirSrv(object): + """Base class to setup DS Instances + + For setting up Directory Server, enabling TLS, and + removing of Directory Server instance. + """ + + # pylint: disable=too-many-instance-attributes + def __init__(self, **kwargs): + """Initialize name, suffix, host, ports, Directory Manager password.""" + self.instance_name = kwargs.get('name') + self.dsinstance_host = kwargs.get('host') + self.dsinstance_suffix = kwargs.get('suffix') + self.multihost = kwargs.get('multihost') + self.dsrootdn_pwd = kwargs.get('root_dn_password') + self.dsldap_port = kwargs.get('ldap_port', None) + self.dstls_port = kwargs.get('ldap_tls_port', None) + self.dsrootdn = DS_ROOTDN + self.ds_inst_name = 'slapd-%s' % self.instance_name + self.dsrootdir = '/etc/dirsrv' + self.dsinst_path = os.path.join(self.dsrootdir, self.ds_inst_name) + + def __str__(self): + return "%s.%s('%r')" % (self.__module__, self.__class__.__name__, + self.__dict__) + + def __repr__(self): + return '%s(%s, %r)' % (self.__module__, self.__class__.__name__, + self.__dict__) + + def create_config(self): + """create config file for setup-ds.pl to setup DS instances. 
+ + Args: + param1 (None): + + Returns: + str: Returns path of the config file + + Exceptions: + None + """ + config = ConfigParser.RawConfigParser() + config.optionxform = str + config.add_section('General') + config.set('General', 'FullMachineName', self.dsinstance_host) + config.set('General', 'SuiteSpotUserID', DS_USER) + config.set('General', 'SuiteSpotGroup', DS_GROUP) + config.set('General', 'ConfigDirectoryAdminID', DS_ADMIN) + config.add_section('slapd') + config.set('slapd', 'ServerIdentifier', self.instance_name) + config.set('slapd', 'ServerPort', self.dsldap_port) + config.set('slapd', 'Suffix', self.dsinstance_suffix) + config.set('slapd', 'RootDN', self.dsrootdn) + config.set('slapd', 'RootDNPwd', self.dsrootdn_pwd) + + (ds_config, ds_config_file_path) = tempfile.mkstemp(suffix='cfg') + os.close(ds_config) + with open(ds_config_file_path, "wb") as outfile: + config.write(outfile) + return ds_config_file_path + + def setup_ds(self, ds_cfg_file): + """create DS instance by running setup-ds.pl. 
+ + Args: + ds_config_file (str): ds_config_file: Configuration File path + + Returns: + bool: True if setup-ds.pl ran successfully else False + + Exceptions: + subprocess.CalledProcessError: + """ + self.multihost.transport.put_file(ds_cfg_file, '/tmp/test.cfg') + setup_args = ['setup-ds.pl', '--silent', + '--file=/tmp/test.cfg', '--debug'] + try: + self.multihost.run_command(setup_args) + except subprocess.CalledProcessError: + raise + else: + os.remove(ds_cfg_file) + return True + + def remove_ds(self, inst_name=None): + """Remove Directory Server instance + + Args: + inst_name (str): DS Instance name + + Returns: + None + + Exceptions: + subprocess.CalledProcessError + """ + if inst_name is None: + inst_name = self.ds_inst_name + remove_args = ['remove-ds.pl', '-i', inst_name, '-d'] + try: + self.multihost.run_command(remove_args) + except subprocess.CalledProcessError: + raise + + def setup_certs(self, ssl_dir): + """copy CA and Server certs to all DS instances. + + Args: + ssl_dir (str): NSS Directory containing CA and Server-Certs + + Returns: + bool: True if files are copied + + Exceptions: + DirSrvException + """ + # We stop directory server before we copy files. This is required + # because it's seen that at times, if ns-slapd process is reading + # the db files, copying of files is successful but not all data + # is written causing the files to go corrupt. 
+ stop_ds = ['systemctl', 'stop', 'dirsrv@%s' % (self.instance_name)] + try: + self.multihost.run_command(stop_ds) + except subprocess.CalledProcessError: + return True + else: + self.multihost.log.info('DS instance stopped successfully') + nss_db_files = ['cert8.db', 'key3.db', 'secmod.db', 'pin.txt'] + dirsrv_cert_path = '/etc/dirsrv/' + self.ds_inst_name + '/cacert.pem' + cacert_file_path = '%s/cacert.pem' % ('/etc/openldap/cacerts') + for db_file in nss_db_files: + source = os.path.join(ssl_dir, db_file) + destination = os.path.join(self.dsinst_path, db_file) + self.multihost.transport.put_file(source, destination) + target_pin_file = os.path.join(self.dsinst_path, 'pin.txt') + change_ownership = ['chown', DS_USER, target_pin_file] + change_group = ['chgrp', DS_GROUP, target_pin_file] + chmod_file = ['chmod', '600', target_pin_file] + # copy the cacert file to test_dir + create_cert_dir = 'mkdir -p /etc/openldap/cacerts' + self.multihost.run_command(create_cert_dir) + self.multihost.transport.put_file(os.path.join( + ssl_dir, 'cacert.pem'), cacert_file_path) + try: + self.multihost.run_command(change_ownership) + except subprocess.CalledProcessError: + raise DirSrvException( + 'fail to user change ownership of pin.txt fail') + try: + self.multihost.run_command(change_group) + except subprocess.CalledProcessError: + raise DirSrvException( + 'fail to change group ownership of pin.txt file') + try: + self.multihost.run_command(chmod_file) + except subprocess.CalledProcessError: + raise DirSrvException('fail to change permissions of pin.txt file') + start_ds = ['systemctl', 'start', 'dirsrv@%s' % (self.instance_name)] + try: + self.multihost.run_command(start_ds) + except subprocess.CalledProcessError: + raise DirSrvException('Could not Start DS Instance') + else: + self.multihost.log.info('DS instance started successfully') + ca = self.multihost.get_file_contents(cacert_file_path) + self.multihost.transport.put_file_contents(dirsrv_cert_path, ca) + + def 
enable_ssl(self, binduri, tls_port): + """sets TLS Port and enabled TLS on Directory Server. + + Args: + binduri (str): LDAP uri to bind with + tls_port (str): TLS port to be setup + + Returns: + bool: True if successfully setup TLS port + + Exceptions: + LdapException + """ + ldap_obj = LdapOperations(uri=binduri, binddn=self.dsrootdn, + bindpw=self.dsrootdn_pwd) + # Enable TLS + mod_dn1 = 'cn=encryption,cn=config' + add_tls = [(ldap.MOD_ADD, 'nsTLS1', 'on')] + (ret, return_value) = ldap_obj.modify_ldap(mod_dn1, add_tls) + if not return_value: + raise LdapException('fail to enable TLS, Error:%s' % (ret)) + else: + print('Enabled nsTLS1=on') + + entry1 = { + 'objectClass': ['top', 'nsEncryptionModule'], + 'cn': 'RSA', + 'nsSSLtoken': 'internal (software)', + 'nsSSLPersonalitySSL': 'Server-Cert-%s' % (self.dsinstance_host), + 'nsSSLActivation': 'on' + } + dn1 = 'cn=RSA,cn=encryption,cn=config' + (ret, return_value) = ldap_obj.add_entry(entry1, dn1) + if not return_value: + raise LdapException('fail to set Server-Cert nick:%s' % (ret)) + else: + print('Enabled Server-Cert nick') + + # Enable security + mod_dn2 = 'cn=config' + enable_security = [(ldap.MOD_REPLACE, 'nsslapd-security', 'on')] + (ret, return_value) = ldap_obj.modify_ldap(mod_dn2, enable_security) + if not return_value: + raise LdapException( + 'fail to enable nsslapd-security, Error:%s' % (ret)) + else: + print('Enabled nsslapd-security') + + # set the appropriate TLS port + mod_dn3 = 'cn=config' + enable_ssl_port = [(ldap.MOD_REPLACE, 'nsslapd-securePort', + str(tls_port))] + (ret, return_value) = ldap_obj.modify_ldap(mod_dn3, enable_ssl_port) + if not return_value: + raise LdapException( + 'fail to set nsslapd-securePort, Error:%s' % (ret)) + else: + print('Enabled nsslapd-securePort=%r' % tls_port) + + +class DirSrvWrap(object): + """This is a wrapper class for DirSrv. + + This is a wrapper class of DirSrv class which validates + all the inputs sent to Dirsrv object. 
Specifies ports for + LDAP and TLS ports, specifies default suffix. + """ + # pylint: disable=too-many-instance-attributes + def __init__(self, multihost_obj, ssl=None, ssldb=None): + """ + Create a DirSrv object for a specific Host. Specify the ports, + instance details to the Dirsrv object + + Args: + multihost_obj (obj): Multihost object + ssl (bool): set True to enable SSL else none/False + ssldb (str): Directory containing CA and server certs + """ + self.ds_used_ports = {} + self.dirsrv_info = {} + self.dirsrv_obj = None + self.ds_instance_name = None + self.multihost = multihost_obj + self.ds_instance_host = self.multihost.sys_hostname + self.ds_instance_suffix = None + self.ds_rootdn_pwd = None + self.ds_ldap_port = None + self.ds_tls_port = None + self.ssl = ssl + if self.ssl: + self.ssl_dir = ssldb + + def __iter__(self): + """ iter values of each instance """ + return self.dirsrv_info.itervalues() + + def __getitem__(self, key): + """ Return values of each instance """ + return self.dirsrv_info[key] + + def _set_options(self, + instance_name, + instance_suffix, + root_dn_pwd, + ldap_port, + tls_port): + """set Default values. 
+ + Args: + instance_name (str): DS Instance Name + instance_suffix (str): DS Instance Suffix + root_dn_pwd (str): Directory Manager password + ldap_port (str): LDAP port + tls_port (str): TLS Port + + Returns: + A tuple containing 'Success', 0 or Failed Message and 1 + for failure to setup ports + + Exceptions: + None + """ + self.ds_instance_name = instance_name + if instance_suffix: + self.ds_instance_suffix = instance_suffix + else: + self.ds_instance_suffix = 'dc=example,dc=org' + + if root_dn_pwd: + self.ds_rootdn_pwd = root_dn_pwd + else: + self.ds_rootdn_pwd = 'Secret123' + # Get ports + try: + self.ds_ldap_port, self.ds_tls_port = self._set_ports( + ldap_port, tls_port) + except IndexError: + return "No more ports available", 1 + else: + self.ds_used_ports[self.ds_instance_name] = [ + self.ds_ldap_port, self.ds_tls_port] + + # validate instance + try: + self._validate_options() + except DirSrvException as err: + return err.msg, err.rval + else: + return "Success", 0 + + def _set_ports(self, u_port, e_port): + """return ports required to setup DS Instance. + + Idea behind this is when a directory server instance needs + to be created we need ports for LDAP and SSL ports. + 1. check if LDAP port and SSL port is given + 1.1 If given, verify if the ports are available(not used) + 1.1.1 Bind that port to ldap_port_t using semanage command + 1.1.2 Use the ports and add it to the self.UsedPorts list + 1.2 else raise exception + 2. 
If LDAP port and SSL port is not given + 2.1 Check if the ports are available(not used) + 2.1.1 Bind the port to ldap_port_t using semanage command + 2.1.2 Use the ports and add it to self.ds_used_ports list + + Args: + u_port (str): unencrypted LDAP port + e_port (str): Encrypted port to be used for TLS + + Returns: + sorted_available_ports[0] (list): LDAP and TLS ports + """ + ds_ports = [389, 1389, 2389, 3389, 4389, 30389, 31389, 32389, 33389, + 34389, 35389, 36389, 37389, 38389, 39389] + tls_ports = [636, 1636, 2636, 3636, 4636, 30636, 31636, 32636, 33636, + 34636, 35636, 36636, 37636, 38636, 39636] + + if u_port is None and e_port is None: + for ldap_port, ldaps_port in zip(ds_ports, tls_ports): + if (self._check_remote_port(ldap_port) or + self._check_remote_port(ldaps_port)): + pass + else: + return ldap_port, ldaps_port + else: + list_a = [] + for ports in self.ds_used_ports.values(): + list_a.append(ports) + + list_b = [] + for l_port, s_port in zip(ds_ports, tls_ports): + list_b.append((l_port, s_port)) + + if len(set(list_a)) > len(set(list_b)): + available_ports = set(list_a) - set(list_b) + else: + available_ports = set(list_b) - set(list_a) + sorted_available_ports = sorted(available_ports) + return sorted_available_ports[0] + + def _check_remote_port(self, port): + """check if the port on the remote host is free. + + Args: + port (int): check if port is available + + Returns: + bool: True if port is free else False. + """ + sock_obj = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock_obj.settimeout(1) + try: + sock_obj.connect((self.ds_instance_host, port)) + except socket.error as err: + print("fail to connect to port %s due to error %r" % (port, + err.errno)) + return False + else: + sock_obj.close() + return True + + def _validate_options(self): + """verify if the instance directory already exists. 
+ + Args: + None + + Returns: + None + + Exceptions: + DirSrvException: if instance directory already exists + """ + check_instance = ['/usr/bin/ls', '/etc/dirsrv/slapd-%s' % + self.ds_instance_name] + output = self.multihost.run_command(check_instance, raiseonerr=False) + if output.returncode == 0: + raise DirSrvException('%s Instance already exists' % + self.ds_instance_name) + + def create_ds_instance(self, + inst_name, + inst_suffix=None, + root_dn_pwd=None, + ldap_port=None, + tls_port=None): + """create Directory server instance. + + Args: + inst_name (str): Instance Name + inst_suffix (str): Instance suffix + root_dn_pwd (str): Directory Manager password + ldap_port (str): LDAP port to be used + tls_port (str): TLS port to be used + + Returns: + result (str) and return code (str): Result containing message and + return code containing 0 or 1 (1 indicating failure) + + Exceptions: + DirSrvException: if DS instance could not be created. + """ + result, return_code = self._set_options(inst_name, + inst_suffix, + root_dn_pwd, + ldap_port, + tls_port) + if return_code == 0: + self.dirsrv_obj = DirSrv(name=self.ds_instance_name, + host=self.ds_instance_host, + suffix=self.ds_instance_suffix, + multihost=self.multihost, + root_dn_password=self.ds_rootdn_pwd, + ldap_port=self.ds_ldap_port, + tls_port=self.ds_tls_port) + cfg_file = self.dirsrv_obj.create_config() + try: + self.dirsrv_obj.setup_ds(cfg_file) + except subprocess.CalledProcessError: + raise DirSrvException('fail to DS config file to setup') + self.dirsrv_info[self.ds_instance_name] = self.dirsrv_obj.__dict__ + if self.ssl: + try: + self.dirsrv_obj.setup_certs(self.ssl_dir) + except DirSrvException as err: + return err.msg, err.rval + else: + (result, return_code) = self.enablessl() + return result, return_code + else: + raise DirSrvException('fail to setup Directory Server instance') + + def enablessl(self): + """Enable SSL/TLS on instance. 
+ + Enable by adding TLS port to ldap_port_t SELinux label and restart + Directory Server. + + Args: + None + + Returns: + Tuple: Success, 0 or Error, 1 + + Exceptions: + None: + """ + # add TLS port to ldap_port_t SELinux label + + add_tls_port = ['semanage', 'port', '-a', '-t', + 'ldap_port_t', '-p', 'tcp', str(self.ds_tls_port)] + + restart_ds = ['systemctl', 'restart', 'dirsrv@%s' % + self.ds_instance_name] + if self.ds_tls_port != 636: + try: + self.multihost.run_command(add_tls_port) + except subprocess.CalledProcessError: + return "Unable to set tls_port as ldap_port_t", 1 + else: + self.multihost.log.info('Added %s port to ldap_port_t' % + self.ds_tls_port) + try: + self.dirsrv_obj.enable_ssl('ldap://%s:%r' % (self.ds_instance_host, + self.ds_ldap_port), + self.ds_tls_port) + except LdapException: + return "Error", 1 + + try: + self.multihost.run_command(restart_ds) + except subprocess.CalledProcessError: + return "Error", 1 + else: + self.multihost.log.info('DS instance restarted successfully') + # sleep for 10 seconds + time.sleep(10) + tail_cmd = ['tail', '-n', '100', + '/var/log/dirsrv/slapd-%s/errors' % self. + ds_instance_name] + output = self.multihost.run_command(tail_cmd, raiseonerr=False) + if output.returncode != 0: + return "Error", 1 + else: + return "Success", 0 + + def remove_ds_instance(self, instance_name): + """remove Directory server instance. 
+ + Args: + instance_name (str): Instance Name + + Returns: + bool: True if successfully removed + + Exceptions: + DirSrvException: if DS instance cannot be removed + """ + ret = self.dirsrv_info[instance_name] + if ret['instance_name'] == instance_name: + ds_inst_name = ret['ds_inst_name'] + try: + self.dirsrv_obj.remove_ds(ds_inst_name) + except subprocess.CalledProcessError: + raise DirSrvException('Could not remove DS Instance', + ds_inst_name) + else: + del self.ds_used_ports[instance_name] + return True + else: + raise DirSrvException('%s Instance could not found' % + (instance_name)) --- sssd-1.16.1.orig/src/tests/python/sssd/testlib/common/libkrb5.py +++ sssd-1.16.1/src/tests/python/sssd/testlib/common/libkrb5.py 
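Review bot: `setup_ds()` uploads the generated config, which `create_config()` fills with `RootDNPwd`, to the fixed path `/tmp/test.cfg` on the target host and never deletes it there, so the Directory Manager password stays in a predictable file in a shared directory after setup; the local temp file is also only removed on the success path. A per-run remote file name plus cleanup in a `finally:` would close that, e.g. `self.multihost.run_command(['rm', '-f', '/tmp/test.cfg'], raiseonerr=False)` next to `os.remove(ds_cfg_file)`. `__str__` and `__repr__` format `self.__dict__`, which includes `dsrootdn_pwd`, and `create_ds_instance()` stores that same `__dict__` in `dirsrv_info`, so the password also reaches anything that prints or logs these objects. Separately, `create_ds_instance()` passes `tls_port=` while `DirSrv.__init__` reads `kwargs.get('ldap_tls_port')`, so `dstls_port` is always `None`.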
@@ -0,0 +1,219 @@ +from __future__ import print_function +import ConfigParser +import tempfile +import os +import subprocess + + +class krb5srv(object): + """ Base class to setup MIT Kerberos server + Default Kerberos Server realm is "EXAMPLE.TEST" + Default Admin password is "Secret123" + """ + + def __init__(self, multihost, krb_realm=None): + """ Initialize realm, host, ports, Kerberos admin password """ + if krb_realm is None: + self.krb_realm = 'EXAMPLE.TEST' + else: + self.krb_realm = krb_realm.upper() + self.multihost = multihost + self.kdc_port = '88' + self.kadmin_port = '749' + self.admin_password = 'Secret123' + self.krb5_kdc_data_dir = '/var/kerberos/krb5kdc' + self.krb5_kdc_sysconfig = '/etc/sysconfig/krb5kdc' + self.krb5_log_file = '/var/log/krb5kdc.log' + self.admin_keytab = '%s/kadm5.keytab' % (self.krb5_kdc_data_dir) + self.kadmin_log_file = '/var/log/kadmind.log' + self.enc_type = ['aes256-cts:normal', 'aes128-cts:normal', + 'des3-hmac-sha1:normal', 'arcfour-hmac:normal', + 'camellia256-cts:normal', 'camellia128-cts:normal', + 'des-hmac-sha1:normal', 'des-cbc-md5:normal', + 'des-cbc-crc:normal'] + self.krb_acl_file = '%s/kadm5.acl' % (self.krb5_kdc_data_dir) + self.admin_keytab = '%s/kadm5.keytab' % (self.krb5_kdc_data_dir) + self.supported_enctypes = ' '.join(self.enc_type) + self.kdc_conf = '%s/kdc.conf' % (self.krb5_kdc_data_dir) + + def _config_krb5kdc(self): + """ Configure kdc.conf and kadm5.acl + :param: None + :return str: Return Kerberos kdc.conf file path + """ + realm_def = """ { + acl_file = %s + admin_keytab = %s + supported_enctypes = %s + } """ % (self.krb_acl_file, + self.admin_keytab, + self.supported_enctypes) + config = ConfigParser.RawConfigParser() + config.optionxform = str + config.add_section('kdcdefaults') + config.set('kdcdefaults', 'kdc_ports', self.kdc_port) + config.set('kdcdefaults', 'kdc_tcp_ports', self.kdc_port) + config.add_section('logging') + config.set('logging', 'kdc', 'FILE:%s' % (self.krb5_log_file)) + 
config.set('logging', 'admin_server', 'File:%s' % + (self.kadmin_log_file)) + config.add_section('realms') + config.set('realms', self.krb_realm, realm_def) + + (krb_config, krb_config_path) = tempfile.mkstemp(suffix='cfg') + os.close(krb_config) + with open(krb_config_path, "wb") as outfile: + config.write(outfile) + return krb_config_path + + def _krb_acl_config(self): + """ Create ACL file + :param: None + :return: Config file path + """ + acl = "*/%s@%s *" % ('admin', self.krb_realm) + (acl_config, acl_config_path) = tempfile.mkstemp(suffix='cfg') + os.close(acl_config) + with open(acl_config_path, "wb") as outfile: + outfile.write(acl) + return acl_config_path + + def krb_setup_new(self): + """ Setup new Kerberos REALM + :param: None + :return: None + :Exception: Raises subprocess.CalledProcessError + """ + krb_config_path = self._config_krb5kdc() + acl_file = self._krb_acl_config() + self.multihost.transport.put_file(krb_config_path, self.kdc_conf) + self.multihost.transport.put_file(acl_file, self.krb_acl_file) + kdb5_util_create = ['kdb5_util', 'create', '-W', '-r', + self.krb_realm, '-s', '-P', '""'] + + try: + self.multihost.run_command(kdb5_util_create) + except subprocess.CalledProcessError: + raise + + try: + self.add_principal(p_type='admin', + password=self.admin_password, + service='admin', + service_name='admin') + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("created REALM %s" % (self.krb_realm)) + + try: + self.add_principal(p_type=None, service='host', + service_name=self.multihost.sys_hostname) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("host principal added") + + try: + self.multihost.run_command(['kadmin.local', '-r', self.krb_realm, + '-q', "ktadd host/%s" % + (self.multihost.sys_hostname)]) + except subprocess.CalledProcessError: + raise + try: + self.multihost.run_command(['kadmin.local', '-r', self.krb_realm, + '-q', "ktadd -k %s kadmin/admin" % + 
(self.admin_keytab)]) + except subprocess.CalledProcessError: + raise + + try: + self.multihost.run_command(['kadmin.local', '-r', self.krb_realm, + '-q', "ktadd -k %s kadmin/changepw" % + (self.admin_keytab)]) + except subprocess.CalledProcessError: + raise + + try: + self.multihost.run_command(['systemctl', 'start', 'krb5kdc']) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("krb5kdc service start successful") + try: + self.multihost.run_command(['systemctl', 'start', 'kadmin']) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("kadmin service started successfully") + + def add_principal(self, principal=None, + p_type='user', + password=None, + service=None, + service_name=None): + """ Add server/user principals to Kerberos server + :param str principal: principal name (foobar) + :param str p_type: principal type (user/admin/None) + :param str password: password ('Secret123') + :param str service: service principal (host/http/nfs) + :param str service_name: Hostname where service is run + :return bool: True if principal is added + :Exception: Raise subprocess.CalledProcessError + """ + # Todo: Need to check if a principal already exists before adding. 
+ if service is None: + service = 'host' + + if p_type is 'user': + add_principal = "add_principal -clearpolicy"\ + " -pw %s %s@%s" % (password, principal, + self.krb_realm) + kadmin_local_cmd = ['kadmin.local', '-r', + self.krb_realm, '-q', add_principal] + elif p_type is 'admin': + add_principal = "add_principal -clearpolicy"\ + " -pw %s %s/%s" % (password, service, 'admin') + kadmin_local_cmd = ['kadmin.local', '-r', self.krb_realm, + '-q', add_principal] + else: + add_principal = "add_principal -clearpolicy"\ + " -randkey %s/%s" % (service, service_name) + kadmin_local_cmd = ['kadmin.local', '-r', self.krb_realm, + '-q', add_principal] + try: + self.multihost.run_command(kadmin_local_cmd) + except subprocess.CalledProcessError: + raise + else: + return True + + def destroy_krb5server(self): + """ Destroy Kerberos database + :param: None + :Exception: subprocess.CalledProcessError + """ + # stop the Kerberos server + try: + self.multihost.run_command(['systemctl', 'stop', 'krb5kdc']) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("stopped krb5kdc service") + + # stop kadmin service + try: + self.multihost.run_command(['systemctl', 'stop', 'krb5kdc']) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("stopped kadmin service") + + # destroy Kerberos database + try: + self.multihost.run_command(['kdb5_util', 'destroy', '-f', + self.krb_realm]) + except subprocess.CalledProcessError: + raise + else: + self.multihost.log.info("Removed krb realm %s" % self.krb_realm) --- sssd-1.16.1.orig/src/tests/python/sssd/testlib/common/qe_class.py +++ sssd-1.16.1/src/tests/python/sssd/testlib/common/qe_class.py 
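Review bot: In `add_principal` the password is interpolated unquoted into the `kadmin.local -q` query (`-pw %s %s@%s`), so a password containing whitespace or quote characters would be parsed as extra query arguments, and with the default `password=None` the literal string `None` becomes the principal's password; reject a missing password and quote or validate the value before formatting. The same method picks its branch with `p_type is 'user'` and `p_type is 'admin'`, an identity test that only matches when the interpreter happens to intern both strings, so it should read `if p_type == 'user':` and `elif p_type == 'admin':`. In `destroy_krb5server` the block commented "stop kadmin service" runs `['systemctl', 'stop', 'krb5kdc']` a second time, so kadmin appears to be left running while the database is destroyed; the call should be `self.multihost.run_command(['systemctl', 'stop', 'kadmin'])`.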
@@ -0,0 +1,346 @@ +from pytest_multihost import make_multihost_fixture +import pytest_multihost.config +import pytest_multihost.host +import logging +import pytest +import time + + +class QeConfig(pytest_multihost.config.Config): + """QeConfig subclass of multihost plugin to extend functionality.""" + + extra_init_args = {'directory_manager', 'directory_password', + 'rootdn', 'rootdn_pwd'} + + def __init__(self, **kwargs): + self.log = self.get_logger('%s.%s' % (__name__, type(self).__name__)) + pytest_multihost.config.Config.__init__(self, **kwargs) + + def get_domain_class(self): + """return custom domain class. + + This is needed to fully extend the config for custom + multihost plugin extensions. + + Args: + None + + Returns: + None + """ + return QeDomain + + def get_logger(self, name): + """Override get_logger to set logging level. + + Args: + name (str): Name of the logger + + Returns: + log (obj): Logger object + """ + log = logging.getLogger(name) + log.propagate = False + if not log.handlers: + # set log Level + log.setLevel(logging.DEBUG) + handler = logging.StreamHandler() + handler.setLevel(logging.DEBUG) + # set formatter + formatter = logging.Formatter( + '%(asctime)s - %(name)s - %(levelname)s - %(message)s') + handler.setFormatter(formatter) + log.addHandler(handler) + return log + + +class QeBaseHost(pytest_multihost.host.BaseHost): + """QeBaseHost subclass of multihost plugin BaseHost class.""" + pass + + +class QeHost(QeBaseHost): + """QeHost subclass of multihost plugin host class. + + This extends functionality of the host class for SSSD QE purposes. + Here we add support functions that will be very widely used across + tests and must be run on any or all hosts in the environment. 
+ """ + + @property + def sys_hostname(self): + """Get system hostname + + Args: + None + + Returns: + str: System hostname + """ + cmd = self.run_command(['hostname'], raiseonerr=False) + return cmd.stdout_text.strip() + + @property + def distro(self): + """ Get contents of /etc/redhat-release + + :param None: + :return str: contents of /etc/redhat-release + """ + cmd = self.run_command(['cat', '/etc/redhat-release'], + raiseonerr=False) + if cmd.returncode != 0: + distro = 'Unknown Distro' + else: + distro = cmd.stdout_text.strip() + return distro + + def service_sssd(self, action): + """ Start/stop/restart sssd service based on RHEL Version + + :param str action: Action to be performed (start/stop/restart) + :return: str Return code of the systemctl/service command + :Exception Raises exception + """ + if 'Fedora' in self.distro: + cmd = self.run_command(['systemctl', action, 'sssd'], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise Exception('Unable to %s sssd' % action, 1) + elif '7.' in self.distro.split()[6]: + cmd = self.run_command(['systemctl', action, 'sssd'], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise Exception('Unable to %s sssd' % action, 1) + elif '6.' 
in self.distro.split()[6]: + cmd = self.run_command(['service', 'sssd', action], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise Exception('Unable to %s sssd' % action, 1) + elif 'Atomic' in self.distro.split(): + cmd = self.run_command(['systemctl', action, 'sssd'], + raiseonerr=False) + if cmd.returncode == 0: + time.sleep(10) + return cmd.returncode + else: + raise Exception('Unable to %s sssd' % action, 1) + + def yum_install(self, package): + """ Install packages through yum + + :param str package: Name of the package to be installed + :return str: Returncode of the yum command + :Exception: None + """ + cmd = self.run_command(['yum', '-y', 'install', package], + raiseonerr=False) + return cmd.returncode + + def dnf_install(self, package): + """ Install packages through dnf + + :param str package: Name of the package to be installed + :return str: Returncode of the dnf command + :Exception: None + """ + cmd = self.run_command(['dnf', '-y', 'install', package], + raiseonerr=False) + return cmd.returncode + + def yum_uninstall(self, package): + """ Uninstall packages through yum + :param str package: Name of the package to be uninstalled + :return str: Return code of the yum remove command + :Exception: None + """ + + cmd = self.run_command(['yum', '-y', 'remove', package], + raiseonerr=False) + return cmd.returncode + + def dnf_uninstall(self, package): + """ Uninstall packages through dnf + :param str package: Name of the package to be uninstalled + :return str: Return code of the dnf remove command + :Exception: None + """ + + cmd = self.run_command(['dnf', '-y', 'remove', package], + raiseonerr=False) + return cmd.returncode + + +class QeWinHost(QeBaseHost, pytest_multihost.host.WinHost): + """ Windows Host class + + Subclass of pytest_multihost.host.WinHost, QeBaseHost + Functions defined provide extra attributes when using Windows AD + + Attributes: + domainname (str): Return domainname of the AD 
Machine + realm (str): Return AD realm in upper case + """ + + @property + def domainname(self): + """ Return Domain name """ + cmd = self.run_command(['domainname'], set_env=False, raiseonerr=False) + return cmd.stdout_text.strip() + + @property + def realm(self): + """ Return AD Realm """ + cmd = self.run_command(['domainname'], set_env=False, raiseonerr=False) + return cmd.stdout_text.strip().upper() + + @property + def domain_basedn_entry(self): + """ Return base DN Entry of the """ + cmd = self.run_command(['domainname'], set_env=False, raiseonerr=False) + domain_list = ['DC=' + string for string in cmd.stdout_text.strip(). + split('.')] + list1 = map(str, domain_list) + domain_base_dn = ','.join(list1) + return domain_base_dn + + def _get_client_dn_entry(self, client): + """ Return DN entry of client computer in AD """ + cmd = self.run_command(['dsquery', 'computer', '-name', str(client)], + set_env=False, raiseonerr=False) + output = cmd.stdout_text.strip() + return output + + def _get_user_dn_entry(self, user): + """ Return DN entry of client computer in AD """ + cmd = self.run_command(['dsquery', 'user', '-name', user], + set_env=False, raiseonerr=False) + output = cmd.stdout_text.strip() + return output + + +class QeDomain(pytest_multihost.config.Domain): + """ QeDomain subclass of multihost plugin domain class. 
""" + def __init__(self, config, name, domain_type): + """ + Subclass of pytest_multihost.config.Domain + + :param obj config: config config + :param str name: Name + :param str domain_type: + + :return None: + """ + self.type = str(domain_type) + self.config = config + self.name = str(name) + self.hosts = [] + + host_classes = {'default': QeHost, 'windows': QeWinHost} + + +@pytest.yield_fixture(scope="session", autouse=True) +def session_multihost(request): + """Multihost plugin fixture for session scope""" + if pytest.num_ad > 0: + mh = make_multihost_fixture(request, descriptions=[ + { + 'type': 'sssd', + 'hosts': + { + 'master': pytest.num_masters, + 'atomic': pytest.num_atomic, + 'replica': pytest.num_replicas, + 'client': pytest.num_clients, + 'other': pytest.num_others, + } + }, + { + 'type': 'ad', + 'hosts': + { + 'ad': pytest.num_ad, + }, + }, + ], config_class=QeConfig,) + else: + mh = make_multihost_fixture(request, descriptions=[ + { + 'type': 'sssd', + 'hosts': + { + 'master': pytest.num_masters, + 'atomic': pytest.num_atomic, + 'replica': pytest.num_replicas, + 'client': pytest.num_clients, + 'other': pytest.num_others, + } + }, + ], config_class=QeConfig,) + mh.domain = mh.config.domains[0] + mh.master = mh.domain.hosts_by_role('master') + mh.atomic = mh.domain.hosts_by_role('atomic') + mh.replica = mh.domain.hosts_by_role('replica') + mh.client = mh.domain.hosts_by_role('client') + mh.others = mh.domain.hosts_by_role('other') + + if pytest.num_ad > 0: + mh.domain_ad = mh.config.domains[1] + mh.ad = mh.domain_ad.hosts_by_role('ad') + + yield mh + + +@pytest.fixture(scope='session', autouse=True) +def create_testdir(session_multihost, request): + config_dir_cmd = "mkdir -p %s" % (session_multihost.config.test_dir) + env_file_cmd = "touch %s/env.sh" % (session_multihost.config.test_dir) + rm_config_cmd = "rm -rf %s" % (session_multihost.config.test_dir) + + for i in range(len(session_multihost.atomic)): + 
session_multihost.atomic[i].run_command(config_dir_cmd) + session_multihost.atomic[i].run_command(env_file_cmd) + + for i in range(len(session_multihost.client)): + session_multihost.client[i].run_command(config_dir_cmd) + session_multihost.client[i].run_command(env_file_cmd) + + for i in range(len(session_multihost.master)): + session_multihost.master[i].run_command(config_dir_cmd) + session_multihost.master[i].run_command(env_file_cmd) + + for i in range(len(session_multihost.others)): + session_multihost.others[i].run_command(config_dir_cmd) + session_multihost.others[i].run_command(env_file_cmd) + + for i in range(len(session_multihost.replica)): + session_multihost.replica[i].run_command(config_dir_cmd) + session_multihost.replica[i].run_command(env_file_cmd) + + def remove_test_dir(): + + for i in range(len(session_multihost.atomic)): + session_multihost.atomic[i].run_command(rm_config_cmd) + + for i in range(len(session_multihost.client)): + session_multihost.client[i].run_command(rm_config_cmd) + + for i in range(len(session_multihost.master)): + session_multihost.master[i].run_command(rm_config_cmd) + + for i in range(len(session_multihost.others)): + session_multihost.others[i].run_command(rm_config_cmd) + + for i in range(len(session_multihost.replica)): + session_multihost.replica[i].run_command(rm_config_cmd) + + request.addfinalizer(remove_test_dir) --- sssd-1.16.1.orig/src/tests/python/sssd/testlib/common/utils.py +++ sssd-1.16.1/src/tests/python/sssd/testlib/common/utils.py 
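Review bot: `create_testdir` builds `mkdir -p %s`, `touch %s/env.sh` and `rm -rf %s` as single strings from `session_multihost.config.test_dir`, so an empty value, a path containing spaces, or shell metacharacters in the configured path would change what is created and deleted on every host, assuming `run_command` hands a string to a shell as it appears to. The rest of this file passes argv lists, and the same form works here: `rm_config_cmd = ['rm', '-rf', session_multihost.config.test_dir]`, preceded by a check that `test_dir` is a non-empty absolute path other than `/`. Separately, `service_sssd` indexes `self.distro.split()[6]`, which raises IndexError when `distro` returns `'Unknown Distro'` or any release string with fewer than seven words, and the method returns None when no branch matches although its docstring promises an exception. A length check before indexing and a final `else: raise Exception('Unsupported distro: %s' % self.distro)` would close both gaps.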
@@ -0,0 +1,980 @@ +""" This module defines classes regarding sssd tools, +AD Operations and LDAP Operations""" +from __future__ import print_function +import os +import tempfile +import subprocess +import array +import random +import socket +import shlex +import ConfigParser +from subprocess import CalledProcessError +from StringIO import StringIO +import ldap +import ldif +import paramiko +from ldap import modlist +from .authconfig import RedHatAuthConfig +from .exceptions import PkiLibException + + +PARAMIKO_VERSION = (int(paramiko.__version__.split('.')[0]), + int(paramiko.__version__.split('.')[1])) + + +class sssdTools(object): + """ Collection of assorted functions which is used in fixtures + + Attributes: + Host(obj: `Multihost object type`): Multihost Object + authbackup(str): Backup directory of authconfig + """ + def __init__(self, Host): + self.multihost = Host + self.authbackup = "/root/authconfig_backup" + + def update_resolv_conf(self, ip_addr): + """ Update /etc/resolv.conf with Windows AD IP address + + :param str ip_addr: IP Address to be added in resolv.conf + :return: None + :Exception: Raises exception of builtin type Exception + """ + self.multihost.log.info("Taking backup of /etc/resolv.conf") + output = self.multihost.run_command(['cp', '-f', '/etc/resolv.conf', + '/etc/resolv.conf.backup'], + set_env=False, raiseonerr=False) + if output.returncode == 0: + self.multihost.log.info("/etc/resolv.conf successfully backed up") + self.multihost.log.info("Add ip addr %s in resolv.conf" % ip_addr) + nameserver = 'nameserver %s\n' % ip_addr + contents = self.multihost.get_file_contents('/etc/resolv.conf') + if not contents.startswith(nameserver): + contents = nameserver + contents.replace(nameserver, '') + self.multihost.put_file_contents('/etc/resolv.conf', contents) + else: + raise Exception("Updating resolv.conf with ip %s failed" % ip_addr) + + def config_authconfig(self, hostname, domainname): + """ Run authconfig to configure Kerberos and SSSD 
auth on remote host + + :param str hostname: Hostname of server(AD) to + which client is configured to auth + :param domainname: domain name of IPA/AD + :return: None + :Exceptions: None + """ + authconfig = RedHatAuthConfig(self.multihost) + self.multihost.log.info("Take backup of current authconfig") + authconfig.backup(self.authbackup) + self.multihost.run_command(['domainname'], raiseonerr=False) + authconfig.enable("sssd") + authconfig.enable("sssdauth") + authconfig.add_parameter("krb5kdc", hostname) + authconfig.add_parameter("krb5adminserver", hostname) + authconfig.add_parameter("krb5realm", domainname.upper()) + authconfig.execute() + + def restore_authconfig(self): + """ Restore the default authconfig """ + authconfig = RedHatAuthConfig(self.multihost) + authconfig.restore(self.authbackup) + + def config_smb_net_ads_join(self, domainname): + """ Configure smb.conf as Domain Member to Windows AD + :param str domainname: domain name of AD/IPA + :return: None + :Exception: None + """ + workgroup_name = domainname.strip().split('.')[0].upper() + realm = domainname.strip().upper() + sambaconfig = ConfigParser.RawConfigParser() + sambaconfig.optionxform = str + sambaconfig.add_section('global') + sambaconfig.set("global", "workgroup", workgroup_name) + sambaconfig.set("global", "security", "ads") + sambaconfig.set("global", "realm", realm) + sambaconfig.set("global", "kerberos method", "secrets and keytab") + sambaconfig.set("global", "client signing", "yes") + sambaconfig.set("global", "client use spnego", "yes") + tmp_fd, tmp_file_path = tempfile.mkstemp(suffix='conf', prefix='smb') + with open(tmp_file_path, "wb") as outfile: + sambaconfig.write(outfile) + self.multihost.transport.put_file(tmp_file_path, '/etc/samba/smb.conf') + os.close(tmp_fd) + + def realm_join(self, domainname, admin_password, + client_software='sssd', + server_software='active-directory', + membership_software='adcli'): + """ Join system to AD/IPA Domain using realmOA + :param str 
domainname: domain name of AD/IPA + :param str admin_password: Administrator password required to join + :param str client_software: client software to be used (sssd/samba) + :param str server_software: server software (active-directory/ipa) + :param str membership_software: membership software (samba/adcli) + :return bool: True if successfully joined to AD/IPA + else raises Exception + :Exception: Raises exception(builtin) + """ + + cmd = self.multihost.run_command(['realm', 'join', domainname, + '--client-software=%s' % + (client_software), + '--server-software=%s' % + (server_software), + '--membership-software=%s' % + (membership_software), '-v'], + stdin_text=admin_password, + raiseonerr=False) + + if cmd.returncode != 0: + raise Exception("Error: %s" % cmd.stderr_text) + else: + return True + + def realm_leave(self, domainname): + """ Leave system from AD/IPA Domain + + :param str domainname: domain name of AD/IPA + :return bool: True if successfully dis-joined to AD/IPA + else raises Exception + :Exception: Raises exception(builtin) + """ + + cmd = self.multihost.run_command(['realm', 'leave', + domainname, '-v'], + raiseonerr=False) + if cmd.returncode != 0: + raise Exception("Error: %s", cmd.stderr_text) + else: + return True + + def export_nfs_fs(self, path_list, nfs_client): + """ Add local file systems directories to /etc/exports + + Todo: We are not checking if the directories added + to /etc/exports already exist. 
+ + :param str path_list: list of directories to be created + :param str nfs_client: hostname/ip-address of nfs client + :return bool: True if successfully added values in /etc/exports + :Exception: Raises exception(builtin) if not successfully added + """ + self.multihost.transport.get_file('/etc/exports', '/tmp/exports') + for local_dir in path_list: + cmd = self.multihost.run_command(['mkdir', '-p', local_dir], + raiseonerr=False) + if cmd.returncode != 0: + raise Exception("Unable to create %s directory" % local_dir) + exp_share = '{}{}{}{}'.format(local_dir, ' ', nfs_client, + '(rw,sync,fsid=0)') + + with open('/tmp/exports', "a+") as outfile: + outfile.write(exp_share + "\n") + self.multihost.transport.put_file('/tmp/exports', '/etc/exports') + return True + + def remove_sss_cache(self, cache_path): + """ Remove the sssd cache + :param str cache_path: The relative path of cache + :return bool: True if deletion and mkdir is successful + :Exception: Raises exception(builtin) + """ + cmd = self.multihost.run_command(['ls', cache_path], raiseonerr=False) + if cmd.returncode == 0: + db_list = cmd.stdout_text.split() + # for index in range(len(db_list)): + for index in enumerate(db_list): + # sss_db = db_list[index] + sss_db = index[1] + relative_path = '{}/{}'.format(cache_path, sss_db) + rm_file = self.multihost.run_command(['rm', '-f', + relative_path], + raiseonerr=False) + if rm_file.returncode != 0: + raise Exception("Error: %s", cmd.stderr_text) + else: + print("Successfully deleted %s" % (relative_path)) + return True + + def domain_from_suffix(self, suffix): + """ Domain name from the suffix + :param suffix: The suffix of 389 RHDS instance + :return: domain name in upper case + :Exception: Raises exception(builtin) + """ + if suffix is None: + raise Exception("Error: suffix should be passed") + else: + l1 = suffix.split("dc=") + elist = [] + for i in l1: + d1 = i.strip(',') + elist.append(d1) + str1 = '.'.join(elist) + l_domain = str1.lstrip('.') + 
u_domain = l_domain.upper() + return u_domain + + def delete_sssd_domain_log(self, domainname): + """ Remove the sssd domain log + + :param str cache_path: domain name from default configuration file + :return bool: True if deletion is successful + :Exception: Raises exception(builtin) + """ + path = ("/var/log/sssd/sssd_%s.log" % domainname) + cmd = self.multihost.run_command(['rm', '-rf', path], raiseonerr=False) + if cmd.returncode != 0: + raise Exception("Error: %s", cmd.stderr_text) + else: + return True + + def get_ad_user_info(self, username, ad_host): + """ Get the ad user information through 'net ads dn' command + + :param str username: The name of ad user + :param str ad_host: Host of active directory + :return bool: True is command is successful + :return: output of command + :Exception: Raises exception(builtin) + """ + user_dn = "CN=%s,CN=Users,%s" % (username, ad_host.domain_basedn_entry) + cmd = self.multihost.run_command(['net', 'ads', 'dn', user_dn], + raiseonerr=False) + if cmd.returncode != 0: + raise Exception("Error: %s", cmd.stderr_text) + else: + return(True, cmd.stdout_text) + + def auth_from_client(self, username, password): + """ ssh to user from client environment + :param str username: The name of user + :param str password: Login password of user + :return: exit status + if timeout the return status is 0 + if user successfully login then return status is 3 + if not then return status is 10 + """ + expect_script = 'spawn ssh -o NumberOfPasswordPrompts=1 ' \ + '-o StrictHostKeyChecking=no '\ + '-o UserKnownHostsFile=/dev/null ' \ + '-l ' + username + ' localhost whoami' + '\n' + expect_script += 'expect "*assword: "\n' + expect_script += 'send "' + password + '\r"\n' + expect_script += 'expect {\n' + expect_script += '\ttimeout { set result_code 0 }\n' + expect_script += '\t"' + username + '" { set result_code 3 }\n' + expect_script += '\teof {}\n' + expect_script += '\t"Permission denied " { set result_code 10 }\n' + expect_script += 
'}\n' + expect_script += 'exit $result_code\n' + print(expect_script) + rand_tag = ''.join(random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789') + for _ in range(10)) + exp_file = "/tmp/qe_pytest_expect_file" + rand_tag + self.multihost.put_file_contents(exp_file, expect_script) + print(("remote side expect script filename: %s") % exp_file) + + # Next run expect + cmd = self.multihost.run_command(['expect', '-f', exp_file], + raiseonerr=False) + print("----expect output start----") + print(cmd.stdout_text) + print(cmd.stderr_text) + print("----expect output end----") + return cmd.returncode + + def config_etckrb5(self, realm, krb5_server=None): + """ Configure /etc/krb5.conf with realm specified + :param str realm: Kerberos realm + :param krb5_server: kerberos server + :return: None + :Exception: Raise exception(builtin) + """ + if krb5_server is None: + krb5_server = self.multihost.sys_hostname + if realm is None: + raise Exception("Error: realm should be passed") + else: + realm_def = ("{\n" + "kdc = %s\n" + "admin_server = %s\n" + "}") % (krb5_server, krb5_server) + krb5config = ConfigParser.RawConfigParser() + krb5config.optionxform = str + krb5config.add_section('logging') + krb5config.set("logging", "default", "FILE:/var/log/krb5libs.log") + krb5config.set("logging", "kdc", "FILE:/var/log/krb5kdc.log") + krb5config.set("logging", "admin_server", + "FILE:/var/log/kadmind.log") + krb5config.add_section('libdefaults') + krb5config.set("libdefaults", "ticket_lifetime", "3600") + krb5config.set("libdefaults", "default_realm", realm.upper()) + krb5config.set("libdefaults", "dns_lookup_realm", "false") + krb5config.set("libdefaults", "dns_lookup_kdc", "false") + krb5config.set("libdefaults", "allow_weak_crypto", "yes") + krb5config.set("libdefaults", "forwardable", "true") + krb5config.set("libdefaults", "rdns", "false") + krb5config.add_section("realms") + krb5config.set("realms", "realm", realm_def) + krb5config.add_section("domain_realm") + 
krb5config.set("domain_realm", realm.lower(), realm.upper())
+ krb5config.set("domain_realm", ".%s" % (realm.lower()),
+ realm.upper())
+ krb5config.add_section("appdefaults")
+ krb5config.set("appdefaults", "validate", "true")
+ krb5config.add_section("kdc")
+ krb5config.set("kdc", "profile", "/var/kerberos/krb5kdc/kdc.conf")
+ krb5config.add_section("pam")
+ krb5config.set("pam", "debug", "false")
+ krb5config.set("pam", "ticket_lifetime", "3600")
+ krb5config.set("pam", "renew_lifetime", "3600")
+ krb5config.set("pam", "forwardable", "true")
+ temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf',
+ prefix='krb5conf')
+ with open(temp_file_path, "wb") as outfile:
+ krb5config.write(outfile)
+ self.multihost.run_command(['cp', '-f', '/etc/krb5.conf',
+ '/etc/krb5.conf.orig'])
+ self.multihost.transport.put_file(temp_file_path, '/etc/krb5.conf')
+ os.close(temp_fd)
+
+ def enable_kcm(self):
+ """ Enable kcm
+ :param: None
+ :Return: None
+ :Exception: Raise Exception("message")
+ """
+ kcm_cache_file = '/etc/krb5.conf.d/kcm_default_ccache'
+ config = ConfigParser.SafeConfigParser()
+ config.optionxform = str
+ config.add_section('libdefaults')
+ config.set('libdefaults', 'default_ccache_name', "KCM:")
+ temp_fd, temp_file_path = tempfile.mkstemp(suffix='conf',
+ prefix='krb5cc')
+ with open(temp_file_path, 'wb') as kcmfile:
+ config.write(kcmfile)
+ self.multihost.transport.put_file(temp_file_path, kcm_cache_file)
+ os.close(temp_fd)
+ enable_sssd_kcm_socket = 'systemctl enable sssd-kcm.socket'
+ cmd = self.multihost.run_command(enable_sssd_kcm_socket,
+ raiseonerr=False)
+ symlink = '/etc/systemd/system/sockets.target.wants/sssd-kcm.socket'
+ try:
+ self.multihost.run_command(['ls', '-l', symlink])
+ except subprocess.CalledProcessError:
+ self.multihost.log.info("kcm socket not enabled")
+ raise Exception("kcm socket not enabled")
+ start_ssd_kcm_socket = 'systemctl start sssd-kcm.socket'
+ cmd = self.multihost.run_command(start_ssd_kcm_socket,
+ raiseonerr=False)
+ if cmd.returncode != 0:
+ raise Exception("sssd-kcm.socket service not started")
+ start_sssd_kcm_service = 'systemctl enable sssd-kcm.service'
+ cmd = self.multihost.run_command(start_sssd_kcm_service,
+ raiseonerr=False)
+ symlink = '/etc/systemd/system/sockets.target.wants/sssd-kcm.socket'
+ if cmd.returncode != 0:
+ raise Exception("sssd-kcm.service not enabled")
+ try:
+ self.multihost.run_command(['ls', '-l', symlink])
+ except subprocess.CalledProcessError:
+ self.multihost.log.info("kcm socket not enabled")
+ raise Exception("kcm socket not enabled")
+
+
+class LdapOperations(object):
+ """
+ LDapOperations consists of functions related to ldap operations, like
+ adding entry, adding a DN, modifying DN, search entries.
+
+ Attributes:
+ uri(str): ldap server uri(ldap(s):///
+ binddn(str): Binddn required to bind
+ bindpw(str): Bind password
+ conn: ldap bind object (already initialized)
+ """
+
+ def __init__(self, uri, binddn, bindpw):
+ self.uri = uri
+ self.binddn = binddn
+ self.bindpw = bindpw
+ self.conn = ldap.initialize(uri)
+ self.conn = self.bind()
+ if type(self.conn).__name__ != "instance":
+ raise self.conn[0]
+
+ def bind(self):
+ """ Bind to ldap server
+ :param: None
+ :return: None
+ :Exceptions: None
+ """
+ try:
+ self.conn.simple_bind_s(self.binddn, self.bindpw)
+ except ldap.SERVER_DOWN as err:
+ return self._parseException(err)
+ except ldap.INVALID_CREDENTIALS as err:
+ return self._parseException(err)
+ else:
+ return self.conn
+
+ def add_entry(self, entry, ldap_dn):
+ """ Add an entry to ldap server
+ :param dict entry: attributes/objectclass to be added to dn
+ :param str dn: Entry dn to be added
+ """
+ print("Adding entry: %s" % (ldap_dn))
+ ldif = modlist.addModlist(entry)
+ try:
+ self.conn.add_s(ldap_dn, ldif)
+ except:
+ raise
+ else:
+ return "Success", True
+
+ def _parseException(self, err):
+ """ Parsing Exception """
+ return_value = False
+ return err, return_value
+
+ def del_dn(self, ldap_dn):
+ """Delete dn
+ :param str ldap_dn: DN to be deleted
+ :return tupele: "Success", return_value
+ :Exception: ldap exception
+ """
+ try:
+ ret = self.conn.delete(ldap_dn)
+ except:
+ raise
+ else:
+ return "Success", ret
+
+ def search(self, basedn, criteria, attributes, scope=ldap.SCOPE_SUBTREE):
+ """ Search ldap server and return results
+
+ :param str base: basedn of ldap server
+ :param str criteria: Search criteria(ex:
+ "(&(objectClass=user)(sAMAccountName=Administrator))"
+ :param str attributes: Attributes to be returned in the result
+ :scope obj : scope to be used when search default:
+ ldap.SCOPE_SUBTREE
+ :return tuple: Success/Fail, bool(True,False)
+ """
+
+ self.conn.set_option(ldap.OPT_REFERRALS, 0)
+ result = self.conn.search_s(basedn, ldap.SCOPE_SUBTREE,
+ criteria, attributes)
+ result_set = [entry for _, entry in result if isinstance(entry, dict)]
+ return result_set
+
+ def modify_ldap(self, ldap_dn, modify_list):
+ """ Modify ldap dn """
+ try:
+ self.conn.modify_s(ldap_dn, modify_list)
+ except ldap.NO_SUCH_ATTRIBUTE:
+ return "Fail", False
+ except ldap.NO_SUCH_OBJECT as err:
+ return self._parseException(err)
+ except ldap.OBJECT_CLASS_VIOLATION as err:
+ return self._parseException(err)
+ except ldap.TYPE_OR_VALUE_EXISTS as err:
+ return self._parseException(err)
+ except ldap.UNWILLING_TO_PERFORM:
+ return self._parseException(err)
+ else:
+ return 'Success', True
+
+ def posix_user(self, org_unit, basedn, user_attr):
+ """ Add POSIX Users
+ :param str ou: Organizational unit (ou=Users)
+ :param str basedn: Base dn ('dc=example,dc=test')
+ :param dict user_attr: Entry attributes
+ :Return bool: Return True
+ :Exception: Raise Exception if unable to add user
+ """
+ common_name = user_attr['cn']
+ uid = user_attr['uid']
+ uidnumber = user_attr['uidNumber']
+ gidnumber = user_attr['gidNumber']
+ try:
+ surname = user_attr['sn']
+ except KeyError:
+ surname = common_name
+ try:
+ shell = user_attr['loginShell']
+ except KeyError:
+ shell = '/bin/bash'
+ try:
+ password = user_attr['userPassword']
+ except KeyError:
+ password = 'Secret123'
+ try:
+ home_directory = user_attr['homeDirectory']
+ except KeyError:
+ home_directory = '/home/%s' % (uid)
+ try:
+ mail = user_attr['mail']
+ except KeyError:
+ mail = '%s@example.test' % (uid)
+ try:
+ gecos = user_attr['gecos']
+ except KeyError:
+ gecos = '%s User' % common_name
+ try:
+ location = user_attr['location']
+ except KeyError:
+ location = 'US'
+
+ attr = {
+ 'objectClass': ['top', 'posixAccount', 'inetOrgPerson'],
+ 'cn': common_name, 'uid': uid, 'sn': surname, 'loginShell': shell,
+ 'homeDirectory': home_directory, 'uidNumber': uidnumber,
+ 'gidNumber': gidnumber, 'userPassword': password,
+ 'mail': mail, 'gecos': gecos, 'l': location}
+
+ user_dn = 'uid=%s,%s,%s' % (uid, org_unit, basedn)
+ (ret, _) = self.add_entry(attr, user_dn)
+ if ret == 'Success':
+ return True
+ else:
+ raise Exception('Unable to add User to ldap')
+
+ def posix_group(self, org_unit, basedn, group_attr):
+ """ Add POSIX group
+ :param str ou: Organizational unit (ou=Groups)
+ :param str basedn: Base dn ('dc=example,dc=test')
+ :param dict group_attr: Entry attributes
+ :Return bool: Return True
+ :Exception: Raise Exception if unable to add user
+ """
+ group_cn = group_attr['cn']
+ gidnumber = group_attr['gidNumber']
+ member_dn = group_attr['uniqueMember']
+ user_password = '{crypt}x'
+ attr = {
+ 'objectClass': ['posixGroup', 'top', 'groupOfUniqueNames'],
+ 'gidNumber': gidnumber, 'cn': group_cn,
+ 'userPassword': user_password, 'uniqueMember': member_dn}
+
+ group_dn = 'cn=%s,%s,%s' % (group_cn, org_unit, basedn)
+ (ret, _) = self.add_entry(attr, group_dn)
+ if ret != 'Success':
+ raise Exception('Unable to add group to ldap')
+
+ def enable_autofs_schema(self, basedn):
+ """ Enable autofs schema
+
+ :param str basedn: base dn of the ldap server
+ :return: None
+ :Exceptions: None
+ """
+
+ autofs_schema = ("""
+dn: ou=automount,%s
+ou: automount
+objectClass: organizationalUnit
+
+dn: CN=auto.master,OU=automount,%s
+objectClass: top
+objectClass: nisMap
+cn: auto.master
+nisMapName: auto.master
+
+dn: cn=/-,cn=auto.master,ou=automount,%s
+objectClass: nisObject
+objectClass: top
+cn: /-
+nisMapEntry: auto.direct
+nisMapName: auto.master
+
+dn: cn=/home,cn=auto.master,ou=automount,%s
+objectClass: nisObject
+objectClass: top
+cn: /home
+nisMapEntry: auto.home
+nisMapName: auto.master
+
+dn: cn=auto.direct,ou=automount,%s
+objectClass: nisMap
+objectClass: top
+cn: auto.direct
+nisMapName: auto.direct
+
+dn: cn=auto.home,ou=automount,%s
+objectClass: nisMap
+objectClass: top
+nisMapName: auto.home""") % (basedn, basedn, basedn, basedn, basedn, basedn)
+ ldif_file = StringIO(autofs_schema)
+ parser = ldif.LDIFRecordList(ldif_file)
+ parser.parse()
+
+ for ldap_dn, entry in parser.all_records:
+ self.add_entry(entry, ldap_dn)
+
+
+class PkiTools(object):
+ """
+ PkiTools consists of functions related to creation of
+ certificate requests, updating profile XML with certificate
+ requests.
+ """
+
+ def __init__(self, nssdir=None, nssdir_pwd=None):
+
+ if nssdir is None:
+ self.nssdb = tempfile.mkdtemp('nssdir')
+ else:
+ self.nssdb = nssdir
+ if nssdir_pwd is None:
+ self.nssdb_pwd = 'Secret123'
+ else:
+ self.nssdb_pwd = nssdir_pwd
+ self.pwdfilename = 'pwfile'
+ self.noisefilename = 'noiseFile'
+ self.pwdfilepath = os.path.join(self.nssdb, self.pwdfilename)
+ self.noise = array.array('B', os.urandom(128))
+ self.noisefilepath = os.path.join(self.nssdb, self.noisefilename)
+
+ def create_nssdb(self):
+ """
+ Create a NSS Database on a temporary Directory
+
+ :return:
+ str nssdb: path of the NSS DB Directory
+ """
+ with open(self.pwdfilepath, 'w') as outfile:
+ outfile.write(self.nssdb_pwd)
+ certutil_cmd = 'certutil -N -d %s -f %s' % (self.nssdb,
+ self.pwdfilepath)
+ _, _, ret = self.execute(shlex.split(certutil_cmd))
+ if ret != 0:
+ raise PkiLibException('Could not setup NSS DB on %s' % self.nssdb)
+ else:
+ return self.nssdb
+
+ def execute(self,
+ args,
+ stdin=None,
+ capture_output=True,
+ raiseonerr=False,
+ env=None,
+ cwd=None):
+ """
+ Execute a command and return stdout, stderr and return code
+
+ :param str args: List of arguments for the command
+ :param str stdin: Optional input
+ :param bool: capture_output: Capture output of the command
+ (default True)
+ :param bool raiseonerr: Raise exception if command fails
+ :param str env: Env variables to be set before the command is run
+ :param str cwd: Current working Directory
+
+ :return stdout, stderr and returncode: if command return code is 0
+ :Exception: raises exception if raiseonerr is True
+ """
+
+ p_in = None
+ p_out = None
+ p_err = None
+ if env is None:
+ env = os.environ.copy()
+ if capture_output:
+ p_out = subprocess.PIPE
+ p_err = subprocess.PIPE
+ try:
+ proc = subprocess.Popen(args, stdin=p_in, stdout=p_out,
+ stderr=p_err, close_fds=True,
+ env=env, cwd=cwd)
+ stdout, stderr = proc.communicate(stdin)
+ except KeyboardInterrupt:
+ proc.wait()
+ raise
+ if proc.returncode != 0 and raiseonerr:
+ raise subprocess.CalledProcessError(proc.returncode, args, stdout)
+ else:
+ return (stdout, stderr, proc.returncode)
+
+ def createselfsignedcerts(self,
+ serverlist,
+ ca_dn=None,
+ passphrase='Secret123',
+ canickname='Example CA'):
+ """
+ Creates a NSS DB in /tmp/nssDirxxxx where self signed Root CA
+ and Server Certs are created
+
+ :param str CA_DN: Distinguished Name for CA Cert
+ :param str Server_DN: Distinguished Name for Server Cert
+ """
+ if ca_dn is None:
+ ca_dn = 'CN=Example CA,O=Example,L=Raleigh,C=US'
+ nss_passphrase = passphrase
+ pin_filename = 'pin.txt'
+ nss_dir = self.create_nssdb()
+ pin_filepath = os.path.join(nss_dir, pin_filename)
+ ca_certpath = os.path.join(nss_dir, 'cacert.der')
+ ca_pempath = os.path.join(nss_dir, 'cacert.pem')
+ server_pempath = os.path.join(nss_dir, 'server.pem')
+ with open(self.noisefilepath, 'w') as outfile:
+ outfile.write(str(self.noise))
+ ca_args = 'certutil -d %s -f %s -S -n "%s" -s %s' \
+ ' -t "CT,," -x -z %s' % (nss_dir, self.pwdfilepath,
+ canickname, ca_dn,
+ self.noisefilepath)
+
+ ca_pem = 'certutil -d %s -f %s -L -n "%s"' \
+ '-a -o %s' % (nss_dir, self.pwdfilepath,
+ canickname, ca_pempath)
+
+ with open(pin_filepath, 'w') as outfile:
+ outfile.write('Internal (Software) Token:%s' % nss_passphrase)
+ _, _, return_code = self.execute(shlex.split(ca_args))
+ if return_code != 0:
+ raise PkiLibException('Could not create Self signed CA Cert')
+ else:
+ self.execute(shlex.split(ca_pem))
+
+ for server in serverlist:
+ server_cn = 'CN=%s' % (server)
+ server_nickname = 'Server-Cert-%s' % (server)
+ server_pem = 'certutil -d %s -f %s -L '\
+ '-n "%s" -a -o %s' % (nss_dir,
+ self.pwdfilepath,
+ server_nickname,
+ server_pempath)
+ rand_var = str(random.randint(1000, 2000))
+ server_args = 'certutil -d %s -f %s -S -n "%s" -s %s -c "%s"'\
+ ' -t u,u,u -v 720 -m %s -z %s' % (nss_dir,
+ self.pwdfilepath,
+ server_nickname,
+ server_cn,
+ canickname,
+ rand_var,
+ self.noisefilepath)
+ _, _, return_code = self.execute(shlex.split(server_args))
+ if return_code != 0:
+ raise PkiLibException('Could not create Server-Cert')
+ else:
+ _, _, return_code = self.execute(shlex.split(server_pem))
+ if return_code != 0:
+ raise PkiLibException('Could not create Server pem file')
+ return nss_dir
+
+
+class ADOperations(object):
+ """
+ ADOperations class consists of methods related to managing AD User With
+ Unix properties.
+ """
+ def __init__(self, ad_host):
+ self.ad_host = ad_host
+ self.ad_uri = 'ldap://%s' % ad_host.external_hostname
+ host_domain_basedn_entry = self.ad_host.domain_basedn_entry
+ self.ad_users_dn_entry = '{},{}'.format('CN=Users',
+ host_domain_basedn_entry)
+ self.ad_dn = 'CN={},{}'.format("Administrator", self.ad_users_dn_entry)
+ self.ad_admin_passwd = self.ad_host.ssh_password
+ cmd = ['powershell.exe',
+ '-inputformat',
+ 'none',
+ '-noprofile',
+ '(Get-ADDomain -Current LocalComputer).NetBIOSName']
+ self._ad_netbionsname = self.ad_host.run_command(cmd).stdout_text
+
+ def ad_conn(self):
+ """ Create a LDAP Connection with AD
+
+ :param None
+ :Return obj: Object of LdapOperations
+ :Exceptions: None
+ """
+
+ ad_conn_inst = LdapOperations(self.ad_uri, self.ad_dn,
+ self.ad_admin_passwd)
+ return ad_conn_inst
+
+ def create_ad_unix_user_group(self, username, groupname,
+ password='Secret123'):
+ """ Create a AD User with Unix Attributes
+
+ :param str username: AD User Name
+ :param str groupname: AD Group Name
+ :param str password: User password (default: Secret123)
+ :Return bool: if user/group added correctly return True else False
+ :Exceptions: False
+ """
+
+ uid = random.randint(9999, 999999)
+ user_dn = "CN=%s,%s" % (username, self.ad_users_dn_entry)
+ group_dn = "CN=%s,%s" % (groupname, self.ad_users_dn_entry)
+ cmd = self.ad_host.run_command(['dsadd.exe', 'user', user_dn, '-samid',
+ username, '-pwd', password])
+ cmd = self.ad_host.run_command(['dsadd.exe', 'group', group_dn])
+ cmd = self.ad_host.run_command(['dsmod', 'group', group_dn, '-addmbr',
+ user_dn])
+ ad_conn_inst = self.ad_conn()
+ if cmd.returncode == 0:
+ mod_dn = [(ldap.MOD_ADD, 'msSFU30NisDomain', self.ad_netbiosname)]
+ (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'uidNumber', str(uid))]
+ (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'gidNumber', str(uid))]
+ (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'unixHomeDirectory',
+ '/home/%s' % (username))]
+ (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'loginShell', '/bin/bash')]
+ (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'msSFU30Name', username)]
+ (_, _) = ad_conn_inst.modify_ldap(user_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'msSFU30NisDomain', self.ad_netbiosname)]
+ (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'gidNumber', str(uid))]
+ (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'msSFU30Name', groupname)]
+ (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn)
+ else:
+ return False
+ return True
+
+ def create_ad_unix_group(self, groupname):
+ """ Create AD Group with UNIX Attributes
+
+ :param str groupname: Windows AD Group name
+ :Return bool : True if AD group was created with Unix Attributes
+ :Exceptions: None
+ """
+
+ gid = random.randint(9999, 999999)
+ group_dn = "CN=%s,%s" % (groupname, self.ad_users_dn_entry)
+ cmd = self.ad_host.run_command(['dsadd.exe', 'group', group_dn])
+ ad_conn_inst = self.ad_conn()
+ if cmd.returncode == 0:
+ mod_dn = [(ldap.MOD_ADD, 'msSFU30NisDomain', self.ad_netbiosname)]
+ (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'gidNumber', str(gid))]
+ (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn)
+ mod_dn = [(ldap.MOD_ADD, 'msSFU30Name', groupname)]
+ (_, _) = ad_conn_inst.modify_ldap(group_dn, mod_dn)
+ else:
+ return False
+ return True
+
+ def delete_ad_user_group(self, user_group):
+ """ Delete AD user
+
+ :param str user_group: User or Group Name to be deleted
+ :Return bool: True if delete is successful else false
+ :Exceptions: None
+ """
+
+ ad_entry = 'CN=%s,%s' % (user_group, self.ad_users_dn_entry)
+ try:
+ self.ad_host.run_command(['dsrm.exe', ad_entry, '-noprompt'])
+ except CalledProcessError:
+ return False
+ else:
+ return True
+
+ def add_user_member_of_group(self, group, user):
+ """ Add user member of a group
+
+ :param str group: Name of Windows AD Group
+ :param str user: Name of Windows AD user
+ :Return bool: True if user is added as member to group
+ :Exceptions: None
+ """
+
+ group_dn = 'CN=%s,%s' % (group, self.ad_users_dn_entry)
+ user_dn = 'CN=%s,%s' % (user, self.ad_users_dn_entry)
+ try:
+ self.ad_host.run_command(['dsmod', 'group', group_dn, '-addmbr',
+ user_dn])
+ except CalledProcessError:
+ return False
+ else:
+ return True
+
+ def remove_user_from_group(self, group, user):
+ """ Remove User from Group membership
+
+ :param str group: Name of Windows AD Group
+ :param str user: Name of Windows AD user
+ :Return bool: True if user is removed from group else False
+ :Exceptions: None
+ """
+
+ group_dn = 'CN=%s,%s' % (group, self.ad_users_dn_entry)
+ user_dn = 'CN=%s,%s' % (user, self.ad_users_dn_entry)
+ try:
+ self.ad_host.run_command(['dsmod', 'group', group_dn, '-rmmbr',
+ user_dn])
+ except CalledProcessError:
+ return False
+ return True
+
+
+class SSHClient(paramiko.SSHClient):
+ """ This class Inherits paramiko.SSHClient and implements client.exec_commands
+ channel.exec_command """
+
+ def __init__(self, hostname=None, port=None, username=None, password=None):
+ """ Initialize connection to Remote Host using Paramiko SSHClient. Can be
+ initialized with hostname, port, username and password.
+ """
+ self.hostname = hostname
+ self.username = username
+ self.password = password
+
+ if port is None:
+ self.port = 22
+ else:
+ self.port = port
+
+ paramiko.SSHClient.__init__(self)
+ self.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ try:
+ self.connect(self.hostname, port=self.port,
+ username=self.username,
+ password=self.password,
+ timeout=30)
+ except (paramiko.AuthenticationException,
+ paramiko.SSHException,
+ socket.error):
+ raise
+
+ def execute_cmd(self, args, stdin=None):
+ """ This Function executes commands using SSHClient.exec_commands().
+ :param str args: actual command to run
+ :param str stdin: stdin for the command
+ :Return tuple: stdin stdout stderr
+ :Exception: paramiko.SSHException
+ """
+ if PARAMIKO_VERSION >= (1, 15, 0):
+ try:
+ std_in, std_out, std_err = self.exec_command(args, timeout=30)
+ except paramiko.SSHException:
+ raise
+ else:
+ if stdin:
+ std_in.write("%s\n" % (stdin))
+ std_in.flush()
+ exit_status = std_out.channel.recv_exit_status()
+ return std_out, std_err, exit_status
+ else:
+ try:
+ std_in, std_out, std_err = self.exec_command(args)
+ except paramiko.SSHException:
+ raise
+ else:
+ if stdin:
+ std_in.write("%s\n" % (stdin))
+ std_in.flush()
+ exit_status = std_out.channel.recv_exit_status()
+ return std_out, std_err, exit_status
--- sssd-1.16.1.orig/src/tests/python/sssd/testlib/etc/pylintrc
+++ sssd-1.16.1/src/tests/python/sssd/testlib/etc/pylintrc
@@ -0,0 +1,384 @@
+[MASTER]
+
+# Specify a configuration file.
+#rcfile=
+
+# Python code to execute, usually for sys.path manipulation such as
+# pygtk.require().
+#init-hook=
+
+# Add files or directories to the blacklist. They should be base names, not
+# paths.
+ignore=CVS
+
+# Pickle collected data for later comparisons.
+persistent=yes
+
+# List of plugins (as comma separated values of python modules names) to load,
+# usually to register additional checkers.
+load-plugins=
+
+# Use multiple processes to speed up Pylint.
+jobs=1
+
+# Allow loading of arbitrary C extensions. Extensions are imported into the
+# active Python interpreter and may run arbitrary code.
+unsafe-load-any-extension=no
+
+# A comma-separated list of package or module names from where C extensions may
+# be loaded. Extensions are loading into the active Python interpreter and may
+# run arbitrary code
+extension-pkg-whitelist=
+
+# Allow optimization of some AST trees. This will activate a peephole AST
+# optimizer, which will apply various small optimizations. For instance, it can
+# be used to obtain the result of joining multiple strings with the addition
+# operator. Joining a lot of strings can lead to a maximum recursion error in
+# Pylint and this flag can prevent that. It has one side effect, the resulting
+# AST will be different than the one from reality.
+optimize-ast=no
+
+
+[MESSAGES CONTROL]
+
+# Only show warnings with the listed confidence levels. Leave empty to show
+# all. Valid levels: HIGH, INFERENCE, INFERENCE_FAILURE, UNDEFINED
+confidence=
+
+# Enable the message, report, category or checker with the given id(s). You can
+# either give multiple identifier separated by comma (,) or put this option
+# multiple time. See also the "--disable" option for examples.
+#enable=
+
+# Disable the message, report, category or checker with the given id(s). You
+# can either give multiple identifiers separated by comma (,) or put this
+# option multiple times (only on the command line, not in the configuration
+# file where it should appear only once).You can also use "--disable=all" to
+# disable everything first and then reenable specific checks. For example, if
+# you want to run only the similarities checker, you can use "--disable=all
+# --enable=similarities". If you want to run only the classes checker, but have
+# no Warning level messages displayed, use"--disable=all --enable=classes
+# --disable=W"
+disable=R0201,R0903,E1123,W0621,E1121
+# IdM-QE skipping:
+# # R0201: Method could be a function
+# # R0903: Too few public methods
+# # E1123: These are needed for defining how the multihost plugin fixtures work.
+# # W0621: This is a method in pytest of defining the fixtures used by a function and we need it.
+# # E1121: Using the calls as described on pytest docs but, it's red flagged here.
+#disable=import-star-module-level,old-octal-literal,oct-method,print-statement,unpacking-in-except,parameter-unpacking,backtick,old-raise-syntax,old-ne-operator,long-suffix,dict-view-method,dict-iter-method,metaclass-assignment,next-method-called,raising-string,indexing-exception,raw_input-builtin,long-builtin,file-builtin,execfile-builtin,coerce-builtin,cmp-builtin,buffer-builtin,basestring-builtin,apply-builtin,filter-builtin-not-iterating,using-cmp-argument,useless-suppression,range-builtin-not-iterating,suppressed-message,no-absolute-import,old-division,cmp-method,reload-builtin,zip-builtin-not-iterating,intern-builtin,unichr-builtin,reduce-builtin,standarderror-builtin,unicode-builtin,xrange-builtin,coerce-method,delslice-method,getslice-method,setslice-method,input-builtin,round-builtin,hex-method,nonzero-method,map-builtin-not-iterating
+
+[REPORTS]
+
+# Set the output format. Available formats are text, parseable, colorized, msvs
+# (visual studio) and html. You can also give a reporter class, e.g.
+# mypackage.mymodule.MyReporterClass.
+output-format=text
+
+# Put messages in a separate file for each module / package specified on the
+# command line instead of printing them on stdout. Reports (if any) will be
+# written in a file name "pylint_global.[txt|html]".
+files-output=no
+
+# Tells whether to display a full report or only the messages
+reports=yes
+
+# Python expression which should return a note less than 10 (10 is the highest
+# note). You have access to the variables errors warning, statement which
+# respectively contain the number of errors / warnings messages and the total
+# number of statements analyzed. This is used by the global evaluation report
+# (RP0004).
+evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)
+
+# Template used to display messages. This is a python new-style format string
+# used to format the message information. See doc for all details
+#msg-template=
+
+
+[TYPECHECK]
+
+# Tells whether missing members accessed in mixin class should be ignored. A
+# mixin class is detected if its name ends with "mixin" (case insensitive).
+ignore-mixin-members=yes
+
+# List of module names for which member attributes should not be checked
+# (useful for modules/projects where namespaces are manipulated during runtime
+# and thus existing member attributes cannot be deduced by static analysis. It
+# supports qualified module names, as well as Unix pattern matching.
+ignored-modules=
+
+# List of classes names for which member attributes should not be checked
+# (useful for classes with attributes dynamically set). This supports can work
+# with qualified names.
+ignored-classes=pytest
+
+# List of members which are set dynamically and missed by pylint inference
+# system, and so shouldn't trigger E1101 when accessed. Python regular
+# expressions are accepted.
+generated-members=
+
+
+[BASIC]
+
+# List of built-in function names that should not be used, separated by a comma
+bad-functions=map,filter,input
+
+# Good variable names which should always be accepted, separated by a comma
+good-names=i,j,k,ex,Run,_
+
+# Bad variable names which should always be refused, separated by a comma
+bad-names=foo,bar,baz,toto,tutu,tata
+
+# Colon-delimited sets of names that determine each other's naming style when
+# the name regexes allow several styles.
+name-group=
+
+# Include a hint for the correct naming format with invalid-name
+include-naming-hint=no
+
+# Regular expression matching correct function names
+function-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for function names
+function-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct variable names
+variable-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for variable names
+variable-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct constant names
+const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Naming hint for constant names
+const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$
+
+# Regular expression matching correct attribute names
+attr-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for attribute names
+attr-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct argument names
+argument-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for argument names
+argument-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression matching correct class attribute names
+class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Naming hint for class attribute names
+class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$
+
+# Regular expression matching correct inline iteration names
+inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
+
+# Naming hint for inline iteration names
+inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$
+
+# Regular expression matching correct class names
+class-rgx=[A-Z_][a-zA-Z0-9]+$
+
+# Naming hint for class names
+class-name-hint=[A-Z_][a-zA-Z0-9]+$
+
+# Regular expression matching correct module names
+module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Naming hint for module names
+module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
+
+# Regular expression matching correct method names
+method-rgx=[a-z_][a-z0-9_]{2,30}$
+
+# Naming hint for method names
+method-name-hint=[a-z_][a-z0-9_]{2,30}$
+
+# Regular expression which should only match function or class names that do
+# not require a docstring.
+no-docstring-rgx=^_
+
+# Minimum line length for functions/classes that require docstrings, shorter
+# ones are exempt.
+docstring-min-length=-1
+
+
+[ELIF]
+
+# Maximum number of nested blocks for function / method body
+max-nested-blocks=5
+
+
+[SIMILARITIES]
+
+# Minimum lines number of a similarity.
+min-similarity-lines=4
+
+# Ignore comments when computing similarities.
+ignore-comments=yes
+
+# Ignore docstrings when computing similarities.
+ignore-docstrings=yes
+
+# Ignore imports when computing similarities.
+ignore-imports=no
+
+
+[LOGGING]
+
+# Logging modules to check that the string format arguments are in logging
+# function parameter format
+logging-modules=logging
+
+
+[VARIABLES]
+
+# Tells whether we should check for unused import in __init__ files.
+init-import=no
+
+# A regular expression matching the name of dummy variables (i.e. expectedly
+# not used).
+dummy-variables-rgx=_$|dummy
+
+# List of additional names supposed to be defined in built-ins. Remember that
+# you should avoid to define new built-ins when possible.
+additional-builtins=
+
+# List of strings which can identify a callback function by name. A callback
+# name must start or end with one of those strings.
+callbacks=cb_,_cb
+
+
+[FORMAT]
+
+# Maximum number of characters on a single line.
+max-line-length=120
+
+# Regexp for a line that is allowed to be longer than the limit.
+ignore-long-lines=^\s*(# )??$
+
+# Allow the body of an if to be on the same line as the test if there is no
+# else.
+single-line-if-stmt=no
+
+# List of optional constructs for which whitespace checking is disabled. `dict-
+# separator` is used to allow tabulation in dicts, etc.: {1 : 1,\n222: 2}.
+# `trailing-comma` allows a space between comma and closing bracket: (a, ).
+# `empty-line` allows space-only lines.
+no-space-check=trailing-comma,dict-separator
+
+# Maximum number of lines in a module
+max-module-lines=1000
+
+# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
+# tab).
+indent-string=' '
+
+# Number of spaces of indent required inside a hanging or continued line.
+indent-after-paren=4
+
+# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
+expected-line-ending-format=
+
+
+[SPELLING]
+
+# Spelling dictionary name. Available dictionaries: none. To make it working
+# install python-enchant package.
+spelling-dict=
+
+# List of comma separated words that should not be checked.
+spelling-ignore-words=
+
+# A path to a file that contains private dictionary; one word per line.
+spelling-private-dict-file=
+
+# Tells whether to store unknown words to indicated private dictionary in
+# --spelling-private-dict-file option instead of raising a message.
+spelling-store-unknown-words=no
+
+
+[MISCELLANEOUS]
+
+# List of note tags to take in consideration, separated by a comma.
+notes=FIXME,XXX,TODO
+
+
+[IMPORTS]
+
+# Deprecated modules which should not be used, separated by a comma
+deprecated-modules=regsub,TERMIOS,Bastion,rexec
+
+# Create a graph of every (i.e. internal and external) dependencies in the
+# given file (report RP0402 must not be disabled)
+import-graph=
+
+# Create a graph of external dependencies in the given file (report RP0402 must
+# not be disabled)
+ext-import-graph=
+
+# Create a graph of internal dependencies in the given file (report RP0402 must
+# not be disabled)
+int-import-graph=
+
+
+[DESIGN]
+
+# Maximum number of arguments for function / method
+max-args=5
+
+# Argument names that match this expression will be ignored. Default to name
+# with leading underscore
+ignored-argument-names=_.*
+
+# Maximum number of locals for function / method body
+max-locals=15
+
+# Maximum number of return / yield for function / method body
+max-returns=6
+
+# Maximum number of branch for function / method body
+max-branches=12
+
+# Maximum number of statements in function / method body
+max-statements=99
+
+# Maximum number of parents for a class (see R0901).
+max-parents=7
+
+# Maximum number of attributes for a class (see R0902).
+max-attributes=7
+
+# Minimum number of public methods for a class (see R0903).
+min-public-methods=2
+
+# Maximum number of public methods for a class (see R0904).
+max-public-methods=20
+
+# Maximum number of Boolean expressions in an if statement
+max-bool-expr=5
+
+
+[CLASSES]
+
+# List of method names used to declare (i.e. assign) instance attributes.
+defining-attr-methods=__init__,__new__,setUp
+
+# List of valid names for the first argument in a class method.
+valid-classmethod-first-arg=cls
+
+# List of valid names for the first argument in a metaclass class method.
+valid-metaclass-classmethod-first-arg=mcs
+
+# List of member names, which should be excluded from the protected access
+# warning.
+exclude-protected=_asdict,_fields,_replace,_source,_make
+
+
+[EXCEPTIONS]
+
+# Exceptions that will emit a warning when being caught. Defaults to
+# "Exception"
+overgeneral-exceptions=Exception
--- sssd-1.16.1.orig/zanata.xml
+++ sssd-1.16.1/zanata.xml
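Review bot: The `disable=R0201,R0903,E1123,W0621,E1121` line in [MESSAGES CONTROL] switches off two error-level call-signature checks, E1121 (too many positional arguments) and E1123 (unexpected keyword argument), for every module linted with this rcfile, while the comments under it justify them only for the multihost plugin fixtures and pytest calls. With both off, a wrong call anywhere in the test library is no longer reported. I would narrow the global line to `disable=R0201,R0903,W0621` and put `# pylint: disable=E1121,E1123` on the fixture call sites that actually need it.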
@@ -0,0 +1,11 @@
+
+
+ https://fedora.zanata.org/
+ sssd
+ master
+ gettext
+ .
+ .
+ po/*.pot,src/man/po/*.pot
+
+